title: BPFDoor Abnormal Process ID or Lock File Accessed
id: 808146b2-9332-4d78-9416-d7e47012d83d
status: test
description: detects BPFDoor .lock and .pid files access in temporary file storage facility
references:
    - https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
    - https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
    - https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report/
    - https://github.com/rapid7/Rapid7-Labs/blob/741c7196ec12a0a56b63463d1fd726ff14d3a97a/BPFDoor/rapid7_detect_bpfdoor.sh
author: Rafal Piasecki
date: 2022-08-10
modified: 2026-03-30
tags:
    - attack.execution
    - attack.t1106
    - attack.t1059
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name:
            - /var/run/aepmonend.pid
            - /var/run/auditd.lock
            - /var/run/cma.lock
            - /var/run/console-kit.pid
            - /var/run/consolekit.pid
            - /var/run/daemon.pid
            - /var/run/hald-addon.pid
            - /var/run/hald-smartd.pid
            - /var/run/haldrund.pid
            - /var/run/hp-health.pid
            - /var/run/hpasmlit.lock
            - /var/run/hpasmlited.pid
            - /var/run/kdevrund.pid
            - /var/run/lldpad.lock
            - /var/run/mcelog.pid
            - /var/run/system.pid
            - /var/run/uvp-srv.pid
            - /var/run/vmtoolagt.pid
            - /var/run/xinetd.lock
    condition: selection
falsepositives:
    - Unlikely
level: high

title: HackTool - CobaltStrike BOF Injection Pattern
id: 09706624-b7f6-455d-9d02-adee024cee1d
status: test
description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
references:
    - https://github.com/boku7/injectAmsiBypass
    - https://github.com/boku7/spawn
author: Christian Burkard (Nextron Systems)
date: 2021-08-04
modified: 2023-11-28
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1106
    - attack.t1685
logsource:
    category: process_access
    product: windows
detection:
    selection:
        CallTrace|re: '^C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-z0-9]{4,6}\|C:\\Windows\\System32\\KERNELBASE\.dll\+[a-z0-9]{4,6}\|UNKNOWN\([A-Z0-9]{16}\)$'
        GrantedAccess:
            - '0x1028'
            - '0x1fffff'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - HandleKatz Duplicating LSASS Handle
id: b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5
status: test
description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
references:
    - https://github.com/codewhitesec/HandleKatz
author: Bhabesh Raj (rule), @thefLinkk
date: 2022-06-27
modified: 2023-11-28
tags:
    - attack.execution
    - attack.t1106
    - attack.t1003.001
    - attack.credential-access
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe' # Theoretically, can be any benign process holding handle to LSASS
        GrantedAccess: '0x1440' # Only PROCESS_DUP_HANDLE, PROCESS_QUERY_LIMITED_INFORMATION, PROCESS_QUERY_INFORMATION
        # Example: C:\Windows\SYSTEM32\ntdll.dll+9d234\|UNKNOWN(00000000001C119B)
        CallTrace|startswith: 'C:\Windows\System32\ntdll.dll+'
        CallTrace|contains: '|UNKNOWN('
        CallTrace|endswith: ')'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - RedMimicry Winnti Playbook Execution
id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
status: test
description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
references:
    - https://redmimicry.com/posts/redmimicry-winnti/
author: Alexander Rausch
date: 2020-06-24
modified: 2023-03-01
tags:
    - attack.execution
    - attack.stealth
    - attack.t1106
    - attack.t1059.003
    - attack.t1218.011
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\rundll32.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'gthread-3.6.dll'
            - '\Windows\Temp\tmp.bat'
            - 'sigcmm-2.4.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - WinPwn Execution
id: d557dc06-62e8-4468-a8e8-7984124908ce
related:
    - id: 851fd622-b675-4d26-b803-14bc7baa517a
      type: similar
status: test
description: |
    Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - WinPwn Execution - ScriptBlock
id: 851fd622-b675-4d26-b803-14bc7baa517a
related:
    - id: d557dc06-62e8-4468-a8e8-7984124908ce
      type: similar
status: test
description: |
    Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: ps_script
    product: windows
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection.
level: high

title: Potential WinAPI Calls Via CommandLine
id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
related:
    - id: 03d83090-8cba-44a0-b02f-0b756a050306
      type: derived
status: test
description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
references:
    - https://twitter.com/m417z/status/1566674631788007425
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-06
modified: 2025-03-06
tags:
    - attack.execution
    - attack.t1106
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'AddSecurityPackage'
            - 'AdjustTokenPrivileges'
            - 'Advapi32'
            - 'CloseHandle'
            - 'CreateProcessWithToken'
            - 'CreatePseudoConsole'
            - 'CreateRemoteThread'
            - 'CreateThread'
            - 'CreateUserThread'
            - 'DangerousGetHandle'
            - 'DuplicateTokenEx'
            - 'EnumerateSecurityPackages'
            - 'FreeHGlobal'
            - 'FreeLibrary'
            - 'GetDelegateForFunctionPointer'
            - 'GetLogonSessionData'
            - 'GetModuleHandle'
            - 'GetProcAddress'
            - 'GetProcessHandle'
            - 'GetTokenInformation'
            - 'ImpersonateLoggedOnUser'
            - 'kernel32'
            - 'LoadLibrary'
            - 'memcpy'
            - 'MiniDumpWriteDump'
            # - 'msvcrt'
            - 'ntdll'
            - 'OpenDesktop'
            - 'OpenProcess'
            - 'OpenProcessToken'
            - 'OpenThreadToken'
            - 'OpenWindowStation'
            - 'PtrToString'
            - 'QueueUserApc'
            - 'ReadProcessMemory'
            - 'RevertToSelf'
            - 'RtlCreateUserThread'
            - 'secur32'
            - 'SetThreadToken'
            # - 'user32'
            - 'VirtualAlloc'
            - 'VirtualFree'
            - 'VirtualProtect'
            - 'WaitForSingleObject'
            - 'WriteInt32'
            - 'WriteProcessMemory'
            - 'ZeroFreeGlobalAllocUnicode'
    filter_optional_mpcmdrun:
        Image|endswith: '\MpCmdRun.exe'
        CommandLine|contains: 'GetLoadLibraryWAddress32'
    filter_optional_compatTelRunner:
        ParentImage|endswith: '\CompatTelRunner.exe'
        CommandLine|contains:
            - 'FreeHGlobal'
            - 'PtrToString'
            - 'kernel32'
            - 'CloseHandle'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Some legitimate action or applications may use these functions. Investigate further to determine the legitimacy of the activity.
level: high

title: Potential WinAPI Calls Via PowerShell Scripts
id: 03d83090-8cba-44a0-b02f-0b756a050306
related:
    - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
      type: similar
status: test
description: Detects use of WinAPI functions in PowerShell scripts
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community
date: 2020-10-06
modified: 2023-06-20
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1106
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    # Note: Add more suspicious combinations in the form of different selections
    selection_injection:
        ScriptBlockText|contains|all:
            - 'VirtualAlloc'
            - 'OpenProcess'
            - 'WriteProcessMemory'
            - 'CreateRemoteThread'
    selection_token_steal:
        ScriptBlockText|contains|all:
            - 'OpenProcessToken'
            - 'LookupPrivilegeValue'
            - 'AdjustTokenPrivileges'
    selection_duplicate_token:
        ScriptBlockText|contains|all:
            - 'OpenProcessToken'
            - 'DuplicateTokenEx'
            - 'CloseHandle'
    selection_process_write_read:
        ScriptBlockText|contains|all:
            - 'WriteProcessMemory'
            - 'VirtualAlloc'
            - 'ReadProcessMemory'
            - 'VirtualFree'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious Mshta.EXE Execution Patterns
id: e32f92d1-523e-49c3-9374-bdb13b46a3ba
status: test
description: Detects suspicious mshta process execution patterns
references:
    - https://en.wikipedia.org/wiki/HTML_Application
    - https://www.echotrail.io/insights/search/mshta.exe
    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-17
modified: 2023-02-21
tags:
    - attack.execution
    - attack.t1106
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mshta.exe'
        - OriginalFileName: 'MSHTA.EXE'
    selection_susp:
        # Suspicious parents
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
        # Suspicious folders
        CommandLine|contains:
            - '\AppData\Local\'
            - 'C:\ProgramData\'
            - 'C:\Users\Public\'
            - 'C:\Windows\Temp\'
    filter_img:
        # Filter legit Locations
        - Image|startswith:
              - 'C:\Windows\System32\'
              - 'C:\Windows\SysWOW64\'
        # Suspicious extensions
        - CommandLine|contains:
              - '.htm'
              - '.hta'
        # Filter simple execution
        - CommandLine|endswith:
              - 'mshta.exe'
              - 'mshta'
    condition: all of selection_* or (selection_img and not filter_img)
falsepositives:
    - Unknown
level: high

title: Potential Binary Proxy Execution Via Cdb.EXE
id: b5c7395f-e501-4a08-94d4-57fe7a9da9d2
status: test
description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
    - https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
    - https://twitter.com/nas_bench/status/1534957360032120833
author: Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-26
modified: 2024-04-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1106
    - attack.t1218
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cdb.exe'
        - OriginalFileName: 'CDB.Exe'
    selection_cli:
        CommandLine|contains:
            - ' -c ' # Using a debugger script
            - ' -cf '
    condition: all of selection*
falsepositives:
    - Legitimate use of debugging tools
level: medium

title: Potential Direct Syscall of NtOpenProcess
id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
status: test
description: Detects potential calls to NtOpenProcess directly from NTDLL.
references:
    - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
author: Christian Burkard (Nextron Systems), Tim Shelton (FP)
date: 2021-07-28
modified: 2023-12-13
tags:
    - attack.execution
    - attack.t1106
logsource:
    category: process_access
    product: windows
detection:
    selection:
        CallTrace|startswith: 'UNKNOWN'
    filter_main_vcredist:
        TargetImage|endswith: 'vcredist_x64.exe'
        SourceImage|endswith: 'vcredist_x64.exe'
    filter_main_generic:
        # Examples include "systeminfo", "backgroundTaskHost", "AUDIODG"
        SourceImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
        TargetImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
    filter_main_kerneltrace_edge:
        # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
        Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
    filter_optional_vmware:
        TargetImage|endswith: ':\Windows\system32\systeminfo.exe'
        SourceImage|endswith: 'setup64.exe' # vmware
    filter_optional_cylance:
        SourceImage|endswith: ':\Windows\Explorer.EXE'
        TargetImage|endswith: ':\Program Files\Cylance\Desktop\CylanceUI.exe'
    filter_optional_amazon:
        SourceImage|endswith: 'AmazonSSMAgentSetup.exe'
        TargetImage|endswith: 'AmazonSSMAgentSetup.exe'
    filter_optional_vscode: # VsCode
        SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
        TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
    filter_optional_teams: # MS Teams
        TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
        SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
    filter_optional_discord: # Discord
        TargetImage|contains: '\AppData\Local\Discord\'
        TargetImage|endswith: '\Discord.exe'
    filter_optional_yammer:
        SourceImage|contains: '\AppData\Local\yammerdesktop\app-'
        SourceImage|endswith: '\Yammer.exe'
        TargetImage|contains: '\AppData\Local\yammerdesktop\app-'
        TargetImage|endswith: '\Yammer.exe'
        GrantedAccess: '0x1000'
    filter_optional_evernote:
        TargetImage|endswith: '\Evernote\Evernote.exe'
    filter_optional_adobe_acrobat:
        SourceImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
        SourceImage|endswith: '\AcroCEF.exe'
        TargetImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
        TargetImage|endswith: '\AcroCEF.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium