title: Adwind RAT / JRAT File Artifact
id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1
related:
    - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71
      type: derived
status: test
description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
references:
    - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
    - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community
date: 2017-11-10
modified: 2022-12-02
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|contains|all:
              - '\AppData\Roaming\Oracle\bin\java'
              - '.exe'
        - TargetFilename|contains|all:
              - '\Retrive'
              - '.vbs'
    condition: selection
level: high

title: Csc.EXE Execution Form Potentially Suspicious Parent
id: b730a276-6b63-41b8-bcf8-55930c8fc6ee
status: test
description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
references:
    - https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing
    - https://reaqta.com/2017/11/short-journey-darkvnc/
    - https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2019-02-11
modified: 2026-03-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\csc.exe'
        - OriginalFileName: 'csc.exe'
    selection_parent_generic:
        ParentImage|endswith:
            - '\cscript.exe'
            - '\excel.exe'
            - '\mshta.exe'
            - '\onenote.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wscript.exe'
    selection_parent_powershell:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        ParentCommandLine|contains:
            - '-Encoded '
            - 'FromBase64String'
    selection_parent_susp_location:
        - ParentCommandLine|re: '(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
        - ParentCommandLine|contains:
              - ':\PerfLogs\'
              - ':\Users\Public\'
              - ':\Windows\Temp\'
              - '\Temporary Internet'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Pictures\'
    filter_main_programfiles:
        # Note: this is a generic filter. You could baseline execution in your env for a more robust rule
        ParentImage|startswith:
            - 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
            - 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_sdiagnhost:
        ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_w3p:
        ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
    filter_optional_chocolatey:
        ParentImage: 'C:\ProgramData\chocolatey\choco.exe' # Chocolatey https://chocolatey.org/
    filter_optional_defender:
        ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
    filter_optional_ansible:
        # Note: As ansible is widely used we exclude it with this generic filter.
        # A better option would be to filter based on script content basis or other marker while hunting
        ParentCommandLine|contains:
            # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
            - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
            - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
            - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
    condition: selection_img and 1 of selection_parent_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

