title: HackTool - PurpleSharp Execution
id: ff23ffbc-3378-435e-992f-0624dcf93ab4
status: test
description: Detects the execution of the PurpleSharp adversary simulation tool
references:
    - https://github.com/mvelazc0/PurpleSharp
author: Florian Roth (Nextron Systems)
date: 2021-06-18
modified: 2023-02-05
tags:
    - attack.t1587
    - attack.resource-development
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\purplesharp'
        - OriginalFileName: 'PurpleSharp.exe'
    selection_cli:
        CommandLine|contains:
            - 'xyz123456.exe'
            - 'PurpleSharp'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical

title: ProxyLogon MSExchange OabVirtualDirectory
id: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0
status: test
description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
references:
    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: Florian Roth (Nextron Systems)
date: 2021-08-09
modified: 2023-01-23
tags:
    - attack.t1587.001
    - attack.resource-development
logsource:
    product: windows
    service: msexchange-management
detection:
    keywords_cmdlet:
        '|all':
            - 'OabVirtualDirectory'
            - ' -ExternalUrl '
    keywords_params:
        - 'eval(request'
        - 'http://f/<script'
        - '"unsafe"};'
        - 'function Page_Load()'
    condition: keywords_cmdlet and keywords_params
falsepositives:
    - Unlikely
level: critical

title: Linux HackTool Execution
id: a015e032-146d-4717-8944-7a1884122111
status: test
description: Detects known hacktool execution based on image name.
references:
    - https://github.com/Gui774ume/ebpfkit
    - https://github.com/pathtofile/bad-bpf
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/t3l3machus/hoaxshell
    - https://github.com/t3l3machus/Villain
    - https://github.com/HavocFramework/Havoc
    - https://github.com/1N3/Sn1per
    - https://github.com/Ne0nd0g/merlin
    - https://github.com/Pennyw0rth/NetExec/
author: Nasreddine Bencherchali (Nextron Systems), Georg Lauenstein (sure[secure])
date: 2023-01-03
modified: 2024-09-19
tags:
    - attack.execution
    - attack.resource-development
    - attack.t1587
logsource:
    product: linux
    category: process_creation
detection:
    selection_c2_frameworks:
        Image|endswith:
            - '/crackmapexec'
            - '/havoc'
            - '/merlin-agent'
            - '/merlinServer-Linux-x64'
            - '/msfconsole'
            - '/msfvenom'
            - '/ps-empire server'
            - '/ps-empire'
            - '/sliver-client'
            - '/sliver-server'
            - '/Villain.py'
    selection_c2_framework_cobaltstrike:
        Image|contains:
            - '/cobaltstrike'
            - '/teamserver'
    selection_scanners:
        Image|endswith:
            - '/autorecon'
            - '/httpx'
            - '/legion'
            - '/naabu'
            - '/netdiscover'
            - '/nuclei'
            - '/recon-ng'
    selection_scanners_sniper:
        Image|contains: '/sniper'
    selection_web_enum:
        Image|endswith:
            - '/dirb'
            - '/dirbuster'
            - '/eyewitness'
            - '/feroxbuster'
            - '/ffuf'
            - '/gobuster'
            - '/wfuzz'
            - '/whatweb'
    selection_web_vuln:
        Image|endswith:
            - '/joomscan'
            - '/nikto'
            - '/wpscan'
    selection_exploit_tools:
        Image|endswith:
            - '/aircrack-ng'
            - '/bloodhound-python'
            - '/bpfdos'
            - '/ebpfki'
            - '/evil-winrm'
            - '/hashcat'
            - '/hoaxshell.py'
            - '/hydra'
            - '/john'
            - '/ncrack'
            # default binary: https://github.com/Pennyw0rth/NetExec/releases/download/v1.0.0/nxc-ubuntu-latest
            - '/nxc-ubuntu-latest'
            - '/pidhide'
            - '/pspy32'
            - '/pspy32s'
            - '/pspy64'
            - '/pspy64s'
            - '/setoolkit'
            - '/sqlmap'
            - '/writeblocker'
    selection_linpeas:
        # covers: all linux versions listed here: https://github.com/carlospolop/PEASS-ng/releases
        Image|contains: '/linpeas'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

title: PUA - CsExec Execution
id: d08a2711-ee8b-4323-bdec-b7d85e892b31
status: test
description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
references:
    - https://github.com/malcomvetter/CSExec
    - https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
author: Florian Roth (Nextron Systems)
date: 2022-08-22
modified: 2023-02-21
tags:
    - attack.resource-development
    - attack.t1587.001
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\csexec.exe'
    selection_pe:
        Description: 'csexec'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high

