Sigma detection rules

48 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Detection rules

high
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an application's AppID URI.
status test author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' id 1b45b0d1-773f-4f23-aedc-814b759563b1
title: Application AppID Uri Configuration Changes
id: 1b45b0d1-773f-4f23-aedc-814b759563b1
status: test
description: Detects when a configuration change is made to an application's AppID URI.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
    - attack.initial-access
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1552
    - attack.t1078.004
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message:
            - Update Application
            - Update Service principal
    condition: selection
falsepositives:
    - When an administrator is making legitimate AppID URI configuration changes to an application. This should be a planned event.
level: high
high
Cisco Crypto Commands
Show when private keys are being exported from the device, or when new certificates are installed
status test author Austin Clark id 1f978c6a-4415-47fb-aca5-736a44d7ca3d
title: Cisco Crypto Commands
id: 1f978c6a-4415-47fb-aca5-736a44d7ca3d
status: test
description: Show when private keys are being exported from the device, or when new certificates are installed
references:
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
author: Austin Clark
date: 2019-08-12
modified: 2023-01-04
tags:
    - attack.credential-access
    - attack.defense-impairment
    - attack.t1553.004
    - attack.t1552.004
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'crypto pki export'
        - 'crypto pki import'
        - 'crypto pki trustpoint'
    condition: keywords
falsepositives:
    - Not commonly run by administrators. Also whitelist your known good certificates
level: high
high
Copy Passwd Or Shadow From TMP Path
Detects when the file "passwd" or "shadow" is copied from tmp path
status test author Joseliyo Sanchez, @Joseliyo_Jstnk id fa4aaed5-4fe0-498d-bbc0-08e3346387ba
title: Copy Passwd Or Shadow From TMP Path
id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba
status: test
description: Detects when the file "passwd" or "shadow" is copied from tmp path
references:
    - https://blogs.blackberry.com/
    - https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-31
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        Image|endswith: '/cp'
    selection_path:
        CommandLine|contains: '/tmp/'
    selection_file:
        CommandLine|contains:
            - 'passwd'
            - 'shadow'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Credentials In Files
Detecting attempts to extract passwords with grep and laZagne
status test author Igor Fits, Mikhail Larin, oscd.community id 53b1b378-9b06-4992-b972-dde6e423d2b4
title: Credentials In Files
id: 53b1b378-9b06-4992-b972-dde6e423d2b4
status: test
description: Detecting attempts to extract passwords with grep and laZagne
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    product: macos
    category: process_creation
detection:
    selection1:
        Image|endswith: '/grep'
        CommandLine|contains: 'password'
    selection2:
        CommandLine|contains: 'laZagne'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
high
Credentials In Files - Linux
Detecting attempts to extract passwords with grep
status test author Igor Fits, oscd.community id df3fcaea-2715-4214-99c5-0056ea59eb35
title: Credentials In Files - Linux
id: df3fcaea-2715-4214-99c5-0056ea59eb35
status: test
description: 'Detecting attempts to extract passwords with grep'
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: 'Igor Fits, oscd.community'
date: 2020-10-15
modified: 2023-04-30
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
    keywords:
        '|all':
            - 'grep'
            - 'password'
    condition: selection and keywords
falsepositives:
    - Unknown
level: high
high
DPAPI Backup Keys And Certificate Export Activity IOC
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
status test author Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems) id 7892ec59-c5bb-496d-8968-e5d210ca3ac4
title: DPAPI Backup Keys And Certificate Export Activity IOC
id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
status: test
description: |
    Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
references:
    - https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/
    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
author: Nounou Mbeiri, Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
    - attack.credential-access
    - attack.t1555
    - attack.t1552.004
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - 'ntds_capi_'
            - 'ntds_legacy_'
            - 'ntds_unknown_'
        TargetFilename|endswith:
            - '.cer'
            - '.key'
            - '.pfx'
            - '.pvk'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Findstr GPP Passwords
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
status test author frack113 id 91a2c315-9ee6-4052-a853-6f6a8238f90d
title: Findstr GPP Passwords
id: 91a2c315-9ee6-4052-a853-6f6a8238f90d
status: test
description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
author: frack113
date: 2021-12-27
modified: 2023-11-11
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'cpassword'
            - '\sysvol\'
            - '.xml'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml
simulation:
    - type: atomic-red-team
      name: GPP Passwords (findstr)
      technique: T1552.006
      atomic_guid: 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f
high
HackTool - Typical HiveNightmare SAM File Export
Detects files written by the different tools that exploit HiveNightmare
status test author Florian Roth (Nextron Systems) id 6ea858a8-ba71-4a12-b2cc-5d83312404c7
title: HackTool - Typical HiveNightmare SAM File Export
id: 6ea858a8-ba71-4a12-b2cc-5d83312404c7
status: test
description: Detects files written by the different tools that exploit HiveNightmare
references:
    - https://github.com/GossiTheDog/HiveNightmare
    - https://github.com/FireFart/hivenightmare/
    - https://github.com/WiredPulse/Invoke-HiveNightmare
    - https://twitter.com/cube0x0/status/1418920190759378944
author: Florian Roth (Nextron Systems)
date: 2021-07-23
modified: 2024-06-27
tags:
    - attack.credential-access
    - attack.t1552.001
    - cve.2021-36934
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename|contains:
              - '\hive_sam_'  # Go version
              - '\SAM-2021-'  # C++ version
              - '\SAM-2022-'  # C++ version
              - '\SAM-2023-'  # C++ version
              - '\SAM-haxx'   # Early C++ versions
              - '\Sam.save'   # PowerShell version
        - TargetFilename: 'C:\windows\temp\sam'  # C# version of HiveNightmare
    condition: selection
falsepositives:
    - Files that accidentally contain these strings
level: high
high
HackTool - WinPwn Execution
Detects commandline keywords indicative of potential usage of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
status test author Swachchhanda Shrawan Poudel id d557dc06-62e8-4468-a8e8-7984124908ce
title: HackTool - WinPwn Execution
id: d557dc06-62e8-4468-a8e8-7984124908ce
related:
    - id: 851fd622-b675-4d26-b803-14bc7baa517a
      type: similar
status: test
description: |
    Detects commandline keywords indicative of potential usage of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - Unknown
level: high
high
HackTool - WinPwn Execution - ScriptBlock
Detects scriptblock text keywords indicative of potential usage of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
status test author Swachchhanda Shrawan Poudel id 851fd622-b675-4d26-b803-14bc7baa517a
title: HackTool - WinPwn Execution - ScriptBlock
id: 851fd622-b675-4d26-b803-14bc7baa517a
related:
    - id: d557dc06-62e8-4468-a8e8-7984124908ce
      type: similar
status: test
description: |
    Detects scriptblock text keywords indicative of potential usage of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
author: Swachchhanda Shrawan Poudel
date: 2023-12-04
references:
    - https://github.com/S3cur3Th1sSh1t/WinPwn
    - https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841
    - https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/
    - https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md
    - https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
tags:
    - attack.credential-access
    - attack.discovery
    - attack.execution
    - attack.privilege-escalation
    - attack.t1046
    - attack.t1082
    - attack.t1106
    - attack.t1518
    - attack.t1548.002
    - attack.t1552.001
    - attack.t1555
    - attack.t1555.003
logsource:
    category: ps_script
    product: windows
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Offline_Winpwn'
            - 'WinPwn '
            - 'WinPwn.exe'
            - 'WinPwn.ps1'
    condition: selection
falsepositives:
    - As the script block is a blob of text, false positives may occur with scripts that contain the keyword as a reference or simply use it for detection.
level: high
high
LSASS Process Reconnaissance Via Findstr.EXE
Detects findstring commands that include the keyword lsass, which indicates recon activity for the LSASS process PID
status test author Florian Roth (Nextron Systems) id fe63010f-8823-4864-a96b-a7b4a0f7b929
title: LSASS Process Reconnaissance Via Findstr.EXE
id: fe63010f-8823-4864-a96b-a7b4a0f7b929
status: test
description: Detects findstring commands that include the keyword lsass, which indicates recon activity for the LSASS process PID
references:
    - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems)
date: 2022-08-12
modified: 2024-06-04
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains: 'lsass'
    selection_special:
        CommandLine|contains|windash:
            - ' /i "lsass'
            - ' /i lsass.exe'
            - 'findstr "lsass'
            - 'findstr lsass'
            - 'findstr.exe "lsass'
            - 'findstr.exe lsass'
    condition: all of selection_findstr_* or selection_special
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_lsass/info.yml
high
Linux Recon Indicators
Detects events with patterns found in commands used for reconnaissance on linux systems
status test author Florian Roth (Nextron Systems) id 0cf7a157-8879-41a2-8f55-388dd23746b7
title: Linux Recon Indicators
id: 0cf7a157-8879-41a2-8f55-388dd23746b7
status: test
description: Detects events with patterns found in commands used for reconnaissance on linux systems
references:
    - https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
author: Florian Roth (Nextron Systems)
date: 2022-06-20
tags:
    - attack.reconnaissance
    - attack.t1592.004
    - attack.credential-access
    - attack.t1552.001
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|contains:
            - ' -name .htpasswd'
            - ' -perm -4000 '
    condition: selection
falsepositives:
    - Legitimate administration activities
level: high
high
Potential Okta Password in AlternateID Field
Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.
status test author kelnage id 91b76b84-8589-47aa-9605-c837583b82a9
title: Potential Okta Password in AlternateID Field
id: 91b76b84-8589-47aa-9605-c837583b82a9
status: test
description: |
    Detects when a user has potentially entered their password into the
    username field, which will cause the password to be retained in log files.
references:
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data
    - https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm
author: kelnage
date: 2023-04-03
modified: 2026-04-27
tags:
    - attack.credential-access
    - attack.t1552
logsource:
    product: okta
    service: okta
detection:
    selection:
        legacyEventType: 'core.user_auth.login_failed'
    filter_main:
        # Okta service account names start with 0oa
        # Email addresses are the default format for Okta usernames, so attempt
        # to exclude alternateIds that look like valid emails
        # If your Okta configuration uses different character restrictions, you
        # will need to update this regular expression to reflect that or disable the rule for your environment
        # Possible false negatives are failed login attempts with a password that looks like a valid email address
        actor.alternateId|re: '(^0oa.*|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,10})'
    condition: selection and not filter_main
falsepositives:
    - Unlikely
level: high
high
PowerShell Get-Process LSASS
Detects a "Get-Process" cmdlet and its aliases on lsass process, which is in almost all cases a sign of malicious activity
status test author Florian Roth (Nextron Systems) id b2815d0d-7481-4bf0-9b6c-a4c48a94b349
title: PowerShell Get-Process LSASS
id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349
status: test
description: Detects a "Get-Process" cmdlet and its aliases on lsass process, which is in almost all cases a sign of malicious activity
references:
    - https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
author: Florian Roth (Nextron Systems)
date: 2021-04-23
modified: 2023-01-05
tags:
    - attack.credential-access
    - attack.t1552.004
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            # You can add more permutation as you see fit
            - 'Get-Process lsas'
            - 'ps lsas'
            - 'gps lsas'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Registry Export of Third-Party Credentials
Detects the use of reg.exe to export registry paths associated with third-party credentials. Credential stealers have been known to use this technique to extract sensitive information from the registry.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
title: Registry Export of Third-Party Credentials
id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
related:
    - id: 87a476dc-0079-4583-a985-dee7a20a03de
      type: similar
status: experimental
description: |
    Detects the use of reg.exe to export registry paths associated with third-party credentials.
    Credential stealers have been known to use this technique to extract sensitive information from the registry.
references:
    - https://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli_save:
        CommandLine|contains:
            - 'save'
            - 'export'
    selection_cli_path:
        CommandLine|contains:
            - '\Software\Aerofox\Foxmail\V3.1'
            - '\Software\Aerofox\FoxmailPreview'
            - '\Software\DownloadManager\Passwords'
            - '\Software\FTPWare\COREFTP\Sites'
            - '\Software\IncrediMail\Identities'
            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
            - '\Software\Mobatek\MobaXterm'
            - '\Software\OpenSSH\Agent\Keys'
            - '\Software\OpenVPN-GUI\configs'
            - '\Software\ORL\WinVNC3\Password'
            - '\Software\Qualcomm\Eudora\CommandLine'
            - '\Software\RealVNC\WinVNC4'
            - '\Software\RimArts\B2\Settings'
            - '\Software\SimonTatham\PuTTY\Sessions'
            - '\Software\SimonTatham\PuTTY\SshHostKeys'
            - '\Software\Sota\FFFTP'
            - '\Software\TightVNC\Server'
            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
SAM Registry Hive Handle Request
Detects handles requested to SAM registry hive
status test author Roberto Rodriguez @Cyb3rWard0g id f8748f2c-89dc-4d95-afb0-5a2dfdbad332
title: SAM Registry Hive Handle Request
id: f8748f2c-89dc-4d95-afb0-5a2dfdbad332
status: test
description: Detects handles requested to SAM registry hive
references:
    - https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-12
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1012
    - attack.credential-access
    - attack.t1552.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4656
        ObjectType: 'Key'
        ObjectName|endswith: '\SAM'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Script Interpreter Spawning Credential Scanner - Linux
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks). This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id f0025a69-e1b7-4dda-a53c-db21fa2d4071
title: Script Interpreter Spawning Credential Scanner - Linux
id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
related:
    - id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.credential-access
    - attack.t1552
    - attack.execution
    - attack.collection
    - attack.t1005
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith:
         # Add more script interpreters as needed
            - '/node'
            - '/bun'
    selection_child:
        - Image|endswith:
              - '/trufflehog'
              - '/gitleaks'
        - CommandLine|contains:
              - 'trufflehog'
              - 'gitleaks'
    condition: all of selection_*
falsepositives:
    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
high
Script Interpreter Spawning Credential Scanner - Windows
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks). This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
    - id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.credential-access
    - attack.t1552
    - attack.collection
    - attack.execution
    - attack.t1005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
           # Add more script interpreters as needed
            - '\node.exe'
            - '\bun.exe'
    selection_child:
        - Image|endswith:
              - 'trufflehog.exe'
              - 'gitleaks.exe'
        - CommandLine|contains:
              - 'trufflehog'
              - 'gitleaks'
    condition: all of selection_*
falsepositives:
    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml
medium
Access To Potentially Sensitive Sysvol Files By Uncommon Applications
Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
status test author frack113 id d51694fe-484a-46ac-92d6-969e76d60d10
title: Access To Potentially Sensitive Sysvol Files By Uncommon Applications
id: d51694fe-484a-46ac-92d6-969e76d60d10
related:
    - id: 8344c19f-a023-45ff-ad63-a01c5396aea0
      type: derived
status: test
description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
references:
    - https://github.com/vletoux/pingcastle
author: frack113
date: 2023-12-21
modified: 2024-07-29
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|startswith: '\\'
        FileName|contains|all:
            - '\sysvol\'
            - '\Policies\'
        FileName|endswith:
            - 'audit.csv'
            - 'Files.xml'
            - 'GptTmpl.inf'
            - 'groups.xml'
            - 'Registry.pol'
            - 'Registry.xml'
            - 'scheduledtasks.xml'
            - 'scripts.ini'
            - 'services.xml'
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    filter_main_explorer:
        Image: 'C:\Windows\explorer.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Added Owner To Application
Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
status test author Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' id 74298991-9fc4-460e-a92e-511aa60baec1
title: Added Owner To Application
id: 74298991-9fc4-460e-a92e-511aa60baec1
status: test
description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner
author: Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik'
date: 2022-06-02
tags:
    - attack.t1552
    - attack.credential-access
logsource:
    product: azure
    service: auditlogs
detection:
    selection:
        properties.message: Add owner to application
    condition: selection
falsepositives:
    - When a new application owner is added by an administrator
level: medium
medium
Automated Collection Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
status test author frack113 id f576a613-2392-4067-9d1a-9345fb58d8d1
title: Automated Collection Command Prompt
id: f576a613-2392-4067-9d1a-9345fb58d8d1
status: test
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: frack113
date: 2021-07-28
modified: 2022-11-11
tags:
    - attack.collection
    - attack.t1119
    - attack.credential-access
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_ext:
        CommandLine|contains:
            - '.doc'
            - '.docx'
            - '.xls'
            - '.xlsx'
            - '.ppt'
            - '.pptx'
            - '.rtf'
            - '.pdf'
            - '.txt'
    selection_other_dir:
        CommandLine|contains|all:
            - 'dir '
            - ' /b '
            - ' /s '
    selection_other_findstr:
        OriginalFileName: 'FINDSTR.EXE'
        CommandLine|contains:
            - ' /e '
            - ' /si '
    condition: selection_ext and 1 of selection_other_*
falsepositives:
    - Unknown
level: medium
medium
Azure Key Vault Modified or Deleted
Identifies when a key vault is modified or deleted.
status test author Austin Songer @austinsonger id 459a2970-bb84-4e6a-a32e-ff0fbd99448d
title: Azure Key Vault Modified or Deleted
id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d
status: test
description: Identifies when a key vault is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-16
modified: 2022-08-23
tags:
    - attack.impact
    - attack.credential-access
    - attack.t1552
    - attack.t1552.001
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KEYVAULT/VAULTS/WRITE
            - MICROSOFT.KEYVAULT/VAULTS/DELETE
            - MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE
    condition: selection
falsepositives:
    - Key Vault being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Azure Keyvault Key Modified or Deleted
Identifies when a Keyvault Key is modified or deleted in Azure.
status test author Austin Songer @austinsonger id 80eeab92-0979-4152-942d-96749e11df40
title: Azure Keyvault Key Modified or Deleted
id: 80eeab92-0979-4152-942d-96749e11df40
status: test
description: Identifies when a Keyvault Key is modified or deleted in Azure.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-16
modified: 2022-08-23
tags:
    - attack.impact
    - attack.credential-access
    - attack.t1552
    - attack.t1552.001
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION
    condition: selection
falsepositives:
    - Key being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Azure Keyvault Secrets Modified or Deleted
Identifies when secrets are modified or deleted in Azure.
status test author Austin Songer @austinsonger id b831353c-1971-477b-abb6-2828edc3bca1
title: Azure Keyvault Secrets Modified or Deleted
id: b831353c-1971-477b-abb6-2828edc3bca1
status: test
description: Identifies when secrets are modified or deleted in Azure.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021-08-16
modified: 2022-08-23
tags:
    - attack.impact
    - attack.credential-access
    - attack.t1552
    - attack.t1552.001
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION
            - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION
    condition: selection
falsepositives:
    - Secrets being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Azure Kubernetes Admission Controller
Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
status test author Austin Songer @austinsonger id a61a3c56-4ce2-4351-a079-88ae4cbd2b58
title: Azure Kubernetes Admission Controller
id: a61a3c56-4ce2-4351-a079-88ae4cbd2b58
status: test
description: |
  Identifies when an admission controller is executed in Azure Kubernetes.
  A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
  The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
  An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
  For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.
  An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.
  An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-18
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.credential-access
    - attack.t1552
    - attack.t1552.007
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName|startswith:
            - 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
            - 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
        operationName|endswith:
            - '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE'
            - '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE'
    condition: selection
falsepositives:
    - Azure Kubernetes Admissions Controller may be done by a system administrator.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Certificate Exported Via PowerShell
Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
status test author Nasreddine Bencherchali (Nextron Systems) id 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
title: Certificate Exported Via PowerShell
id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
related:
    - id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
      type: similar
status: test
description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
references:
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
    - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-18
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1552.004
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'Export-PfxCertificate '
            - 'Export-Certificate '
    condition: selection
falsepositives:
    - Legitimate certificate exports by administrators. Additional filters might be required.
level: medium
medium
Certificate Exported Via PowerShell - ScriptBlock
Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
status test author Florian Roth (Nextron Systems) id aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
title: Certificate Exported Via PowerShell - ScriptBlock
id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
related:
    - id: 9e716b33-63b2-46da-86a4-bd3c3b9b5dfb
      type: similar
status: test
description: Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
references:
    - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
    - https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps
    - https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
author: Florian Roth (Nextron Systems)
date: 2021-04-23
modified: 2023-05-18
tags:
    - attack.credential-access
    - attack.t1552.004
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Export-PfxCertificate'
            - 'Export-Certificate'
    filter_optional_module_export:
        ScriptBlockText|contains: 'CmdletsToExport = @('
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate certificate exports by administrators. Additional filters might be required.
