title: CobaltStrike Named Pipe
id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2
related:
    - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns
      type: similar
    - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex
      type: similar
status: test
description: Detects the creation of a named pipe as used by CobaltStrike
references:
    - https://twitter.com/d4rksystem/status/1357010969264873472
    - https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/
    - https://github.com/SigmaHQ/sigma/issues/253
    - https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
    - https://redcanary.com/threat-detection-report/threats/cobalt-strike/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-25
modified: 2022-10-31
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection_MSSE:
        PipeName|contains|all:
            - '\MSSE-'
            - '-server'
    selection_postex:
        PipeName|startswith: '\postex_' # Also include the pipe "\postex_ssh_"
    selection_status:
        PipeName|startswith: '\status_'
    selection_msagent:
        PipeName|startswith: '\msagent_'
    selection_mojo:
        PipeName|startswith: '\mojo_'
    selection_interprocess:
        PipeName|startswith: '\interprocess_'
    selection_samr:
        PipeName|startswith: '\samr_'
    selection_netlogon:
        PipeName|startswith: '\netlogon_'
    selection_srvsvc:
        PipeName|startswith: '\srvsvc_'
    selection_lsarpc:
        PipeName|startswith: '\lsarpc_'
    selection_wkssvc:
        PipeName|startswith: '\wkssvc_'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical

title: CobaltStrike Named Pipe Pattern Regex
id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a
related:
    - id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7 # Patterns
      type: similar
    - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic
      type: similar
status: test
description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
references:
    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
    - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
author: Florian Roth (Nextron Systems)
date: 2021-07-30
modified: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        - PipeName|re: '\\mojo\.5688\.8052\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}'
        - PipeName|re: '\\wkssvc_?[0-9a-f]{2}'
        - PipeName|re: '\\ntsvcs[0-9a-f]{2}'
        - PipeName|re: '\\DserNamePipe[0-9a-f]{2}'
        - PipeName|re: '\\SearchTextHarvester[0-9a-f]{2}'
        - PipeName|re: '\\mypipe-(?:f|h)[0-9a-f]{2}'
        - PipeName|re: '\\windows\.update\.manager[0-9a-f]{2,3}'
        - PipeName|re: '\\ntsvcs_[0-9a-f]{2}'
        - PipeName|re: '\\scerpc_?[0-9a-f]{2}'
        - PipeName|re: '\\PGMessagePipe[0-9a-f]{2}'
        - PipeName|re: '\\MsFteWds[0-9a-f]{2}'
        - PipeName|re: '\\f4c3[0-9a-f]{2}'
        - PipeName|re: '\\fullduplex_[0-9a-f]{2}'
        - PipeName|re: '\\msrpc_[0-9a-f]{4}'
        - PipeName|re: '\\win\\msrpc_[0-9a-f]{2}'
        - PipeName|re: '\\f53f[0-9a-f]{2}'
        - PipeName|re: '\\rpc_[0-9a-f]{2}'
        - PipeName|re: '\\spoolss_[0-9a-f]{2}'
        - PipeName|re: '\\Winsock2\\CatalogChangeListener-[0-9a-f]{3}-0,'
    condition: selection
falsepositives:
    - Unknown
level: critical

title: HackTool - DInjector PowerShell Cradle Execution
id: d78b5d61-187d-44b6-bf02-93486a80de5a
status: test
description: Detects the use of the Dinject PowerShell cradle based on the specific flags
references:
    - https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector # Original got deleted. This is a fork
author: Florian Roth (Nextron Systems)
date: 2021-12-07
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' /am51'
            - ' /password'
    condition: selection
falsepositives:
    - Unlikely
level: critical

title: Malicious Named Pipe Created
id: fe3ac066-98bb-432a-b1e7-a5229cb39d4a
status: test
description: Detects the creation of a named pipe seen used by known APTs or malware.
references:
    - https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
    - https://securelist.com/faq-the-projectsauron-apt/75533/
    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
    - https://www.us-cert.gov/ncas/alerts/TA17-117A
    - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
    - https://thedfirreport.com/2020/06/21/snatch-ransomware/
    - https://github.com/RiccardoAncarani/LiquidSnake
    - https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a
    - https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf
    - https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: Florian Roth (Nextron Systems), blueteam0ps, elhoim
date: 2017-11-06
modified: 2023-08-07
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName:
            - '\46a676ab7f179e511e30dd2dc41bd388'  # Project Sauron
            - '\583da945-62af-10e8-4902-a8f205c72b2e'  # SolarWinds SUNBURST malware
            - '\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7'  # LiquidSnake
            - '\9f81f59bc58452127884ce513865ed20'  # Project Sauron
            - '\adschemerpc'  # Turla HyperStack
            - '\ahexec'  # Sofacy group malware
            - '\AnonymousPipe'  # Hidden Cobra Hoplight
            - '\bc31a7'  # Pacifier
            - '\bc367'  # Pacifier
            - '\bizkaz'  # Snatch Ransomware
            - '\csexecsvc' # CSEXEC default
            - '\dce_3d' # Qbot
            - '\e710f28d59aa529d6792ca6ff0ca1b34'  # Project Sauron
            - '\gruntsvc' # Covenant default
            - '\isapi_dg'  # Uroburos Malware
            - '\isapi_dg2'  # Uroburos Malware
            - '\isapi_http'  # Uroburos Malware
            - '\jaccdpqnvbrrxlaf' # PoshC2 default
            - '\lsassw'  # Wild Neutron APT malware
            - '\NamePipe_MoreWindows'  # Cloud Hopper - RedLeaves
            - '\pcheap_reuse'  # Pipe used by Equation Group malware
            - '\Posh*' # PoshC2 default
            - '\rpchlp_3'  # Project Sauron
            - '\sdlrpc'  # Cobra Trojan
            - '\svcctl' # Crackmapexec smbexec default
            - '\testPipe'  # Emissary Panda Hyperbro
            - '\winsession'  # Wild Neutron APT malware
            # - '\status_*' # CS default  https://github.com/SigmaHQ/sigma/issues/253
    condition: selection
falsepositives:
    - Unknown
level: critical

title: ASLR Disabled Via Sysctl or Direct Syscall - Linux
id: e497a24e-9345-4a62-9803-b06d7d7cb132
status: experimental
description: |
    Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
      - Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
      - Modification of the /proc/sys/kernel/randomize_va_space file
      - Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
    Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms.
    A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
references:
    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md
    - https://man7.org/linux/man-pages/man2/personality.2.html
    - https://manual.cs50.io/2/personality
    - https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/
author: Milad Cheraghi
date: 2025-05-26
modified: 2025-12-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.defense-impairment
    - attack.t1685
    - attack.t1055.009
logsource:
    product: linux
    service: auditd
detection:
    selection_syscall:
        type: 'SYSCALL'
        SYSCALL: 'personality'
        a0: 40000
    selection_sysctl:
        type: 'EXECVE'
        a0: 'sysctl'
        a1: '-w'
        a2: 'kernel.randomize_va_space=0' # 0 = disable
    condition: 1 of selection_*
falsepositives:
    - Debugging or legitimate software testing
level: high

title: CobaltStrike Named Pipe Patterns
id: 85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7
related:
    - id: 0e7163d4-9e19-4fa7-9be6-000c61aad77a # Regex
      type: similar
    - id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 # Generic
      type: similar
status: test
description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
references:
    - https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
    - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
author: Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
date: 2021-07-30
modified: 2024-01-26
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - stp.1k
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can always use Cobalt Strike, but also you can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection_malleable_profile_generic:
        - PipeName|startswith:
              - '\DserNamePipe'
              - '\f4c3'
              - '\f53f'
              - '\fullduplex_'
              - '\mojo.5688.8052.183894939787088877'
              - '\mojo.5688.8052.35780273329370473'
              - '\MsFteWds'
              - '\msrpc_'
              - '\mypipe-f'
              - '\mypipe-h'
              - '\ntsvcs'
              - '\PGMessagePipe'
              - '\rpc_'
              - '\scerpc'
              - '\SearchTextHarvester'
              - '\spoolss'
              - '\win_svc'
              - '\win\msrpc_'
              - '\windows.update.manager'
              - '\wkssvc'
        - PipeName:
              - '\demoagent_11'
              - '\demoagent_22'
    selection_malleable_profile_catalog_change_listener:
        PipeName|startswith: '\Winsock2\CatalogChangeListener-'
        PipeName|endswith: '-0,'
    filter_main_generic:
        PipeName:
            - '\wkssvc'
            - '\spoolss'
            - '\scerpc'
            - '\ntsvcs'
            - '\SearchTextHarvester'
            - '\PGMessagePipe'
            - '\MsFteWds'
    filter_optional_websense:
        Image|contains:
            - ':\Program Files\Websense\'
            - ':\Program Files (x86)\Websense\'
        PipeName|startswith:
            - '\DserNamePipeR'
            - '\DserNamePipeW'
    condition: 1 of selection_malleable_profile_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Chrome instances using the exact same pipe name "mojo.xxx"
    - Websense Endpoint using the pipe name "DserNamePipe(R|W)\d{1,5}"
level: high

title: Dllhost.EXE Execution Anomaly
id: e7888eb1-13b0-4616-bd99-4bc0c2b054b9
status: test
description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
references:
    - https://redcanary.com/blog/child-processes/
    - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-27
modified: 2023-05-15
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\dllhost.exe'
        CommandLine:
            - 'dllhost.exe'
            - 'dllhost'
    filter_main_null:
        CommandLine: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high

title: DotNet CLR DLL Loaded By Scripting Applications
id: 4508a70e-97ef-4300-b62b-ff27992990ea
status: test
description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
references:
    - https://github.com/tyranid/DotNetToJScript
    - https://thewover.github.io/Introducing-Donut/
    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
author: omkar72, oscd.community
date: 2020-10-14
modified: 2023-02-23
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmstp.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\msxsl.exe'
            - '\regsvr32.exe'
            # - '\svchost.exe'
            - '\wmic.exe'
            - '\wscript.exe'
        ImageLoaded|endswith:
            - '\clr.dll'
            - '\mscoree.dll'
            - '\mscorlib.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - CACTUSTORCH Remote Thread Creation
id: 2e4e488a-6164-4811-9ea1-f960c7359c40
status: test
description: Detects remote thread creation from CACTUSTORCH as described in references.
references:
    - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted
    - https://github.com/mdsecactivebreach/CACTUSTORCH
author: '@SBousseaden (detection), Thomas Patzke (rule)'
date: 2019-02-01
modified: 2023-05-05
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1055.012
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\System32\cscript.exe'
            - '\System32\wscript.exe'
            - '\System32\mshta.exe'
            - '\winword.exe'
            - '\excel.exe'
        TargetImage|contains: '\SysWOW64\'
        StartModule: null
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - CoercedPotato Execution
id: e8d34729-86a4-4140-adfd-0a29c2106307
status: test
description: Detects the use of CoercedPotato, a tool for privilege escalation
references:
    - https://github.com/hackvens/CoercedPotato
    - https://blog.hackvens.fr/articles/CoercedPotato.html
author: Florian Roth (Nextron Systems)
date: 2023-10-11
modified: 2024-11-23
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection_loader_img:
        Image|endswith: '\CoercedPotato.exe'
    selection_params:
        CommandLine|contains: ' --exploitId '
    selection_loader_imphash:
        Hashes|contains:
            - 'IMPHASH=A75D7669DB6B2E107A44C4057FF7F7D6'
            - 'IMPHASH=F91624350E2C678C5DCBE5E1F24E22C9'
            - 'IMPHASH=14C81850A079A87E83D50CA41C709A15'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - CoercedPotato Named Pipe Creation
id: 4d0083b3-580b-40da-9bba-626c19fe4033
status: test
description: Detects the pattern of a pipe name as used by the hack tool CoercedPotato
references:
    - https://blog.hackvens.fr/articles/CoercedPotato.html
    - https://github.com/hackvens/CoercedPotato
author: Florian Roth (Nextron Systems)
date: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains: '\coerced\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - EfsPotato Named Pipe Creation
id: 637f689e-b4a5-4a86-be0e-0100a0a33ba2
status: test
description: Detects the pattern of a pipe name as used by the hack tool EfsPotato
references:
    - https://twitter.com/SBousseaden/status/1429530155291193354?s=20
    - https://github.com/zcgonvh/EfsPotato
author: Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2023-12-21
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains:
            - '\pipe\'
            - '\pipe\srvsvc'  # more specific version (use only this one if the other causes too many false positives)
    filter_optional_ctx:
        PipeName|contains: '\CtxShare'
    filter_optional_default:
        PipeName|startswith: '\pipe\' # excludes pipes that start with \pipe\*
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - \pipe\LOCAL\Monitorian # https://github.com/emoacht/Monitorian
level: high

title: HackTool - HollowReaper Execution
id: 85d23b42-9a9d-4f8f-b3d7-d2733c1d58f5
status: experimental
description: |
    Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing.
    It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
references:
    - https://github.com/vari-sh/RedTeamGrimoire/tree/b5e7635d34db6e1f0398d8847e8f293186e947c5/HollowReaper
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-01
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.012
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\HollowReaper.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - LittleCorporal Generated Maldoc Injection
id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
status: test
description: Detects the process injection of a LittleCorporal generated Maldoc.
references:
    - https://github.com/connormcgarr/LittleCorporal
author: Christian Burkard (Nextron Systems)
date: 2021-08-09
modified: 2023-11-28
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1204.002
    - attack.t1055.003
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\winword.exe'
        CallTrace|contains|all:
            - ':\Windows\Microsoft.NET\Framework64\v2.'
            - 'UNKNOWN'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Potential CobaltStrike Process Injection
id: 6309645e-122d-4c5b-bb2b-22e4f9c2fa42
status: test
description: Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
references:
    - https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
    - https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
author: Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community
date: 2018-11-30
modified: 2023-05-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.001
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        StartAddress|endswith:
            - '0B80'
            - '0C7C'
            - '0C88'
    condition: selection
falsepositives:
    - Unknown
level: high

title: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
id: 6345b048-8441-43a7-9bed-541133633d7a
status: test
description: |
    Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
    This binary can be abused for DLL injection, arbitrary command and process execution.
references:
    - https://twitter.com/gN3mes1s/status/1222088214581825540
    - https://twitter.com/gN3mes1s/status/1222095963789111296
    - https://twitter.com/gN3mes1s/status/1222095371175911424
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-28
modified: 2025-01-22
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\dctask64.exe'
        - Hashes|contains:
              - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
              - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
              - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
              - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
    selection_cli:
        CommandLine|contains:
            - ' executecmd64 '
            - ' invokeexe '
            - ' injectDll '
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Mavinject Inject DLL Into Running Process
id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
related:
    - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
      type: obsolete
status: test
description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
    - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
    - https://twitter.com/gN3mes1s/status/941315826107510784
    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
    - https://twitter.com/Hexacorn/status/776122138063409152  # Deleted tweet
    - https://github.com/SigmaHQ/sigma/issues/3742
    - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
author: frack113, Florian Roth
date: 2021-07-12
modified: 2022-12-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.001
    - attack.t1218.013
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: ' /INJECTRUNNING '
    filter:
        ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject"
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Network Connection Initiated Via Notepad.EXE
id: e81528db-fc02-45e8-8e98-4e84aba1f10b
status: test
description: |
    Detects a network connection that is initiated by the "notepad.exe" process.
    This might be a sign of process injection from a beacon process or something similar.
    Notepad rarely initiates a network communication except when printing documents for example.
references:
    - https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf
    - https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet
author: EagleEye Team
date: 2020-05-14
modified: 2024-02-02
tags:
    - attack.privilege-escalation
    - attack.command-and-control
    - attack.execution
    - attack.stealth
    - attack.t1055
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\notepad.exe'
    filter_optional_printing:
        DestinationPort: 9100
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Printing documents via notepad might cause communication with the printer via port 9100 or similar.
level: high

title: Potential Process Injection Via Msra.EXE
id: 744a188b-0415-4792-896f-11ddb0588dbc
status: test
description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
references:
    - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
    - https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
author: Alexander McDonald
date: 2022-06-24
modified: 2023-02-03
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\msra.exe'
        ParentCommandLine|endswith: 'msra.exe'
        Image|endswith:
            - '\arp.exe'
            - '\cmd.exe'
            - '\net.exe'
            - '\netstat.exe'
            - '\nslookup.exe'
            - '\route.exe'
            - '\schtasks.exe'
            - '\whoami.exe'
    condition: selection
falsepositives:
    - Legitimate use of Msra.exe
level: high

title: PowerShell ShellCode
id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
status: test
description: Detects Base64 encoded Shellcode
references:
    - https://twitter.com/cyb3rops/status/1063072865992523776
author: David Ledbetter (shellcode), Florian Roth (Nextron Systems)
date: 2018-11-17
modified: 2024-01-25
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'OiCAAAAYInlM'
            - 'OiJAAAAYInlM'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Rare Remote Thread Creation By Uncommon Source Image
id: 02d1d718-dd13-41af-989d-ea85c7fab93f
related:
    - id: 66d31e5f-52d6-40a4-9615-002d3789a119
      type: derived
status: test
description: Detects uncommon processes creating remote threads.
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019-10-27
modified: 2025-12-08
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\bash.exe'
            - '\cscript.exe'
            - '\cvtres.exe'
            - '\defrag.exe'
            - '\dialer.exe'
            - '\dnx.exe'
            - '\esentutl.exe'
            - '\excel.exe'
            - '\expand.exe'
            - '\find.exe'
            - '\findstr.exe'
            - '\forfiles.exe'
            - '\gpupdate.exe'
            - '\hh.exe'
            - '\installutil.exe'
            - '\lync.exe'
            - '\makecab.exe'
            - '\mDNSResponder.exe'
            - '\monitoringhost.exe' # Loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
            - '\msbuild.exe'
            - '\mshta.exe'
            - '\mspaint.exe'
            - '\outlook.exe'
            - '\ping.exe'
            - '\provtool.exe'
            - '\python.exe'
            - '\regsvr32.exe'
            - '\robocopy.exe'
            - '\runonce.exe'
            - '\sapcimc.exe'
            - '\smartscreen.exe'
            - '\spoolsv.exe'
            - '\tstheme.exe'
            - '\userinit.exe'
            - '\vssadmin.exe'
            - '\vssvc.exe'
            - '\w3wp.exe'
            - '\winscp.exe'
            - '\winword.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_main_conhost:
        SourceImage:
            - 'C:\Windows\System32\Defrag.exe'
            - 'C:\Windows\System32\makecab.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
    filter_main_provtol_svchost:
        SourceImage: 'C:\Windows\System32\provtool.exe'
        TargetImage: 'C:\Windows\System32\svchost.exe'
    filter_main_provtool_system:
        SourceImage: 'C:\Windows\System32\provtool.exe'
        TargetImage: 'System'
    filter_main_userinit:
        SourceImage: 'C:\Windows\System32\userinit.exe'
        TargetImage: 'C:\Windows\explorer.exe'
    filter_main_winword:
        SourceImage|endswith: '\WINWORD.EXE'
        TargetImage|startswith:
            - 'C:\Program Files (x86)\' # C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            - 'C:\Program Files\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
    filter_main_ms_office:
        # Raised by following issue: https://github.com/SigmaHQ/sigma/issues/5529
        SourceImage|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        TargetImage: 'System'
    filter_optional_explorer_vmtools:
        SourceImage|endswith: '\SysWOW64\explorer.exe'
        TargetImage:
            - 'C:\Program Files (x86)\VMware\VMware Tools\vmtoolsd.exe'
            - 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: high

title: Renamed Mavinject.EXE Execution
id: e6474a1b-5390-49cd-ab41-8d88655f7394
status: test
description: Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
    - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
    - https://twitter.com/gN3mes1s/status/941315826107510784
    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
    - https://twitter.com/Hexacorn/status/776122138063409152  # Deleted tweet
    - https://github.com/SigmaHQ/sigma/issues/3742
    - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
author: frack113, Florian Roth
date: 2022-12-05
modified: 2023-02-03
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.001
    - attack.t1218.013
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName:
            - 'mavinject32.exe'
            - 'mavinject64.exe'
    filter:
        Image|endswith:
            - '\mavinject32.exe'
            - '\mavinject64.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high

title: Renamed ZOHO Dctask64 Execution
id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
status: test
description: |
    Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
    This binary can be abused for DLL injection, arbitrary command and process execution.
references:
    - https://twitter.com/gN3mes1s/status/1222088214581825540
    - https://twitter.com/gN3mes1s/status/1222095963789111296
    - https://twitter.com/gN3mes1s/status/1222095371175911424
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-28
modified: 2025-01-22
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1036
    - attack.t1055.001
    - attack.t1202
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains:
            - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
            - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
            - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
            - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
    filter_main_legit_name:
        Image|endswith: '\dctask64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Suspect Svchost Activity
id: 16c37b52-b141-42a5-a3ea-bbe098444397
status: test
description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
references:
    - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
author: David Burkett, @signalblur
date: 2019-12-28
modified: 2022-06-27
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|endswith: 'svchost.exe'
        Image|endswith: '\svchost.exe'
    filter:
        - ParentImage|endswith:
              - '\rpcnet.exe'
              - '\rpcnetp.exe'
        - CommandLine: null  # no CommandLine value available
    condition: selection and not filter
falsepositives:
    - Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf
level: high

title: Suspicious Child Process Of Wermgr.EXE
id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
related:
    - id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
      type: similar
status: test
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
references:
    - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
    - https://www.echotrail.io/insights/search/wermgr.exe
    - https://github.com/binderlabs/DirCreate2System
author: Florian Roth (Nextron Systems)
date: 2022-10-14
modified: 2024-08-29
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\wermgr.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\ipconfig.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\netstat.exe'
            - '\nslookup.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\systeminfo.exe'
            - '\whoami.exe'
            - '\wscript.exe'
    filter_main_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains|all:
            - 'C:\Windows\system32\WerConCpl.dll'
            - 'LaunchErcApp '
        CommandLine|contains:
            - '-queuereporting'
            - '-responsepester'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Suspicious Rundll32 Invoking Inline VBScript
id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd
status: test
description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
references:
    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'rundll32.exe'
            - 'Execute'
            - 'RegRead'
            - 'window.close'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Uncommon Svchost Command Line Parameter
id: f17211f1-1f24-4d0c-829f-31e28dc93cdd
status: experimental
description: |
    Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
    This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
references:
    - https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/
    - https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware
    - https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/
    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
author: Liran Ravich
date: 2025-11-14
modified: 2026-03-23
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1036.005
    - attack.t1055
    - attack.t1055.012
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example of command to simulate: "C:\Windows\System32\svchost.exe" calc.exe
        Image|endswith: '\svchost.exe'
    filter_main_flags:
        CommandLine|re: '-k\s\w{1,64}(?:\s?(?:-p|-s))?'
    filter_main_empty:
        CommandLine: ''
    filter_main_null:
        CommandLine: null
    filter_optional_defender:
        ParentImage|endswith: '\MsMpEng.exe'
        CommandLine|contains: 'svchost.exe'
    filter_optional_mrt:
        ParentImage|endswith: '\MRT.exe'
        CommandLine: 'svchost.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high

title: Created Files by Microsoft Sync Center
id: 409f8a98-4496-4aaa-818a-c931c0a8b832
status: test
description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2022-06-02
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.t1218
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection_mobsync:
        Image|endswith: '\mobsync.exe'
    filter_created_file:
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection_mobsync and filter_created_file
falsepositives:
    - Unknown
level: medium

title: Microsoft Sync Center Suspicious Network Connections
id: 9f2cc74d-78af-4eb2-bb64-9cd1d292b87b
status: test
description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2024-03-12
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.t1218
    - attack.execution
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        Image|endswith: '\mobsync.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Potential DLL Injection Or Execution Using Tracker.exe
id: 148431ce-4b70-403d-8525-fcc2993f29ea
status: test
description: Detects potential DLL injection and execution using "Tracker.exe"
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
author: 'Avneet Singh @v3t0_, oscd.community'
date: 2020-10-18
modified: 2023-01-09
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\tracker.exe'
        - Description: 'Tracker'
    selection_cli:
        CommandLine|contains:
            - ' /d '
            - ' /c '
    filter_msbuild1:
        CommandLine|contains: ' /ERRORREPORT:PROMPT '
    filter_msbuild2:
        # Example:
        #   GrandparentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\Msbuild\Current\Bin\MSBuild.exe
        #   ParentCommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" /nologo /nodemode:1 /nodeReuse:true /low:false
        #   CommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Tracker.exe" @"C:\Users\user\AppData\Local\Temp\tmp05c7789bc5534838bf96d7a0fed1ffff.tmp" /c "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x64\Lib.exe"
        ParentImage|endswith:
            - '\Msbuild\Current\Bin\MSBuild.exe'
            - '\Msbuild\Current\Bin\amd64\MSBuild.exe'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium

title: Potential DLL Sideloading Using Coregen.exe
id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171
status: test
description: Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
author: frack113
date: 2022-12-31
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1218
    - attack.t1055
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\coregen.exe'
    filter_main_legit_paths:
        ImageLoaded|startswith:
            - 'C:\Program Files (x86)\Microsoft Silverlight\'
            - 'C:\Program Files\Microsoft Silverlight\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: Potential Linux Process Code Injection Via DD Utility
id: 4cad6c64-d6df-42d6-8dae-eb78defdc415
status: test
description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
references:
    - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
    - https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
author: Joseph Kamau
date: 2023-12-01
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.009
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/dd'
        CommandLine|contains|all:
            - 'of='
            - '/proc/'
            - '/mem'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potential Process Hollowing Activity
id: c4b890e5-8d8c-4496-8c66-c805753817cd
status: test
description: Detects when a memory process image does not match the disk image, indicative of process hollowing.
references:
    - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
    - https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S
date: 2022-01-25
modified: 2023-11-28
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.012
logsource:
    product: windows
    category: process_tampering
detection:
    selection:
        Type: 'Image is replaced'
    filter_main_generic:
        Image|contains:
            - ':\Program Files (x86)'
            - ':\Program Files\'
            - ':\Windows\System32\wbem\WMIADAP.exe'
            - ':\Windows\SysWOW64\wbem\WMIADAP.exe'
    filter_optional_opera:
        Image|contains: '\AppData\Local\Programs\Opera\'
        Image|endswith: '\opera.exe'
    filter_optional_edge:
        Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium

title: Process Creation Using Sysnative Folder
id: 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab
status: test
description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
references:
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Max Altgelt (Nextron Systems)
date: 2022-08-23
modified: 2025-10-08
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains: ':\Windows\Sysnative\'
        - Image|contains: ':\Windows\Sysnative\'
    filter_main_ngen:
        Image|contains:
            - 'C:\Windows\Microsoft.NET\Framework64\v'
            - 'C:\Windows\Microsoft.NET\Framework\v'
            - 'C:\Windows\Microsoft.NET\FrameworkArm\v'
            - 'C:\Windows\Microsoft.NET\FrameworkArm64\v'
        Image|endswith: '\ngen.exe'
        CommandLine|contains: 'install'
    filter_optional_xampp:
        CommandLine|contains|all:
            - '"C:\Windows\sysnative\cmd.exe"'
            - '\xampp\'
            - '\catalina_start.bat'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium

title: Remote Thread Creation By Uncommon Source Image
id: 66d31e5f-52d6-40a4-9615-002d3789a119
related:
    - id: 02d1d718-dd13-41af-989d-ea85c7fab93f
      type: derived
status: test
description: Detects uncommon processes creating remote threads.
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019-10-27
modified: 2025-07-08
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\explorer.exe'
            - '\iexplore.exe'
            - '\msiexec.exe'
            - '\powerpnt.exe'
            - '\schtasks.exe'
            - '\winlogon.exe'
    filter_main_winlogon_1:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetImage:
            - 'C:\Windows\System32\services.exe' # happens on Windows 7
            - 'C:\Windows\System32\wininit.exe' # happens on Windows 7
            - 'C:\Windows\System32\csrss.exe' # multiple OS
            - 'C:\Windows\System32\LogonUI.exe' # multiple OS
            - 'C:\Windows\System32\wlrmdr.exe'
            - 'C:\Windows\System32\AtBroker.exe'
            - 'C:\Windows\System32\dwm.exe'
            - 'C:\Windows\System32\fontdrvhost.exe'
            - 'C:\Windows\System32\userinit.exe'
    filter_main_winlogon_2:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetParentProcessId: 4
    filter_main_schtasks_conhost:
        SourceImage:
            - 'C:\Windows\System32\schtasks.exe'
            - 'C:\Windows\SysWOW64\schtasks.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
    filter_main_explorer:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_main_system:
        TargetImage: 'System'
    filter_main_msiexec_1:
        # Note: MSI installers will trigger this
        SourceImage|endswith: '\msiexec.exe'
        TargetImage|contains:
            - '\AppData\Local\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\Microsoft.NET\Framework64\' # C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    filter_main_msiexec_2:
        SourceImage|endswith: '\msiexec.exe'
        TargetImage:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_main_iexplore:
        SourceImage: 'C:\Program Files\Internet Explorer\iexplore.exe'
        TargetImage:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Windows\System32\rundll32.exe'
    filter_main_powerpnt:
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage|contains:
            - 'C:\Program Files\Microsoft Office\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
            - 'C:\Program Files (x86)\Microsoft Office\'
    filter_optional_aurora_smartconsole1:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceCommandLine|contains|all:
            - 'https://'
            - '.checkpoint.com/documents/'
            - 'SmartConsole_OLH/'
            - 'default.htm#cshid='
    filter_optional_aurora_smartconsole2:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceParentImage|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
        SourceParentImage|contains|all:
            - '\CheckPoint\SmartConsole\'
            - '\SmartConsole.exe'
    filter_optional_powerpnt:
        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
        SourceImage|contains: '\Microsoft Office\'
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage: 'C:\Windows\System32\csrss.exe'
    filter_main_null:
        TargetImage: null
    filter_main_empty:
        TargetImage: ''
    filter_optional_onedrive:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
    filter_optional_aurora:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\aurora-dashboard.exe'
    filter_optional_officesetup:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\OfficeSetup.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: medium

title: Remote Thread Creation In Uncommon Target Image
id: a1a144b7-5c9b-4853-a559-2172be8d4a03
related:
    - id: f016c716-754a-467f-a39e-63c06f773987
      type: obsolete
status: test
description: Detects uncommon target processes for remote thread creation
references:
    - https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
author: Florian Roth (Nextron Systems)
date: 2022-03-16
modified: 2025-07-04
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.003
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        TargetImage|endswith:
            - '\calc.exe'
            - '\calculator.exe'
            - '\mspaint.exe'
            - '\notepad.exe'
            - '\ping.exe'
            - '\sethc.exe'
            - '\spoolsv.exe'
            - '\wordpad.exe'
            - '\write.exe'
    filter_main_csrss:
        SourceImage: 'C:\Windows\System32\csrss.exe'
    filter_main_notepad:
        SourceImage:
            - 'C:\Windows\System32\explorer.exe'
            - 'C:\Windows\System32\OpenWith.exe'
        TargetImage: 'C:\Windows\System32\notepad.exe'
    filter_main_sethc:
        SourceImage: 'C:\Windows\System32\AtBroker.exe'
        TargetImage: 'C:\Windows\System32\Sethc.exe'
    filter_optional_aurora_1:
        StartFunction: 'EtwpNotificationThread'
    filter_optional_aurora_2:
        SourceImage|contains: 'unknown process'
    filter_optional_vmtoolsd:
        SourceImage: 'C:\Program Files\VMware\VMware Tools\vmtoolsd.exe'
        StartFunction: 'GetCommandLineW'
        TargetImage:
            - 'C:\Windows\System32\notepad.exe'
            - 'C:\Windows\System32\spoolsv.exe'
    filter_optional_xerox_pjems:
        SourceImage: 'C:\Program Files\Xerox\XeroxPrintExperience\CommonFiles\XeroxPrintJobEventManagerService.exe'
        StartFunction: 'LoadLibraryW'
        TargetImage: 'C:\Windows\System32\spoolsv.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium

title: Suspicious Userinit Child Process
id: b655a06a-31c0-477a-95c2-3726b83d649d
status: test
description: Detects a suspicious child process of userinit
references:
    - https://twitter.com/SBousseaden/status/1139811587760562176
author: Florian Roth (Nextron Systems), Samir Bousseaden (idea)
date: 2019-06-17
modified: 2025-10-17
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\userinit.exe'
    filter_main_netlogon:
        CommandLine|contains: '\netlogon\'
    filter_main_explorer:
        - Image|endswith: '\explorer.exe'
        - OriginalFileName: 'explorer.exe'
        - CommandLine: 'C:\Windows\Explorer.EXE'
    filter_main_null:
        Image: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrative scripts
level: medium

title: Uncommon Process Access Rights For Target Image
id: a24e5861-c6ca-4fde-a93c-ba9256feddf0
status: test
description: |
    Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
references:
    - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-27
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.011
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith:
            # Note: Add additional uncommon targets to increase coverage.
            - '\calc.exe'
            - '\calculator.exe'
            - '\mspaint.exe'
            - '\notepad.exe'
            - '\ping.exe'
            - '\wordpad.exe'
            - '\write.exe'
        GrantedAccess: '0x1FFFFF' # PROCESS_ALL_ACCESS - All possible access rights for a process object.
    condition: selection
falsepositives:
    - Unknown
# Note: please upgrade to a higher level after an initial test/tuning.
level: low