title: Potential Privilege Escalation To LOCAL SYSTEM
id: 207b0396-3689-42d9-8399-4222658efc99
related:
    - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule
      type: similar
status: test
description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-05-22
modified: 2024-03-05
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Escalation to LOCAL_SYSTEM
        CommandLine|contains|windash:
            # Note that you don't need to add the ".exe" part when using psexec/paexec
            # The "-" can also be replaced with "/"
            # The order of args isn't important
            # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
            - ' -s cmd'
            - ' -s -i cmd'
            - ' -i -s cmd'
            # Pwsh (For PowerShell 7)
            - ' -s pwsh'
            - ' -s -i pwsh'
            - ' -i -s pwsh'
            # PowerShell (For PowerShell 5)
            - ' -s powershell'
            - ' -s -i powershell'
            - ' -i -s powershell'
    filter_main_exclude_coverage:
        # This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
        CommandLine|contains:
            - 'paexec'
            - 'PsExec'
            - 'accepteula'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Weird admins that rename their tools
    - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
level: high

title: Potential PsExec Remote Execution
id: ea011323-7045-460b-b2d7-0f7442ea6b38
status: test
description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2025-09-01
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Accepting EULA in commandline - often used in automated attacks
        CommandLine|contains|all:
            - 'accepteula'
            - ' -u '
            - ' -p '
            - ' \\\\'
    filter_main_localhost:
        CommandLine|contains:
            - '\\\\localhost'
            - '\\\\127.'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

title: PsExec/PAExec Escalation to LOCAL SYSTEM
id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
related:
    - id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags
      type: similar
status: test
description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-23
modified: 2024-03-05
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_sys: # Escalation to LOCAL_SYSTEM
        CommandLine|contains|windash:
            # Note that you don't need to add the ".exe" part when using psexec/paexec
            # The "-" can also be replaced with "/"
            # The order of args isn't important
            # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
            - ' -s cmd'
            - ' -s -i cmd'
            - ' -i -s cmd'
            # Pwsh (For PowerShell 7)
            - ' -s pwsh'
            - ' -s -i pwsh'
            - ' -i -s pwsh'
            # PowerShell (For PowerShell 5)
            - ' -s powershell'
            - ' -s -i powershell'
            - ' -i -s powershell'
    selection_other:
        CommandLine|contains:
            - 'psexec'
            - 'paexec'
            - 'accepteula'
    condition: all of selection_*
falsepositives:
    - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high

title: Uncommon File Created In Office Startup Folder
id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
status: test
description: Detects the creation of a file with an uncommon extension in an Office application startup folder
references:
    - https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
    - http://addbalance.com/word/startup.htm
    - https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
    - https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-05
modified: 2023-12-13
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    product: windows
    category: file_event
detection:
    selection_word_paths:
        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\STARTUP'
    filter_exclude_word_ext:
        TargetFilename|endswith:
            - '.docb' # Word binary document introduced in Microsoft Office 2007
            - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
            - '.docx' # Word document
            - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
            - '.mdb' # MS Access DB
            - '.mdw' # MS Access DB
            - '.pdf' # PDF documents
            - '.wll' # Word add-in
            - '.wwl' # Word add-in
    selection_excel_paths:
        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\XLSTART'
    filter_exclude_excel_ext:
        TargetFilename|endswith:
            - '.xll'
            - '.xls'
            - '.xlsm'
            - '.xlsx'
            - '.xlt'
            - '.xltm'
            - '.xlw'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\winword.exe'
            - '\excel.exe'
    condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
falsepositives:
    - False positive might stem from rare extensions used by other Office utilities.
level: high

title: Program Executions in Suspicious Folders
id: a39d7fa7-3fbd-4dc2-97e1-d87f546b1bbc
status: test
description: Detects program executions in suspicious non-program folders related to malware or hacking activity
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2018-01-23
modified: 2021-11-27
tags:
    - attack.t1587
    - attack.t1584
    - attack.resource-development
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        exe|startswith:
            # Temporary folder
            - '/tmp/'
            # Web server
            - '/var/www/'              # Standard
            - '/home/*/public_html/'   # Per-user
            - '/usr/local/apache2/'    # Classical Apache
            - '/usr/local/httpd/'      # Old SuSE Linux 6.* Apache
            - '/var/apache/'           # Solaris Apache
            - '/srv/www/'              # SuSE Linux 9.*
            - '/home/httpd/html/'      # Redhat 6 or older Apache
            - '/srv/http/'             # ArchLinux standard
            - '/usr/share/nginx/html/' # ArchLinux nginx
            # Data dirs of typically exploited services (incomplete list)
            - '/var/lib/pgsql/data/'
            - '/usr/local/mysql/data/'
            - '/var/lib/mysql/'
            - '/var/vsftpd/'
            - '/etc/bind/'
            - '/var/named/'
    condition: selection
falsepositives:
    - Admin activity (especially in /tmp folders)
    - Crazy web applications
level: medium

title: VHD Image Download Via Browser
id: 8468111a-ef07-4654-903b-b863a80bbc95
status: test
description: |
    Detects creation of ".vhd"/".vhdx" files by browser processes.
    Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
references:
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
    - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-10-25
modified: 2023-05-05
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\maxthon.exe'
            - '\MicrosoftEdge.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\opera.exe'
            - '\safari.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
        # We don't use "endswith" to also match with ADS logs and ".vhdx". Example: "TargetFilename: C:\Users\xxx\Downloads\windows.vhd:Zone.Identifier"
        TargetFilename|contains: '.vhd'
    condition: selection
falsepositives:
    - Legitimate downloads of ".vhd" files would also trigger this
level: medium