level: medium
medium
Cisco Show Commands Input
See what commands are being input into the device by other people; full credentials can be in the history
status test author Austin Clark id b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
title: Cisco Show Commands Input
id: b094d9fb-b1ad-4650-9f1a-fb7be9f1d34b
status: test
description: See what commands are being input into the device by other people; full credentials can be in the history
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
    - attack.credential-access
    - attack.t1552.003
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'show history'
        - 'show history all'
        - 'show logging'
    condition: keywords
falsepositives:
    - Not commonly run by administrators, especially if remote logging is configured
level: medium
medium
Enumeration for 3rd Party Creds From CLI
Detects processes that query known 3rd party registry keys that hold credentials via the command line
status test author Nasreddine Bencherchali (Nextron Systems) id 87a476dc-0079-4583-a985-dee7a20a03de
title: Enumeration for 3rd Party Creds From CLI
id: 87a476dc-0079-4583-a985-dee7a20a03de
related:
    - id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
      type: derived
    - id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
      type: similar
status: test
description: Detects processes that query known 3rd party registry keys that hold credentials via the command line
references:
    - https://isc.sans.edu/diary/More+Data+Exfiltration/25698
    - https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt
    - https://github.com/HyperSine/how-does-MobaXterm-encrypt-password
    - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2025-05-22
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: # Add more paths as they are discovered
            - '\Software\Aerofox\Foxmail\V3.1'
            - '\Software\Aerofox\FoxmailPreview'
            - '\Software\DownloadManager\Passwords'
            - '\Software\FTPWare\COREFTP\Sites'
            - '\Software\IncrediMail\Identities'
            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
            - '\Software\Mobatek\MobaXterm\'
            - '\Software\OpenSSH\Agent\Keys'
            - '\Software\OpenVPN-GUI\configs'
            - '\Software\ORL\WinVNC3\Password'
            - '\Software\Qualcomm\Eudora\CommandLine'
            - '\Software\RealVNC\WinVNC4'
            - '\Software\RimArts\B2\Settings'
            - '\Software\SimonTatham\PuTTY\Sessions'
            - '\Software\SimonTatham\PuTTY\SshHostKeys\'
            - '\Software\Sota\FFFTP'
            - '\Software\TightVNC\Server'
            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
    filter_main_other_rule:  # matched by cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
        Image|endswith: 'reg.exe'
        CommandLine|contains:
            - 'export'
            - 'save'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Enumeration for Credentials in Registry
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
status test author frack113 id e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
title: Enumeration for Credentials in Registry
id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
status: test
description: |
    Adversaries may search the Registry on compromised systems for insecurely stored credentials.
    The Windows Registry stores configuration information that can be used by the system or other programs.
    Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
author: frack113
date: 2021-12-20
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1552.002
logsource:
    category: process_creation
    product: windows
detection:
    reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains|all:
            - ' query '
            - '/t '
            - 'REG_SZ'
            - '/s'
    hive:
        - CommandLine|contains|all:
              - '/f '
              - 'HKLM'
        - CommandLine|contains|all:
              - '/f '
              - 'HKCU'
        - CommandLine|contains: 'HKCU\Software\SimonTatham\PuTTY\Sessions'
    condition: reg and hive
falsepositives:
    - Unknown
level: medium
medium
Extracting Information with PowerShell
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
status test author frack113 id bd5971a7-626d-46ab-8176-ed643f694f68
title: Extracting Information with PowerShell
id: bd5971a7-626d-46ab-8176-ed643f694f68
status: test
description: |
    Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
    These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
    configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
author: frack113
date: 2021-12-19
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - ls
            - ' -R'
            - 'select-string '
            - '-Pattern '
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Google Cloud Kubernetes Admission Controller
Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
status test author Austin Songer @austinsonger id 6ad91e31-53df-4826-bd27-0166171c8040
title: Google Cloud Kubernetes Admission Controller
id: 6ad91e31-53df-4826-bd27-0166171c8040
status: test
description: |
  Identifies when an admission controller is executed in GCP Kubernetes.
  A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
  The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
  An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
  For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials.
  An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
    - https://cloud.google.com/kubernetes-engine/docs
author: Austin Songer @austinsonger
date: 2021-11-25
modified: 2022-12-18
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.credential-access
    - attack.t1552
    - attack.t1552.007
logsource:
    product: gcp
    service: gcp.audit
detection:
    selection:
        gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v'
        gcp.audit.method_name|contains:
            - '.mutatingwebhookconfigurations.'
            - '.validatingwebhookconfigurations.'
        gcp.audit.method_name|endswith:
            - 'create'
            - 'patch'
            - 'replace'
    condition: selection
falsepositives:
    - Google Cloud Kubernetes Admission Controller may be done by a system administrator.
    - If known behavior is causing false positives, it can be exempted from the rule.
level: medium
medium
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
status test author Omar Khaled (@beacon_exe) id 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
title: Hidden Flag Set On File/Directory Via Chflags - MacOS
id: 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
status: test
description: |
    Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
    When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
references:
    - https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
    - https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
    - https://ss64.com/mac/chflags.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-21
tags:
    - attack.credential-access
    - attack.command-and-control
    - attack.stealth
    - attack.t1218
    - attack.t1564.004
    - attack.t1552.001
    - attack.t1105
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/chflags'
        CommandLine|contains: 'hidden '
    condition: selection
falsepositives:
    - Legitimate usage of chflags by administrators and users.
level: medium
medium
Kubernetes Admission Controller Modification
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
status test author kelnage id eed82177-38f5-4299-8a76-098d50d225ab
title: Kubernetes Admission Controller Modification
id: eed82177-38f5-4299-8a76-098d50d225ab
related:
    - id: 6ad91e31-53df-4826-bd27-0166171c8040
      type: similar
status: test
description: |
    Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
references:
    - https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
    - https://security.padok.fr/en/blog/kubernetes-webhook-attackers
author: kelnage
date: 2024-07-11
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.persistence
    - attack.stealth
    - attack.t1078
    - attack.credential-access
    - attack.t1552
    - attack.t1552.007
logsource:
    product: kubernetes
    service: audit
detection:
    selection:
        objectRef.apiGroup: 'admissionregistration.k8s.io'
        objectRef.resource:
            - 'mutatingwebhookconfigurations'
            - 'validatingwebhookconfigurations'
        verb:
            - 'create'
            - 'delete'
            - 'patch'
            - 'replace'
            - 'update'
    condition: selection
falsepositives:
    - Modifying the Kubernetes Admission Controller may need to be done by a system administrator.
    - Automated processes may need to take these actions and may need to be filtered.
level: medium
medium
PUA - TruffleHog Execution
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intended for use in CI pipelines and security assessments, it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 44030449-b0df-4c94-aae1-502359ab28ee
title: PUA - TruffleHog Execution
id: 44030449-b0df-4c94-aae1-502359ab28ee
related:
    - id: d7a650c4-226c-451e-948f-cc490db506aa
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\trufflehog.exe'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_trufflehog/info.yml
medium
PUA - TruffleHog Execution - Linux
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intended for use in CI pipelines and security assessments, it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id d7a650c4-226c-451e-948f-cc490db506aa
title: PUA - TruffleHog Execution - Linux
id: d7a650c4-226c-451e-948f-cc490db506aa
related:
    - id: 44030449-b0df-4c94-aae1-502359ab28ee
      type: similar
status: experimental
description: |
    Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously.
    While it is a legitimate tool, intended for use in CI pipelines and security assessments,
    it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
references:
    - https://github.com/trufflesecurity/trufflehog
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.discovery
    - attack.credential-access
    - attack.t1083
    - attack.t1552.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/trufflehog'
    selection_cli_platform:
        CommandLine|contains:
            - ' docker --image '
            - ' Git '
            - ' GitHub '
            - ' Jira '
            - ' Slack '
            - ' Confluence '
            - ' SharePoint '
            - ' s3 '
            - ' gcs '
    selection_cli_verified:
        CommandLine|contains: ' --results=verified'
    condition: selection_img or all of selection_cli_*
falsepositives:
    - Legitimate use of TruffleHog by security teams or developers.
level: medium
medium
Permission Misconfiguration Reconnaissance Via Findstr.EXE
Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured file or folder permissions.
status test author Nasreddine Bencherchali (Nextron Systems) id 47e4bab7-c626-47dc-967b-255608c9a920
title: Permission Misconfiguration Reconnaissance Via Findstr.EXE
id: 47e4bab7-c626-47dc-967b-255608c9a920
status: test
description: |
    Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
    This was seen being used in combination with "icacls" and other utilities to spot misconfigured file or folder permissions.
references:
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-12
modified: 2023-11-11
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains:
            - '"Everyone"'
            - "'Everyone'"
            - '"BUILTIN\\"'
            - "'BUILTIN\\'"
    selection_special:
        CommandLine|contains|all:
            # Example CLI would be: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
            # You could extend it for other groups and users
            #   Example: icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
            # Note: This selection only detects the command when executed from a handler such as a "cmd /c" or "powershell -c"
            - 'icacls '
            - 'findstr '
            - 'Everyone'
    condition: all of selection_findstr_* or selection_special
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_recon_everyone/info.yml
medium
Potential PowerShell Console History Access Attempt via History File
Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt). This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
status experimental author Luc Génaux id f4ff7323-b5fc-4323-8b52-6b9408e15788
title: Potential PowerShell Console History Access Attempt via History File
id: f4ff7323-b5fc-4323-8b52-6b9408e15788
status: experimental
description: |
    Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt).
    This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
references:
    - https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html
author: Luc Génaux
date: 2025-04-03
tags:
    - attack.credential-access
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'ConsoleHost_history.txt'
            - '(Get-PSReadLineOption).HistorySavePath'
    condition: selection
falsepositives:
    - Legitimate access of the console history file is possible
level: medium
medium
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from event logs such as usernames, IP addresses, hostnames, etc.
status test author Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) id beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
title: Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
related:
    - id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
      type: derived
status: test
description: |
    Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
    This technique is used by threat actors in order to extract sensitive information from event logs such as usernames, IP addresses, hostnames, etc.
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
    - https://www.group-ib.com/blog/apt41-world-tour-2021/
    - https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1
    - http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
    - https://ptsecurity.com/research/pt-esc-threat-intelligence/striking-panda-attacks-apt31-today
    - https://www.cybertriage.com/artifact/terminalservices_remoteconnectionmanager_log/
    - https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-09-09
modified: 2025-12-02
tags:
    - attack.credential-access
    - attack.discovery
    - attack.t1552
    - attack.t1087
logsource:
    category: process_creation
    product: windows
detection:
    selection_wmi:
        CommandLine|contains|all:
            - 'Select'
            - 'Win32_NTLogEvent'
    selection_wevtutil_img:
        - Image|endswith: '\wevtutil.exe'
        - OriginalFileName: 'wevtutil.exe'
    selection_wevtutil_cli:
        CommandLine|contains:
            - ' qe '
            - ' query-events '
    selection_wmic_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_wmic_cli:
        CommandLine|contains: ' ntevent'
    selection_cmdlet:
        CommandLine|contains:
            - 'Get-WinEvent '
            - 'get-eventlog '
    selection_logs_name:
        CommandLine|contains:
            # Note: Add more event log channels that are interesting for attackers
            - 'Microsoft-Windows-PowerShell'
            - 'Microsoft-Windows-Security-Auditing'
            - 'Microsoft-Windows-TerminalServices-LocalSessionManager'
            - 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
            - 'Microsoft-Windows-Windows Defender'
            - 'PowerShellCore'
            - 'Security'
            - 'Windows PowerShell'
    selection_logs_eid:
        CommandLine|contains:
            # Note: We use the "?" to account for both a single and a double quote
            # Note: Please add additional interesting event IDs
            # Note: As this only focuses on EIDs and we know EIDs are not unique across providers. Rare FPs might occur with legit queries to EIDs from different providers.
            # This covers EID 4624 and 4628 from Security Log
            - '-InstanceId 462?'
            - '.eventid -eq 462?'
            - '.ID -eq 462?'
            - 'EventCode=?462?'
            - 'EventIdentifier=?462?'
            - 'System[EventID=462?]'
            # This covers EID 4778 from Security Log
            - '-InstanceId 4778'
            - '.eventid -eq 4778'
            - '.ID -eq 4778'
            - 'EventCode=?4778?'
            - 'EventIdentifier=?4778?'
            - 'System[EventID=4778]'
            # This covers EID 25 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 25'
            - '.eventid -eq 25'
            - '.ID -eq 25'
            - 'EventCode=?25?'
            - 'EventIdentifier=?25?'
            - 'System[EventID=25]'
            # This covers EID 1149 from Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log
            - '-InstanceId 1149'
            - '.eventid -eq 1149'
            - '.ID -eq 1149'
            - 'EventCode=?1149?'
            - 'EventIdentifier=?1149?'
            - 'System[EventID=1149]'
            # This covers EID 21 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 21'
            - '.eventid -eq 21'
            - '.ID -eq 21'
            - 'EventCode=?21?'
            - 'EventIdentifier=?21?'
            - 'System[EventID=21]'
            # This covers EID 22 from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log
            - '-InstanceId 22'
            - '.eventid -eq 22'
            - '.ID -eq 22'
            - 'EventCode=?22?'
            - 'EventIdentifier=?22?'
            - 'System[EventID=22]'
    condition: 1 of selection_logs_* and (selection_wmi or all of selection_wevtutil_* or all of selection_wmic_* or selection_cmdlet)
falsepositives:
    - Legitimate usage of the utility by administrators to query the event log
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon/info.yml
medium
Potentially Suspicious JWT Token Search Via CLI
Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others. Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
status test author Nasreddine Bencherchali (Nextron Systems), kagebunsher id 6d3a3952-6530-44a3-8554-cf17c116c615
title: Potentially Suspicious JWT Token Search Via CLI
id: 6d3a3952-6530-44a3-8554-cf17c116c615
status: test
description: |
    Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
    JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others.
    Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
references:
    - https://mrd0x.com/stealing-tokens-from-office-applications/
    - https://www.scip.ch/en/?labs.20240523
author: Nasreddine Bencherchali (Nextron Systems), kagebunsher
date: 2022-10-25
modified: 2025-10-21
tags:
    - attack.credential-access
    - attack.t1528
    - attack.t1552.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools:
        CommandLine|contains:
            - 'find '
            - 'find.exe'
            - 'findstr'
            - 'select-string '
            - 'strings'
    selection_jwt_string:
        CommandLine|contains:
            - 'eyJ0eXAiOi' # {"typ":
            - 'eyJhbGciOi' # {"alg":
            - ' eyJ0eX'
            - ' "eyJ0eX"'
            - " 'eyJ0eX'"
            - ' eyJhbG'
            - ' "eyJhbG"'
            - " 'eyJhbG'"
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Private Keys Reconnaissance Via CommandLine Tools
Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id 213d6a77-3d55-4ce8-ba74-fcfef741974e
title: Private Keys Reconnaissance Via CommandLine Tools
id: 213d6a77-3d55-4ce8-ba74-fcfef741974e
status: test
description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-07-20
modified: 2023-03-06
tags:
    - attack.credential-access
    - attack.t1552.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_cli:
        CommandLine|contains: 'dir '
    selection_pwsh_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains: 'Get-ChildItem '
    selection_findstr:
        - Image|endswith: '\findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_ext:
        CommandLine|contains:
            - '.key'
            - '.pgp'
            - '.gpg'
            - '.ppk'
            - '.p12'
            - '.pem'
            - '.pfx'
            - '.cer'
            - '.p7b'
            - '.asc'
    condition: selection_ext and (all of selection_cmd_* or all of selection_pwsh_* or selection_findstr)
falsepositives:
    - Unknown
level: medium
medium
Remote File Download Via Findstr.EXE
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
status test author Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) id 587254ee-a24b-4335-b3cd-065c0f1f4baa
title: Remote File Download Via Findstr.EXE
id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
related:
    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
      type: obsolete
status: test
description: |
    Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-05
modified: 2024-03-05
tags:
    - attack.credential-access
    - attack.command-and-control
    - attack.stealth
    - attack.t1218
    - attack.t1564.004
    - attack.t1552.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr:
        - CommandLine|contains: findstr
        - Image|endswith: 'findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_cli_download_1:
        CommandLine|contains|windash: ' -v '
    selection_cli_download_2:
        CommandLine|contains|windash: ' -l '
    selection_cli_download_3:
        CommandLine|contains: '\\\\'
    condition: selection_findstr and all of selection_cli_download_*
falsepositives:
    - Unknown
level: medium
medium
Suspicious History File Operations
Detects commandline operations on shell history files
status test author Mikhail Larin, oscd.community id 508a9374-ad52-4789-b568-fc358def2c65
title: Suspicious History File Operations
id: 508a9374-ad52-4789-b568-fc358def2c65
status: test
description: Detects commandline operations on shell history files
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: 'Mikhail Larin, oscd.community'
date: 2020-10-17
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1552.003
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - '.bash_history'
            - '.zsh_history'
            - '.zhistory'
            - '.history'
            - '.sh_history'
            - 'fish_history'
    condition: selection
falsepositives:
    - Legitimate administrative activity
    - Legitimate software, cleaning hist file
level: medium
medium
Suspicious History File Operations - Linux
Detects commandline operations on shell history files
status test author Mikhail Larin, oscd.community id eae8ce9f-bde9-47a6-8e79-f20d18419910
title: Suspicious History File Operations - Linux
id: eae8ce9f-bde9-47a6-8e79-f20d18419910
status: test
description: 'Detects commandline operations on shell history files'
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
author: 'Mikhail Larin, oscd.community'
date: 2020-10-17
modified: 2022-11-28
tags:
    - attack.credential-access
    - attack.t1552.003
logsource:
    product: linux
    service: auditd
detection:
    execve:
        type: EXECVE
    history:
        - '.bash_history'
        - '.zsh_history'
        - '.zhistory'
        - '.history'
        - '.sh_history'
        - 'fish_history'
    condition: execve and history
falsepositives:
    - Legitimate administrative activity
    - Legitimate software, cleaning hist file
level: medium
medium
Suspicious SYSVOL Domain Group Policy Access
Detects Access to Domain Group Policies stored in SYSVOL
status test author Markus Neis, Jonhnathan Ribeiro, oscd.community id 05f3c945-dcc8-4393-9f3d-af65077a8f86
title: Suspicious SYSVOL Domain Group Policy Access
id: 05f3c945-dcc8-4393-9f3d-af65077a8f86
status: test
description: Detects Access to Domain Group Policies stored in SYSVOL
references:
    - https://adsecurity.org/?p=2288
    - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
author: Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2018-04-09
modified: 2022-01-07
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\SYSVOL\'
            - '\policies\'
    condition: selection
falsepositives:
    - Administrative activity
level: medium
low
Cisco Collect Data
Collect pertinent data from the configuration files
status test author Austin Clark id cd072b25-a418-4f98-8ebc-5093fb38fe1a
title: Cisco Collect Data
id: cd072b25-a418-4f98-8ebc-5093fb38fe1a
status: test
description: Collect pertinent data from the configuration files
references:
    - https://blog.router-switch.com/2013/11/show-running-config/
    - https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm
    - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
author: Austin Clark
date: 2019-08-11
modified: 2023-01-04
tags:
    - attack.discovery
    - attack.credential-access
    - attack.collection
    - attack.t1087.001
    - attack.t1552.001
    - attack.t1005
logsource:
    product: cisco
    service: aaa
detection:
    keywords:
        - 'show running-config'
        - 'show startup-config'
        - 'show archive config'
        - 'more'
    condition: keywords
falsepositives:
    - Commonly run by administrators
level: low
low
Insensitive Subfolder Search Via Findstr.EXE
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
status test author Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems) id 04936b66-3915-43ad-a8e5-809eadfd1141
title: Insensitive Subfolder Search Via Findstr.EXE
id: 04936b66-3915-43ad-a8e5-809eadfd1141
related:
    - id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
      type: obsolete
status: test
description: |
    Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Findstr/
    - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
    - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-05
modified: 2024-03-05
tags:
    - attack.credential-access
    - attack.command-and-control
    - attack.stealth
    - attack.t1218
    - attack.t1564.004
    - attack.t1552.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr:
        - CommandLine|contains: findstr
        - Image|endswith: 'findstr.exe'
        - OriginalFileName: 'FINDSTR.EXE'
    selection_cli_search_subfolder:
        CommandLine|contains|windash: ' -s '
    selection_cli_search_insensitive:
        CommandLine|contains|windash: ' -i '
    condition: selection_findstr and all of selection_cli_search_*
falsepositives:
    - Administrative or software activity
level: low
low
Kubernetes Secrets Enumeration
Detects enumeration of Kubernetes secrets.
status test author Leo Tsaousis (@laripping) id eeb3e9e1-b685-44e4-9232-6bb701f925b5
title: Kubernetes Secrets Enumeration
id: eeb3e9e1-b685-44e4-9232-6bb701f925b5
related:
    - id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
      type: derived
status: test
description: Detects enumeration of Kubernetes secrets.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.t1552.007
    - attack.credential-access
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'list'
        objectRef.resource: 'secrets'
    condition: selection
falsepositives:
    - The Kubernetes dashboard occasionally accesses the kubernetes-dashboard-key-holder secret
level: low
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin