title: CobaltStrike Service Installations - System
id: 5a105d34-05fc-401e-8553-272b45c1522d
status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
references:
    - https://www.sans.org/webcasts/119395
    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-26
modified: 2022-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_id:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection1:
        ImagePath|contains|all:
            - 'ADMIN$'
            - '.exe'
    selection2:
        ImagePath|contains|all:
            - '%COMSPEC%'
            - 'start'
            - 'powershell'
    selection3:
        ImagePath|contains: 'powershell -nop -w hidden -encodedcommand'
    selection4:
        ImagePath|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
    condition: selection_id and (selection1 or selection2 or selection3 or selection4)
falsepositives:
    - Unknown
level: critical

title: HackTool - SharpUp PrivEsc Tool Execution
id: c484e533-ee16-4a93-b6ac-f0ea4868b2f1
status: test
description: Detects the use of SharpUp, a tool for local privilege escalation
references:
    - https://github.com/GhostPack/SharpUp
author: Florian Roth (Nextron Systems)
date: 2022-08-20
modified: 2023-02-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.discovery
    - attack.execution
    - attack.stealth
    - attack.t1615
    - attack.t1569.002
    - attack.t1574.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\SharpUp.exe'
        - Description: 'SharpUp'
        - CommandLine|contains:
              - 'HijackablePaths'
              - 'UnquotedServicePath'
              - 'ProcessDLLHijack'
              - 'ModifiableServiceBinaries'
              - 'ModifiableScheduledTask'
              - 'DomainGPPPassword'
              - 'CachedGPPPassword'
    condition: selection
falsepositives:
    - Unknown
level: critical

title: CobaltStrike Service Installations - Security
id: d7a95147-145f-4678-b85d-d1ff4a3bb3f6
related:
    - id: 5a105d34-05fc-401e-8553-272b45c1522d
      type: derived
status: test
description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
references:
    - https://www.sans.org/webcasts/119395
    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
    - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
author: Florian Roth (Nextron Systems), Wojciech Lesicki
date: 2021-05-26
modified: 2022-11-27
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    event_id:
        EventID: 4697
    selection1:
        ServiceFileName|contains|all:
            - 'ADMIN$'
            - '.exe'
    selection2:
        ServiceFileName|contains|all:
            - '%COMSPEC%'
            - 'start'
            - 'powershell'
    selection3:
        ServiceFileName|contains: 'powershell -nop -w hidden -encodedcommand'
    selection4:
        ServiceFileName|base64offset|contains: "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
    condition: event_id and 1 of selection*
falsepositives:
    - Unknown
level: high

title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
    - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
      type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
    - attack.t1569.002
    - attack.s0005
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains:
            - 'cachedump'
            - 'dumpsvc'
            - 'fgexec'
            - 'gsecdump'
            - 'mimidrv'
            - 'pwdump'
            - 'servpw'
    condition: selection
falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
level: high

title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
    - attack.credential-access
    - attack.execution
    - attack.t1003.001
    - attack.t1003.002
    - attack.t1003.004
    - attack.t1003.005
    - attack.t1003.006
    - attack.t1569.002
    - attack.s0005
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains:
            - 'cachedump'
            - 'dumpsvc'
            - 'fgexec'
            - 'gsecdump'
            - 'mimidrv'
            - 'pwdump'
            - 'servpw'
    condition: selection
falsepositives:
    - Legitimate Administrator using credential dumping tool for password recovery
level: high

title: HackTool Service Registration or Execution
id: d26ce60c-2151-403c-9a42-49420d87b5e4
status: test
description: Detects installation or execution of services
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-21
modified: 2023-08-07
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID:
            - 7045
            - 7036
    selection_service_name:
        ServiceName|contains:
            - 'cachedump'
            - 'DumpSvc'
            - 'gsecdump'
            - 'pwdump'
            - 'UACBypassedService'
            - 'WCE SERVICE'
            - 'WCESERVICE'
            - 'winexesvc'
    selection_service_image:
        ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
    condition: selection_eid and 1 of selection_service_*
falsepositives:
    - Unknown
level: high

title: Metasploit Or Impacket Service Installation Via SMB PsExec
id: 6fb63b40-e02a-403e-9ffd-3bcc1d749442
related:
    - id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
      type: derived
status: test
description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
references:
    - https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-21
modified: 2022-10-05
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1570
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|re: '^%systemroot%\\[a-zA-Z]{8}\.exe$'
        ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
        ServiceStartType: 3  # on-demand start, see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4697
        ServiceType: '0x10'
    filter:
        ServiceName: 'PSEXESVC'
    condition: selection and not filter
falsepositives:
    - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
level: high

title: PSExec and WMI Process Creations Block
id: 97b9ce1e-c5ab-11ea-87d0-0242ac130003
status: test
description: Detects blocking of process creations originating from PSExec and WMI commands
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands
    - https://twitter.com/duff22b/status/1280166329660497920
author: Bhabesh Raj
date: 2020-07-14
modified: 2022-12-25
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1047
    - attack.t1569.002
logsource:
    product: windows
    service: windefend
    definition: 'Requirements:Enabled Block process creations originating from PSExec and WMI commands from Attack Surface Reduction (GUID: d1e49aac-8f56-4280-b9ba-993a6d77406c)'
detection:
    selection:
        EventID: 1121
        ProcessName|endswith:
            - '\wmiprvse.exe'
            - '\psexesvc.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

title: PUA - CsExec Execution
id: d08a2711-ee8b-4323-bdec-b7d85e892b31
status: test
description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
references:
    - https://github.com/malcomvetter/CSExec
    - https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
author: Florian Roth (Nextron Systems)
date: 2022-08-22
modified: 2023-02-21
tags:
    - attack.resource-development
    - attack.t1587.001
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\csexec.exe'
    selection_pe:
        Description: 'csexec'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high

title: PUA - NSudo Execution
id: 771d1eb5-9587-4568-95fb-9ec44153a012
status: test
description: Detects the use of NSudo tool for command execution
references:
    - https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
date: 2022-01-24
modified: 2023-02-13
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\NSudo.exe'
              - '\NSudoLC.exe'
              - '\NSudoLG.exe'
        - OriginalFileName:
              - 'NSudo.exe'
              - 'NSudoLC.exe'
              - 'NSudoLG.exe'
    selection_cli:
        CommandLine|contains:
            # Covers Single/Double dash "-"/"--" + ":"
            - '-U:S ' # System
            - '-U:T ' # Trusted Installer
            - '-U:E ' # Elevated
            - '-P:E ' # Enable All Privileges
            - '-M:S ' # System Integrity
            - '-M:H ' # High Integrity
            # Covers Single/Double dash "-"/"--" + "="
            - '-U=S '
            - '-U=T '
            - '-U=E '
            - '-P=E '
            - '-M=S '
            - '-M=H '
            - '-ShowWindowMode:Hide'
    condition: all of selection_*
falsepositives:
    - Legitimate use by administrators
level: high

title: PUA - NirCmd Execution As LOCAL SYSTEM
id: d9047477-0359-48c9-b8c7-792cedcdc9c4
status: test
description: Detects the use of NirCmd tool for command execution as SYSTEM user
references:
    - https://www.nirsoft.net/utils/nircmd.html
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
    - https://www.nirsoft.net/utils/nircmd2.html#using
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-24
modified: 2023-02-13
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: ' runassystem '
    condition: selection
falsepositives:
    - Legitimate use by administrators
level: high

title: PUA - RunXCmd Execution
id: 93199800-b52a-4dec-b762-75212c196542
status: test
description: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
references:
    - https://www.d7xtech.com/free-software/runx/
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems)
date: 2022-01-24
modified: 2023-02-14
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: process_creation
    product: windows
detection:
    selection_account:
        CommandLine|contains:
            - ' /account=system '
            - ' /account=ti '
    selection_exec:
        CommandLine|contains: '/exec='
    condition: all of selection_*
falsepositives:
    - Legitimate use by administrators
level: high

title: Potential CobaltStrike Service Installations - Registry
id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
status: test
description: |
    Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
references:
    - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
author: Wojciech Lesicki
date: 2021-06-29
modified: 2024-03-25
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1543.003
    - attack.t1569.002
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        - TargetObject|contains: '\System\CurrentControlSet\Services'
        - TargetObject|contains|all:
              - '\System\ControlSet'
              - '\Services'
    selection_details:
        - Details|contains|all:
              - 'ADMIN$'
              - '.exe'
        - Details|contains|all:
              - '%COMSPEC%'
              - 'start'
              - 'powershell'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high

title: PowerShell Scripts Installed as Services
id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
status: test
description: Detects powershell script installed as a Service
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2022-12-25
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains:
            - 'powershell'
            - 'pwsh'
    condition: selection
falsepositives:
    - Unknown
level: high

title: PowerShell Scripts Installed as Services - Security
id: 2a926e6a-4b81-4011-8a96-e36cc8c04302
related:
    - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
      type: derived
status: test
description: Detects powershell script installed as a Service
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2022-11-29
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains:
            - 'powershell'
            - 'pwsh'
    condition: selection
falsepositives:
    - Unknown
level: high

title: PowerShell as a Service in Registry
id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d
status: test
description: Detects that a powershell code is written to the registry as a service.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2023-08-17
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Services\'
        TargetObject|endswith: '\ImagePath'
        Details|contains:
            - 'powershell'
            - 'pwsh'
    condition: selection
falsepositives:
    - Unknown
level: high

title: ProcessHacker Privilege Elevation
id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9
status: test
description: Detects a ProcessHacker tool that elevated privileges to a very high level
references:
    - https://twitter.com/1kwpeter/status/1397816101455765504
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName|startswith: 'ProcessHacker'
        AccountName: 'LocalSystem'
    condition: selection
falsepositives:
    - Unlikely
level: high

title: Remote Server Service Abuse for Lateral Movement
id: 10018e73-06ec-46ec-8107-9172f1e04ff2
status: test
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
references:
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
    - https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md
    - https://github.com/zeronetworks/rpcfirewall
    - https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1569.002
logsource:
    product: rpc_firewall
    category: application
    definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:367abb81-9844-35f1-ad32-98f038001003'
detection:
    selection:
        EventLog: RPCFW
        EventID: 3
        InterfaceUuid: 367abb81-9844-35f1-ad32-98f038001003
    condition: selection
falsepositives:
    - Administrative tasks on remote services
level: high

title: Rundll32 Execution Without Parameters
id: 5bb68627-3198-40ca-b458-49f973db8752
status: test
description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
references:
    - https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-31
modified: 2023-02-28
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1570
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - 'rundll32.exe'
            - 'rundll32'
    condition: selection
falsepositives:
    - False positives may occur if a user called rundll32 from CLI with no options
level: high

title: Sliver C2 Default Service Installation
id: 31c51af6-e7aa-4da7-84d4-8f32cc580af2
status: test
description: Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands
references:
    - https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231
    - https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-25
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service_1:
        ImagePath|re: '^[a-zA-Z]:\\windows\\temp\\[a-zA-Z0-9]{10}\.exe'
    selection_service_2:
        ServiceName:
            - 'Sliver'
            - 'Sliver implant'
    condition: selection_eid and 1 of selection_service_*
falsepositives:
    - Unknown
level: high

title: smbexec.py Service Installation
id: 52a85084-6989-40c3-8f32-091e12e13f09
status: test
description: Detects the use of smbexec.py tool by detecting a specific service installation
references:
    - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
    - https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
    - https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60 # Old service name
author: Omer Faruk Celik
date: 2018-03-20
modified: 2023-11-09
tags:
    - attack.lateral-movement
    - attack.execution
    - attack.t1021.002
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service_name:
        ServiceName: 'BTOBTO'
    selection_service_image:
        ImagePath|contains:
            - '.bat & del '
            - '__output 2^>^&1 >'
    condition: selection_eid and 1 of selection_service_*
falsepositives:
    - Unknown
level: high

title: CSExec Service File Creation
id: f0e2b768-5220-47dd-b891-d57b96fc0ec1
status: test
description: Detects default CSExec service filename which indicates CSExec service installation and execution
references:
    - https://github.com/malcomvetter/CSExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-04
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\csexecsvc.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: CSExec Service Installation
id: a27e5fa9-c35e-4e3d-b7e0-1ce2af66ad12
status: test
description: Detects CSExec service installation and execution events
references:
    - https://github.com/malcomvetter/CSExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName: 'csexecsvc'
        - ImagePath|endswith: '\csexecsvc.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Launch Agent/Daemon Execution Via Launchctl
id: ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e
status: test
description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md
    - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
    - https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/
    - https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html
    - https://www.loobins.io/binaries/launchctl/
author: Pratinav Chandra
date: 2024-05-13
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1569.001
    - attack.t1543.001
    - attack.t1543.004
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/launchctl'
        CommandLine|contains:
            - 'submit'
            - 'load'
            - 'start'
    condition: selection
falsepositives:
    - Legitimate administration activities is expected to trigger false positives. Investigate the command line being passed to determine if the service or launch agent are suspicious.
level: medium

title: MITRE BZAR Indicators for Execution
id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
status: test
description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
references:
    - https://github.com/mitre-attack/bzar#indicators-for-attck-execution
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1047
    - attack.t1053.002
    - attack.t1569.002
logsource:
    product: zeek
    service: dce_rpc
detection:
    op1:
        endpoint: 'JobAdd'
        operation: 'atsvc'
    op2:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcEnableTask'
    op3:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRegisterTask'
    op4:
        endpoint: 'ITaskSchedulerService'
        operation: 'SchRpcRun'
    op5:
        endpoint: 'IWbemServices'
        operation: 'ExecMethod'
    op6:
        endpoint: 'IWbemServices'
        operation: 'ExecMethodAsync'
    op7:
        endpoint: 'svcctl'
        operation: 'CreateServiceA'
    op8:
        endpoint: 'svcctl'
        operation: 'CreateServiceW'
    op9:
        endpoint: 'svcctl'
        operation: 'StartServiceA'
    op10:
        endpoint: 'svcctl'
        operation: 'StartServiceW'
    condition: 1 of op*
falsepositives:
    - Windows administrator tasks or troubleshooting
    - Windows management scripts or software
level: medium

title: PAExec Service Installation
id: de7ce410-b3fb-4e8a-b38c-3b999e2c3420
status: test
description: Detects PAExec service installation
references:
    - https://www.poweradmin.com/paexec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_image:
        - ServiceName|startswith: 'PAExec-'
        - ImagePath|startswith: 'C:\WINDOWS\PAExec-'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: PUA - CSExec Default Named Pipe
id: f318b911-ea88-43f4-9281-0de23ede628e
related:
    - id: 9e77ed63-2ecf-4c7b-b09d-640834882028
      type: obsolete
status: test
description: Detects default CSExec pipe creation
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://github.com/malcomvetter/CSExec
author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
modified: 2023-11-30
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains: '\csexecsvc'
    condition: selection
falsepositives:
    - Legitimate Administrator activity
level: medium

title: PUA - NirCmd Execution
id: 4e2ed651-1906-4a59-a78a-18220fca1b22
status: test
description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
references:
    - https://www.nirsoft.net/utils/nircmd.html
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
    - https://www.nirsoft.net/utils/nircmd2.html#using
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-24
modified: 2023-02-13
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: process_creation
    product: windows
detection:
    selection_org:
        - Image|endswith: '\NirCmd.exe'
        - OriginalFileName: 'NirCmd.exe'
    selection_cmd:
        CommandLine|contains:
            - ' execmd '
            - '.exe script '
            - '.exe shexec '
            - ' runinteractive '
    combo_exec:
        CommandLine|contains:
            - ' exec '
            - ' exec2 '
    combo_exec_params:
        CommandLine|contains:
            - ' show '
            - ' hide '
    condition: 1 of selection_* or all of combo_*
falsepositives:
    - Legitimate use by administrators
level: medium

title: PUA - PAExec Default Named Pipe
id: f6451de4-df0a-41fa-8d72-b39f54a08db5
status: test
description: Detects PAExec default named pipe
references:
    - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md
    - https://github.com/poweradminllc/PAExec
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-26
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    category: pipe_created
    product: windows
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|startswith: '\PAExec'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: PUA - RemCom Default Named Pipe
id: d36f87ea-c403-44d2-aa79-1a0ac7c24456
related:
    - id: 9e77ed63-2ecf-4c7b-b09d-640834882028
      type: obsolete
status: test
description: Detects default RemCom pipe creation
references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://github.com/kavika13/RemCom
author: Nikita Nazarov, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
modified: 2023-11-30
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    category: pipe_created
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName|contains: '\RemCom'
    condition: selection
falsepositives:
    - Legitimate Administrator activity
level: medium

title: PsExec Service Installation
id: 42c575ea-e41e-41f1-b248-8093c3e82a28
status: test
description: Detects PsExec service installation and execution events
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-12
modified: 2023-08-04
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName: 'PSEXESVC'
        - ImagePath|endswith: '\PSEXESVC.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: PsExec Tool Execution From Suspicious Locations - PipeName
id: 41504465-5e3a-4a5b-a5b4-2a0baadd4463
related:
    - id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
      type: derived
status: test
description: Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-04
modified: 2023-09-20
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: pipe_created
    product: windows
    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
    selection:
        PipeName: '\PSEXESVC'
        Image|contains: # Add or remove locations depending on how and if you execute Psexec in your env
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\Downloads\'
    condition: selection
falsepositives:
    - Rare legitimate use of psexec from the locations mentioned above. This will require initial tuning based on your environment.
level: medium

title: Psexec Execution
id: 730fc21b-eaff-474b-ad23-90fd265d4988
status: test
description: Detects user accept agreement execution in psexec commandline
references:
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: omkar72
date: 2020-10-30
modified: 2023-02-28
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1569
    - attack.t1021
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\psexec.exe'
        - OriginalFileName: 'psexec.c'
    condition: selection
falsepositives:
    - Administrative scripts.
level: medium

title: RemCom Service File Creation
id: 7eff1a7f-dd45-4c20-877a-f21e342a7611
status: test
description: Detects default RemCom service filename which indicates RemCom service installation and execution
references:
    - https://github.com/kavika13/RemCom/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-04
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\RemComSvc.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: RemCom Service Installation
id: 9e36ed87-4986-482e-8e3b-5c23ffff11bf
status: test
description: Detects RemCom service installation and execution events
references:
    - https://github.com/kavika13/RemCom/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-07
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName: 'RemComSvc'
        - ImagePath|endswith: '\RemComSvc.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Remote Access Tool Services Have Been Installed - Security
id: c8b00925-926c-47e3-beea-298fd563728e
related:
    - id: 1a31b18a-f00c-4061-9900-f735b96c99fc
      type: similar
status: test
description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Connor Martin, Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
modified: 2024-12-07
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceName|contains:
            # Based on https://github.com/SigmaHQ/sigma/pull/2841
            - 'AmmyyAdmin' # https://www.ammyy.com/en/
            - 'AnyDesk' # https://usersince99.medium.com/windows-privilege-escalation-8214ceaf4db8
            - 'Atera'
            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
            - 'chromoting'
            - 'GoToAssist' # https://www.goto.com/it-management/resolve
            - 'GoToMyPC' # https://get.gotomypc.com/
            - 'jumpcloud'
            - 'LMIGuardianSvc' # https://www.logmein.com/
            - 'LogMeIn' # https://www.logmein.com/
            - 'monblanking'
            - 'Parsec'
            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
            - 'RPCPerformanceService' # https://www.remotepc.com/
            - 'RPCService' # https://www.remotepc.com/
            - 'SplashtopRemoteService' # https://www.splashtop.com/
            - 'SSUService'
            - 'TeamViewer'
            - 'TightVNC' # https://www.tightvnc.com/
            - 'vncserver'
            - 'Zoho'
    condition: selection
falsepositives:
    - The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out
level: medium

title: Remote Access Tool Services Have Been Installed - System
id: 1a31b18a-f00c-4061-9900-f735b96c99fc
related:
    - id: c8b00925-926c-47e3-beea-298fd563728e
      type: similar
status: test
description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Connor Martin, Nasreddine Bencherchali
date: 2022-12-23
modified: 2023-06-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1543.003
    - attack.t1569.002
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID:
            - 7045
            - 7036
        ServiceName|contains:
            # Based on https://github.com/SigmaHQ/sigma/pull/2841
            - 'AmmyyAdmin' # https://www.ammyy.com/en/
            - 'Atera'
            - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html
            - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html
            - 'chromoting'
            - 'GoToAssist' # https://www.goto.com/it-management/resolve
            - 'GoToMyPC' # https://get.gotomypc.com/
            - 'jumpcloud'
            - 'LMIGuardianSvc' # https://www.logmein.com/
            - 'LogMeIn' # https://www.logmein.com/
            - 'monblanking'
            - 'Parsec'
            - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html
            - 'RPCPerformanceService' # https://www.remotepc.com/
            - 'RPCService' # https://www.remotepc.com/
            - 'SplashtopRemoteService' # https://www.splashtop.com/
            - 'SSUService'
            - 'TeamViewer'
            - 'TightVNC' # https://www.tightvnc.com/
            - 'vncserver'
            - 'Zoho'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: WFP Filter Added via Registry
id: 1f1d8209-636e-4c6c-a137-781cca8b82f9
status: experimental
description: |
    Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
references:
    - https://github.com/netero1010/EDRSilencer/blob/0e73a7037ec65c52894d8208e6f605a7da0a34a6/EDRSilencer.c
    - https://www.huntress.com/blog/silencing-the-edr-silencers
    - https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpoint-security-solutions.html
author: Frack113
date: 2025-10-23
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1685
    - attack.t1569.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\BFE\Parameters\Policy\Persistent\Filter\'
    filter_main_svchost:
        Image:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

title: DNS Events Related To Mining Pools
id: bf74135c-18e8-4a72-a926-0e4f47888c19
status: test
description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
references:
    - https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml
author: Saw Winn Naung, Azure-Sentinel, @neu5ron
date: 2021-08-19
modified: 2022-07-07
tags:
    - attack.execution
    - attack.t1569.002
    - attack.impact
    - attack.t1496
logsource:
    service: dns
    product: zeek
detection:
    selection:
        query|endswith:
            - 'monerohash.com'
            - 'do-dear.com'
            - 'xmrminerpro.com'
            - 'secumine.net'
            - 'xmrpool.com'
            - 'minexmr.org'
            - 'hashanywhere.com'
            - 'xmrget.com'
            - 'mininglottery.eu'
            - 'minergate.com'
            - 'moriaxmr.com'
            - 'multipooler.com'
            - 'moneropools.com'
            - 'xmrpool.eu'
            - 'coolmining.club'
            - 'supportxmr.com'
            - 'minexmr.com'
            - 'hashvault.pro'
            - 'xmrpool.net'
            - 'crypto-pool.fr'
            - 'xmr.pt'
            - 'miner.rocks'
            - 'walpool.com'
            - 'herominers.com'
            - 'gntl.co.uk'
            - 'semipool.com'
            - 'coinfoundry.org'
            - 'cryptoknight.cc'
            - 'fairhash.org'
            - 'baikalmine.com'
            - 'tubepool.xyz'
            - 'fairpool.xyz'
            - 'asiapool.io'
            - 'coinpoolit.webhop.me'
            - 'nanopool.org'
            - 'moneropool.com'
            - 'miner.center'
            - 'prohash.net'
            - 'poolto.be'
            - 'cryptoescrow.eu'
            - 'monerominers.net'
            - 'cryptonotepool.org'
            - 'extrmepool.org'
            - 'webcoin.me'
            - 'kippo.eu'
            - 'hashinvest.ws'
            - 'monero.farm'
            - 'linux-repository-updates.com'
            - '1gh.com'
            - 'dwarfpool.com'
            - 'hash-to-coins.com'
            - 'pool-proxy.com'
            - 'hashfor.cash'
            - 'fairpool.cloud'
            - 'litecoinpool.org'
            - 'mineshaft.ml'
            - 'abcxyz.stream'
            - 'moneropool.ru'
            - 'cryptonotepool.org.uk'
            - 'extremepool.org'
            - 'extremehash.com'
            - 'hashinvest.net'
            - 'unipool.pro'
            - 'crypto-pools.org'
            - 'monero.net'
            - 'backup-pool.com'
            - 'mooo.com' # Dynamic DNS, may want to exclude
            - 'freeyy.me'
            - 'cryptonight.net'
            - 'shscrypto.net'
    exclude_answers:
        answers:
            - '127.0.0.1'
            - '0.0.0.0'
    exclude_rejected:
        rejected: 'true'
    condition: selection and not 1 of exclude_*
falsepositives:
    - A DNS lookup does not necessarily  mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'.
level: low

title: PsExec Service File Creation
id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
related:
    - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
      type: derived
status: test
description: Detects default PsExec service filename which indicates PsExec service installation and execution
references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
author: Thomas Patzke
date: 2017-06-12
modified: 2022-10-26
tags:
    - attack.execution
    - attack.t1569.002
    - attack.s0029
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\PSEXESVC.exe'
    condition: selection
falsepositives:
    - Unknown
level: low

title: Start Windows Service Via Net.EXE
id: 2a072a96-a086-49fa-bcb5-15cc5a619093
status: test
description: Detects the usage of the "net.exe" command to start a service using the "start" flag
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md
author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
date: 2019-10-21
modified: 2023-03-05
tags:
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
    selection_cli:
        CommandLine|contains: ' start '     # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
    condition: all of selection_*
falsepositives:
    - Legitimate administrator or user executes a service for legitimate reasons.
level: low