
Sigma detection rules

4 rules indexed · SIEM-agnostic detection content
Sigma is the open, vendor-neutral signature format for SIEM systems. Each rule below can be converted to the native query syntax of Splunk, Elastic, Microsoft Sentinel and other SIEMs. The raw Sigma YAML of each rule is shown beneath its summary.

Detection rules

Restricted Software Access By SRP (level: high)
Detects restricted access to applications by the Software Restriction Policies (SRP) policy
status: test · author: frack113 · id: b4c8da4a-1c12-46b0-8a2b-0a8521d03442
title: Restricted Software Access By SRP
id: b4c8da4a-1c12-46b0-8a2b-0a8521d03442
status: test
description: Detects restricted access to applications by the Software Restriction Policies (SRP) policy
references:
    - https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
    - https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
author: frack113
date: 2023-01-12
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1072
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-SoftwareRestrictionPolicies'
        EventID:
            - 865 # Access to %1 has been restricted by your Administrator by the default software restriction policy level
            - 866 # Access to %1 has been restricted by your Administrator by location with policy rule %2 placed on path %3.
            - 867 # Access to %1 has been restricted by your Administrator by software publisher policy.
            - 868 # Access to %1 has been restricted by your Administrator by policy rule %2.
            - 882 # Access to %1 has been restricted by your Administrator by policy rule %2.
    condition: selection
falsepositives:
    - Unknown
level: high
PDQ Deploy Remote Administration Tool Execution (level: medium)
Detects use of the PDQ Deploy remote administration tool
status: test · author: frack113 · id: d679950c-abb7-43a6-80fb-2a480c4fc450
title: PDQ Deploy Remote Administration Tool Execution
id: d679950c-abb7-43a6-80fb-2a480c4fc450
related:
    - id: 12b8e9f5-96b2-41e1-9a42-8c6779a5c184
      type: similar
status: test
description: Detects use of the PDQ Deploy remote administration tool
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md
    - https://www.pdq.com/pdq-deploy/
author: frack113
date: 2022-10-01
modified: 2023-01-30
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1072
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: PDQ Deploy Console
        - Product: PDQ Deploy
        - Company: PDQ.com
        - OriginalFileName: PDQDeployConsole.exe
    condition: selection
falsepositives:
    - Legitimate use
level: medium
PUA - Radmin Viewer Utility Execution (level: medium)
Detects the execution of Radmin, which can be abused by an adversary to remotely control Windows machines
status: test · author: frack113 · id: 5817e76f-4804-41e6-8f1d-5fa0b3ecae2d
title: PUA - Radmin Viewer Utility Execution
id: 5817e76f-4804-41e6-8f1d-5fa0b3ecae2d
status: test
description: Detects the execution of Radmin, which can be abused by an adversary to remotely control Windows machines
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md
    - https://www.radmin.fr/
author: frack113
date: 2022-01-22
modified: 2023-12-11
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1072
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'Radmin Viewer'
        - Product: 'Radmin Viewer'
        - OriginalFileName: 'Radmin.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Suspicious Csi.exe Usage (level: medium)
Csi.exe is a signed Microsoft binary that ships with Visual Studio and provides C# interactive capabilities. It can run C# code from a file passed as a command-line parameter. An early version of this utility, provided with the Microsoft “Roslyn” Community Technology Preview, was named 'rcsi.exe'.
status: test · author: Konstantin Grishchenko, oscd.community · id: 40b95d31-1afc-469e-8d34-9a3a667d058e
title: Suspicious Csi.exe Usage
id: 40b95d31-1afc-469e-8d34-9a3a667d058e
status: test
description: Csi.exe is a signed Microsoft binary that ships with Visual Studio and provides C# interactive capabilities. It can run C# code from a file passed as a command-line parameter. An early version of this utility, provided with the Microsoft “Roslyn” Community Technology Preview, was named 'rcsi.exe'.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/
    - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
    - https://twitter.com/Z3Jpa29z/status/1317545798981324801
author: Konstantin Grishchenko, oscd.community
date: 2020-10-17
modified: 2022-07-11
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.stealth
    - attack.t1072
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\csi.exe'
              - '\rcsi.exe'
        - OriginalFileName:
              - 'csi.exe'
              - 'rcsi.exe'
    selection_cli:
        Company: 'Microsoft Corporation'
    condition: all of selection*
falsepositives:
    - Legitimate usage by software developers
level: medium
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin