title: Antivirus Hacktool Detection
id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2021-08-16
modified: 2024-11-02
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith:
              - 'ATK/'  # Sophos
              - 'Exploit.Script.CVE'
              - 'HKTL'
              - 'HTOOL'
              - 'PWS.'
              - 'PWSX'
              - 'SecurityTool'
              # - 'FRP.'
        - Signature|contains:
              - 'Adfind'
              - 'Brutel'
              - 'BruteR'
              - 'Cobalt'
              - 'COBEACON'
              - 'Cometer'
              - 'DumpCreds'
              - 'FastReverseProxy'
              - 'Hacktool'
              - 'Havoc'
              - 'Impacket'
              - 'Keylogger'
              - 'Koadic'
              - 'Mimikatz'
              - 'Nighthawk'
              - 'PentestPowerShell'
              - 'Potato'
              - 'PowerSploit'
              - 'PowerSSH'
              - 'PshlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'PWDump'
              - 'Rozena'
              - 'Rusthound'
              - 'Sbelt'
              - 'Seatbelt'
              - 'SecurityTool'
              - 'SharpDump'
              - 'SharpHound'
              - 'Shellcode'
              - 'Sliver'
              - 'Snaffler'
              - 'SOAPHound'
              - 'Splinter'
              - 'Swrort'
              - 'TurtleLoader'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: File With Uncommon Extension Created By An Office Application
id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
status: test
description: Detects the creation of files with an executable or script extension by an Office application.
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
date: 2021-08-23
modified: 2025-10-17
tags:
    - attack.t1204.002
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    # Note: Please add more file extensions to the logic of your choice.
    selection1:
        Image|endswith:
            - '\excel.exe'
            - '\msaccess.exe'
            - '\mspub.exe'
            - '\powerpnt.exe'
            - '\visio.exe'
            - '\winword.exe'
    selection2:
        TargetFilename|endswith:
            - '.bat'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.ocx'
            - '.proj'
            - '.ps1'
            - '.scf'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.wsf'
            - '.wsh'
    filter_main_localassembly:
        TargetFilename|contains: '\AppData\Local\assembly\tmp\'
        TargetFilename|endswith: '.dll'
    filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com
        TargetFilename|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Microsoft\Office\'
            - '\WebServiceCache\AllUsers'
        TargetFilename|endswith: '.com'
    filter_optional_webex:
        Image|endswith: '\winword.exe'
        TargetFilename|contains: '\AppData\Local\Temp\webexdelta\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_optional_backstageinappnavcache: # matches e.g. C:\Users\xxxxx\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\ODB-user@domain.com
        TargetFilename|contains|all:
            - 'C:\Users\'
            - '\AppData\Local\Microsoft\Office\'
            - '\BackstageInAppNavCache\'
        TargetFilename|endswith: '.com'
    condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

title: FileFix - Command Evidence in TypedPaths
id: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70
related:
    - id: 4be03877-d5b6-4520-85c9-a5911c0a656c
      type: similar
status: experimental
description: |
    Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
references:
    - https://x.com/russianpanda9xx/status/1940831134759506029
    - https://mrd0x.com/filefix-clickfix-alternative/
    - https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Alfie Champion (delivr.to), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-05
modified: 2025-11-19
tags:
    - attack.execution
    - attack.t1204.004
logsource:
    category: registry_set
    product: windows
detection:
    selection_base:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
        Details|contains|all:
            - '#'
            - 'http'
    selection_cmd:
        - Details|contains:
              # Add more suspicious keywords
              - 'account'
              - 'anti-bot'
              - 'botcheck'
              - 'captcha'
              - 'challenge'
              - 'confirmation'
              - 'fraud'
              - 'human'
              - 'identification'
              - 'identificator'
              - 'identity'
              - 'robot'
              - 'validation'
              - 'verification'
              - 'verify'
        - Details|contains:
              - '%comspec%'
              - 'bitsadmin'
              - 'certutil'
              - 'cmd'
              - 'cscript'
              - 'curl'
              - 'finger'
              - 'mshta'
              - 'powershell'
              - 'pwsh'
              - 'regsvr32'
              - 'rundll32'
              - 'schtasks'
              - 'wget'
              - 'wscript'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017-10-25
modified: 2022-08-08
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1189
    - attack.execution
    - attack.t1204.002
    - attack.t1036.005
logsource:
    category: proxy
detection:
    selection:
        - c-uri|contains: '/flash_install.php'
        - c-uri|endswith: '/install_flash_player.exe'
    filter:
        cs-host|endswith: '.adobe.com'
    condition: selection and not filter
falsepositives:
    - Unknown flash download locations
level: high

title: GAC DLL Loaded Via Office Applications
id: 90217a70-13fc-48e4-b3db-0d836c5824ac
status: test
description: Detects any GAC DLL being loaded by an Office Product
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
    condition: selection
falsepositives:
    - Legitimate macro usage. Add the appropriate filter according to your environment
level: high

title: HackTool - LittleCorporal Generated Maldoc Injection
id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
status: test
description: Detects the process injection of a LittleCorporal generated Maldoc.
references:
    - https://github.com/connormcgarr/LittleCorporal
author: Christian Burkard (Nextron Systems)
date: 2021-08-09
modified: 2023-11-28
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1204.002
    - attack.t1055.003
logsource:
    category: process_access
    product: windows
detection:
    selection:
        SourceImage|endswith: '\winword.exe'
        CallTrace|contains|all:
            - ':\Windows\Microsoft.NET\Framework64\v2.'
            - 'UNKNOWN'
    condition: selection
falsepositives:
    - Unknown
level: high

title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
id: 9cfe4b27-1e56-48b4-b7a8-d46851c91a44
status: experimental
description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
references:
    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
    - https://en.wikipedia.org/wiki/Right-to-left_override
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.execution
    - attack.stealth
    - attack.t1204.002
    - attack.t1218.014
    - attack.t1036.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|endswith: '\mmc.exe'
        - OriginalFileName: 'MMC.exe'
    selection_commandline:
        CommandLine|contains: # While looking at these files the prefix of their name will look something like csm.pdf, but in reality it is msc file
            - 'cod.msc'  # Reversed `.doc`
            - 'fdp.msc'  # Reversed `.pdf`
            - 'ftr.msc'  # Reversed `.rtf`
            - 'lmth.msc'  # Reversed `.html`
            - 'slx.msc'  # Reversed `.xls`
            - 'tdo.msc'  # Reversed `.odt`
            - 'xcod.msc'  # Reversed `.docx`
            - 'xslx.msc'  # Reversed `.xlsx`
            - 'xtpp.msc'  # Reversed `.pptx`
    condition: all of selection_*
falsepositives:
    - Legitimate administrative actions using MMC to execute misnamed `.msc` files.
    - Unconventional but non-malicious usage of RLO or reversed extensions.
level: high

title: Potential ClickFix Execution Pattern - Registry
id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
related:
    - id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
      type: similar
status: experimental
description: |
    Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links.
    ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages.
    Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content,
    such as one-liners that execute remotely hosted malicious files or scripts.
references:
    - https://github.com/JohnHammond/recaptcha-phish
    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
    - https://medium.com/@boutnaru/the-windows-foreniscs-journey-run-mru-run-dialog-box-most-recently-used-57375a02d724
    - https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
    - https://medium.com/@poudelswachchhanda123/preventing-lnk-and-fakecaptcha-threats-a-system-hardening-approach-2f7b7ed2e493
    - https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-25
modified: 2025-11-19
tags:
    - attack.execution
    - attack.t1204.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_registry:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
    selection_details:
        Details|contains:
            - 'http://'
            - 'https://'
    selection_susp_pattern:
        - Details|contains:
              # Add more suspicious keywords
              - 'account'
              - 'anti-bot'
              - 'botcheck'
              - 'captcha'
              - 'challenge'
              - 'confirmation'
              - 'fraud'
              - 'human'
              - 'identification'
              - 'identificator'
              - 'identity'
              - 'robot'
              - 'validation'
              - 'verification'
              - 'verify'
        - Details|contains:
              - '%comspec%'
              - 'bitsadmin'
              - 'certutil'
              - 'cmd'
              - 'cscript'
              - 'curl'
              - 'finger'
              - 'mshta'
              - 'powershell'
              - 'pwsh'
              - 'regsvr32'
              - 'rundll32'
              - 'schtasks'
              - 'wget'
              - 'wscript'
    condition: all of selection_*
falsepositives:
    - Legitimate applications using RunMRU with HTTP links
level: high

title: Suspicious Binaries and Scripts in Public Folder
id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e
status: experimental
description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
references:
    - https://intel.thedfirreport.com/events/view/30032 # Private Report
    - https://intel.thedfirreport.com/eventReports/view/70 # Private Report
    - https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
author: 'The DFIR Report'
date: 2025-01-23
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: ':\Users\Public\'
        TargetFilename|endswith:
            - '.bat'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.vbe'
            - '.vbs'
    condition: selection
falsepositives:
    - Administrators deploying legitimate binaries to public folders.
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml

title: Suspicious Binary In User Directory Spawned From Office Application
id: aa3a6f94-890e-4e22-b634-ffdfd54792cc
status: test
description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
references:
    - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
    - https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57
author: Jason Lynch
date: 2019-04-02
modified: 2023-02-04
tags:
    - attack.execution
    - attack.t1204.002
    - attack.g0046
    - car.2013-05-002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
            - '\MSACCESS.exe'
            - '\EQNEDT32.exe'
            # - '\OUTLOOK.EXE' too many FPs
        Image|startswith: 'C:\users\'
        Image|endswith: '.exe'
    filter:
        Image|endswith: '\Teams.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Suspicious ClickFix/FileFix Execution Pattern
id: d487ed4a-fd24-436d-a0b2-f4e95f7b2635
related:
    - id: f5fe36cf-f1ec-4c23-903d-09a3110f6bbb
      type: similar
status: experimental
description: |
    Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix).
    Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.
references:
    - https://github.com/JohnHammond/recaptcha-phish
    - https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware
    - https://www.threatdown.com/blog/clipboard-hijacker-tries-to-install-a-trojan/
    - https://app.any.run/tasks/5c16b4db-4b36-4039-a0ed-9b09abff8be2
    - https://www.esentire.com/security-advisories/netsupport-rat-clickfix-distribution
    - https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/ # filefix variant
author: montysecurity, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
    - attack.execution
    - attack.t1204.001
    - attack.t1204.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
        CommandLine|contains: '#'
    selection_cli_captcha:
        CommandLine|contains:
            - 'account'
            - 'anti-bot'
            - 'botcheck'
            - 'captcha'
            - 'challenge'
            - 'confirmation'
            - 'fraud'
            - 'human'
            - 'identification'
            - 'identificator'
            - 'identity'
            - 'robot'
            - 'validation'
            - 'verification'
            - 'verify'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
related:
    - id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
      type: similar
    - id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
      type: similar
status: experimental
description: |
    Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection.
    ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar.
    The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
references:
    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
    - https://mrd0x.com/filefix-clickfix-alternative/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
modified: 2025-11-26
tags:
    - attack.execution
    - attack.stealth
    - attack.t1204.004
    - attack.t1027.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_explorer:
        ParentImage|endswith: '\explorer.exe'
        CommandLine|contains: '#'
    selection_space_variation:
        CommandLine|contains:
            - '            ' # En Quad (U+2000)
            - '            ' # Em Quad (U+2001)
            - '            ' # En Space (U+2002)
            - '            ' # Em Space (U+2003)
            - '            ' # Three-Per-Em Space (U+2004)
            - '            ' # Four-Per-Em Space (U+2005)
            - '            ' # Six-Per-Em Space (U+2006)
            - '            ' # Figure Space (U+2007)
            - '            ' # Punctuation Space (U+2008)
            - '            ' # Thin Space (U+2009)
            - '            ' # Hair Space (U+200A)
            - '            ' # No-Break Space (U+00A0)
            - '            ' # Normal space (0x20)
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious FileFix Execution Pattern
id: b5b29e4e-31fa-4fdf-b058-296e7a1aa0c2
related:
    - id: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70
      type: similar
    - id: 4be03877-d5b6-4520-85c9-a5911c0a656c
      type: obsolete
status: experimental
description: |
    Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation.
    This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms,
    which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content.
    The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
references:
    - https://mrd0x.com/filefix-clickfix-alternative/
    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/ # phishing lure directly asking users to open file explorer and paste command
    - https://blog.checkpoint.com/research/filefix-the-new-social-engineering-attack-building-on-clickfix-tested-in-the-wild/
author: 0xFustang, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-24
tags:
    - attack.execution
    - attack.t1204.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_exec_parent:
        # This is case where phishing pages trick users to paste commands in browser file upload dialog
        ParentImage|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
        CommandLine|contains: '#'
    selection_cli_lolbin:
        CommandLine|contains:
            - '%comspec%'
            - 'bitsadmin'
            - 'certutil'
            - 'cmd'
            - 'cscript'
            - 'curl'
            - 'finger'
            - 'mshta'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'schtasks'
            - 'wget'
            - 'wscript'
    selection_cli_captcha:
        CommandLine|contains:
            - 'account'
            - 'anti-bot'
            - 'botcheck'
            - 'captcha'
            - 'challenge'
            - 'confirmation'
            - 'fraud'
            - 'human'
            - 'identification'
            - 'identificator'
            - 'identity'
            - 'robot'
            - 'validation'
            - 'verification'
            - 'verify'
    condition: selection_exec_parent and 1 of selection_cli_*
falsepositives:
    - Legitimate use of PowerShell or other utilities launched from browser extensions or automation tools
level: high

title: Suspicious LNK Command-Line Padding with Whitespace Characters
id: dd8756e7-a3a0-4768-b47e-8f545d1a751c
status: experimental
description: |
    Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
    Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
    The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
    This rule flags suspicious use of such padding observed in real-world attacks.
references:
    - https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415
    - https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html
    - https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-19
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - ParentImage|endswith: '\explorer.exe'
        - ParentCommandLine|contains: '.lnk'
    selection_cmd:
        - CommandLine|contains:
              - '                 '  # Padding of SPACE (0x20)
            # - '	'  # Horizontal Tab (0x9)
              - '\u0009'
              - '\u000A' # Line Feed
              - '\u0011'
              - '\u0012'
              - '\u0013'
              - '\u000B' # Vertical Tab
              - '\u000C'  # \x0C
              - '\u000D'  # \x0D
        - CommandLine|re: '\n\n\n\n\n\n' # In some cases \u000[ABCD] are represented as a newline in the eventlog
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious Microsoft Office Child Process
id: 438025f9-5856-4663-83f7-52f878a70a50
related:
    - id: c27515df-97a9-4162-8a60-dc0eeb51b775 # Speicifc OneNote rule due to its recent usage in phishing attacks
      type: derived
    - id: e1693bc8-7168-4eab-8718-cdcaa68a1738
      type: derived
    - id: 23daeb52-e6eb-493c-8607-c4f0246cb7d8
      type: obsolete
    - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
      type: obsolete
    - id: 04f5363a-6bca-42ff-be70-0d28bf629ead
      type: obsolete
status: test
description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
references:
    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
    - https://github.com/splunk/security_content/blob/300af51b88ad5d5b27ce4f5f54e4d6e6a3a2c06d/detections/endpoint/office_spawning_control.yml
    - https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A
    - https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
    - https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
    - https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io
date: 2018-04-06
modified: 2023-04-24
tags:
    - attack.execution
    - attack.stealth
    - attack.t1047
    - attack.t1204.002
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\EQNEDT32.EXE'
            - '\EXCEL.EXE'
            - '\MSACCESS.EXE'
            - '\MSPUB.exe'
            - '\ONENOTE.EXE'
            - '\POWERPNT.exe'
            - '\VISIO.exe'
            - '\WINWORD.EXE'
            - '\wordpad.exe'
            - '\wordview.exe'
    selection_child_processes:
        - OriginalFileName:
              - 'bitsadmin.exe'
              - 'CertOC.exe'
              - 'CertUtil.exe'
              - 'Cmd.Exe'
              - 'CMSTP.EXE'
              - 'cscript.exe'
              - 'curl.exe'
              - 'HH.exe'
              - 'IEExec.exe'
              - 'InstallUtil.exe'
              - 'javaw.exe'
              - 'Microsoft.Workflow.Compiler.exe'
              - 'msdt.exe'
              - 'MSHTA.EXE'
              - 'msiexec.exe'
              - 'Msxsl.exe'
              - 'odbcconf.exe'
              - 'pcalua.exe'
              - 'PowerShell.EXE'
              - 'RegAsm.exe'
              - 'RegSvcs.exe'
              - 'REGSVR32.exe'
              - 'RUNDLL32.exe'
              - 'schtasks.exe'
              - 'ScriptRunner.exe'
              - 'wmic.exe'
              - 'WorkFolders.exe'
              - 'wscript.exe'
        - Image|endswith:
              - '\AppVLP.exe'
              - '\bash.exe'
              - '\bitsadmin.exe'
              - '\certoc.exe'
              - '\certutil.exe'
              - '\cmd.exe'
              - '\cmstp.exe'
              - '\control.exe'
              - '\cscript.exe'
              - '\curl.exe'
              - '\forfiles.exe'
              - '\hh.exe'
              - '\ieexec.exe'
              - '\installutil.exe'
              - '\javaw.exe'
              - '\mftrace.exe'
              - '\Microsoft.Workflow.Compiler.exe'
              - '\msbuild.exe'
              - '\msdt.exe'
              - '\mshta.exe'
              - '\msidb.exe'
              - '\msiexec.exe'
              - '\msxsl.exe'
              - '\odbcconf.exe'
              - '\pcalua.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regasm.exe'
              - '\regsvcs.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\schtasks.exe'
              - '\scrcons.exe'
              - '\scriptrunner.exe'
              - '\sh.exe'
              - '\svchost.exe'
              - '\verclsid.exe'
              - '\wmic.exe'
              - '\workfolders.exe'
              - '\wscript.exe'
    selection_child_susp_paths: # Idea: Laiali Kazalbach, Mohamed Elsayed (#4142)
        Image|contains:
            - '\AppData\'
            - '\Users\Public\'
            - '\ProgramData\'
            - '\Windows\Tasks\'
            - '\Windows\Temp\'
            - '\Windows\System32\Tasks\'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Unknown
level: high

title: Suspicious Microsoft Office Child Process - MacOS
id: 69483748-1525-4a6c-95ca-90dc8d431b68
status: test
description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
references:
    - https://redcanary.com/blog/applescript/
    - https://objective-see.org/blog/blog_0x4B.html
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2023-02-04
tags:
    - attack.execution
    - attack.persistence
    - attack.t1059.002
    - attack.t1137.002
    - attack.t1204.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        ParentImage|contains:
            - 'Microsoft Word'
            - 'Microsoft Excel'
            - 'Microsoft PowerPoint'
            - 'Microsoft OneNote'
        Image|endswith:
            - '/bash'
            - '/curl'
            - '/dash'
            - '/fish'
            - '/osacompile'
            - '/osascript'
            - '/sh'
            - '/zsh'
            - '/python'
            - '/python3'
            - '/wget'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Suspicious Outlook Child Process
id: 208748f7-881d-47ac-a29c-07ea84bf691d
related:
    - id: 438025f9-5856-4663-83f7-52f878a70a50 # Office Child Processes
      type: derived
    - id: e212d415-0e93-435f-9e1a-f29005bb4723 # Outlook Remote Child Process
      type: derived
status: test
description: Detects a suspicious process spawning from an Outlook process.
references:
    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
date: 2022-02-28
modified: 2023-02-04
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\OUTLOOK.EXE'
        Image|endswith:
            - '\AppVLP.exe'
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\mftrace.exe'
            - '\msbuild.exe'        # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
            - '\msdt.exe'           # CVE-2022-30190
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\scriptrunner.exe'
            - '\sh.exe'
            - '\svchost.exe'        # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
            - '\wmic.exe'           # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
            - '\wscript.exe'
            # Several FPs with rundll32.exe
            # We started excluding specific use cases and ended up commenting out the rundll32.exe sub processes completely
            # - '\rundll32.exe'
            # filter_outlook_photoviewer:  # https://twitter.com/Luke_Hamp/status/1495919717760237568
            #   ParentImage|endswith: '\OUTLOOK.EXE'
            #   Image|endswith: '\rundll32.exe'
            #   CommandLine|contains: '\PhotoViewer.dll'
            # filter_outlook_printattachments:  # https://twitter.com/KickaKamil/status/1496238278659485696
            #   ParentImage|endswith: '\OUTLOOK.EXE'
            #   Image|endswith: '\rundll32.exe'
            #   CommandLine|contains|all:
            #     - 'shell32.dll,Control_RunDLL'
            #     - '\SYSTEM32\SPOOL\DRIVERS\'
    condition: selection # and not 1 of filter*
falsepositives:
    - Unknown
level: high

title: Suspicious Space Characters in RunMRU Registry Path - ClickFix
id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
related:
    - id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
      type: similar
status: experimental
description: |
    Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.
references:
    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
    - https://github.com/JohnHammond/recaptcha-phish
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
tags:
    - attack.execution
    - attack.stealth
    - attack.t1204.004
    - attack.t1027.010
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
        Details|contains: '#'
    selection_space_variation:
        Details|contains:
            - '            ' # En Quad (U+2000)
            - '            ' # Em Quad (U+2001)
            - '            ' # En Space (U+2002)
            - '            ' # Em Space (U+2003)
            - '            ' # Three-Per-Em Space (U+2004)
            - '            ' # Four-Per-Em Space (U+2005)
            - '            ' # Six-Per-Em Space (U+2006)
            - '            ' # Figure Space (U+2007)
            - '            ' # Punctuation Space (U+2008)
            - '            ' # Thin Space (U+2009)
            - '            ' # Hair Space (U+200A)
            - '            ' # No-Break Space (U+00A0)
            - '            ' # Normal space
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: Suspicious Space Characters in TypedPaths Registry Path - FileFix
id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
related:
    - id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
      type: similar
status: experimental
description: |
    Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.
references:
    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
    - https://mrd0x.com/filefix-clickfix-alternative/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
tags:
    - attack.execution
    - attack.stealth
    - attack.t1204.004
    - attack.t1027.010
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
        Details|contains: '#'
    selection_space_variation:
        Details|contains:
            - '            ' # En Quad (U+2000)
            - '            ' # Em Quad (U+2001)
            - '            ' # En Space (U+2002)
            - '            ' # Em Space (U+2003)
            - '            ' # Three-Per-Em Space (U+2004)
            - '            ' # Four-Per-Em Space (U+2005)
            - '            ' # Six-Per-Em Space (U+2006)
            - '            ' # Figure Space (U+2007)
            - '            ' # Punctuation Space (U+2008)
            - '            ' # Thin Space (U+2009)
            - '            ' # Hair Space (U+200A)
            - '            ' # No-Break Space (U+00A0)
            - '            ' # Normal space
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: Suspicious Startup Folder Persistence
id: 28208707-fe31-437f-9a7f-4b1108b94d2e
related:
    - id: 2aa0a6b4-a865-495b-ab51-c28249537b75
      type: similar
status: test
description: |
    Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
    These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
    This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
references:
    - https://github.com/last-byte/PersistenceSniper
    - https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
    - https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-08-10
modified: 2025-10-12
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.t1204.002
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith:
            # Add or remove suspicious extensions according to your env needs
            - '.bat'
            - '.cmd'
            - '.dll'
            - '.hta'
            - '.jar'
            - '.js'
            - '.jse'
            - '.msi'
            - '.ps1'
            - '.psd1'
            - '.psm1'
            - '.scr'
            - '.url'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
    - Rare legitimate usage of some of the extensions mentioned in the rule
level: high

title: Suspicious WMIC Execution Via Office Process
id: e1693bc8-7168-4eab-8718-cdcaa68a1738
related:
    - id: 438025f9-5856-4663-83f7-52f878a70a50
      type: derived
    - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
      type: obsolete
    - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
      type: obsolete
    - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
      type: obsolete
    - id: 04f5363a-6bca-42ff-be70-0d28bf629ead
      type: obsolete
status: test
description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov, Cyb3rEng
date: 2021-08-23
modified: 2023-02-14
tags:
    - attack.stealth
    - attack.t1204.002
    - attack.t1047
    - attack.t1218.010
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
            - '\MSACCESS.EXE'
            - '\EQNEDT32.EXE'
            - '\ONENOTE.EXE'
            - '\wordpad.exe'
            - '\wordview.exe'
    selection_wmic_img:
        - Image|endswith: '\wbem\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_wmic_cli:
        CommandLine|contains|all:
            - 'process'
            - 'create'
            - 'call'
        CommandLine|contains:
            # Add more suspicious LOLBINs as you see fit
            - 'regsvr32'
            - 'rundll32'
            - 'msiexec'
            - 'mshta'
            - 'verclsid'
            - 'wscript'
            - 'cscript'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Suspicious WmiPrvSE Child Process
id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
related:
    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
      type: similar
    - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
      type: similar
    - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
      type: obsolete
status: test
description: Detects suspicious and uncommon child processes of WmiPrvSE
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
    - https://twitter.com/ForensicITGuy/status/1334734244120309760
author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2023-11-10
tags:
    - attack.execution
    - attack.stealth
    - attack.t1047
    - attack.t1204.002
    - attack.t1218.010
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\wbem\WmiPrvSE.exe'
    selection_children_1:
        # TODO: Add more LOLBINs or suspicious processes that make sens in your environment
        Image|endswith:
            - '\certutil.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\verclsid.exe'
            - '\wscript.exe'
    selection_children_2:
        # This is in a separate selection due to the nature of FP generated with CMD
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'cscript'
            - 'mshta'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'wscript'
    filter_main_werfault:
        Image|endswith: '\WerFault.exe'
    filter_main_wmiprvse:
        Image|endswith: '\WmiPrvSE.exe' # In some legitimate case WmiPrvSE was seen spawning itself
    filter_main_msiexec:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains: '/i '
    condition: selection_parent and 1 of selection_children_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: Symlink Etc Passwd
id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
status: test
description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
references:
    - https://www.qualys.com/2021/05/04/21nails/21nails.txt
author: Florian Roth (Nextron Systems)
date: 2019-04-05
modified: 2021-11-27
tags:
    - attack.t1204.001
    - attack.execution
logsource:
    product: linux
detection:
    keywords:
        - 'ln -s -f /etc/passwd'
        - 'ln -s /etc/passwd'
    condition: keywords
falsepositives:
    - Unknown
level: high

title: VBA DLL Loaded Via Office Application
id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
status: test
description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|endswith:
            - '\VBE7.DLL'
            - '\VBEUI.DLL'
            - '\VBE7INTL.DLL'
    condition: selection
falsepositives:
    - Legitimate macro usage. Add the appropriate filter according to your environment
level: high

title: AppLocker Prevented Application or Script from Running
id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
status: test
description: |
    Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
    - https://nxlog.co/documentation/nxlog-user-guide/applocker.html
author: Pushkarev Dmitry
date: 2020-06-28
modified: 2025-12-03
tags:
    - attack.execution
    - attack.t1204.002
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.006
    - attack.t1059.007
logsource:
    product: windows
    service: applocker
detection:
    selection:
        EventID:
            - 8004 # EXE and DLL
            - 8007 # MSI and Script
            - 8022 # Packaged app execution
            - 8025 # Packaged app deployment
    condition: selection
falsepositives:
    - Unlikely, since this event notifies about blocked application execution. Tune your applocker rules to avoid blocking legitimate applications.
level: medium

title: Arbitrary Shell Command Execution Via Settingcontent-Ms
id: 24de4f3b-804c-4165-b442-5a06a2302c7e
status: test
description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
references:
    - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
author: Sreeman
date: 2020-03-13
modified: 2022-04-14
tags:
    - attack.t1204
    - attack.t1566.001
    - attack.execution
    - attack.initial-access
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '.SettingContent-ms'
    filter:
        CommandLine|contains: 'immersivecontrolpanel'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium

title: CLR DLL Loaded Via Office Applications
id: d13c43f0-f66b-4279-8b2c-5912077c1780
status: test
description: Detects CLR DLL being loaded by an Office Product
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\outlook.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|contains: '\clr.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: DotNET Assembly DLL Loaded Via Office Application
id: ff0f2b05-09db-4095-b96d-1b75ca24894a
status: test
description: Detects any assembly DLL being loaded by an Office Product
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|startswith: 'C:\Windows\assembly\'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Microsoft Excel Add-In Loaded From Uncommon Location
id: af4c4609-5755-42fe-8075-4effb49f5d44
related:
    - id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
      type: derived
status: test
description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
references:
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
    - https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-12
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\excel.exe'
        ImageLoaded|contains:
            # Note: Add or remove locations from this list based on your internal policy
            - '\Desktop\'
            - '\Downloads\'
            - '\Perflogs\'
            - '\Temp\'
            - '\Users\Public\'
            - '\Windows\Tasks\'
        ImageLoaded|endswith: '.xll'
    condition: selection
falsepositives:
    - Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
level: medium

title: Microsoft VBA For Outlook Addin Loaded Via Outlook
id: 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed
status: test
description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2024-03-12
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\outlook.exe'
        ImageLoaded|endswith: '\outlvba.dll'
    condition: selection
falsepositives:
    - Legitimate macro usage. Add the appropriate filter according to your environment
level: medium

title: Payload Decoded and Decrypted via Built-in Utilities
id: 234dc5df-40b5-49d1-bf53-0d44ce778eca
status: test
description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
    - attack.stealth
    - attack.t1059
    - attack.t1204
    - attack.execution
    - attack.t1140
    - attack.s0482
    - attack.s0402
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/openssl'
        CommandLine|contains|all:
            - '/Volumes/'
            - 'enc'
            - '-base64'
            - ' -d '
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Potential Suspicious Browser Launch From Document Reader Process
id: 1193d960-2369-499f-a158-7b50a31df682
status: test
description: |
    Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
references:
    - https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document
    - https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document
author: Joseph Kamau
date: 2024-05-27
modified: 2025-10-07
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|contains:
            - 'Acrobat Reader'
            - 'Microsoft Office'
            - 'PDF Reader'
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\maxthon.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
        CommandLine|contains: 'http'
    filter_main_microsoft_help:
        CommandLine|contains: 'https://go.microsoft.com/fwlink/'
    filter_optional_foxit:
        CommandLine|contains:
            - 'http://ad.foxitsoftware.com/adlog.php?'
            - 'https://globe-map.foxitservice.com/go.php?do=redirect'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed.
level: medium

title: Potentially Suspicious WebDAV LNK Execution
id: 1412aa78-a24c-4abd-83df-767dfb2c5bbe
related:
    - id: f0507c0f-a3a2-40f5-acc6-7f543c334993
      type: similar
status: test
description: Detects possible execution via LNK file accessed on a WebDAV server.
references:
    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
author: Micah Babinski
date: 2023-08-21
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        CommandLine|contains: '\DavWWWRoot\'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Remote DLL Load Via Rundll32.EXE
id: f40017b3-cb2e-4335-ab5d-3babf679c1de
status: test
description: Detects a remote DLL load event via "rundll32.exe".
references:
    - https://github.com/gabe-k/themebleed
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-18
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        ImageLoaded|startswith: '\\\\'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: Suspicious Execution via macOS Script Editor
id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
status: test
description: Detects when the macOS Script Editor utility spawns an unusual child process.
author: Tim Rauch (rule), Elastic (idea)
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685
    - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/
date: 2022-10-21
modified: 2022-12-28
logsource:
    category: process_creation
    product: macos
tags:
    - attack.defense-impairment
    - attack.t1566
    - attack.t1566.002
    - attack.initial-access
    - attack.t1059
    - attack.t1059.002
    - attack.t1204
    - attack.t1204.001
    - attack.execution
    - attack.persistence
    - attack.t1553
detection:
    selection_parent:
        ParentImage|endswith: '/Script Editor'
    selection_img:
        - Image|endswith:
              - '/curl'
              - '/bash'
              - '/sh'
              - '/zsh'
              - '/dash'
              - '/fish'
              - '/osascript'
              - '/mktemp'
              - '/chmod'
              - '/php'
              - '/nohup'
              - '/openssl'
              - '/plutil'
              - '/PlistBuddy'
              - '/xattr'
              - '/sqlite'
              - '/funzip'
              - '/popen'
        - Image|contains:
              - 'python'
              - 'perl'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Windows AppX Deployment Full Trust Package Installation
id: e54279c7-4910-4e2c-902c-c56a25b549f6
status: experimental
description: Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions
references:
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1204.002
    - attack.t1553.005
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 400
        HasFullTrust: true
    filter_main_legitpath:
        PackageSourceUri|startswith:
            - 'file:///C:/Program%20Files/'
            - 'file:///C:/Program%20Files%20(x86)/'
    filter_main_microsoft:
        - PackageSourceUri|startswith: 'https://go.microsoft.com/fwlink/?linkid'
        - PackageSourceUri|contains:
              - '.cdn.microsoft.com'
              - '.cdn.office.net/'
    filter_main_callerprocess:
        CallingProcess|startswith:
            - 'sysprep.exe'
            - 'svchost.exe,AppReadiness'
    filter_optional_x_update:
        PackageSourceUri|startswith: 'x-windowsupdate://'
    filter_optional_microsoftclient:
        PackageFullName|startswith: 'MicrosoftWindows.Client.'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Some legitimate applications installation which have been missed from filtering can generate fps, thus baselining and tuning is recommended before deploying to production
level: medium

title: Windows AppX Deployment Unsigned Package Installation
id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
related:
    - id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
      type: similar
    - id: 975b2262-9a49-439d-92a6-0709cccdf0b2
      type: similar
status: experimental
description: Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
references:
    - https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1204.002
    - attack.t1553.005
logsource:
    product: windows
    service: appxdeployment-server
detection:
    selection:
        EventID: 603
        Flags: '8388608'
    condition: selection
falsepositives:
    - Legitimate installation of unsigned packages for legitimate purposes such as development or testing
level: medium

title: Download From Suspicious TLD - Blacklist
id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
related:
    - id: b5de2919-b74a-4805-91a7-5049accbaefe
      type: similar
status: test
description: Detects download of certain file types from hosts in suspicious TLDs
references:
    - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
    - https://www.spamhaus.org/statistics/tlds/
    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
author: Florian Roth (Nextron Systems)
date: 2017-11-07
modified: 2023-05-18
tags:
    - attack.initial-access
    - attack.t1566
    - attack.execution
    - attack.t1203
    - attack.t1204.002
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
        cs-host|endswith:
            # Symantec / Chris Larsen analysis
            - '.country'
            - '.stream'
            - '.gdn'
            - '.mom'
            - '.xin'
            - '.kim'
            - '.men'
            - '.loan'
            - '.download'
            - '.racing'
            - '.online'
            - '.science'
            - '.ren'
            - '.gb'
            - '.win'
            - '.top'
            - '.review'
            - '.vip'
            - '.party'
            - '.tech'
            - '.xyz'
            - '.date'
            - '.faith'
            - '.zip'
            - '.cricket'
            - '.space'
            # McAfee report
            - '.info'
            - '.vn'
            - '.cm'
            - '.am'
            - '.cc'
            - '.asia'
            - '.ws'
            - '.tk'
            - '.biz'
            - '.su'
            - '.st'
            - '.ro'
            - '.ge'
            - '.ms'
            - '.pk'
            - '.nu'
            - '.me'
            - '.ph'
            - '.to'
            - '.tt'
            - '.name'
            - '.tv'
            - '.kz'
            - '.tc'
            - '.mobi'
            # Spamhaus
            - '.study'
            - '.click'
            - '.link'
            - '.trade'
            - '.accountant'
            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
            - '.cf'
            - '.gq'
            - '.ml'
            - '.ga'
            # Custom
            - '.pw'
    condition: selection
falsepositives:
    - All kinds of software downloads
level: low

title: Download From Suspicious TLD - Whitelist
id: b5de2919-b74a-4805-91a7-5049accbaefe
related:
    - id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
      type: similar
status: test
description: Detects executable downloads from suspicious remote systems
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2023-05-18
tags:
    - attack.initial-access
    - attack.t1566
    - attack.execution
    - attack.t1203
    - attack.t1204.002
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
    filter:
        cs-host|endswith:
            - '.com'
            - '.org'
            - '.net'
            - '.edu'
            - '.gov'
            - '.uk'
            - '.ca'
            - '.de'
            - '.jp'
            - '.fr'
            - '.au'
            - '.us'
            - '.ch'
            - '.it'
            - '.nl'
            - '.se'
            - '.no'
            - '.es'
            # Extend this list as needed
    condition: selection and not filter
falsepositives:
    - All kind of software downloads
level: low

title: Suspicious Deno File Written from Remote Source
id: 6c0ce3b6-85e2-49d4-9c3f-6e008ce9796e
status: experimental
description: |
    Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL.
    This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
references:
    - https://taggart-tech.com/evildeno/
author: Josh Nickels, Michael Taggart
date: 2025-05-22
tags:
    - attack.execution
    - attack.t1204
    - attack.t1059.007
    - attack.command-and-control
    - attack.t1105
logsource:
    category: file_event
    product: windows
detection:
    selection_path:
        TargetFilename|contains:
            - '\deno\gen\'
            - '\deno\remote\https\'
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\'
    condition: selection_path
falsepositives:
    - Legitimate usage of deno to request a file or bring a DLL to a host
level: low

title: Windows MSIX Package Support Framework AI_STUBS Execution
id: af5732ed-764e-489d-826d-0447c8b36242
status: experimental
description: |
    Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
    This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
references:
    - https://redcanary.com/blog/threat-intelligence/msix-installers/
    - https://redcanary.com/threat-detection-report/techniques/installer-packages/
    - https://learn.microsoft.com/en-us/windows/msix/package/package-support-framework
    - https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1218
    - attack.t1553.005
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\AI_STUBS\AiStubX64Elevated.exe'
            - '\AI_STUBS\AiStubX86Elevated.exe'
            - '\AI_STUBS\AiStubX64.exe'
            - '\AI_STUBS\AiStubX86.exe'
        OriginalFileName: 'popupwrapper.exe'
    condition: selection
falsepositives:
    - Legitimate applications packaged with Advanced Installer using Package Support Framework
level: low

title: New Application in AppCompat
id: 60936b49-fca0-4f32-993d-7415edcf9a5d
status: test
description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
references:
    - https://github.com/OTRF/detection-hackathon-apt29/issues/1
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-08-17
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\'
    condition: selection
falsepositives:
    - This rule is to explore new applications on an endpoint. False positives depends on the organization.
    - Newly setup system.
    - Legitimate installation of new application.
level: informational