title: Cscript/Wscript Uncommon Script Extension Execution
id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee
status: test
description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2023-06-19
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName:
              - 'wscript.exe'
              - 'cscript.exe'
        - Image|endswith:
              - '\wscript.exe'
              - '\cscript.exe'
    selection_extension:
        CommandLine|contains:
            # Note: add additional potential suspicious extension
            # We could specify the "//E:" flag to avoid typos by admin. But since that's prone to blind spots via the creation of assoc it's better not to include it
            - '.csv'
            - '.dat'
            - '.doc'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.png'
            - '.ppt'
            - '.txt'
            - '.xls'
            - '.xml'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
    - attack.execution
    - attack.initial-access
    - attack.stealth
    - attack.t1047
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218
    - attack.t1218.001
    - attack.t1218.010
    - attack.t1218.011
    - attack.t1566
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\hh.exe'
        Image|endswith:
            - '\CertReq.exe'
            - '\CertUtil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\installutil.exe'
            - '\MSbuild.exe'
            - '\MSHTA.EXE'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - CACTUSTORCH Remote Thread Creation
id: 2e4e488a-6164-4811-9ea1-f960c7359c40
status: test
description: Detects remote thread creation from CACTUSTORCH as described in references.
references:
    - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted
    - https://github.com/mdsecactivebreach/CACTUSTORCH
author: '@SBousseaden (detection), Thomas Patzke (rule)'
date: 2019-02-01
modified: 2023-05-05
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1055.012
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\System32\cscript.exe'
            - '\System32\wscript.exe'
            - '\System32\mshta.exe'
            - '\winword.exe'
            - '\excel.exe'
        TargetImage|contains: '\SysWOW64\'
        StartModule: null
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Koadic Execution
id: 5cddf373-ef00-4112-ad72-960ac29bac34
status: test
description: Detects command line parameters used by Koadic hack tool
references:
    - https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
    - https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js
    - https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
author: wagga, Jonhnathan Ribeiro, oscd.community
date: 2020-01-12
modified: 2023-02-11
tags:
    - attack.execution
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains|all:
            - '/q'
            - '/c'
            - 'chcp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: JXA In-memory Execution Via OSAScript
id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
related:
    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
      type: derived
status: test
description: Detects possible malicious execution of JXA in-memory via OSAScript
references:
    - https://redcanary.com/blog/applescript/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
tags:
    - attack.t1059.002
    - attack.t1059.007
    - attack.execution
logsource:
    product: macos
    category: process_creation
detection:
    selection_main:
        CommandLine|contains|all:
            - 'osascript'
            - ' -e '
            - 'eval'
            - 'NSData.dataWithContentsOfURL'
    selection_js:
        - CommandLine|contains|all:
              - ' -l '
              - 'JavaScript'
        - CommandLine|contains: '.js'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: MSHTA Execution with Suspicious File Extensions
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: test
description: |
    Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
    such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
    containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
    execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
references:
    - http://blog.sevagas.com/?Hacking-around-HTA-files
    - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
    - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
    - https://twitter.com/mattifestation/status/1326228491302563846
    - https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-02-22
modified: 2025-05-12
tags:
    - attack.stealth
    - attack.t1140
    - attack.t1218.005
    - attack.execution
    - attack.t1059.007
    - cve.2020-1599
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mshta.exe'
        - OriginalFileName: 'mshta.exe'
    selection_cli:
        CommandLine|contains:
            - '.7z'
            - '.avi'
            - '.bat'
            - '.bmp'
            - '.conf'
            - '.csv'
            - '.dll'
            - '.doc'
            - '.gif'
            - '.gz'
            - '.ini'
            - '.jpe'
            - '.jpg'
            - '.json'
            - '.lnk'
            - '.log'
            - '.mkv'
            - '.mp3'
            - '.mp4'
            - '.pdf'
            - '.png'
            - '.ppt'
            - '.rar'
            - '.rtf'
            - '.svg'
            - '.tar'
            - '.tmp'
            - '.txt'
            - '.xls'
            - '.xml'
            - '.yaml'
            - '.yml'
            - '.zip'
            - 'vbscript'
            # - '.chm'  # could be prone to false positives
            # - '.exe'
    condition: all of selection_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high

title: Potential Remote SquiblyTwo Technique Execution
id: 8d63dadf-b91b-4187-87b6-34a1114577ea
related:
    - id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
      type: similar
    - id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
      type: similar
status: test
description: |
    Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI)
    to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process
    malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript.
    The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it
    with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common
    LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
references:
    - https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html
    - https://twitter.com/mattifestation/status/986280382042595328 # Deleted
    - https://atomicredteam.io/defense-evasion/T1220/
    - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
    - https://x.com/byrne_emmy12099/status/1932346420226658668
author: Markus Neis, Florian Roth, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-01-16
modified: 2026-01-24
tags:
    - attack.stealth
    - attack.t1047
    - attack.t1220
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_pe:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
        - Hashes|contains:  # Sysmon field hashes contains all types
              - 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
              - 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
              - 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
              - 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
              - 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
    selection_cli:
        CommandLine|contains|windash: '/format:'
        CommandLine|contains:
            - '://'
            - '\\\\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
    - id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.credential-access
    - attack.t1552
    - attack.collection
    - attack.execution
    - attack.t1005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
           # Add more script interpreters as needed
            - '\node.exe'
            - '\bun.exe'
    selection_child:
        - Image|endswith:
              - 'trufflehog.exe'
              - 'gitleaks.exe'
        - CommandLine|contains:
              - 'trufflehog'
              - 'gitleaks'
    condition: all of selection_*
falsepositives:
    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml

title: Suspicious HH.EXE Execution
id: e8a95b5e-c891-46e2-b33a-93937d3abc31
status: test
description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin
date: 2020-04-01
modified: 2023-04-12
tags:
    - attack.execution
    - attack.initial-access
    - attack.stealth
    - attack.t1047
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218
    - attack.t1218.001
    - attack.t1218.010
    - attack.t1218.011
    - attack.t1566
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'HH.exe'
        - Image|endswith: '\hh.exe'
    selection_paths:
        CommandLine|contains:
            - '.application'
            - '\AppData\Local\Temp\'
            - '\Content.Outlook\'
            - '\Downloads\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            # - '\AppData\Local\Temp\Temp?_'
            # - '\AppData\Local\Temp\Rar$'
            # - '\AppData\Local\Temp\7z'
            # - '\AppData\Local\Temp\wz'
            # - '\AppData\Local\Temp\peazip-tmp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: WScript or CScript Dropper - File
id: 002bdb95-0cf1-46a6-9e08-d38c128a6127
related:
    - id: cea72823-df4d-4567-950c-0b579eaf0846
      type: derived
status: test
description: Detects a file ending in jse, vbe, js, vba, vbs, wsf, wsh written by cscript.exe or wscript.exe
references:
    - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
author: Tim Shelton
date: 2022-01-10
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        TargetFilename|contains:
            - ':\Perflogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - '\Start Menu\Programs\Startup\'
            - '\Temporary Internet'
        TargetFilename|endswith:
            - '.js'
            - '.jse'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    condition: selection
falsepositives:
    - Unknown
level: high

title: AppLocker Prevented Application or Script from Running
id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
status: test
description: |
    Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
    - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
author: Pushkarev Dmitry
date: 2020-06-28
modified: 2025-12-03
tags:
    - attack.execution
    - attack.t1204.002
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.006
    - attack.t1059.007
logsource:
    product: windows
    service: applocker
detection:
    selection:
        EventID:
            - 8004 # EXE and DLL
            - 8007 # MSI and Script
            - 8022 # Packaged app execution
            - 8025 # Packaged app deployment
    condition: selection
falsepositives:
    - Unlikely, since this event notifies about blocked application execution. Tune your applocker rules to avoid blocking legitimate applications.
level: medium

title: Node Process Executions
id: df1f26d3-bea7-4700-9ea2-ad3e990cf90e
status: test
description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
references:
    - https://twitter.com/mttaggart/status/1511804863293784064
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Adobe Creative Cloud Experience\libs\node.exe'
    filter:
        CommandLine|contains: 'Adobe Creative Cloud Experience\js' # Folder where Creative Cloud's JS resources are located
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

title: Potential Dropper Script Execution Via WScript/CScript/MSHTA
id: cea72823-df4d-4567-950c-0b579eaf0846
related:
    - id: 1e33157c-53b1-41ad-bbcc-780b80b58288
      type: similar
status: test
description: Detects wscript/cscript/mshta executions of scripts located in user directories
references:
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://redcanary.com/blog/gootloader/
    - https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems), Dave Johnson
date: 2019-01-16
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_exec:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
    selection_paths:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Tmp\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\Temp\'
            - '\Start Menu\Programs\Startup\'
            - '\Temporary Internet'
            - '\Windows\Temp'
            - '%LocalAppData%\Temp\'
            - '%TEMP%'
            - '%TMP%'
    selection_ext:
        CommandLine|contains:
            - '.hta'
            - '.js'
            - '.jse'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    condition: all of selection_*
falsepositives:
    - Some installers might generate a similar behavior. An initial baseline is required
level: medium

title: Potential In-Memory Download And Compile Of Payloads
id: 13db8d2e-7723-4c2c-93c1-a4d36994f7ef
status: test
description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
references:
    - https://redcanary.com/blog/mac-application-bundles/
author: Sohan G (D4rkCiph3r), Red Canary (idea)
date: 2023-08-22
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1059.007
    - attack.t1105
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        CommandLine|contains|all:
            - 'osacompile'
            - 'curl'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
id: 8537c866-072e-460d-bfff-aaf39cbd73d3
status: experimental
description: Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
references:
    - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
author: Microsoft (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-21
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\node.exe'
        - OriginalFileName: 'node.exe'
        - Product: 'Node.js'
    selection_cmd:
        CommandLine|contains|all:
            - 'http'
            - 'execSync'
            - 'spawn'
            - 'fs'
            - 'path'
            - 'zlib'
    condition: all of selection_*
falsepositives:
    - Legitimate scripts using Node.js with these modules
level: medium

title: Suspicious Installer Package Child Process
id: e0cfaecd-602d-41af-988d-f6ccebb2af26
status: test
description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
references:
    - https://redcanary.com/blog/clipping-silver-sparrows-wings/
    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
    - attack.t1059
    - attack.t1059.007
    - attack.t1071
    - attack.t1071.001
    - attack.execution
    - attack.command-and-control
logsource:
    category: process_creation
    product: macos
detection:
    selection_installer:
        ParentImage|endswith:
            - '/package_script_service'
            - '/installer'
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/dash'
            - '/python'
            - '/ruby'
            - '/perl'
            - '/php'
            - '/javascript'
            - '/osascript'
            - '/tclsh'
            - '/curl'
            - '/wget'
        CommandLine|contains:
            - 'preinstall'
            - 'postinstall'
    condition: selection_installer
falsepositives:
    - Legitimate software uses the scripts (preinstall, postinstall)
level: medium

title: XSL Script Execution Via WMIC.EXE
id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d
related:
    - id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
      type: similar
    - id: 8d63dadf-b91b-4187-87b6-34a1114577ea
      type: similar
status: test
description: |
    Detects the execution of WMIC with the "format" flag to potentially load local XSL files.
    Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
    Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
date: 2019-10-21
modified: 2026-01-24
tags:
    - attack.stealth
    - attack.t1047
    - attack.t1220
    - attack.execution
    - attack.t1059.005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
        - Hashes|contains:  # Sysmon field hashes contains all types
              - 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'
              - 'IMPHASH=37777A96245A3C74EB217308F3546F4C'
              - 'IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206'
              - 'IMPHASH=B12619881D79C3ACADF45E752A58554A'
              - 'IMPHASH=16A48C3CABF98A9DC1BF02C07FE1EA00'
    selection_cmd:
        CommandLine|contains|windash: '-format:'     # wmic process list -FORMAT /? or wmic process list /FORMAT /?
    filter_main_known_format:
        CommandLine|contains:
            - 'Format:List'
            - 'Format:htable'
            - 'Format:hform'
            - 'Format:table'
            - 'Format:mof'
            - 'Format:value'
            - 'Format:rawxml'
            - 'Format:xml'
            - 'Format:csv'
    filter_main_remote_operation: # Covered by 8d63dadf-b91b-4187-87b6-34a1114577ea
        CommandLine|contains:
            - '://'
            - '\\\\'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
    - Static format arguments - https://petri.com/command-line-wmi-part-3
level: medium

title: NodeJS Execution of JavaScript File
id: ba3874b9-0fae-465f-836c-eb5d071a1789
status: experimental
description: |
    Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious.
    Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development.
    Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems.
    Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
references:
    - https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-21
tags:
    - attack.execution
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\node.exe'
        - OriginalFileName: 'node.exe'
        - Product: 'Node.js'
    selection_cmd:
        CommandLine|contains: '.js'
    condition: all of selection_*
falsepositives:
    - Legitimate use of node.exe to execute JavaScript or JSC files on your environment
level: low

title: Suspicious Deno File Written from Remote Source
id: 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e
status: experimental
description: |
    Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL.
    This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
references:
    - https://taggart-tech.com/evildeno/
author: Josh Nickels, Michael Taggart
date: 2025-05-22
tags:
    - attack.execution
    - attack.t1204
    - attack.t1059.007
    - attack.command-and-control
    - attack.t1105
logsource:
    category: file_event
    product: windows
detection:
    selection_path:
        TargetFilename|contains:
            - '\deno\gen\'
            - '\deno\remote\https\'
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\'
    condition: selection_path
falsepositives:
    - Legitimate usage of deno to request a file or bring a DLL to a host
level: low