Sigma rules for Disco
92 rules
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: SharpHound Recon Account Discovery
id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
status: test
description: Detects remote RPC calls used by SharpHound to map remote connections and local group membership.
references:
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
- https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
author: Sagie Dulce, Dekel Paz
date: 2022-01-01
tags:
- attack.t1087
- attack.discovery
logsource:
product: rpc_firewall
category: application
definition: 'Requirements: install and apply the RPC Firewall to all processes with "audit:true action:block uuid:6bffd098-a112-3610-9833-46c3f87e345a opnum:2"'
detection:
selection:
EventLog: RPCFW
EventID: 3
InterfaceUuid: 6bffd098-a112-3610-9833-46c3f87e345a
OpNum: 2
condition: selection
falsepositives:
- Unknown
level: high
title: Discovery Using AzureHound
id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
status: test
description: Detects AzureHound (a BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
references:
- https://github.com/BloodHoundAD/AzureHound
author: Janantha Marasinghe
date: 2022-11-27
tags:
- attack.discovery
- attack.t1087.004
- attack.t1526
logsource:
product: azure
service: signinlogs
detection:
selection:
userAgent|contains: 'azurehound'
ResultType: 0
condition: selection
falsepositives:
- Unknown
level: high
title: Potential GobRAT File Discovery Via Grep
id: e34cfa0c-0a50-4210-9cb3-5632d08eb041
status: test
description: Detects the use of grep to discover specific files created by the GobRAT malware
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/grep'
CommandLine|contains:
- 'apached'
- 'frpc'
- 'sshd.sh'
- 'zone.arm'
condition: selection
falsepositives:
- Unknown
level: high
title: Renamed AdFind Execution
id: df55196f-f105-44d3-a675-e9dfb6cc2f2b
status: test
description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
references:
- https://www.joeware.net/freetools/tools/adfind/
- https://thedfirreport.com/2020/05/08/adfind-recon/
- https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
- https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
author: Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2025-02-26
tags:
- attack.discovery
- attack.t1018
- attack.t1087.002
- attack.t1482
- attack.t1069.002
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains:
- 'domainlist'
- 'trustdmp'
- 'dcmodes'
- 'adinfo'
- ' dclist '
- 'computer_pwdnotreqd'
- 'objectcategory='
- '-subnets -f'
- 'name="Domain Admins"'
- '-sc u:'
- 'domainncs'
- 'dompol'
- ' oudmp '
- 'subnetdmp'
- 'gpodmp'
- 'fspdmp'
- 'users_noexpire'
- 'computers_active'
- 'computers_pwdnotreqd'
selection_2:
Hashes|contains:
- 'IMPHASH=BCA5675746D13A1F246E2DA3C2217492'
- 'IMPHASH=53E117A96057EAF19C41380D0E87F1C2'
- 'IMPHASH=d144de8117df2beceaba2201ad304764'
- 'IMPHASH=12ce1c0f3f5837ecc18a3782408fa975'
- 'IMPHASH=4fbf3f084fbbb2470b80b2013134df35'
- 'IMPHASH=49b639b4acbecc49d72a01f357aa4930'
- 'IMPHASH=680dad9e300346e05a85023965867201'
- 'IMPHASH=21aa085d54992511b9f115355e468782'
selection_3:
OriginalFileName: 'AdFind.exe'
filter:
Image|endswith: '\AdFind.exe'
condition: 1 of selection* and not filter
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_adfind/info.yml
title: PUA - Crassus Execution
id: 2c32b543-1058-4808-91c6-5b31b8bed6c5
status: test
description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
references:
- https://github.com/vu-ls/Crassus
author: pH-T (Nextron Systems)
date: 2023-04-17
tags:
- attack.discovery
- attack.reconnaissance
- attack.t1590.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Crassus.exe'
- OriginalFileName: 'Crassus.exe'
- Description|contains: 'Crassus'
condition: selection
falsepositives:
- Unlikely
level: high
title: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
id: 37db85d1-b089-490a-a59a-c7b6f984f480
status: test
description: Detects usage of "findstr" with the argument "385201", which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the service name has been changed).
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service
author: frack113
date: 2021-12-16
modified: 2023-11-14
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_cli:
CommandLine|contains: ' 385201' # Sysmon driver default altitude
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: HackTool - TruffleSnout Execution
id: 69ca006d-b9a9-47f5-80ff-ecd4d25d481a
status: test
description: Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low-noise enumeration.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md
- https://github.com/dsnezhkov/TruffleSnout
- https://github.com/dsnezhkov/TruffleSnout/blob/7c2f22e246ef704bc96c396f66fa854e9ca742b9/TruffleSnout/Docs/USAGE.md
author: frack113
date: 2022-08-20
modified: 2023-02-13
tags:
- attack.discovery
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'TruffleSnout.exe'
- Image|endswith: '\TruffleSnout.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
id: 584bca0f-3608-4402-80fd-4075ff6072e3
related:
- id: e0552b19-5a83-4222-b141-b36184bb8d79
type: similar
- id: ad691d92-15f2-4181-9aa4-723c74f9ddc3 # RTLO
type: similar
- id: 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
type: obsolete
status: test
description: |
Detects potential commandline obfuscation using unicode characters.
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
references:
- https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
author: frack113, Florian Roth (Nextron Systems), Josh Nickels
date: 2024-09-02
modified: 2025-05-30
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\cmd.exe'
- '\cscript.exe'
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- '\wscript.exe'
OriginalFileName:
- 'Cmd.EXE'
- 'cscript.exe'
- 'PowerShell.EXE'
- 'PowerShell_ISE.EXE'
- 'pwsh.dll'
- 'wscript.exe'
selection_special_chars:
CommandLine|contains:
# spacing modifier letters that get auto-replaced
- 'ˣ' # 0x02E3
- '˪' # 0x02EA
- 'ˢ' # 0x02E2
# Forward slash alternatives
- '∕' # 0x22FF
- '⁄' # 0x206F
# Hyphen alternatives
- '―' # 0x2015
- '—' # 0x2014
# Whitespace that does not work as a path separator
- ' ' # 0x00A0
# Other
- '¯'
- '®'
- '¶'
# Unicode whitespace characters
- '⠀' # Braille Pattern Blank (Unicode: U+2800)
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Potential Process Injection Via Msra.EXE
id: 744a188b-0415-4792-896f-11ddb0588dbc
status: test
description: Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics.
references:
- https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
- https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
author: Alexander McDonald
date: 2022-06-24
modified: 2023-02-03
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\msra.exe'
ParentCommandLine|endswith: 'msra.exe'
Image|endswith:
- '\arp.exe'
- '\cmd.exe'
- '\net.exe'
- '\netstat.exe'
- '\nslookup.exe'
- '\route.exe'
- '\schtasks.exe'
- '\whoami.exe'
condition: selection
falsepositives:
- Legitimate use of Msra.exe
level: high
title: HackTool - SharpView Execution
id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d
related:
- id: dcd74b95-3f36-4ed9-9598-0490951643aa
type: similar
status: test
description: Detects the execution of SharpView. Adversaries may look for details about the network configuration and settings of systems they access, or gather this information through discovery of remote systems.
references:
- https://github.com/tevora-threat/SharpView/
- https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
author: frack113
date: 2021-12-10
modified: 2023-02-14
tags:
- attack.discovery
- attack.t1049
- attack.t1069.002
- attack.t1482
- attack.t1135
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'SharpView.exe'
- Image|endswith: '\SharpView.exe'
- CommandLine|contains:
# - 'Add-DomainGroupMember'
# - 'Add-DomainObjectAcl'
# - 'Add-ObjectAcl'
- 'Add-RemoteConnection'
- 'Convert-ADName'
- 'ConvertFrom-SID'
- 'ConvertFrom-UACValue'
- 'Convert-SidToName'
# - 'ConvertTo-SID'
- 'Export-PowerViewCSV'
# - 'Find-DomainLocalGroupMember'
- 'Find-DomainObjectPropertyOutlier'
- 'Find-DomainProcess'
- 'Find-DomainShare'
- 'Find-DomainUserEvent'
- 'Find-DomainUserLocation'
- 'Find-ForeignGroup'
- 'Find-ForeignUser'
- 'Find-GPOComputerAdmin'
- 'Find-GPOLocation'
- 'Find-Interesting' # 'Find-InterestingDomainAcl', 'Find-InterestingDomainShareFile', 'Find-InterestingFile'
- 'Find-LocalAdminAccess'
- 'Find-ManagedSecurityGroups'
# - 'Get-ADObject'
- 'Get-CachedRDPConnection'
- 'Get-DFSshare'
# - 'Get-DNSRecord'
# - 'Get-DNSZone'
# - 'Get-Domain'
- 'Get-DomainComputer'
- 'Get-DomainController'
- 'Get-DomainDFSShare'
- 'Get-DomainDNSRecord'
# - 'Get-DomainDNSZone'
- 'Get-DomainFileServer'
- 'Get-DomainForeign' # 'Get-DomainForeignGroupMember', 'Get-DomainForeignUser'
- 'Get-DomainGPO' # 'Get-DomainGPOComputerLocalGroupMapping', 'Get-DomainGPOLocalGroup', 'Get-DomainGPOUserLocalGroupMapping'
- 'Get-DomainGroup' # 'Get-DomainGroupMember'
- 'Get-DomainGUIDMap'
- 'Get-DomainManagedSecurityGroup'
- 'Get-DomainObject' # 'Get-DomainObjectAcl'
- 'Get-DomainOU'
- 'Get-DomainPolicy' # 'Get-DomainPolicyData'
- 'Get-DomainSID'
- 'Get-DomainSite'
- 'Get-DomainSPNTicket'
- 'Get-DomainSubnet'
- 'Get-DomainTrust' # 'Get-DomainTrustMapping'
# - 'Get-DomainUser'
- 'Get-DomainUserEvent'
# - 'Get-Forest'
- 'Get-ForestDomain'
- 'Get-ForestGlobalCatalog'
- 'Get-ForestTrust'
- 'Get-GptTmpl'
- 'Get-GroupsXML'
# - 'Get-GUIDMap'
# - 'Get-IniContent'
# - 'Get-IPAddress'
- 'Get-LastLoggedOn'
- 'Get-LoggedOnLocal'
- 'Get-NetComputer' # 'Get-NetComputerSiteName'
- 'Get-NetDomain' # 'Get-NetDomainController', 'Get-NetDomainTrust'
- 'Get-NetFileServer'
- 'Get-NetForest' # 'Get-NetForestCatalog', 'Get-NetForestDomain', 'Get-NetForestTrust'
- 'Get-NetGPO' # 'Get-NetGPOGroup'
# - 'Get-NetGroup'
- 'Get-NetGroupMember'
- 'Get-NetLocalGroup' # 'Get-NetLocalGroupMember'
- 'Get-NetLoggedon'
- 'Get-NetOU'
- 'Get-NetProcess'
- 'Get-NetRDPSession'
- 'Get-NetSession'
- 'Get-NetShare'
- 'Get-NetSite'
- 'Get-NetSubnet'
- 'Get-NetUser'
# - 'Get-ObjectAcl'
- 'Get-PathAcl'
- 'Get-PrincipalContext'
# - 'Get-Proxy'
- 'Get-RegistryMountedDrive'
- 'Get-RegLoggedOn'
# - 'Get-SiteName'
# - 'Get-UserEvent'
# - 'Get-WMIProcess'
- 'Get-WMIRegCachedRDPConnection'
- 'Get-WMIRegLastLoggedOn'
- 'Get-WMIRegMountedDrive'
- 'Get-WMIRegProxy'
- 'Invoke-ACLScanner'
- 'Invoke-CheckLocalAdminAccess'
- 'Invoke-Kerberoast'
- 'Invoke-MapDomainTrust'
- 'Invoke-RevertToSelf'
- 'Invoke-Sharefinder'
- 'Invoke-UserImpersonation'
# - 'New-DomainGroup'
# - 'New-DomainUser'
- 'Remove-DomainObjectAcl'
- 'Remove-RemoteConnection'
- 'Request-SPNTicket'
# - 'Resolve-IPAddress'
# - 'Set-ADObject'
- 'Set-DomainObject'
# - 'Set-DomainUserPassword'
- 'Test-AdminAccess'
condition: selection
falsepositives:
- Unknown
level: high
title: System Information Discovery Using sw_vers
id: 5de06a6f-673a-4fc0-8d48-bcfe3837b033
status: test
description: Detects the use of "sw_vers" for system information discovery
references:
- https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior
- https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior
- https://ss64.com/osx/sw_vers.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
tags:
- attack.discovery
- attack.t1082
logsource:
product: macos
category: process_creation
detection:
# VT Query: 'behavior_processes:"sw_vers" and (behavior_processes:"-productVersion" or behavior_processes:"-productName" or behavior_processes:"-buildVersion") tag:dmg p:5+'
selection_image:
Image|endswith: '/sw_vers'
selection_options:
CommandLine|contains:
- '-buildVersion'
- '-productName'
- '-productVersion'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
title: System Information Discovery Via Sysctl - MacOS
id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
status: test
description: |
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
This process is primarily used to detect and avoid virtualization and analysis environments.
references:
- https://www.loobins.io/binaries/sysctl/#
- https://evasions.checkpoint.com/techniques/macos.html
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://objective-see.org/blog/blog_0x1E.html
- https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
author: Pratinav Chandra
date: 2024-05-27
tags:
- attack.stealth
- attack.t1497.001
- attack.discovery
- attack.t1082
logsource:
product: macos
category: process_creation
detection:
selection_img:
- Image|endswith: '/sysctl'
- CommandLine|contains: 'sysctl'
selection_cmd:
CommandLine|contains:
- 'hw.'
- 'kern.'
- 'machdep.'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
title: System Information Discovery Using System_Profiler
id: 4809c683-059b-4935-879d-36835986f8cf
status: test
description: |
Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
references:
- https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
- https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf
- https://ss64.com/mac/system_profiler.html
- https://objective-see.org/blog/blog_0x62.html
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
author: Stephen Lincoln `@slincoln_aiq` (AttackIQ)
date: 2024-01-02
tags:
- attack.discovery
- attack.stealth
- attack.t1082
- attack.t1497.001
logsource:
product: macos
category: process_creation
detection:
selection_img:
- Image|endswith: '/system_profiler'
- CommandLine|contains: 'system_profiler'
selection_cmd:
# Note: This list is based on CTI reporting. Threat actors might use other data types. Please refer to https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af for a full list
CommandLine|contains:
- 'SPApplicationsDataType'
- 'SPHardwareDataType'
- 'SPNetworkDataType'
- 'SPUSBDataType'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
title: Potential Discovery Activity Using Find - MacOS
id: 85de3a19-b675-4a51-bfc6-b11a5186c971
related:
- id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
type: similar
status: test
description: Detects usage of the "find" binary in a suspicious manner to perform discovery
references:
- https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/find'
CommandLine|contains:
- '-perm -4000'
- '-perm -2000'
- '-perm 0777'
- '-perm -222'
- '-perm -o w'
- '-perm -o x'
- '-perm -u=s'
- '-perm -g=s'
condition: selection
falsepositives:
- Unknown
level: medium
title: Security Software Discovery - MacOS
id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
status: test
description: Detects usage of system utilities (only grep for now) to discover installed security software
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-27
tags:
- attack.discovery
- attack.t1518.001
logsource:
category: process_creation
product: macos
detection:
image:
Image: '/usr/bin/grep'
selection_cli_1:
CommandLine|contains:
- 'nessusd' # nessus vulnerability scanner
- 'santad' # google santa
- 'CbDefense' # carbon black
- 'falcond' # crowdstrike falcon
- 'td-agent' # fluentd log shipper
- 'packetbeat' # elastic network logger/shipper
- 'filebeat' # elastic log file shipper
- 'auditbeat' # elastic auditing agent/log shipper
- 'osqueryd' # facebook osquery
- 'BlockBlock' # Objective-See persistence locations watcher/blocker
- 'LuLu' # Objective-See firewall management utility
selection_cli_2: # Objective Development Software firewall management utility
CommandLine|contains|all:
- 'Little'
- 'Snitch'
condition: image and 1 of selection_cli_*
falsepositives:
- Legitimate activities
level: medium
title: System Information Discovery Using Ioreg
id: 2d5e7a8b-f484-4a24-945d-7f0efd52eab0
status: test
description: |
Detects the use of "ioreg", which shows I/O Kit registry information.
This process is used for system information discovery.
It has been observed in the wild, either called directly or invoked via bash and grep to look for specific strings.
references:
- https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior
- https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior
- https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior
- https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-12-20
modified: 2024-01-02
tags:
- attack.discovery
- attack.t1082
logsource:
product: macos
category: process_creation
detection:
# Examples:
# /bin/bash /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l
# /usr/sbin/ioreg ioreg -rd1 -w0 -c AppleAHCIDiskDriver
# /bin/bash /bin/sh -c ioreg -l | grep -e 'USB Vendor Name'
# ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformSerialNumber/ { split($0, line, \"\\\"\"); printf(\"%s\", line[4]); }
selection_img:
- Image|endswith: '/ioreg'
- CommandLine|contains: 'ioreg'
selection_cmd1:
CommandLine|contains:
- '-l'
- '-c'
selection_cmd2:
CommandLine|contains:
- 'AppleAHCIDiskDriver'
- 'IOPlatformExpertDevice'
- 'Oracle'
- 'Parallels'
- 'USB Vendor Name'
- 'VirtualBox'
- 'VMware'
condition: all of selection_*
falsepositives:
- Legitimate administrative activities
level: medium
title: PST Export Alert Using New-ComplianceSearchAction
id: 6897cd82-6664-11ed-9022-0242ac120002
related:
- id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
type: similar
status: test
description: Alert when a user has performed an export of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect PST export even if the 'eDiscovery search or exported' alert is disabled in O365. This rule will apply to ExchangePowerShell usage and from the cloud.
references:
- https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
author: Nikita Khalimonenkov
date: 2022-11-17
tags:
- attack.collection
- attack.t1114
logsource:
service: threat_management
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
Payload|contains|all:
- 'New-ComplianceSearchAction'
- 'Export'
- 'pst'
condition: selection
falsepositives:
- Exporting a PST can be done for legitimate purposes by legitimate sources, but due to the sensitive nature of PST content, it must be monitored.
level: medium
title: PST Export Alert Using eDiscovery Alert
id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
related:
- id: 6897cd82-6664-11ed-9022-0242ac120002
type: similar
status: test
description: Alert when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information, including email body content.
references:
- https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide
author: Sorina Ionescu
date: 2022-02-08
modified: 2022-11-17
tags:
- attack.collection
- attack.t1114
logsource:
service: threat_management
product: m365
definition: Requires the 'eDiscovery search or exported' alert to be enabled
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: 'eDiscovery search started or exported'
status: success
condition: selection
falsepositives:
- PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.
level: medium
title: ESXi Storage Information Discovery Via ESXCLI
id: f41dada5-3f56-4232-8503-3fb7f9cf2d60
status: test
description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
references:
- https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'storage'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
title: Potential Discovery Activity Using Find - Linux
id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
related:
- id: 85de3a19-b675-4a51-bfc6-b11a5186c971
type: similar
status: test
description: Detects usage of the "find" binary in a suspicious manner to perform discovery
references:
- https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/find'
CommandLine|contains:
- '-perm -4000'
- '-perm -2000'
- '-perm 0777'
- '-perm -222'
- '-perm -o w'
- '-perm -o x'
- '-perm -u=s'
- '-perm -g=s'
condition: selection
falsepositives:
- Unknown
level: medium
title: ESXi Network Configuration Discovery Via ESXCLI
id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174
status: test
description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
references:
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'network'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
title: ESXi VSAN Information Discovery Via ESXCLI
id: d54c2f06-aca9-4e2b-81c9-5317858f4b79
status: test
description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
references:
- https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
- https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'vsan'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
title: ESXi System Information Discovery Via ESXCLI
id: e80273e1-9faf-40bc-bd85-dbaff104c4e9
status: test
description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.
references:
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/esxcli'
CommandLine|contains: 'system'
selection_cli:
CommandLine|contains:
- ' get'
- ' list'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
level: medium
title: ESXi VM List Discovery Via ESXCLI
id: 5f1573a7-363b-4114-9208-ad7a61de46eb
status: test
description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
references:
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
- https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
- https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
- attack.discovery
- attack.execution
- attack.t1033
- attack.t1007
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains: 'vm process'
CommandLine|endswith: ' list'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
title: Detected Windows Software Discovery - PowerShell
id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020-10-16
modified: 2022-12-02
tags:
- attack.discovery
- attack.t1518
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
# Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
- 'get-itemProperty'
- '\software\'
- 'select-object'
- 'format-table'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
title: Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
id: cdfa73b6-3c9d-4bb8-97f8-ddbd8921f5c5
status: experimental
description: Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
references:
- https://pentestlab.blog/2022/03/21/unconstrained-delegation/
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
author: frack113
date: 2025-03-05
tags:
- attack.reconnaissance
- attack.discovery
- attack.credential-access
- attack.t1018
- attack.t1558
- attack.t1589.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- '-Properties*TrustedForDelegation'
- '-Properties*TrustedToAuthForDelegation'
- '-Properties*msDS-AllowedToDelegateTo'
- '-Properties*PrincipalsAllowedToDelegateToAccount'
- '-LDAPFilter*(userAccountControl:1.2.840.113556.1.4.803:=524288)'
condition: selection
falsepositives:
- Legitimate use of the library for administrative activity
level: medium
title: Powershell Sensitive File Discovery
id: 7d416556-6502-45b2-9bad-9d2f05f38997
related:
- id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
type: derived
status: test
description: Detects adversaries enumerating sensitive files such as password stores and KeePass databases
references:
- https://twitter.com/malmoeb/status/1570814999370801158
author: frack113
date: 2022-09-16
tags:
- attack.discovery
- attack.t1083
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_action:
ScriptBlockText|contains:
- ls
- get-childitem
- gci
selection_recurse:
ScriptBlockText|contains: '-recurse'
selection_file:
ScriptBlockText|contains:
- '.pass'
- '.kdbx'
- '.kdb'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
id: db885529-903f-4c5d-9864-28fe199e6370
related:
- id: 435e10e4-992a-4281-96f3-38b11106adde
type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
- https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-17
tags:
- attack.discovery
- attack.t1033
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-ADComputer '
- ' -Filter \*'
ScriptBlockText|contains:
- ' | Select '
- 'Out-File'
- 'Set-Content'
- 'Add-Content'
condition: selection
falsepositives:
- Legitimate admin scripts may use the same technique; consider excluding specific computers or users that run these commands or scripts often
level: medium
title: User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
id: c2993223-6da8-4b1a-88ee-668b8bf315e9
related:
- id: 1114e048-b69c-4f41-bc20-657245ae6e3f
type: similar
status: test
description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-17
tags:
- attack.discovery
- attack.t1033
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-ADUser '
- ' -Filter \*'
ScriptBlockText|contains:
- ' > '
- ' | Select '
- 'Out-File'
- 'Set-Content'
- 'Add-Content'
condition: selection
falsepositives:
- Legitimate admin scripts may use the same technique; consider excluding specific computers or users that run these commands or scripts often
level: medium
title: Powershell XML Execute Command
id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
status: test
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
author: frack113
date: 2022-01-19
modified: 2023-01-19
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_xml:
ScriptBlockText|contains|all:
- 'New-Object'
- 'System.Xml.XmlDocument'
- '.Load'
selection_exec:
ScriptBlockText|contains:
- 'IEX '
- 'Invoke-Expression '
- 'Invoke-Command '
- 'ICM -'
condition: all of selection_*
falsepositives:
- Legitimate administrative script
level: medium
title: Security Software Discovery Via Powershell Script
id: 904e8e61-8edf-4350-b59c-b905fc8e810c
status: test
description: |
Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes.
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus products.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell
author: frack113, Anish Bogati, Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-16
modified: 2023-10-24
tags:
- attack.discovery
- attack.t1518.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains:
- 'get-process | \?'
- 'get-process | where'
- 'gps | \?'
- 'gps | where'
selection_field:
ScriptBlockText|contains:
- 'Company -like'
- 'Description -like'
- 'Name -like'
- 'Path -like'
- 'Product -like'
selection_keywords:
ScriptBlockText|contains:
# Note: These strings are using wildcard assuming the search is using the "-like" operator.
# You can add specific variant with the actual process names to increase coverage
- '\*avira\*'
- '\*carbonblack\*'
- '\*cylance\*'
- '\*defender\*'
- '\*kaspersky\*'
- '\*malware\*'
- '\*sentinel\*'
- '\*symantec\*'
- '\*virus\*'
condition: all of selection_*
falsepositives:
- False positives might occur because the whole ScriptBlock is ingested as one large blob. Initial tuning is required.
- Because the strings in "selection_cmdlet" are common in scripts, the matching engine might slow down. Change them to a regex or a more specific string if heavy resource consumption is observed.
level: medium
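The rule above relies on two pieces of Sigma string semantics that the YAML alone does not make obvious: a backslash-escaped `\*` is a literal asterisk (so `\*defender\*` only fires when the script really uses PowerShell wildcards), while a bare `*` is a wildcard, and `all of selection_*` requires every selection to match. The following is an added example, not part of the rule or of SigmaHQ: a small Python evaluator that translates the rule's `contains` values into regexes with those escape rules and runs the three selections over constructed ScriptBlockText samples (the samples are made up for this example, not real telemetry).

```python
import re

# Added example (not part of the Sigma rule above or of SigmaHQ): evaluates the
# "Security Software Discovery Via Powershell Script" rule against constructed
# ScriptBlockText samples. It shows that Sigma's '\*' is a literal asterisk
# while a bare '*' is a wildcard, and that 'all of selection_*' needs every
# selection to match.


def sigma_contains_regex(value: str) -> re.Pattern:
    """Translate one Sigma 'contains' value into a case-insensitive regex.

    '*' and '?' are Sigma wildcards; a backslash escapes them (and itself),
    so '\\*defender\\*' only matches text that really contains asterisks.
    """
    parts = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            parts.append(re.escape(value[i + 1]))  # escaped metachar -> literal
            i += 2
        elif ch == "*":
            parts.append(".*")                     # unescaped wildcard
            i += 1
        elif ch == "?":
            parts.append(".")                      # single-character wildcard
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


# The rule's three selections, copied from the YAML above. Values inside a
# selection are OR'ed; the condition AND's the selections together.
RULE = {
    "selection_cmdlet": ["get-process | \\?", "get-process | where", "gps | \\?", "gps | where"],
    "selection_field": ["Company -like", "Description -like", "Name -like", "Path -like", "Product -like"],
    "selection_keywords": ["\\*avira\\*", "\\*carbonblack\\*", "\\*cylance\\*", "\\*defender\\*",
                           "\\*kaspersky\\*", "\\*malware\\*", "\\*sentinel\\*", "\\*symantec\\*",
                           "\\*virus\\*"],
}


def rule_matches(rule: dict, script_block_text: str) -> bool:
    """condition: all of selection_*"""
    return all(
        any(sigma_contains_regex(v).search(script_block_text) for v in values)
        for values in rule.values()
    )


# Constructed ScriptBlockText samples (not real telemetry).
SAMPLES = {
    # Shape used by the Atomic Red Team T1518.001 test referenced above: fires.
    "atomic_like": 'get-process | ?{$_.Description -like "*virus*"}',
    # Same cmdlet/field shape but no security-product keyword: no match.
    "benign_browser_check": 'Get-Process | Where-Object { $_.Name -like "*chrome*" }',
    # Keyword present, but '-match' instead of '-like' and no asterisks: the
    # escaped '\*' values require real asterisks, so this is a blind spot.
    "regex_variant": 'Get-Process | Where-Object { $_.ProcessName -match "defender" }',
}


def evaluate(samples: dict) -> list:
    """Names of the samples the rule would alert on, in input order."""
    return [name for name, text in samples.items() if rule_matches(RULE, text)]


if __name__ == "__main__":
    print(evaluate(SAMPLES))  # ['atomic_like']
```

The third sample is the caveat worth keeping in mind when tuning: because the keyword list is written with escaped asterisks, a script that filters with `-match` or `-eq` instead of `-like` never reaches `selection_keywords`, so the rule only covers the wildcard form the Atomic test uses.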
title: Powershell MsXml COM Object
id: 78aa1347-1517-4454-9982-b338d6df8343
status: test
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
- https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
author: frack113, MatilJ
date: 2022-01-19
modified: 2022-05-19
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-Object'
- '-ComObject'
- 'MsXml2.'
- 'XmlHttp'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
title: Potential Discovery Activity Via Dnscmd.EXE
id: b6457d63-d2a2-4e29-859d-4e7affc153d1
status: test
description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
- https://learn.microsoft.com/en-us/azure/dns/dns-zones-records
- https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/
author: '@gott_cyber'
date: 2022-07-31
modified: 2023-02-04
tags:
- attack.discovery
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\dnscmd.exe'
selection_cli:
CommandLine|contains:
- '/enumrecords'
- '/enumzones'
- '/ZonePrint'
- '/info'
condition: all of selection_*
falsepositives:
- Legitimate administration use
level: medium
title: Uncommon System Information Discovery Via Wmic.EXE
id: 9d5a1274-922a-49d0-87f3-8c653483b909
related:
- id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
type: derived
status: test
description: |
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
and GPU driver products/versions.
Some of these commands were used by Aurora Stealer in late 2022/early 2023.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic
- https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
- https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
- https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
- https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/
- https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
author: TropChaud
date: 2023-01-26
modified: 2023-12-19
tags:
- attack.discovery
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_wmic:
- Description: 'WMI Commandline Utility'
- OriginalFileName: 'wmic.exe'
- Image|endswith: '\WMIC.exe'
selection_commands:
CommandLine|contains:
- 'LOGICALDISK get Name,Size,FreeSpace'
- 'os get Caption,OSArchitecture,Version'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Potentially Suspicious Electron Application CommandLine
id: 378a05d8-963c-46c9-bcce-13c7657eac99
related:
- id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
type: similar
status: test
description: Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
references:
- https://positive.security/blog/ms-officecmd-rce
- https://lolbas-project.github.io/lolbas/Binaries/Teams/
- https://lolbas-project.github.io/lolbas/Binaries/Msedge/
- https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
- https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
- https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-05
modified: 2023-11-09
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
# Add more electron based app to the list
- '\chrome.exe'
- '\code.exe'
- '\discord.exe'
- '\GitHubDesktop.exe'
- '\keybase.exe'
- '\msedge_proxy.exe'
- '\msedge.exe'
- '\msedgewebview2.exe'
- '\msteams.exe'
- '\slack.exe'
- '\Teams.exe'
- OriginalFileName:
# Add more electron based app to the list
- 'chrome.exe'
- 'code.exe'
- 'discord.exe'
- 'GitHubDesktop.exe'
- 'keybase.exe'
- 'msedge_proxy.exe'
- 'msedge.exe'
- 'msedgewebview2.exe'
- 'msteams.exe'
- 'slack.exe'
- 'Teams.exe'
selection_cli:
CommandLine|contains:
- '--browser-subprocess-path'
- '--gpu-launcher'
- '--renderer-cmd-prefix'
- '--utility-cmd-prefix'
condition: all of selection_*
falsepositives:
- Legitimate usage for debugging purposes
# Increase the level once FP rate is known better (see status)
level: medium
title: Suspicious Electron Application Child Processes
id: f26eb764-fd89-464b-85e2-dc4a8e6e77b8
related:
- id: 378a05d8-963c-46c9-bcce-13c7657eac99
type: similar
status: test
description: |
Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
references:
- https://taggart-tech.com/quasar-electron/
- https://github.com/mttaggart/quasar
- https://positive.security/blog/ms-officecmd-rce
- https://lolbas-project.github.io/lolbas/Binaries/Msedge/
- https://lolbas-project.github.io/lolbas/Binaries/Teams/
- https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/
- https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-21
modified: 2024-07-12
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
# Add more electron based app to the list
- '\chrome.exe' # Might require additional tuning
- '\discord.exe'
- '\GitHubDesktop.exe'
- '\keybase.exe'
- '\msedge.exe'
- '\msedgewebview2.exe'
- '\msteams.exe'
- '\slack.exe'
- '\teams.exe'
# - '\code.exe' # Prone to a lot of FPs. Requires an additional baseline
selection_child_image:
Image|endswith:
# Add more suspicious/unexpected paths
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\whoami.exe'
- '\wscript.exe'
selection_child_paths:
Image|contains:
# Add more suspicious/unexpected paths
- ':\ProgramData\'
- ':\Temp\'
- '\AppData\Local\Temp\'
- '\Users\Public\'
- '\Windows\Temp\'
filter_optional_discord:
ParentImage|endswith: '\Discord.exe'
Image|endswith: '\cmd.exe'
CommandLine|contains: '\NVSMI\nvidia-smi.exe'
condition: selection_parent and 1 of selection_child_* and not 1 of filter_optional_*
falsepositives:
- Unknown
# Increase the level once FP rate is reduced (see status)
level: medium
title: Suspicious Use of PsLogList
id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
status: test
description: Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to delete event logs
references:
- https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
- https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
- https://twitter.com/EricaZelic/status/1614075109827874817
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2024-03-05
tags:
- attack.discovery
- attack.t1087
- attack.t1087.001
- attack.t1087.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'psloglist.exe'
- Image|endswith:
- '\psloglist.exe'
- '\psloglist64.exe'
selection_cli_eventlog:
CommandLine|contains:
- ' security'
- ' application'
- ' system'
selection_cli_flags:
CommandLine|contains|windash:
- ' -d'
- ' -x'
- ' -s'
- ' -c' # Clear event log after displaying
- ' -g' # Export an event log as an evt file.
condition: all of selection_*
falsepositives:
- Another tool that uses the command line switches of PsLogList
- Legitimate use of PsLogList by an administrator
level: medium
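The `windash` modifier in the rule above is what lets a single value such as `' -s'` also match `' /s'`: Sigma expands every dash in the value into the set of dash-like characters (hyphen, slash, en dash, em dash, horizontal bar) before matching. The following is an added example, not part of the rule or of SigmaHQ, showing that expansion and the rule's `selection_img` (OR of `OriginalFileName` and `Image|endswith`) applied to constructed process creation events; the events are made up for this example, not real telemetry.

```python
from itertools import product

# Added example (not part of the Sigma rule above or of SigmaHQ): applies the
# "Suspicious Use of PsLogList" rule to constructed process_creation events to
# show what the 'windash' modifier does.

# Dash characters the Sigma 'windash' modifier permutes over.
DASHES = ["-", "/", "\u2013", "\u2014", "\u2015"]  # hyphen, slash, en dash, em dash, horizontal bar


def windash_variants(value: str) -> list:
    """Every permutation of the dashes in 'value', as windash generates them."""
    parts = value.split("-")
    combos = product(DASHES, repeat=len(parts) - 1)
    return ["".join(p + d for p, d in zip(parts, c)) + parts[-1] for c in combos]


def contains(command_line: str, values: list) -> bool:
    cl = command_line.lower()
    return any(v.lower() in cl for v in values)


def contains_windash(command_line: str, values: list) -> bool:
    expanded = [v for value in values for v in windash_variants(value)]
    return contains(command_line, expanded)


def image_matches(event: dict) -> bool:
    """selection_img: OriginalFileName OR Image|endswith (list entries are OR'ed)."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return ofn == "psloglist.exe" or image.endswith(("\\psloglist.exe", "\\psloglist64.exe"))


LOGS = [" security", " application", " system"]       # selection_cli_eventlog
FLAGS = [" -d", " -x", " -s", " -c", " -g"]           # selection_cli_flags (windash)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    cl = event.get("CommandLine", "")
    return image_matches(event) and contains(cl, LOGS) and contains_windash(cl, FLAGS)


# Constructed Sysmon-style events (not real telemetry).
EVENTS = [
    # Slash-style switches: only matches because windash also tries '/'.
    {"name": "slash_flags", "Image": r"C:\Tools\PsLogList.exe", "OriginalFileName": "psloglist.exe",
     "CommandLine": "PsLogList.exe /s /x security"},
    # Dash-style switch on the 64-bit build, clearing the log after dumping it.
    {"name": "dash_clear", "Image": r"C:\Tools\psloglist64.exe", "OriginalFileName": "psloglist.exe",
     "CommandLine": "psloglist64.exe -c security"},
    # En dash, as happens when a command is pasted from a document.
    {"name": "en_dash", "Image": r"C:\Tools\PsLogList.exe", "OriginalFileName": "psloglist.exe",
     "CommandLine": "PsLogList.exe \u2013d 7 system"},
    # Renamed copy: still caught through OriginalFileName from the PE header.
    {"name": "renamed", "Image": r"C:\Users\Public\pl.exe", "OriginalFileName": "psloglist.exe",
     "CommandLine": "pl.exe -g c:\\users\\public\\sec.evt security"},
    # Reading a log without any of the listed switches: no match.
    {"name": "plain_read", "Image": r"C:\Tools\PsLogList.exe", "OriginalFileName": "psloglist.exe",
     "CommandLine": "PsLogList.exe security"},
    # Usage text: no event log name and no flagged switch.
    {"name": "usage", "Image": r"C:\Tools\PsLogList.exe", "OriginalFileName": "psloglist.exe",
     "CommandLine": "PsLogList.exe -?"},
]


def alerts(events: list) -> list:
    return [e["name"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(alerts(EVENTS))  # ['slash_flags', 'dash_clear', 'en_dash', 'renamed']
```

Note that the renamed copy is only caught because the event carries `OriginalFileName`; on a log source without PE header fields the `Image|endswith` branch is all that remains, so a renamed binary slips through.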
title: Domain Trust Discovery Via Dsquery
id: 3bad990e-4848-4a78-9530-b427d854aac0
related:
- id: b23fcb74-b1cb-4ff7-a31d-bfe2a7ba453b
type: similar
- id: 77815820-246c-47b8-9741-e0def3f57308
type: obsolete
status: test
description: Detects execution of "dsquery.exe" for domain trust discovery
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md
- https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843
author: E.M. Anhaus, Tony Lambert, oscd.community, omkar72
date: 2019-10-24
modified: 2023-02-02
tags:
- attack.discovery
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dsquery.exe'
- OriginalFileName: 'dsquery.exe'
selection_cli:
CommandLine|contains: 'trustedDomain'
condition: all of selection_*
falsepositives:
- Legitimate use of the utility by an authorized user for administrative reasons
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dsquery_domain_trust_discovery/info.yml
simulation:
- type: atomic-red-team
name: Windows - Discover domain trusts with dsquery
technique: T1482
atomic_guid: 4700a710-c821-4e17-a3ec-9e4c81d6845f
title: Detected Windows Software Discovery
id: e13f668e-7f95-443d-98d2-1816a7648a7b
related:
- id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
type: derived
status: test
description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts # AVQuery.cna
author: Nikita Nazarov, oscd.community
date: 2020-10-16
modified: 2022-10-09
tags:
- attack.discovery
- attack.t1518
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
CommandLine|contains|all:
- 'query'
- '\software\'
- '/v'
- 'svcversion'
condition: selection
falsepositives:
- Legitimate administration activities
level: medium
title: Windows Recall Feature Enabled Via Reg.EXE
id: 817f252c-5143-4dae-b418-48c3e9f63728
related:
- id: 5dfc1465-8f65-4fde-8eb5-6194380c6a62
type: similar
- id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
type: similar
status: test
description: |
Detects the enabling of the Windows Recall feature via registry manipulation.
Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
references:
- https://learn.microsoft.com/en-us/windows/client-management/manage-recall
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
author: Sajid Nawaz Khan
date: 2024-06-02
tags:
- attack.collection
- attack.t1113
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_value:
# HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
# HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis
CommandLine|contains|all:
- 'Microsoft\Windows\WindowsAI'
- 'DisableAIDataAnalysis'
selection_action_add:
CommandLine|contains:
- 'add'
- '0'
selection_action_delete:
CommandLine|contains: 'delete'
condition: selection_img and selection_value and 1 of selection_action_*
falsepositives:
- Legitimate use/activation of Windows Recall
level: medium
title: Console CodePage Lookup Via CHCP
id: 7090adee-82e2-4269-bd59-80691e7c6338
status: test
description: Detects use of chcp to look up the system locale value as part of host discovery
references:
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
author: _pete_0, TheDFIRReport
date: 2022-02-21
modified: 2024-03-05
tags:
- attack.discovery
- attack.t1614.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\cmd.exe'
ParentCommandLine|contains|windash:
- ' -c '
- ' -r '
- ' -k '
Image|endswith: '\chcp.com'
CommandLine|endswith:
- 'chcp'
- 'chcp '
- 'chcp '
condition: selection
falsepositives:
- During an Anaconda update the 'conda.exe' process will eventually execute the 'chcp' command.
- Discord was seen using chcp to look up code pages
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup/info.yml
title: System Language Discovery via Reg.Exe
id: c43a5405-e8e1-4221-9ac9-dbe3fa14e886
status: experimental
description: |
Detects the usage of Reg.Exe to query system language settings.
Attackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions,
or avoid targeting certain locales to evade detection.
references:
- https://scythe.io/threat-thursday/threatthursday-darkside-ransomware
author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-01-09
tags:
- attack.discovery
- attack.t1614.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli:
CommandLine|contains|all:
- 'query'
- 'Control\Nls\Language'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_reg_system_language_discovery/info.yml
simulation:
- type: atomic-red-team
name: Discover System Language by Registry Query
technique: T1614.001
atomic_guid: 631d4cf1-42c9-4209-8fe9-6bd4de9421be
title: Arbitrary File Download Via Squirrel.EXE
id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
related:
- id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
type: similar
- id: fa4b21c9-0057-4493-b289-2556416ae4d7
type: obsolete
status: test
description: |
Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2022-06-09
modified: 2023-11-09
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\squirrel.exe'
- '\update.exe'
selection_download_cli:
CommandLine|contains:
- ' --download '
- ' --update '
- ' --updateRollback='
selection_download_http_keyword:
CommandLine|contains: 'http'
condition: all of selection_*
falsepositives:
- Expected false positives from some Electron-based applications (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
level: medium
title: Potential Recon Activity Via Nltest.EXE
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
related:
- id: 410ad193-a728-4107-bc79-4419789fcbf8
type: similar
- id: 903076ff-f442-475a-b667-4f246bcc203b
type: similar
- id: 77815820-246c-47b8-9741-e0def3f57308
type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
- https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
author: Craig Young, oscd.community, Georg Lauenstein
date: 2021-07-24
modified: 2023-12-15
tags:
- attack.discovery
- attack.t1016
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_nltest:
- Image|endswith: '\nltest.exe'
- OriginalFileName: 'nltestrk.exe'
selection_recon:
- CommandLine|contains|all:
- 'server'
- 'query'
- CommandLine|contains:
- '/user'
- 'all_trusts' # Flag for /domain_trusts
- 'dclist:'
- 'dnsgetdc:'
- 'domain_trusts'
- 'dsgetdc:'
- 'parentdomain'
- 'trusted_domains'
condition: all of selection_*
falsepositives:
- Legitimate administration use but user and host must be investigated
level: medium
title: System Disk And Volume Reconnaissance Via Wmic.EXE
id: c79da740-5030-45ec-a2e0-479e824a562c
related:
- id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
type: similar
status: test
description: |
An adversary might use WMI to discover information about the system, such as the volume name, size,
free space, and other disk information. This can be done using the 'wmic' command-line utility and has been
observed being used by threat actors such as Volt Typhoon.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
author: Stephen Lincoln '@slincoln-aiq' (AttackIQ)
date: 2024-02-02
modified: 2025-10-20
tags:
- attack.execution
- attack.discovery
- attack.t1047
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
- CommandLine|contains:
- ' volumename'
- ' logicaldisk'
- CommandLine|contains|all:
- 'path'
- 'win32_logicaldisk'
- CommandLine|contains|all:
- ' volume'
- ' list '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: User Discovery And Export Via Get-ADUser Cmdlet
id: 1114e048-b69c-4f41-bc20-657245ae6e3f
related:
- id: c2993223-6da8-4b1a-88ee-668b8bf315e9
type: similar
status: test
description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
modified: 2022-11-17
tags:
- attack.discovery
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- 'Get-ADUser '
- ' -Filter \*'
CommandLine|contains:
- ' > '
- ' | Select '
- 'Out-File'
- 'Set-Content'
- 'Add-Content'
condition: all of selection_*
falsepositives:
- Legitimate admin scripts may use the same technique; consider excluding specific computers or users that run these commands or scripts often
level: medium
title: Suspicious Usage of For Loop with Recursive Directory Search in CMD
id: 2782fbd8-b662-4eb5-9962-5bfbfb671e7b
status: experimental
description: |
Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing.
This pattern may indicate an attempt to locate a system binary such as powershell.exe at run time and execute it without naming its path in the script, a technique sometimes used by attackers to evade detection.
This behavior has been observed in various malicious lnk files.
references:
- https://www.virustotal.com/gui/file/29837d0d3202758063185828c8f8d9e0b7b42b365c8941cc926d2d7c7bae2fb3
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2025-11-12
tags:
- attack.execution
- attack.stealth
- attack.t1059.003
- attack.t1027.010
logsource:
category: process_creation
product: windows
detection:
selection_tokens:
CommandLine|contains|all:
- 'for /f'
- 'tokens='
- 'in ('
- 'dir'
selection_tokens_parent:
ParentCommandLine|contains|all:
- 'for /f'
- 'tokens='
- 'in ('
- 'dir'
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
title: Process Proxy Execution Via Squirrel.EXE
id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
related:
- id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
type: similar
- id: fa4b21c9-0057-4493-b289-2556416ae4d7
type: obsolete
status: test
description: |
Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
- http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2022-06-09
modified: 2025-10-07
tags:
- attack.execution
- attack.stealth
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\squirrel.exe'
- '\update.exe'
selection_exec:
CommandLine|contains:
- '--processStart'
- '--processStartAndWait'
- '--createShortcut'
filter_optional_discord:
CommandLine|contains|all:
- ':\Users\'
- '\AppData\Local\Discord\Update.exe'
- 'Discord.exe'
CommandLine|contains:
- '--createShortcut'
- '--processStart'
filter_optional_github_desktop:
CommandLine|contains|all:
- ':\Users\'
- '\AppData\Local\GitHubDesktop\Update.exe'
- 'GitHubDesktop.exe'
CommandLine|contains:
- '--createShortcut'
- '--processStartAndWait'
filter_optional_teams:
CommandLine|contains|all:
- ':\Users\'
- '\AppData\Local\Microsoft\Teams\Update.exe'
- 'Teams.exe'
CommandLine|contains:
- '--processStart'
- '--createShortcut'
filter_optional_yammer:
CommandLine|contains|all:
- ':\Users\'
- '\AppData\Local\yammerdesktop\Update.exe'
- 'Yammer.exe'
CommandLine|contains:
- '--processStart'
- '--createShortcut'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Expected false positives from some Electron-based applications (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
level: medium
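The `filter_optional_discord` block above is where the Discord-specific tuning lives, and its behaviour follows from two Sigma conventions: within one selection, separate field lines are AND'ed while a list of values under a single field is OR'ed, and a `filter_optional_*` block only suppresses an event when all of its field lines match. The following is an added example, not part of the rule or of SigmaHQ: a Python evaluator for the rule's selections and all four filters, run over constructed process creation events (made up for this example, not real telemetry). The `--process-start-args` argument in the last event is the Squirrel switch documented on the LOLBAS page referenced above.

```python
# Added example (not part of the Sigma rule above or of SigmaHQ): runs the
# "Process Proxy Execution Via Squirrel.EXE" rule over constructed
# process_creation events so the filter semantics are visible.


def field_matches(event: dict, field: str, modifier: str, values) -> bool:
    """One 'Field|modifier: value(s)' line. A list of values is OR'ed."""
    if isinstance(values, str):
        values = [values]
    haystack = event.get(field, "").lower()
    needles = [v.lower() for v in values]
    if modifier == "contains":
        return any(n in haystack for n in needles)
    if modifier == "contains|all":
        return all(n in haystack for n in needles)
    if modifier == "endswith":
        return any(haystack.endswith(n) for n in needles)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict, selection: list) -> bool:
    """All field lines of one selection must match (AND)."""
    return all(field_matches(event, f, m, v) for f, m, v in selection)


# Selections and filters copied from the YAML above.
SELECTION_IMG = [("Image", "endswith", ["\\squirrel.exe", "\\update.exe"])]
SELECTION_EXEC = [("CommandLine", "contains", ["--processStart", "--processStartAndWait", "--createShortcut"])]
FILTERS_OPTIONAL = {
    "discord": [
        ("CommandLine", "contains|all", [":\\Users\\", "\\AppData\\Local\\Discord\\Update.exe", "Discord.exe"]),
        ("CommandLine", "contains", ["--createShortcut", "--processStart"]),
    ],
    "github_desktop": [
        ("CommandLine", "contains|all", [":\\Users\\", "\\AppData\\Local\\GitHubDesktop\\Update.exe", "GitHubDesktop.exe"]),
        ("CommandLine", "contains", ["--createShortcut", "--processStartAndWait"]),
    ],
    "teams": [
        ("CommandLine", "contains|all", [":\\Users\\", "\\AppData\\Local\\Microsoft\\Teams\\Update.exe", "Teams.exe"]),
        ("CommandLine", "contains", ["--processStart", "--createShortcut"]),
    ],
    "yammer": [
        ("CommandLine", "contains|all", [":\\Users\\", "\\AppData\\Local\\yammerdesktop\\Update.exe", "Yammer.exe"]),
        ("CommandLine", "contains", ["--processStart", "--createShortcut"]),
    ],
}


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* and not 1 of filter_optional_*"""
    selected = selection_matches(event, SELECTION_IMG) and selection_matches(event, SELECTION_EXEC)
    filtered = any(selection_matches(event, f) for f in FILTERS_OPTIONAL.values())
    return selected and not filtered


# Constructed Sysmon-style events (not real telemetry).
UPDATE = r"C:\Users\alice\AppData\Local\Discord\Update.exe"
EVENTS = [
    # Discord's own updater relaunching the app: suppressed by the filter.
    {"name": "discord_legit", "Image": UPDATE,
     "CommandLine": f'"{UPDATE}" --processStart Discord.exe'},
    # Same binary proxying an arbitrary executable: the filter requires the
    # string "Discord.exe" on the command line, which is absent, so this alerts.
    {"name": "discord_abused", "Image": UPDATE,
     "CommandLine": f'"{UPDATE}" --processStart payload.exe'},
    # Squirrel copied to a user-writable path: alerts.
    {"name": "copied_squirrel", "Image": r"C:\Users\Public\squirrel.exe",
     "CommandLine": "squirrel.exe --createShortcut payload.exe"},
    # Updater doing an update check: selection_exec does not match.
    {"name": "update_check", "Image": UPDATE,
     "CommandLine": f'"{UPDATE}" --checkForUpdate'},
    # The filter is a plain substring test: "Discord.exe" appearing anywhere on
    # the command line (here as an argument) is enough to suppress the alert.
    {"name": "filter_blind_spot", "Image": UPDATE,
     "CommandLine": f'"{UPDATE}" --processStart payload.exe --process-start-args Discord.exe'},
]


def alerts(events: list) -> list:
    return [e["name"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(alerts(EVENTS))  # ['discord_abused', 'copied_squirrel']
```

The last event is the caveat that comes with any `contains`-based filter: the filter checks that `Discord.exe` occurs somewhere on the command line, not that it is the `--processStart` target, so when tuning this rule for Discord it is worth confirming in the alert's full command line which executable the updater actually started.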
title: Computer Discovery And Export Via Get-ADComputer Cmdlet
id: 435e10e4-992a-4281-96f3-38b11106adde
related:
- id: db885529-903f-4c5d-9864-28fe199e6370
type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
- https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
- https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-10
modified: 2022-11-17
tags:
- attack.discovery
- attack.t1033
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- 'Get-ADComputer '
- ' -Filter \*'
CommandLine|contains:
- ' > '
- ' | Select '
- 'Out-File'
- 'Set-Content'
- 'Add-Content'
condition: all of selection_*
falsepositives:
- Legitimate admin scripts may use the same technique; consider excluding specific computers or users that run these commands or scripts often
level: medium
title: Unsigned .node File Loaded
id: e5f5c693-52d7-4de5-88ae-afbfbce85595
status: experimental
description: |
Detects the loading of unsigned .node files.
Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack.
.node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code.
This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
references:
- https://www.coreycburton.com/blog/driploader-case-study
- https://github.com/CoreyCBurton/DripLoaderNG
- https://www.electronjs.org/docs/latest/tutorial/native-code-and-electron
author: Jonathan Beierle (@hullabrian)
date: 2025-11-22
tags:
- attack.execution
- attack.privilege-escalation
- attack.persistence
- attack.stealth
- attack.t1129
- attack.t1574.001
- attack.t1036.005
logsource:
category: image_load
product: windows
detection:
selection_node_extension:
ImageLoaded|endswith: '.node'
selection_status:
- Signed: 'false'
- SignatureStatus: 'Unavailable'
filter_optional_vscode_jupyter:
Image|endswith: '\Code.exe'
ImageLoaded|contains: '.vscode\extensions\ms-toolsai.jupyter-'
ImageLoaded|endswith:
- '\electron.napi.node'
- '\node.napi.glibc.node'
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- VS Code extensions or similar legitimate tools might use unsigned .node files. Investigate these case by case and allowlist them if they turn out to be benign.
level: medium