title: AD Privileged Users or Groups Reconnaissance
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
status: test
description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
references:
    - https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-07-13
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    service: security
    definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
detection:
    selection:
        EventID: 4661
        ObjectType:
            - 'SAM_USER'
            - 'SAM_GROUP'
    selection_object:
        - ObjectName|endswith:
              - '-512'
              - '-502'
              - '-500'
              - '-505'
              - '-519'
              - '-520'
              - '-544'
              - '-551'
              - '-555'
        - ObjectName|contains: 'admin'
    filter:
        SubjectUserName|endswith: '$'
    condition: selection and selection_object and not filter
falsepositives:
    - If source account name is not an admin then its super suspicious
level: high

title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
status: test
description: Detects default file names outputted by the BloodHound collection tool SharpHound
references:
    - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
author: C.J. May
date: 2022-08-09
modified: 2026-02-19
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.001
    - attack.t1069.002
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - 'BloodHound.zip'
            - '_computers.json'
            - '_containers.json'
            # - '_domains.json'  # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome
            - '_gpos.json'
            - '_groups.json'
            - '_ous.json'
            - '_users.json'
    filter_optional_ms_winapps:
        Image|endswith: '\svchost.exe'
        TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
        TargetFilename|endswith: '\pocket_containers.json'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
level: high

title: Chopper Webshell Process Pattern
id: fa3c117a-bc0d-416e-a31b-0c0e80653efb
status: test
description: Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
author: Florian Roth (Nextron Systems), MSTI (query)
date: 2022-10-01
tags:
    - attack.persistence
    - attack.discovery
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    selection_origin:
        - Image|endswith: '\w3wp.exe'
        - ParentImage|endswith: '\w3wp.exe'
    selection_cmdline:
        CommandLine|contains:
            - '&ipconfig&echo'
            - '&quser&echo'
            - '&whoami&echo'
            - '&c:&echo'
            - '&cd&echo'
            - '&dir&echo'
            - '&echo [E]'
            - '&echo [S]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Discovery Using AzureHound
id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
status: test
description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
references:
    - https://github.com/BloodHoundAD/AzureHound
author: Janantha Marasinghe
date: 2022-11-27
tags:
    - attack.discovery
    - attack.t1087.004
    - attack.t1526
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        userAgent|contains: 'azurehound'
        ResultType: 0
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - Bloodhound/Sharphound Execution
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
status: test
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
references:
    - https://github.com/BloodHoundAD/BloodHound
    - https://github.com/BloodHoundAD/SharpHound
author: Florian Roth (Nextron Systems)
date: 2019-12-20
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.001
    - attack.t1069.002
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Product|contains: 'SharpHound'
        - Description|contains: 'SharpHound'
        - Company|contains:
              - 'SpecterOps'
              - 'evil corp'
        - Image|contains:
              - '\Bloodhound.exe'
              - '\SharpHound.exe'
    selection_cli_1:
        CommandLine|contains:
            - ' -CollectionMethod All '
            - ' --CollectionMethods Session '
            - ' --Loop --Loopduration '
            - ' --PortScanTimeout '
            - '.exe -c All -d '
            - 'Invoke-Bloodhound'
            - 'Get-BloodHoundData'
    selection_cli_2:
        CommandLine|contains|all:
            - ' -JsonFolder '
            - ' -ZipFileName '
    selection_cli_3:
        CommandLine|contains|all:
            - ' DCOnly '
            - ' --NoSaveCache '
    condition: 1 of selection_*
falsepositives:
    - Other programs that use these command line option and accepts an 'All' parameter
level: high

title: HackTool - SOAPHound Execution
id: e92a4287-e072-4a40-9739-370c106bb750
status: test
description: |
    Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
references:
    - https://github.com/FalconForceTeam/SOAPHound
    - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
author: '@kostastsale'
date: 2024-01-26
tags:
    - attack.discovery
    - attack.t1087
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains:
            - ' --buildcache '
            - ' --bhdump '
            - ' --certdump '
            - ' --dnsdump '
    selection_2:
        CommandLine|contains:
            - ' -c '
            - ' --cachefilename '
            - ' -o '
            - ' --outputdirectory'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: HackTool - winPEAS Execution
id: 98b53e78-ebaf-46f8-be06-421aafd176d9
status: test
description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
references:
    - https://github.com/carlospolop/PEASS-ng
    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
author: Georg Lauenstein (sure[secure])
date: 2022-09-19
modified: 2023-03-23
tags:
    - attack.privilege-escalation
    - attack.discovery
    - attack.t1082
    - attack.t1087
    - attack.t1046
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'winPEAS.exe'
        - Image|endswith:
              - '\winPEASany_ofs.exe'
              - '\winPEASany.exe'
              - '\winPEASx64_ofs.exe'
              - '\winPEASx64.exe'
              - '\winPEASx86_ofs.exe'
              - '\winPEASx86.exe'
    selection_cli_option:
        CommandLine|contains:
            - ' applicationsinfo' # Search installed applications information
            - ' browserinfo' # Search browser information
            - ' eventsinfo' # Display interesting events information
            - ' fileanalysis' # Search specific files that can contains credentials and for regexes inside files
            - ' filesinfo' # Search generic files that can contains credentials
            - ' processinfo' # Search processes information
            - ' servicesinfo' # Search services information
            - ' windowscreds' # Search windows credentials
    selection_cli_dl:
        CommandLine|contains: 'https://github.com/carlospolop/PEASS-ng/releases/latest/download/'
    selection_cli_specific:
        - ParentCommandLine|endswith: ' -linpeas'
        - CommandLine|endswith: ' -linpeas'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: Hacktool Ruler
id: 24549159-ac1b-479c-8175-d42aea947cae
status: test
description: This events that are generated when using the hacktool Ruler by Sensepost
references:
    - https://github.com/sensepost/ruler
    - https://github.com/sensepost/ruler/issues/47
    - https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
author: Florian Roth (Nextron Systems)
date: 2017-05-31
modified: 2022-10-09
tags:
    - attack.discovery
    - attack.execution
    - attack.collection
    - attack.lateral-movement
    - attack.t1087
    - attack.t1114
    - attack.t1059
    - attack.t1550.002
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID: 4776
        Workstation: 'RULER'
    selection2:
        EventID:
            - 4624
            - 4625
        WorkstationName: 'RULER'
    condition: (1 of selection*)
falsepositives:
    - Go utilities that use staaldraad awesome NTLM library
level: high

title: Malicious PowerShell Commandlets - PoshModule
id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
related:
    - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
      type: similar
    - id: 02030f2f-6199-49ec-b258-ea71b07e03dc
      type: similar
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/Kevin-Robertson/Powermad
    - https://github.com/adrecon/ADRecon
    - https://github.com/adrecon/AzureADRecon
    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-20
modified: 2025-12-10
tags:
    - attack.execution
    - attack.discovery
    - attack.t1482
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1069
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        Payload|contains:
            # Note: Please ensure alphabetical order when adding new entries
            - 'Add-Exfiltration'
            - 'Add-Persistence'
            - 'Add-RegBackdoor'
            - 'Add-RemoteRegBackdoor'
            - 'Add-ScrnSaveBackdoor'
            - 'BadSuccessor'
            - 'Check-VM'
            - 'ConvertTo-Rc4ByteStream'
            - 'Decrypt-Hash'
            - 'Disable-ADIDNSNode'
            - 'Disable-MachineAccount'
            - 'Do-Exfiltration'
            - 'Enable-ADIDNSNode'
            - 'Enable-MachineAccount'
            - 'Enabled-DuplicateToken'
            - 'Exploit-Jboss'
            - 'Export-ADR' # # ADRecon related cmdlets
            - 'Export-ADRCSV' # # ADRecon related cmdlets
            - 'Export-ADRExcel' # # ADRecon related cmdlets
            - 'Export-ADRHTML' # # ADRecon related cmdlets
            - 'Export-ADRJSON' # # ADRecon related cmdlets
            - 'Export-ADRXML' # # ADRecon related cmdlets
            - 'Find-Fruit'
            - 'Find-GPOLocation'
            - 'Find-TrustedDocuments'
            - 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
            - 'Get-ApplicationHost'
            - 'Get-ChromeDump'
            - 'Get-ClipboardContents'
            - 'Get-FoxDump'
            - 'Get-GPPPassword'
            - 'Get-IndexedItem'
            - 'Get-KerberosAESKey'
            - 'Get-Keystrokes'
            - 'Get-LSASecret'
            - 'Get-MachineAccountAttribute'
            - 'Get-MachineAccountCreator'
            - 'Get-PassHashes'
            - 'Get-RegAlwaysInstallElevated'
            - 'Get-RegAutoLogon'
            - 'Get-RemoteBootKey'
            - 'Get-RemoteCachedCredential'
            - 'Get-RemoteLocalAccountHash'
            - 'Get-RemoteLSAKey'
            - 'Get-RemoteMachineAccountHash'
            - 'Get-RemoteNLKMKey'
            - 'Get-RickAstley'
            - 'Get-Screenshot'
            - 'Get-SecurityPackages'
            - 'Get-ServiceFilePermission'
            - 'Get-ServicePermission'
            - 'Get-ServiceUnquoted'
            - 'Get-SiteListPassword'
            - 'Get-System'
            - 'Get-TimedScreenshot'
            - 'Get-UnattendedInstallFile'
            - 'Get-Unconstrained'
            - 'Get-USBKeystrokes'
            - 'Get-VaultCredential'
            - 'Get-VulnAutoRun'
            - 'Get-VulnSchTask'
            - 'Grant-ADIDNSPermission'
            - 'Gupt-Backdoor'
            - 'HTTP-Login'
            - 'Install-ServiceBinary'
            - 'Install-SSP'
            - 'Invoke-ACLScanner'
            - 'Invoke-ADRecon' # # ADRecon related cmdlets
            - 'Invoke-ADSBackdoor'
            - 'Invoke-AgentSmith'
            - 'Invoke-AllChecks'
            - 'Invoke-ARPScan'
            - 'Invoke-AzureHound'
            - 'Invoke-BackdoorLNK'
            - 'Invoke-BadPotato'
            - 'Invoke-BetterSafetyKatz'
            - 'Invoke-BypassUAC'
            - 'Invoke-Carbuncle'
            - 'Invoke-Certify'
            - 'Invoke-ConPtyShell'
            - 'Invoke-CredentialInjection'
            - 'Invoke-DAFT'
            - 'Invoke-DCSync'
            - 'Invoke-DinvokeKatz'
            - 'Invoke-DllInjection'
            - 'Invoke-DNSUpdate'
            - 'Invoke-DNSExfiltrator'
            - 'Invoke-DomainPasswordSpray'
            - 'Invoke-DowngradeAccount'
            - 'Invoke-EgressCheck'
            - 'Invoke-Eyewitness'
            - 'Invoke-FakeLogonScreen'
            - 'Invoke-Farmer'
            - 'Invoke-Get-RBCD-Threaded'
            - 'Invoke-Gopher'
            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
            - 'Invoke-HandleKatz'
            - 'Invoke-ImpersonatedProcess'
            - 'Invoke-ImpersonateSystem'
            - 'Invoke-InteractiveSystemPowerShell'
            - 'Invoke-Internalmonologue'
            - 'Invoke-Inveigh'
            - 'Invoke-InveighRelay'
            - 'Invoke-KrbRelay'
            - 'Invoke-LdapSignCheck'
            - 'Invoke-Lockless'
            - 'Invoke-MalSCCM'
            - 'Invoke-Mimikatz'
            - 'Invoke-Mimikittenz'
            - 'Invoke-MITM6'
            - 'Invoke-NanoDump'
            - 'Invoke-NetRipper'
            - 'Invoke-Nightmare'
            - 'Invoke-NinjaCopy'
            - 'Invoke-OfficeScrape'
            - 'Invoke-OxidResolver'
            - 'Invoke-P0wnedshell'
            - 'Invoke-Paranoia'
            - 'Invoke-PortScan'
            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
            - 'Invoke-PostExfil'
            - 'Invoke-PowerDump'
            - 'Invoke-PowerDPAPI'
            - 'Invoke-PowerShellTCP'
            - 'Invoke-PowerShellWMI'
            - 'Invoke-PPLDump'
            - 'Invoke-PsExec'
            - 'Invoke-PSInject'
            - 'Invoke-PsUaCme'
            - 'Invoke-ReflectivePEInjection'
            - 'Invoke-ReverseDNSLookup'
            - 'Invoke-Rubeus'
            - 'Invoke-RunAs'
            - 'Invoke-SafetyKatz'
            - 'Invoke-SauronEye'
            - 'Invoke-SCShell'
            - 'Invoke-Seatbelt'
            - 'Invoke-ServiceAbuse'
            - 'Invoke-ShadowSpray'
            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
            - 'Invoke-Shellcode'
            - 'Invoke-SMBScanner'
            - 'Invoke-Snaffler'
            - 'Invoke-Spoolsample'
            - 'Invoke-SpraySinglePassword'
            - 'Invoke-SSHCommand'
            - 'Invoke-StandIn'
            - 'Invoke-StickyNotesExtract'
            - 'Invoke-SystemCommand'
            - 'Invoke-Tasksbackdoor'
            - 'Invoke-Tater'
            - 'Invoke-Thunderfox'
            - 'Invoke-ThunderStruck'
            - 'Invoke-TokenManipulation'
            - 'Invoke-Tokenvator'
            - 'Invoke-TotalExec'
            - 'Invoke-UrbanBishop'
            - 'Invoke-UserHunter'
            - 'Invoke-VoiceTroll'
            - 'Invoke-Whisker'
            - 'Invoke-WinEnum'
            - 'Invoke-winPEAS'
            - 'Invoke-WireTap'
            - 'Invoke-WmiCommand'
            - 'Invoke-WMIExec'
            - 'Invoke-WScriptBypassUAC'
            - 'Invoke-Zerologon'
            - 'MailRaider'
            - 'New-ADIDNSNode'
            - 'New-DNSRecordArray'
            - 'New-HoneyHash'
            - 'New-InMemoryModule'
            - 'New-MachineAccount'
            - 'New-SOASerialNumberArray'
            - 'Out-Minidump'
            - 'Port-Scan'
            - 'PowerBreach'
            - 'powercat '
            - 'PowerUp'
            - 'PowerView'
            - 'Remove-ADIDNSNode'
            - 'Remove-MachineAccount'
            - 'Remove-Update'
            - 'Rename-ADIDNSNode'
            - 'Revoke-ADIDNSPermission'
            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
            - 'Set-MacAttribute'
            - 'Set-MachineAccountAttribute'
            - 'Set-Wallpaper'
            - 'Show-TargetScreen'
            - 'Start-CaptureServer'
            - 'Start-Dnscat2'
            - 'Start-WebcamRecorder'
            - 'Veeam-Get-Creds'
            - 'VolumeShadowCopyTools'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Malicious PowerShell Commandlets - ProcessCreation
id: 02030f2f-6199-49ec-b258-ea71b07e03dc
related:
    - id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
      type: derived
    - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
      type: similar
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/Kevin-Robertson/Powermad
    - https://github.com/adrecon/ADRecon
    - https://github.com/adrecon/AzureADRecon
    - https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
modified: 2025-12-10
tags:
    - attack.execution
    - attack.discovery
    - attack.t1482
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1069
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: Please ensure alphabetical order when adding new entries
        CommandLine|contains:
            - 'Add-Exfiltration'
            - 'Add-Persistence'
            - 'Add-RegBackdoor'
            - 'Add-RemoteRegBackdoor'
            - 'Add-ScrnSaveBackdoor'
            - 'Check-VM'
            - 'ConvertTo-Rc4ByteStream'
            - 'Decrypt-Hash'
            - 'Disable-ADIDNSNode'
            - 'Disable-MachineAccount'
            - 'Do-Exfiltration'
            - 'Enable-ADIDNSNode'
            - 'Enable-MachineAccount'
            - 'Enabled-DuplicateToken'
            - 'Exploit-Jboss'
            - 'Export-ADR'
            - 'Export-ADRCSV'
            - 'Export-ADRExcel'
            - 'Export-ADRHTML'
            - 'Export-ADRJSON'
            - 'Export-ADRXML'
            - 'Find-Fruit'
            - 'Find-GPOLocation'
            - 'Find-TrustedDocuments'
            - 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
            - 'Get-ApplicationHost'
            - 'Get-ChromeDump'
            - 'Get-ClipboardContents'
            - 'Get-FoxDump'
            - 'Get-GPPPassword'
            - 'Get-IndexedItem'
            - 'Get-KerberosAESKey'
            - 'Get-Keystrokes'
            - 'Get-LSASecret'
            - 'Get-MachineAccountAttribute'
            - 'Get-MachineAccountCreator'
            - 'Get-PassHashes'
            - 'Get-RegAlwaysInstallElevated'
            - 'Get-RegAutoLogon'
            - 'Get-RemoteBootKey'
            - 'Get-RemoteCachedCredential'
            - 'Get-RemoteLocalAccountHash'
            - 'Get-RemoteLSAKey'
            - 'Get-RemoteMachineAccountHash'
            - 'Get-RemoteNLKMKey'
            - 'Get-RickAstley'
            - 'Get-Screenshot'
            - 'Get-SecurityPackages'
            - 'Get-ServiceFilePermission'
            - 'Get-ServicePermission'
            - 'Get-ServiceUnquoted'
            - 'Get-SiteListPassword'
            - 'Get-System'
            - 'Get-TimedScreenshot'
            - 'Get-UnattendedInstallFile'
            - 'Get-Unconstrained'
            - 'Get-USBKeystrokes'
            - 'Get-VaultCredential'
            - 'Get-VulnAutoRun'
            - 'Get-VulnSchTask'
            - 'Grant-ADIDNSPermission'
            - 'Gupt-Backdoor'
            - 'HTTP-Login'
            - 'Install-ServiceBinary'
            - 'Install-SSP'
            - 'Invoke-ACLScanner'
            - 'Invoke-ADRecon'
            - 'Invoke-ADSBackdoor'
            - 'Invoke-AgentSmith'
            - 'Invoke-AllChecks'
            - 'Invoke-ARPScan'
            - 'Invoke-AzureHound'
            - 'Invoke-BackdoorLNK'
            - 'Invoke-BadPotato'
            - 'Invoke-BetterSafetyKatz'
            - 'Invoke-BypassUAC'
            - 'Invoke-Carbuncle'
            - 'Invoke-Certify'
            - 'Invoke-ConPtyShell'
            - 'Invoke-CredentialInjection'
            - 'Invoke-DAFT'
            - 'Invoke-DCSync'
            - 'Invoke-DinvokeKatz'
            - 'Invoke-DllInjection'
            - 'Invoke-DNSUpdate'
            - 'Invoke-DNSExfiltrator'
            - 'Invoke-DomainPasswordSpray'
            - 'Invoke-DowngradeAccount'
            - 'Invoke-EgressCheck'
            - 'Invoke-Eyewitness'
            - 'Invoke-FakeLogonScreen'
            - 'Invoke-Farmer'
            - 'Invoke-Get-RBCD-Threaded'
            - 'Invoke-Gopher'
            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
            - 'Invoke-HandleKatz'
            - 'Invoke-ImpersonatedProcess'
            - 'Invoke-ImpersonateSystem'
            - 'Invoke-InteractiveSystemPowerShell'
            - 'Invoke-Internalmonologue'
            - 'Invoke-Inveigh'
            - 'Invoke-InveighRelay'
            - 'Invoke-KrbRelay'
            - 'Invoke-LdapSignCheck'
            - 'Invoke-Lockless'
            - 'Invoke-MalSCCM'
            - 'Invoke-Mimikatz'
            - 'Invoke-Mimikittenz'
            - 'Invoke-MITM6'
            - 'Invoke-NanoDump'
            - 'Invoke-NetRipper'
            - 'Invoke-Nightmare'
            - 'Invoke-NinjaCopy'
            - 'Invoke-OfficeScrape'
            - 'Invoke-OxidResolver'
            - 'Invoke-P0wnedshell'
            - 'Invoke-Paranoia'
            - 'Invoke-PortScan'
            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
            - 'Invoke-PostExfil'
            - 'Invoke-PowerDump'
            - 'Invoke-PowerDPAPI'
            - 'Invoke-PowerShellTCP'
            - 'Invoke-PowerShellWMI'
            - 'Invoke-PPLDump'
            - 'Invoke-PsExec'
            - 'Invoke-PSInject'
            - 'Invoke-PsUaCme'
            - 'Invoke-ReflectivePEInjection'
            - 'Invoke-ReverseDNSLookup'
            - 'Invoke-Rubeus'
            - 'Invoke-RunAs'
            - 'Invoke-SafetyKatz'
            - 'Invoke-SauronEye'
            - 'Invoke-SCShell'
            - 'Invoke-Seatbelt'
            - 'Invoke-ServiceAbuse'
            - 'Invoke-ShadowSpray'
            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
            - 'Invoke-Shellcode'
            - 'Invoke-SMBScanner'
            - 'Invoke-Snaffler'
            - 'Invoke-Spoolsample'
            - 'Invoke-SpraySinglePassword'
            - 'Invoke-SSHCommand'
            - 'Invoke-StandIn'
            - 'Invoke-StickyNotesExtract'
            - 'Invoke-SystemCommand'
            - 'Invoke-Tasksbackdoor'
            - 'Invoke-Tater'
            - 'Invoke-Thunderfox'
            - 'Invoke-ThunderStruck'
            - 'Invoke-TokenManipulation'
            - 'Invoke-Tokenvator'
            - 'Invoke-TotalExec'
            - 'Invoke-UrbanBishop'
            - 'Invoke-UserHunter'
            - 'Invoke-VoiceTroll'
            - 'Invoke-Whisker'
            - 'Invoke-WinEnum'
            - 'Invoke-winPEAS'
            - 'Invoke-WireTap'
            - 'Invoke-WmiCommand'
            - 'Invoke-WMIExec'
            - 'Invoke-WScriptBypassUAC'
            - 'Invoke-Zerologon'
            - 'MailRaider'
            - 'New-ADIDNSNode'
            - 'New-DNSRecordArray'
            - 'New-HoneyHash'
            - 'New-InMemoryModule'
            - 'New-MachineAccount'
            - 'New-SOASerialNumberArray'
            - 'Out-Minidump'
            - 'Port-Scan'
            - 'PowerBreach'
            - 'powercat '
            - 'PowerUp'
            - 'PowerView'
            - 'Remove-ADIDNSNode'
            - 'Remove-MachineAccount'
            - 'Remove-Update'
            - 'Rename-ADIDNSNode'
            - 'Revoke-ADIDNSPermission'
            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
            - 'Set-MacAttribute'
            - 'Set-MachineAccountAttribute'
            - 'Set-Wallpaper'
            - 'Show-TargetScreen'
            - 'Start-CaptureServer'
            - 'Start-Dnscat2'
            - 'Start-WebcamRecorder'
            - 'Veeam-Get-Creds'
            - 'VolumeShadowCopyTools'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Malicious PowerShell Commandlets - ScriptBlock
id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
related:
    - id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
      type: similar
    - id: 02030f2f-6199-49ec-b258-ea71b07e03dc
      type: similar
    - id: 6d3f1399-a81c-4409-aff3-1ecfe9330baf
      type: obsolete
    - id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
      type: obsolete
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
    - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
    - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
    - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
    - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
    - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
    - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
    - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
    - https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
    - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
    - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
    - https://github.com/HarmJ0y/DAMP
    - https://github.com/samratashok/nishang
    - https://github.com/DarkCoderSc/PowerRunAsSystem/
    - https://github.com/besimorhino/powercat
    - https://github.com/Kevin-Robertson/Powermad
    - https://github.com/adrecon/ADRecon
    - https://github.com/adrecon/AzureADRecon
    - https://github.com/The-Viper-One/Invoke-PowerDPAPI/
    - https://github.com/Arno0x/DNSExfiltrator/
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017-03-05
modified: 2025-12-10
tags:
    - attack.execution
    - attack.discovery
    - attack.t1482
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
    - attack.t1069.001
    - attack.t1069.002
    - attack.t1069
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            # Note: Please ensure alphabetical order when adding new entries
            - 'Add-Exfiltration'
            - 'Add-Persistence'
            - 'Add-RegBackdoor'
            - 'Add-RemoteRegBackdoor'
            - 'Add-ScrnSaveBackdoor'
            - 'ConvertTo-Rc4ByteStream'
            - 'Decrypt-Hash'
            - 'Disable-ADIDNSNode'
            - 'Do-Exfiltration'
            - 'Enable-ADIDNSNode'
            - 'Enabled-DuplicateToken'
            - 'Exploit-Jboss'
            - 'Export-ADRCSV'
            - 'Export-ADRExcel'
            - 'Export-ADRHTML'
            - 'Export-ADRJSON'
            - 'Export-ADRXML'
            - 'Find-Fruit'
            - 'Find-GPOLocation'
            - 'Find-TrustedDocuments'
            - 'Get-ADIDNSNodeAttribute'
            - 'Get-ADIDNSNodeOwner'
            - 'Get-ADIDNSNodeTombstoned'
            - 'Get-ADIDNSPermission'
            - 'Get-ADIDNSZone'
            - 'Get-ChromeDump'
            - 'Get-ClipboardContents'
            - 'Get-FoxDump'
            - 'Get-GPPPassword'
            - 'Get-IndexedItem'
            - 'Get-KerberosAESKey'
            - 'Get-Keystrokes'
            - 'Get-LSASecret'
            - 'Get-PassHashes'
            - 'Get-RegAlwaysInstallElevated'
            - 'Get-RegAutoLogon'
            - 'Get-RemoteBootKey'
            - 'Get-RemoteCachedCredential'
            - 'Get-RemoteLocalAccountHash'
            - 'Get-RemoteLSAKey'
            - 'Get-RemoteMachineAccountHash'
            - 'Get-RemoteNLKMKey'
            - 'Get-RickAstley'
            - 'Get-SecurityPackages'
            - 'Get-ServiceFilePermission'
            - 'Get-ServicePermission'
            - 'Get-ServiceUnquoted'
            - 'Get-SiteListPassword'
            - 'Get-System'
            - 'Get-TimedScreenshot'
            - 'Get-UnattendedInstallFile'
            - 'Get-Unconstrained'
            - 'Get-USBKeystrokes'
            - 'Get-VaultCredential'
            - 'Get-VulnAutoRun'
            - 'Get-VulnSchTask'
            - 'Grant-ADIDNSPermission'
            - 'Gupt-Backdoor'
            - 'Invoke-ACLScanner'
            - 'Invoke-ADRecon'
            - 'Invoke-ADSBackdoor'
            - 'Invoke-AgentSmith'
            - 'Invoke-AllChecks'
            - 'Invoke-ARPScan'
            - 'Invoke-AzureHound'
            - 'Invoke-BackdoorLNK'
            - 'Invoke-BadPotato'
            - 'Invoke-BetterSafetyKatz'
            - 'Invoke-BypassUAC'
            - 'Invoke-Carbuncle'
            - 'Invoke-Certify'
            - 'Invoke-ConPtyShell'
            - 'Invoke-CredentialInjection'
            - 'Invoke-DAFT'
            - 'Invoke-DCSync'
            - 'Invoke-DinvokeKatz'
            - 'Invoke-DllInjection'
            - 'Invoke-DNSUpdate'
            - 'Invoke-DNSExfiltrator'
            - 'Invoke-DomainPasswordSpray'
            - 'Invoke-DowngradeAccount'
            - 'Invoke-EgressCheck'
            - 'Invoke-Eyewitness'
            - 'Invoke-FakeLogonScreen'
            - 'Invoke-Farmer'
            - 'Invoke-Get-RBCD-Threaded'
            - 'Invoke-Gopher'
            - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
            - 'Invoke-HandleKatz'
            - 'Invoke-ImpersonatedProcess'
            - 'Invoke-ImpersonateSystem'
            - 'Invoke-InteractiveSystemPowerShell'
            - 'Invoke-Internalmonologue'
            - 'Invoke-Inveigh'
            - 'Invoke-InveighRelay'
            - 'Invoke-KrbRelay'
            - 'Invoke-LdapSignCheck'
            - 'Invoke-Lockless'
            - 'Invoke-MalSCCM'
            - 'Invoke-Mimikatz'
            - 'Invoke-Mimikittenz'
            - 'Invoke-MITM6'
            - 'Invoke-NanoDump'
            - 'Invoke-NetRipper'
            - 'Invoke-Nightmare'
            - 'Invoke-NinjaCopy'
            - 'Invoke-OfficeScrape'
            - 'Invoke-OxidResolver'
            - 'Invoke-P0wnedshell'
            - 'Invoke-Paranoia'
            - 'Invoke-PortScan'
            - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
            - 'Invoke-PostExfil'
            - 'Invoke-PowerDump'
            - 'Invoke-PowerDPAPI'
            - 'Invoke-PowerShellTCP'
            - 'Invoke-PowerShellWMI'
            - 'Invoke-PPLDump'
            - 'Invoke-PsExec'
            - 'Invoke-PSInject'
            - 'Invoke-PsUaCme'
            - 'Invoke-ReflectivePEInjection'
            - 'Invoke-ReverseDNSLookup'
            - 'Invoke-Rubeus'
            - 'Invoke-RunAs'
            - 'Invoke-SafetyKatz'
            - 'Invoke-SauronEye'
            - 'Invoke-SCShell'
            - 'Invoke-Seatbelt'
            - 'Invoke-ServiceAbuse'
            - 'Invoke-ShadowSpray'
            - 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
            - 'Invoke-Shellcode'
            - 'Invoke-SMBScanner'
            - 'Invoke-Snaffler'
            - 'Invoke-Spoolsample'
            - 'Invoke-SpraySinglePassword'
            - 'Invoke-SSHCommand'
            - 'Invoke-StandIn'
            - 'Invoke-StickyNotesExtract'
            - 'Invoke-SystemCommand'
            - 'Invoke-Tasksbackdoor'
            - 'Invoke-Tater'
            - 'Invoke-Thunderfox'
            - 'Invoke-ThunderStruck'
            - 'Invoke-TokenManipulation'
            - 'Invoke-Tokenvator'
            - 'Invoke-TotalExec'
            - 'Invoke-UrbanBishop'
            - 'Invoke-UserHunter'
            - 'Invoke-VoiceTroll'
            - 'Invoke-Whisker'
            - 'Invoke-WinEnum'
            - 'Invoke-winPEAS'
            - 'Invoke-WireTap'
            - 'Invoke-WmiCommand'
            - 'Invoke-WMIExec'
            - 'Invoke-WScriptBypassUAC'
            - 'Invoke-Zerologon'
            - 'MailRaider'
            - 'New-ADIDNSNode'
            - 'New-HoneyHash'
            - 'New-InMemoryModule'
            - 'New-SOASerialNumberArray'
            - 'Out-Minidump'
            - 'PowerBreach'
            - 'powercat '
            - 'PowerUp'
            - 'PowerView'
            - 'Remove-ADIDNSNode'
            - 'Remove-Update'
            - 'Rename-ADIDNSNode'
            - 'Revoke-ADIDNSPermission'
            - 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
            - 'Show-TargetScreen'
            - 'Start-CaptureServer'
            - 'Start-Dnscat2'
            - 'Start-WebcamRecorder'
            - 'VolumeShadowCopyTools'
            # - 'Check-VM'
            # - 'Disable-MachineAccount'
            # - 'Enable-MachineAccount'
            # - 'Get-ApplicationHost'
            # - 'Get-MachineAccountAttribute'
            # - 'Get-MachineAccountCreator'
            # - 'Get-Screenshot'
            # - 'HTTP-Login'
            # - 'Install-ServiceBinary'
            # - 'Install-SSP'
            # - 'New-DNSRecordArray'
            # - 'New-MachineAccount'
            # - 'Port-Scan'
            # - 'Remove-MachineAccount'
            # - 'Set-MacAttribute'
            # - 'Set-MachineAccountAttribute'
            # - 'Set-Wallpaper'
    filter_optional_amazon_ec2:
        ScriptBlockText|contains:
            - Get-SystemDriveInfo  # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
            - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\  # false positive form Amazon EC2
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

title: Network Reconnaissance Activity
id: e6313acd-208c-44fc-a0ff-db85d572e90e
status: test
description: Detects a set of suspicious network related commands often used in recon stages
references:
    - https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
author: Florian Roth (Nextron Systems)
date: 2022-02-07
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1082
    - car.2016-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'nslookup'
            - '_ldap._tcp.dc._msdcs.'
    condition: selection
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high

title: PUA - AdFind Suspicious Execution
id: 9a132afa-654e-11eb-ae93-0242ac130002
related:
    - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
      type: similar
    - id: 75df3b17-8bcc-4565-b89b-c9898acef911
      type: obsolete
status: test
description: Detects AdFind execution with common flags seen used during attacks
references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://thedfirreport.com/2020/05/08/adfind-recon/
    - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
    - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects
author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
date: 2021-02-02
modified: 2025-10-24
tags:
    - attack.discovery
    - attack.t1018
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.002
    - stp.1u
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'domainlist'
            - 'trustdmp'
            - 'dcmodes'
            - 'adinfo'
            - '-sc dclist'
            - 'computer_pwdnotreqd'
            - 'objectcategory='
            - '-subnets -f'
            - 'name="Domain Admins"'
            - '-sc u:'
            - 'domainncs'
            - 'dompol'
            - ' oudmp '
            - 'subnetdmp'
            - 'gpodmp'
            - 'fspdmp'
            - 'users_noexpire'
            - 'computers_active'
            - 'computers_pwdnotreqd'
    condition: selection
falsepositives:
    - Legitimate admin activity
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage/info.yml
simulation:
    - type: atomic-red-team
      name: Adfind - Enumerate Active Directory Computer Objects
      technique: T1018
      atomic_guid: a889f5be-2d54-4050-bd05-884578748bb4
    - type: atomic-red-team
      name: Adfind - Enumerate Active Directory Domain Controller Objects
      technique: T1018
      atomic_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e

title: PUA - Seatbelt Execution
id: 38646daa-e78f-4ace-9de0-55547b2d30da
status: test
description: Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
references:
    - https://github.com/GhostPack/Seatbelt
    - https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-18
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.t1526
    - attack.t1087
    - attack.t1083
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Seatbelt.exe'
        - OriginalFileName: 'Seatbelt.exe'
        - Description: 'Seatbelt'
        - CommandLine|contains:
              # This just a list of the commands that will produce the least amount of FP in "theory"
              # Comment out/in as needed in your environment
              # To get the full list of commands see reference section
              - ' DpapiMasterKeys'
              - ' InterestingProcesses'
              - ' InterestingFiles'
              - ' CertificateThumbprints'
              - ' ChromiumBookmarks'
              - ' ChromiumHistory'
              - ' ChromiumPresence'
              - ' CloudCredentials'
              - ' CredEnum'
              - ' CredGuard'
              - ' FirefoxHistory'
              - ' ProcessCreationEvents'
              # - ' RDPSessions'
              # - ' PowerShellHistory'
    selection_group_list:
        CommandLine|contains:
            - ' -group=misc'
            - ' -group=remote'
            - ' -group=chromium'
            - ' -group=slack'
            - ' -group=system'
            - ' -group=user'
            - ' -group=all'
    selection_group_output:
        CommandLine|contains: ' -outputfile='
    condition: selection_img or all of selection_group_*
falsepositives:
    - Unlikely
level: high

title: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
related:
    - id: 9a132afa-654e-11eb-ae93-0242ac130002
      type: similar
    - id: 514e7e3e-b3b4-4a67-af60-be20f139198b
      type: similar
status: test
description: Detects active directory enumeration activity using known AdFind CLI flags
references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
author: frack113
date: 2021-12-13
modified: 2023-03-05
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    category: process_creation
detection:
    selection_password: # Listing password policy
        CommandLine|contains:
            - lockoutduration
            - lockoutthreshold
            - lockoutobservationwindow
            - maxpwdage
            - minpwdage
            - minpwdlength
            - pwdhistorylength
            - pwdproperties
    selection_enum_ad: # Enumerate Active Directory Admins
        CommandLine|contains: '-sc admincountdmp'
    selection_enum_exchange: # Enumerate Active Directory Exchange AD Objects
        CommandLine|contains: '-sc exchaddresses'
    condition: 1 of selection_*
falsepositives:
    - Authorized administrative activity
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration/info.yml

title: Reconnaissance Activity
id: 968eef52-9cff-4454-8992-1e74b9cbad6c
status: test
description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
references:
    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
date: 2017-03-07
modified: 2022-08-22
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.s0039
logsource:
    product: windows
    service: security
    definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
    selection:
        EventID: 4661
        AccessMask: '0x2d'
        ObjectType:
            - 'SAM_USER'
            - 'SAM_GROUP'
        ObjectName|startswith: 'S-1-5-21-'
        ObjectName|endswith:
            - '-500'
            - '-512'
    condition: selection
falsepositives:
    - Administrator activity
level: high

title: Renamed AdFind Execution
id: df55196f-f105-44d3-a675-e9dfb6cc2f2b
status: test
description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://thedfirreport.com/2020/05/08/adfind-recon/
    - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
    - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
author: Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2025-02-26
tags:
    - attack.discovery
    - attack.t1018
    - attack.t1087.002
    - attack.t1482
    - attack.t1069.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains:
            - 'domainlist'
            - 'trustdmp'
            - 'dcmodes'
            - 'adinfo'
            - ' dclist '
            - 'computer_pwdnotreqd'
            - 'objectcategory='
            - '-subnets -f'
            - 'name="Domain Admins"'
            - '-sc u:'
            - 'domainncs'
            - 'dompol'
            - ' oudmp '
            - 'subnetdmp'
            - 'gpodmp'
            - 'fspdmp'
            - 'users_noexpire'
            - 'computers_active'
            - 'computers_pwdnotreqd'
    selection_2:
        Hashes|contains:
            - 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'
            - 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'
            - 'IMPHASH=d144de8117df2beceaba2201ad304764'
            - 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
            - 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
            - 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
            - 'IMPHASH=680dad9e300346e05a85023965867201'
            - 'IMPHASH=21aa085d54992511b9f115355e468782'
    selection_3:
        OriginalFileName: 'AdFind.exe'
    filter:
        Image|endswith: '\AdFind.exe'
    condition: 1 of selection* and not filter
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_adfind/info.yml

title: SharpHound Recon Account Discovery
id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
status: test
description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.t1087
    - attack.discovery
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a
        OpNum: 2
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Active Directory Database Snapshot Via ADExplorer
id: ef61af62-bc74-4f58-b49b-626448227652
related:
    - id: 9212f354-7775-4e28-9c9f-8f0a4544e664
      type: derived
status: test
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
    - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
    - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
    - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
    - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
    - https://trustedsec.com/blog/adexplorer-on-engagements
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
modified: 2025-07-09
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\ADExp.exe'
              - '\ADExplorer.exe'
              - '\ADExplorer64.exe'
              - '\ADExplorer64a.exe'
        - OriginalFileName: 'AdExp'
        - Description: 'Active Directory Editor'
        - Product: 'Sysinternals ADExplorer'
    selection_flag:
        CommandLine|contains: 'snapshot'
    selection_paths:
        CommandLine|contains:
            # TODO: Add more suspicious paths
            - '\Downloads\'
            - '\Users\Public\'
            - '\AppData\'
            - '\Windows\Temp\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Webshell Detection With Command Line Keywords
id: bed2a484-9348-4143-8a8a-b801c979301c
status: test
description: Detects certain command line parameters often used during reconnaissance activity via web shells
references:
    - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
    - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community, Chad Hudson, Matt Anderson
date: 2017-01-01
modified: 2024-12-14
tags:
    - attack.persistence
    - attack.discovery
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    selection_webserver_image:
        ParentImage|endswith:
            - '\w3wp.exe'
            - '\php-cgi.exe'
            - '\nginx.exe'
            - '\httpd.exe'
            - '\caddy.exe'
            - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'catalina.jar'
            - 'CATALINA_HOME'
    selection_susp_net_utility:
        OriginalFileName:
            - 'net.exe'
            - 'net1.exe'
        CommandLine|contains:
            - ' user '
            - ' use '
            - ' group '
    selection_susp_ping_utility:
        OriginalFileName: 'ping.exe'
        CommandLine|contains: ' -n '
    selection_susp_change_dir:
        CommandLine|contains:
            - '&cd&echo'  # china chopper web shell
            - 'cd /d '  # https://www.computerhope.com/cdhlp.htm
    selection_susp_wmic_utility:
        OriginalFileName: 'wmic.exe'
        CommandLine|contains: ' /node:'
    selection_susp_powershell_cli:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - ' -enc '
            - ' -EncodedCommand '
            - ' -w hidden '
            - ' -windowstyle hidden'
            - '.WebClient).Download'
    selection_susp_misc_discovery_binaries:
        - Image|endswith:
              - '\dsquery.exe'
              - '\find.exe'
              - '\findstr.exe'
              - '\ipconfig.exe'
              - '\netstat.exe'
              - '\nslookup.exe'
              - '\pathping.exe'
              - '\quser.exe'
              - '\schtasks.exe'
              - '\systeminfo.exe'
              - '\tasklist.exe'
              - '\tracert.exe'
              - '\ver.exe'
              - '\wevtutil.exe'
              - '\whoami.exe'
        - OriginalFileName:
              - 'dsquery.exe'
              - 'find.exe'
              - 'findstr.exe'
              - 'ipconfig.exe'
              - 'netstat.exe'
              - 'nslookup.exe'
              - 'pathping.exe'
              - 'quser.exe'
              - 'schtasks.exe'
              - 'sysinfo.exe'
              - 'tasklist.exe'
              - 'tracert.exe'
              - 'ver.exe'
              - 'VSSADMIN.EXE'
              - 'wevtutil.exe'
              - 'whoami.exe'
    selection_susp_misc_discovery_commands:
        CommandLine|contains:
            - ' Test-NetConnection '
            - 'dir \'  # remote dir: dir \<redacted IP #3>\C$:\windows\temp\*.exe
    condition: 1 of selection_webserver_* and 1 of selection_susp_*
falsepositives:
    - Unknown
level: high

title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
    Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
    - https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2023-11-09
tags:
    - attack.persistence
    - attack.discovery
    - attack.t1505.003
    - attack.t1018
    - attack.t1033
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
   # Webserver
    selection_webserver_image:
        ParentImage|endswith:
            - '\caddy.exe'
            - '\httpd.exe'
            - '\nginx.exe'
            - '\php-cgi.exe'
            - '\w3wp.exe'
            - '\ws_tomcatservice.exe'
    selection_webserver_characteristics_tomcat1:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        ParentImage|contains:
            - '-tomcat-'
            - '\tomcat'
    selection_webserver_characteristics_tomcat2:
        ParentImage|endswith:
            - '\java.exe'
            - '\javaw.exe'
        CommandLine|contains:
            - 'catalina.jar'
            - 'CATALINA_HOME'
    # Suspicious child processes
    selection_child_1:
        # Process dumping
        CommandLine|contains|all:
            - 'rundll32'
            - 'comsvcs'
    selection_child_2:
        # Winrar exfil
        CommandLine|contains|all:
            - ' -hp'
            - ' a '
            - ' -m'
    selection_child_3:
        # User add
        CommandLine|contains|all:
            - 'net'
            - ' user '
            - ' /add'
    selection_child_4:
        CommandLine|contains|all:
            - 'net'
            - ' localgroup '
            - ' administrators '
            - '/add'
    selection_child_5:
        Image|endswith:
            # Credential stealing
            - '\ntdsutil.exe'
            # AD recon
            - '\ldifde.exe'
            - '\adfind.exe'
            # Process dumping
            - '\procdump.exe'
            - '\Nanodump.exe'
            # Destruction / ransom groups
            - '\vssadmin.exe'
            - '\fsutil.exe'
    selection_child_6:
        # SUspicious patterns
        CommandLine|contains:
            - ' -decode '  # Used with certutil
            - ' -NoP '  # Often used in malicious PowerShell commands
            - ' -W Hidden '  # Often used in malicious PowerShell commands
            - ' /decode '  # Used with certutil
            - ' /ticket:'  # Rubeus
            - ' sekurlsa'  # Mimikatz
            - '.dmp full'  # Process dumping method apart from procdump
            - '.downloadfile('  # PowerShell download command
            - '.downloadstring('  # PowerShell download command
            - 'FromBase64String' # PowerShell encoded payload
            - 'process call create' # WMIC process creation
            - 'reg save '  # save registry SAM - syskey extraction
            - 'whoami /priv'
    condition: 1 of selection_webserver_* and 1 of selection_child_*
falsepositives:
    - Unlikely
level: high

title: ADExplorer Writing Complete AD Snapshot Into .dat File
id: 0a1255c5-d732-4b62-ac02-b5152d34fb83
related:
    - id: 9212f354-7775-4e28-9c9f-8f0a4544e664
      type: similar
status: experimental
description: Detects the dual use tool ADExplorer writing a complete AD snapshot into a .dat file. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
    - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
    - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
    - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
    - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
    - https://trustedsec.com/blog/adexplorer-on-engagements
author: Arnim Rupp (Nextron Systems), Thomas Patzke
date: 2025-07-09
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.t1482
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\ADExp.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\ADExplorer64a.exe'
        TargetFilename|endswith: '.dat'
    condition: selection
falsepositives:
    - Legitimate use of ADExplorer by administrators creating .dat snapshots
level: medium

title: AWS STS GetCallerIdentity Enumeration Via TruffleHog
id: 9b1b8e9b-0a5d-4af1-9d2f-4c4b6e7c2c9d
status: experimental
description: |
    Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog.
    Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys.
    Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment.
references:
    - https://www.rapid7.com/blog/post/tr-crimson-collective-a-new-threat-group-observed-operating-in-the-cloud/
    - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html
    - https://github.com/trufflesecurity/trufflehog
author: Adan Alvarez @adanalvarez
date: 2025-10-12
tags:
    - attack.discovery
    - attack.t1087.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection:
        eventSource: 'sts.amazonaws.com'
        eventName: 'GetCallerIdentity'
        userAgent|contains: 'TruffleHog'
    condition: selection
falsepositives:
    - Legitimate internal security scanning or key validation that intentionally uses TruffleHog. Authorize and filter known scanner roles, IP ranges, or assumed roles as needed.
level: medium

title: Active Directory Database Snapshot Via ADExplorer
id: 9212f354-7775-4e28-9c9f-8f0a4544e664
related:
    - id: ef61af62-bc74-4f58-b49b-626448227652
      type: derived
status: test
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
    - https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
    - https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
    - https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
    - https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
    - https://trustedsec.com/blog/adexplorer-on-engagements
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
modified: 2025-07-09
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.t1482
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\ADExp.exe'
              - '\ADExplorer.exe'
              - '\ADExplorer64.exe'
              - '\ADExplorer64a.exe'
        - OriginalFileName: 'AdExp'
        - Description: 'Active Directory Editor'
        - Product: 'Sysinternals ADExplorer'
    selection_cli:
        CommandLine|contains: 'snapshot'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Active Directory Structure Export Via Csvde.EXE
id: e5d36acd-acb4-4c6f-a13f-9eb203d50099
status: test
description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
references:
    - https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
    - https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
    - https://redcanary.com/blog/msix-installers/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
tags:
    - attack.exfiltration
    - attack.discovery
    - attack.t1087.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\csvde.exe'
        - OriginalFileName: 'csvde.exe'
    selection_remote:
        CommandLine|contains: ' -f'
    filter_import:
        CommandLine|contains: ' -i'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium

title: PUA - AdFind.EXE Execution
id: 514e7e3e-b3b4-4a67-af60-be20f139198b
related:
    - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
      type: similar
status: experimental
description: Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment
references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-26
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - Image|endswith: '\AdFind.exe'
        - OriginalFileName: 'AdFind.exe'
        - Hashes|contains:
              - 'IMPHASH=d144de8117df2beceaba2201ad304764'
              - 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
              - 'IMPHASH=bca5675746d13a1f246e2da3c2217492'
              - 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
              - 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
              - 'IMPHASH=53e117a96057eaf19c41380d0e87f1c2'
              - 'IMPHASH=680dad9e300346e05a85023965867201'
              - 'IMPHASH=21aa085d54992511b9f115355e468782'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_adfind_execution/info.yml

title: Potential AD User Enumeration From Non-Machine Account
id: ab6bffca-beff-4baa-af11-6733f296d57a
status: test
description: Detects read access to a domain user from a non-machine account
references:
    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
    - http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
    - https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
author: Maxime Thiebaut (@0xThiebaut)
date: 2020-03-30
modified: 2022-11-08
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    service: security
    definition: 'Requirements: The "Read all properties" permission on the user object needs to be audited for the "Everyone" principal'
detection:
    selection:
        EventID: 4662
        # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
        # The user class (https://learn.microsoft.com/en-us/windows/win32/adschema/c-user)
        ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'
        AccessMask|endswith:
            # Note: Since the Access Mask can have more than once permission we need to add all permutations that include the READ property
            - '1?' # This covers all access masks that are 1 bytes or shorter and the "Read Property" itself
            - '3?' # Read Property + Write Property
            - '4?' # Read Property + Delete Tree
            - '7?' # Read Property + Write Property + Delete Tree
            - '9?' # Read Property + List Object
            - 'B?' # Read Property + Write Property + List Object
            - 'D?' # Read Property + Delete Tree + List Object
            - 'F?' # Covers usage of all possible 2 bytes permissions with any or none of the single byte permissions
    filter_main_machine_accounts:
        SubjectUserName|endswith: '$' # Exclude machine accounts
    filter_main_msql:
        SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrators configuring new users.
level: medium

title: Potential Active Directory Reconnaissance/Enumeration Via LDAP
id: 31d68132-4038-47c7-8f8e-635a39a7c174
status: test
description: Detects potential Active Directory enumeration via LDAP
references:
    - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
    - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
    - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
    - https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
    - https://ipurple.team/2024/07/15/sharphound-detection/
author: Adeem Mawani
date: 2021-06-22
modified: 2025-07-04
tags:
    - attack.discovery
    - attack.t1069.002
    - attack.t1087.002
    - attack.t1482
logsource:
    product: windows
    service: ldap
    definition: 'Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging'
detection:
    generic_search:
        EventID: 30
        SearchFilter|contains:
            - '(groupType:1.2.840.113556.1.4.803:=2147483648)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483656)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483652)'
            - '(groupType:1.2.840.113556.1.4.803:=2147483650)'
            - '(sAMAccountType=805306369)'
            - '(sAMAccountType=805306368)'
            - '(sAMAccountType=536870913)'
            - '(sAMAccountType=536870912)'
            - '(sAMAccountType=268435457)'
            - '(sAMAccountType=268435456)'
            - '(objectCategory=groupPolicyContainer)'
            - '(objectCategory=organizationalUnit)'
            # - '(objectCategory=Computer)' Prone to false positives
            - '(objectCategory=nTDSDSA)'
            - '(objectCategory=server)'
            - '(objectCategory=domain)'
            - '(objectCategory=person)'
            - '(objectCategory=group)'
            - '(objectCategory=user)'
            - '(objectClass=trustedDomain)'
            - '(objectClass=computer)'
            - '(objectClass=server)'
            - '(objectClass=group)'
            - '(objectClass=user)'
            - '(primaryGroupID=521)'
            - '(primaryGroupID=516)'
            - '(primaryGroupID=515)'
            - '(primaryGroupID=512)'
            - 'Domain Admins'
            - 'objectGUID=\*'
            - '(schemaIDGUID=\*)'
            - 'admincount=1'
    distinguished_name_enumeration:
        EventID: 30
        SearchFilter: '(objectclass=\*)'
        DistinguishedName|contains:
            - 'CN=Domain Admins'
            - 'CN=Enterprise Admins'
            - 'CN=Group Policy Creator Owners'
    suspicious_flag:
        EventID: 30
        SearchFilter|contains:
            - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
            - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
            - '(userAccountControl:1.2.840.113556.1.4.803:=544)'
            - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
            - 'msDS-AllowedToActOnBehalfOfOtherIdentity'
            - 'msDS-AllowedToDelegateTo'
            - 'msDS-GroupManagedServiceAccount'
            - '(accountExpires=9223372036854775807)'
            - '(accountExpires=0)'
            - '(adminCount=1)'
            - 'ms-MCS-AdmPwd'
    narrow_down_filter:
        EventID: 30
        SearchFilter|contains:
            - '(domainSid=*)'
            - '(objectSid=*)'
    condition: (generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration
level: medium

title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
related:
    - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
      type: derived
status: test
description: |
    Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
    This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
    - https://www.group-ib.com/blog/apt41-world-tour-2021/
    - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
    - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://ptsecurity.com/research/pt-esc-threat-intelligence/striking-panda-attacks-apt31-today
    - https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/
    - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-09-09
modified: 2025-12-02
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1552
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    selection_wmi:
        CommandLine|contains|all:
            - 'Select'
            - 'Win32_NTLogEvent'
    selection_wevtutil_img:
        - Image|endswith: '\wevtutil.exe'
        - OriginalFileName: 'wevtutil.exe'
    selection_wevtutil_cli:
        CommandLine|contains:
            - ' qe '
            - ' query-events '
    selection_wmic_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_wmic_cli:
        CommandLine|contains: ' ntevent'
    selection_cmdlet:
        CommandLine|contains:
            - 'Get-WinEvent '
            - 'get-eventlog '
    selection_logs_name:
        CommandLine|contains:
            # Note: Add more event log channels that are interesting for attackers
            - 'Microsoft-Windows-PowerShell'
            - 'Microsoft-Windows-Security-Auditing'
            - 'Microsoft-Windows-TerminalServices-LocalSessionManager'
            - 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
            - 'Microsoft-Windows-Windows Defender'
            - 'PowerShellCore'
            - 'Security'
            - 'Windows PowerShell'
    selection_logs_eid:
        CommandLine|contains:
            # Note: We use the "?" to account for both a single and a double quote
            # Note: Please add additional interesting event IDs
            # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers.
            # This covers EID 4624 and 4628 from Security Log
            - '-InstanceId 462?'
            - '.eventid -eq 462?'
            - '.ID -eq 462?'
            - 'EventCode=?462?'
            - 'EventIdentifier=?462?'
            - 'System[EventID=462?]'
            # This covers EID 4778 from Security Log
            - '-InstanceId 4778'
            - '.eventid -eq 4778'
            - '.ID -eq 4778'
            - 'EventCode=?4778?'
            - 'EventIdentifier=?4778?'
            - 'System[EventID=4778]'
            # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 25'
            - '.eventid -eq 25'
            - '.ID -eq 25'
            - 'EventCode=?25?'
            - 'EventIdentifier=?25?'
            - 'System[EventID=25]'
            # This covers EID 1149 from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log
            - '-InstanceId 1149'
            - '.eventid -eq 1149'
            - '.ID -eq 1149'
            - 'EventCode=?1149?'
            - 'EventIdentifier=?1149?'
            - 'System[EventID=1149]'
            # This covers EID 21 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 21'
            - '.eventid -eq 21'
            - '.ID -eq 21'
            - 'EventCode=?21?'
            - 'EventIdentifier=?21?'
            - 'System[EventID=21]'
            # This covers EID 22 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 22'
            - '.eventid -eq 22'
            - '.ID -eq 22'
            - 'EventCode=?22?'
            - 'EventIdentifier=?22?'
            - 'System[EventID=22]'
    condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)
falsepositives:
    - Legitimate usage of the utility by administrators to query the event log
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/info.yml

title: Suspicious Group And Account Reconnaissance Activity Using Net.EXE
id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
status: test
description: |
    Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
    Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
references:
    - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)
date: 2019-01-16
modified: 2023-03-02
tags:
    - attack.discovery
    - attack.t1087.001
    - attack.t1087.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    # Covers group and localgroup flags
    selection_group_root:
        CommandLine|contains:
            - ' group '
            - ' localgroup '
    selection_group_flags:
        CommandLine|contains:
            # Add more groups for other languages
            - 'domain admins'
            - ' administrator' # Typo without an 'S' so we catch both
            - ' administrateur' # Typo without an 'S' so we catch both
            - 'enterprise admins'
            - 'Exchange Trusted Subsystem'
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
            - ' /do' # short for domain
    filter_group_add:
        # This filter is added to avoid the potential case where the point is not recon but addition
        CommandLine|contains: ' /add'
    # Covers 'accounts' flag
    selection_accounts_root:
        CommandLine|contains: ' accounts '
    selection_accounts_flags:
        CommandLine|contains: ' /do' # short for domain
    condition: selection_img and ((all of selection_group_* and not filter_group_add) or all of selection_accounts_*)
falsepositives:
    - Inventory tool runs
    - Administrative activity
level: medium

title: Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
id: c8a180d6-47a3-4345-a609-53f9c3d834fc
related:
    - id: cef24b90-dddc-4ae1-a09a-8764872f69fc
      type: similar
status: test
description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-10
tags:
    - attack.discovery
    - attack.t1087.001
logsource:
    category: process_creation
    product: windows
detection:
    # Covers group and localgroup flags
    selection_cmdlet:
        CommandLine|contains: 'Get-LocalGroupMember '
    selection_group:
        CommandLine|contains:
            # Add more groups for other languages
            - 'domain admins'
            - ' administrator' # Typo without an 'S' so we catch both
            - ' administrateur' # Typo without an 'S' so we catch both
            - 'enterprise admins'
            - 'Exchange Trusted Subsystem'
            - 'Remote Desktop Users'
            - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users"
            - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users"
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: medium

title: Suspicious Use of PsLogList
id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
status: test
description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
references:
    - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
    - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
    - https://twitter.com/EricaZelic/status/1614075109827874817
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2024-03-05
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1087.001
    - attack.t1087.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'psloglist.exe'
        - Image|endswith:
              - '\psloglist.exe'
              - '\psloglist64.exe'
    selection_cli_eventlog:
        CommandLine|contains:
            - ' security'
            - ' application'
            - ' system'
    selection_cli_flags:
        CommandLine|contains|windash:
            - ' -d'
            - ' -x'
            - ' -s'
            - ' -c' # Clear event log after displaying
            - ' -g' # Export an event log as an evt file.
    condition: all of selection_*
falsepositives:
    - Another tool that uses the command line switches of PsLogList
    - Legitimate use of PsLogList by an administrator
level: medium

title: Uncommon Connection to Active Directory Web Services
id: b3ad3c0f-c949-47a1-a30e-b0491ccae876
status: test
description: |
    Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
references:
    - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
    - https://github.com/FalconForceTeam/FalconFriday/blob/a9219dfcfd89836f34660223f47d766982bdce46/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md
author: '@kostastsale'
date: 2024-01-26
tags:
    - attack.discovery
    - attack.t1087
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: true
        DestinationPort: 9389
    filter_main_dsac:
        Image: 'C:\Windows\system32\dsac.exe'
    filter_main_ms_monitoring_agent:
        Image: 'C:\Program Files\Microsoft Monitoring Agent\'
    filter_main_powershell:
        Image|startswith:
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\7-preview\pwsh.ex'
            - 'C:\Windows\System32\WindowsPowerShell\'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-listing to avoid false positives.
level: medium

title: Active Directory Computers Enumeration With Get-AdComputer
id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
status: test
description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
references:
    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md
author: frack113
date: 2022-03-17
modified: 2023-07-08
tags:
    - attack.discovery
    - attack.t1018
    - attack.t1087.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains: 'Get-AdComputer '
    selection_option:
        ScriptBlockText|contains:
            - '-Filter '
            - '-LDAPFilter '
            - '-Properties '
    condition: all of selection_*
falsepositives:
    - Unknown
level: low

title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: test
description: Collect pertinent data from the configuration files
references:
    - https://blog.router-switch.com/2013/11/show-running-config/
    - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
    - attack.discovery
    - attack.credential-access
    - attack.collection
    - attack.t1087.001
    - attack.t1552.001
    - attack.t1005
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'show running-config'
        - 'show startup-config'
        - 'show archive config'
        - 'more'
    condition: keywords
falsepositives:
    - Commonly run by administrators
level: low

title: Local Accounts Discovery
id: 502b42de-4306-40b4-9596-6f590c81f073
status: test
related:
    - id: e28a5a99-da44-436d-b7a0-2afc20a5f413 # Whoami Utility Execution
      type: obsolete
description: Local accounts, System Owner/User discovery using operating systems utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019-10-21
modified: 2025-10-20
tags:
    - attack.discovery
    - attack.t1033
    - attack.t1087.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_other_img:
        - Image|endswith:
              - '\whoami.exe'
              - '\quser.exe'
              - '\qwinsta.exe'
        - OriginalFileName:
              - 'whoami.exe'
              - 'quser.exe'
              - 'qwinsta.exe'
    selection_other_wmi:
        Image|endswith: '\wmic.exe'
        CommandLine|contains|all:
            - 'useraccount'
            - 'get'
    selection_other_cmdkey:
        Image|endswith: '\cmdkey.exe'
        CommandLine|contains: ' /l'
    selection_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - ' /c'
            - 'dir '
            - '\Users\'
    filter_cmd:
        CommandLine|contains: ' rmdir ' # don't match on 'dir'   "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005"
    selection_net:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains: 'user'
    filter_net:
        CommandLine|contains:
            - '/domain'       # local account discovery only
            - '/add'          # discovery only
            - '/delete'       # discovery only
            - '/active'       # discovery only
            - '/expires'      # discovery only
            - '/passwordreq'  # discovery only
            - '/scriptpath'   # discovery only
            - '/times'        # discovery only
            - '/workstations' # discovery only
    condition: (selection_cmd and not filter_cmd) or (selection_net and not filter_net) or 1 of selection_other_*
falsepositives:
    - Legitimate administrator or user enumerates local users for legitimate reason
level: low

title: Local System Accounts Discovery - Linux
id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
status: test
description: Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
    - https://my.f5.com/manage/s/article/K589
    - https://man.freebsd.org/cgi/man.cgi?pwd_mkdb
author: Alejandro Ortuno, oscd.community, CheraghiMilad
date: 2020-10-08
modified: 2024-12-10
tags:
    - attack.discovery
    - attack.t1087.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        Image|endswith: '/lastlog'
    selection_2:
        CommandLine|contains: '''x:0:'''
    selection_3:
        Image|endswith:
            - '/cat'
            - '/ed'
            - '/head'
            - '/more'
            - '/nano'
            - '/tail'
            - '/vi'
            - '/vim'
            - '/less'
            - '/emacs'
            - '/sqlite3'
            - '/makemap'
        CommandLine|contains:
            - '/etc/passwd'
            - '/etc/shadow'
            - '/etc/sudoers'
            - '/etc/spwd.db'
            - '/etc/pwd.db'
            - '/etc/master.passwd'
    selection_4:
        Image|endswith: '/id'
    selection_5:
        Image|endswith: '/lsof'
        CommandLine|contains: '-u'
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: low

title: Local System Accounts Discovery - MacOs
id: ddf36b67-e872-4507-ab2e-46bda21b842c
status: test
description: Detects enumeration of local systeam accounts on MacOS
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-08
modified: 2022-11-27
tags:
    - attack.discovery
    - attack.t1087.001
logsource:
    category: process_creation
    product: macos
detection:
    selection_1:
        Image|endswith: '/dscl'
        CommandLine|contains|all:
            - 'list'
            - '/users'
    selection_2:
        Image|endswith: '/dscacheutil'
        CommandLine|contains|all:
            - '-q'
            - 'user'
    selection_3:
        CommandLine|contains: '''x:0:'''
    selection_4:
        Image|endswith: '/cat'
        CommandLine|contains:
            - '/etc/passwd'
            - '/etc/sudoers'
    selection_5:
        Image|endswith: '/id'
    selection_6:
        Image|endswith: '/lsof'
        CommandLine|contains: '-u'
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: low

title: RBAC Permission Enumeration Attempt
id: 84b777bd-c946-4d17-aa2e-c39f5a454325
status: test
description: |
    Detects identities attempting to enumerate their Kubernetes RBAC permissions.
    In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.
    In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command.
    This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
references:
    - https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1069.003
    - attack.t1087.004
    - attack.discovery
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        apiGroup: 'authorization.k8s.io'
        objectRef.resource: 'selfsubjectrulesreviews'
    condition: selection
falsepositives:
    - Unknown
level: low