[ { "title": "DNS Query To Remote Access Software Domain", "id": "4d07b1f4-cb00-4470-b9f8-b0191d48ff52", "status": "experimental", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "author": "frack113, Connor Martin", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Likely with other browser software" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '22' AND (QueryName LIKE '%.getgo.com' ESCAPE '\\' OR QueryName LIKE '%.logmein.com' ESCAPE '\\' OR QueryName LIKE '%.ammyy.com' ESCAPE '\\' OR QueryName LIKE '%.netsupportsoftware.com' ESCAPE '\\' OR QueryName LIKE '%remoteutilities.com' ESCAPE '\\' OR QueryName LIKE '%.net.anydesk.com' ESCAPE '\\' OR QueryName LIKE '%api.playanext.com' ESCAPE '\\' OR QueryName LIKE '%.relay.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%.api.splashtop.com' ESCAPE '\\' OR QueryName LIKE '%app.atera.com' ESCAPE '\\' OR QueryName LIKE '%.agentreporting.atera.com' ESCAPE '\\' OR QueryName LIKE '%.pubsub.atera.com' ESCAPE '\\' OR QueryName LIKE '%logmeincdn.http.internapcdn.net' ESCAPE '\\' OR QueryName LIKE '%logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%client.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%integratedchat.teamviewer.com' ESCAPE '\\' OR QueryName LIKE '%static.remotepc.com' ESCAPE '\\' OR QueryName LIKE '%.n-able.com' ESCAPE '\\' OR QueryName LIKE '%comserver.corporate.beanywhere.com' ESCAPE '\\' OR QueryName LIKE '%.swi-rc.com' ESCAPE '\\' OR QueryName LIKE '%.swi-tc.com' ESCAPE '\\' OR QueryName LIKE '%telemetry.servers.qetqo.com' ESCAPE '\\' OR QueryName LIKE '%relay.screenconnect.com' ESCAPE '\\' OR QueryName LIKE '%control.connectwise.com' ESCAPE '\\' OR QueryName LIKE '%express.gotoassist.com' ESCAPE '\\' OR QueryName LIKE '%authentication.logmeininc.com' ESCAPE '\\' OR QueryName LIKE '%.services.vnc.com' ESCAPE '\\' OR QueryName LIKE '%.tmate.io' ESCAPE '\\' OR QueryName LIKE '%api.parsec.app' ESCAPE '\\' OR QueryName LIKE '%parsecusercontent.com' ESCAPE '\\' OR QueryName LIKE '%remotedesktop-pa.googleapis.com' ESCAPE '\\' OR QueryName LIKE '%.logmein-gateway.com' ESCAPE '\\' OR QueryName LIKE '%secure.logmeinrescue.com' ESCAPE '\\' OR QueryName LIKE '%join.zoho.com' ESCAPE '\\' OR QueryName LIKE '%assist.zoho.com' ESCAPE '\\' OR QueryName LIKE '%.zohoassist.com' ESCAPE '\\' OR QueryName LIKE '%downloads.zohocdn.com' ESCAPE '\\' OR QueryName LIKE '%agent.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%kickstart.jumpcloud.com' ESCAPE '\\' OR QueryName LIKE '%cdn.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%relay.kaseya.net' ESCAPE '\\' OR QueryName LIKE '%license.bomgar.com' ESCAPE '\\' OR QueryName LIKE '%.beyondtrustcloud.com' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], "filename": "dns_query_win_remote_access_software_domains.yml" }, { "title": "Suspicious Cobalt Strike DNS Beaconing - Sysmon", "id": "f356a9c4-effd-4608-bbf8-408afd5cd006", "status": "test", "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1071.004" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '22' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" ], "filename": "dns_query_win_mal_cobaltstrike.yml" }, { "title": "Suspicious LDAP Domain Access", "id": "a21bcd7e-38ec-49ad-b69a-9ea17e69509e", "status": "experimental", "description": "Detect suspicious LDAP request from non-Windows application", "author": "frack113", "tags": [ "attack.discovery", "attack.t1482" ], "falsepositives": [ "Programs that also lookup the observed domain" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '22' AND QueryName LIKE '\\_ldap.%' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\MsMpEng.exe%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName LIKE 'C:\\\\WindowsAzure\\\\GuestAgent%' ESCAPE '\\')))" ], "filename": "dns_query_win_susp_ldap.yml" }, { "title": "AppX Package Installation Attempts Via AppInstaller", "id": "7cff77e1-9663-46a3-8260-17f2e1aa9d0a", "status": "test", "description": "AppInstaller.exe is spawned by the default handler for the \"ms-appinstaller\" URI. It attempts to load/install a package from the referenced URL", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '22' AND NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller\\_%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppInstaller.exe' ESCAPE '\\')" ], "filename": "dns_query_win_lolbin_appinstaller.yml" }, { "title": "Suspicious TeamViewer Domain Access", "id": "778ba9a8-45e4-4b80-8e3e-34a419f0b85e", "status": "test", "description": "Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Unknown binary names of TeamViewer", "Other programs that also lookup the observed domain" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '22' AND QueryName IN ('taf.teamviewer.com', 'udp.ping.teamviewer.com') AND NOT (NewProcessName LIKE '%TeamViewer%' ESCAPE '\\'))" ], "filename": "dns_query_win_susp_teamviewer.yml" }, { "title": "DNS Query Tor Onion Address - Sysmon", "id": "b55ca2a3-7cff-4dda-8bdd-c7bfa63bf544", "status": "experimental", "description": "Detects DNS queries to an \".onion\" address related to Tor routing networks", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1090.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '22' AND QueryName LIKE '%.onion%' ESCAPE '\\')" ], "filename": "dns_query_win_tor_onion.yml" }, { "title": "DNS HybridConnectionManager Service Bus", "id": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "status": "test", "description": "Detects Azure Hybrid Connection Manager services querying the Azure service bus service", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.persistence", "attack.t1554" ], "falsepositives": [ "Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '22' AND QueryName LIKE '%servicebus.windows.net%' ESCAPE '\\' AND NewProcessName LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], "filename": "dns_query_win_hybridconnectionmgr_servicebus.yml" }, { "title": "DNS Query for Anonfiles.com Domain - Sysmon", "id": "065cceea-77ec-4030-9052-fc0affea7110", "status": "experimental", "description": "Detects DNS queries for \"anonfiles.com\", which is an anonymous file upload platform often used for malicious purposes", "author": "pH-T (Nextron Systems)", "tags": [ "attack.exfiltration", "attack.t1567.002" ], "falsepositives": [ "Rare legitimate access to anonfiles.com" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '22' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" ], "filename": "dns_query_win_anonymfiles_com.yml" }, { "title": "Suspicious DNS Query for IP Lookup Service APIs", "id": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", "status": "test", "description": "Detects DNS queries for IP lookup services such as \"api.ipify.org\" originating from a non browser process.", "author": "Brandon George (blog post), Thomas Patzke (rule)", "tags": [ "attack.reconnaissance", "attack.t1590" ], "falsepositives": [ "Legitimate usage of IP lookup services such as ipify API" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '22' AND (QueryName LIKE '%api.2ip.ua%' ESCAPE '\\' OR QueryName LIKE '%api.ipify.org%' ESCAPE '\\' OR QueryName LIKE '%bot.whatismyipaddress.com%' ESCAPE '\\' OR QueryName LIKE '%canireachthe.net%' ESCAPE '\\' OR QueryName LIKE '%checkip.amazonaws.com%' ESCAPE '\\' OR QueryName LIKE '%checkip.dyndns.org%' ESCAPE '\\' OR QueryName LIKE '%curlmyip.com%' ESCAPE '\\' OR QueryName LIKE '%edns.ip-api.com%' ESCAPE '\\' OR QueryName LIKE '%eth0.me%' ESCAPE '\\' OR QueryName LIKE '%freegeoip.app%' ESCAPE '\\' OR QueryName LIKE '%icanhazip.com%' ESCAPE '\\' OR QueryName LIKE '%ident.me%' ESCAPE '\\' OR QueryName LIKE '%ifconfig.io%' ESCAPE '\\' OR QueryName LIKE '%ifconfig.me%' ESCAPE '\\' OR QueryName LIKE '%ip-api.com%' ESCAPE '\\' OR QueryName LIKE '%ip.anysrc.net%' ESCAPE '\\' OR QueryName LIKE '%ip.tyk.nu%' ESCAPE '\\' OR QueryName LIKE '%ipaddressworld.com%' ESCAPE '\\' OR QueryName LIKE '%ipecho.net%' ESCAPE '\\' OR QueryName LIKE '%ipinfo.io%' ESCAPE '\\' OR QueryName LIKE '%ipof.in%' ESCAPE '\\' OR QueryName LIKE '%ipv4.icanhazip.com%' ESCAPE '\\' OR QueryName LIKE '%ipv4bot.whatismyipaddress.com%' ESCAPE '\\' OR QueryName LIKE '%ipwho.is%' ESCAPE '\\' OR QueryName LIKE '%l2.io%' ESCAPE '\\' OR QueryName LIKE '%myexternalip.com%' ESCAPE '\\' OR QueryName LIKE '%wgetip.com%' ESCAPE '\\' OR QueryName LIKE '%whatismyip.akamai.com%' ESCAPE '\\' OR QueryName LIKE '%wtfismyip.com%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], "filename": "dns_query_win_susp_ipify.yml" }, { "title": "DNS Query for MEGA.io Upload Domain - Sysmon", "id": "613c03ba-0779-4a53-8a1f-47f914a4ded3", "status": "test", "description": "Detects DNS queries for subdomains used for upload to MEGA.io", "author": "Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ "attack.exfiltration", "attack.t1567.002" ], "falsepositives": [ "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '22' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" ], "filename": "dns_query_win_mega_nz.yml" }, { "title": "Potential SocGholish Second Stage C2 DNS Query", "id": "70761fe8-6aa2-4f80-98c1-a57049c08e66", "status": "experimental", "description": "Detects a DNS query initiated from a \"wscript\" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic", "author": "Dusty Miller", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '22' AND NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' AND QueryName REGEXP '[a-f0-9]{4,8}\\.(?:[a-z0-9\\-]+\\.){2}[a-z0-9\\-]+')" ], "filename": "dns_query_win_malware_socgholish_second_stage_c2.yml" }, { "title": "DNS Query for Ufile.io Upload Domain - Sysmon", "id": "1cbbeaaf-3c8c-4e4c-9d72-49485b6a176b", "status": "experimental", "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", "author": "yatinwad and TheDFIRReport", "tags": [ "attack.exfiltration", "attack.t1567.002" ], "falsepositives": [ "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '22' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" ], "filename": "dns_query_win_ufile_io.yml" }, { "title": "Regsvr32 Network Activity - DNS", "id": "36e037c4-c228-4866-b6a3-48eb292b9955", "status": "test", "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", "author": "Dmitriy Lifanov, oscd.community", "tags": [ "attack.execution", "attack.t1559.001", "attack.defense_evasion", "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '22' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" ], "filename": "dns_query_win_regsvr32_network_activity.yml" }, { "title": "CobaltStrike Named Pipe Pattern Regex", "id": "0e7163d4-9e19-4fa7-9be6-000c61aad77a", "status": "test", "description": "Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND (PipeName REGEXP '\\\\mojo\\.5688\\.8052\\.(?:183894939787088877|35780273329370473)[0-9a-f]{2}' OR PipeName REGEXP '\\\\wkssvc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\ntsvcs[0-9a-f]{2}' OR PipeName REGEXP '\\\\DserNamePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\SearchTextHarvester[0-9a-f]{2}' OR PipeName REGEXP '\\\\mypipe-(?:f|h)[0-9a-f]{2}' OR PipeName REGEXP '\\\\windows\\.update\\.manager[0-9a-f]{2,3}' OR PipeName REGEXP '\\\\ntsvcs_[0-9a-f]{2}' OR PipeName REGEXP '\\\\scerpc_?[0-9a-f]{2}' OR PipeName REGEXP '\\\\PGMessagePipe[0-9a-f]{2}' OR PipeName REGEXP '\\\\MsFteWds[0-9a-f]{2}' OR PipeName REGEXP '\\\\f4c3[0-9a-f]{2}' OR PipeName REGEXP '\\\\fullduplex_[0-9a-f]{2}' OR PipeName REGEXP '\\\\msrpc_[0-9a-f]{4}' OR PipeName REGEXP '\\\\win\\\\msrpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\f53f[0-9a-f]{2}' OR PipeName REGEXP '\\\\rpc_[0-9a-f]{2}' OR PipeName REGEXP '\\\\spoolss_[0-9a-f]{2}' OR PipeName REGEXP '\\\\Winsock2\\\\CatalogChangeListener-[0-9a-f]{3}-0,'))" ], "filename": "pipe_created_mal_cobaltstrike_re.yml" }, { "title": "CobaltStrike Named Pipe Patterns", "id": "85adeb13-4fc9-4e68-8a4a-c7cb2c336eb7", "status": "test", "description": "Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles", "author": "Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1055" ], "falsepositives": [ "Chrome instances using the exact same pipe name \"mojo.something\"" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND (((PipeName LIKE '\\\\mojo.5688.8052.183894939787088877%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo.5688.8052.35780273329370473%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-f%' ESCAPE '\\' OR PipeName LIKE '\\\\mypipe-h%' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs%' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\_svc%' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss%' ESCAPE '\\' OR PipeName LIKE '\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\win\\\\msrpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc%' ESCAPE '\\' OR PipeName LIKE '\\\\f53f%' ESCAPE '\\' OR PipeName LIKE '\\\\windows.update.manager%' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester%' ESCAPE '\\' OR PipeName LIKE '\\\\DserNamePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe%' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds%' ESCAPE '\\' OR PipeName LIKE '\\\\f4c3%' ESCAPE '\\' OR PipeName LIKE '\\\\fullduplex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\rpc\\_%' ESCAPE '\\') OR (PipeName LIKE '\\\\demoagent\\_11' ESCAPE '\\' OR PipeName LIKE '\\\\demoagent\\_22' ESCAPE '\\')) OR (PipeName LIKE '\\\\Winsock2\\\\CatalogChangeListener-%' ESCAPE '\\' AND PipeName LIKE '%-0,' ESCAPE '\\')) AND NOT ((PipeName LIKE '\\\\wkssvc' ESCAPE '\\' OR PipeName LIKE '\\\\spoolss' ESCAPE '\\' OR PipeName LIKE '\\\\scerpc' ESCAPE '\\' OR PipeName LIKE '\\\\ntsvcs' ESCAPE '\\' OR PipeName LIKE '\\\\SearchTextHarvester' ESCAPE '\\' OR PipeName LIKE '\\\\PGMessagePipe' ESCAPE '\\' OR PipeName LIKE '\\\\MsFteWds' ESCAPE '\\')))" ], "filename": "pipe_created_susp_cobaltstrike_pipe_patterns.yml" }, { "title": "CobaltStrike Named Pipe", "id": "d5601f8c-b26f-4ab0-9035-69e11a8d4ad2", "status": "test", "description": "Detects the creation of a named pipe as used by CobaltStrike", "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND ((PipeName LIKE '%\\\\MSSE-%' ESCAPE '\\' AND PipeName LIKE '%-server%' ESCAPE '\\') OR PipeName LIKE '\\\\postex\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\status\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\msagent\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\mojo\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\interprocess\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\samr\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\netlogon\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\srvsvc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\lsarpc\\_%' ESCAPE '\\' OR PipeName LIKE '\\\\wkssvc\\_%' ESCAPE '\\'))" ], "filename": "pipe_created_mal_cobaltstrike.yml" }, { "title": "Cred Dump-Tools Named Pipes", "id": "961d0ba2-3eea-4303-a930-2cf78bbfcc5e", "status": "test", "description": "Detects well-known credential dumping tools execution via specific named pipes", "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ "attack.credential_access", "attack.t1003.001", "attack.t1003.002", "attack.t1003.004", "attack.t1003.005" ], "falsepositives": [ "Legitimate Administrator using tool for password recovery" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND (PipeName LIKE '%\\\\lsadump%' ESCAPE '\\' OR PipeName LIKE '%\\\\cachedump%' ESCAPE '\\' OR PipeName LIKE '%\\\\wceservicepipe%' ESCAPE '\\'))" ], "filename": "pipe_created_cred_dump_tools_named_pipes.yml" }, { "title": "PsExec Default Named Pipe", "id": "f3f3a972-f982-40ad-b63c-bca6afdfad7c", "status": "test", "description": "Detects PsExec service installation and execution events (service and Sysmon)", "author": "Thomas Patzke", "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\')" ], "filename": "pipe_created_psexec_default_pipe.yml" }, { "title": "PAExec Default Named Pipe", "id": "f6451de4-df0a-41fa-8d72-b39f54a08db5", "status": "test", "description": "Detects PAExec default named pipe", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND PipeName LIKE '\\\\PAExec%' ESCAPE '\\')" ], "filename": "pipe_created_paexec_default_pipe.yml" }, { "title": "Turla Group Named Pipes", "id": "739915e4-1e70-4778-8b8a-17db02f66db1", "status": "test", "description": "Detects a named pipe used by Turla group samples", "author": "Markus Neis", "tags": [ "attack.g0010", "attack.execution", "attack.t1106" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND (PipeName LIKE '\\\\atctl' ESCAPE '\\' OR PipeName LIKE '\\\\userpipe' ESCAPE '\\' OR PipeName LIKE '\\\\iehelper' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\comnap' ESCAPE '\\'))" ], "filename": "pipe_created_apt_turla_namedpipes.yml" }, { "title": "ADFS Database Named Pipe Connection", "id": "1ea13e8c-03ea-409b-877d-ce5c3d2c1cb3", "status": "test", "description": "Detects suspicious local connections via a named pipe to the AD FS configuration database (Windows Internal Database).\nUsed to access information such as the AD FS configuration settings which contains sensitive information used to sign SAML tokens.\n", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.collection", "attack.t1005" ], "falsepositives": [ "Processes in the filter condition" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND PipeName LIKE '\\\\MICROSOFT##WID\\\\tsql\\\\query' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\Microsoft.IdentityServer.ServiceHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Identity.Health.Adfs.PshSurrogate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AzureADConnect.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Tri.Sensor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tssdis.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\')))" ], "filename": "pipe_created_susp_adfs_namedpipe_connection.yml" }, { "title": "WMI Event Consumer Created Named Pipe", "id": "493fb4ab-cdcc-4c4f-818c-0e363bd1e4bb", "status": "test", "description": "Detects the WMI Event Consumer service scrcons.exe creating a named pipe", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.t1047", "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\')" ], "filename": "pipe_created_susp_wmi_consumer_namedpipe.yml" }, { "title": "DiagTrackEoP Default Named Pipe", "id": "1f7025a6-e747-4130-aac4-961eb47015f1", "status": "experimental", "description": "Detects creation of default named pipe used by the DiagTrackEoP POC", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND PipeName LIKE '%thisispipe%' ESCAPE '\\')" ], "filename": "pipe_created_diagtrack_eop_default_pipe.yml" }, { "title": "Koh Default Named Pipes", "id": "0adc67e0-a68f-4ffd-9c43-28905aad5d6a", "status": "experimental", "description": "Detects creation of default named pipes used by the Koh tool", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.credential_access", "attack.t1528", "attack.t1134.001" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND (PipeName LIKE '%\\\\imposecost%' ESCAPE '\\' OR PipeName LIKE '%\\\\imposingcost%' ESCAPE '\\'))" ], "filename": "pipe_created_koh_default_pipe.yml" }, { "title": "Alternate PowerShell Hosts Pipe", "id": "58cb02d5-78ce-4692-b3e1-dce850aae41a", "status": "test", "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Programs using PowerShell directly without invocation of a dedicated interpreter." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND PipeName LIKE '\\\\PSHost%' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ForefrontActiveDirectoryConnector.exe' ESCAPE '\\' OR NewProcessName LIKE '%c:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe' ESCAPE '\\')) OR (NewProcessName = '') OR (NewProcessName LIKE '%:\\\\Program Files%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Tools\\\\Binn\\\\SQLPS.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\ServerManager.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\'))))" ], "filename": "pipe_created_alternate_powershell_hosts_pipe.yml" }, { "title": "PowerShell Execution Via Named Pipe", "id": "ac7102b4-9e1e-4802-9b4f-17c5524c015c", "status": "test", "description": "Detects execution of PowerShell via creation of named pipe starting with PSHost", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "informational", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND PipeName LIKE '\\\\PSHost%' ESCAPE '\\')" ], "filename": "pipe_created_powershell_execution_pipe.yml" }, { "title": "PsExec Pipes Artifacts", "id": "9e77ed63-2ecf-4c7b-b09d-640834882028", "status": "test", "description": "Detecting use PsExec via Pipe Creation/Access to pipes", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.lateral_movement", "attack.t1021.002", "attack.execution", "attack.t1569.002" ], "falsepositives": [ "Legitimate Administrator activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND (PipeName LIKE 'psexec%' ESCAPE '\\' OR PipeName LIKE 'paexec%' ESCAPE '\\' OR PipeName LIKE 'remcom%' ESCAPE '\\' OR PipeName LIKE 'csexec%' ESCAPE '\\'))" ], "filename": "pipe_created_psexec_pipes_artifacts.yml" }, { "title": "PsExec Tool Execution From Suspicious Locations - PipeName", "id": "41504465-5e3a-4a5b-a5b4-2a0baadd4463", "status": "experimental", "description": "Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ], "falsepositives": [ "Rare legitimate use of psexec from the locations mentioned above" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND PipeName LIKE '\\\\PSEXESVC' ESCAPE '\\' AND (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], "filename": "pipe_created_psexec_default_pipe_from_susp_location.yml" }, { "title": "Malicious Named Pipe", "id": "fe3ac066-98bb-432a-b1e7-a5229cb39d4a", "status": "test", "description": "Detects the creation of a named pipe used by known APT malware", "author": "Florian Roth (Nextron Systems), blueteam0ps, elhoim", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND (PipeName LIKE '\\\\isapi\\_http' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg' ESCAPE '\\' OR PipeName LIKE '\\\\isapi\\_dg2' ESCAPE '\\' OR PipeName LIKE '\\\\sdlrpc' ESCAPE '\\' OR PipeName LIKE '\\\\ahexec' ESCAPE '\\' OR PipeName LIKE '\\\\winsession' ESCAPE '\\' OR PipeName LIKE '\\\\lsassw' ESCAPE '\\' OR PipeName LIKE '\\\\46a676ab7f179e511e30dd2dc41bd388' ESCAPE '\\' OR PipeName LIKE '\\\\9f81f59bc58452127884ce513865ed20' ESCAPE '\\' OR PipeName LIKE '\\\\e710f28d59aa529d6792ca6ff0ca1b34' ESCAPE '\\' OR PipeName LIKE '\\\\rpchlp\\_3' ESCAPE '\\' OR PipeName LIKE '\\\\NamePipe\\_MoreWindows' ESCAPE '\\' OR PipeName LIKE '\\\\pcheap\\_reuse' ESCAPE '\\' OR PipeName LIKE '\\\\gruntsvc' ESCAPE '\\' OR PipeName LIKE '\\\\583da945-62af-10e8-4902-a8f205c72b2e' ESCAPE '\\' OR PipeName LIKE '\\\\bizkaz' ESCAPE '\\' OR PipeName LIKE '\\\\svcctl' ESCAPE '\\' OR PipeName LIKE '\\\\Posh%' ESCAPE '\\' OR PipeName LIKE '\\\\jaccdpqnvbrrxlaf' ESCAPE '\\' OR PipeName LIKE '\\\\csexecsvc' ESCAPE '\\' OR PipeName LIKE '\\\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7' ESCAPE '\\' OR PipeName LIKE '\\\\adschemerpc' ESCAPE '\\' OR PipeName LIKE '\\\\AnonymousPipe' ESCAPE '\\' OR PipeName LIKE '\\\\bc367' ESCAPE '\\' OR PipeName LIKE '\\\\bc31a7' ESCAPE '\\' OR PipeName LIKE '\\\\testPipe' ESCAPE '\\' OR PipeName LIKE '\\\\dce\\_3d' ESCAPE '\\'))" ], "filename": "pipe_created_mal_namedpipes.yml" }, { "title": "EfsPotato Named Pipe", "id": "637f689e-b4a5-4a86-be0e-0100a0a33ba2", "status": "experimental", "description": "Detects the pattern of a pipe name as used by the tool EfsPotato", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('17', '18') AND (PipeName LIKE '%\\\\pipe\\\\%' ESCAPE '\\' OR PipeName LIKE '%\\\\pipe\\\\srvsvc%' ESCAPE '\\') AND NOT (PipeName LIKE '%\\\\CtxShare%' ESCAPE '\\'))" ], "filename": "pipe_created_efspotato_namedpipe.yml" }, { "title": "WMI Event Subscription", "id": "0f06a3a5-6a09-413f-8743-e6cf35561297", "status": "test", "description": "Detects creation of WMI event subscription persistence method", "author": "Tom Ueltschi (@c_APT_ure)", "tags": [ "attack.persistence", "attack.t1546.003" ], "falsepositives": [ "Exclude legitimate (vetted) use of WMI event subscription in your network" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE EventID IN ('19', '20', '21')" ], "filename": "sysmon_wmi_event_subscription.yml" }, { "title": "Suspicious Scripting in a WMI Consumer", "id": "fe21810c-2a8c-478f-8dd3-5a287fb2a0e0", "status": "experimental", "description": "Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers", "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ "attack.execution", "attack.t1059.005" ], "falsepositives": [ "Legitimate administrative scripts" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('19', '20', '21') AND ((Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadstring%' ESCAPE '\\') OR (Destination LIKE '%new-object%' ESCAPE '\\' AND Destination LIKE '%net.webclient%' ESCAPE '\\' AND Destination LIKE '%.downloadfile%' ESCAPE '\\') OR (Destination LIKE '% iex(%' ESCAPE '\\' OR Destination LIKE '%WScript.shell%' ESCAPE '\\' OR Destination LIKE '% -nop %' ESCAPE '\\' OR Destination LIKE '% -noprofile %' ESCAPE '\\' OR Destination LIKE '% -decode %' ESCAPE '\\' OR Destination LIKE '% -enc %' ESCAPE '\\') OR (Destination LIKE '%WScript.Shell%' ESCAPE '\\' OR Destination LIKE '%System.Security.Cryptography.FromBase64Transform%' ESCAPE '\\')))" ], "filename": "sysmon_wmi_susp_scripting.yml" }, { "title": "Psexec Execution", "id": "730fc21b-eaff-474b-ad23-90fd265d4988", "status": "test", "description": "Detects user accept agreement execution in psexec commandline", "author": "omkar72", "tags": [ "attack.execution", "attack.t1569", "attack.t1021" ], "falsepositives": [ "Administrative scripts." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\psexec.exe' ESCAPE '\\' OR OriginalFileName = 'psexec.c'))" ], "filename": "proc_creation_win_sysinternals_psexec_execution.yml" }, { "title": "Potential Credential Dumping Via LSASS Process Clone", "id": "c8da0dfd-4ed0-4b68-962d-13c9c884384e", "status": "test", "description": "Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity", "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ "attack.credential_access", "attack.t1003", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_susp_lsass_clone.yml" }, { "title": "DumpStack.log Defender Evasion", "id": "4f647cfa-b598-4e12-ad69-c68dd16caef8", "status": "test", "description": "Detects the use of the filename DumpStack.log to evade Microsoft Defender", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\DumpStack.log' ESCAPE '\\' OR CommandLine LIKE '% -o DumpStack.log%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_dumpstack_log_evasion.yml" }, { "title": "PUA - NirCmd Execution As LOCAL SYSTEM", "id": "d9047477-0359-48c9-b8c7-792cedcdc9c4", "status": "test", "description": "Detects the use of NirCmd tool for command execution as SYSTEM user", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ], "falsepositives": [ "Legitimate use by administrators" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% runassystem %' ESCAPE '\\')" ], "filename": "proc_creation_win_pua_nircmd_as_system.yml" }, { "title": "Add Potential Suspicious New Download Source To Winget", "id": "c15a46a0-07d4-4c87-b4b6-89207835a83b", "status": "experimental", "description": "Detects usage of winget to add new potentially suspicious download sources", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\') AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}')" ], "filename": "proc_creation_win_winget_add_susp_custom_source.yml" }, { "title": "Suspicious File Download Using Office Application", "id": "0c79148b-118e-472b-bdb7-9b57b444cc19", "status": "test", "description": "Detects the usage of one of three Microsoft office applications (Word, Excel, PowerPoint) to download arbitrary files", "author": "Beyu Denis, oscd.community", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_office.yml" }, { "title": "Tasks Folder Evasion", "id": "cc4e02ba-9c06-48e2-b09e-2500cace9ae0", "status": "test", "description": "The Tasks folder in system32 and syswow64 are globally writable paths.\nAdversaries can take advantage of this and load or influence any script hosts or ANY .NET Application \nin Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr\n", "author": "Sreeman", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.execution", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%echo %' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\') AND (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\SysWow64\\\\Tasks\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_task_folder_evasion.yml" }, { "title": "Ilasm Lolbin Use Compile C-Sharp", "id": "850d55f9-6eeb-4492-ad69-a72338f65ba4", "status": "experimental", "description": "Detect use of Ilasm.exe to compile c# code into dll or exe.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1127" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\ilasm.exe' ESCAPE '\\' OR OriginalFileName = 'ilasm.exe'))" ], "filename": "proc_creation_win_lolbin_ilasm.yml" }, { "title": "Suspicious PowerShell Parent Process", "id": "754ed792-634f-40ae-b3bc-e0448d33f695", "status": "test", "description": "Detects a suspicious or uncommon parent processes of PowerShell", "author": "Teymur Kheirkhabarov, Harish Segar", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Other scripts" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%tomcat%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\amigo.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\browser.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jbosssvc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedgecp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MicrosoftEdgeSH.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlagent.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlserver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR (CommandLine LIKE '%/c powershell%' ESCAPE '\\' OR CommandLine LIKE '%/c pwsh%' ESCAPE '\\') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6' OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" ], "filename": "proc_creation_win_powershell_susp_parent_process.yml" }, { "title": "HackTool - Sliver C2 Implant Activity Pattern", "id": "42333b2c-b425-441c-b70e-99404a17170f", "status": "experimental", "description": "Detects process activity patterns as seen being used by Sliver C2 framework implants", "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8%' ESCAPE '\\')" ], "filename": "proc_creation_win_hktl_sliver_c2_execution_pattern.yml" }, { "title": "Regsvr32 Spawning Explorer", "id": "6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca", "status": "experimental", "description": "Detects \"regsvr32.exe\" spawning \"explorer.exe\", which is very uncommon.", "author": "elhoim", "tags": [ "attack.defense_evasion", "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_regsvr32_spawn_explorer.yml" }, { "title": "Execute Pcwrun.EXE To Leverage Follina", "id": "6004abd0-afa4-4557-ba90-49d172e0a299", "status": "experimental", "description": "Detects indirect command execution via Program Compatibility Assistant \"pcwrun.exe\" leveraging the follina (CVE-2022-30190) vulnerability", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218", "attack.execution" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\' AND CommandLine LIKE '%../%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_pcwrun_follina.yml" }, { "title": "Suspicious HH.EXE Execution", "id": "e8a95b5e-c891-46e2-b33a-93937d3abc31", "status": "test", "description": "Detects a suspicious execution of a Microsoft HTML Help (HH.exe)", "author": "Maxim Pavlunin", "tags": [ "attack.defense_evasion", "attack.execution", "attack.initial_access", "attack.t1047", "attack.t1059.001", "attack.t1059.003", "attack.t1059.005", "attack.t1059.007", "attack.t1218", "attack.t1218.001", "attack.t1218.010", "attack.t1218.011", "attack.t1566", "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (CommandLine LIKE '%.application%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Content.Outlook\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hh_susp_execution.yml" }, { "title": "CMSTP Execution Process Creation", "id": "7d4cdc5a-0076-40ca-aac8-f7e714570e47", "status": "stable", "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "author": "Nik Seetharaman", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1218.003", "attack.g0069", "car.2019-04-001" ], "falsepositives": [ "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_cmstp_execution_by_creation.yml" }, { "title": "PUA - Wsudo Suspicious Execution", "id": "bdeeabc9-ff2a-4a51-be59-bb253aac7891", "status": "experimental", "description": "Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.privilege_escalation", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\wsudo.exe' ESCAPE '\\' OR OriginalFileName = 'wsudo.exe' OR Description = 'Windows sudo utility' OR ParentProcessName LIKE '%\\\\wsudo-bridge.exe' ESCAPE '\\' OR (CommandLine LIKE '%-u System%' ESCAPE '\\' OR CommandLine LIKE '%-uSystem%' ESCAPE '\\' OR CommandLine LIKE '%-u TrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '%-uTrustedInstaller%' ESCAPE '\\' OR CommandLine LIKE '% --ti %' ESCAPE '\\')))" ], "filename": "proc_creation_win_pua_wsudo_susp_execution.yml" }, { "title": "Wab/Wabmig Unusual Parent Or Child Processes", "id": "63d1ccc0-2a43-4f4b-9289-361b308991ff", "status": "experimental", "description": "Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_wab_unusual_parents.yml" }, { "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE", "id": "42a5f1e7-9603-4f6d-97ae-3f37d130d794", "status": "experimental", "description": "Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], "filename": "proc_creation_win_certutil_download_file_sharing_domains.yml" }, { "title": "Suspicious Electron Application Child Processes", "id": "f26eb764-fd89-464b-85e2-dc4a8e6e77b8", "status": "experimental", "description": "Detects suspicious child processes of electron apps (teams, discord, slack...).\nThis could be a potential sign of \".asar\" file tampering (See reference section for more information)\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\slack.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\discord.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\NVSMI\\\\nvidia-smi.exe%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_electron_app_children.yml" }, { "title": "PUA - Advanced Port Scanner Execution", "id": "54773c5f-f1cc-4703-9126-2f797d96a69d", "status": "experimental", "description": "Detects the use of Advanced Port Scanner.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1046", "attack.t1135" ], "falsepositives": [ "Legitimate administrative use", "Tools with similar commandline (very rare)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\advanced\\_port\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_port\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced Port Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" ], "filename": "proc_creation_win_pua_advanced_port_scanner.yml" }, { "title": "Mstsc.EXE Execution With Local RDP File", "id": "5fdce3ac-e7f9-4ecd-a3aa-a4d78ebbf0af", "status": "experimental", "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file", "author": "Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Likely with legitimate usage of \".rdp\" files" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND (CommandLine LIKE '%.rdp' ESCAPE '\\' OR CommandLine LIKE '%.rdp\"' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\WSL\\\\wslg.rdp%' ESCAPE '\\')))" ], "filename": "proc_creation_win_mstsc_run_local_rdp_file.yml" }, { "title": "Dumping of Sensitive Hives Via Reg.EXE", "id": "fd877b94-9bb5-4191-bb25-d79cbd93c167", "status": "test", "description": "Detects the usage of \"reg.exe\" in order to dump sensitive registry hives, which includes SAM, SYSTEM and SECURITY", "author": "Teymur Kheirkhabarov, Endgame, JHasenbusch, Daniil Yugoslavskiy, oscd.community, frack113", "tags": [ "attack.credential_access", "attack.t1003.002", "attack.t1003.004", "attack.t1003.005", "car.2013-07-001" ], "falsepositives": [ "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%save%' ESCAPE '\\' OR CommandLine LIKE '%export%' ESCAPE '\\' OR CommandLine LIKE '%ˢave%' ESCAPE '\\' OR CommandLine LIKE '%eˣport%' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hk˪m%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪ocal\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_loca˪\\_machine%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_˪oca˪\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢystem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\syˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢyˢtem%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ˢecurity%' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_dumping_sensitive_hives.yml" }, { "title": "DLL Loaded via CertOC.EXE", "id": "242301bc-f92f-4476-8718-78004a6efd9f", "status": "experimental", "description": "Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.", "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\'))" ], "filename": "proc_creation_win_certoc_load_dll.yml" }, { "title": "Shell32 DLL Execution in Suspicious Directory", "id": "32b96012-7892-429e-b26c-ac2bf46066ff", "status": "experimental", "description": "Detects shell32.dll executing a DLL in a suspicious directory", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_rundll32_shell32_susp_execution.yml" }, { "title": "UAC Bypass Using NTFS Reparse Point - Process", "id": "39ed3c80-e6a1-431b-9df3-911ac53d08a7", "status": "test", "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\wusa.exe\" /quiet C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\update.msu' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\\\Windows\\\\system32\\\\pe386\" /ignorecheck' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\DismHost.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_uac_bypass_ntfs_reparse_point.yml" }, { "title": "TrustedPath UAC Bypass Pattern", "id": "4ac47ed3-44c2-4b1f-9d51-bf46e8914126", "status": "test", "description": "Detects indicators of a UAC bypass method by mocking directories", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%C:\\\\Windows \\\\System32\\\\%' ESCAPE '\\')" ], "filename": "proc_creation_win_uac_bypass_trustedpath.yml" }, { "title": "Remote Access Tool - NetSupport Execution From Unusual Location", "id": "37e8d358-6408-4853-82f4-98333fca7014", "status": "experimental", "description": "Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\\Program Files')", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\client32.exe' ESCAPE '\\' OR Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=a9d50692e95b79723f3e76fcf70d023e%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_remote_access_tools_netsupport_susp_exec.yml" }, { "title": "Service DACL Abuse To Hide Services Via Sc.EXE", "id": "a537cfc3-4297-4789-92b5-345bfd845ad0", "status": "experimental", "description": "Detects usage of the \"sc.exe\" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\'))" ], "filename": "proc_creation_win_sc_sdset_hide_sevices.yml" }, { "title": "Suspicious Calculator Usage", "id": "737e618a-a410-49b5-bec3-9e55ff7fbc15", "status": "test", "description": "Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\calc.exe %' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], "filename": "proc_creation_win_susp_calc.yml" }, { "title": "Potential Binary Impersonating Sysinternals Tools", "id": "7cce6fc8-a07f-4d84-a53e-96e1879843c9", "status": "experimental", "description": "Detects binaries that use the same name as legitimate sysinternals tools to evade detection", "author": "frack113", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1218", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AccessEnum.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADInsight.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADInsight64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adrestore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adrestore64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autologon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autologon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autoruns.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Autoruns64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\autorunsc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\autorunsc64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Bginfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Bginfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Cacheset.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Cacheset64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Clockres.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Clockres64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Contig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Contig64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Coreinfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Coreinfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CPUSTRES.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CPUSTRES64.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ctrl2cap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Dbgview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dbgview64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktops.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktops64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\disk2vhd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\disk2vhd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskext.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskext64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Diskmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Diskmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DiskView.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DiskView64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\du.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\du64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\efsdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FindLinks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\FindLinks64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hex2dec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hex2dec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\junction.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\junction64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ldmdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\listdlls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\listdlls64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrdC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\loadOrdC64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonsessions.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonsessions64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\movefile.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\movefile64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfault64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfaultc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notmyfaultc64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntfsinfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntfsinfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pendmoves.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pendmoves64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pipelist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pipelist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\portmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Procmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Procmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psfile.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psfile64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psGetsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psGetsid64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psInfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psInfo64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pskill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pskill64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pslist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pslist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psLoggedon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psLoggedon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psping64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psshutdown.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psshutdown64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RAMMap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RDCMan.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RegDelNull.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RegDelNull64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regjump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ru.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ru64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ShareEnum.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ShareEnum64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\shellRunas.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sigcheck.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sigcheck64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\streams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\streams64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\strings.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\strings64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sync.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sync64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpvcon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpvcon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tcpview64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Testlimit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Testlimit64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vmmap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vmmap64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Volumeid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Volumeid64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whois.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whois64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Winobj.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Winobj64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ZoomIt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ZoomIt64.exe' ESCAPE '\\') AND NOT ((Company IN ('Sysinternals - www.sysinternals.com', 'Sysinternals')) OR (Company = '')))" ], "filename": "proc_creation_win_sysinternals_tools_masquerading.yml" }, { "title": "Xwizard DLL Sideloading", "id": "193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1", "status": "test", "description": "Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Windows installed on non-C drive" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NewProcessName LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_dll_sideload_xwizard.yml" }, { "title": "HackTool - Empire PowerShell UAC Bypass", "id": "3268b746-88d8-4cd3-bffc-30077d02c787", "status": "stable", "description": "Detects some Empire PowerShell UAC bypass methods", "author": "Ecco", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002", "car.2019-04-001" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update)%' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update);%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_empire_powershell_uac_bypass.yml" }, { "title": "PUA - Chisel Tunneling Tool Execution", "id": "8b0e12da-d3c3-49db-bb4f-256703f380e5", "status": "experimental", "description": "Detects usage of the Chisel tunneling tool via the commandline arguments", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1090.001" ], "falsepositives": [ "Some false positives may occur with other tools with similar commandlines" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\chisel.exe' ESCAPE '\\' OR ((CommandLine LIKE '%exe client %' ESCAPE '\\' OR CommandLine LIKE '%exe server %' ESCAPE '\\') AND (CommandLine LIKE '%-socks5%' ESCAPE '\\' OR CommandLine LIKE '%-reverse%' ESCAPE '\\' OR CommandLine LIKE '% r:%' ESCAPE '\\' OR CommandLine LIKE '%:127.0.0.1:%' ESCAPE '\\' OR CommandLine LIKE '%-tls-skip-verify %' ESCAPE '\\' OR CommandLine LIKE '%:socks%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_pua_chisel.yml" }, { "title": "Detect Virtualbox Driver Installation OR Starting Of VMs", "id": "bab049ca-7471-4828-9024-38279a4c04da", "status": "experimental", "description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", "author": "Janantha Marasinghe", "tags": [ "attack.defense_evasion", "attack.t1564.006", "attack.t1564" ], "falsepositives": [ "This may have false positives on hosts where Virtualbox is legitimately being used for operations" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%VBoxRT.dll,RTR3Init%' ESCAPE '\\' OR CommandLine LIKE '%VBoxC.dll%' ESCAPE '\\' OR CommandLine LIKE '%VBoxDrv.sys%' ESCAPE '\\') OR (CommandLine LIKE '%startvm%' ESCAPE '\\' OR CommandLine LIKE '%controlvm%' ESCAPE '\\')))" ], "filename": "proc_creation_win_virtualbox_execution.yml" }, { "title": "Suspicious Curl.EXE Download", "id": "e218595b-bbe7-4ee5-8a96-f32a24ad3468", "status": "experimental", "description": "Detects a suspicious curl process start on Windows and outputs the requested document to a local file", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\' OR CommandLine LIKE '%.vbe' ESCAPE '\\' OR CommandLine LIKE '%.vbs' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--silent --show-error --output %' ESCAPE '\\' AND CommandLine LIKE '%gfw-httpget-%' ESCAPE '\\' AND CommandLine LIKE '%AppData%' ESCAPE '\\')))" ], "filename": "proc_creation_win_curl_susp_download.yml" }, { "title": "Suspicious Execution of Powershell with Base64", "id": "fb843269-508c-4b76-8b8d-88679db22ce7", "status": "experimental", "description": "Commandline to launch powershell with a base64 payload", "author": "frack113", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% -Encoding %' ESCAPE '\\') OR ((ParentProcessName LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_powershell_encode.yml" }, { "title": "Execute Files with Msdeploy.exe", "id": "646bc99f-6682-4b47-a73a-17b1b64c9d34", "status": "test", "description": "Detects file execution using the msdeploy.exe lolbin", "author": "Beyu Denis, oscd.community", "tags": [ "attack.execution", "attack.t1218" ], "falsepositives": [ "System administrator Usage" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%verb:sync%' ESCAPE '\\' AND CommandLine LIKE '%-source:RunCommand%' ESCAPE '\\' AND CommandLine LIKE '%-dest:runCommand%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\msdeploy.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_msdeploy.yml" }, { "title": "Suspicious PowerShell Mailbox Export to Share", "id": "889719ef-dd62-43df-86c3-768fb08dc7c0", "status": "experimental", "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.exfiltration" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND CommandLine LIKE '% -Mailbox %' ESCAPE '\\' AND CommandLine LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_mailboxexport_share.yml" }, { "title": "Potential PowerShell Command Line Obfuscation", "id": "d7bcd677-645d-4691-a8d4-7a5602b780d1", "status": "test", "description": "Detects the PowerShell command lines with special characters", "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1027", "attack.t1059.001" ], "falsepositives": [ "Amazon SSM Document Worker", "Windows Defender ATP" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine REGEXP '.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*\\+.*' OR CommandLine REGEXP '.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*\\{.*' OR CommandLine REGEXP '.*\\^.*\\^.*\\^.*\\^.*\\^.*' OR CommandLine REGEXP '.*`.*`.*`.*`.*`.*')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Amazon\\\\SSM\\\\ssm-document-worker.exe' ESCAPE '\\') OR ((CommandLine LIKE '%new EventSource(\"Microsoft.Windows.Sense.Client.Management\"%' ESCAPE '\\' OR CommandLine LIKE '%public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_powershell_cmdline_special_characters.yml" }, { "title": "UAC Bypass Using Consent and Comctl32 - Process", "id": "1ca6bd18-0ba0-44ca-851c-92ed89a61085", "status": "test", "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], "filename": "proc_creation_win_uac_bypass_consent_comctl32.yml" }, { "title": "DLL Sideloading by Microsoft Defender", "id": "7002aa10-b8d4-47ae-b5ba-51ab07e228b9", "status": "experimental", "description": "Detects execution of Microsoft Defender's CLI process (MpCmdRun.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MpCmdRun.exe%' ESCAPE '\\')))" ], "filename": "proc_creation_win_mpcmdrun_dll_sideload_defender.yml" }, { "title": "Suspicious Use of PsLogList", "id": "aae1243f-d8af-40d8-ab20-33fc6d0c55bc", "status": "experimental", "description": "Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1087", "attack.t1087.001", "attack.t1087.002" ], "falsepositives": [ "Another tool that uses the command line switches of PsLogList", "Legitimate use of PsLogList by an administrator" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'psloglist.exe' OR (NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\')) AND (CommandLine LIKE '% security%' ESCAPE '\\' OR CommandLine LIKE '% application%' ESCAPE '\\' OR CommandLine LIKE '% system%' ESCAPE '\\') AND (CommandLine LIKE '% -d%' ESCAPE '\\' OR CommandLine LIKE '% /d%' ESCAPE '\\' OR CommandLine LIKE '% -x%' ESCAPE '\\' OR CommandLine LIKE '% /x%' ESCAPE '\\' OR CommandLine LIKE '% -s%' ESCAPE '\\' OR CommandLine LIKE '% /s%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% /c%' ESCAPE '\\' OR CommandLine LIKE '% -g%' ESCAPE '\\' OR CommandLine LIKE '% /g%' ESCAPE '\\'))" ], "filename": "proc_creation_win_sysinternals_psloglist.yml" }, { "title": "Sysinternals PsSuspend Suspicious Execution", "id": "4beb6ae0-f85b-41e2-8f18-8668abc8af78", "status": "experimental", "description": "Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'pssuspend.exe' OR (NewProcessName LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend64.exe' ESCAPE '\\')) AND CommandLine LIKE '%msmpeng.exe%' ESCAPE '\\')" ], "filename": "proc_creation_win_sysinternals_pssuspend_susp_execution.yml" }, { "title": "Gpscript Execution", "id": "1e59c230-6670-45bf-83b0-98903780607e", "status": "experimental", "description": "Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Legitimate uses of logon scripts distributed via group policy" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\gpscript.exe' ESCAPE '\\' OR OriginalFileName = 'GPSCRIPT.EXE') AND (CommandLine LIKE '% /logon%' ESCAPE '\\' OR CommandLine LIKE '% /startup%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_gpscript.yml" }, { "title": "Use of Adplus.exe", "id": "2f869d59-7f6a-4931-992c-cce556ff2d53", "status": "experimental", "description": "The \"AdPlus.exe\" binary that is part of the Windows SDK can be used as a lolbin to dump process memory and execute arbitrary commands", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1003.001" ], "falsepositives": [ "Legitimate usage of Adplus" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\adplus.exe' ESCAPE '\\' OR OriginalFileName = 'Adplus.exe') AND (CommandLine LIKE '% -hang %' ESCAPE '\\' OR CommandLine LIKE '% -pn %' ESCAPE '\\' OR CommandLine LIKE '% -pmn %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -po %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -sc %' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_adplus.yml" }, { "title": "Disabled Volume Snapshots", "id": "dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a", "status": "test", "description": "Detects commands that temporarily turn off Volume Snapshots", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate administration" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Services\\\\VSS\\\\Diag%' ESCAPE '\\' AND CommandLine LIKE '%/d Disabled%' ESCAPE '\\')" ], "filename": "proc_creation_win_reg_volsnap_disable.yml" }, { "title": "HackTool - SILENTTRINITY Stager Execution", "id": "03552375-cc2c-4883-bbe4-7958d5a980be", "status": "test", "description": "Detects SILENTTRINITY stager use via PE metadata", "author": "Aleksey Potapov, oscd.community", "tags": [ "attack.command_and_control", "attack.t1071" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description LIKE '%st2stager%' ESCAPE '\\')" ], "filename": "proc_creation_win_hktl_silenttrinity_stager.yml" }, { "title": "Zip A Folder With PowerShell For Staging In Temp", "id": "85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98", "status": "test", "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", "author": "frack113", "tags": [ "attack.collection", "attack.t1074.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Compress-Archive %' ESCAPE '\\' AND CommandLine LIKE '% -Path %' ESCAPE '\\' AND CommandLine LIKE '% -DestinationPath %' ESCAPE '\\' AND CommandLine LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_zip_compress.yml" }, { "title": "Use Short Name Path in Command Line", "id": "349d891d-fef0-4fe4-bc53-eee623a15969", "status": "experimental", "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1564.004" ], "falsepositives": [ "Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%~1\\\\%' ESCAPE '\\' OR CommandLine LIKE '%~2\\\\%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\GPSoftware\\\\Directory Opus\\\\dopus.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\veam.backup.shell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Everything\\\\Everything.exe' ESCAPE '\\') OR ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\' OR (CommandLine LIKE '%\\\\appdata\\\\local\\\\webex\\\\webex64\\\\meetings\\\\wbxreport.exe%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\cmd\\\\scalar.exe%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" }, { "title": "Suspect Svchost Activity", "id": "16c37b52-b141-42a5-a3ea-bbe098444397", "status": "experimental", "description": "It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.", "author": "David Burkett, @signalblur", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1055" ], "falsepositives": [ "Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnetp.exe' ESCAPE '\\') OR CommandLine = ''))" ], "filename": "proc_creation_win_svchost_execution_with_no_cli_flags.yml" }, { "title": "Suspicious LOLBIN AccCheckConsole", "id": "0f6da907-5854-4be6-859a-e9958747b0aa", "status": "test", "description": "Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Legitimate use of the UI Accessibility Checker" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\AccCheckConsole.exe' ESCAPE '\\' OR OriginalFileName = 'AccCheckConsole.exe') AND (CommandLine LIKE '% -window %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_susp_acccheckconsole.yml" }, { "title": "Suspicious Microsoft OneNote Child Process", "id": "c27515df-97a9-4162-8a60-dc0eeb51b775", "status": "experimental", "description": "Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.", "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ "attack.t1566", "attack.t1566.001", "attack.initial_access" ], "falsepositives": [ "File located in the AppData folder with trusted signature" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' AND ((OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND (CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.pif%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\FileCoAuth.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding' ESCAPE '\\')))" ], "filename": "proc_creation_win_office_onenote_susp_child_processes.yml" }, { "title": "UAC Bypass Using IDiagnostic Profile", "id": "4cbef972-f347-4170-b62a-8253f6168e6d", "status": "experimental", "description": "Detects the \"IDiagnosticProfileUAC\" UAC bypass technique", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], "filename": "proc_creation_win_uac_bypass_idiagnostic_profile.yml" }, { "title": "Powershell Token Obfuscation - Process Creation", "id": "deb9b646-a508-44ee-b7c9-d8965921c6b6", "status": "experimental", "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1027.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR CommandLine REGEXP '\"(\\{\\d\\})+\"\\s*-f' OR CommandLine REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'))" ], "filename": "proc_creation_win_powershell_token_obfuscation.yml" }, { "title": "Imports Registry Key From a File", "id": "73bba97f-a82d-42ce-b315-9182e76c57b1", "status": "test", "description": "Detects the import of the specified file to the registry with regedit.exe.", "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ "attack.t1112", "attack.defense_evasion" ], "falsepositives": [ "Legitimate import of keys", "Evernote" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')) AND (CommandLine REGEXP ':[^ \\\\]')))" ], "filename": "proc_creation_win_regedit_import_keys.yml" }, { "title": "Potential PowerShell Execution Policy Tampering - ProcCreation", "id": "cf2e938e-9a3e-4fe8-a347-411642b28a9f", "status": "experimental", "description": "Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy%' ESCAPE '\\') AND (CommandLine LIKE '%Bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\' OR CommandLine LIKE '%Unrestricted%' ESCAPE '\\'))" ], "filename": "proc_creation_win_registry_set_unsecure_powershell_policy.yml" }, { "title": "Change Default File Association To Executable Via Assoc", "id": "ae6f14e6-14de-45b0-9f44-c0986f50dc89", "status": "experimental", "description": "Detects when a program changes the default file association of any extension to an executable.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1546.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%assoc %' ESCAPE '\\' AND CommandLine LIKE '%exefile%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%.exe=exefile%' ESCAPE '\\'))" ], "filename": "proc_creation_win_cmd_assoc_tamper_exe_file_association.yml" }, { "title": "PsExec Service Execution", "id": "fdfcbd78-48f1-4a4b-90ac-d82241e368c5", "status": "experimental", "description": "Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution", "author": "Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Legitimate administrative tasks" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' OR OriginalFileName = 'psexesvc.exe'))" ], "filename": "proc_creation_win_sysinternals_psexesvc.yml" }, { "title": "Procdump Execution", "id": "2e65275c-8288-4ab4-aeb7-6274f58b6b20", "status": "experimental", "description": "Detects usage of the SysInternals Procdump utility", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036", "attack.t1003.001" ], "falsepositives": [ "Legitimate use of procdump by a developer or administrator" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_sysinternals_procdump.yml" }, { "title": "Msiexec Quiet Installation", "id": "79a87aa6-e4bd-42fc-a5bb-5e6fbdcd62f5", "status": "experimental", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218.007" ], "falsepositives": [ "WindowsApps installing updates via the quiet flag" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe' ESCAPE '\\' AND IntegrityLevel = 'System')))" ], "filename": "proc_creation_win_msiexec_install_quiet.yml" }, { "title": "Process Memory Dump via RdrLeakDiag.EXE", "id": "edadb1e5-5919-4e4c-8462-a9e643b02c4b", "status": "test", "description": "Detects the use of the Microsoft Windows Resource Leak Diagnostic tool \"rdrleakdiag.exe\" to dump process memory", "author": "Cedric MAURUGEON, Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\') AND (CommandLine LIKE '% -o %' ESCAPE '\\' OR CommandLine LIKE '% /o %' ESCAPE '\\') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% /p %' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\rdrleakdiag.exe' ESCAPE '\\' OR OriginalFileName = 'RdrLeakDiag.exe') AND (CommandLine LIKE '%fullmemdmp%' ESCAPE '\\' OR CommandLine LIKE '%/memdmp%' ESCAPE '\\' OR CommandLine LIKE '%-memdmp%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_rdrleakdiag_process_dumping.yml" }, { "title": "UAC Bypass Using Windows Media Player - Process", "id": "0058b9e5-bcd7-40d4-9205-95ca5a16d7b2", "status": "test", "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\mmc.exe\" \"C:\\\\Windows\\\\system32\\\\eventvwr.msc\" /s' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))))" ], "filename": "proc_creation_win_uac_bypass_wmp.yml" }, { "title": "Potential PowerShell Execution Via DLL", "id": "6812a10b-60ea-420c-832f-dfcc33b646ba", "status": "test", "description": "Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll", "author": "Markus Neis, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'RegSvcs.exe', 'InstallUtil.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%Default.GetString%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_dll_execution.yml" }, { "title": "Potential LethalHTA Technique Execution", "id": "ed5d72a6-f8f4-479d-ba79-02f6a80d7471", "status": "test", "description": "Detects potential LethalHTA technique where the \"mshta.exe\" is spwaned by an \"svchost.exe\" process", "author": "Markus Neis", "tags": [ "attack.defense_evasion", "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_mshta_lethalhta_technique.yml" }, { "title": "Suspicious Scheduled Task Creation Involving Temp Folder", "id": "39019a4e-317f-4ce3-ae63-309a8c6b53c5", "status": "test", "description": "Detects the creation of scheduled tasks that involves a temporary folder and runs only once", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.persistence", "attack.t1053.005" ], "falsepositives": [ "Administrative activity", "Software installation" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND CommandLine LIKE '% /sc once %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" ], "filename": "proc_creation_win_schtasks_creation_temp_folder.yml" }, { "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP", "id": "9fbf5927-5261-4284-a71d-f681029ea574", "status": "test", "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", "author": "frack113", "tags": [ "attack.collection", "attack.t1560.001" ], "falsepositives": [ "Legitimate activity is expected since compressing files with a password is common." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND CommandLine LIKE '% -p%' ESCAPE '\\' AND (CommandLine LIKE '% a %' ESCAPE '\\' OR CommandLine LIKE '% u %' ESCAPE '\\'))" ], "filename": "proc_creation_win_7zip_password_compression.yml" }, { "title": "Tor Client/Browser Execution", "id": "62f7c9bf-9135-49b2-8aeb-1e54a6ecc13c", "status": "test", "description": "Detects the use of Tor or Tor-Browser to connect to onion routing networks", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1090.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%\\\\tor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Tor Browser\\\\Browser\\\\firefox.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_browsers_tor_execution.yml" }, { "title": "Copy from Admin Share", "id": "855bc8b5-2ae8-402e-a9ed-b889e6df1900", "status": "test", "description": "Detects a suspicious copy command to or from an Admin share or remote", "author": "Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali", "tags": [ "attack.lateral_movement", "attack.collection", "attack.exfiltration", "attack.t1039", "attack.t1048", "attack.t1021.002" ], "falsepositives": [ "Administrative scripts" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\') OR CommandLine LIKE '%\\\\Sysvol\\\\%' ESCAPE '\\') AND ((((NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE')) OR ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%copy%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\powershell.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe%' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\'))))" ], "filename": "proc_creation_win_susp_copy_lateral_movement.yml" }, { "title": "Remote Access Tool - AnyDesk Piped Password Via CLI", "id": "b1377339-fda6-477a-b455-ac0923f9ec2c", "status": "experimental", "description": "Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate piping of the password to anydesk", "Some FP could occur with similar tools that uses the same command line '--set-password'" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%echo %' ESCAPE '\\' AND CommandLine LIKE '%.exe --set-password%' ESCAPE '\\')" ], "filename": "proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml" }, { "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE", "id": "48917adc-a28e-4f5d-b729-11e75da8941f", "status": "experimental", "description": "Detects the usage of \"reg.exe\" to add Defender folder exclusions. Qbot has been seen using this technique to add exlcusions for folders within AppData and ProgramData.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Paths%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Paths%' ESCAPE '\\') AND CommandLine LIKE '%ADD %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD %' ESCAPE '\\' AND CommandLine LIKE '%/v %' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\')" ], "filename": "proc_creation_win_reg_defender_exclusion.yml" }, { "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd", "id": "e9b61244-893f-427c-b287-3e708f321c6b", "status": "experimental", "description": "Detects the creation of a symbolic link between \"cmd.exe\" and the accessibility on-screen keyboard binary (osk.exe) using \"mklink\". This technique provides an elevated command prompt to the user from the login screen without the need to log in.", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%\\\\osk.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\cmd.exe%' ESCAPE '\\'))" ], "filename": "proc_creation_win_cmd_mklink_osk_cmd.yml" }, { "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS", "id": "07aa184a-870d-413d-893a-157f317f6f58", "status": "test", "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.execution", "attack.t1615", "attack.t1059.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_gather_network_info_execution.yml" }, { "title": "PowerShell Base64 Encoded Invoke Keyword", "id": "6385697e-9f1b-40bd-8817-f4a91f40508e", "status": "test", "description": "Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls", "author": "pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t", "tags": [ "attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR CommandLine LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR CommandLine LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\' OR CommandLine LIKE '%SW52b2tlL%' ESCAPE '\\' OR CommandLine LIKE '%ludm9rZS%' ESCAPE '\\' OR CommandLine LIKE '%JbnZva2Ut%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_base64_invoke.yml" }, { "title": "Proxy Execution via Wuauclt", "id": "af77cf95-c469-471c-b6a0-946c685c4798", "status": "test", "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth (Nextron Systems), Sreeman, FPT.EagleEye Team", "tags": [ "attack.defense_evasion", "attack.t1218", "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%RunHandlerComServer%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /UpdateDeploymentProvider UpdateDeploymentProvider.dll %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], "filename": "proc_creation_win_lolbin_wuauclt.yml" }, { "title": "HackTool - SharPersist Execution", "id": "26488ad0-f9fd-4536-876f-52fea846a2e4", "status": "experimental", "description": "Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1053" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\SharPersist.exe' ESCAPE '\\' OR Product = 'SharPersist') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' OR CommandLine LIKE '% -t startupfolder -c %' ESCAPE '\\') OR (CommandLine LIKE '% -t reg -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t service -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\') OR (CommandLine LIKE '% -t schtask -c %' ESCAPE '\\' AND CommandLine LIKE '% -m add%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_sharpersist.yml" }, { "title": "PUA - Seatbelt Execution", "id": "38646daa-e78f-4ace-9de0-55547b2d30da", "status": "experimental", "description": "Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1526", "attack.t1087", "attack.t1083" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\Seatbelt.exe' ESCAPE '\\' OR OriginalFileName = 'Seatbelt.exe' OR Description = 'Seatbelt' OR (CommandLine LIKE '% DpapiMasterKeys%' ESCAPE '\\' OR CommandLine LIKE '% InterestingProcesses%' ESCAPE '\\' OR CommandLine LIKE '% InterestingFiles%' ESCAPE '\\' OR CommandLine LIKE '% CertificateThumbprints%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumBookmarks%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumHistory%' ESCAPE '\\' OR CommandLine LIKE '% ChromiumPresence%' ESCAPE '\\' OR CommandLine LIKE '% CloudCredentials%' ESCAPE '\\' OR CommandLine LIKE '% CredEnum%' ESCAPE '\\' OR CommandLine LIKE '% CredGuard%' ESCAPE '\\' OR CommandLine LIKE '% FirefoxHistory%' ESCAPE '\\' OR CommandLine LIKE '% ProcessCreationEvents%' ESCAPE '\\')) OR ((CommandLine LIKE '% -group=misc%' ESCAPE '\\' OR CommandLine LIKE '% -group=remote%' ESCAPE '\\' OR CommandLine LIKE '% -group=chromium%' ESCAPE '\\' OR CommandLine LIKE '% -group=slack%' ESCAPE '\\' OR CommandLine LIKE '% -group=system%' ESCAPE '\\' OR CommandLine LIKE '% -group=user%' ESCAPE '\\' OR CommandLine LIKE '% -group=all%' ESCAPE '\\') AND CommandLine LIKE '% -outputfile=%' ESCAPE '\\')))" ], "filename": "proc_creation_win_pua_seatbelt.yml" }, { "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE", "id": "cd1f961e-0b96-436b-b7c6-38da4583ec00", "status": "test", "description": "Detects the execution of \"logman\" utility in order to disable or delete Windows trace sessions", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001", "attack.t1070.001" ], "falsepositives": [ "Legitimate deactivation by administrative staff", "Installer tools that disable services, e.g. before log collection agent installation" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\logman.exe' ESCAPE '\\' OR OriginalFileName = 'Logman.exe') AND (CommandLine LIKE '%stop %' ESCAPE '\\' OR CommandLine LIKE '%delete %' ESCAPE '\\') AND (CommandLine LIKE '%Circular Kernel Context Logger%' ESCAPE '\\' OR CommandLine LIKE '%EventLog-%' ESCAPE '\\' OR CommandLine LIKE '%SYSMON TRACE%' ESCAPE '\\' OR CommandLine LIKE '%SysmonDnsEtwSession%' ESCAPE '\\'))" ], "filename": "proc_creation_win_logman_disable_eventlog.yml" }, { "title": "Browser Started with Remote Debugging", "id": "b3d34dc5-2efd-4ae3-845f-8ec14921f449", "status": "experimental", "description": "Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks", "author": "pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1185" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% --remote-debugging-%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' AND CommandLine LIKE '% -start-debugger-server%' ESCAPE '\\')))" ], "filename": "proc_creation_win_browsers_remote_debugging.yml" }, { "title": "Node Process Executions", "id": "df1f26d3-bea7-4700-9ea2-ad3e990cf90e", "status": "experimental", "description": "Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud", "author": "Max Altgelt (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1127", "attack.t1059.007" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NewProcessName LIKE '%\\\\Adobe Creative Cloud Experience\\\\libs\\\\node.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%Adobe Creative Cloud Experience\\\\js%' ESCAPE '\\'))" ], "filename": "proc_creation_win_node_adobe_creative_cloud_abuse.yml" }, { "title": "Suspicious X509Enrollment - Process Creation", "id": "114de787-4eb2-48cc-abdb-c0b449f93ea4", "status": "experimental", "description": "Detect use of X509Enrollment", "author": "frack113", "falsepositives": [ "Legitimate administrative script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR CommandLine LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_x509enrollment.yml" }, { "title": "HackTool - CrackMapExec Execution Patterns", "id": "058f4380-962d-40a5-afce-50207d36d7e2", "status": "stable", "description": "Detects various execution patterns of the CrackMapExec pentesting framework", "author": "Thomas Patzke", "tags": [ "attack.execution", "attack.t1047", "attack.t1053", "attack.t1059.003", "attack.t1059.001", "attack.s0106" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%cmd.exe /Q /c % 1> \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > \\\\%\\\\%\\\\% 2>&1' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /C % > %\\\\Temp\\\\% 2>&1' ESCAPE '\\') AND (CommandLine LIKE '%powershell.exe -exec bypass -noni -nop -w 1 -C \"%' ESCAPE '\\' OR CommandLine LIKE '%powershell.exe -noni -nop -w 1 -enc %' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_crackmapexec_execution_patterns.yml" }, { "title": "Writing Of Malicious Files To The Fonts Folder", "id": "ae9b0bd7-8888-4606-b444-0ed7410cb728", "status": "test", "description": "Monitors for the hiding possible malicious files in the C:\\Windows\\Fonts\\ location. This folder doesn't require admin privillege to be written and executed from.", "author": "Sreeman", "tags": [ "attack.t1211", "attack.t1059", "attack.defense_evasion", "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%echo%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%type%' ESCAPE '\\' OR CommandLine LIKE '%file createnew%' ESCAPE '\\' OR CommandLine LIKE '%cacls%' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh%' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.msi%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_hiding_malware_in_fonts_folder.yml" }, { "title": "Renamed AdFind Execution", "id": "df55196f-f105-44d3-a675-e9dfb6cc2f2b", "status": "test", "description": "Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1018", "attack.t1087.002", "attack.t1482", "attack.t1069.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\') OR Imphash IN ('bca5675746d13a1f246e2da3c2217492', '53e117a96057eaf19c41380d0e87f1c2') OR (Hashes LIKE '%IMPHASH=BCA5675746D13A1F246E2DA3C2217492%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=53E117A96057EAF19C41380D0E87F1C2%' ESCAPE '\\') OR OriginalFileName = 'AdFind.exe') AND NOT (NewProcessName LIKE '%\\\\AdFind.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_adfind.yml" }, { "title": "Audio Capture via PowerShell", "id": "932fb0d8-692b-4b0f-a26e-5643a50fe7d6", "status": "test", "description": "Detects audio capture via PowerShell Cmdlet.", "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.collection", "attack.t1123" ], "falsepositives": [ "Legitimate audio capture by legitimate user." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%WindowsAudioDevice-Powershell-Cmdlet%' ESCAPE '\\' OR CommandLine LIKE '%Toggle-AudioDevice%' ESCAPE '\\' OR CommandLine LIKE '%Get-AudioDevice %' ESCAPE '\\' OR CommandLine LIKE '%Set-AudioDevice %' ESCAPE '\\' OR CommandLine LIKE '%Write-AudioDevice %' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_audio_capture.yml" }, { "title": "File Download Via Bitsadmin To A Suspicious Target Folder", "id": "2ddef153-167b-4e89-86b6-757a9e65dcac", "status": "experimental", "description": "Detects usage of bitsadmin downloading a file to a suspicious target folder", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1197", "attack.s0190", "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_bitsadmin_download_susp_targetfolder.yml" }, { "title": "Wscript Execution from Non C Drive", "id": "5b80cf53-3a46-4adc-960b-05ec19348d74", "status": "experimental", "description": "Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.", "author": "Aaron Herman", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Legitimate scripts located on other partitions such as \"D:\"" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\') AND CommandLine LIKE '%:\\\\%' ESCAPE '\\') AND NOT (((CommandLine LIKE '% C:\\\\\\*' ESCAPE '\\' OR CommandLine LIKE '% ''C:\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \"C:\\\\\\*' ESCAPE '\\')) OR (CommandLine LIKE '%\\%%' ESCAPE '\\') OR (CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_lolbin_non_c_drive.yml" }, { "title": "SystemStateBackup Deleted Using Wbadmin.EXE", "id": "89f75308-5b1b-4390-b2d8-d6b2340efaf8", "status": "test", "description": "Deletes the Windows systemstatebackup using wbadmin.exe.\nThis technique is used by numerous ransomware families.\nThis may only be successful on server platforms that have Windows Backup enabled.\n", "author": "frack113", "tags": [ "attack.impact", "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete %' ESCAPE '\\' AND CommandLine LIKE '%systemstatebackup %' ESCAPE '\\' AND CommandLine LIKE '%-keepVersions:0%' ESCAPE '\\'))" ], "filename": "proc_creation_win_wbadmin_delete_systemstatebackup.yml" }, { "title": "Suspicious RunAs-Like Flag Combination", "id": "50d66fb0-03f8-4da0-8add-84e77d12a020", "status": "experimental", "description": "Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -u system %' ESCAPE '\\' OR CommandLine LIKE '% --user system %' ESCAPE '\\' OR CommandLine LIKE '% -u NT%' ESCAPE '\\' OR CommandLine LIKE '% -u \"NT%' ESCAPE '\\' OR CommandLine LIKE '% -u ''NT%' ESCAPE '\\' OR CommandLine LIKE '% --system %' ESCAPE '\\' OR CommandLine LIKE '% -u administrator %' ESCAPE '\\') AND (CommandLine LIKE '% -c cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c \"cmd%' ESCAPE '\\' OR CommandLine LIKE '% -c powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c \"powershell%' ESCAPE '\\' OR CommandLine LIKE '% --command cmd%' ESCAPE '\\' OR CommandLine LIKE '% --command powershell%' ESCAPE '\\' OR CommandLine LIKE '% -c whoami%' ESCAPE '\\' OR CommandLine LIKE '% -c wscript%' ESCAPE '\\' OR CommandLine LIKE '% -c cscript%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_privilege_escalation_cli_patterns.yml" }, { "title": "HackTool - Hydra Password Bruteforce Execution", "id": "aaafa146-074c-11eb-adc1-0242ac120002", "status": "test", "description": "Detects command line parameters used by Hydra password guessing hack tool", "author": "Vasiliy Burov", "tags": [ "attack.credential_access", "attack.t1110", "attack.t1110.001" ], "falsepositives": [ "Software that uses the caret encased keywords PASS and USER in its command line" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\' AND (CommandLine LIKE '%^USER^%' ESCAPE '\\' OR CommandLine LIKE '%^PASS^%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_hydra.yml" }, { "title": "Read Contents From Stdin Via Cmd.EXE", "id": "241e802a-b65e-484f-88cd-c2dc10f9206d", "status": "experimental", "description": "Detect the use of \"<\" to read and potentially execute a file via cmd.exe", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%<%' ESCAPE '\\')" ], "filename": "proc_creation_win_cmd_stdin_redirect.yml" }, { "title": "Suspicious CMD Shell Output Redirect", "id": "8e0bb260-d4b2-4fff-bb8d-3f82118e6892", "status": "experimental", "description": "Detects inline windows shell commands redirecting output via the \">\" symbol to a suspicious location", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1218" ], "falsepositives": [ "Legitimate admin scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND ((CommandLine LIKE '%> \\%USERPROFILE\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%APPDATA\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TEMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> \\%TMP\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%> C:\\\\Temp\\\\%' ESCAPE '\\') OR ((CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% >> %' ESCAPE '\\') AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_cmd_redirection_susp_folder.yml" }, { "title": "Root Certificate Installed From Susp Locations", "id": "5f6a601c-2ecb-498b-9c33-660362323afa", "status": "experimental", "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1553.004" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Import-Certificate%' ESCAPE '\\' AND CommandLine LIKE '% -FilePath %' ESCAPE '\\' AND CommandLine LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_import_cert_susp_locations.yml" }, { "title": "Visual Basic Command Line Compiler Usage", "id": "7b10f171-7f04-47c7-9fa2-5be43c76e535", "status": "test", "description": "Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.", "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ "attack.defense_evasion", "attack.t1027.004" ], "falsepositives": [ "Utilization of this tool should not be seen in enterprise environment" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\vbc.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cvtres.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_visual_basic_compiler.yml" }, { "title": "Install New Package Via Winget Local Manifest", "id": "313d6012-51a0-4d93-8dfc-de8553239e25", "status": "experimental", "description": "Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them.\nThe manifest option enables you to install an application by passing in a YAML file directly to the client.\nWinget can be used to download and install exe, msi or msix files later.\n", "author": "Sreeman, Florian Roth (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1059" ], "falsepositives": [ "Some false positives are expected in some environment that may use this functionality to install and test their custom applications" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%install%' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\') AND (CommandLine LIKE '%-m %' ESCAPE '\\' OR CommandLine LIKE '%--manifest%' ESCAPE '\\'))" ], "filename": "proc_creation_win_winget_local_install_via_manifest.yml" }, { "title": "New User Created Via Net.EXE With Never Expire Option", "id": "b9f0e6f5-09b4-4358-bae4-08408705bd5c", "status": "test", "description": "Detects creation of local users via the net.exe command with the option \"never expire\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1136.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%expires:never%' ESCAPE '\\'))" ], "filename": "proc_creation_win_net_user_add_never_expire.yml" }, { "title": "Potential Persistence Via Powershell Search Order Hijacking - Task", "id": "b66474aa-bd92-4333-a16c-298155b120df", "status": "experimental", "description": "Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell \"Get-Variable\" technique as seen being used in Colibri Loader", "author": "pH-T (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.persistence", "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE 'C:\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-k netsvcs%' ESCAPE '\\' AND ParentCommandLine LIKE '%-s Schedule%' ESCAPE '\\' AND (CommandLine LIKE '% -windowstyle hidden' ESCAPE '\\' OR CommandLine LIKE '% -w hidden' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass' ESCAPE '\\' OR CommandLine LIKE '% -noni' ESCAPE '\\'))" ], "filename": "proc_creation_win_schtasks_powershell_persistence.yml" }, { "title": "Taskmgr as LOCAL_SYSTEM", "id": "9fff585c-c33e-4a86-b3cd-39312079a65f", "status": "experimental", "description": "Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_taskmgr_localsystem.yml" }, { "title": "Suspicious Sigverif Execution", "id": "7d4aaec2-08ed-4430-8b96-28420e030e04", "status": "experimental", "description": "Detects the execution of sigverif binary as a parent process which could indicate it being used as a LOLBIN to proxy execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\sigverif.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_sigverif.yml" }, { "title": "MMC Spawning Windows Shell", "id": "05a2ab7e-ce11-4b63-86db-ab32e763e11d", "status": "test", "description": "Detects a Windows command line executable started from MMC", "author": "Karneades, Swisscom CSIRT", "tags": [ "attack.lateral_movement", "attack.t1021.003" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\BITSADMIN%' ESCAPE '\\'))" ], "filename": "proc_creation_win_mmc_susp_child_process.yml" }, { "title": "Execution of Suspicious File Type Extension", "id": "c09dad97-1c78-4f71-b127-7edb2b8e491a", "status": "experimental", "description": "Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)", "author": "Max Altgelt (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NOT ((NewProcessName LIKE '%.exe' ESCAPE '\\' OR NewProcessName LIKE '%.tmp' ESCAPE '\\' OR NewProcessName LIKE '%.scr' ESCAPE '\\')) AND NOT ((NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Config.Msi\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%.rbf' ESCAPE '\\' OR NewProcessName LIKE '%.rbs' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\Helper\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\'))) AND NOT ((NewProcessName IN ('-', '')) OR (NewProcessName = '') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%NVIDIA\\\\NvBackend\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.dat' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WinSCP.com' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.tmp%' ESCAPE '\\' AND NewProcessName LIKE '%CodeSetup%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\program\\\\soffice.bin' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\EMC NetWorker\\\\Management\\\\GST\\\\apache\\\\cgi-bin\\\\update\\_jnlp.cgi' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\WINPAKPRO\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\WINPAKPRO\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%.ngn' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\MyQ\\\\Server\\\\pcltool.dll' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio%' ESCAPE '\\') AND NewProcessName LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\LocalState\\\\rootfs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\LZMA\\_EXE' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\TBT\\_Dock\\_Firmware\\\\GetDockVer32W.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\tobedeleted\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\$Extend\\\\$Deleted\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeC2RClient.exe%' ESCAPE '\\' AND CommandLine LIKE '%/update UPDATEORCHESTRATOR displaylevel=False%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_non_exe_image.yml" }, { "title": "Suspicious aspnet_compiler.exe Execution", "id": "a01b8329-5953-4f73-ae2d-aa01e1f35f00", "status": "test", "description": "Execute C# code with the Build Provider and proper folder structure in place.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1127" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%aspnet\\_compiler.exe%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_aspnet_compiler.yml" }, { "title": "Password Provided In Command Line Of Net.EXE", "id": "d4498716-1d52-438f-8084-4a603157d131", "status": "test", "description": "Detects a when net.exe is called with a password in the command line", "author": "Tim Shelton (HAWK.IO)", "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '%:%\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%/USER:% %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% ' ESCAPE '\\')))" ], "filename": "proc_creation_win_net_use_password_plaintext.yml" }, { "title": "LOLBIN Execution Of The FTP.EXE Binary", "id": "06b401f4-107c-4ff9-947f-9ec1e7649f1e", "status": "test", "description": "Detects execution of ftp.exe script execution with the \"-s\" flag and any child processes ran by ftp.exe", "author": "Victor Sergeev, oscd.community", "tags": [ "attack.execution", "attack.t1059", "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\' OR ((NewProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\' OR OriginalFileName = 'ftp.exe') AND CommandLine LIKE '%-s:%' ESCAPE '\\')))" ], "filename": "proc_creation_win_lolbin_ftp.yml" }, { "title": "Write Protect For Storage Disabled", "id": "75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13", "status": "experimental", "description": "Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.", "author": "Sreeman", "tags": [ "attack.defense_evasion", "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\system\\\\currentcontrolset\\\\control%' ESCAPE '\\' AND CommandLine LIKE '%write protection%' ESCAPE '\\' AND CommandLine LIKE '%0%' ESCAPE '\\' AND (CommandLine LIKE '%storage%' ESCAPE '\\' OR CommandLine LIKE '%storagedevicepolicies%' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_write_protect_for_storage_disabled.yml" }, { "title": "Unmount Share Via Net.EXE", "id": "cb7c4a03-2871-43c0-9bbb-18bbdb079896", "status": "test", "description": "Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", "attack.t1070.005" ], "falsepositives": [ "Administrators or Power users may remove their shares via cmd line" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%share%' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\'))" ], "filename": "proc_creation_win_net_share_unmount.yml" }, { "title": "Suspicious Tasklist Discovery Command", "id": "63332011-f057-496c-ad8d-d2b6afb27f96", "status": "test", "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network", "author": "frack113", "tags": [ "attack.discovery", "attack.t1057" ], "falsepositives": [ "Administrator, hotline ask to user" ], "level": "informational", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%tasklist%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR OriginalFileName = 'tasklist.exe'))" ], "filename": "proc_creation_win_tasklist_basic_execution.yml" }, { "title": "Suspicious Extrac32 Execution", "id": "aa8e035d-7be4-48d3-a944-102aec04400d", "status": "experimental", "description": "Download or Copy file with Extrac32", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR OriginalFileName = 'extrac32.exe') AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND (CommandLine LIKE '%/C%' ESCAPE '\\' OR CommandLine LIKE '%/Y%' ESCAPE '\\' OR CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_extrac32.yml" }, { "title": "Potential LSASS Process Dump Via Procdump", "id": "5afee48e-67dd-4e03-a783-f74259dcf998", "status": "stable", "description": "Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036", "attack.credential_access", "attack.t1003.001", "car.2013-05-009" ], "falsepositives": [ "Unlikely, because no one should dump an lsass process memory", "Another tool that uses the command line switches of Procdump" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND CommandLine LIKE '% ls%' ESCAPE '\\')" ], "filename": "proc_creation_win_sysinternals_procdump_lsass.yml" }, { "title": "HackTool - HandleKatz LSASS Dumper Execution", "id": "ca621ba5-54ab-4035-9942-d378e6fcde3c", "status": "experimental", "description": "Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\loader.exe' ESCAPE '\\' AND CommandLine LIKE '%--pid:%' ESCAPE '\\') OR (Imphash IN ('38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650') OR Hashes IN ('IMPHASH=38D9E015591BBFD4929E0D0F47FA0055', 'IMPHASH=0E2216679CA6E1094D63322E3412D650')) OR (CommandLine LIKE '%--pid:%' ESCAPE '\\' AND CommandLine LIKE '%--outfile:%' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%.obf%' ESCAPE '\\' OR CommandLine LIKE '%dump%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_hktl_handlekatz.yml" }, { "title": "Group Membership Reconnaissance Via Whoami.EXE", "id": "bd8b828d-0dca-48e1-8a63-8a58ecf2644f", "status": "experimental", "description": "Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1033" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /groups%' ESCAPE '\\' OR CommandLine LIKE '% -groups%' ESCAPE '\\'))" ], "filename": "proc_creation_win_whoami_groups_discovery.yml" }, { "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl", "id": "074e0ded-6ced-4ebd-8b4d-53f55908119d", "status": "test", "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1216" ], "falsepositives": [ "Unlikely" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%winrm%' ESCAPE '\\' AND (CommandLine LIKE '%format:pretty%' ESCAPE '\\' OR CommandLine LIKE '%format:\"pretty\"%' ESCAPE '\\' OR CommandLine LIKE '%format:\"text\"%' ESCAPE '\\' OR CommandLine LIKE '%format:text%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_winrm_awl_bypass.yml" }, { "title": "Renamed PAExec Execution", "id": "c4e49831-1496-40cf-8ce1-b53f942b02f9", "status": "test", "description": "Detects execution of renamed version of PAExec. Often used by attackers", "author": "Florian Roth (Nextron Systems), Jason Lynch", "tags": [ "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Weird admins that rename their tools", "Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing", "When executed with the \"-s\" flag. PAExec will copy itself to the \"C:\\Windows\\\" directory with a different name. Usually like this \"PAExec-[XXXXX]-[ComputerName]\"" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'PAExec Application' OR OriginalFileName = 'PAExec.exe' OR Product LIKE '%PAExec%' ESCAPE '\\' OR Imphash IN ('11D40A7B7876288F919AB819CC2D9802', '6444f8a34e99b8f7d9647de66aabe516', 'dfd6aa3f7b2b1035b76b718f1ddc689f', '1a6cca4d5460b1710a12dea39e4a592c') OR (Hashes LIKE '%IMPHASH=11D40A7B7876288F919AB819CC2D9802%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6444f8a34e99b8f7d9647de66aabe516%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1a6cca4d5460b1710a12dea39e4a592c%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\paexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\PAExec-%' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_paexec.yml" }, { "title": "Suspicious OfflineScannerShell.exe Execution From Another Folder", "id": "02b18447-ea83-4b1b-8805-714a8a34546a", "status": "test", "description": "Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NewProcessName LIKE '%\\\\OfflineScannerShell.exe' ESCAPE '\\' AND NOT ((CurrentDirectory LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\Offline\\\\' ESCAPE '\\') OR (CurrentDirectory = '')))" ], "filename": "proc_creation_win_lolbin_offlinescannershell.yml" }, { "title": "Suspicious Reg Add BitLocker", "id": "0e0255bf-2548-47b8-9582-c0955c9283f5", "status": "experimental", "description": "Detects suspicious addition to BitLocker related registry keys via the reg.exe utility", "author": "frack113", "tags": [ "attack.impact", "attack.t1486" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%REG%' ESCAPE '\\' AND CommandLine LIKE '%ADD%' ESCAPE '\\' AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\FVE%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\' AND (CommandLine LIKE '%EnableBDEWithNoTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseAdvancedStartup%' ESCAPE '\\' OR CommandLine LIKE '%UseTPM%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKey%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMKeyPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessageSource%' ESCAPE '\\' OR CommandLine LIKE '%UseTPMPIN%' ESCAPE '\\' OR CommandLine LIKE '%RecoveryKeyMessage%' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_bitlocker.yml" }, { "title": "Suspicious Download From Direct IP Via Bitsadmin", "id": "99c840f2-2012-46fd-9141-c761987550ef", "status": "experimental", "description": "Detects usage of bitsadmin downloading a file using an URL that contains an IP", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1197", "attack.s0190", "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], "filename": "proc_creation_win_bitsadmin_download_direct_ip.yml" }, { "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE", "id": "99cf1e02-00fb-4c0d-8375-563f978dfd37", "status": "test", "description": "Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.", "author": "Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.persistence", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%D;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], "filename": "proc_creation_win_sc_sdset_deny_service_access.yml" }, { "title": "Execute From Alternate Data Streams", "id": "7f43c430-5001-4f8b-aaa9-c3b88f18fa5c", "status": "test", "description": "Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%txt:%' ESCAPE '\\' AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\') OR (CommandLine LIKE '%makecab %' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '% export %' ESCAPE '\\') OR (CommandLine LIKE '%regedit %' ESCAPE '\\' AND CommandLine LIKE '% /E %' ESCAPE '\\') OR (CommandLine LIKE '%esentutl %' ESCAPE '\\' AND CommandLine LIKE '% /y %' ESCAPE '\\' AND CommandLine LIKE '% /d %' ESCAPE '\\' AND CommandLine LIKE '% /o %' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_alternate_data_streams.yml" }, { "title": "Persistence Via Sticky Key Backdoor", "id": "1070db9a-3e5d-412e-8e7b-7183b616e1b3", "status": "experimental", "description": "By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system.\nWhen the sticky keys are \"activated\" the privilleged shell is launched.\n", "author": "Sreeman", "tags": [ "attack.t1546.008", "attack.privilege_escalation" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%/y %' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\cmd.exe C:\\\\windows\\\\system32\\\\sethc.exe%' ESCAPE '\\')" ], "filename": "proc_creation_win_cmd_sticky_keys_replace.yml" }, { "title": "Suspicious Rundll32 Activity", "id": "e593cf51-88db-4ee1-b920-37e89012a3c9", "status": "test", "description": "Detects suspicious process related to rundll32 based on arguments", "author": "juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%javascript:%' ESCAPE '\\' AND CommandLine LIKE '%.RegisterXLL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURLA%' ESCAPE '\\') OR (CommandLine LIKE '%url.dll%' ESCAPE '\\' AND CommandLine LIKE '%FileProtocolHandler%' ESCAPE '\\') OR (CommandLine LIKE '%zipfldr.dll%' ESCAPE '\\' AND CommandLine LIKE '%RouteTheCall%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%Control\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%shell32.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\') OR (CommandLine LIKE '%mshtml.dll%' ESCAPE '\\' AND CommandLine LIKE '%PrintHTML%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%advpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchINFSection%' ESCAPE '\\') OR (CommandLine LIKE '%ieadvpack.dll%' ESCAPE '\\' AND CommandLine LIKE '%RegisterOCX%' ESCAPE '\\') OR (CommandLine LIKE '%ieframe.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%shdocvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%OpenURL%' ESCAPE '\\') OR (CommandLine LIKE '%syssetup.dll%' ESCAPE '\\' AND CommandLine LIKE '%SetupInfObjectInstallAction%' ESCAPE '\\') OR (CommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND CommandLine LIKE '%InstallHinfSection%' ESCAPE '\\') OR (CommandLine LIKE '%pcwutl.dll%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbApplication%' ESCAPE '\\') OR (CommandLine LIKE '%dfshim.dll%' ESCAPE '\\' AND CommandLine LIKE '%ShOpenVerbShortcut%' ESCAPE '\\') OR (CommandLine LIKE '%scrobj.dll%' ESCAPE '\\' AND CommandLine LIKE '%GenerateTypeLib%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%shimgvw.dll%' ESCAPE '\\' AND CommandLine LIKE '%ImageView\\_Fullscreen%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%shell32.dll,Control\\_RunDLL desk.cpl,screensaver,@screensaver%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\rundll32.exe\" Shell32.dll,Control\\_RunDLL \"C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.cpl\",' ESCAPE '\\')))" ], "filename": "proc_creation_win_rundll32_susp_activity.yml" }, { "title": "Use Icacls to Hide File to Everyone", "id": "4ae81040-fc1c-4249-bfa3-938d260214d9", "status": "experimental", "description": "Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1564.001" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'iCACLS.EXE' OR NewProcessName LIKE '%\\\\icacls.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/deny%' ESCAPE '\\' AND CommandLine LIKE '%S-1-1-0:%' ESCAPE '\\'))" ], "filename": "proc_creation_win_icacls_deny.yml" }, { "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE", "id": "01c42d3c-242d-4655-85b2-34f1739632f7", "status": "experimental", "description": "Detects usage of Dsacls to grant over permissive permissions", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1218" ], "falsepositives": [ "Legitimate administrators granting over permissive permissions to users" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND CommandLine LIKE '% /G %' ESCAPE '\\' AND (CommandLine LIKE '%GR%' ESCAPE '\\' OR CommandLine LIKE '%GE%' ESCAPE '\\' OR CommandLine LIKE '%GW%' ESCAPE '\\' OR CommandLine LIKE '%GA%' ESCAPE '\\' OR CommandLine LIKE '%WP%' ESCAPE '\\' OR CommandLine LIKE '%WD%' ESCAPE '\\'))" ], "filename": "proc_creation_win_dsacls_abuse_permissions.yml" }, { "title": "Use of W32tm as Timer", "id": "6da2c9f5-7c53-401b-aacb-92c040ce1215", "status": "experimental", "description": "When configured with suitable command line arguments, w32tm can act as a delay mechanism", "author": "frack113", "tags": [ "attack.discovery", "attack.t1124" ], "falsepositives": [ "Legitimate use" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR OriginalFileName = 'w32time.dll') AND (CommandLine LIKE '%/stripchart%' ESCAPE '\\' AND CommandLine LIKE '%/computer:%' ESCAPE '\\' AND CommandLine LIKE '%/period:%' ESCAPE '\\' AND CommandLine LIKE '%/dataonly%' ESCAPE '\\' AND CommandLine LIKE '%/samples:%' ESCAPE '\\'))" ], "filename": "proc_creation_win_w32tm.yml" }, { "title": "Change Default File Association Via Assoc", "id": "3d3aa6cd-6272-44d6-8afc-7e88dfef7061", "status": "test", "description": "Detects file association changes using the builtin \"assoc\" command.\nWhen a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.\n", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.persistence", "attack.t1546.001" ], "falsepositives": [ "Admin activity" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%assoc%' ESCAPE '\\')" ], "filename": "proc_creation_win_cmd_assoc_execution.yml" }, { "title": "Renamed Whoami Execution", "id": "f1086bf7-a0c4-4a37-9102-01e573caf4a0", "status": "test", "description": "Detects the execution of whoami that has been renamed to a different name to avoid detection", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1033", "car.2016-03-001" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'whoami.exe' AND NOT (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_whoami.yml" }, { "title": "Disabled RestrictedAdminMode For RDS - ProcCreation", "id": "28ac00d6-22d9-4a3c-927f-bbd770104573", "status": "experimental", "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\%' ESCAPE '\\' AND CommandLine LIKE '%DisableRestrictedAdmin%' ESCAPE '\\' AND CommandLine LIKE '% 1%' ESCAPE '\\')" ], "filename": "proc_creation_win_reg_lsa_disable_restricted_admin.yml" }, { "title": "WinDbg/CDB LOLBIN Usage", "id": "b5c7395f-e501-4a08-94d4-57fe7a9da9d2", "status": "test", "description": "Detects usage of \"cdb.exe\" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file", "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.execution", "attack.t1106", "attack.defense_evasion", "attack.t1218", "attack.t1127" ], "falsepositives": [ "Legitimate use of debugging tools" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cdb.exe' ESCAPE '\\' OR OriginalFileName = 'CDB.Exe') AND (CommandLine LIKE '% -c %' ESCAPE '\\' OR CommandLine LIKE '% -cf %' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_cdb.yml" }, { "title": "Suspicious WERMGR Process Patterns", "id": "396f6630-f3ac-44e3-bfc8-1b161bc00c4e", "status": "experimental", "description": "Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))))" ], "filename": "proc_creation_win_wermgr_susp_child_process.yml" }, { "title": "Suspicious Registration via cscript.exe", "id": "28c8f68b-098d-45af-8d43-8089f3e35403", "status": "experimental", "description": "Detects when the registration of a VSS/VDS Provider as a COM+ application.", "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.22000.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.19041.0\\\\x64%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows Kits\\\\10\\\\bin\\\\10.0.17763.0\\\\x64%' ESCAPE '\\'))" ], "filename": "proc_creation_win_regsvr32_registration_via_cscript.yml" }, { "title": "Base64 Encoded PowerShell Command Detected", "id": "e32d4572-9826-4738-b651-95fa63747e8a", "status": "test", "description": "Detects usage of the \"FromBase64String\" function in the commandline which is used to decode a base64 encoded string", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.t1027", "attack.defense_evasion", "attack.t1140", "attack.t1059.001" ], "falsepositives": [ "Administrative script libraries" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%::FromBase64String(%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_frombase64string.yml" }, { "title": "Suspicious Child Process Created as System", "id": "590a5f4c-6c8c-4f10-8307-89afe9453a9d", "status": "test", "description": "Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts", "author": "Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)", "tags": [ "attack.privilege_escalation", "attack.t1134.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (ParentUser LIKE '%\\\\NETWORK SERVICE' ESCAPE '\\' OR ParentUser LIKE '%\\\\LOCAL SERVICE' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%\\\\SYSTEM' ESCAPE '\\' OR User LIKE '%\\\\Système' ESCAPE '\\' OR User LIKE '%\\\\СИСТЕМА' ESCAPE '\\') AND IntegrityLevel = 'System') AND NOT ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%DavSetCookie%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_child_process_as_system_.yml" }, { "title": "Potential Network Sniffing Activity Using Network Tools", "id": "ba1f7802-adc7-48b4-9ecb-81e227fddfd5", "status": "test", "description": "Detects potential network sniffing via use of network tools such as \"tshark\", \"windump\".\nNetwork sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.\nAn adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n", "author": "Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.discovery", "attack.t1040" ], "falsepositives": [ "Legitimate administration activity to troubleshoot network issues" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\tshark.exe' ESCAPE '\\' AND CommandLine LIKE '%-i%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\windump.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_network_sniffing.yml" }, { "title": "Suspicious Cabinet File Execution Via Msdt.EXE", "id": "dc4576d4-7467-424f-9eee-fd2b02855fe0", "status": "experimental", "description": "Detects execution of msdt.exe using the \"cab\" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190", "author": "Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113", "tags": [ "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Legitimate usage of \".diagcab\" files" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '% /cab %' ESCAPE '\\' OR CommandLine LIKE '% -cab %' ESCAPE '\\'))" ], "filename": "proc_creation_win_msdt_susp_cab_options.yml" }, { "title": "Powershell Inline Execution From A File", "id": "ee218c12-627a-4d27-9e30-d6fb2fe22ed2", "status": "experimental", "description": "Detects inline execution of PowerShell code from a file", "author": "frack113", "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command %' ESCAPE '\\' OR CommandLine LIKE '%icm %' ESCAPE '\\') AND (CommandLine LIKE '%cat %' ESCAPE '\\' OR CommandLine LIKE '%get-content %' ESCAPE '\\' OR CommandLine LIKE '%type %' ESCAPE '\\') AND CommandLine LIKE '% -raw%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_exec_data_file.yml" }, { "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code", "id": "fbd7c32d-db2a-4418-b92c-566eb8911133", "status": "experimental", "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "App-V clients" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\SyncAppvPublishingServer.exe' ESCAPE '\\' OR OriginalFileName = 'syncappvpublishingserver.exe') AND CommandLine LIKE '%\"n; %' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" }, { "title": "Process Memory Dump Via Dotnet-Dump", "id": "53d8d3e1-ca33-4012-adf3-e05a4d652e34", "status": "experimental", "description": "Detects the execution of \"dotnet-dump\" with the \"collect\" flag. The execution could indicate potential process dumping of critical processes such as LSASS", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Process dumping is the expected behavior of the tool. So false positives are expected in legitimate usage. The PID/Process Name of the process being dumped needs to be investigated" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\dotnet-dump.exe' ESCAPE '\\' OR OriginalFileName = 'dotnet-dump.dll') AND CommandLine LIKE '%collect%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_dotnet_dump.yml" }, { "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation", "id": "c31364f7-8be6-4b77-8483-dd2b5a7b69a3", "status": "experimental", "description": "Detects powershell scripts that import modules from suspicious directories", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR CommandLine LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_import_module_susp_dirs.yml" }, { "title": "Service StartupType Change Via PowerShell Set-Service", "id": "62b20d44-1546-4e61-afce-8e175eb9473c", "status": "experimental", "description": "Detects the use of the PowerShell \"Set-Service\" cmdlet to change the startup type of a service to \"disabled\" or \"manual\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "False positives may occur with troubleshooting scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR OriginalFileName = 'PowerShell.EXE') AND (CommandLine LIKE '%Set-Service%' ESCAPE '\\' AND CommandLine LIKE '%-StartupType%' ESCAPE '\\' AND (CommandLine LIKE '%Disabled%' ESCAPE '\\' OR CommandLine LIKE '%Manual%' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_set_service_disabled.yml" }, { "title": "UAC Bypass Using Disk Cleanup", "id": "b697e69c-746f-4a86-9f59-7bfff8eab881", "status": "test", "description": "Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\"\\\\system32\\\\cleanmgr.exe /autoclean /d C:' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], "filename": "proc_creation_win_uac_bypass_cleanmgr.yml" }, { "title": "Persistence Via TypedPaths - CommandLine", "id": "ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba", "status": "experimental", "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths%' ESCAPE '\\')" ], "filename": "proc_creation_win_registry_typed_paths_persistence.yml" }, { "title": "Conhost Parent Process Executions", "id": "7dc2dedd-7603-461a-bc13-15803d132355", "status": "experimental", "description": "Detects the conhost execution as parent process. Can be used to evaded defense mechanism.", "author": "omkar72", "tags": [ "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' AND NOT ((Provider_Name = 'SystemTraceProvider-Process') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND NewProcessName LIKE '%\\\\git.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% show --textconv %' ESCAPE '\\' OR ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (ParentCommandLine LIKE '%C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4%' ESCAPE '\\' AND (CommandLine LIKE '% show --textconv %' ESCAPE '\\' OR CommandLine LIKE '% cat-file -s %' ESCAPE '\\')) OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND (ParentCommandLine LIKE '% cat-file -s %' ESCAPE '\\' OR ParentCommandLine LIKE '%show --textconv%' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR ((ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0xffffffff -ForceV1''' ESCAPE '\\' OR ParentCommandLine LIKE '\\\\\\?\\?\\\\C:\\\\WINDOWS\\\\system32\\\\conhost.exe 0x4''' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\Program Files\\\\Git\\\\mingw64\\\\bin\\\\git.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_conhost_susp_child_process.yml" }, { "title": "Harvesting Of Wifi Credentials Via Netsh.EXE", "id": "42b1a5b8-353f-4f10-b256-39de4467faff", "status": "test", "description": "Detect the harvesting of wifi credentials using netsh.exe", "author": "Andreas Hunkeler (@Karneades), oscd.community", "tags": [ "attack.discovery", "attack.credential_access", "attack.t1040" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%wlan%' ESCAPE '\\' AND CommandLine LIKE '% s%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '% k%' ESCAPE '\\' AND CommandLine LIKE '%=clear%' ESCAPE '\\'))" ], "filename": "proc_creation_win_netsh_wifi_credential_harvesting.yml" }, { "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE", "id": "452bce90-6fb0-43cc-97a5-affc283139b3", "status": "experimental", "description": "Detects the usage of \"reg.exe\" to tamper with different Windows defender registry keys in order to disable some important features related to protection and detection", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Rare legitimate use by administrators to test software (should always be investigated)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\')) AND ((CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND (CommandLine LIKE '%Real-Time Protection%' ESCAPE '\\' OR CommandLine LIKE '%TamperProtection%' ESCAPE '\\')) OR (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Notification\\_Suppress%' ESCAPE '\\')))" ], "filename": "proc_creation_win_reg_defender_tampering.yml" }, { "title": "Suspicious Csc.exe Source File Folder", "id": "dcaa3f04-70c3-427a-80b4-b870d73c94c4", "status": "test", "description": "Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1027.004" ], "falsepositives": [ "Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897", "Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\choco.exe' ESCAPE '\\') OR ParentCommandLine LIKE '%\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection%' ESCAPE '\\'))" ], "filename": "proc_creation_win_csc_susp_folder.yml" }, { "title": "CMD Shell Output Redirect", "id": "4f4eaa9f-5ad4-410c-a4be-bc6132b0175a", "status": "experimental", "description": "Detects the use of the redirection character \">\" to redicrect information in commandline", "author": "frack113", "tags": [ "attack.discovery", "attack.t1082" ], "falsepositives": [ "Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Internet Download Manager\\\\IDMMsgHost.exe%' ESCAPE '\\' OR CommandLine LIKE '%chrome-extension://%' ESCAPE '\\' OR CommandLine LIKE '%\\\\.\\\\pipe\\\\chrome.nativeMessaging%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_cmd_redirect.yml" }, { "title": "Potential SMB Relay Attack Tool Execution", "id": "5589ab4f-a767-433c-961d-c91f3f704db1", "status": "test", "description": "Detects different hacktools used for relay attacks on Windows for privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1557.001" ], "falsepositives": [ "Legitimate files with these rare hacktool names" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%PetitPotam%' ESCAPE '\\' OR NewProcessName LIKE '%RottenPotato%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotato%' ESCAPE '\\' OR NewProcessName LIKE '%JuicyPotato%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\just\\_dce\\_%' ESCAPE '\\' OR NewProcessName LIKE '%Juicy Potato%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\temp\\\\rot.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Potato.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SpoolSample.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Responder.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\LocalPotato%' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '% smbrelay%' ESCAPE '\\' OR CommandLine LIKE '% ntlmrelay%' ESCAPE '\\' OR CommandLine LIKE '%cme smb %' ESCAPE '\\' OR CommandLine LIKE '% /ntlm:NTLMhash %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PetitPotam%' ESCAPE '\\' OR CommandLine LIKE '%.exe -t % -p %' ESCAPE '\\') OR (CommandLine LIKE '%.exe -c \"{%' ESCAPE '\\' AND CommandLine LIKE '%}\" -z' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%HotPotatoes6%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotatoes7%' ESCAPE '\\' OR NewProcessName LIKE '%HotPotatoes %' ESCAPE '\\'))))" ], "filename": "proc_creation_win_hktl_relay_attacks_tools.yml" }, { "title": "New Firewall Rule Added Via Netsh.EXE", "id": "cd5cfd80-aa5f-44c0-9c20-108c4ae12e3c", "status": "test", "description": "Detects the addition of a new rule to the Windows firewall via netsh", "author": "Markus Neis, Sander Wiebing", "tags": [ "attack.defense_evasion", "attack.t1562.004" ], "falsepositives": [ "Legitimate administration activity", "Software installations and removal" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% firewall %' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\' OR CommandLine LIKE '%\\\\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow \"program=C:\\\\Program Files\\\\Dropbox\\\\Client\\\\Dropbox.exe\" enable=yes profile=Any%' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' AND CommandLine LIKE '%advfirewall firewall show rule name=all%' ESCAPE '\\')))" ], "filename": "proc_creation_win_netsh_fw_add_rule.yml" }, { "title": "Potential Privilege Escalation via Service Permissions Weakness", "id": "0f9c21f1-6a73-4b0e-9809-cb562cb8d981", "status": "test", "description": "Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level", "author": "Teymur Kheirkhabarov", "tags": [ "attack.privilege_escalation", "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%services%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ServiceDll%' ESCAPE '\\'))" ], "filename": "proc_creation_win_registry_privilege_escalation_via_service_key.yml" }, { "title": "Renamed Sysinternals Sdelete Execution", "id": "c1d867fe-8d95-4487-aab4-e53f2d339f90", "status": "experimental", "description": "Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.impact", "attack.t1485" ], "falsepositives": [ "System administrator usage" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete64.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_renamed_sysinternals_sdelete.yml" }, { "title": "Remote Access Tool - ScreenConnect Backstage Mode Anomaly", "id": "7b582f1a-b318-4c6a-bf4e-66fe49bf55a5", "status": "experimental", "description": "Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Case in which administrators are allowed to use ScreenConnect's Backstage mode" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%ScreenConnect.ClientService.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_remote_access_tools_screenconnect_anomaly.yml" }, { "title": "Suspicious Svchost Process", "id": "01d2e2a1-5f09-44f7-9fc1-24faa7479b6d", "status": "experimental", "description": "Detects a suspicious svchost process start", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NOT (((ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Mrt.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rpcnet.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (ParentProcessName = '') OR (ParentProcessName = '') OR (ParentProcessName = '-')))" ], "filename": "proc_creation_win_svchost_susp_parent_process.yml" }, { "title": "Suspicious ZipExec Execution", "id": "90dcf730-1b71-4ae7-9ffc-6fcf62bd0132", "status": "test", "description": "ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.", "author": "frack113", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1218", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%/generic:Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/user:%' ESCAPE '\\') OR (CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename=%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_zipexec.yml" }, { "title": "Certificate Exported Via Certutil.EXE", "id": "3ffd6f51-e6c1-47b7-94b4-c1e61d4117c5", "status": "test", "description": "Detects the execution of the certutil with the \"exportPFX\" flag which allows the utility to export certificates.", "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "There legitimate reasons to export certificates. Investigate the activity to determine if it's benign" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-exportPFX %' ESCAPE '\\' OR CommandLine LIKE '%/exportPFX %' ESCAPE '\\'))" ], "filename": "proc_creation_win_certutil_export_pfx.yml" }, { "title": "Suspicious Diantz Alternate Data Stream Execution", "id": "6b369ced-4b1d-48f1-b427-fdc0de0790bd", "status": "test", "description": "Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1564.004" ], "falsepositives": [ "Very Possible" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" ], "filename": "proc_creation_win_lolbin_diantz_ads.yml" }, { "title": "Use of Mftrace.exe", "id": "3d48c9d3-1aa6-418d-98d3-8fd3c01a564e", "status": "experimental", "description": "The \"Trace log generation tool for Media Foundation Tools\" (Mftrace.exe) can be used to execute arbitrary binaries", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1127" ], "falsepositives": [ "Legitimate use for tracing purposes" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR OriginalFileName = 'mftrace.exe') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' AND CommandLine LIKE '%.exe' ESCAPE '\\')) OR ParentProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_mftrace.yml" }, { "title": "Potential Remote Desktop Tunneling", "id": "8a3038e8-9c9d-46f8-b184-66234a160f6f", "status": "experimental", "description": "Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "author": "Tim Rauch", "tags": [ "attack.lateral_movement", "attack.t1021" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -L %' ESCAPE '\\' OR CommandLine LIKE '% -P %' ESCAPE '\\' OR CommandLine LIKE '% -R %' ESCAPE '\\' OR CommandLine LIKE '% -pw %' ESCAPE '\\' OR CommandLine LIKE '% -ssh %' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_remote_desktop_tunneling.yml" }, { "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)", "id": "a58353df-af43-4753-bad0-cd83ef35eef5", "status": "experimental", "description": "Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.003" ], "falsepositives": [ "Legitimate usage to restore snapshots", "Legitimate admin activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR OriginalFileName = 'ntdsutil.exe') AND ((CommandLine LIKE '%snapshot%' ESCAPE '\\' AND CommandLine LIKE '%mount %' ESCAPE '\\') OR (CommandLine LIKE '%ac%' ESCAPE '\\' AND CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% ntds%' ESCAPE '\\')))" ], "filename": "proc_creation_win_ntdsutil_susp_usage.yml" }, { "title": "WhoAmI as Parameter", "id": "e9142d84-fbe0-401d-ac50-3e519fb00c89", "status": "test", "description": "Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1033", "car.2016-03-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%.exe whoami%' ESCAPE '\\')" ], "filename": "proc_creation_win_susp_whoami_as_param.yml" }, { "title": "Nltest.EXE Execution", "id": "903076ff-f442-475a-b667-4f246bcc203b", "status": "experimental", "description": "Detects nltest commands that can be used for information discovery", "author": "Arun Chauhan", "tags": [ "attack.discovery", "attack.t1016", "attack.t1018", "attack.t1482" ], "falsepositives": [ "Legitimate administration activity" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe'))" ], "filename": "proc_creation_win_nltest_execution.yml" }, { "title": "Suspicious Regsvr32 HTTP IP Pattern", "id": "2dd2c217-bf68-437a-b57c-fe9fd01d5de8", "status": "experimental", "description": "Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.010" ], "falsepositives": [ "FQDNs that start with a number" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND (CommandLine LIKE '% /i:http://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:http://9%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://1%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://2%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://3%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://4%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://5%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://6%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://7%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://8%' ESCAPE '\\' OR CommandLine LIKE '% /i:https://9%' ESCAPE '\\'))" ], "filename": "proc_creation_win_regsvr32_http_pattern.yml" }, { "title": "Potential SquiblyTwo Technique Execution", "id": "8d63dadf-b91b-4187-87b6-34a1114577ea", "status": "test", "description": "Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields", "author": "Markus Neis, Florian Roth", "tags": [ "attack.defense_evasion", "attack.t1047", "attack.t1220", "attack.execution", "attack.t1059.005", "attack.t1059.007" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe' OR Imphash IN ('1B1A3F43BF37B5BFE60751F2EE2F326E', '37777A96245A3C74EB217308F3546F4C', '9D87C9D67CE724033C0B40CC4CA1B206') OR (Hashes LIKE '%IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=37777A96245A3C74EB217308F3546F4C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206%' ESCAPE '\\')) AND (CommandLine LIKE '%format:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\'))" ], "filename": "proc_creation_win_wmic_squiblytwo_bypass.yml" }, { "title": "Rundll32 UNC Path Execution", "id": "5cdb711b-5740-4fb2-ba88-f7945027afac", "status": "experimental", "description": "Detects rundll32 execution where the DLL is located on a remote location (share)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1021.002", "attack.t1218.011" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], "filename": "proc_creation_win_rundll32_unc_path.yml" }, { "title": "Add User to Local Administrators Group", "id": "ad720b90-25ad-43ff-9b5e-5c841facc8e5", "status": "experimental", "description": "Detects suspicious command line that adds an account to the local administrators/administrateurs group", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1098" ], "falsepositives": [ "Administrative activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '% administrators %' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_add_user_local_admin_group.yml" }, { "title": "Monitoring For Persistence Via BITS", "id": "b9cbbc17-d00d-4e3d-a827-b06d03d2380d", "status": "test", "description": "BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded", "author": "Sreeman", "tags": [ "attack.defense_evasion", "attack.t1197" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/SetNotifyCmdLine%' ESCAPE '\\' AND (CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\')) OR (CommandLine LIKE '%bitsadmin%' ESCAPE '\\' AND CommandLine LIKE '%/Addfile%' ESCAPE '\\' AND (CommandLine LIKE '%http:%' ESCAPE '\\' OR CommandLine LIKE '%https:%' ESCAPE '\\' OR CommandLine LIKE '%ftp:%' ESCAPE '\\' OR CommandLine LIKE '%ftps:%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_bitsadmin_potential_persistence.yml" }, { "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI", "id": "baef1ec6-2ca9-47a3-97cc-4cf2bda10b77", "status": "experimental", "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003" ], "falsepositives": [ "Other legitimate network providers used and not filtred in this rule" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\NetworkProvider%' ESCAPE '\\')" ], "filename": "proc_creation_win_registry_new_network_provider.yml" }, { "title": "New Process Created Via Wmic.EXE", "id": "526be59f-a573-4eea-b5f7-f0973207634d", "status": "test", "description": "Detects new process creation using WMIC via the \"process call create\" flag", "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", "tags": [ "attack.execution", "attack.t1047", "car.2016-03-002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], "filename": "proc_creation_win_wmic_process_creation.yml" }, { "title": "UAC Bypass Using DismHost", "id": "853e74f9-9392-4935-ad3b-2e8c040dae86", "status": "test", "description": "Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\DismHost.exe%' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], "filename": "proc_creation_win_uac_bypass_dismhost.yml" }, { "title": "Net.exe Execution", "id": "183e7ea8-ac4b-4c23-9aec-b3dac4e401ac", "status": "experimental", "description": "Detects execution of Net.exe, whether suspicious or benign.", "author": "Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)", "tags": [ "attack.discovery", "attack.t1007", "attack.t1049", "attack.t1018", "attack.t1135", "attack.t1201", "attack.t1069.001", "attack.t1069.002", "attack.t1087.001", "attack.t1087.002", "attack.lateral_movement", "attack.t1021.002", "attack.s0039" ], "falsepositives": [ "Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine." ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% group%' ESCAPE '\\' OR CommandLine LIKE '% localgroup%' ESCAPE '\\' OR CommandLine LIKE '% user%' ESCAPE '\\' OR CommandLine LIKE '% view%' ESCAPE '\\' OR CommandLine LIKE '% share%' ESCAPE '\\' OR CommandLine LIKE '% accounts%' ESCAPE '\\' OR CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% start%' ESCAPE '\\'))" ], "filename": "proc_creation_win_net_susp_execution.yml" }, { "title": "Application Removed Via Wmic.EXE", "id": "b53317a0-8acf-4fd1-8de8-a5401e776b96", "status": "experimental", "description": "Uninstall an application with wmic", "author": "frac113", "tags": [ "attack.execution", "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%call%' ESCAPE '\\' OR CommandLine LIKE '%uninstall%' ESCAPE '\\'))" ], "filename": "proc_creation_win_wmic_uninstall_application.yml" }, { "title": "Arbitrary File Download Via MSPUB.EXE", "id": "3b3c7f55-f771-4dd6-8a6e-08d057a17caf", "status": "experimental", "description": "Detects usage of \"MSPUB\" (Microsoft Publisher) to download arbitrary files", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR OriginalFileName = 'MSPUB.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_mspub_download.yml" }, { "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code", "id": "36475a7d-0f6d-4dce-9b01-6aeb473bbaf1", "status": "experimental", "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218", "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\SyncAppvPublishingServer.vbs%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml" }, { "title": "Suspicious Registry Modification From ADS Via Regini.EXE", "id": "77946e79-97f1-45a2-84b4-f37b5c0d8682", "status": "experimental", "description": "Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.", "author": "Eli Salem, Sander Wiebing, oscd.community", "tags": [ "attack.t1112", "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND CommandLine REGEXP ':[^ \\\\]')" ], "filename": "proc_creation_win_regini_ads.yml" }, { "title": "Logon Scripts (UserInitMprLogonScript)", "id": "0a98a10c-685d-4ab0-bddc-b6bdd1d48458", "status": "test", "description": "Detects creation or execution of UserInitMprLogonScript persistence method", "author": "Tom Ueltschi (@c_APT_ure), Tim Shelton", "tags": [ "attack.t1037.001", "attack.persistence" ], "falsepositives": [ "Exclude legitimate logon scripts" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%UserInitMprLogonScript%' ESCAPE '\\' OR (ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%netlogon%.bat%' ESCAPE '\\' OR CommandLine LIKE '%UsrLogon.cmd%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\WINDOWS\\\\Explorer.EXE%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\proquota.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Citrix\\\\System32\\\\icast.exe' ESCAPE '\\')))))" ], "filename": "proc_creation_win_persistence_userinitmprlogonscript.yml" }, { "title": "Use NTFS Short Name in Image", "id": "3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b", "status": "experimental", "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%~1.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~1.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~1.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~1.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~1.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~1.js%' ESCAPE '\\' OR NewProcessName LIKE '%~1.hta%' ESCAPE '\\' OR NewProcessName LIKE '%~2.exe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.bat%' ESCAPE '\\' OR NewProcessName LIKE '%~2.msi%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbe%' ESCAPE '\\' OR NewProcessName LIKE '%~2.vbs%' ESCAPE '\\' OR NewProcessName LIKE '%~2.dll%' ESCAPE '\\' OR NewProcessName LIKE '%~2.ps1%' ESCAPE '\\' OR NewProcessName LIKE '%~2.js%' ESCAPE '\\' OR NewProcessName LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\' OR ParentProcessName LIKE '%-installer.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\vcredi%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_ntfs_short_name_use_image.yml" }, { "title": "Execute Code with Pester.bat", "id": "59e938ff-0d6d-4dc3-b13f-36cc28734d4e", "status": "test", "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", "author": "Julia Fomina, oscd.community", "tags": [ "attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1216" ], "falsepositives": [ "Legitimate use of Pester for writing tests for Powershell scripts and modules" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Pester%' ESCAPE '\\' AND CommandLine LIKE '%Get-Help%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%pester%' ESCAPE '\\' AND CommandLine LIKE '%;%' ESCAPE '\\' AND (CommandLine LIKE '%help%' ESCAPE '\\' OR CommandLine LIKE '%_%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_lolbin_pester_1.yml" }, { "title": "HackTool - Windows Credential Editor (WCE) Execution", "id": "7aa7009a-28b9-4344-8c1f-159489a390df", "status": "test", "description": "Detects the use of Windows Credential Editor (WCE)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001", "attack.s0005" ], "falsepositives": [ "Another service that uses a single -s command line switch" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Imphash IN ('a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2') OR (Hashes LIKE '%IMPHASH=a53a02b997935fd8eedcb5f7abab9b9f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e96a73c7bf33a464c510ede582318bf2%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -S' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_wce.yml" }, { "title": "Potential COM Objects Download Cradles Usage - Process Creation", "id": "02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf", "status": "experimental", "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", "author": "frack113", "falsepositives": [ "Legitimate use of the library" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (CommandLine LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR CommandLine LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR CommandLine LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR CommandLine LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR CommandLine LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR CommandLine LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR CommandLine LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_download_com_cradles.yml" }, { "title": "Php Inline Command Execution", "id": "d81871ef-5738-47ab-9797-7a9c90cd4bfb", "status": "experimental", "description": "Detects execution of php using the \"-r\" flag. This is could be used as a way to launch a reverse shell or execute live php code.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\php.exe' ESCAPE '\\' OR OriginalFileName = 'php.exe') AND CommandLine LIKE '% -r%' ESCAPE '\\')" ], "filename": "proc_creation_win_php_inline_command_execution.yml" }, { "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation", "id": "d75d6b6b-adb9-48f7-824b-ac2e786efe1f", "status": "experimental", "description": "Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.", "author": "frack113", "falsepositives": [ "Legitimate administrative script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%MemoryStream%' ESCAPE '\\' AND CommandLine LIKE '%H4sI%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_frombase64string_archive.yml" }, { "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand", "id": "a6fc3c46-23b8-4996-9ea2-573f4c4d88c5", "status": "test", "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (CommandLine LIKE '%-ModuleName %' ESCAPE '\\' OR CommandLine LIKE '%-ModulePath %' ESCAPE '\\' OR CommandLine LIKE '%-ScriptBlock %' ESCAPE '\\' OR CommandLine LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_ath_remote_fxv_gpu_disablement_command.yml" }, { "title": "Suspicious Execution of Shutdown to Log Out", "id": "ec290c06-9b6b-4338-8b6b-095c0f284f10", "status": "experimental", "description": "Detects the rare use of the command line tool shutdown to logoff a user", "author": "frack113", "tags": [ "attack.impact", "attack.t1529" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND CommandLine LIKE '%/l%' ESCAPE '\\')" ], "filename": "proc_creation_win_shutdown_logoff.yml" }, { "title": "Using AppVLP To Circumvent ASR File Path Rule", "id": "9c7e131a-0f2c-4ae0-9d43-b04f4e266d43", "status": "experimental", "description": "Application Virtualization Utility is included with Microsoft Office. We are able to abuse \"AppVLP\" to execute shell commands.\nNormally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder\nor to mark a file as a system file.\n", "author": "Sreeman", "tags": [ "attack.t1218", "attack.defense_evasion", "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\appvlp.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\msoasb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_lolbin_appvlp.yml" }, { "title": "Fsutil Behavior Set SymlinkEvaluation", "id": "c0b2768a-dd06-4671-8339-b16ca8d1f27f", "status": "experimental", "description": "A symbolic link is a type of file that contains a reference to another file.\nThis is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", "author": "frack113", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%behavior %' ESCAPE '\\' AND CommandLine LIKE '%set %' ESCAPE '\\' AND CommandLine LIKE '%SymlinkEvaluation%' ESCAPE '\\'))" ], "filename": "proc_creation_win_fsutil_symlinkevaluation.yml" }, { "title": "Shadow Copies Creation Using Operating Systems Utilities", "id": "b17ea6f7-6e90-447e-a799-e6c0a493d6ce", "status": "test", "description": "Shadow Copies creation using operating systems utilities, possible credential access", "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.credential_access", "attack.t1003", "attack.t1003.002", "attack.t1003.003" ], "falsepositives": [ "Legitimate administrator working with shadow copies, access for backup purposes" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_shadow_copies_creation.yml" }, { "title": "Potential Rundll32 Execution With DLL Stored In ADS", "id": "9248c7e1-2bf3-4661-a22c-600a8040b446", "status": "experimental", "description": "Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).", "author": "Harjot Singh, '@cyb3rjy0t'", "tags": [ "attack.defense_evasion", "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine REGEXP '[Rr][Uu][Nn][Dd][Ll][Ll]32(\\.[Ee][Xx][Ee])? \\S+?\\w:\\S+?:')" ], "filename": "proc_creation_win_rundll32_ads_stored_dll_execution.yml" }, { "title": "Potential Tampering With Security Products Via WMIC", "id": "847d5ff3-8a31-4737-a970-aeae8fe21765", "status": "test", "description": "Detects uninstallation or termination of security products using the WMIC utility", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate administration" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%product where %' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/nointeractive%' ESCAPE '\\') OR (CommandLine LIKE '%wmic%' ESCAPE '\\' AND CommandLine LIKE '%caption like %' ESCAPE '\\' AND (CommandLine LIKE '%call delete%' ESCAPE '\\' OR CommandLine LIKE '%call terminate%' ESCAPE '\\')) OR (CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%where %' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%carbon\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%cylance\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%endpoint\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%eset\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%malware\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Sophos\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%symantec\\%%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG %' ESCAPE '\\' OR CommandLine LIKE '%Carbon Black%' ESCAPE '\\' OR CommandLine LIKE '%CarbonBlack%' ESCAPE '\\' OR CommandLine LIKE '%Cb Defense Sensor 64-bit%' ESCAPE '\\' OR CommandLine LIKE '%Crowdstrike Sensor%' ESCAPE '\\' OR CommandLine LIKE '%Cylance %' ESCAPE '\\' OR CommandLine LIKE '%Dell Threat Defense%' ESCAPE '\\' OR CommandLine LIKE '%DLP Endpoint%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Detection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Protection%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Security%' ESCAPE '\\' OR CommandLine LIKE '%Endpoint Sensor%' ESCAPE '\\' OR CommandLine LIKE '%ESET File Security%' ESCAPE '\\' OR CommandLine LIKE '%LogRhythm System Monitor Service%' ESCAPE '\\' OR CommandLine LIKE '%Malwarebytes%' ESCAPE '\\' OR CommandLine LIKE '%McAfee Agent%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft Security Client%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Anti-Virus%' ESCAPE '\\' OR CommandLine LIKE '%Sophos AutoUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Credential Store%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Console%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Database%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Management Server%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Remote Management System%' ESCAPE '\\' OR CommandLine LIKE '%Sophos Update Manager%' ESCAPE '\\' OR CommandLine LIKE '%Threat Protection%' ESCAPE '\\' OR CommandLine LIKE '%VirusScan%' ESCAPE '\\' OR CommandLine LIKE '%Webroot SecureAnywhere%' ESCAPE '\\' OR CommandLine LIKE '%Windows Defender%' ESCAPE '\\'))" ], "filename": "proc_creation_win_wmic_uninstall_security_products.yml" }, { "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE", "id": "970007b7-ce32-49d0-a4a4-fbef016950bd", "status": "test", "description": "Detects the usage of \"reg.exe\" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.discovery", "attack.t1012", "attack.t1007" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%query%' ESCAPE '\\' AND (CommandLine LIKE '%currentVersion\\\\windows%' ESCAPE '\\' OR CommandLine LIKE '%winlogon\\\\%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\shellServiceObjectDelayLoad%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentVersion\\\\policies\\\\explorer\\\\run%' ESCAPE '\\' OR CommandLine LIKE '%currentcontrolset\\\\services%' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_query_registry.yml" }, { "title": "Execution in Outlook Temp Folder", "id": "a018fdc3-46a3-44e5-9afb-2cd4af1d4b39", "status": "test", "description": "Detects a suspicious program execution in Outlook temp folder", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.initial_access", "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\')" ], "filename": "proc_creation_win_office_outlook_execution_from_temp.yml" }, { "title": "Suspicious Reg Add Open Command", "id": "dd3ee8cc-f751-41c9-ba53-5a32ed47e563", "status": "test", "description": "Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/ve %' ESCAPE '\\' AND CommandLine LIKE '%/d%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings\\\\shell\\\\open\\\\command%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%DelegateExecute%' ESCAPE '\\') OR (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%hkcu\\\\software\\\\classes\\\\ms-settings%' ESCAPE '\\')))" ], "filename": "proc_creation_win_reg_open_command.yml" }, { "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE", "id": "6f535e01-ca1f-40be-ab8d-45b19c0c8b7f", "status": "experimental", "description": "Detects the execution of \"Ldifde.exe\" with the import flag \"-i\". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.\n", "author": "@gott_cyber", "tags": [ "attack.command_and_control", "attack.defense_evasion", "attack.t1218", "attack.t1105" ], "falsepositives": [ "Since the content of the files are unknown, false positives are expected" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND (CommandLine LIKE '%-i%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\'))" ], "filename": "proc_creation_win_ldifde_file_load.yml" }, { "title": "Suspicious High IntegrityLevel Conhost Legacy Option", "id": "3037d961-21e9-4732-b27a-637bcc7bf539", "status": "experimental", "description": "ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Very Likely, including launching cmd.exe via Run As Administrator" ], "level": "informational", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel = 'High' AND CommandLine LIKE '%conhost.exe%' ESCAPE '\\' AND CommandLine LIKE '%0xffffffff%' ESCAPE '\\' AND CommandLine LIKE '%-ForceV1%' ESCAPE '\\')" ], "filename": "proc_creation_win_conhost_legacy_option.yml" }, { "title": "Run PowerShell Script from ADS", "id": "45a594aa-1fbd-4972-a809-ff5a99dd81b8", "status": "test", "description": "Detects PowerShell script execution from Alternate Data Stream (ADS)", "author": "Sergey Soldatov, Kaspersky Lab, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Get-Content%' ESCAPE '\\' AND CommandLine LIKE '%-Stream%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_run_script_from_ads.yml" }, { "title": "Email Exifiltration Via Powershell", "id": "312d0384-401c-4b8b-abdf-685ffba9a332", "status": "experimental", "description": "Detects email exfiltration via powershell cmdlets", "author": "Nasreddine Bencherchali (Nextron Systems), Azure-Sentinel (idea)", "tags": [ "attack.exfiltration" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND CommandLine LIKE '%Get-Recipient%' ESCAPE '\\' AND CommandLine LIKE '%-ExpandProperty%' ESCAPE '\\' AND CommandLine LIKE '%EmailAddresses%' ESCAPE '\\' AND CommandLine LIKE '%SmtpAddress%' ESCAPE '\\' AND CommandLine LIKE '%-hidetableheaders%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_email_exfil.yml" }, { "title": "Rundll32 InstallScreenSaver Execution", "id": "15bd98ea-55f4-4d37-b09a-e7caa0fa2221", "status": "experimental", "description": "An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver", "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec", "tags": [ "attack.t1218.011", "attack.defense_evasion" ], "falsepositives": [ "Legitimate installation of a new screensaver" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%InstallScreenSaver%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_rundll32_installscreensaver.yml" }, { "title": "Rar Usage with Password and Compression Level", "id": "faa48cae-6b25-4f00-a094-08947fef582f", "status": "test", "description": "Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.", "author": "@ROxPinTeddy", "tags": [ "attack.collection", "attack.t1560.001" ], "falsepositives": [ "Legitimate use of Winrar command line version", "Other command line tools, that use these flags" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -hp%' ESCAPE '\\' AND (CommandLine LIKE '% -m%' ESCAPE '\\' OR CommandLine LIKE '% a %' ESCAPE '\\'))" ], "filename": "proc_creation_win_rar_compression_with_password.yml" }, { "title": "Suspicious Process Start Locations", "id": "15b75071-74cc-47e0-b4c6-b43744a62a2b", "status": "test", "description": "Detects suspicious process run from unusual locations", "author": "juju4, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1036", "car.2013-05-002" ], "falsepositives": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_rundll32_run_locations.yml" }, { "title": "Potential Privilege Escalation To LOCAL SYSTEM", "id": "207b0396-3689-42d9-8399-4222658efc99", "status": "experimental", "description": "Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.resource_development", "attack.t1587.001" ], "falsepositives": [ "Weird admins that rename their tools", "Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%PsExec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\')))" ], "filename": "proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml" }, { "title": "UtilityFunctions.ps1 Proxy Dll", "id": "0403d67d-6227-4ea8-8145-4e72db7da120", "status": "experimental", "description": "Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%UtilityFunctions.ps1%' ESCAPE '\\' OR CommandLine LIKE '%RegSnapin %' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_utilityfunctions.yml" }, { "title": "Whoami.EXE Execution Anomaly", "id": "8de1cbe8-d6f5-496d-8237-5f44a721c7a0", "status": "experimental", "description": "Detects the execution of whoami.exe with suspicious parent processes.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1033", "car.2016-03-001" ], "falsepositives": [ "Admin activity", "Scripts and administrative tools used in the monitored environment", "Monitoring activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND NOT (((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe' ESCAPE '\\') OR (ParentProcessName = '') OR (ParentProcessName = '')))" ], "filename": "proc_creation_win_whoami_parent_anomaly.yml" }, { "title": "Suspicious Parent Double Extension File Execution", "id": "5e6a80c8-2d45-4633-9ef4-fa2671a39c5c", "status": "experimental", "description": "Detect execution of suspicious double extension files in ParentCommandLine", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036.007" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentProcessName LIKE '%.doc.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.lnk' ESCAPE '\\' OR ParentProcessName LIKE '%.doc.js' ESCAPE '\\' OR ParentProcessName LIKE '%.docx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xls.js' ESCAPE '\\' OR ParentProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.ppt.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pptx.js' ESCAPE '\\' OR ParentProcessName LIKE '%.rtf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.pdf.js' ESCAPE '\\' OR ParentProcessName LIKE '%.txt.js' ESCAPE '\\') OR (ParentCommandLine LIKE '%.doc.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.lnk%' ESCAPE '\\' OR ParentCommandLine LIKE '%.doc.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.docx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xls.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR ParentCommandLine LIKE '%.txt.js%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_double_extension_parent.yml" }, { "title": "Possible Shim Database Persistence via sdbinst.exe", "id": "517490a7-115a-48c6-8862-1a481504d5a8", "status": "test", "description": "Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.", "author": "Markus Neis", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1546.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\sdbinst.exe' ESCAPE '\\' AND CommandLine LIKE '%.sdb%' ESCAPE '\\') AND NOT (CommandLine LIKE '%iisexpressshim.sdb%' ESCAPE '\\'))" ], "filename": "proc_creation_win_sdbinst_shim_persistence.yml" }, { "title": "Suspicious Shells Spawned by Java", "id": "0d34ed8b-1c12-4ff2-828c-16fc860b766d", "status": "experimental", "description": "Detects suspicious shell spawned from Java host process (e.g. log4j exploitation)", "author": "Andreas Hunkeler (@Karneades), Florian Roth", "tags": [ "attack.initial_access", "attack.persistence", "attack.privilege_escalation" ], "falsepositives": [ "Legitimate calls to system binaries", "Company specific internal usage" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_java_susp_child_process.yml" }, { "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe", "id": "e290b10b-1023-4452-a4a9-eb31a9013b3a", "status": "experimental", "description": "Detects when a user performs data exfiltration by using DataSvcUtil.exe", "author": "Ialle Teixeira @teixeira0xfffff, Austin Songer @austinsonger", "tags": [ "attack.exfiltration", "attack.t1567" ], "falsepositives": [ "DataSvcUtil.exe being used may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "DataSvcUtil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/in:%' ESCAPE '\\' OR CommandLine LIKE '%/out:%' ESCAPE '\\' OR CommandLine LIKE '%/uri:%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\DataSvcUtil.exe' ESCAPE '\\' OR OriginalFileName = 'DataSvcUtil.exe'))" ], "filename": "proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" }, { "title": "Use of FSharp Interpreters", "id": "b96b2031-7c17-4473-afe7-a30ce714db29", "status": "experimental", "description": "The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.", "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Legitimate use by a software developer." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\fsianycpu.exe' ESCAPE '\\' OR OriginalFileName = 'fsianycpu.exe' OR NewProcessName LIKE '%\\\\fsi.exe' ESCAPE '\\' OR OriginalFileName = 'fsi.exe'))" ], "filename": "proc_creation_win_lolbin_fsharp_interpreters.yml" }, { "title": "HackTool - Potential Impacket Lateral Movement Activity", "id": "10c14723-61c7-4c75-92ca-9af245723ad2", "status": "stable", "description": "Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework", "author": "Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch", "tags": [ "attack.execution", "attack.t1047", "attack.lateral_movement", "attack.t1021.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/Q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\127.0.0.1\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\' OR ParentCommandLine LIKE '%taskeng.exe%' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\' AND CommandLine LIKE '%Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%&1%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_impacket_lateral_movement.yml" }, { "title": "Suspicious Copy From or To System32", "id": "fff9d2b7-e11c-4a69-93d3-40ef66189767", "status": "test", "description": "Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk.\nOften used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations\n", "author": "Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036.003" ], "falsepositives": [ "Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/)", "When cmd.exe and xcopy.exe are called directly", "When the command contains the keywords but not in the correct order" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%copy %' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\') OR OriginalFileName IN ('robocopy.exe', 'XCOPY.EXE'))) AND (CommandLine LIKE '%\\\\System32%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SysWOW64%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_copy_system32.yml" }, { "title": "Malicious Windows Script Components File Execution by TAEF Detection", "id": "634b00d5-ccc3-4a06-ae3b-0ec8444dd51b", "status": "test", "description": "Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces\nAdversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe\n", "author": "Agro (@agro_sev) oscd.community", "tags": [ "attack.t1218" ], "falsepositives": [ "It's not an uncommon to use te.exe directly to execute legal TAEF tests" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\te.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\te.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\te.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_use_of_te_bin.yml" }, { "title": "Potential Process Injection Via Msra.EXE", "id": "744a188b-0415-4792-896f-11ddb0588dbc", "status": "experimental", "description": "Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics", "author": "Alexander McDonald", "tags": [ "attack.defense_evasion", "attack.t1055" ], "falsepositives": [ "Legitimate use of Msra.exe" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\msra.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%msra.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\route.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_msra_process_injection.yml" }, { "title": "Renamed NetSupport RAT Execution", "id": "0afbd410-de03-4078-8491-f132303cb67d", "status": "experimental", "description": "Detects the execution of a renamed \"client32.exe\" (NetSupport RAT) via Imphash, Product and OriginalFileName strings", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%NetSupport Remote Control%' ESCAPE '\\' OR OriginalFileName LIKE '%client32.exe%' ESCAPE '\\' OR Imphash = 'a9d50692e95b79723f3e76fcf70d023e' OR Hashes LIKE '%IMPHASH=A9D50692E95B79723F3E76FCF70D023E%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\client32.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_netsupport_rat.yml" }, { "title": "PUA - AdvancedRun Execution", "id": "d2b749ee-4225-417e-b20e-a8d2193cbb84", "status": "experimental", "description": "Detects the execution of AdvancedRun utility", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'AdvancedRun.exe' OR (CommandLine LIKE '% /EXEFilename %' ESCAPE '\\' AND CommandLine LIKE '% /Run%' ESCAPE '\\') OR (CommandLine LIKE '% /WindowState 0%' ESCAPE '\\' AND CommandLine LIKE '% /RunAs %' ESCAPE '\\' AND CommandLine LIKE '% /CommandLine %' ESCAPE '\\')))" ], "filename": "proc_creation_win_pua_advancedrun.yml" }, { "title": "Suspicious Program Names", "id": "efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6", "status": "test", "description": "Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Legitimate tools that accidentally match on the searched patterns" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\CVE-202%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CVE202%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\poc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact\\_protected.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\artifact32big.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfuscated.exe' ESCAPE '\\' OR NewProcessName LIKE '%obfusc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\meterpreter' ESCAPE '\\') OR (CommandLine LIKE '%inject.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CVE%' ESCAPE '\\' OR CommandLine LIKE '%pupy.ps1%' ESCAPE '\\' OR CommandLine LIKE '%payload.ps1%' ESCAPE '\\' OR CommandLine LIKE '%beacon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%PowerView.ps1%' ESCAPE '\\' OR CommandLine LIKE '%bypass.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfuscated.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfusc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfus.ps1%' ESCAPE '\\' OR CommandLine LIKE '%obfs.ps1%' ESCAPE '\\' OR CommandLine LIKE '%evil.ps1%' ESCAPE '\\' OR CommandLine LIKE '%MiniDogz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\_enc.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\shell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\rshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%revshell.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\av\\_test.ps1%' ESCAPE '\\' OR CommandLine LIKE '%adrecon.ps1%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PowerUp\\_%' ESCAPE '\\' OR CommandLine LIKE '%powerup.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\a.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\p.ps1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Hound.ps1%' ESCAPE '\\' OR CommandLine LIKE '%encode.ps1%' ESCAPE '\\' OR CommandLine LIKE '%powercat.ps1%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_progname.yml" }, { "title": "Schtasks From Suspicious Folders", "id": "8a8379b8-780b-4dbf-b1e9-31c8d112fefb", "status": "experimental", "description": "Detects scheduled task creations that have suspicious action command and folder combinations", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\'))" ], "filename": "proc_creation_win_schtasks_folder_combos.yml" }, { "title": "PUA - Nimgrab Execution", "id": "74a12f18-505c-4114-8d0b-8448dd5485c6", "status": "experimental", "description": "Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Legitimate use of Nim on a developer systems" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\nimgrab.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45%' ESCAPE '\\') OR md5 = '2DD44C3C29D667F5C0EF5F9D7C7FFB8B' OR sha256 = 'F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559' OR Imphash = 'C07FDDD21D123EA9B3A08EEF44AAAC45'))" ], "filename": "proc_creation_win_pua_nimgrab.yml" }, { "title": "Suspicious Csi.exe Usage", "id": "40b95d31-1afc-469e-8d34-9a3a667d058e", "status": "experimental", "description": "Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'", "author": "Konstantin Grishchenko, oscd.community", "tags": [ "attack.execution", "attack.t1072", "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Legitimate usage by software developers" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\csi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rcsi.exe' ESCAPE '\\') OR OriginalFileName IN ('csi.exe', 'rcsi.exe')) AND Company = 'Microsoft Corporation')" ], "filename": "proc_creation_win_csi_execution.yml" }, { "title": "HackTool - KrbRelayUp Execution", "id": "12827a56-61a4-476a-a9cb-f3068f191073", "status": "experimental", "description": "Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1558.003", "attack.lateral_movement", "attack.t1550.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\KrbRelayUp.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelayUp.exe') OR (CommandLine LIKE '% relay %' ESCAPE '\\' AND CommandLine LIKE '% -Domain %' ESCAPE '\\' AND CommandLine LIKE '% -ComputerName %' ESCAPE '\\') OR (CommandLine LIKE '% krbscm %' ESCAPE '\\' AND CommandLine LIKE '% -sc %' ESCAPE '\\') OR (CommandLine LIKE '% spawn %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -cn %' ESCAPE '\\' AND CommandLine LIKE '% -cp %' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_krbrelayup.yml" }, { "title": "HackTool - Bloodhound/Sharphound Execution", "id": "f376c8a7-a2d0-4ddc-aa0c-16c17236d962", "status": "test", "description": "Detects command line parameters used by Bloodhound and Sharphound hack tools", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1087.001", "attack.t1087.002", "attack.t1482", "attack.t1069.001", "attack.t1069.002", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Other programs that use these command line option and accepts an 'All' parameter" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((Product LIKE '%SharpHound%' ESCAPE '\\' OR Description LIKE '%SharpHound%' ESCAPE '\\' OR (Company LIKE '%SpecterOps%' ESCAPE '\\' OR Company LIKE '%evil corp%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Bloodhound.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SharpHound.exe%' ESCAPE '\\')) OR (CommandLine LIKE '% -CollectionMethod All %' ESCAPE '\\' OR CommandLine LIKE '% --CollectionMethods Session %' ESCAPE '\\' OR CommandLine LIKE '% --Loop --Loopduration %' ESCAPE '\\' OR CommandLine LIKE '% --PortScanTimeout %' ESCAPE '\\' OR CommandLine LIKE '%.exe -c All -d %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Bloodhound%' ESCAPE '\\' OR CommandLine LIKE '%Get-BloodHoundData%' ESCAPE '\\') OR (CommandLine LIKE '% -JsonFolder %' ESCAPE '\\' AND CommandLine LIKE '% -ZipFileName %' ESCAPE '\\') OR (CommandLine LIKE '% DCOnly %' ESCAPE '\\' AND CommandLine LIKE '% --NoSaveCache %' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_bloodhound_sharphound.yml" }, { "title": "Regsvr32 Command Line Without DLL", "id": "50919691-7302-437f-8e10-1fe088afa145", "status": "test", "description": "Detects a regsvr.exe execution that doesn't contain a DLL in the command line", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1574", "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.ocx%' ESCAPE '\\' OR CommandLine LIKE '%.cpl%' ESCAPE '\\' OR CommandLine LIKE '%.ax%' ESCAPE '\\' OR CommandLine LIKE '%.bav%' ESCAPE '\\' OR CommandLine LIKE '%.ppl%' ESCAPE '\\'))) AND NOT (CommandLine = '')) AND NOT (CommandLine = ''))" ], "filename": "proc_creation_win_regsvr32_no_dll.yml" }, { "title": "WSL Child Process Anomaly", "id": "2267fe65-0681-42ad-9a6d-46553d3f3480", "status": "experimental", "description": "Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1218", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wslhost.exe' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_wsl_child_processes_anomalies.yml" }, { "title": "Suspicious Invoke-WebRequest Execution", "id": "5e3cc4d8-3e68-43db-8656-eaaeefdec9cc", "status": "experimental", "description": "Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\') AND (CommandLine LIKE '% -ur%' ESCAPE '\\' OR CommandLine LIKE '% -o%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%Temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_invoke_webrequest_download.yml" }, { "title": "Suspicious New Service Creation", "id": "17a1be64-8d88-40bf-b5ff-a4f7a50ebcc8", "status": "experimental", "description": "Detects creation of a new service via \"sc\" command or the powershell \"new-service\" cmdlet with suspicious binary paths", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath=%' ESCAPE '\\') OR (CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')) AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_service_creation.yml" }, { "title": "Suspicious Desktopimgdownldr Command", "id": "bb58aa4a-b80b-415a-a2c0-2f65a4c81009", "status": "test", "description": "Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% /lockscreenurl:%' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\'))) OR (CommandLine LIKE '%reg delete%' ESCAPE '\\' AND CommandLine LIKE '%\\\\PersonalizationCSP%' ESCAPE '\\')))" ], "filename": "proc_creation_win_desktopimgdownldr_susp_execution.yml" }, { "title": "PUA - Netcat Suspicious Execution", "id": "e31033fc-33f0-4020-9a16-faf9b31cbf08", "status": "experimental", "description": "Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1095" ], "falsepositives": [ "Legitimate ncat use" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\nc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ncat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netcat.exe' ESCAPE '\\') OR (CommandLine LIKE '% -lvp %' ESCAPE '\\' OR CommandLine LIKE '% -lvnp%' ESCAPE '\\' OR CommandLine LIKE '% -l -v -p %' ESCAPE '\\' OR CommandLine LIKE '% -lv -p %' ESCAPE '\\' OR CommandLine LIKE '% -l --proxy-type http %' ESCAPE '\\' OR CommandLine LIKE '% -vnl --exec %' ESCAPE '\\' OR CommandLine LIKE '% -vnl -e %' ESCAPE '\\' OR CommandLine LIKE '% --lua-exec %' ESCAPE '\\' OR CommandLine LIKE '% --sh-exec %' ESCAPE '\\')))" ], "filename": "proc_creation_win_pua_netcat.yml" }, { "title": "Remote File Download via Desktopimgdownldr Utility", "id": "214641c2-c579-4ecb-8427-0cf19df6842e", "status": "experimental", "description": "Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "author": "Tim Rauch", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\desktopimgdownldr.exe' ESCAPE '\\' AND CommandLine LIKE '%/lockscreenurl:http%' ESCAPE '\\')" ], "filename": "proc_creation_win_desktopimgdownldr_remote_file_download.yml" }, { "title": "Suspicious PowerShell Invocation From Script Engines", "id": "95eadcb2-92e4-4ed1-9031-92547773a6db", "status": "test", "description": "Detects suspicious powershell invocations from interpreters or unusual programs", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Microsoft Operations Manager (MOM)", "Other scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\Health Service State\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_script_engine_parent.yml" }, { "title": "Windows Update Client LOLBIN", "id": "d7825193-b70a-48a4-b992-8b5b3015cc11", "status": "experimental", "description": "Detects code execution via the Windows Update client (wuauclt)", "author": "FPT.EagleEye Team", "tags": [ "attack.command_and_control", "attack.execution", "attack.t1105", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'wuauclt.exe') AND (CommandLine LIKE '%/UpdateDeploymentProvider%' ESCAPE '\\' AND CommandLine LIKE '%/RunHandlerComServer%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ClassId %' ESCAPE '\\' OR CommandLine LIKE '% wuaueng.dll %' ESCAPE '\\')))" ], "filename": "proc_creation_win_wuauclt_execution.yml" }, { "title": "SC.EXE Query Execution", "id": "57712d7a-679c-4a41-a913-87e7175ae429", "status": "experimental", "description": "Detects execution of \"sc.exe\" to query information about registered services on the system", "author": "frack113", "tags": [ "attack.discovery", "attack.t1007" ], "falsepositives": [ "Legitimate query of a service by an administrator to get more information such as the state or PID", "Keybase process \"kbfsdokan.exe\" query the dokan1 service with the following commandline \"sc query dokan1\"" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND OriginalFileName LIKE '%sc.exe' ESCAPE '\\' AND CommandLine LIKE '% query%' ESCAPE '\\')" ], "filename": "proc_creation_win_sc_query.yml" }, { "title": "Renamed PsExec Service Execution", "id": "51ae86a2-e2e1-4097-ad85-c46cb6851de4", "status": "experimental", "description": "Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Legitimate administrative tasks" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'psexesvc.exe' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_sysinternals_psexec_service.yml" }, { "title": "HackTool - CreateMiniDump Execution", "id": "36d88494-1d43-4dc0-b3fa-35c8fea0ca9d", "status": "test", "description": "Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\CreateMiniDump.exe' ESCAPE '\\' OR Imphash = '4a07f944a83e8a7c2525efa35dd30e2f' OR Hashes LIKE '%IMPHASH=4a07f944a83e8a7c2525efa35dd30e2f%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_createminidump.yml" }, { "title": "Stop Windows Service Via Sc.EXE", "id": "81bcb81b-5b1f-474b-b373-52c871aaa7b1", "status": "experimental", "description": "Detects the stopping of a Windows service", "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.impact", "attack.t1489" ], "falsepositives": [ "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'sc.exe' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') AND CommandLine LIKE '% stop %' ESCAPE '\\') AND NOT ((CommandLine IN ('sc stop KSCWebConsoleMessageQueue', 'sc stop LGHUBUpdaterService') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_sc_stop_service.yml" }, { "title": "Unusual Child Process of dns.exe", "id": "a4e3d776-f12e-42c2-8510-9e6ed1f43ec3", "status": "experimental", "description": "Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "author": "Tim Rauch", "tags": [ "attack.initial_access", "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_dns_susp_child_process.yml" }, { "title": "Potential RDP Tunneling Via SSH Plink", "id": "f38ce0b9-5e97-4b47-a211-7dc8d8b871da", "status": "test", "description": "Execution of plink to perform data exfiltration and tunneling", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1572" ], "falsepositives": [ "Administrative activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:127.0.0.1:3389%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\' AND (CommandLine LIKE '% -P 443%' ESCAPE '\\' OR CommandLine LIKE '% -P 22%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_plink_susp_tunneling.yml" }, { "title": "Outlook EnableUnsafeClientMailRules Setting Enabled", "id": "55f0a3a1-846e-40eb-8273-677371b8d912", "status": "test", "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules%' ESCAPE '\\')" ], "filename": "proc_creation_win_office_outlook_enable_unsafe_client_mail_rules.yml" }, { "title": "Suspicious Where Execution", "id": "725a9768-0f5e-4cb3-aec2-bc5719c6831a", "status": "experimental", "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.discovery", "attack.t1217" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\where.exe' ESCAPE '\\' OR OriginalFileName = 'where.exe') AND (CommandLine LIKE '%places.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%formhistory.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%logins.json%' ESCAPE '\\' OR CommandLine LIKE '%key4.db%' ESCAPE '\\' OR CommandLine LIKE '%key3.db%' ESCAPE '\\' OR CommandLine LIKE '%sessionstore.jsonlz4%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Login Data%' ESCAPE '\\'))" ], "filename": "proc_creation_win_where_browser_data_recon.yml" }, { "title": "UAC Bypass WSReset", "id": "89a9a0e0-f61a-42e5-8957-b1479565a658", "status": "test", "description": "Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], "filename": "proc_creation_win_uac_bypass_wsreset_integrity_level.yml" }, { "title": "Firewall Disabled via Netsh.EXE", "id": "57c4bf16-227f-4394-8ec7-1b745ee061c3", "status": "test", "description": "Detects netsh commands that turns off the Windows firewall", "author": "Fatih Sirin", "tags": [ "attack.defense_evasion", "attack.t1562.004", "attack.s0108" ], "falsepositives": [ "Legitimate administration activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%opmode%' ESCAPE '\\' AND CommandLine LIKE '%disable%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%state%' ESCAPE '\\' AND CommandLine LIKE '%off%' ESCAPE '\\')))" ], "filename": "proc_creation_win_netsh_fw_disable.yml" }, { "title": "Privilege Escalation via Named Pipe Impersonation", "id": "9bd04a79-dabe-4f1f-a5ff-92430265c96b", "status": "experimental", "description": "Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "author": "Tim Rauch", "tags": [ "attack.lateral_movement", "attack.t1021" ], "falsepositives": [ "Other programs that cause these patterns (please report)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE')) AND (CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_priv_escalation_via_named_pipe.yml" }, { "title": "Launch-VsDevShell.PS1 Proxy Execution", "id": "45d3a03d-f441-458c-8883-df101a3bb146", "status": "experimental", "description": "Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1216.001" ], "falsepositives": [ "Legitimate usage of the script by a developer" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Launch-VsDevShell.ps1%' ESCAPE '\\' AND (CommandLine LIKE '%VsWherePath %' ESCAPE '\\' OR CommandLine LIKE '%VsInstallationPath %' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_launch_vsdevshell.yml" }, { "title": "Ie4uinit Lolbin Use From Invalid Path", "id": "d3bf399f-b0cf-4250-8bb4-dfc192ab81dc", "status": "experimental", "description": "Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "ViberPC updater calls this binary with the following commandline \"ie4uinit.exe -ClearIconCache\"" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\ie4uinit.exe' ESCAPE '\\' OR OriginalFileName = 'IE4UINIT.EXE') AND NOT (((CurrentDirectory LIKE 'c:\\\\windows\\\\system32\\\\' ESCAPE '\\' OR CurrentDirectory LIKE 'c:\\\\windows\\\\sysWOW64\\\\' ESCAPE '\\')) OR (CurrentDirectory = '')))" ], "filename": "proc_creation_win_lolbin_ie4uinit.yml" }, { "title": "HackTool - RedMimicry Winnti Playbook Execution", "id": "95022b85-ff2a-49fa-939a-d7b8f56eeb9b", "status": "test", "description": "Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility", "author": "Alexander Rausch", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1106", "attack.t1059.003", "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%gthread-3.6.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat%' ESCAPE '\\' OR CommandLine LIKE '%sigcmm-2.4.dll%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_redmimicry_winnti_playbook.yml" }, { "title": "DriverQuery.EXE Execution", "id": "a20def93-0709-4eae-9bd2-31206e21e6b2", "status": "experimental", "description": "Detect usage of the \"driverquery\" utility. Which can be used to perform reconnaissance on installed drivers", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery" ], "falsepositives": [ "Legitimate use by third party tools in order to investigate installed drivers" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe'))" ], "filename": "proc_creation_win_driverquery_usage.yml" }, { "title": "Greedy File Deletion Using Del", "id": "204b17ae-4007-471b-917b-b917b315c5db", "status": "experimental", "description": "Detects execution of the \"del\" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1070.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%del %' ESCAPE '\\' OR CommandLine LIKE '%erase %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\\\*.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\*.exe%' ESCAPE '\\'))" ], "filename": "proc_creation_win_cmd_del_greedy_deletion.yml" }, { "title": "Operator Bloopers Cobalt Strike Commands", "id": "647c7b9e-d784-4fda-b9a0-45c565a7b729", "status": "experimental", "description": "Detects use of Cobalt Strike commands accidentally entered in the CMD shell", "author": "_pete_0, TheDFIRReport", "tags": [ "attack.execution", "attack.t1059.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ((CommandLine LIKE 'cmd %' ESCAPE '\\' OR CommandLine LIKE 'cmd.exe%' ESCAPE '\\' OR CommandLine LIKE 'c:\\\\windows\\\\system32\\\\cmd.exe%' ESCAPE '\\') AND (CommandLine LIKE '%psinject%' ESCAPE '\\' OR CommandLine LIKE '%spawnas%' ESCAPE '\\' OR CommandLine LIKE '%make\\_token%' ESCAPE '\\' OR CommandLine LIKE '%remote-exec%' ESCAPE '\\' OR CommandLine LIKE '%rev2self%' ESCAPE '\\' OR CommandLine LIKE '%dcsync%' ESCAPE '\\' OR CommandLine LIKE '%logonpasswords%' ESCAPE '\\' OR CommandLine LIKE '%execute-assembly%' ESCAPE '\\' OR CommandLine LIKE '%getsystem%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_cmd.yml" }, { "title": "HackTool - Mimikatz Execution", "id": "a642964e-bead-4bed-8910-1bb4d63e3b4d", "status": "test", "description": "Detection well-known mimikatz command line arguments", "author": "Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton", "tags": [ "attack.credential_access", "attack.t1003.001", "attack.t1003.002", "attack.t1003.004", "attack.t1003.005", "attack.t1003.006" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%DumpCreds%' ESCAPE '\\' OR CommandLine LIKE '%mimikatz%' ESCAPE '\\') OR (CommandLine LIKE '%::aadcookie%' ESCAPE '\\' OR CommandLine LIKE '%::detours%' ESCAPE '\\' OR CommandLine LIKE '%::memssp%' ESCAPE '\\' OR CommandLine LIKE '%::mflt%' ESCAPE '\\' OR CommandLine LIKE '%::ncroutemon%' ESCAPE '\\' OR CommandLine LIKE '%::ngcsign%' ESCAPE '\\' OR CommandLine LIKE '%::printnightmare%' ESCAPE '\\' OR CommandLine LIKE '%::skeleton%' ESCAPE '\\' OR CommandLine LIKE '%::preshutdown%' ESCAPE '\\' OR CommandLine LIKE '%::mstsc%' ESCAPE '\\' OR CommandLine LIKE '%::multirdp%' ESCAPE '\\') OR (CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%crypto::%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%process::%' ESCAPE '\\' OR CommandLine LIKE '%vault::%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_mimikatz_command_line.yml" }, { "title": "Windows Credential Manager Access via VaultCmd", "id": "58f50261-c53b-4c88-bd12-1d71f12eda4c", "status": "experimental", "description": "List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1555.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\VaultCmd.exe' ESCAPE '\\' OR OriginalFileName = 'VAULTCMD.EXE') AND CommandLine LIKE '%/listcreds:%' ESCAPE '\\')" ], "filename": "proc_creation_win_vaultcmd_list_creds.yml" }, { "title": "Deletion of Volume Shadow Copies via WMI with PowerShell", "id": "21ff4ca9-f13a-41ad-b828-0077b2af2e40", "status": "experimental", "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", "author": "Tim Rauch", "tags": [ "attack.impact", "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%gwmi%' ESCAPE '\\' OR CommandLine LIKE '%Get-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%gcim%' ESCAPE '\\') AND CommandLine LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (CommandLine LIKE '%.Delete()%' ESCAPE '\\' OR CommandLine LIKE '%Remove-WmiObject%' ESCAPE '\\' OR CommandLine LIKE '%rwmi%' ESCAPE '\\' OR CommandLine LIKE '%Remove-CimInstance%' ESCAPE '\\' OR CommandLine LIKE '%rcim%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_shadowcopy_deletion.yml" }, { "title": "ShimCache Flush", "id": "b0524451-19af-4efa-a46f-562a977f792e", "status": "stable", "description": "Detects actions that clear the local ShimCache and remove forensic evidence", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%apphelp.dll%' ESCAPE '\\' AND (CommandLine LIKE '%ShimFlushCache%' ESCAPE '\\' OR CommandLine LIKE '%#250%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%kernel32.dll%' ESCAPE '\\' AND (CommandLine LIKE '%BaseFlushAppcompatCache%' ESCAPE '\\' OR CommandLine LIKE '%#46%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_rundll32_susp_shimcache_flush.yml" }, { "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest", "id": "0f0450f3-8b47-441e-a31b-15a91dc243e2", "status": "experimental", "description": "Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet", "author": "Florian Roth (Nextron Systems), Hieu Tran", "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%IWR %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%OutFile%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_download_dll.yml" }, { "title": "Add New Download Source To Winget", "id": "05ebafc8-7aa2-4bcd-a269-2aec93f9e842", "status": "experimental", "description": "Detects usage of winget to add new additional download sources", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1059" ], "falsepositives": [ "False positive are expected with legitimate sources" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_winget_add_custom_source.yml" }, { "title": "Service Started/Stopped Via Wmic.EXE", "id": "0b7163dc-7eee-4960-af17-c0cd517f92da", "status": "experimental", "description": "Detects usage of wmic to start or stop a service", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service %' ESCAPE '\\' AND CommandLine LIKE '% call %' ESCAPE '\\' AND (CommandLine LIKE '%stopservice%' ESCAPE '\\' OR CommandLine LIKE '%startservice%' ESCAPE '\\')))" ], "filename": "proc_creation_win_wmic_service_manipulation.yml" }, { "title": "SafeBoot Registry Key Deleted Via Reg.EXE", "id": "fc0e89b5-adb0-43c1-b749-c12a10ec37de", "status": "experimental", "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products", "author": "Nasreddine Bencherchali (Nextron Systems), Tim Shelton", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_delete_safeboot.yml" }, { "title": "PUA - Adidnsdump Execution", "id": "26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160", "status": "test", "description": "This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,\nUsee to Query/modify DNS records for Active Directory integrated DNS via LDAP\n", "author": "frack113", "tags": [ "attack.discovery", "attack.t1018" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\python.exe' ESCAPE '\\' AND CommandLine LIKE '%adidnsdump%' ESCAPE '\\')" ], "filename": "proc_creation_win_python_adidnsdump.yml" }, { "title": "Command Line Execution with Suspicious URL and AppData Strings", "id": "1ac8666b-046f-4201-8aba-1951aaec03a3", "status": "test", "description": "Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)", "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", "attack.command_and_control", "attack.t1059.003", "attack.t1059.001", "attack.t1105" ], "falsepositives": [ "High" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\' AND CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\')" ], "filename": "proc_creation_win_cmd_http_appdata.yml" }, { "title": "PUA - CleanWipe Execution", "id": "f44800ac-38ec-471f-936e-3fa7d9c53100", "status": "experimental", "description": "Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate administrative use (Should be investigated either way)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\SepRemovalToolNative\\_x64.exe' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\CATClean.exe' ESCAPE '\\' AND CommandLine LIKE '%--uninstall%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\NetInstaller.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WFPUnins.exe' ESCAPE '\\' AND CommandLine LIKE '%/uninstall%' ESCAPE '\\' AND CommandLine LIKE '%/enterprise%' ESCAPE '\\')))" ], "filename": "proc_creation_win_pua_cleanwipe.yml" }, { "title": "Potential File Overwrite Via Sysinternals SDelete", "id": "a4824fca-976f-4964-b334-0621379e84c4", "status": "experimental", "description": "Detects the use of SDelete to erase a file not the free space", "author": "frack113", "tags": [ "attack.impact", "attack.t1485" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'sdelete.exe' AND NOT ((CommandLine LIKE '% -h%' ESCAPE '\\' OR CommandLine LIKE '% -c%' ESCAPE '\\' OR CommandLine LIKE '% -z%' ESCAPE '\\' OR CommandLine LIKE '% /\\?%' ESCAPE '\\')))" ], "filename": "proc_creation_win_sysinternals_sdelete.yml" }, { "title": "Abused Debug Privilege by Arbitrary Parent Processes", "id": "d522eca2-2973-4391-a3e0-ef0374321dae", "status": "test", "description": "Detection of unusual child processes by different system processes", "author": "Semanur Guneysu @semanurtg, oscd.community", "tags": [ "attack.privilege_escalation", "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe'))) AND NOT (CommandLine LIKE '% route %' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_abusing_debug_privilege.yml" }, { "title": "File Decoded From Base64/Hex Via Certutil.EXE", "id": "cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7", "status": "test", "description": "Detects the execution of certutil with either the \"decode\" or \"decodehex\" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution", "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-decode %' ESCAPE '\\' OR CommandLine LIKE '%/decode %' ESCAPE '\\' OR CommandLine LIKE '%-decodehex %' ESCAPE '\\' OR CommandLine LIKE '%/decodehex %' ESCAPE '\\'))" ], "filename": "proc_creation_win_certutil_decode.yml" }, { "title": "Invoke-Obfuscation CLIP+ Launcher", "id": "b222df08-0e07-11eb-adc1-0242ac120002", "status": "test", "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%clipboard]::%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_clip.yml" }, { "title": "Potential NTLM Coercion Via Certutil.EXE", "id": "6c6d9280-e6d0-4b9d-80ac-254701b64916", "status": "experimental", "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '% -syncwithWU %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], "filename": "proc_creation_win_certutil_ntlm_coercion.yml" }, { "title": "HackTool - SharpLDAPmonitor Execution", "id": "9f8fc146-1d1a-4dbf-b8fd-dfae15e08541", "status": "experimental", "description": "Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\SharpLDAPmonitor.exe' ESCAPE '\\' OR OriginalFileName = 'SharpLDAPmonitor.exe') OR (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/pass:%' ESCAPE '\\' AND CommandLine LIKE '%/dcip:%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_sharp_ldap_monitor.yml" }, { "title": "Suspicious JavaScript Execution Via Mshta.EXE", "id": "67f113fa-e23d-4271-befa-30113b3e08b1", "status": "test", "description": "Detects execution of javascript code using \"mshta.exe\".", "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ "attack.defense_evasion", "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND CommandLine LIKE '%javascript%' ESCAPE '\\')" ], "filename": "proc_creation_win_mshta_javascript.yml" }, { "title": "Suspicious Add Scheduled Task Parent", "id": "9494479d-d994-40bf-a8b1-eea890237021", "status": "experimental", "description": "Detects suspicious scheduled task creations from a parent stored in a temporary folder", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1053.005" ], "falsepositives": [ "Software installers that run from temporary folders and also install scheduled tasks" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%unattended.ini%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_parent.yml" }, { "title": "Renamed Msdt.EXE Execution", "id": "bd1c6866-65fc-44b2-be51-5588fcff82b9", "status": "experimental", "description": "Detects the execution of a renamed \"Msdt.exe\" binary", "author": "pH-T (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'msdt.exe' AND NOT (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_msdt.yml" }, { "title": "Service StartupType Change Via Sc.EXE", "id": "85c312b7-f44d-4a51-a024-d671c40b49fc", "status": "experimental", "description": "Detect the use of \"sc.exe\" to change the startup type of a service to \"disabled\" or \"demand\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "False positives may occur with troubleshooting scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '% config %' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\' AND (CommandLine LIKE '%disabled%' ESCAPE '\\' OR CommandLine LIKE '%demand%' ESCAPE '\\')))" ], "filename": "proc_creation_win_sc_disable_service.yml" }, { "title": "Execution in Webserver Root Folder", "id": "35efb964-e6a5-47ad-bbcd-19661854018d", "status": "test", "description": "Detects a suspicious program execution in a web service root folder (filter out false positives)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1505.003" ], "falsepositives": [ "Various applications", "Tools that include ping or nslookup command invocations" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\wwwroot\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmpub\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\htdocs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Tools\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SMSComponent\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_execution_path_webserver.yml" }, { "title": "WSF/JSE/JS/VBA/VBE File Execution", "id": "1e33157c-53b1-41ad-bbcc-780b80b58288", "status": "test", "description": "Detects suspicious file execution by wscript and cscript", "author": "Michael Haag", "tags": [ "attack.execution", "attack.t1059.005", "attack.t1059.007" ], "falsepositives": [ "Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('wscript.exe', 'cscript.exe') OR (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND (CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\'))" ], "filename": "proc_creation_win_script_execution.yml" }, { "title": "Service Security Descriptor Tampering Via Sc.EXE", "id": "98c5aeef-32d5-492f-b174-64a691896d25", "status": "experimental", "description": "Detection of sc.exe utility adding a new service with special permission which hides that service.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND CommandLine LIKE '%sdset%' ESCAPE '\\')" ], "filename": "proc_creation_win_sc_sdset_modification.yml" }, { "title": "Schtasks Creation Or Modification With SYSTEM Privileges", "id": "89ca78fd-b37c-4310-b3d3-81a023f83936", "status": "experimental", "description": "Detects the creation or update of a scheduled task to run with \"NT AUTHORITY\\SYSTEM\" privileges", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.persistence", "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND (CommandLine LIKE '% /change %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\') AND CommandLine LIKE '%/ru %' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\') OR ((CommandLine LIKE '%/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR %' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files (x86)\\\\Avira\\\\System Speedup\\\\setup\\\\avira\\_speedup\\_setup.exe%' ESCAPE '\\' OR CommandLine LIKE '%/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_system.yml" }, { "title": "Potential Recon Activity Using Wevtutil", "id": "beaa66d6-aa1b-4e3c-80f5-e0145369bfaf", "status": "experimental", "description": "Detects usage of the wevtutil utility to perform reconnaissance", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery" ], "falsepositives": [ "Legitimate usage of the utility by administrators to query the event log" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '% qe %' ESCAPE '\\' OR CommandLine LIKE '% query-events %' ESCAPE '\\') AND (CommandLine LIKE '%Microsoft-Windows-TerminalServices-LocalSessionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational%' ESCAPE '\\' OR CommandLine LIKE '%Security%' ESCAPE '\\'))" ], "filename": "proc_creation_win_wevtutil_recon.yml" }, { "title": "Suspicious Regsvr32 Execution From Remote Share", "id": "88a87a10-384b-4ad7-8871-2f9bf9259ce5", "status": "experimental", "description": "Detects REGSVR32.exe to execute DLL hosted on remote shares", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], "filename": "proc_creation_win_regsvr32_remote_share.yml" }, { "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE", "id": "a35f5a72-f347-4e36-8895-9869b0d5fc6d", "status": "test", "description": "Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall", "author": "Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1562.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%allowedprogram%' ESCAPE '\\') OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%action=allow%' ESCAPE '\\' AND CommandLine LIKE '%program=%' ESCAPE '\\')) AND (CommandLine LIKE '%\\%Public\\%\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\RECYCLER\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\SystemVolumeInformation\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\cursors\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\drivers\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\fonts\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\help\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\system32\\\\tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_netsh_fw_allow_program_in_susp_location.yml" }, { "title": "PUA - NPS Tunneling Tool Execution", "id": "68d37776-61db-42f5-bf54-27e87072d17e", "status": "experimental", "description": "Detects the use of NPS, a port forwarding and intranet penetration proxy server", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1090" ], "falsepositives": [ "Legitimate use" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\npc.exe' ESCAPE '\\' OR (CommandLine LIKE '% -server=%' ESCAPE '\\' AND CommandLine LIKE '% -vkey=%' ESCAPE '\\' AND CommandLine LIKE '% -password=%' ESCAPE '\\') OR CommandLine LIKE '% -config=npc%' ESCAPE '\\' OR ((Hashes LIKE '%MD5=AE8ACF66BFE3A44148964048B826D005%' ESCAPE '\\' OR Hashes LIKE '%SHA1=CEA49E9B9B67F3A13AD0BE1C2655293EA3C18181%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED1CC1FEBBBD6856%' ESCAPE '\\') OR md5 = 'ae8acf66bfe3a44148964048b826d005' OR sha1 = 'cea49e9b9b67f3a13ad0be1c2655293ea3c18181' OR sha256 = '5a456283392ffceeeaca3d3426c306eb470304637520d72fed1cc1febbbd6856')))" ], "filename": "proc_creation_win_pua_nps.yml" }, { "title": "Microsoft IIS Service Account Password Dumped", "id": "2d3cdeec-c0db-45b4-aa86-082f7eb75701", "status": "experimental", "description": "Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords", "author": "Tim Rauch, Janantha Marasinghe", "tags": [ "attack.credential_access", "attack.t1003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND CommandLine LIKE '%list %' ESCAPE '\\') AND ((CommandLine LIKE '% /config%' ESCAPE '\\' OR CommandLine LIKE '% /xml%' ESCAPE '\\' OR CommandLine LIKE '% -config%' ESCAPE '\\' OR CommandLine LIKE '% -xml%' ESCAPE '\\') OR ((CommandLine LIKE '% /@t%' ESCAPE '\\' OR CommandLine LIKE '% /text%' ESCAPE '\\' OR CommandLine LIKE '% /show%' ESCAPE '\\' OR CommandLine LIKE '% -@t%' ESCAPE '\\' OR CommandLine LIKE '% -text%' ESCAPE '\\' OR CommandLine LIKE '% -show%' ESCAPE '\\') AND (CommandLine LIKE '%:\\*' ESCAPE '\\' OR CommandLine LIKE '%password%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_iis_appcmd_service_account_password_dumped.yml" }, { "title": "Pubprn.vbs Proxy Execution", "id": "1fb76ab8-fa60-4b01-bddd-71e89bf555da", "status": "experimental", "description": "Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1216.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\pubprn.vbs%' ESCAPE '\\' AND CommandLine LIKE '%script:%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_pubprn.yml" }, { "title": "Potential Dosfuscation Activity", "id": "a77c1610-fc73-4019-8e29-0f51efc04a51", "status": "experimental", "description": "Detects possible payload obfuscation via the commandline", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%^^%' ESCAPE '\\' OR CommandLine LIKE '%^|^%' ESCAPE '\\' OR CommandLine LIKE '%,;,%' ESCAPE '\\' OR CommandLine LIKE '%;;;;%' ESCAPE '\\' OR CommandLine LIKE '%;; ;;%' ESCAPE '\\' OR CommandLine LIKE '%(,(,%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC:~%' ESCAPE '\\' OR CommandLine LIKE '% c^m^d%' ESCAPE '\\' OR CommandLine LIKE '%^c^m^d%' ESCAPE '\\' OR CommandLine LIKE '% c^md%' ESCAPE '\\' OR CommandLine LIKE '% cm^d%' ESCAPE '\\' OR CommandLine LIKE '%^cm^d%' ESCAPE '\\' OR CommandLine LIKE '% s^et %' ESCAPE '\\' OR CommandLine LIKE '% s^e^t %' ESCAPE '\\' OR CommandLine LIKE '% se^t %' ESCAPE '\\'))" ], "filename": "proc_creation_win_cmd_dosfuscation.yml" }, { "title": "Lolbin Defaultpack.exe Use As Proxy", "id": "b2309017-4235-44fe-b5af-b15363011957", "status": "experimental", "description": "Detect usage of the \"defaultpack.exe\" binary as a proxy to launch other programs", "author": "frack113", "tags": [ "attack.t1218", "attack.defense_evasion", "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\defaultpack.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_defaultpack.yml" }, { "title": "Wusa Extracting Cab Files", "id": "59b39960-5f9d-4a49-9cef-1e4d2c1d0cb9", "status": "experimental", "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument which is not longer supported. This could indicate an attacker using an old technique", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "The \"extract\" flag still works on older 'wusa.exe' versions, which could be a legitimate use (monitor the path of the cab being extracted)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\')" ], "filename": "proc_creation_win_wusa_cab_files_extraction.yml" }, { "title": "Suspicious RDP Redirect Using TSCON", "id": "f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb", "status": "test", "description": "Detects a suspicious RDP session redirect using tscon.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.lateral_movement", "attack.t1563.002", "attack.t1021.001", "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /dest:rdp-tcp:%' ESCAPE '\\')" ], "filename": "proc_creation_win_tscon_rdp_redirect.yml" }, { "title": "Change PowerShell Policies to an Insecure Level", "id": "87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180", "status": "experimental", "description": "Detects use of executionpolicy option to set insecure policies", "author": "frack113", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Administrator script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% -executionpolicy %' ESCAPE '\\' OR CommandLine LIKE '% -ep %' ESCAPE '\\' OR CommandLine LIKE '% -exec %' ESCAPE '\\') AND (CommandLine LIKE '%Unrestricted%' ESCAPE '\\' OR CommandLine LIKE '%bypass%' ESCAPE '\\' OR CommandLine LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_set_policies_to_unsecure_level.yml" }, { "title": "Potential Suspicious Registry File Imported Via Reg.EXE", "id": "62e0298b-e994-4189-bc87-bc699aa62d97", "status": "experimental", "description": "Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility", "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.t1112", "attack.defense_evasion" ], "falsepositives": [ "Legitimate import of keys" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% import %' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_import_from_suspicious_paths.yml" }, { "title": "Control Panel Items", "id": "0ba863e6-def5-4e50-9cea-4dd8c7dc46a4", "status": "test", "description": "Detects the malicious use of a control panel item", "author": "Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1218.002", "attack.persistence", "attack.t1546" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%CurrentVersion\\\\Control Panel\\\\CPLs%' ESCAPE '\\')) OR (CommandLine LIKE '%.cpl' ESCAPE '\\' AND NOT (((CommandLine LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%System\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%regsvr32 %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\' AND CommandLine LIKE '%igfxCPL.cpl%' ESCAPE '\\')))))" ], "filename": "proc_creation_win_control_panel_item.yml" }, { "title": "File Deletion Via Del", "id": "379fa130-190e-4c3f-b7bc-6c8e834485f3", "status": "experimental", "description": "Detects execution of the builtin \"del\"/\"erase\" commands in order to delete files.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1070.004" ], "falsepositives": [ "False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%del %' ESCAPE '\\' OR CommandLine LIKE '%erase %' ESCAPE '\\') AND (CommandLine LIKE '% /f%' ESCAPE '\\' OR CommandLine LIKE '% /s%' ESCAPE '\\' OR CommandLine LIKE '% /q%' ESCAPE '\\'))" ], "filename": "proc_creation_win_cmd_del_execution.yml" }, { "title": "Wusa Extracting Cab Files From Suspicious Paths", "id": "c74c0390-3e20-41fd-a69a-128f0275a5ea", "status": "experimental", "description": "Detects usage of the \"wusa.exe\" (Windows Update Standalone Installer) utility to extract cab using the \"/extract\" argument from suspicious paths", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\' AND CommandLine LIKE '%/extract:%' ESCAPE '\\' AND (CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_wusa_cab_files_extraction_from_susp_paths.yml" }, { "title": "Suspicious Mshta.EXE Execution Patterns", "id": "e32f92d1-523e-49c3-9374-bdb13b46a3ba", "status": "experimental", "description": "Detects suspicious mshta process execution patterns", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1106" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%.htm%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\') OR (CommandLine LIKE '%mshta.exe' ESCAPE '\\' OR CommandLine LIKE '%mshta' ESCAPE '\\')))))" ], "filename": "proc_creation_win_mshta_susp_pattern.yml" }, { "title": "File Download Via Bitsadmin", "id": "d059842b-6b9d-4ed1-b5c3-5b89143c6ede", "status": "test", "description": "Detects usage of bitsadmin downloading a file", "author": "Michael Haag, FPT.EagleEye", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1197", "attack.s0190", "attack.t1036.003" ], "falsepositives": [ "Some legitimate apps use this, but limited." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR ((CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')))" ], "filename": "proc_creation_win_bitsadmin_download.yml" }, { "title": "Data Copied To Clipboard Via Clip.EXE", "id": "ddeff553-5233-4ae9-bbab-d64d2bd634be", "status": "test", "description": "Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.", "author": "frack113", "tags": [ "attack.collection", "attack.t1115" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\clip.exe' ESCAPE '\\' OR OriginalFileName = 'clip.exe'))" ], "filename": "proc_creation_win_clip_execution.yml" }, { "title": "Sysmon Configuration Update", "id": "87911521-7098-470b-a459-9a57fc80bdfd", "status": "test", "description": "Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate administrators might use this command to update Sysmon configuration." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-c%' ESCAPE '\\' OR CommandLine LIKE '%/c%' ESCAPE '\\'))" ], "filename": "proc_creation_win_sysinternals_sysmon_config_update.yml" }, { "title": "Disable Windows IIS HTTP Logging", "id": "e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e", "status": "experimental", "description": "Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:httplogging%' ESCAPE '\\' AND CommandLine LIKE '%dontLog:true%' ESCAPE '\\'))" ], "filename": "proc_creation_win_iis_appcmd_http_logging.yml" }, { "title": "NtdllPipe Like Activity Execution", "id": "bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2", "status": "test", "description": "Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%type \\%windir\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type \\%systemroot\\%\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%type c:\\\\windows\\\\system32\\\\ntdll.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ntdll.dll > \\\\\\\\.\\\\pipe\\\\\\*' ESCAPE '\\'))" ], "filename": "proc_creation_win_cmd_ntdllpipe_redirect.yml" }, { "title": "Use of Scriptrunner.exe", "id": "64760eef-87f7-4ed3-93fd-655668ea9420", "status": "experimental", "description": "The \"ScriptRunner.exe\" binary can be abused to proxy execution through it and bypass possible whitelisting", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1218" ], "falsepositives": [ "Legitimate use when App-v is deployed" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\ScriptRunner.exe' ESCAPE '\\' OR OriginalFileName = 'ScriptRunner.exe') AND CommandLine LIKE '% -appvscript %' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_scriptrunner.yml" }, { "title": "Suspicious WindowsTerminal Child Processes", "id": "8de89e52-f6e1-4b5b-afd1-41ecfa300d48", "status": "experimental", "description": "Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.persistence" ], "falsepositives": [ "Other legitimate \"Windows Terminal\" profiles" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentProcessName LIKE '%\\\\WindowsTerminal.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wt.exe' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% iex %' ESCAPE '\\' OR CommandLine LIKE '% icm%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\' OR CommandLine LIKE '%DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% /k %' ESCAPE '\\' OR CommandLine LIKE '% /r %' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%Import-Module%' ESCAPE '\\' AND CommandLine LIKE '%Microsoft.VisualStudio.DevShell.dll%' ESCAPE '\\' AND CommandLine LIKE '%Enter-VsDevShell%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.WindowsTerminal\\_%' ESCAPE '\\' AND CommandLine LIKE '%\\\\LocalState\\\\settings.json%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Common7\\\\Tools\\\\VsDevCmd.bat%' ESCAPE '\\')))" ], "filename": "proc_creation_win_windows_terminal_susp_children.yml" }, { "title": "Sysprep on AppData Folder", "id": "d5b9ae7a-e6fc-405e-80ff-2ff9dcc64e7e", "status": "test", "description": "Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\sysprep.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')" ], "filename": "proc_creation_win_sysprep_appdata.yml" }, { "title": "Gzip Archive Decode Via PowerShell", "id": "98767d61-b2e8-4d71-b661-e36783ee24c1", "status": "experimental", "description": "Detects attempts of decoding encoded Gzip archives via PowerShell.", "author": "Hieu Tran", "falsepositives": [ "Legitimate administrative scripts may use this functionality. Use \"ParentImage\" in combination with the script names and allowed users and applications to filter legitimate executions" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%GZipStream%' ESCAPE '\\' AND CommandLine LIKE '%::Decompress%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_decode_gzip.yml" }, { "title": "Malicious PowerShell Commandlets - ProcessCreation", "id": "02030f2f-6199-49ec-b258-ea71b07e03dc", "status": "experimental", "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.discovery", "attack.t1482", "attack.t1087", "attack.t1087.001", "attack.t1087.002", "attack.t1069.001", "attack.t1069.002", "attack.t1069", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Add-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Add-Persistence%' ESCAPE '\\' OR CommandLine LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Check-VM%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR CommandLine LIKE '%Decrypt-Hash%' ESCAPE '\\' OR CommandLine LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Do-Exfiltration%' ESCAPE '\\' OR CommandLine LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR CommandLine LIKE '%Exploit-Jboss%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADR%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRCSV%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRExcel%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRHTML%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRJSON%' ESCAPE '\\' OR CommandLine LIKE '%Export-ADRXML%' ESCAPE '\\' OR CommandLine LIKE '%Find-Fruit%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR CommandLine LIKE '%Get-ADIDNS%' ESCAPE '\\' OR CommandLine LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR CommandLine LIKE '%Get-ChromeDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR CommandLine LIKE '%Get-FoxDump%' ESCAPE '\\' OR CommandLine LIKE '%Get-GPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-IndexedItem%' ESCAPE '\\' OR CommandLine LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-Keystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-LSASecret%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR CommandLine LIKE '%Get-PassHashes%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR CommandLine LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR CommandLine LIKE '%Get-RickAstley%' ESCAPE '\\' OR CommandLine LIKE '%Get-Screenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServicePermission%' ESCAPE '\\' OR CommandLine LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR CommandLine LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR CommandLine LIKE '%Get-System%' ESCAPE '\\' OR CommandLine LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR CommandLine LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR CommandLine LIKE '%Get-Unconstrained%' ESCAPE '\\' OR CommandLine LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR CommandLine LIKE '%Get-VaultCredential%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR CommandLine LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR CommandLine LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR CommandLine LIKE '%HTTP-Login%' ESCAPE '\\' OR CommandLine LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR CommandLine LIKE '%Install-SSP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Certify%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DAFT%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DCSync%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Farmer%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Gopher%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Grouper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Lockless%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MITM6%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PortScan%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PSInject%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RunAs%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SCShell%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharp%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StandIn%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tater%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Whisker%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WireTap%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR CommandLine LIKE '%MailRaider%' ESCAPE '\\' OR CommandLine LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR CommandLine LIKE '%New-HoneyHash%' ESCAPE '\\' OR CommandLine LIKE '%New-InMemoryModule%' ESCAPE '\\' OR CommandLine LIKE '%New-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR CommandLine LIKE '%Out-Minidump%' ESCAPE '\\' OR CommandLine LIKE '%Port-Scan%' ESCAPE '\\' OR CommandLine LIKE '%PowerBreach%' ESCAPE '\\' OR CommandLine LIKE '%powercat %' ESCAPE '\\' OR CommandLine LIKE '%PowerUp%' ESCAPE '\\' OR CommandLine LIKE '%PowerView%' ESCAPE '\\' OR CommandLine LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR CommandLine LIKE '%Remove-Update%' ESCAPE '\\' OR CommandLine LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR CommandLine LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR CommandLine LIKE '%Set-MacAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR CommandLine LIKE '%Set-Wallpaper%' ESCAPE '\\' OR CommandLine LIKE '%Show-TargetScreen%' ESCAPE '\\' OR CommandLine LIKE '%Start-CaptureServer%' ESCAPE '\\' OR CommandLine LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR CommandLine LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_malicious_cmdlets.yml" }, { "title": "Potential Persistence Via Microsoft Compatibility Appraiser", "id": "f548a603-c9f2-4c89-b511-b089f7e94549", "status": "experimental", "description": "Detects manual execution of the \"Microsoft Compatibility Appraiser\" task via schtasks.\nIn order to trigger persistence stored in the \"\\AppCompatFlags\\TelemetryController\" registry key.\n", "author": "Sreeman", "tags": [ "attack.persistence", "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%run %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Application Experience\\\\Microsoft Compatibility Appraiser%' ESCAPE '\\'))" ], "filename": "proc_creation_win_schtasks_persistence_windows_telemetry.yml" }, { "title": "Execution via WorkFolders.exe", "id": "0bbc6369-43e3-453d-9944-cae58821c173", "status": "test", "description": "Detects using WorkFolders.exe to execute an arbitrary control.exe", "author": "Maxime Thiebaut (@0xThiebaut)", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Legitimate usage of the uncommon Windows Work Folders feature." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\WorkFolders.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\control.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_workfolders.yml" }, { "title": "Suspicious PowerShell Parameter Substring", "id": "36210e0d-5b19-485d-a087-c096088885f0", "status": "test", "description": "Detects suspicious PowerShell invocation with a parameter substring", "author": "Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% -windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% -windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% -windowst h%' ESCAPE '\\' OR CommandLine LIKE '% -windows h%' ESCAPE '\\' OR CommandLine LIKE '% -windo h%' ESCAPE '\\' OR CommandLine LIKE '% -wind h%' ESCAPE '\\' OR CommandLine LIKE '% -win h%' ESCAPE '\\' OR CommandLine LIKE '% -wi h%' ESCAPE '\\' OR CommandLine LIKE '% -win h %' ESCAPE '\\' OR CommandLine LIKE '% -win hi %' ESCAPE '\\' OR CommandLine LIKE '% -win hid %' ESCAPE '\\' OR CommandLine LIKE '% -win hidd %' ESCAPE '\\' OR CommandLine LIKE '% -win hidde %' ESCAPE '\\' OR CommandLine LIKE '% -NoPr %' ESCAPE '\\' OR CommandLine LIKE '% -NoPro %' ESCAPE '\\' OR CommandLine LIKE '% -NoProf %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% -NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% -nonin %' ESCAPE '\\' OR CommandLine LIKE '% -nonint %' ESCAPE '\\' OR CommandLine LIKE '% -noninte %' ESCAPE '\\' OR CommandLine LIKE '% -noninter %' ESCAPE '\\' OR CommandLine LIKE '% -nonintera %' ESCAPE '\\' OR CommandLine LIKE '% -noninterac %' ESCAPE '\\' OR CommandLine LIKE '% -noninteract %' ESCAPE '\\' OR CommandLine LIKE '% -noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% -noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% -ec %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% -encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% -encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% -encodedC %' ESCAPE '\\' OR CommandLine LIKE '% -encoded %' ESCAPE '\\' OR CommandLine LIKE '% -encode %' ESCAPE '\\' OR CommandLine LIKE '% -encod %' ESCAPE '\\' OR CommandLine LIKE '% -enco %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% -executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% -executionpol %' ESCAPE '\\' OR CommandLine LIKE '% -executionpo %' ESCAPE '\\' OR CommandLine LIKE '% -executionp %' ESCAPE '\\' OR CommandLine LIKE '% -execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% -executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% -execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% -exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass%' ESCAPE '\\' OR CommandLine LIKE '% /windowstyle h %' ESCAPE '\\' OR CommandLine LIKE '% /windowstyl h%' ESCAPE '\\' OR CommandLine LIKE '% /windowsty h%' ESCAPE '\\' OR CommandLine LIKE '% /windowst h%' ESCAPE '\\' OR CommandLine LIKE '% /windows h%' ESCAPE '\\' OR CommandLine LIKE '% /windo h%' ESCAPE '\\' OR CommandLine LIKE '% /wind h%' ESCAPE '\\' OR CommandLine LIKE '% /win h%' ESCAPE '\\' OR CommandLine LIKE '% /wi h%' ESCAPE '\\' OR CommandLine LIKE '% /win h %' ESCAPE '\\' OR CommandLine LIKE '% /win hi %' ESCAPE '\\' OR CommandLine LIKE '% /win hid %' ESCAPE '\\' OR CommandLine LIKE '% /win hidd %' ESCAPE '\\' OR CommandLine LIKE '% /win hidde %' ESCAPE '\\' OR CommandLine LIKE '% /NoPr %' ESCAPE '\\' OR CommandLine LIKE '% /NoPro %' ESCAPE '\\' OR CommandLine LIKE '% /NoProf %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfi %' ESCAPE '\\' OR CommandLine LIKE '% /NoProfil %' ESCAPE '\\' OR CommandLine LIKE '% /nonin %' ESCAPE '\\' OR CommandLine LIKE '% /nonint %' ESCAPE '\\' OR CommandLine LIKE '% /noninte %' ESCAPE '\\' OR CommandLine LIKE '% /noninter %' ESCAPE '\\' OR CommandLine LIKE '% /nonintera %' ESCAPE '\\' OR CommandLine LIKE '% /noninterac %' ESCAPE '\\' OR CommandLine LIKE '% /noninteract %' ESCAPE '\\' OR CommandLine LIKE '% /noninteracti %' ESCAPE '\\' OR CommandLine LIKE '% /noninteractiv %' ESCAPE '\\' OR CommandLine LIKE '% /ec %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComman %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComma %' ESCAPE '\\' OR CommandLine LIKE '% /encodedComm %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCom %' ESCAPE '\\' OR CommandLine LIKE '% /encodedCo %' ESCAPE '\\' OR CommandLine LIKE '% /encodedC %' ESCAPE '\\' OR CommandLine LIKE '% /encoded %' ESCAPE '\\' OR CommandLine LIKE '% /encode %' ESCAPE '\\' OR CommandLine LIKE '% /encod %' ESCAPE '\\' OR CommandLine LIKE '% /enco %' ESCAPE '\\' OR CommandLine LIKE '% /en %' ESCAPE '\\' OR CommandLine LIKE '% /executionpolic %' ESCAPE '\\' OR CommandLine LIKE '% /executionpoli %' ESCAPE '\\' OR CommandLine LIKE '% /executionpol %' ESCAPE '\\' OR CommandLine LIKE '% /executionpo %' ESCAPE '\\' OR CommandLine LIKE '% /executionp %' ESCAPE '\\' OR CommandLine LIKE '% /execution bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executio bypass%' ESCAPE '\\' OR CommandLine LIKE '% /executi bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execut bypass%' ESCAPE '\\' OR CommandLine LIKE '% /execu bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exec bypass%' ESCAPE '\\' OR CommandLine LIKE '% /exe bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ex bypass%' ESCAPE '\\' OR CommandLine LIKE '% /ep bypass%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_susp_parameter_variation.yml" }, { "title": "Ruby Inline Command Execution", "id": "20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8", "status": "experimental", "description": "Detects execution of ruby using the \"-e\" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\ruby.exe' ESCAPE '\\' OR OriginalFileName = 'ruby.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" ], "filename": "proc_creation_win_ruby_inline_command_execution.yml" }, { "title": "Suspicious Execution of Shutdown", "id": "34ebb878-1b15-4895-b352-ca2eeb99b274", "status": "test", "description": "Use of the commandline to shutdown or reboot windows", "author": "frack113", "tags": [ "attack.impact", "attack.t1529" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\shutdown.exe' ESCAPE '\\' AND (CommandLine LIKE '%/r %' ESCAPE '\\' OR CommandLine LIKE '%/s %' ESCAPE '\\'))" ], "filename": "proc_creation_win_shutdown_execution.yml" }, { "title": "Renamed CreateDump Utility Execution", "id": "1a1ed54a-2ba4-4221-94d5-01dee560d71e", "status": "experimental", "description": "Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036", "attack.t1003.001" ], "falsepositives": [ "Command lines that use the same flags" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\' OR (CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -f %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') OR (CommandLine LIKE '% --full %' ESCAPE '\\' AND CommandLine LIKE '% --name %' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_createdump.yml" }, { "title": "Suspicious Execution of InstallUtil To Download", "id": "75edd216-1939-4c73-8d61-7f3a0d85b5cc", "status": "experimental", "description": "Detects the use the .NET InstallUtil.exe application in order to download arbitrary files. The files will be written to %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' OR OriginalFileName = 'InstallUtil.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_installutil_download.yml" }, { "title": "Unusually Long PowerShell CommandLine", "id": "d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6", "status": "test", "description": "Detects unusually long PowerShell command lines with a length of 1000 characters or more", "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR Description = 'Windows Powershell' OR Product = 'PowerShell Core 6') AND CommandLine REGEXP '.{1000,}')" ], "filename": "proc_creation_win_powershell_abnormal_commandline_size.yml" }, { "title": "Base64 MZ Header In CommandLine", "id": "22e58743-4ac8-4a9f-bf19-00a0428d8c5f", "status": "experimental", "description": "Detects encoded base64 MZ header in the commandline", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR CommandLine LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR CommandLine LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR CommandLine LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_inline_base64_mz_header.yml" }, { "title": "Format.com FileSystem LOLBIN", "id": "9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60", "status": "test", "description": "Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\format.com' ESCAPE '\\' AND CommandLine LIKE '%/fs:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/fs:FAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:exFAT%' ESCAPE '\\' OR CommandLine LIKE '%/fs:NTFS%' ESCAPE '\\' OR CommandLine LIKE '%/fs:UDF%' ESCAPE '\\' OR CommandLine LIKE '%/fs:ReFS%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_lolbin_format.yml" }, { "title": "File Download Using ProtocolHandler.exe", "id": "104cdb48-a7a8-4ca7-a453-32942c6e5dcb", "status": "experimental", "description": "Detects usage of \"ProtocolHandler\" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE)", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\protocolhandler.exe' ESCAPE '\\' OR OriginalFileName = 'ProtocolHandler.exe') AND ((CommandLine LIKE '%\"ms-word%' ESCAPE '\\' AND CommandLine LIKE '%.docx\"%' ESCAPE '\\') OR CommandLine LIKE '% http%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_protocolhandler_download.yml" }, { "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage", "id": "37651c2a-42cd-4a69-ae0d-22a4349aa04a", "status": "experimental", "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.defense_evasion" ], "falsepositives": [ "Installation of unsigned packages for testing purposes" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AppPackage %' ESCAPE '\\' OR CommandLine LIKE '%Add-AppxPackage %' ESCAPE '\\') AND CommandLine LIKE '% -AllowUnsigned%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_install_unsigned_appx_packages.yml" }, { "title": "Potential Signing Bypass Via Windows Developer Features", "id": "a383dec4-deec-4e6e-913b-ed9249670848", "status": "experimental", "description": "Detects when a user enable developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\SystemSettingsAdminFlows.exe' ESCAPE '\\' OR OriginalFileName = 'SystemSettingsAdminFlows.EXE') AND CommandLine LIKE '%TurnOnDeveloperFeatures%' ESCAPE '\\' AND (CommandLine LIKE '%DeveloperUnlock%' ESCAPE '\\' OR CommandLine LIKE '%EnableSideloading%' ESCAPE '\\'))" ], "filename": "proc_creation_win_systemsettingsadminflows_turn_on_dev_features.yml" }, { "title": "XSL Script Processing", "id": "05c36dd6-79d6-4a9a-97da-3db20298ab2d", "status": "test", "description": "Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.", "author": "Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel", "tags": [ "attack.defense_evasion", "attack.t1220" ], "falsepositives": [ "WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.", "Msxsl.exe is not installed by default, so unlikely.", "Static format arguments - https://petri.com/command-line-wmi-part-3" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND (CommandLine LIKE '%/format%' ESCAPE '\\' OR CommandLine LIKE '%-format%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Format:List%' ESCAPE '\\' OR CommandLine LIKE '%Format:htable%' ESCAPE '\\' OR CommandLine LIKE '%Format:hform%' ESCAPE '\\' OR CommandLine LIKE '%Format:table%' ESCAPE '\\' OR CommandLine LIKE '%Format:mof%' ESCAPE '\\' OR CommandLine LIKE '%Format:value%' ESCAPE '\\' OR CommandLine LIKE '%Format:rawxml%' ESCAPE '\\' OR CommandLine LIKE '%Format:xml%' ESCAPE '\\' OR CommandLine LIKE '%Format:csv%' ESCAPE '\\'))) OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_wmic_xsl_script_processing.yml" }, { "title": "Use of OpenConsole", "id": "814c95cc-8192-4378-a70a-f1aafd877af1", "status": "experimental", "description": "Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Legitimate use by an administrator" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'OpenConsole.exe' OR NewProcessName LIKE '%\\\\OpenConsole.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.WindowsTerminal%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_openconsole.yml" }, { "title": "Potential Product Class Reconnaissance Via Wmic.EXE", "id": "e568650b-5dcd-4658-8f34-ded0b1e13992", "status": "experimental", "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", "author": "Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community", "tags": [ "attack.execution", "attack.t1047", "car.2016-03-002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%AntiVirusProduct%' ESCAPE '\\' OR CommandLine LIKE '%FirewallProduct%' ESCAPE '\\'))" ], "filename": "proc_creation_win_wmic_recon_product_class.yml" }, { "title": "Remote Access Tool - RURAT Execution From Unusual Location", "id": "e01fa958-6893-41d4-ae03-182477c5e77d", "status": "experimental", "description": "Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\\Program Files')", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rfusclient.exe' ESCAPE '\\') OR Product = 'Remote Utilities') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Remote Utilities%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Remote Utilities%' ESCAPE '\\')))" ], "filename": "proc_creation_win_remote_access_tools_rurat_non_default_location.yml" }, { "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE", "id": "ebef4391-1a81-4761-a40a-1db446c0e625", "status": "test", "description": "Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1546.003" ], "falsepositives": [ "Legitimate software creating script event consumers" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ActiveScriptEventConsumer%' ESCAPE '\\' AND CommandLine LIKE '% CREATE %' ESCAPE '\\')" ], "filename": "proc_creation_win_wmic_eventconsumer_creation.yml" }, { "title": "PUA - Advanced IP Scanner Execution", "id": "bef37fa2-f205-4a7b-b484-0759bfd5f86f", "status": "experimental", "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", "author": "Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy", "tags": [ "attack.discovery", "attack.t1046", "attack.t1135" ], "falsepositives": [ "Legitimate administrative use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\advanced\\_ip\\_scanner%' ESCAPE '\\' OR OriginalFileName LIKE '%advanced\\_ip\\_scanner%' ESCAPE '\\' OR Description LIKE '%Advanced IP Scanner%' ESCAPE '\\') OR (CommandLine LIKE '%/portable%' ESCAPE '\\' AND CommandLine LIKE '%/lng%' ESCAPE '\\')))" ], "filename": "proc_creation_win_pua_advanced_ip_scanner.yml" }, { "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation", "id": "c86500e9-a645-4680-98d7-f882c70c1ea3", "status": "experimental", "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.reconnaissance", "attack.discovery", "attack.credential_access", "attack.impact" ], "falsepositives": [ "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '%Add-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Disable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Enable-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Export-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Get-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Grant-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Install-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Join-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%New-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Open-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Read-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Register-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Remove-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Restore-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Search-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Send-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Set-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Start-AADInt%' ESCAPE '\\' OR CommandLine LIKE '%Update-AADInt%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_aadinternals_cmdlets_execution.yml" }, { "title": "Renamed AutoHotkey.EXE Execution", "id": "0f16d9cf-0616-45c8-8fad-becc11b5a41c", "status": "test", "description": "Detects execution of a renamed autohotkey.exe binary based on PE metadata fields", "author": "Nasreddine Bencherchali", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%AutoHotkey%' ESCAPE '\\' OR Description LIKE '%AutoHotkey%' ESCAPE '\\' OR OriginalFileName IN ('AutoHotkey.exe', 'AutoHotkey.rc')) AND NOT ((NewProcessName LIKE '%\\\\AutoHotkey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkey64\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyA32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyA32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU32\\_UIA.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AutoHotkeyU64\\_UIA.exe' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AutoHotkey%' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_autohotkey.yml" }, { "title": "Microsoft Workflow Compiler Execution", "id": "419dbf2b-8a9b-4bea-bf99-7544b050ec8d", "status": "test", "description": "Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.", "author": "Nik Seetharaman, frack113", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1127", "attack.t1218" ], "falsepositives": [ "Legitimate MWC use (unlikely in modern enterprise environments)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR OriginalFileName = 'Microsoft.Workflow.Compiler.exe'))" ], "filename": "proc_creation_win_lolbin_workflow_compiler.yml" }, { "title": "Potential Arbitrary File Download Via MSEdge.EXE", "id": "94771a71-ba41-4b6e-a757-b531372eaab6", "status": "test", "description": "Detects usage of the \"msedge.exe\" binary as a LOLBIN to download arbitrary file via the CLI", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Software that uses MsEdge to download components in the background (see ParentImage, ParentCommandLine)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR OriginalFileName = 'msedge.exe') AND (CommandLine LIKE '%.exe http%' ESCAPE '\\' OR CommandLine LIKE '%msedge http%' ESCAPE '\\'))" ], "filename": "proc_creation_win_browsers_msedge_arbitrary_download.yml" }, { "title": "Uninstall Crowdstrike Falcon Sensor", "id": "f0f7be61-9cf5-43be-9836-99d6ef448a18", "status": "test", "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\WindowsSensor.exe%' ESCAPE '\\' AND CommandLine LIKE '% /uninstall%' ESCAPE '\\' AND CommandLine LIKE '% /quiet%' ESCAPE '\\')" ], "filename": "proc_creation_win_uninstall_crowdstrike_falcon.yml" }, { "title": "HackTool - TruffleSnout Execution", "id": "69ca006d-b9a9-47f5-80ff-ecd4d25d481a", "status": "experimental", "description": "Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.", "author": "frack113", "tags": [ "attack.discovery", "attack.t1482" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'TruffleSnout.exe' OR NewProcessName LIKE '%\\\\TruffleSnout.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_trufflesnout.yml" }, { "title": "REGISTER_APP.VBS Proxy Execution", "id": "1c8774a0-44d4-4db0-91f8-e792359c70bd", "status": "experimental", "description": "Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Legitimate usage of the script. Always investigate what's being registered to confirm if it's benign" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\register\\_app.vbs%' ESCAPE '\\' AND CommandLine LIKE '%-register%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_register_app.yml" }, { "title": "Deleted Data Overwritten Via Cipher.EXE", "id": "4b046706-5789-4673-b111-66f25fe99534", "status": "experimental", "description": "Detects usage of the \"cipher\" built-in utility in order to overwrite deleted data from disk.\nAdversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", "author": "frack113", "tags": [ "attack.impact", "attack.t1485" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'CIPHER.EXE' OR NewProcessName LIKE '%\\\\cipher.exe' ESCAPE '\\') AND CommandLine LIKE '% /w:%' ESCAPE '\\')" ], "filename": "proc_creation_win_cipher_overwrite_deleted_data.yml" }, { "title": "DllUnregisterServer Function Call Via Msiexec.EXE", "id": "84f52741-8834-4a8c-a413-2eb2269aa6c8", "status": "experimental", "description": "Detects MsiExec loading a DLL and calling its DllUnregisterServer function", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218.007" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND (CommandLine LIKE '% /z %' ESCAPE '\\' OR CommandLine LIKE '% -z %' ESCAPE '\\') AND CommandLine LIKE '%.dll%' ESCAPE '\\')" ], "filename": "proc_creation_win_msiexec_dll.yml" }, { "title": "MpiExec Lolbin", "id": "729ce0ea-5d8f-4769-9762-e35de441586d", "status": "test", "description": "Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\mpiexec.exe' ESCAPE '\\' OR Imphash = 'd8b52ef6aaa3a81501bdfff9dbb96217' OR Hashes LIKE '%IMPHASH=d8b52ef6aaa3a81501bdfff9dbb96217%' ESCAPE '\\') AND (CommandLine LIKE '% /n 1 %' ESCAPE '\\' OR CommandLine LIKE '% -n 1 %' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_mpiexec.yml" }, { "title": "Suspicious Cmdl32 Execution", "id": "f37aba28-a9e6-4045-882c-d5004043b337", "status": "experimental", "description": "lolbas Cmdl32 is use to download a payload to evade antivirus", "author": "frack113", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1218", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR OriginalFileName = 'CMDL32.EXE') AND (CommandLine LIKE '%/vpn %' ESCAPE '\\' AND CommandLine LIKE '%/lan %' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_cmdl32.yml" }, { "title": "PsExec Service Child Process Execution as LOCAL SYSTEM", "id": "7c0dcd3d-acf8-4f71-9570-f448b0034f94", "status": "experimental", "description": "Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE 'C:\\\\Windows\\\\PSEXESVC.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))" ], "filename": "proc_creation_win_sysinternals_psexesvc_as_system.yml" }, { "title": "Set Suspicious Files as System Files Using Attrib.EXE", "id": "efec536f-72e8-4656-8960-5e85d091345b", "status": "experimental", "description": "Detects the usage of attrib with the \"+s\" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s%' ESCAPE '\\' AND (CommandLine LIKE '% \\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.hta%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (CommandLine LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\'))" ], "filename": "proc_creation_win_attrib_system_susp_paths.yml" }, { "title": "Suspicious GrpConv Execution", "id": "f14e169e-9978-4c69-acb3-1cff8200bc36", "status": "experimental", "description": "Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%grpconv.exe -o%' ESCAPE '\\' OR CommandLine LIKE '%grpconv -o%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_susp_grpconv.yml" }, { "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet", "id": "435e10e4-992a-4281-96f3-38b11106adde", "status": "experimental", "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1033" ], "falsepositives": [ "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADComputer %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" }, { "title": "HackTool - Impacket Tools Execution", "id": "4627c6ae-6899-46e2-aa0c-6ebcb1becd19", "status": "test", "description": "Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1557.001" ], "falsepositives": [ "Legitimate use of the impacket tools" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\goldenPac%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\karmaSMB%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\kintercept%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntlmrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rpcdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\samrdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\secretsdump%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbrelayx%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmiexec%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmipersist%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\atexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dcomexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dpapi\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findDelegation\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetADUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetNPUsers\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getPac\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getST\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\getTGT\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\GetUserSPNs\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ifmap\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mimikatz\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netview\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nmapAnswerMachine\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opdump\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rdp\\_check\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sambaPipe\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbclient\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smbserver\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniffer\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sniff\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\split\\_windows.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ticketer\\_windows.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_impacket_tools.yml" }, { "title": "Potential Commandline Obfuscation Using Escape Characters", "id": "f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd", "status": "test", "description": "Detects potential commandline obfuscation using known escape characters", "author": "juju4", "tags": [ "attack.defense_evasion", "attack.t1140" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%h^t^t^p%' ESCAPE '\\' OR CommandLine LIKE '%h\"t\"t\"p%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_cli_obfuscation_escape_char.yml" }, { "title": "New Kernel Driver Via SC.EXE", "id": "431a1fdb-4799-4f3b-91c3-a683b003fc49", "status": "experimental", "description": "Detects creation of a new service (kernel driver) with the type \"kernel\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Rare legitimate installation of kernel drivers via sc.exe" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND (CommandLine LIKE '%create%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\') AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND CommandLine LIKE '%type%' ESCAPE '\\' AND CommandLine LIKE '%kernel%' ESCAPE '\\')" ], "filename": "proc_creation_win_sc_new_kernel_driver.yml" }, { "title": "Taskmgr as Parent", "id": "3d7679bd-0c00-440c-97b0-3f204273e6c7", "status": "test", "description": "Detects the creation of a process from Windows task manager", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036" ], "falsepositives": [ "Administrative activity" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\resmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_taskmgr_susp_child_process.yml" }, { "title": "Suspicious DLL Loaded via CertOC.EXE", "id": "84232095-ecca-4015-b0d7-7726507ee793", "status": "experimental", "description": "Detects when a user installs certificates by using CertOC.exe to load the target DLL file.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND (CommandLine LIKE '% -LoadDLL %' ESCAPE '\\' OR CommandLine LIKE '% /LoadDLL %' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Appdata\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_certoc_load_dll_susp_locations.yml" }, { "title": "DLL Execution Via Register-cimprovider.exe", "id": "a2910908-e86f-4687-aeba-76a5f996e652", "status": "test", "description": "Detects using register-cimprovider.exe to execute arbitrary dll file.", "author": "Ivan Dyachkov, Yulia Fomina, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1574" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\register-cimprovider.exe' ESCAPE '\\' AND CommandLine LIKE '%-path%' ESCAPE '\\' AND CommandLine LIKE '%dll%' ESCAPE '\\')" ], "filename": "proc_creation_win_registry_cimprovider_dll_load.yml" }, { "title": "Suspicious Rundll32 Without Any CommandLine Params", "id": "1775e15e-b61b-4d14-a1a3-80981298085a", "status": "experimental", "description": "Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Possible but rare" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_rundll32_no_params.yml" }, { "title": "Java Running with Remote Debugging", "id": "8f88e3f6-2a49-48f5-a5c4-2f7eedf78710", "status": "test", "description": "Detects a JAVA process running with remote debugging allowing more than just localhost to connect", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.t1203", "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%transport=dt\\_socket,address=%' ESCAPE '\\' AND (CommandLine LIKE '%jre1.%' ESCAPE '\\' OR CommandLine LIKE '%jdk1.%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%address=127.0.0.1%' ESCAPE '\\' OR CommandLine LIKE '%address=localhost%' ESCAPE '\\')))" ], "filename": "proc_creation_win_java_remote_debugging.yml" }, { "title": "Proxy Execution Via Explorer.exe", "id": "9eb271b9-24ae-4cd4-9465-19cfc1047f3e", "status": "test", "description": "Attackers can use explorer.exe for evading defense mechanisms", "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Legitimate explorer.exe run from cmd.exe" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%explorer.exe%' ESCAPE '\\')" ], "filename": "proc_creation_win_explorer_lolbin_execution.yml" }, { "title": "Suspicious Download From File-Sharing Website Via Bitsadmin", "id": "8518ed3d-f7c9-4601-a26c-f361a4256a0c", "status": "experimental", "description": "Detects usage of bitsadmin downloading a file from a suspicious domain", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1197", "attack.s0190", "attack.t1036.003" ], "falsepositives": [ "Some legitimate apps use this, but limited." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.ghostbin.co/%' ESCAPE '\\' OR CommandLine LIKE '%.hastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%.paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%anonfiles.com%' ESCAPE '\\' OR CommandLine LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR CommandLine LIKE '%ddns.net%' ESCAPE '\\' OR CommandLine LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%mediafire.com%' ESCAPE '\\' OR CommandLine LIKE '%mega.nz%' ESCAPE '\\' OR CommandLine LIKE '%paste.ee%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.com%' ESCAPE '\\' OR CommandLine LIKE '%pastebin.pl%' ESCAPE '\\' OR CommandLine LIKE '%pastetext.net%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.com%' ESCAPE '\\' OR CommandLine LIKE '%privatlab.net%' ESCAPE '\\' OR CommandLine LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR CommandLine LIKE '%send.exploit.in%' ESCAPE '\\' OR CommandLine LIKE '%sendspace.com%' ESCAPE '\\' OR CommandLine LIKE '%storage.googleapis.com%' ESCAPE '\\' OR CommandLine LIKE '%transfer.sh%' ESCAPE '\\' OR CommandLine LIKE '%ufile.io%' ESCAPE '\\'))" ], "filename": "proc_creation_win_bitsadmin_download_file_sharing_domains.yml" }, { "title": "Suspicious Process Patterns NTDS.DIT Exfil", "id": "8bc64091-6875-4881-aaf9-7bd25b5dda08", "status": "experimental", "description": "Detects suspicious process patterns used in NTDS.DIT exfiltration", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((NewProcessName LIKE '%\\\\NTDSDump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NTDSDumpEx.exe' ESCAPE '\\') OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND CommandLine LIKE '%system.hiv%' ESCAPE '\\') OR CommandLine LIKE '%NTDSgrab.ps1%' ESCAPE '\\') OR (CommandLine LIKE '%ac i ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%/c copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\') OR (CommandLine LIKE '%activate instance ntds%' ESCAPE '\\' AND CommandLine LIKE '%create full%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%ntds.dit%' ESCAPE '\\')) OR (CommandLine LIKE '%ntds.dit%' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))))" ], "filename": "proc_creation_win_susp_ntds.yml" }, { "title": "Suspicious Rundll32 Invoking Inline VBScript", "id": "1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd", "status": "test", "description": "Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%Execute%' ESCAPE '\\' AND CommandLine LIKE '%RegRead%' ESCAPE '\\' AND CommandLine LIKE '%window.close%' ESCAPE '\\')" ], "filename": "proc_creation_win_rundll32_inline_vbs.yml" }, { "title": "Add SafeBoot Keys Via Reg Utility", "id": "d7662ff6-9e97-4596-a61d-9839e32dee8d", "status": "experimental", "description": "Detects execution of \"reg.exe\" commands with the \"add\" or \"copy\" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot%' ESCAPE '\\' AND (CommandLine LIKE '% copy %' ESCAPE '\\' OR CommandLine LIKE '% add %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_add_safeboot.yml" }, { "title": "PowerShell DownloadFile", "id": "8f70ac5f-1f6f-4f8e-b454-db19561216c5", "status": "test", "description": "Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001", "attack.command_and_control", "attack.t1104", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%System.Net.WebClient%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_susp_ps_downloadfile.yml" }, { "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load", "id": "43103702-5886-11ed-9b6a-0242ac120002", "status": "experimental", "description": "Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter", "author": "bohops", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "False positives depend on custom use of vsls-agent.exe" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\vsls-agent.exe' ESCAPE '\\' AND CommandLine LIKE '%--agentExtensionPath%' ESCAPE '\\') AND NOT (CommandLine LIKE '%Microsoft.VisualStudio.LiveShare.Agent.%' ESCAPE '\\'))" ], "filename": "proc_creation_win_vslsagent_agentextensionpath_load.yml" }, { "title": "PUA - DefenderCheck Execution", "id": "f0ca6c24-3225-47d5-b1f5-352bf07ecfa7", "status": "experimental", "description": "Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1027.005" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\DefenderCheck.exe' ESCAPE '\\' OR Description = 'DefenderCheck'))" ], "filename": "proc_creation_win_pua_defendercheck.yml" }, { "title": "Obfuscated IP Download", "id": "cb5a2333-56cf-4562-8fcb-22ba1bca728d", "status": "experimental", "description": "Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\') AND ((CommandLine LIKE '%//0x%' ESCAPE '\\' OR CommandLine LIKE '%.0x%' ESCAPE '\\' OR CommandLine LIKE '%.00x%' ESCAPE '\\') OR (CommandLine LIKE '%http://\\%%' ESCAPE '\\' AND CommandLine LIKE '%\\%2e%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_obfuscated_ip_download.yml" }, { "title": "Suspicious Execution Of PDQDeployRunner", "id": "12b8e9f5-96b2-41e1-9a42-8c6779a5c184", "status": "experimental", "description": "Detects suspicious execution of \"PDQDeployRunner\" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Legitimate use of the PDQDeploy tool to execute these commands" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%PDQDeployRunner-%' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\') OR (CommandLine LIKE '%iex %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -encodedcommand %' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% -w hidden%' ESCAPE '\\')))" ], "filename": "proc_creation_win_pdqdeploy_runner_susp_children.yml" }, { "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs", "id": "3a6586ad-127a-4d3b-a677-1e6eacdf8fde", "status": "test", "description": "Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.", "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1059.005", "attack.t1059.001", "attack.t1218" ], "falsepositives": [ "Administrative scripts", "Microsoft SCCM" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\')) AND NOT ((CurrentDirectory LIKE '%\\\\ccmcache\\\\%' ESCAPE '\\') OR ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\setup-scheduledtask.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\set-selfhealing.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\check-workspacehealth.ps1%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\nessus\\_%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_shell_spawn_susp_program.yml" }, { "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout", "id": "f8d6a15e-4bc8-4c27-8e5d-2b10f0b73e5b", "status": "experimental", "description": "Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout", "author": "frack113", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\powercfg.exe' ESCAPE '\\' OR OriginalFileName = 'PowerCfg.exe') AND ((CommandLine LIKE '%/setacvalueindex %' ESCAPE '\\' AND CommandLine LIKE '%SCHEME\\_CURRENT%' ESCAPE '\\' AND CommandLine LIKE '%SUB\\_VIDEO%' ESCAPE '\\' AND CommandLine LIKE '%VIDEOCONLOCK%' ESCAPE '\\') OR (CommandLine LIKE '%-change %' ESCAPE '\\' AND CommandLine LIKE '%-standby-timeout-%' ESCAPE '\\')))" ], "filename": "proc_creation_win_powercfg_execution.yml" }, { "title": "UAC Bypass Using MSConfig Token Modification - Process", "id": "ad92e3f9-7eb6-460e-96b1-582b0ccbb980", "status": "test", "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\msconfig.exe\" -5' ESCAPE '\\')" ], "filename": "proc_creation_win_uac_bypass_msconfig_gui.yml" }, { "title": "Webshell Recon Detection Via CommandLine & Processes", "id": "f64e5c19-879c-4bae-b471-6d84c8339677", "status": "test", "description": "Detects processes spawned from web servers (php, tomcat, iis...etc) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands", "author": "Cian Heasley, Florian Roth", "tags": [ "attack.persistence", "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND (CommandLine LIKE '%perl --help%' ESCAPE '\\' OR CommandLine LIKE '%python --help%' ESCAPE '\\' OR CommandLine LIKE '%python -h%' ESCAPE '\\' OR CommandLine LIKE '%python3 --help%' ESCAPE '\\' OR CommandLine LIKE '%python3 -h%' ESCAPE '\\' OR CommandLine LIKE '%wget --help%' ESCAPE '\\' OR CommandLine LIKE '%perl -h%' ESCAPE '\\'))" ], "filename": "proc_creation_win_webshell_recon_detection.yml" }, { "title": "Private Keys Reconnaissance Via CommandLine Tools", "id": "213d6a77-3d55-4ce8-ba74-fcfef741974e", "status": "test", "description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credential", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1552.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%.key%' ESCAPE '\\' OR CommandLine LIKE '%.pgp%' ESCAPE '\\' OR CommandLine LIKE '%.gpg%' ESCAPE '\\' OR CommandLine LIKE '%.ppk%' ESCAPE '\\' OR CommandLine LIKE '%.p12%' ESCAPE '\\' OR CommandLine LIKE '%.pem%' ESCAPE '\\' OR CommandLine LIKE '%.pfx%' ESCAPE '\\' OR CommandLine LIKE '%.cer%' ESCAPE '\\' OR CommandLine LIKE '%.p7b%' ESCAPE '\\' OR CommandLine LIKE '%.asc%' ESCAPE '\\') AND (((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%dir %' ESCAPE '\\') OR (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Get-ChildItem %' ESCAPE '\\') OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE'))" ], "filename": "proc_creation_win_susp_private_keys_recon.yml" }, { "title": "Audit Policy Tampering Via Auditpol", "id": "0a13e132-651d-11eb-ae93-0242ac130002", "status": "test", "description": "Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", "author": "Janantha Marasinghe (https://github.com/blueteam0ps)", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ "Administrator or administrator scripts might leverage the flags mentioned in the detection section. Either way, it should always be monitored" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\auditpol.exe' ESCAPE '\\' OR OriginalFileName = 'AUDITPOL.EXE') AND (CommandLine LIKE '%disable%' ESCAPE '\\' OR CommandLine LIKE '%clear%' ESCAPE '\\' OR CommandLine LIKE '%remove%' ESCAPE '\\' OR CommandLine LIKE '%restore%' ESCAPE '\\'))" ], "filename": "proc_creation_win_auditpol_susp_execution.yml" }, { "title": "Suspicious Rundll32 Setupapi.dll Activity", "id": "285b85b1-a555-4095-8652-a8a4106af63f", "status": "test", "description": "setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.", "author": "Konstantin Grishchenko, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "Scripts and administrative tools that use INF files for driver installation with setupapi.dll" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%setupapi.dll%' ESCAPE '\\' AND ParentCommandLine LIKE '%InstallHinfSection%' ESCAPE '\\')" ], "filename": "proc_creation_win_rundll32_setupapi_installhinfsection.yml" }, { "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE", "id": "455b9d50-15a1-4b99-853f-8d37655a4c1b", "status": "experimental", "description": "Detects active directory enumeration activity using known AdFind CLI flags", "author": "frack113", "tags": [ "attack.discovery", "attack.t1087.002" ], "falsepositives": [ "Authorized administrative activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%lockoutduration%' ESCAPE '\\' OR CommandLine LIKE '%lockoutthreshold%' ESCAPE '\\' OR CommandLine LIKE '%lockoutobservationwindow%' ESCAPE '\\' OR CommandLine LIKE '%maxpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdage%' ESCAPE '\\' OR CommandLine LIKE '%minpwdlength%' ESCAPE '\\' OR CommandLine LIKE '%pwdhistorylength%' ESCAPE '\\' OR CommandLine LIKE '%pwdproperties%' ESCAPE '\\') OR CommandLine LIKE '%-sc admincountdmp%' ESCAPE '\\' OR CommandLine LIKE '%-sc exchaddresses%' ESCAPE '\\'))" ], "filename": "proc_creation_win_pua_adfind_enumeration.yml" }, { "title": "New Service Creation Using PowerShell", "id": "c02e96b7-c63a-4c47-bd83-4a9f74afcfb2", "status": "test", "description": "Detects the creation of a new service using powershell.", "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Legitimate administrator or user creates a service for legitimate reasons.", "Software installation" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%New-Service%' ESCAPE '\\' AND CommandLine LIKE '%-BinaryPathName%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_create_service.yml" }, { "title": "HackTool - CrackMapExec PowerShell Obfuscation", "id": "6f8b3439-a203-45dc-a88b-abf57ea15ccf", "status": "test", "description": "The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.", "author": "Thomas Patzke", "tags": [ "attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1027.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%join%split%' ESCAPE '\\' OR CommandLine LIKE '%( $ShellId[1]+$ShellId[13]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $PSHome[%]+$PSHOME[%]+%' ESCAPE '\\' OR CommandLine LIKE '%( $env:Public[13]+$env:Public[5]+''x'')%' ESCAPE '\\' OR CommandLine LIKE '%( $env:ComSpec[4,%,25]-Join'''')%' ESCAPE '\\' OR CommandLine LIKE '%[1,3]+''x''-Join'''')%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml" }, { "title": "Hidden Powershell in Link File Pattern", "id": "30e92f50-bb5a-4884-98b5-d20aa80f3d7a", "status": "test", "description": "Detects events that appear when a user click on a link file with a powershell command in it", "author": "frack113", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Legitimate commands in .lnk files" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%.lnk%' ESCAPE '\\')" ], "filename": "proc_creation_win_susp_embed_exe_lnk.yml" }, { "title": "UAC Bypass Tools Using ComputerDefaults", "id": "3c05e90d-7eba-4324-9972-5d7f711a60a8", "status": "test", "description": "Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (IntegrityLevel IN ('High', 'System') AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\ComputerDefaults.exe' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%:\\\\Windows\\\\System32%' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files%' ESCAPE '\\')))" ], "filename": "proc_creation_win_uac_bypass_computerdefaults.yml" }, { "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation", "id": "70bc5215-526f-4477-963c-a47a5c9ebd12", "status": "experimental", "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", "author": "frack113", "tags": [ "attack.reconnaissance", "attack.discovery", "attack.impact" ], "falsepositives": [ "Legitimate use of the library for administrative activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Import-Module %' ESCAPE '\\' OR CommandLine LIKE '%ipmo %' ESCAPE '\\') AND CommandLine LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_active_directory_module_dll_import.yml" }, { "title": "Download Arbitrary Files Via PresentationHost.exe", "id": "b124ddf4-778d-418e-907f-6dd3fc0d31cd", "status": "experimental", "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files to download arbitrary files", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_presentationhost_download.yml" }, { "title": "Suspicious HWP Sub Processes", "id": "023394c4-29d5-46ab-92b8-6a534c6f447b", "status": "test", "description": "Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.initial_access", "attack.t1566.001", "attack.execution", "attack.t1203", "attack.t1059.003", "attack.g0032" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\Hwp.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\gbb.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_hwp_exploits.yml" }, { "title": "PowerShell Base64 Encoded Reflective Assembly Load", "id": "62b7ccc9-23b4-471e-aa15-6da3663c4d59", "status": "test", "description": "Detects base64 encoded .NET reflective loading of Assembly", "author": "Christian Burkard (Nextron Systems), pH-T (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1027", "attack.t1620" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\' OR CommandLine LIKE '%AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC%' ESCAPE '\\' OR CommandLine LIKE '%BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp%' ESCAPE '\\' OR CommandLine LIKE '%AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK%' ESCAPE '\\' OR CommandLine LIKE '%WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA%' ESCAPE '\\' OR CommandLine LIKE '%sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA%' ESCAPE '\\' OR CommandLine LIKE '%bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_base64_reflection_assembly_load.yml" }, { "title": "Suspicious Recursive Takeown", "id": "554601fb-9b71-4bcc-abf4-21a611be4fde", "status": "experimental", "description": "Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1222.001" ], "falsepositives": [ "Scripts created by developers and admins", "Administrative activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\takeown.exe' ESCAPE '\\' AND CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%/r%' ESCAPE '\\')" ], "filename": "proc_creation_win_takeown_recursive_own.yml" }, { "title": "Python Spawning Pretty TTY on Windows", "id": "480e7e51-e797-47e3-8d72-ebfce65b6d8d", "status": "experimental", "description": "Detects python spawning a pretty tty", "author": "Nextron Systems", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%python.exe' ESCAPE '\\' OR NewProcessName LIKE '%python3.exe' ESCAPE '\\' OR NewProcessName LIKE '%python2.exe' ESCAPE '\\') AND ((CommandLine LIKE '%import pty%' ESCAPE '\\' AND CommandLine LIKE '%.spawn(%' ESCAPE '\\') OR CommandLine LIKE '%from pty import spawn%' ESCAPE '\\'))" ], "filename": "proc_creation_win_python_pty_spawn.yml" }, { "title": "Use of TTDInject.exe", "id": "b27077d6-23e6-45d2-81a0-e2b356eea5fd", "status": "experimental", "description": "Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1127" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%ttdinject.exe' ESCAPE '\\' OR OriginalFileName = 'TTDInject.EXE'))" ], "filename": "proc_creation_win_lolbin_ttdinject.yml" }, { "title": "Potential AMSI Bypass Using NULL Bits - ProcessCreation", "id": "92a974db-ab84-457f-9ec0-55db83d7a825", "status": "experimental", "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR CommandLine LIKE '%#%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_amsi_null_bits_bypass.yml" }, { "title": "Changing Existing Service ImagePath Value Via Reg.EXE", "id": "9b0b7ac3-6223-47aa-a3fd-e8f211e637db", "status": "test", "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", "author": "frack113", "tags": [ "attack.persistence", "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND CommandLine LIKE '% ImagePath %' ESCAPE '\\' AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% -d %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_service_imagepath_change.yml" }, { "title": "Wlrmdr Lolbin Use as Launcher", "id": "9cfc00b6-bfb7-49ce-9781-ef78503154bb", "status": "experimental", "description": "Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute", "author": "frack113, manasmbellani", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR (((NewProcessName LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR OriginalFileName = 'WLRMNDR.EXE') AND (CommandLine LIKE '%-s %' ESCAPE '\\' AND CommandLine LIKE '%-f %' ESCAPE '\\' AND CommandLine LIKE '%-t %' ESCAPE '\\' AND CommandLine LIKE '%-m %' ESCAPE '\\' AND CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\') OR (ParentProcessName = '-')))))" ], "filename": "proc_creation_win_lolbin_wlrmdr.yml" }, { "title": "Sysinternals PsService Execution", "id": "3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f", "status": "experimental", "description": "Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.persistence", "attack.t1543.003" ], "falsepositives": [ "Legitimate use of PsService by an administrator" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'psservice.exe' OR (NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_sysinternals_psservice.yml" }, { "title": "Regsvr32 Anomaly", "id": "8e2b24c9-4add-46a0-b4bb-0057b4e6187d", "status": "experimental", "description": "Detects various anomalies in relation to regsvr32.exe", "author": "Florian Roth (Nextron Systems), oscd.community, Tim Shelton", "tags": [ "attack.defense_evasion", "attack.t1218.010", "car.2019-04-002", "car.2019-04-003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%/i:%' ESCAPE '\\' AND CommandLine LIKE '%ftp%' ESCAPE '\\' AND CommandLine LIKE '%scrobj.dll' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\..\\\\Windows\\\\System32\\\\regsvr32.exe %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND (CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.bin' ESCAPE '\\' OR CommandLine LIKE '%.tmp' ESCAPE '\\' OR CommandLine LIKE '%.temp' ESCAPE '\\' OR CommandLine LIKE '%.txt' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebEx64\\\\Meetings\\\\atucfobj.dll%' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Program Files\\\\Box\\\\Box\\\\FS\\\\streem.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Box\\\\Box\\\\Temp\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%/s C:\\\\Windows\\\\System32\\\\RpcProxy\\\\RpcProxy.dll' ESCAPE '\\')))" ], "filename": "proc_creation_win_regsvr32_anomalies.yml" }, { "title": "PowerShell Get-Clipboard Cmdlet Via CLI", "id": "b9aeac14-2ffd-4ad3-b967-1354a4e628c3", "status": "test", "description": "Detects usage of the 'Get-Clipboard' cmdlet via CLI", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.collection", "attack.t1115" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Get-Clipboard%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_get_clipboard.yml" }, { "title": "UAC Bypass Using ChangePK and SLUI", "id": "503d581c-7df0-4bbe-b9be-5840c0ecc1fc", "status": "test", "description": "Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\changepk.exe' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\slui.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], "filename": "proc_creation_win_uac_bypass_changepk_slui.yml" }, { "title": "PrintBrm ZIP Creation of Extraction", "id": "cafeeba3-01da-4ab4-b6c4-a31b1d9730c7", "status": "experimental", "description": "Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1105", "attack.defense_evasion", "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\PrintBrm.exe' ESCAPE '\\' AND CommandLine LIKE '% -f%' ESCAPE '\\' AND CommandLine LIKE '%.zip%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_printbrm.yml" }, { "title": "Suspicious Service Path Modification", "id": "138d3531-8793-4f50-a2cd-f291b2863d78", "status": "test", "description": "Detects service path modification via the \"sc\" binary to a suspicious command or path", "author": "Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd %' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%svchost%' ESCAPE '\\' OR CommandLine LIKE '%dllhost%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\'))" ], "filename": "proc_creation_win_sc_service_path_modification.yml" }, { "title": "HackTool - ADCSPwn Execution", "id": "cd8c163e-a19b-402e-bdd5-419ff5859f12", "status": "test", "description": "Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1557.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% --adcs %' ESCAPE '\\' AND CommandLine LIKE '% --port %' ESCAPE '\\')" ], "filename": "proc_creation_win_hktl_adcspwn.yml" }, { "title": "Suspicious Msiexec Quiet Install From Remote Location", "id": "8150732a-0c9d-4a99-82b9-9efb9b90c40c", "status": "experimental", "description": "Detects usage of Msiexec.exe to install packages hosted remotely quietly", "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "medium", "tags": [ "attack.defense_evasion", "attack.t1218.007" ], "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName = 'msiexec.exe') AND (CommandLine LIKE '%/i%' ESCAPE '\\' OR CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/package%' ESCAPE '\\' OR CommandLine LIKE '%-package%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/j%' ESCAPE '\\' OR CommandLine LIKE '%-j%' ESCAPE '\\') AND (CommandLine LIKE '%/q%' ESCAPE '\\' OR CommandLine LIKE '%-q%' ESCAPE '\\') AND (CommandLine LIKE '%http%' ESCAPE '\\' OR CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\'))" ], "filename": "proc_creation_win_msiexec_install_remote.yml" }, { "title": "Suspicious IIS Module Registration", "id": "043c4b8b-3a54-4780-9682-081cb6b8185c", "status": "test", "description": "Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors", "author": "Florian Roth (Nextron Systems), Microsoft (idea)", "falsepositives": [ "Administrative activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND (CommandLine LIKE '%appcmd.exe add module%' ESCAPE '\\' OR (CommandLine LIKE '% system.enterpriseservices.internal.publish%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\') OR (CommandLine LIKE '%gacutil%' ESCAPE '\\' AND CommandLine LIKE '% /I%' ESCAPE '\\')))" ], "filename": "proc_creation_win_iis_susp_module_registration.yml" }, { "title": "Findstr Launching .lnk File", "id": "33339be3-148b-4e16-af56-ad16ec6c7e7b", "status": "test", "description": "Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack", "author": "Trent Liffick", "tags": [ "attack.defense_evasion", "attack.t1036", "attack.t1202", "attack.t1027.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%.lnk' ESCAPE '\\')" ], "filename": "proc_creation_win_findstr_lnk.yml" }, { "title": "Sdiagnhost Calling Suspicious Child Process", "id": "f3d39c45-de1a-4486-a687-ab126124f744", "status": "experimental", "description": "Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)", "author": "Nextron Systems", "tags": [ "attack.defense_evasion", "attack.t1036", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_sdiagnhost_susp_child.yml" }, { "title": "PowerShell Web Download and Execution", "id": "85b0b087-eddf-4a2b-b033-d771fa2b9775", "status": "experimental", "description": "Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Scripts or tools that download files and execute them" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\') AND (CommandLine LIKE '%IEX(%' ESCAPE '\\' OR CommandLine LIKE '%IEX (%' ESCAPE '\\' OR CommandLine LIKE '%I`EX%' ESCAPE '\\' OR CommandLine LIKE '%IE`X%' ESCAPE '\\' OR CommandLine LIKE '%I`E`X%' ESCAPE '\\' OR CommandLine LIKE '%| IEX%' ESCAPE '\\' OR CommandLine LIKE '%|IEX %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Expression%' ESCAPE '\\' OR CommandLine LIKE '%;iex $%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_download_iex.yml" }, { "title": "Suspicious Hacktool Execution - PE Metadata", "id": "37c1333a-a0db-48be-b64b-7393b2386e3b", "status": "experimental", "description": "Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Company = 'Cube0x0')" ], "filename": "proc_creation_win_hktl_execution_via_pe_metadata.yml" }, { "title": "Suspicious Call by Ordinal", "id": "e79a9e79-eb72-4e78-a628-0e7e8f59e89c", "status": "stable", "description": "Detects suspicious calls of DLLs in rundll32.dll exports by ordinal", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "False positives depend on scripts and administrative tools used in the monitored environment", "Windows control panel elements have been identified as source (mmc)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%,#%' ESCAPE '\\' OR CommandLine LIKE '%, #%' ESCAPE '\\' OR CommandLine LIKE '%.dll #%' ESCAPE '\\' OR CommandLine LIKE '%.ocx #%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%EDGEHTML.dll%' ESCAPE '\\' AND CommandLine LIKE '%#141%' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Tracker.exe%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\FileTracker32.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker32.dll\",#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll,#1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\FileTracker64.dll\",#1%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_rundll32_by_ordinal.yml" }, { "title": "LSA PPL Protection Disabled Via Reg.EXE", "id": "8c0eca51-0f88-4db2-9183-fdfb10c703f9", "status": "experimental", "description": "Detects the usage of the \"reg.exe\" utility to disable PPL protection on the LSA process", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.010" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '% /d 0%' ESCAPE '\\' AND CommandLine LIKE '% /v RunAsPPL %' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_lsa_ppl_protection_disabled.yml" }, { "title": "Suspicious Windows App Activity", "id": "f91ed517-a6ba-471d-9910-b3b4a398c0f3", "status": "experimental", "description": "Detects suspicious children of application launched from inside the WindowsApps directory. This could be a sign of a rogue \".appx\" package installation/execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\poweshell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%Base64%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_appx_execution.yml" }, { "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines", "id": "f26c6093-6f14-4b12-800f-0fcb46f5ffd0", "status": "test", "description": "Detects base64 encoded strings used in hidden malicious PowerShell command lines", "author": "John Lambert (rule)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '% hidden %' ESCAPE '\\' AND (CommandLine LIKE '%AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%aXRzYWRtaW4gL3RyYW5zZmVy%' ESCAPE '\\' OR CommandLine LIKE '%IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%JpdHNhZG1pbiAvdHJhbnNmZX%' ESCAPE '\\' OR CommandLine LIKE '%YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%Yml0c2FkbWluIC90cmFuc2Zlc%' ESCAPE '\\' OR CommandLine LIKE '%AGMAaAB1AG4AawBfAHMAaQB6AGUA%' ESCAPE '\\' OR CommandLine LIKE '%JABjAGgAdQBuAGsAXwBzAGkAegBlA%' ESCAPE '\\' OR CommandLine LIKE '%JGNodW5rX3Npem%' ESCAPE '\\' OR CommandLine LIKE '%QAYwBoAHUAbgBrAF8AcwBpAHoAZQ%' ESCAPE '\\' OR CommandLine LIKE '%RjaHVua19zaXpl%' ESCAPE '\\' OR CommandLine LIKE '%Y2h1bmtfc2l6Z%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg%' ESCAPE '\\' OR CommandLine LIKE '%lPLkNvbXByZXNzaW9u%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA%' ESCAPE '\\' OR CommandLine LIKE '%SU8uQ29tcHJlc3Npb2%' ESCAPE '\\' OR CommandLine LIKE '%Ty5Db21wcmVzc2lvb%' ESCAPE '\\' OR CommandLine LIKE '%AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ%' ESCAPE '\\' OR CommandLine LIKE '%kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA%' ESCAPE '\\' OR CommandLine LIKE '%lPLk1lbW9yeVN0cmVhb%' ESCAPE '\\' OR CommandLine LIKE '%SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A%' ESCAPE '\\' OR CommandLine LIKE '%SU8uTWVtb3J5U3RyZWFt%' ESCAPE '\\' OR CommandLine LIKE '%Ty5NZW1vcnlTdHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%4ARwBlAHQAQwBoAHUAbgBrA%' ESCAPE '\\' OR CommandLine LIKE '%5HZXRDaHVua%' ESCAPE '\\' OR CommandLine LIKE '%AEcAZQB0AEMAaAB1AG4Aaw%' ESCAPE '\\' OR CommandLine LIKE '%LgBHAGUAdABDAGgAdQBuAGsA%' ESCAPE '\\' OR CommandLine LIKE '%LkdldENodW5r%' ESCAPE '\\' OR CommandLine LIKE '%R2V0Q2h1bm%' ESCAPE '\\' OR CommandLine LIKE '%AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A%' ESCAPE '\\' OR CommandLine LIKE '%QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA%' ESCAPE '\\' OR CommandLine LIKE '%RIUkVBRF9JTkZPNj%' ESCAPE '\\' OR CommandLine LIKE '%SFJFQURfSU5GTzY0%' ESCAPE '\\' OR CommandLine LIKE '%VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA%' ESCAPE '\\' OR CommandLine LIKE '%VEhSRUFEX0lORk82N%' ESCAPE '\\' OR CommandLine LIKE '%AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA%' ESCAPE '\\' OR CommandLine LIKE '%cmVhdGVSZW1vdGVUaHJlYW%' ESCAPE '\\' OR CommandLine LIKE '%MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA%' ESCAPE '\\' OR CommandLine LIKE '%NyZWF0ZVJlbW90ZVRocmVhZ%' ESCAPE '\\' OR CommandLine LIKE '%Q3JlYXRlUmVtb3RlVGhyZWFk%' ESCAPE '\\' OR CommandLine LIKE '%QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA%' ESCAPE '\\' OR CommandLine LIKE '%0AZQBtAG0AbwB2AGUA%' ESCAPE '\\' OR CommandLine LIKE '%1lbW1vdm%' ESCAPE '\\' OR CommandLine LIKE '%AGUAbQBtAG8AdgBlA%' ESCAPE '\\' OR CommandLine LIKE '%bQBlAG0AbQBvAHYAZQ%' ESCAPE '\\' OR CommandLine LIKE '%bWVtbW92Z%' ESCAPE '\\' OR CommandLine LIKE '%ZW1tb3Zl%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_hidden_b64_cmd.yml" }, { "title": "HackTool - SafetyKatz Execution", "id": "b1876533-4ed5-4a83-90f3-b8645840a413", "status": "experimental", "description": "Detects the execution of the hacktool SafetyKatz via PE information and default Image name", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\SafetyKatz.exe' ESCAPE '\\' OR OriginalFileName = 'SafetyKatz.exe' OR Description = 'SafetyKatz'))" ], "filename": "proc_creation_win_hktl_safetykatz.yml" }, { "title": "Potential Data Stealing Via Chromium Headless Debugging", "id": "3e8207c5-fcd2-4ea6-9418-15d45b4890e4", "status": "experimental", "description": "Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1185" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--remote-debugging-%' ESCAPE '\\' AND CommandLine LIKE '%--user-data-dir%' ESCAPE '\\' AND CommandLine LIKE '%--headless%' ESCAPE '\\')" ], "filename": "proc_creation_win_browsers_chromium_headless_debugging.yml" }, { "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE", "id": "954f0af7-62dd-418f-b3df-a84bc2c7a774", "status": "experimental", "description": "Detects the usage of \"mstsc.exe\" with the \"/v\" flag to initiate a connection to a remote server.\nAdversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n", "author": "frack113", "tags": [ "attack.lateral_movement", "attack.t1021.001" ], "falsepositives": [ "WSL (Windows Sub System For Linux)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND CommandLine LIKE '% /v:%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Microsoft\\\\WSL\\\\wslg.rdp%' ESCAPE '\\')))" ], "filename": "proc_creation_win_mstsc_remote_connection.yml" }, { "title": "PUA - WebBrowserPassView Execution", "id": "d0dae994-26c6-4d2d-83b5-b3c8b79ae513", "status": "experimental", "description": "Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1555.003" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Web Browser Password Viewer' OR NewProcessName LIKE '%\\\\WebBrowserPassView.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_pua_webbrowserpassview.yml" }, { "title": "PowerShell Web Download", "id": "6e897651-f157-4d8f-aaeb-df8151488385", "status": "experimental", "description": "Detects suspicious ways to download files or content using PowerShell", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Scripts or tools that download files" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%.DownloadString(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest %' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_download_cradles.yml" }, { "title": "HackTool - Rubeus Execution", "id": "7ec2c172-dceb-4c10-92c9-87c1881b7e18", "status": "stable", "description": "Detects the execution of the hacktool Rubeus via PE information of command line parameters", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003", "attack.t1558.003", "attack.lateral_movement", "attack.t1550.003" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\Rubeus.exe' ESCAPE '\\' OR OriginalFileName = 'Rubeus.exe' OR Description = 'Rubeus' OR (CommandLine LIKE '%asreproast %' ESCAPE '\\' OR CommandLine LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR CommandLine LIKE '%dump /luid:0x%' ESCAPE '\\' OR CommandLine LIKE '%kerberoast %' ESCAPE '\\' OR CommandLine LIKE '%createnetonly /program:%' ESCAPE '\\' OR CommandLine LIKE '%ptt /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%/impersonateuser:%' ESCAPE '\\' OR CommandLine LIKE '%renew /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%asktgt /user:%' ESCAPE '\\' OR CommandLine LIKE '%harvest /interval:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /user:%' ESCAPE '\\' OR CommandLine LIKE '%s4u /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%hash /password:%' ESCAPE '\\' OR CommandLine LIKE '%golden /aes256:%' ESCAPE '\\' OR CommandLine LIKE '%silver /user:%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_rubeus.yml" }, { "title": "Renamed FTP.EXE Execution", "id": "277a4393-446c-449a-b0ed-7fdc7795244c", "status": "test", "description": "Detects the execution of a renamed \"ftp.exe\" binary based on the PE metadata fields", "author": "Victor Sergeev, oscd.community", "tags": [ "attack.execution", "attack.t1059", "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'ftp.exe' AND NOT (NewProcessName LIKE '%\\\\ftp.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_ftp.yml" }, { "title": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution", "id": "a20391f8-76fb-437b-abc0-dba2df1952c6", "status": "test", "description": "Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Legitimate use by developers as part of NodeJS development with Visual Studio Tools" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\Microsoft.NodejsTools.PressAnyKey.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_pressanykey_lolbin_execution.yml" }, { "title": "Suspicious Greedy Compression Using Rar.EXE", "id": "afe52666-401e-4a02-b4ff-5d128990b8cb", "status": "experimental", "description": "Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes", "author": "X__Junior (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR Description = 'Command line RAR' OR (CommandLine LIKE '%.exe a %' ESCAPE '\\' OR CommandLine LIKE '% a -m%' ESCAPE '\\')) AND (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% -r %' ESCAPE '\\' AND (CommandLine LIKE '% C:\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\\\\\\\*.%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '% \\%public\\%%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '% C:\\\\$Recycle.bin\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_rar_susp_greedy_compression.yml" }, { "title": "Suspicious PowerShell Download and Execute Pattern", "id": "e6c54d94-498c-4562-a37c-b469d8e9a275", "status": "experimental", "description": "Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Software installers that pull packages from remote systems and execute them" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IEX ((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX (New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX((New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%IEX(New-Object Net.WebClient).DownloadString%' ESCAPE '\\' OR CommandLine LIKE '% -command (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '% -c (New-Object System.Net.WebClient).DownloadFile(%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_susp_download_patterns.yml" }, { "title": "File With Suspicious Extension Downloaded Via Bitsadmin", "id": "5b80a791-ad9b-4b75-bcc1-ad4e1e89c200", "status": "experimental", "description": "Detects usage of bitsadmin downloading a file with a suspicious extension", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1197", "attack.s0190", "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%.asax%' ESCAPE '\\' OR CommandLine LIKE '%.ashx%' ESCAPE '\\' OR CommandLine LIKE '%.asmx%' ESCAPE '\\' OR CommandLine LIKE '%.asp%' ESCAPE '\\' OR CommandLine LIKE '%.aspx%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cfm%' ESCAPE '\\' OR CommandLine LIKE '%.cgi%' ESCAPE '\\' OR CommandLine LIKE '%.chm%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.jsp%' ESCAPE '\\' OR CommandLine LIKE '%.jspx%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.ps1%' ESCAPE '\\' OR CommandLine LIKE '%.psm1%' ESCAPE '\\' OR CommandLine LIKE '%.scf%' ESCAPE '\\' OR CommandLine LIKE '%.sct%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\' OR CommandLine LIKE '%.war%' ESCAPE '\\' OR CommandLine LIKE '%.wsf%' ESCAPE '\\' OR CommandLine LIKE '%.wsh%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.rar%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], "filename": "proc_creation_win_bitsadmin_download_susp_extensions.yml" }, { "title": "Potential WinAPI Calls Via CommandLine", "id": "ba3f5c1b-6272-4119-9dbd-0bc8d21c2702", "status": "experimental", "description": "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1106" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%AddSecurityPackage%' ESCAPE '\\' OR CommandLine LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR CommandLine LIKE '%Advapi32%' ESCAPE '\\' OR CommandLine LIKE '%CloseHandle%' ESCAPE '\\' OR CommandLine LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR CommandLine LIKE '%CreatePseudoConsole%' ESCAPE '\\' OR CommandLine LIKE '%CreateRemoteThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateThread%' ESCAPE '\\' OR CommandLine LIKE '%CreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%DangerousGetHandle%' ESCAPE '\\' OR CommandLine LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR CommandLine LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR CommandLine LIKE '%FreeHGlobal%' ESCAPE '\\' OR CommandLine LIKE '%FreeLibrary%' ESCAPE '\\' OR CommandLine LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR CommandLine LIKE '%GetLogonSessionData%' ESCAPE '\\' OR CommandLine LIKE '%GetModuleHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetProcAddress%' ESCAPE '\\' OR CommandLine LIKE '%GetProcessHandle%' ESCAPE '\\' OR CommandLine LIKE '%GetTokenInformation%' ESCAPE '\\' OR CommandLine LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR CommandLine LIKE '%kernel32%' ESCAPE '\\' OR CommandLine LIKE '%LoadLibrary%' ESCAPE '\\' OR CommandLine LIKE '%memcpy%' ESCAPE '\\' OR CommandLine LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR CommandLine LIKE '%ntdll%' ESCAPE '\\' OR CommandLine LIKE '%OpenDesktop%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcess%' ESCAPE '\\' OR CommandLine LIKE '%OpenProcessToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%OpenWindowStation%' ESCAPE '\\' OR CommandLine LIKE '%PtrToString%' ESCAPE '\\' OR CommandLine LIKE '%QueueUserApc%' ESCAPE '\\' OR CommandLine LIKE '%ReadProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR CommandLine LIKE '%secur32%' ESCAPE '\\' OR CommandLine LIKE '%SetThreadToken%' ESCAPE '\\' OR CommandLine LIKE '%VirtualAlloc%' ESCAPE '\\' OR CommandLine LIKE '%VirtualFree%' ESCAPE '\\' OR CommandLine LIKE '%VirtualProtect%' ESCAPE '\\' OR CommandLine LIKE '%WaitForSingleObject%' ESCAPE '\\' OR CommandLine LIKE '%WriteInt32%' ESCAPE '\\' OR CommandLine LIKE '%WriteProcessMemory%' ESCAPE '\\' OR CommandLine LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' AND CommandLine LIKE '%GetLoadLibraryWAddress32%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_inline_win_api_access.yml" }, { "title": "Suspicious Runscripthelper.exe", "id": "eca49c87-8a75-4f13-9c73-a5a29e845f03", "status": "test", "description": "Detects execution of powershell scripts via Runscripthelper.exe", "author": "Victor Sergeev, oscd.community", "tags": [ "attack.execution", "attack.t1059", "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\Runscripthelper.exe' ESCAPE '\\' AND CommandLine LIKE '%surfacecheck%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_runscripthelper.yml" }, { "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION", "id": "e9f55347-2928-4c06-88e5-1a7f8169942e", "status": "test", "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%&&set%' ESCAPE '\\' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%{0}%' ESCAPE '\\' OR CommandLine LIKE '%{1}%' ESCAPE '\\' OR CommandLine LIKE '%{2}%' ESCAPE '\\' OR CommandLine LIKE '%{3}%' ESCAPE '\\' OR CommandLine LIKE '%{4}%' ESCAPE '\\' OR CommandLine LIKE '%{5}%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_via_var.yml" }, { "title": "Uncommon One Time Only Scheduled Task At 00:00", "id": "970823b7-273b-460a-8afc-3a6811998529", "status": "experimental", "description": "Detects scheduled task creation events that include suspicious actions, and is run once at 00:00", "author": "pH-T (Nextron Systems)", "falsepositives": [ "Software installation" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\schtasks.exe%' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32.exe%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%once%' ESCAPE '\\' AND CommandLine LIKE '%00:00%' ESCAPE '\\'))" ], "filename": "proc_creation_win_schtasks_one_time_only_midnight_task.yml" }, { "title": "Bypass UAC via WSReset.exe", "id": "d797268e-28a9-49a7-b9a8-2f5039011c5c", "status": "test", "description": "Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.", "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, Florian Roth", "tags": [ "attack.privilege_escalation", "attack.defense_evasion", "attack.t1548.002" ], "falsepositives": [ "Unknown sub processes of Wsreset.exe" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\wsreset.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR OriginalFileName = 'CONHOST.EXE'))" ], "filename": "proc_creation_win_uac_bypass_wsreset.yml" }, { "title": "Suspicious Command With Teams Objects Paths", "id": "d2eb17db-1d39-41dc-b57f-301f6512fa75", "status": "experimental", "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", "author": "@SerkinValery", "tags": [ "attack.credential_access", "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_teams_suspicious_command_line_cred_access.yml" }, { "title": "Port Forwarding Attempt Via SSH", "id": "327f48c1-a6db-4eb8-875a-f6981f1b0183", "status": "experimental", "description": "Detects suspicious SSH tunnel port forwarding to a local port", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.lateral_movement", "attack.t1572", "attack.t1021.001", "attack.t1021.004" ], "falsepositives": [ "Administrative activity using a remote port forwarding to a local port" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], "filename": "proc_creation_win_ssh_port_forward.yml" }, { "title": "Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN", "id": "d80d5c81-04ba-45b4-84e4-92eba40e0ad3", "status": "test", "description": "dotnet.exe will execute any DLL and execute unsigned code", "author": "Beyu Denis, oscd.community", "tags": [ "attack.execution", "attack.t1218" ], "falsepositives": [ "System administrator Usage" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\dotnet.exe' ESCAPE '\\' OR OriginalFileName = '.NET Host') AND (CommandLine LIKE '%.dll' ESCAPE '\\' OR CommandLine LIKE '%.csproj' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_dotnet.yml" }, { "title": "Execution via Diskshadow.exe", "id": "0c2f8629-7129-4a8a-9897-7e0768f13ff2", "status": "test", "description": "Detects using Diskshadow.exe to execute arbitrary code in text file", "author": "Ivan Dyachkov, oscd.community", "tags": [ "attack.execution", "attack.t1218" ], "falsepositives": [ "False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_diskshadow.yml" }, { "title": "SQLite Chromium Profile Data DB Access", "id": "24c77512-782b-448a-8950-eddb0785fc71", "status": "experimental", "description": "Detect usage of the \"sqlite\" binary to query databases in Chromium-based browsers for potential data stealing.", "author": "TropChaud", "tags": [ "attack.credential_access", "attack.t1539", "attack.t1555.003", "attack.collection", "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Opera Software\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\ChromiumViewer\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%Login Data%' ESCAPE '\\' OR CommandLine LIKE '%Cookies%' ESCAPE '\\' OR CommandLine LIKE '%Web Data%' ESCAPE '\\' OR CommandLine LIKE '%History%' ESCAPE '\\' OR CommandLine LIKE '%Bookmarks%' ESCAPE '\\'))" ], "filename": "proc_creation_win_sqlite_chromium_profile_data.yml" }, { "title": "Remote Access Tool - ScreenConnect Execution", "id": "57bff678-25d1-4d6c-8211-8ca106d12053", "status": "test", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate usage of the tool" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'ScreenConnect Service' OR Product = 'ScreenConnect' OR Company = 'ScreenConnect Software'))" ], "filename": "proc_creation_win_remote_access_tools_screenconnect.yml" }, { "title": "Enumeration for Credentials in Registry", "id": "e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1", "status": "test", "description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1552.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '% query %' ESCAPE '\\' AND CommandLine LIKE '%/t %' ESCAPE '\\' AND CommandLine LIKE '%REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/s%' ESCAPE '\\') AND ((CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKLM%' ESCAPE '\\') OR (CommandLine LIKE '%/f %' ESCAPE '\\' AND CommandLine LIKE '%HKCU%' ESCAPE '\\') OR CommandLine LIKE '%HKCU\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_enumeration_for_credentials_in_registry.yml" }, { "title": "Time Travel Debugging Utility Usage", "id": "0b4ae027-2a2d-4b93-8c7e-962caaba5b2a", "status": "test", "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ "attack.defense_evasion", "attack.credential_access", "attack.t1218", "attack.t1003.001" ], "falsepositives": [ "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\tttracer.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_tttracer_mod_load.yml" }, { "title": "Suspicious Cabinet File Expansion", "id": "9f107a84-532c-41af-b005-8d12a607639f", "status": "test", "description": "Adversaries can use the built-in expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack", "author": "Bhabesh Raj", "tags": [ "attack.execution", "attack.t1218" ], "falsepositives": [ "System administrator Usage" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\expand.exe' ESCAPE '\\' AND (CommandLine LIKE '%.cab%' ESCAPE '\\' OR CommandLine LIKE '%/F:%' ESCAPE '\\' OR CommandLine LIKE '%-F:%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_expand_cabinet_files.yml" }, { "title": "Raccine Uninstall", "id": "a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc", "status": "test", "description": "Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate deinstallation by administrative staff" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%taskkill %' ESCAPE '\\' AND CommandLine LIKE '%RaccineSettings.exe%' ESCAPE '\\') OR (CommandLine LIKE '%reg.exe%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Tray%' ESCAPE '\\') OR (CommandLine LIKE '%schtasks%' ESCAPE '\\' AND CommandLine LIKE '%/DELETE%' ESCAPE '\\' AND CommandLine LIKE '%Raccine Rules Updater%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_disable_raccine.yml" }, { "title": "Curl.EXE Execution With Custom UserAgent", "id": "3286d37a-00fd-41c2-a624-a672dcd34e60", "status": "test", "description": "Detects execution of curl.exe with custom useragent options", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1071.001" ], "falsepositives": [ "Scripts created by developers and admins", "Administrative activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -A %' ESCAPE '\\' OR CommandLine LIKE '% --user-agent %' ESCAPE '\\'))" ], "filename": "proc_creation_win_curl_useragent.yml" }, { "title": "PUA - Ngrok Execution", "id": "ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31", "status": "test", "description": "Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available.\nInvolved domains are bin.equinox.io for download and *.ngrok.io for connections.\n", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1572" ], "falsepositives": [ "Another tool that uses the command line switches of Ngrok", "Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% tcp 139%' ESCAPE '\\' OR CommandLine LIKE '% tcp 445%' ESCAPE '\\' OR CommandLine LIKE '% tcp 3389%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5985%' ESCAPE '\\' OR CommandLine LIKE '% tcp 5986%' ESCAPE '\\') OR (CommandLine LIKE '% start %' ESCAPE '\\' AND CommandLine LIKE '%--all%' ESCAPE '\\' AND CommandLine LIKE '%--config%' ESCAPE '\\' AND CommandLine LIKE '%.yml%' ESCAPE '\\') OR (NewProcessName LIKE '%ngrok.exe' ESCAPE '\\' AND (CommandLine LIKE '% tcp %' ESCAPE '\\' OR CommandLine LIKE '% http %' ESCAPE '\\' OR CommandLine LIKE '% authtoken %' ESCAPE '\\')) OR (CommandLine LIKE '%.exe authtoken %' ESCAPE '\\' OR CommandLine LIKE '%.exe start --all%' ESCAPE '\\')))" ], "filename": "proc_creation_win_pua_ngrok.yml" }, { "title": "User Discovery And Export Via Get-ADUser Cmdlet", "id": "1114e048-b69c-4f41-bc20-657245ae6e3f", "status": "experimental", "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1033" ], "falsepositives": [ "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Get-ADUser %' ESCAPE '\\' AND CommandLine LIKE '% -Filter \\*' ESCAPE '\\' AND (CommandLine LIKE '% > %' ESCAPE '\\' OR CommandLine LIKE '% | Select %' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%Set-Content%' ESCAPE '\\' OR CommandLine LIKE '%Add-Content%' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_user_discovery_get_aduser.yml" }, { "title": "Start Windows Service Via Net.EXE", "id": "2a072a96-a086-49fa-bcb5-15cc5a619093", "status": "test", "description": "Detects the usage of the \"net.exe\" command to start a service using the \"start\" flag", "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.execution", "attack.t1569.002" ], "falsepositives": [ "Legitimate administrator or user executes a service for legitimate reasons." ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% start %' ESCAPE '\\')" ], "filename": "proc_creation_win_net_start_service.yml" }, { "title": "Malicious PE Execution by Microsoft Visual Studio Debugger", "id": "15c7904e-6ad1-4a45-9b46-5fb25df37fd2", "status": "test", "description": "There is an option for a MS VS Just-In-Time Debugger \"vsjitdebugger.exe\" to launch specified executable and attach a debugger.\nThis option may be used adversaries to execute malicious code by signed verified binary.\nThe debugger is installed alongside with Microsoft Visual Studio package.\n", "author": "Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community", "tags": [ "attack.t1218", "attack.defense_evasion" ], "falsepositives": [ "The process spawned by vsjitdebugger.exe is uncommon." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\vsjitdebugger.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\vsimmersiveactivatehelper%.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\devenv.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_use_of_vsjitdebugger_bin.yml" }, { "title": "Fake Instance Of Hxtsr.exe", "id": "4e762605-34a8-406d-b72e-c1a089313320", "status": "test", "description": "HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.\nHxTsr.exe is part of Outlook apps, because it resides in a hidden \"WindowsApps\" subfolder of \"C:\\Program Files\".\nIts path includes a version number, e.g., \"C:\\Program Files\\WindowsApps\\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\\HxTsr.exe\".\nAny instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe\n", "author": "Sreeman", "tags": [ "attack.defense_evasion", "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NewProcessName = 'hxtsr.exe' AND NOT (CurrentDirectory LIKE 'C:\\\\program files\\\\windowsapps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND CurrentDirectory LIKE '%\\\\hxtsr.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_hxtsr_masquerading.yml" }, { "title": "WScript or CScript Dropper", "id": "cea72823-df4d-4567-950c-0b579eaf0846", "status": "test", "description": "Detects wscript/cscript executions of scripts located in user directories", "author": "Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community", "tags": [ "attack.execution", "attack.t1059.005", "attack.t1059.007" ], "falsepositives": [ "Winzip", "Other self-extractors" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.jse%' ESCAPE '\\' OR CommandLine LIKE '%.vbe%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.vba%' ESCAPE '\\' OR CommandLine LIKE '%.vbs%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\winzip%' ESCAPE '\\'))" ], "filename": "proc_creation_win_malware_script_dropper.yml" }, { "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder", "id": "065b00ca-5d5c-4557-ac95-64a6d0b64d86", "status": "experimental", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate use of AnyDesk from a non-standard folder" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH') AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files (x86)\\\\AnyDesk%' ESCAPE '\\' OR NewProcessName LIKE '%Program Files\\\\AnyDesk%' ESCAPE '\\')))" ], "filename": "proc_creation_win_remote_access_tools_anydesk_susp_exec.yml" }, { "title": "Findstr LSASS", "id": "fe63010f-8823-4864-a96b-a7b4a0f7b929", "status": "experimental", "description": "Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1552.006" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '%lsass%' ESCAPE '\\') OR (CommandLine LIKE '% /i lsass.exe%' ESCAPE '\\' OR CommandLine LIKE '% /i \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr \"lsass%' ESCAPE '\\' OR CommandLine LIKE '%findstr.exe \"lsass%' ESCAPE '\\')))" ], "filename": "proc_creation_win_findstr_lsass.yml" }, { "title": "Suspicious Encoded PowerShell Command Line", "id": "ca2092a1-c273-4878-9b4b-0d60115bf5ea", "status": "test", "description": "Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)", "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community", "tags": [ "attack.execution", "attack.t1059.001" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '% -e%' ESCAPE '\\' AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAA%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% UwB%' ESCAPE '\\' OR CommandLine LIKE '% cwB%' ESCAPE '\\')) OR (CommandLine LIKE '%.exe -ENCOD %' ESCAPE '\\' OR CommandLine LIKE '% BA^J e-%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '% -ExecutionPolicy remotesigned %' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_base64_encoded_cmd.yml" }, { "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE", "id": "0d5675be-bc88-4172-86d3-1e96a4476536", "status": "experimental", "description": "Detects the execution of \"reg.exe\" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\\Control\\Terminal Server' values", "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ "attack.defense_evasion", "attack.lateral_movement", "attack.t1021.001", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '% add %' ESCAPE '\\' AND CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\Terminal Server%' ESCAPE '\\' AND CommandLine LIKE '%REG\\_DWORD%' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')) AND ((CommandLine LIKE '%Licensing Core%' ESCAPE '\\' AND CommandLine LIKE '%EnableConcurrentSessions%' ESCAPE '\\') OR (CommandLine LIKE '%WinStations\\\\RDP-Tcp%' ESCAPE '\\' OR CommandLine LIKE '%MaxInstanceCount%' ESCAPE '\\' OR CommandLine LIKE '%fEnableWinStation%' ESCAPE '\\' OR CommandLine LIKE '%TSUserEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSEnabled%' ESCAPE '\\' OR CommandLine LIKE '%TSAppCompat%' ESCAPE '\\' OR CommandLine LIKE '%IdleWinStationPoolCount%' ESCAPE '\\' OR CommandLine LIKE '%TSAdvertise%' ESCAPE '\\' OR CommandLine LIKE '%AllowTSConnections%' ESCAPE '\\' OR CommandLine LIKE '%fSingleSessionPerUser%' ESCAPE '\\' OR CommandLine LIKE '%fDenyTSConnections%' ESCAPE '\\')))" ], "filename": "proc_creation_win_reg_rdp_keys_tamper.yml" }, { "title": "PUA - 3Proxy Execution", "id": "f38a82d2-fba3-4781-b549-525efbec8506", "status": "experimental", "description": "Detects the use of 3proxy, a tiny free proxy server", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1572" ], "falsepositives": [ "Administrative activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\3proxy.exe' ESCAPE '\\' OR Description = '3proxy - tiny proxy server' OR CommandLine LIKE '%.exe -i127.0.0.1 -p%' ESCAPE '\\'))" ], "filename": "proc_creation_win_pua_3proxy_execution.yml" }, { "title": "Suspicious VBoxDrvInst.exe Parameters", "id": "b7b19cb6-9b32-4fc4-a108-73f19acfe262", "status": "test", "description": "Detect VBoxDrvInst.exe run with parameters allowing processing INF file.\nThis allows to create values in the registry and install drivers.\nFor example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys\n", "author": "Konstantin Grishchenko, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\VBoxDrvInst.exe' ESCAPE '\\' AND CommandLine LIKE '%driver%' ESCAPE '\\' AND CommandLine LIKE '%executeinf%' ESCAPE '\\')" ], "filename": "proc_creation_win_virtualbox_vboxdrvinst_execution.yml" }, { "title": "Lolbin Ssh.exe Use As Proxy", "id": "7d6d30b8-5b91-4b90-a891-46cccaf29598", "status": "experimental", "description": "Detect usage of the \"ssh.exe\" binary as a proxy to launch other programs", "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Legitimate usage for administration purposes" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\OpenSSH\\\\sshd.exe' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND (CommandLine LIKE '%ProxyCommand=%' ESCAPE '\\' OR (CommandLine LIKE '%PermitLocalCommand%' ESCAPE '\\' AND CommandLine LIKE '%LocalCommand%' ESCAPE '\\')))))" ], "filename": "proc_creation_win_lolbin_ssh.yml" }, { "title": "Windows Defender Download Activity", "id": "46123129-1024-423e-9fae-43af4a0fa9a5", "status": "test", "description": "Detect the use of Windows Defender to download payloads", "author": "Matthew Matchen", "tags": [ "attack.defense_evasion", "attack.t1218", "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%MpCmdRun.exe%' ESCAPE '\\' OR Description = 'Microsoft Malware Protection Command Line Utility') AND (CommandLine LIKE '%DownloadFile%' ESCAPE '\\' AND CommandLine LIKE '%url%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_susp_mpcmdrun_download.yml" }, { "title": "HackTool - SecurityXploded Execution", "id": "7679d464-4f74-45e2-9e01-ac66c5eb041a", "status": "stable", "description": "Detects the execution of SecurityXploded Tools", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1555" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Company = 'SecurityXploded' OR NewProcessName LIKE '%PasswordDump.exe' ESCAPE '\\' OR OriginalFileName LIKE '%PasswordDump.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_secutyxploded.yml" }, { "title": "Potential Command Line Path Traversal Evasion Attempt", "id": "1327381e-6ab0-4f38-b583-4c1b8346a56b", "status": "experimental", "description": "Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036" ], "falsepositives": [ "Google Drive", "Citrix" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\Windows\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\..\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\..\\\\..\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.exe\\\\..\\\\%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\Google\\\\Drive\\\\googledrivesync.exe\\\\..\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\Citrix\\\\Virtual Smart Card\\\\Citrix.Authentication.VirtualSmartcard.Launcher.exe\\\\..\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_commandline_path_traversal_evasion.yml" }, { "title": "Conhost.exe CommandLine Path Traversal", "id": "ee5e119b-1f75-4b34-add8-3be976961e39", "status": "experimental", "description": "detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentCommandLine LIKE '%conhost%' ESCAPE '\\' AND CommandLine LIKE '%/../../%' ESCAPE '\\')" ], "filename": "proc_creation_win_conhost_path_traversal.yml" }, { "title": "File Download Via Bitsadmin To An Uncommon Target Folder", "id": "6e30c82f-a9f8-4aab-b79c-7c12bce6f248", "status": "experimental", "description": "Detects usage of bitsadmin downloading a file to uncommon target folder", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1197", "attack.s0190", "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR OriginalFileName = 'bitsadmin.exe') AND (CommandLine LIKE '% /transfer %' ESCAPE '\\' OR CommandLine LIKE '% /create %' ESCAPE '\\' OR CommandLine LIKE '% /addfile %' ESCAPE '\\') AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" }, { "title": "Exports Critical Registry Keys To a File", "id": "82880171-b475-4201-b811-e9c826cd5eaa", "status": "test", "description": "Detects the export of a crital Registry key to a file.", "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ "attack.exfiltration", "attack.t1012" ], "falsepositives": [ "Dumping hives for legitimate purpouse i.e. backup or forensic investigation" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\') AND (CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\') AND (CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))" ], "filename": "proc_creation_win_regedit_export_critical_keys.yml" }, { "title": "Suspicious Download from Office Domain", "id": "00d49ed5-4491-4271-a8db-650a4ef6f8c1", "status": "experimental", "description": "Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Scripts or tools that download attachments from these domains (OneNote, Outlook 365)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\') OR (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile(%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString(%' ESCAPE '\\')) AND (CommandLine LIKE '%https://attachment.outlook.live.net/owa/%' ESCAPE '\\' OR CommandLine LIKE '%https://onenoteonlinesync.onenote.com/onenoteonlinesync/%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_download_office_domain.yml" }, { "title": "Suspicious Use of CSharp Interactive Console", "id": "a9e416a8-e613-4f8b-88b8-a7d1d1af2f61", "status": "test", "description": "Detects the execution of CSharp interactive console by PowerShell", "author": "Michael R. (@nahamike01)", "tags": [ "attack.execution", "attack.t1127" ], "falsepositives": [ "Possible depending on environment. Pair with other factors such as net connections, command-line args, etc." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\csi.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND OriginalFileName = 'csi.exe')" ], "filename": "proc_creation_win_csi_use_of_csharp_console.yml" }, { "title": "Run PowerShell Script from Redirected Input Stream", "id": "c83bf4b5-cdf0-437c-90fa-43d734f7c476", "status": "test", "description": "Detects PowerShell script execution via input stream redirect", "author": "Moriarty Meng (idea), Anton Kutepov (rule), oscd.community", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND CommandLine REGEXP '\\s-\\s*<')" ], "filename": "proc_creation_win_powershell_run_script_from_input_stream.yml" }, { "title": "Suspicious Execution of Taskkill", "id": "86085955-ea48-42a2-9dd3-85d4c36b167d", "status": "experimental", "description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.", "author": "frack113", "tags": [ "attack.impact", "attack.t1489" ], "falsepositives": [ "Expected FP with some processes using this techniques to terminate one of their processes during installations and updates" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR OriginalFileName = 'taskkill.exe') AND (CommandLine LIKE '% /f%' ESCAPE '\\' AND CommandLine LIKE '% /im %' ESCAPE '\\'))" ], "filename": "proc_creation_win_taskkill_execution.yml" }, { "title": "Lolbin Runexehelper Use As Proxy", "id": "cd71385d-fd9b-4691-9b98-2b1f7e508714", "status": "experimental", "description": "Detect usage of the \"runexehelper.exe\" binary as a proxy to launch other programs", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\runexehelper.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_runexehelper.yml" }, { "title": "ZOHO Dctask64 Process Injection", "id": "6345b048-8441-43a7-9bed-541133633d7a", "status": "test", "description": "Detects suspicious process injection using ZOHO's dctask64.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%DesktopCentral\\_Agent\\\\agent%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_dctask64_proc_inject.yml" }, { "title": "Disable Windows Defender AV Security Monitoring", "id": "a7ee1722-c3c5-aeff-3212-c777e4733217", "status": "experimental", "description": "Detects attackers attempting to disable Windows Defender using Powershell", "author": "ok @securonix invrep-de, oscd.community, frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%-DisableBehaviorMonitoring $true%' ESCAPE '\\' OR CommandLine LIKE '%-DisableRuntimeMonitoring $true%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND ((CommandLine LIKE '%stop%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\') OR (CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%WinDefend%' ESCAPE '\\' AND CommandLine LIKE '%start=disabled%' ESCAPE '\\')))))" ], "filename": "proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" }, { "title": "Suspicious Outlook Child Process", "id": "208748f7-881d-47ac-a29c-07ea84bf691d", "status": "test", "description": "Detects a suspicious process spawning from an Outlook process.", "author": "Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team", "tags": [ "attack.execution", "attack.t1204.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\OUTLOOK.EXE' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_office_outlook_susp_child_processes.yml" }, { "title": "HackTool - XORDump Execution", "id": "66e563f9-1cbd-4a22-a957-d8b7c0f44372", "status": "test", "description": "Detects suspicious use of XORDump process memory dumping utility", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036", "attack.t1003.001" ], "falsepositives": [ "Another tool that uses the command line switches of XORdump" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\xordump.exe' ESCAPE '\\' OR (CommandLine LIKE '% -process lsass.exe %' ESCAPE '\\' OR CommandLine LIKE '% -m comsvcs %' ESCAPE '\\' OR CommandLine LIKE '% -m dbghelp %' ESCAPE '\\' OR CommandLine LIKE '% -m dbgcore %' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_xordump.yml" }, { "title": "Remote Access Tool - ScreenConnect Suspicious Execution", "id": "75bfe6e6-cd8e-429e-91d3-03921e1d7962", "status": "test", "description": "Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.initial_access", "attack.t1133" ], "falsepositives": [ "Legitimate use by administrative staff" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%e=Access&%' ESCAPE '\\' AND CommandLine LIKE '%y=Guest&%' ESCAPE '\\' AND CommandLine LIKE '%&p=%' ESCAPE '\\' AND CommandLine LIKE '%&c=%' ESCAPE '\\' AND CommandLine LIKE '%&k=%' ESCAPE '\\')" ], "filename": "proc_creation_win_remote_access_tools_screenconnect_access.yml" }, { "title": "Fsutil Drive Enumeration", "id": "63de06b9-a385-40b5-8b32-73f2b9ef84b6", "status": "experimental", "description": "Attackers may leverage fsutil to enumerated connected drives.", "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ "attack.discovery", "attack.t1120" ], "falsepositives": [ "Certain software or administrative tasks may trigger false positives." ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND CommandLine LIKE '%drives%' ESCAPE '\\')" ], "filename": "proc_creation_win_fsutil_drive_enumeration.yml" }, { "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation", "id": "56c217c3-2de2-479b-990f-5c109ba8458f", "status": "test", "description": "Detects the creation of a schtask via PowerSploit or Empire Default Configuration.", "author": "Markus Neis, @Karneades", "tags": [ "attack.execution", "attack.persistence", "attack.privilege_escalation", "attack.s0111", "attack.g0022", "attack.g0060", "car.2013-08-001", "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe -NonI%' ESCAPE '\\' AND CommandLine LIKE '%/TN Updater /TR%' ESCAPE '\\' AND (CommandLine LIKE '%/SC ONLOGON%' ESCAPE '\\' OR CommandLine LIKE '%/SC DAILY /ST%' ESCAPE '\\' OR CommandLine LIKE '%/SC ONIDLE%' ESCAPE '\\' OR CommandLine LIKE '%/SC HOURLY%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" }, { "title": "Potential RDP Session Hijacking Activity", "id": "224f140f-3553-4cd1-af78-13d81bf9f7cc", "status": "experimental", "description": "Detects potential RDP Session Hijacking activity on Windows systems", "author": "@juju4", "tags": [ "attack.execution" ], "falsepositives": [ "Administrative activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\tscon.exe' ESCAPE '\\' OR OriginalFileName = 'tscon.exe') AND IntegrityLevel = 'SYSTEM')" ], "filename": "proc_creation_win_tscon_rdp_session_hijacking.yml" }, { "title": "Webshell Detection With Command Line Keywords", "id": "bed2a484-9348-4143-8a8a-b801c979301c", "status": "experimental", "description": "Detects certain command line parameters often used during reconnaissance activity via web shells", "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, Anton Kutepov, oscd.community", "tags": [ "attack.persistence", "attack.t1505.003", "attack.t1018", "attack.t1033", "attack.t1087" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((OriginalFileName IN ('net.exe', 'net1.exe') AND (CommandLine LIKE '% user %' ESCAPE '\\' OR CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% group %' ESCAPE '\\')) OR (OriginalFileName = 'ping.exe' AND CommandLine LIKE '% -n %' ESCAPE '\\') OR (CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%cd /d %' ESCAPE '\\') OR (OriginalFileName = 'wmic.exe' AND CommandLine LIKE '% /node:%' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\quser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\') OR OriginalFileName IN ('whoami.exe', 'sysinfo.exe', 'quser.exe', 'ipconfig.exe', 'pathping.exe', 'tracert.exe', 'netstat.exe', 'schtasks.exe', 'VSSADMIN.EXE', 'wevtutil.exe', 'tasklist.exe')) OR (CommandLine LIKE '% Test-NetConnection %' ESCAPE '\\' OR CommandLine LIKE '%dir \\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_webshell_detection.yml" }, { "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE", "id": "f63b56ee-3f79-4b8a-97fb-5c48007e8573", "status": "test", "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1574.002", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/config%' ESCAPE '\\' AND CommandLine LIKE '%/serverlevelplugindll%' ESCAPE '\\')" ], "filename": "proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" }, { "title": "PUA - NSudo Execution", "id": "771d1eb5-9587-4568-95fb-9ec44153a012", "status": "experimental", "description": "Detects the use of NSudo tool for command execution", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ], "falsepositives": [ "Legitimate use by administrators" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\NSudo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NSudoLG.exe' ESCAPE '\\') OR OriginalFileName IN ('NSudo.exe', 'NSudoLC.exe', 'NSudoLG.exe')) AND (CommandLine LIKE '%-U:S %' ESCAPE '\\' OR CommandLine LIKE '%-U:T %' ESCAPE '\\' OR CommandLine LIKE '%-U:E %' ESCAPE '\\' OR CommandLine LIKE '%-P:E %' ESCAPE '\\' OR CommandLine LIKE '%-M:S %' ESCAPE '\\' OR CommandLine LIKE '%-M:H %' ESCAPE '\\' OR CommandLine LIKE '%-U=S %' ESCAPE '\\' OR CommandLine LIKE '%-U=T %' ESCAPE '\\' OR CommandLine LIKE '%-U=E %' ESCAPE '\\' OR CommandLine LIKE '%-P=E %' ESCAPE '\\' OR CommandLine LIKE '%-M=S %' ESCAPE '\\' OR CommandLine LIKE '%-M=H %' ESCAPE '\\' OR CommandLine LIKE '%-ShowWindowMode:Hide%' ESCAPE '\\'))" ], "filename": "proc_creation_win_pua_nsudo.yml" }, { "title": "Suspicious Execution of InstallUtil Without Log", "id": "d042284c-a296-4988-9be5-f424fadcc28c", "status": "test", "description": "Uses the .NET InstallUtil.exe application in order to execute image without log", "author": "frack113", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\' AND NewProcessName LIKE '%Microsoft.NET\\\\Framework%' ESCAPE '\\' AND CommandLine LIKE '%/logfile= %' ESCAPE '\\' AND CommandLine LIKE '%/LogToConsole=false%' ESCAPE '\\')" ], "filename": "proc_creation_win_instalutil_no_log_execution.yml" }, { "title": "PUA - Radmin Viewer Utility Execution", "id": "5817e76f-4804-41e6-8f1d-5fa0b3ecae2d", "status": "test", "description": "Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines", "author": "frack113", "tags": [ "attack.execution", "attack.lateral_movement", "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Radmin Viewer' OR Product = 'Radmin Viewer' OR OriginalFileName = 'Radmin.exe'))" ], "filename": "proc_creation_win_pua_radmin.yml" }, { "title": "Potential Data Exfiltration Activity Via CommandLine Tools", "id": "7d1aaf3d-4304-425c-b7c3-162055e0b3ab", "status": "experimental", "description": "Detects the use of various CLI utilities exfiltrating data via web requests", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\') AND CommandLine LIKE '% -ur%' ESCAPE '\\' AND CommandLine LIKE '% -me%' ESCAPE '\\' AND CommandLine LIKE '% -b%' ESCAPE '\\' AND CommandLine LIKE '% POST %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' AND CommandLine LIKE '%--ur%' ESCAPE '\\' AND (CommandLine LIKE '% -d %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\'))) AND ((CommandLine LIKE '%ToBase64String%' ESCAPE '\\' OR CommandLine LIKE '%whoami%' ESCAPE '\\' OR CommandLine LIKE '%nltest%' ESCAPE '\\' OR CommandLine LIKE '%ifconfig%' ESCAPE '\\' OR CommandLine LIKE '%hostname%' ESCAPE '\\' OR CommandLine LIKE '%net view%' ESCAPE '\\' OR CommandLine LIKE '%qprocess%' ESCAPE '\\' OR CommandLine LIKE '%netstat%' ESCAPE '\\' OR CommandLine LIKE '%systeminfo%' ESCAPE '\\' OR CommandLine LIKE '%tasklist%' ESCAPE '\\' OR CommandLine LIKE '%sc query%' ESCAPE '\\') OR (CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_data_exfiltration_via_cli.yml" }, { "title": "HackTool - SharpImpersonation Execution", "id": "f89b08d0-77ad-4728-817b-9b16c5a69c7a", "status": "experimental", "description": "Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", "author": "Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.defense_evasion", "attack.t1134.001", "attack.t1134.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\SharpImpersonation.exe' ESCAPE '\\' OR OriginalFileName = 'SharpImpersonation.exe' OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% binary:%' ESCAPE '\\') OR (CommandLine LIKE '% user:%' ESCAPE '\\' AND CommandLine LIKE '% shellcode:%' ESCAPE '\\') OR (CommandLine LIKE '% technique:CreateProcessAsUserW%' ESCAPE '\\' OR CommandLine LIKE '% technique:ImpersonateLoggedOnuser%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_sharp_impersonation.yml" }, { "title": "Execute Code with Pester.bat as Parent", "id": "18988e1b-9087-4f8a-82fe-0414dce49878", "status": "experimental", "description": "Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)", "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1216" ], "falsepositives": [ "Legitimate use of Pester for writing tests for Powershell scripts and modules" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%\\\\WindowsPowerShell\\\\Modules\\\\Pester\\\\%' ESCAPE '\\' AND (ParentCommandLine LIKE '%{ Invoke-Pester -EnableExit ;%' ESCAPE '\\' OR ParentCommandLine LIKE '%{ Get-Help \"%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_pester.yml" }, { "title": "Mavinject Inject DLL Into Running Process", "id": "4f73421b-5a0b-4bbf-a892-5a7fb99bea66", "status": "experimental", "description": "Detects process injection using the signed Windows tool \"Mavinject\" via the \"INJECTRUNNING\" flag", "author": "frack113, Florian Roth", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1055.001", "attack.t1218.013" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% /INJECTRUNNING %' ESCAPE '\\' AND NOT (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\AppVClient.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_mavinject_process_injection.yml" }, { "title": "CreateDump Process Dump", "id": "515c8be5-e5df-4c5e-8f6d-a4a2f05e4b48", "status": "experimental", "description": "Detects uses of the createdump.exe LOLOBIN utility to dump process memory", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036", "attack.t1003.001" ], "falsepositives": [ "Command lines that use the same flags" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\createdump.exe' ESCAPE '\\' OR OriginalFileName LIKE 'FX\\_VER\\_INTERNALNAME\\_STR' ESCAPE '\\') AND (CommandLine LIKE '% -u %' ESCAPE '\\' OR CommandLine LIKE '% --full %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% --name %' ESCAPE '\\' OR CommandLine LIKE '%.dmp %' ESCAPE '\\'))" ], "filename": "proc_creation_win_createdump_lolbin_execution.yml" }, { "title": "Discovery of a System Time", "id": "b243b280-65fe-48df-ba07-6ddea7646427", "status": "test", "description": "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.", "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ "attack.discovery", "attack.t1124" ], "falsepositives": [ "Legitimate use of the system utilities to discover system time for legitimate reason" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '%time%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\w32tm.exe' ESCAPE '\\' AND CommandLine LIKE '%tz%' ESCAPE '\\')))" ], "filename": "proc_creation_win_remote_time_discovery.yml" }, { "title": "Download Arbitrary Files Via MSOHTMED.EXE", "id": "459f2f98-397b-4a4a-9f47-6a5ec2f1c69d", "status": "experimental", "description": "Detects usage of \"MSOHTMED\" to download arbitrary files", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\MSOHTMED.exe' ESCAPE '\\' OR OriginalFileName = 'MsoHtmEd.exe') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_msohtmed_download.yml" }, { "title": "Invoke-Obfuscation Via Use Clip", "id": "e1561947-b4e3-4a74-9bdd-83baed21bdb5", "status": "test", "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%clip%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%clipboard%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%i`%' ESCAPE '\\' OR CommandLine LIKE '%n`%' ESCAPE '\\' OR CommandLine LIKE '%v`%' ESCAPE '\\' OR CommandLine LIKE '%o`%' ESCAPE '\\' OR CommandLine LIKE '%k`%' ESCAPE '\\' OR CommandLine LIKE '%e`%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_clip.yml" }, { "title": "LOLBIN From Abnormal Drive", "id": "d4ca7c59-e9e4-42d8-bf57-91a776efcb87", "status": "test", "description": "Detects LOLBINs executing from an abnormal drive such as a mounted ISO.", "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Angelo Violetti - SEC Consult '@angelo_violetti'", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Rare false positives could occur on servers with multiple drives." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\') OR OriginalFileName IN ('RUNDLL32.EXE', 'CALC.EXE', 'MSHTA.EXE', 'cscript.exe', 'wscript.exe', 'REGSVR32.EXE', 'installutil.exe', 'CMSTP.EXE')) AND NOT ((CurrentDirectory LIKE '%C:\\\\%' ESCAPE '\\') OR (CurrentDirectory = '') OR (CurrentDirectory = '')))" ], "filename": "proc_creation_win_lolbin_not_from_c_drive.yml" }, { "title": "Suspicious Remote Child Process From Outlook", "id": "e212d415-0e93-435f-9e1a-f29005bb4723", "status": "test", "description": "Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).", "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND NewProcessName LIKE '\\\\\\\\\\*' ESCAPE '\\')" ], "filename": "proc_creation_win_office_outlook_susp_child_processes_remote.yml" }, { "title": "PUA - Mouse Lock Execution", "id": "c9192ad9-75e5-43eb-8647-82a0a5b493e3", "status": "test", "description": "In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool \"Mouse Lock\" as being used for both credential access and collection in security incidents.", "author": "Cian Heasley", "tags": [ "attack.credential_access", "attack.collection", "attack.t1056.002" ], "falsepositives": [ "Legitimate uses of Mouse Lock software" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%Mouse Lock%' ESCAPE '\\' OR Company LIKE '%Misc314%' ESCAPE '\\' OR CommandLine LIKE '%Mouse Lock\\_%' ESCAPE '\\'))" ], "filename": "proc_creation_win_pua_mouselock_execution.yml" }, { "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE", "id": "7e6237fe-3ddb-438f-9381-9bf9de5af8d0", "status": "experimental", "description": "Detects when an internet hosted webdav share is mounted using the \"net.exe\" utility", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% http%' ESCAPE '\\'))" ], "filename": "proc_creation_win_net_use_mount_internet_share.yml" }, { "title": "Suspicious CodePage Switch Via CHCP", "id": "c7942406-33dd-4377-a564-0f62db0593a3", "status": "test", "description": "Detects a code page switch in command line or batch scripts to a rare language", "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.t1036", "attack.defense_evasion" ], "falsepositives": [ "Administrative activity (adjust code pages according to your organization's region)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '% 936' ESCAPE '\\' OR CommandLine LIKE '% 1258' ESCAPE '\\'))" ], "filename": "proc_creation_win_chcp_codepage_switch.yml" }, { "title": "HTML Help HH.EXE Suspicious Child Process", "id": "52cad028-0ff0-4854-8f67-d25dfcbc78b4", "status": "test", "description": "Detects a suspicious child process of a Microsoft HTML Help (HH.exe)", "author": "Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.initial_access", "attack.t1047", "attack.t1059.001", "attack.t1059.003", "attack.t1059.005", "attack.t1059.007", "attack.t1218", "attack.t1218.001", "attack.t1218.010", "attack.t1218.011", "attack.t1566", "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertUtil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSHTA.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_hh_html_help_susp_child_process.yml" }, { "title": "HackTool - LocalPotato Execution", "id": "6bd75993-9888-4f91-9404-e1e4e4e34b77", "status": "experimental", "description": "Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "cve.2023.21746" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\LocalPotato.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe -i C:\\\\%' ESCAPE '\\' AND CommandLine LIKE '%-o Windows\\\\%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=E1742EE971D6549E8D4D81115F88F1FC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DD82066EFBA94D7556EF582F247C8BB5%' ESCAPE '\\') OR Imphash IN ('E1742EE971D6549E8D4D81115F88F1FC', 'DD82066EFBA94D7556EF582F247C8BB5')))" ], "filename": "proc_creation_win_hktl_localpotato.yml" }, { "title": "Sideloading Link.EXE", "id": "6e968eb1-5f05-4dac-94e9-fd0c5cb49fd6", "status": "experimental", "description": "Detects the execution utitilies often found in Visual Studio tools that hardcode the call to the binary \"link.exe\". They can be abused to sideload any binary with the same name", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\link.exe' ESCAPE '\\' AND CommandLine LIKE '%LINK /%' ESCAPE '\\') AND NOT (((ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\VC\\\\Tools\\\\MSVC\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_lolbin_sideload_link_binary.yml" }, { "title": "Suspicious Subsystem for Linux Bash Execution", "id": "5edc2273-c26f-406c-83f3-f4d948e740dd", "status": "experimental", "description": "Performs execution of specified file, can be used for defensive evasion.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%bash.exe%' ESCAPE '\\' AND CommandLine LIKE '%-c %' ESCAPE '\\') AND NOT (((ParentCommandLine LIKE '%C:\\\\Program Files\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Git\\\\post-install.bat%' ESCAPE '\\' OR ParentCommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\') OR CommandLine LIKE '%echo /etc/post-install/%.post%' ESCAPE '\\')))" ], "filename": "proc_creation_win_lolbin_bash.yml" }, { "title": "Use of Squirrel.exe", "id": "45239e6a-b035-4aaf-b339-8ad379fcb67e", "status": "experimental", "description": "Detects the usage of the \"Squirrel.exe\" binary as a LOLBIN. This binary is part of multiple software installations (Slack, Teams, Discord, etc.)", "author": "Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1218" ], "falsepositives": [ "Expected FP with some electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop,...Etc)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\squirrel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\update.exe' ESCAPE '\\') AND (((CommandLine LIKE '% --download %' ESCAPE '\\' OR CommandLine LIKE '% --update %' ESCAPE '\\' OR CommandLine LIKE '% --updateRollback=%' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\') OR (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '% --processStart%' ESCAPE '\\' AND CommandLine LIKE '%Discord.exe%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%GitHubDesktop.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--createShortcut%' ESCAPE '\\' OR CommandLine LIKE '%--processStartAndWait%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Teams.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\')) OR (CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\Update.exe%' ESCAPE '\\' AND CommandLine LIKE '%Yammer.exe%' ESCAPE '\\' AND (CommandLine LIKE '%--processStart%' ESCAPE '\\' OR CommandLine LIKE '%--createShortcut%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_lolbin_squirrel.yml" }, { "title": "UAC Bypass via ICMLuaUtil", "id": "49f2f17b-b4c8-4172-a68b-d5bf95d05130", "status": "experimental", "description": "Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '%/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '%/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe'))" ], "filename": "proc_creation_win_uac_bypass_icmluautil.yml" }, { "title": "New Root Certificate Installed Via Certutil.EXE", "id": "d2125259-ddea-4c1c-9c22-977eb5b29cf0", "status": "test", "description": "Detects execution of \"certutil\" with the \"addstore\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", "attack.t1553.004" ], "falsepositives": [ "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%/addstore%' ESCAPE '\\' OR CommandLine LIKE '%-addstore%' ESCAPE '\\') AND CommandLine LIKE '%root%' ESCAPE '\\')" ], "filename": "proc_creation_win_certutil_certificate_installation.yml" }, { "title": "Regedit as Trusted Installer", "id": "883835a7-df45-43e4-bf1d-4268768afda4", "status": "test", "description": "Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1548" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\TrustedInstaller.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_regedit_trustedinstaller.yml" }, { "title": "Sysinternals PsSuspend Execution", "id": "48bbc537-b652-4b4e-bd1d-281172df448f", "status": "experimental", "description": "Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.persistence", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'pssuspend.exe' OR (NewProcessName LIKE '%\\\\pssuspend.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pssuspend64.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_sysinternals_pssuspend_execution.yml" }, { "title": "Start of NT Virtual DOS Machine", "id": "16905e21-66ee-42fe-b256-1318ada2d770", "status": "experimental", "description": "Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications", "author": "frack113", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%\\\\ntvdm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrstub.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_16bit_application.yml" }, { "title": "Suspicious Key Manager Access", "id": "a4694263-59a8-4608-a3a0-6f8d3a51664c", "status": "experimental", "description": "Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1555.004" ], "falsepositives": [ "Administrative activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%keymgr%' ESCAPE '\\' AND CommandLine LIKE '%KRShowKeyMgr%' ESCAPE '\\'))" ], "filename": "proc_creation_win_rundll32_keymgr.yml" }, { "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet", "id": "c8a180d6-47a3-4345-a609-53f9c3d834fc", "status": "experimental", "description": "Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1087.001" ], "falsepositives": [ "Administrative activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Get-LocalGroupMember %' ESCAPE '\\' AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_get_localgroup_member_recon.yml" }, { "title": "Suspicious Schtasks Schedule Type With High Privileges", "id": "7a02e22e-b885-4404-b38b-1ddc7e65258a", "status": "experimental", "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1053.005" ], "falsepositives": [ "Some installers were seen using this method of creation unfortunately. Filter them in your environment" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\') AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))" ], "filename": "proc_creation_win_schtasks_schedule_type_system.yml" }, { "title": "File or Folder Permissions Modifications", "id": "37ae075c-271b-459b-8d7b-55ad5f993dd8", "status": "test", "description": "Detects a file or folder's permissions being modified or tampered with.", "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1222.001" ], "falsepositives": [ "Users interacting with the files on their own (unlikely unless privileged users).", "Dynatrace app" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\cacls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\icacls.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND (CommandLine LIKE '%/grant%' ESCAPE '\\' OR CommandLine LIKE '%/setowner%' ESCAPE '\\' OR CommandLine LIKE '%/inheritance:r%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%-r%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\takeown.exe' ESCAPE '\\') AND NOT ((CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\connectivity.history /reset' ESCAPE '\\') OR (CommandLine LIKE '%ICACLS C:\\\\ProgramData\\\\dynatrace\\\\gateway\\\\config\\\\config.properties /grant :r %' ESCAPE '\\' AND CommandLine LIKE '%S-1-5-19:F%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_file_permission_modifications.yml" }, { "title": "CMSTP UAC Bypass via COM Object Access", "id": "4b60e6f2-bf39-47b4-b4ea-398e33cfe253", "status": "stable", "description": "Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)", "author": "Nik Seetharaman, Christian Burkard (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002", "attack.t1218.003", "attack.g0069", "car.2019-04-001" ], "falsepositives": [ "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}%' ESCAPE '\\' OR ParentCommandLine LIKE '% /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}%' ESCAPE '\\') AND IntegrityLevel IN ('High', 'System'))" ], "filename": "proc_creation_win_uac_bypass_cmstp_com_object_access.yml" }, { "title": "Suspicious Shells Spawn by Java Utility Keytool", "id": "90fb5e62-ca1f-4e22-b42e-cc521874c938", "status": "experimental", "description": "Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.initial_access", "attack.persistence", "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\keytool.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_java_keytool_susp_child_process.yml" }, { "title": "Suspicious Processes Spawned by WinRM", "id": "5cc2cda8-f261-4d88-a2de-e9e193c86716", "status": "experimental", "description": "Detects suspicious processes including shells spawnd from WinRM host process", "author": "Andreas Hunkeler (@Karneades), Markus Neis", "tags": [ "attack.t1190", "attack.initial_access", "attack.persistence", "attack.privilege_escalation" ], "falsepositives": [ "Legitimate WinRM usage" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_winrm_susp_child_process.yml" }, { "title": "Process Access via TrolleyExpress Exclusion", "id": "4c0aaedc-154c-4427-ada0-d80ef9c9deb6", "status": "experimental", "description": "Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.011", "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\TrolleyExpress 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 7%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 8%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe 9%' ESCAPE '\\' OR CommandLine LIKE '%\\\\TrolleyExpress.exe -ma %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' AND NOT ((OriginalFileName LIKE '%CtxInstall%' ESCAPE '\\') OR (OriginalFileName = '')))))" ], "filename": "proc_creation_win_citrix_trolleyexpress_procdump.yml" }, { "title": "Esentutl Steals Browser Information", "id": "6a69f62d-ce75-4b57-8dce-6351eb55b362", "status": "experimental", "description": "One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe", "author": "frack113", "tags": [ "attack.collection", "attack.t1005" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName = 'esentutl.exe') AND (CommandLine LIKE '%/r%' ESCAPE '\\' OR CommandLine LIKE '%-r%' ESCAPE '\\') AND CommandLine LIKE '%\\\\Windows\\\\WebCache%' ESCAPE '\\')" ], "filename": "proc_creation_win_esentutl_webcache.yml" }, { "title": "Usage Of Web Request Commands And Cmdlets", "id": "9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d", "status": "test", "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine", "author": "James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\' OR CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' OR CommandLine LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR CommandLine LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR CommandLine LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" }, { "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd", "id": "7c8af9b2-dcae-41a2-a9db-b28c288b5f08", "status": "experimental", "description": "Detects usage of \"appcmd\" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Legitimate usage of appcmd to add new URL rewrite rules" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%section:system.webServer/rewrite/globalRules%' ESCAPE '\\' AND CommandLine LIKE '%commit:%' ESCAPE '\\'))" ], "filename": "proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" }, { "title": "Remote Access Tool - GoToAssist Execution", "id": "b6d98a4f-cef0-4abf-bbf6-24132854a83d", "status": "test", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'GoTo Opener' OR Product = 'GoTo Opener' OR Company = 'LogMeIn, Inc.'))" ], "filename": "proc_creation_win_remote_access_tools_gotoopener.yml" }, { "title": "Application Whitelisting Bypass via Bginfo", "id": "aaf46cdc-934e-4284-b329-34aa701e3771", "status": "test", "description": "Execute VBscript code that is referenced within the *.bgi file.", "author": "Beyu Denis, oscd.community", "tags": [ "attack.execution", "attack.t1059.005", "attack.defense_evasion", "attack.t1218", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\bginfo.exe' ESCAPE '\\' AND CommandLine LIKE '%/popup%' ESCAPE '\\' AND CommandLine LIKE '%/nolicprompt%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_bginfo.yml" }, { "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE", "id": "68bcd73b-37ef-49cb-95fc-edc809730be6", "status": "experimental", "description": "Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '% service get %' ESCAPE '\\' AND CommandLine LIKE '%name,displayname,pathname,startmode%' ESCAPE '\\'))" ], "filename": "proc_creation_win_wmic_recon_unquoted_service_search.yml" }, { "title": "HackTool - SharpChisel Execution", "id": "cf93e05e-d798-4d9e-b522-b0248dc61eaf", "status": "experimental", "description": "Detects usage of the Sharp Chisel via the commandline arguments", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1090.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\SharpChisel.exe' ESCAPE '\\' OR Product = 'SharpChisel'))" ], "filename": "proc_creation_win_hktl_sharp_chisel.yml" }, { "title": "Suspicious PowerShell IEX Execution Patterns", "id": "09576804-7a05-458e-a817-eb718ca91f54", "status": "experimental", "description": "Detects suspicious ways to run Invoke-Execution using IEX alias", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Legitimate scripts that use IEX" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% | iex;%' ESCAPE '\\' OR CommandLine LIKE '% | iex %' ESCAPE '\\' OR CommandLine LIKE '% | iex}%' ESCAPE '\\' OR CommandLine LIKE '% | IEX ;%' ESCAPE '\\' OR CommandLine LIKE '% | IEX -Error%' ESCAPE '\\' OR CommandLine LIKE '% | IEX (new%' ESCAPE '\\' OR CommandLine LIKE '%);IEX %' ESCAPE '\\') AND (CommandLine LIKE '%::FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '%.GetString([System.Convert]::%' ESCAPE '\\')) OR (CommandLine LIKE '%)|iex;$%' ESCAPE '\\' OR CommandLine LIKE '%);iex($%' ESCAPE '\\' OR CommandLine LIKE '%);iex $%' ESCAPE '\\' OR CommandLine LIKE '% | IEX | %' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_iex_patterns.yml" }, { "title": "Suspicious Kernel Dump Using Dtrace", "id": "7124aebe-4cd7-4ccb-8df0-6d6b93c96795", "status": "test", "description": "Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\dtrace.exe' ESCAPE '\\' AND CommandLine LIKE '%lkd(0)%' ESCAPE '\\') OR (CommandLine LIKE '%syscall:::return%' ESCAPE '\\' AND CommandLine LIKE '%lkd(%' ESCAPE '\\')))" ], "filename": "proc_creation_win_dtrace_kernel_dump.yml" }, { "title": "Suspicious Execution of Systeminfo", "id": "0ef56343-059e-4cb6-adc1-4c3c967c5e46", "status": "experimental", "description": "Detects usage of the \"systeminfo\" command to retrieve information", "author": "frack113", "tags": [ "attack.discovery", "attack.t1082" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR OriginalFileName = 'sysinfo.exe'))" ], "filename": "proc_creation_win_systeminfo_execution.yml" }, { "title": "Invoke-Obfuscation STDIN+ Launcher", "id": "6c96fc76-0eb1-11eb-adc1-0242ac120002", "status": "test", "description": "Detects Obfuscated use of stdin to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%powershell%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (CommandLine LIKE '%noexit%' ESCAPE '\\' OR (CommandLine LIKE '%input%' ESCAPE '\\' AND CommandLine LIKE '%$%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_stdin.yml" }, { "title": "PUA - CsExec Execution", "id": "d08a2711-ee8b-4323-bdec-b7d85e892b31", "status": "experimental", "description": "Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.resource_development", "attack.t1587.001", "attack.execution", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\csexec.exe' ESCAPE '\\' OR Description = 'csexec'))" ], "filename": "proc_creation_win_pua_csexec.yml" }, { "title": "New User Created Via Net.EXE", "id": "cd219ff3-fa99-45d4-8380-a7d15116c6dc", "status": "test", "description": "Identifies the creation of local users via the net.exe command.", "author": "Endgame, JHasenbusch (adapted to Sigma for oscd.community)", "tags": [ "attack.persistence", "attack.t1136.001" ], "falsepositives": [ "Legitimate user creation.", "Better use event IDs for user creation rather than command line rules." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '%user%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\'))" ], "filename": "proc_creation_win_net_user_add.yml" }, { "title": "Abuse of Service Permissions to Hide Services Via Set-Service", "id": "514e4c3a-c77d-4cde-a00f-046425e2301e", "status": "experimental", "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", "attack.t1574.011" ], "falsepositives": [ "Rare intended use of hidden services" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%DCLCWPDTSD%' ESCAPE '\\') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_hide_services_via_set_service.yml" }, { "title": "Dllhost.EXE Execution Anomaly", "id": "e7888eb1-13b0-4616-bd99-4bc0c2b054b9", "status": "experimental", "description": "Detects a \"dllhost\" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1055" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%dllhost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_dllhost_no_cli_execution.yml" }, { "title": "PUA - Rclone Execution", "id": "e37db05d-d1f9-49c8-b464-cee1a4b11638", "status": "experimental", "description": "Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc", "author": "Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ "attack.exfiltration", "attack.t1567.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%--config %' ESCAPE '\\' AND CommandLine LIKE '%--no-check-certificate %' ESCAPE '\\' AND CommandLine LIKE '% copy %' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\rclone.exe' ESCAPE '\\' OR Description = 'Rsync for cloud storage') AND (CommandLine LIKE '%pass%' ESCAPE '\\' OR CommandLine LIKE '%user%' ESCAPE '\\' OR CommandLine LIKE '%copy%' ESCAPE '\\' OR CommandLine LIKE '%sync%' ESCAPE '\\' OR CommandLine LIKE '%config%' ESCAPE '\\' OR CommandLine LIKE '%lsd%' ESCAPE '\\' OR CommandLine LIKE '%remote%' ESCAPE '\\' OR CommandLine LIKE '%ls%' ESCAPE '\\' OR CommandLine LIKE '%mega%' ESCAPE '\\' OR CommandLine LIKE '%pcloud%' ESCAPE '\\' OR CommandLine LIKE '%ftp%' ESCAPE '\\' OR CommandLine LIKE '%ignore-existing%' ESCAPE '\\' OR CommandLine LIKE '%auto-confirm%' ESCAPE '\\' OR CommandLine LIKE '%transfers%' ESCAPE '\\' OR CommandLine LIKE '%multi-thread-streams%' ESCAPE '\\' OR CommandLine LIKE '%no-check-certificate %' ESCAPE '\\'))))" ], "filename": "proc_creation_win_pua_rclone_execution.yml" }, { "title": "Directory Removal Via Rmdir", "id": "41ca393d-538c-408a-ac27-cf1e038be80c", "status": "experimental", "description": "Detects execution of the builtin \"rmdir\" command in order to delete directories.\nAdversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1070.004" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND CommandLine LIKE '%rmdir%' ESCAPE '\\' AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%/q%' ESCAPE '\\'))" ], "filename": "proc_creation_win_cmd_rmdir_execution.yml" }, { "title": "Use of PktMon.exe", "id": "f956c7c1-0f60-4bc5-b7d7-b39ab3c08908", "status": "test", "description": "Tools to Capture Network Packets on the windows 10 with October 2018 Update or later.", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1040" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\pktmon.exe' ESCAPE '\\' OR OriginalFileName = 'PktMon.exe'))" ], "filename": "proc_creation_win_lolbin_pktmon.yml" }, { "title": "JSC Convert Javascript To Executable", "id": "52788a70-f1da-40dd-8fbd-73b5865d6568", "status": "experimental", "description": "Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1127" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\jsc.exe' ESCAPE '\\' AND CommandLine LIKE '%.js%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_jsc.yml" }, { "title": "Potential Suspicious Windows Feature Enabled - ProcCreation", "id": "c740d4cf-a1e9-41de-bb16-8a46a4f57918", "status": "experimental", "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Legitimate usage of the features listed in the rule." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND CommandLine LIKE '%-Online%' ESCAPE '\\' AND CommandLine LIKE '%-FeatureName%' ESCAPE '\\' AND (CommandLine LIKE '%TelnetServer%' ESCAPE '\\' OR CommandLine LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR CommandLine LIKE '%TFTP%' ESCAPE '\\' OR CommandLine LIKE '%SMB1Protocol%' ESCAPE '\\' OR CommandLine LIKE '%Client-ProjFS%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" }, { "title": "Potential DLL Injection Or Execution Using Tracker.exe", "id": "148431ce-4b70-403d-8525-fcc2993f29ea", "status": "test", "description": "Detects potential DLL injection and execution using \"Tracker.exe\"", "author": "Avneet Singh @v3t0_, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\tracker.exe' ESCAPE '\\' OR Description = 'Tracker') AND (CommandLine LIKE '% /d %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% /ERRORREPORT:PROMPT %' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Msbuild\\\\Current\\\\Bin\\\\amd64\\\\MSBuild.exe' ESCAPE '\\'))))" ], "filename": "proc_creation_win_lolbin_tracker.yml" }, { "title": "Potential Download/Upload Activity Using Type Command", "id": "aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f", "status": "experimental", "description": "Detects usage of the \"type\" command to download/upload data from WebDAV server", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%type %' ESCAPE '\\' AND CommandLine LIKE '% > \\\\\\\\\\*' ESCAPE '\\') OR (CommandLine LIKE '%type \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '% > %' ESCAPE '\\')))" ], "filename": "proc_creation_win_lolbin_type.yml" }, { "title": "Remote Access Tool - AnyDesk Silent Installation", "id": "114e7f1c-f137-48c8-8f54-3088c24ce4b9", "status": "test", "description": "Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.", "author": "Ján Trenčanský", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate deployment of AnyDesk" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%--install%' ESCAPE '\\' AND CommandLine LIKE '%--start-with-win%' ESCAPE '\\' AND CommandLine LIKE '%--silent%' ESCAPE '\\')" ], "filename": "proc_creation_win_remote_access_tools_anydesk_silent_install.yml" }, { "title": "Dumping Process via Sqldumper.exe", "id": "23ceaf5c-b6f1-4a32-8559-f2ff734be516", "status": "test", "description": "Detects process dump via legitimate sqldumper.exe binary", "author": "Kirill Kiryanov, oscd.community", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Legitimate MSSQL Server actions" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\sqldumper.exe' ESCAPE '\\' AND (CommandLine LIKE '%0x0110%' ESCAPE '\\' OR CommandLine LIKE '%0x01100:40%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_susp_sqldumper_activity.yml" }, { "title": "Computer System Reconnaissance Via Wmic.EXE", "id": "9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f", "status": "experimental", "description": "Detects execution of wmic utility with the \"computersystem\" flag in order to obtain information about the machine such as the domain, username, model, etc.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.execution", "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%computersystem%' ESCAPE '\\')" ], "filename": "proc_creation_win_wmic_recon_computersystem.yml" }, { "title": "Suspicious NTLM Authentication on the Printer Spooler Service", "id": "bb76d96b-821c-47cf-944b-7ce377864492", "status": "experimental", "description": "Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service", "author": "Elastic (idea), Tobias Michalski (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.credential_access", "attack.t1212" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND (CommandLine LIKE '%spoolss%' ESCAPE '\\' OR CommandLine LIKE '%srvsvc%' ESCAPE '\\' OR CommandLine LIKE '%/print/pipe/%' ESCAPE '\\')))" ], "filename": "proc_creation_win_rundll32_ntlmrelay.yml" }, { "title": "Registry Modification Via Regini.EXE", "id": "5f60740a-f57b-4e76-82a1-15b6ff2cb134", "status": "experimental", "description": "Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.", "author": "Eli Salem, Sander Wiebing, oscd.community", "tags": [ "attack.t1112", "attack.defense_evasion" ], "falsepositives": [ "Legitimate modification of keys" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\regini.exe' ESCAPE '\\' OR OriginalFileName = 'REGINI.EXE') AND NOT (CommandLine REGEXP ':[^ \\\\]'))" ], "filename": "proc_creation_win_regini_execution.yml" }, { "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution", "id": "52ff7941-8211-46f9-84f8-9903efb7077d", "status": "test", "description": "Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1134.004" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\SelectMyParent.exe' ESCAPE '\\' OR (CommandLine LIKE '%PPID-spoof%' ESCAPE '\\' OR CommandLine LIKE '%ppid\\_spoof%' ESCAPE '\\' OR CommandLine LIKE '%spoof-ppid%' ESCAPE '\\' OR CommandLine LIKE '%spoof\\_ppid%' ESCAPE '\\' OR CommandLine LIKE '%ppidspoof%' ESCAPE '\\' OR CommandLine LIKE '%spoofppid%' ESCAPE '\\' OR CommandLine LIKE '%spoofedppid%' ESCAPE '\\' OR CommandLine LIKE '% -spawnto %' ESCAPE '\\') OR (OriginalFileName LIKE '%PPID-spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%ppid\\_spoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof-ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoof\\_ppid%' ESCAPE '\\' OR OriginalFileName LIKE '%ppidspoof%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofppid%' ESCAPE '\\' OR OriginalFileName LIKE '%spoofedppid%' ESCAPE '\\') OR Description = 'SelectMyParent' OR Imphash IN ('04d974875bd225f00902b4cad9af3fbc', 'a782af154c9e743ddf3f3eb2b8f3d16e', '89059503d7fbf470e68f7e63313da3ad', 'ca28337632625c8281ab8a130b3d6bad') OR (Hashes LIKE '%IMPHASH=04D974875BD225F00902B4CAD9AF3FBC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89059503D7FBF470E68F7E63313DA3AD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CA28337632625C8281AB8A130B3D6BAD%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_selectmyparent.yml" }, { "title": "WMI Backdoor Exchange Transport Agent", "id": "797011dc-44f4-4e6f-9f10-a8ceefbe566b", "status": "test", "description": "Detects a WMI backdoor in Exchange Transport Agents via WMI event filters", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1546.003" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\EdgeTransport.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Bin\\\\OleConverter.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" }, { "title": "Potential System Information Discovery Via Wmic.EXE", "id": "9d5a1274-922a-49d0-87f3-8c653483b909", "status": "experimental", "description": "Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,\nincluding OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS,\nand GPU driver products/versions.\nSome of these commands were used by Aurora Stealer in late 2022/early 2023.\n", "author": "TropChaud", "tags": [ "attack.discovery", "attack.t1082" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'WMI Commandline Utility' OR OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND (CommandLine LIKE '%cpu get name%' ESCAPE '\\' OR CommandLine LIKE '%MEMPHYSICAL get MaxCapacity%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get product%' ESCAPE '\\' OR CommandLine LIKE '%baseboard get version%' ESCAPE '\\' OR CommandLine LIKE '%bios get SMBIOSBIOSVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get name%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get DriverVersion%' ESCAPE '\\' OR CommandLine LIKE '%path win32\\_VideoController get VideoModeDescription%' ESCAPE '\\' OR CommandLine LIKE '%OS get Caption,OSArchitecture,Version%' ESCAPE '\\' OR CommandLine LIKE '%DISKDRIVE get Caption%' ESCAPE '\\'))" ], "filename": "proc_creation_win_wmic_recon_system_info_discovery.yml" }, { "title": "DirLister Execution", "id": "b4dc61f5-6cce-468e-a608-b48b469feaa2", "status": "experimental", "description": "Detect the usage of \"DirLister.exe\" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.", "author": "frack113", "tags": [ "attack.discovery", "attack.t1083" ], "falsepositives": [ "Legitimate use by users" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'DirLister.exe' OR NewProcessName LIKE '%\\\\dirlister.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_dirlister_execution.yml" }, { "title": "Password Protected Compressed File Extraction Via 7Zip", "id": "b717b8fd-6467-4d7d-b3d3-27f9a463af77", "status": "experimental", "description": "Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.collection", "attack.t1560.001" ], "falsepositives": [ "Legitimate activity is expected since extracting files with a password can be common in some environement." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '% -p%' ESCAPE '\\' AND CommandLine LIKE '% x %' ESCAPE '\\' AND CommandLine LIKE '% -o%' ESCAPE '\\'))" ], "filename": "proc_creation_win_7zip_password_extraction.yml" }, { "title": "Delete Important Scheduled Task", "id": "dbc1f800-0fe0-4bc0-9c66-292c2abe3f78", "status": "experimental", "description": "Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.impact", "attack.t1489" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/delete%' ESCAPE '\\' AND CommandLine LIKE '%/tn%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], "filename": "proc_creation_win_schtasks_delete.yml" }, { "title": "RunDLL32 Spawning Explorer", "id": "caa06de8-fdef-4c91-826a-7f9e163eef4b", "status": "experimental", "description": "Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way", "author": "elhoim, CD_ROM_", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (ParentCommandLine LIKE '%\\\\shell32.dll,Control\\_RunDLL%' ESCAPE '\\'))" ], "filename": "proc_creation_win_rundll32_spawn_explorer.yml" }, { "title": "HackTool - SharpEvtMute Execution", "id": "bedfc8ad-d1c7-4e37-a20e-e2b0dbee759c", "status": "experimental", "description": "Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\SharpEvtMute.exe' ESCAPE '\\' OR Description = 'SharpEvtMute' OR (CommandLine LIKE '%--Filter \"rule %' ESCAPE '\\' OR CommandLine LIKE '%--Encoded --Filter \\\\\"%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_sharpevtmute.yml" }, { "title": "Renamed Mavinject.EXE Execution", "id": "e6474a1b-5390-49cd-ab41-8d88655f7394", "status": "experimental", "description": "Detects the execution of a renamed version of the \"Mavinject\" process. Which can be abused to perform process injection using the \"/INJECTRUNNING\" flag", "author": "frack113, Florian Roth", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1055.001", "attack.t1218.013" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName IN ('mavinject32.exe', 'mavinject64.exe') AND NOT ((NewProcessName LIKE '%\\\\mavinject32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mavinject64.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_renamed_mavinject.yml" }, { "title": "Stop Windows Service Via PowerShell Stop-Service", "id": "c49c5062-0966-4170-9efd-9968c913a6cf", "status": "experimental", "description": "Detects the stopping of a Windows service", "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.impact", "attack.t1489" ], "falsepositives": [ "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND CommandLine LIKE '%Stop-Service %' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_stop_service.yml" }, { "title": "HackTool - Impersonate Execution", "id": "cf0c254b-22f1-4b2b-8221-e137b3c0af94", "status": "experimental", "description": "Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively", "author": "Sai Prashanth Pulisetti @pulisettis", "tags": [ "attack.privilege_escalation", "attack.defense_evasion", "attack.t1134.001", "attack.t1134.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%impersonate.exe%' ESCAPE '\\' AND (CommandLine LIKE '% list %' ESCAPE '\\' OR CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% adduser %' ESCAPE '\\')) OR ((Hashes LIKE '%MD5=9520714AB576B0ED01D1513691377D01%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A358FFC1697B7A07D0E817AC740DF62%' ESCAPE '\\') OR md5 = '9520714AB576B0ED01D1513691377D01' OR sha256 = 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' OR Imphash = '0A358FFC1697B7A07D0E817AC740DF62')))" ], "filename": "proc_creation_win_hktl_impersonate.yml" }, { "title": "Curl Download And Execute Combination", "id": "21dd6d38-2b18-4453-9404-a0fe4a0cc288", "status": "test", "description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", "author": "Sreeman, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1218", "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /c %' ESCAPE '\\' AND CommandLine LIKE '%curl %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\' AND CommandLine LIKE '%-o%' ESCAPE '\\' AND CommandLine LIKE '%&%' ESCAPE '\\')" ], "filename": "proc_creation_win_cmd_curl_download_exec_combo.yml" }, { "title": "Psr.exe Capture Screenshots", "id": "2158f96f-43c2-43cb-952a-ab4580f32382", "status": "test", "description": "The psr.exe captures desktop screenshots and saves them on the local machine", "author": "Beyu Denis, oscd.community", "tags": [ "attack.collection", "attack.t1113" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\Psr.exe' ESCAPE '\\' AND CommandLine LIKE '%/start%' ESCAPE '\\')" ], "filename": "proc_creation_win_psr_capture_screenshots.yml" }, { "title": "Suspicious Microsoft Office Child Process", "id": "438025f9-5856-4663-83f7-52f878a70a50", "status": "test", "description": "Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)", "author": "Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1047", "attack.t1204.002", "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (OriginalFileName IN ('bitsadmin.exe', 'CertOC.exe', 'CertUtil.exe', 'Cmd.Exe', 'CMSTP.EXE', 'cscript.exe', 'curl.exe', 'HH.exe', 'IEExec.exe', 'InstallUtil.exe', 'javaw.exe', 'Microsoft.Workflow.Compiler.exe', 'msdt.exe', 'MSHTA.EXE', 'msiexec.exe', 'Msxsl.exe', 'odbcconf.exe', 'pcalua.exe', 'PowerShell.EXE', 'RegAsm.exe', 'RegSvcs.exe', 'REGSVR32.exe', 'RUNDLL32.exe', 'schtasks.exe', 'ScriptRunner.exe', 'wmic.exe', 'WorkFolders.exe', 'wscript.exe') OR (NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\control.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ieexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\installutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft.Workflow.Compiler.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msidb.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\workfolders.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_office_susp_child_processes.yml" }, { "title": "AgentExecutor PowerShell Execution", "id": "7efd2c8d-8b18-45b7-947d-adfe9ed04f61", "status": "experimental", "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Legitimate use via Intune management. You exclude script paths and names to reduce FP rate" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_agentexecutor.yml" }, { "title": "Recon Information for Export with Command Prompt", "id": "aa2efee7-34dd-446e-8a37-40790a66efd7", "status": "experimental", "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", "author": "frack113", "tags": [ "attack.collection", "attack.t1119" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\tree.com' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\doskey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') OR OriginalFileName IN ('wmic.exe', 'DOSKEY.EXE', 'sc.exe')) AND (ParentCommandLine LIKE '% > \\%TEMP\\%\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '% > \\%TMP\\%\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_recon.yml" }, { "title": "PowerShell Get-Process LSASS", "id": "b2815d0d-7481-4bf0-9b6c-a4c48a94b349", "status": "test", "description": "Detects a \"Get-Process\" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1552.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Get-Process lsas%' ESCAPE '\\' OR CommandLine LIKE '%ps lsas%' ESCAPE '\\' OR CommandLine LIKE '%gps lsas%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_getprocess_lsass.yml" }, { "title": "Suspicious Spool Service Child Process", "id": "dcdbc940-0bff-46b2-95f3-2d73f848e33b", "status": "test", "description": "Detects suspicious print spool service (spoolsv.exe) child processes.", "author": "Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)", "tags": [ "attack.execution", "attack.t1203", "attack.privilege_escalation", "attack.t1068" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND IntegrityLevel = 'System') AND ((((((NewProcessName LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskkill.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cipher.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\write.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wuauclt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%start%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%.spl%' ESCAPE '\\' OR CommandLine LIKE '%route add%' ESCAPE '\\' OR CommandLine LIKE '%program files%' ESCAPE '\\')))) OR (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%add portopening%' ESCAPE '\\' OR CommandLine LIKE '%rule name%' ESCAPE '\\')))) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '%.spl%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_spoolsv_susp_child_processes.yml" }, { "title": "Regasm/Regsvcs Suspicious Execution", "id": "cc368ed0-2411-45dc-a222-510ace303cb2", "status": "experimental", "description": "Detects suspicious execution of Regasm/Regsvcs utilities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND (CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\Regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Regasm.exe' ESCAPE '\\') OR OriginalFileName IN ('RegSvcs.exe', 'RegAsm.exe')) AND NOT ((CommandLine LIKE '%.dll%' ESCAPE '\\') OR ((CommandLine LIKE '%\\\\Regasm.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regasm.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe\"' ESCAPE '\\' OR CommandLine LIKE '%\\\\Regsvcs.exe' ESCAPE '\\'))))))" ], "filename": "proc_creation_win_lolbin_regasm.yml" }, { "title": "UAC Bypass via Windows Firewall Snap-In Hijack", "id": "e52cb31c-10ed-4aea-bcb7-593c9f4a315b", "status": "experimental", "description": "Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in", "author": "Tim Rauch", "tags": [ "attack.privilege_escalation", "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%WF.msc%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_uac_bypass_hijacking_firwall_snap_in.yml" }, { "title": "HackTool - Quarks PwDump Execution", "id": "0685b176-c816-4837-8e7b-1216f346636b", "status": "experimental", "description": "Detects usage of the Quarks PwDump tool via commandline arguments", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\QuarksPwDump.exe' ESCAPE '\\' OR CommandLine IN (' -dhl', ' --dump-hash-local', ' -dhdc', ' --dump-hash-domain-cached', ' --dump-bitlocker', ' -dhd ', ' --dump-hash-domain ', '--ntds-file')))" ], "filename": "proc_creation_win_hktl_quarks_pwdump.yml" }, { "title": "Custom Class Execution via Xwizard", "id": "53d4bb30-3f36-4e8a-b078-69d36c4a79ff", "status": "test", "description": "Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties.", "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\xwizard.exe' ESCAPE '\\' AND CommandLine REGEXP '\\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\\}')" ], "filename": "proc_creation_win_lolbin_class_exec_xwizard.yml" }, { "title": "Imports Registry Key From an ADS", "id": "0b80ade5-6997-4b1d-99a1-71701778ea61", "status": "test", "description": "Detects the import of a alternate datastream to the registry with regedit.exe.", "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ "attack.t1112", "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND ((CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '%.reg%' ESCAPE '\\') AND CommandLine REGEXP ':[^ \\\\]')) AND NOT ((CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /a %' ESCAPE '\\' OR CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\')))" ], "filename": "proc_creation_win_regedit_import_keys_ads.yml" }, { "title": "Audio Capture via SoundRecorder", "id": "83865853-59aa-449e-9600-74b9d89a6d6e", "status": "test", "description": "Detect attacker collecting audio via SoundRecorder application.", "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ "attack.collection", "attack.t1123" ], "falsepositives": [ "Legitimate audio capture by legitimate user." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\SoundRecorder.exe' ESCAPE '\\' AND CommandLine LIKE '%/FILE%' ESCAPE '\\')" ], "filename": "proc_creation_win_soundrecorder_audio_capture.yml" }, { "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE", "id": "b57ba453-b384-4ab9-9f40-1038086b4e53", "status": "test", "description": "Detects dump of credentials in VeeamBackup dbo", "author": "frack113", "tags": [ "attack.collection", "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\sqlcmd.exe' ESCAPE '\\' AND CommandLine LIKE '%SELECT%' ESCAPE '\\' AND CommandLine LIKE '%TOP%' ESCAPE '\\' AND CommandLine LIKE '%[VeeamBackup].[dbo].[Credentials]%' ESCAPE '\\')" ], "filename": "proc_creation_win_sqlcmd_veeam_dump.yml" }, { "title": "Cmd.EXE Missing Space Characters Execution Anomaly", "id": "a16980c2-0c56-4de0-9a79-17971979efdd", "status": "experimental", "description": "Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.\nThis could be a sign of obfuscation of a fat finger problem (typo by the developer).\n", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cmd.exe/c%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/k%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/r%' ESCAPE '\\' OR CommandLine LIKE '%\\\\cmd/r%' ESCAPE '\\' OR CommandLine LIKE '%\"cmd/r%' ESCAPE '\\') OR (CommandLine LIKE '%/cwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/cpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/cschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/cbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/ccertutil%' ESCAPE '\\' OR CommandLine LIKE '%/kwhoami%' ESCAPE '\\' OR CommandLine LIKE '%/kpowershell%' ESCAPE '\\' OR CommandLine LIKE '%/kschtasks%' ESCAPE '\\' OR CommandLine LIKE '%/kbitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%/kcertutil%' ESCAPE '\\') OR (CommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r%' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\')) OR (CommandLine LIKE '%AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\resources\\\\app\\\\node\\_modules%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe/c .' ESCAPE '\\' OR CommandLine = 'cmd.exe /c')))" ], "filename": "proc_creation_win_cmd_no_space_execution.yml" }, { "title": "Process Dumping Via Comsvcs.DLL", "id": "646ea171-dded-4578-8a4d-65e9822892e3", "status": "test", "description": "Detects a process memory dump via \"comsvcs.dll\" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)", "author": "Florian Roth (Nextron Systems), Modexp, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.credential_access", "attack.t1036", "attack.t1003.001", "car.2013-05-009" ], "falsepositives": [ "Unlikely, because no one should dump the process memory in that way" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR CommandLine LIKE '%rundll32%' ESCAPE '\\') AND (CommandLine LIKE '%comsvcs%' ESCAPE '\\' AND CommandLine LIKE '%full%' ESCAPE '\\' AND (CommandLine LIKE '%24 %' ESCAPE '\\' OR CommandLine LIKE '%#24%' ESCAPE '\\' OR CommandLine LIKE '%#+24%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\'))) OR CommandLine LIKE '%#-4294967272%' ESCAPE '\\'))" ], "filename": "proc_creation_win_rundll32_process_dump_via_comsvcs.yml" }, { "title": "Arbitrary Command Execution Using WSL", "id": "dec44ca7-61ad-493c-bfd7-8819c5faa09b", "status": "test", "description": "Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands", "author": "oscd.community, Zach Stanford @svch0st, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1218", "attack.t1202" ], "falsepositives": [ "Automation and orchestration scripts may use this method to execute scripts etc.", "Legitimate use by Windows to kill processes opened via WSL (example VsCode WSL server)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR OriginalFileName = 'wsl.exe') AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --exec%' ESCAPE '\\' OR CommandLine LIKE '% --system%' ESCAPE '\\' OR CommandLine LIKE '% --shell-type %' ESCAPE '\\' OR CommandLine LIKE '% /mnt/c%' ESCAPE '\\' OR CommandLine LIKE '% --user root%' ESCAPE '\\' OR CommandLine LIKE '% -u root%' ESCAPE '\\' OR CommandLine LIKE '%--debug-shell%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -e kill %' ESCAPE '\\')))" ], "filename": "proc_creation_win_wsl_lolbin_execution.yml" }, { "title": "Suspicious DumpMinitool Execution", "id": "eb1c4225-1c23-4241-8dd4-051389fde4ce", "status": "experimental", "description": "Detects suspicious ways to use the \"DumpMinitool.exe\" binary", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.x86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.arm64.exe' ESCAPE '\\') OR OriginalFileName IN ('DumpMinitool.exe', 'DumpMinitool.x86.exe', 'DumpMinitool.arm64.exe')) AND ((NOT ((NewProcessName LIKE '%\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Extensions\\\\%' ESCAPE '\\')) OR CommandLine LIKE '%.txt%' ESCAPE '\\') OR ((CommandLine LIKE '% Full%' ESCAPE '\\' OR CommandLine LIKE '% Mini%' ESCAPE '\\' OR CommandLine LIKE '% WithHeap%' ESCAPE '\\') AND NOT (CommandLine LIKE '%--dumpType%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_dumpminitool_susp_execution.yml" }, { "title": "Suspicious File Execution From Internet Hosted WebDav Share", "id": "f0507c0f-a3a2-40f5-acc6-7f543c334993", "status": "experimental", "description": "Detects the execution of the \"net use\" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files", "author": "pH-T (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cmd.exe%' ESCAPE '\\' OR OriginalFileName = 'Cmd.EXE') AND (CommandLine LIKE '% net use http%' ESCAPE '\\' AND CommandLine LIKE '%& start /b %' ESCAPE '\\' AND CommandLine LIKE '%\\\\DavWWWRoot\\\\%' ESCAPE '\\') AND (CommandLine LIKE '%.exe %' ESCAPE '\\' OR CommandLine LIKE '%.dll %' ESCAPE '\\' OR CommandLine LIKE '%.bat %' ESCAPE '\\' OR CommandLine LIKE '%.vbs %' ESCAPE '\\' OR CommandLine LIKE '%.ps1 %' ESCAPE '\\'))" ], "filename": "proc_creation_win_cmd_net_use_and_exec_combo.yml" }, { "title": "Suspicious Scan Loop Network", "id": "f8ad2e2c-40b6-4117-84d7-20b89896ab23", "status": "test", "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", "author": "frack113", "tags": [ "attack.execution", "attack.t1059", "attack.discovery", "attack.t1018" ], "falsepositives": [ "Legitimate script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%foreach %' ESCAPE '\\') AND (CommandLine LIKE '%nslookup%' ESCAPE '\\' OR CommandLine LIKE '%ping%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_network_scan_loop.yml" }, { "title": "Potential Product Reconnaissance Via Wmic.EXE", "id": "15434e33-5027-4914-88d5-3d4145ec25a9", "status": "experimental", "description": "Detects the execution of WMIC in order to get a list of firewall and antivirus products", "author": "Nasreddine Bencherchali", "tags": [ "attack.execution", "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%Product%' ESCAPE '\\')" ], "filename": "proc_creation_win_wmic_recon_product.yml" }, { "title": "Potential Meterpreter/CobaltStrike Activity", "id": "15619216-e993-4721-b590-4c520615a67d", "status": "test", "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting", "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ "attack.privilege_escalation", "attack.t1134.001", "attack.t1134.002" ], "falsepositives": [ "Commandlines containing components like cmd accidentally", "Jobs and services started with cmd" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' AND ((CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%echo%' ESCAPE '\\' AND CommandLine LIKE '%\\\\pipe\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%cmd%' ESCAPE '\\' OR CommandLine LIKE '%\\%COMSPEC\\%%' ESCAPE '\\')) OR (CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%.dll,a%' ESCAPE '\\' AND CommandLine LIKE '%/p:%' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%MpCmdRun%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_meterpreter_getsystem.yml" }, { "title": "PowerShell SAM Copy", "id": "1af57a4b-460a-4738-9034-db68b880c665", "status": "test", "description": "Detects suspicious PowerShell scripts accessing SAM hives", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.002" ], "falsepositives": [ "Some rare backup scenarios", "PowerShell scripts fixing HiveNightmare / SeriousSAM ACLs" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND CommandLine LIKE '%System32\\\\config\\\\sam%' ESCAPE '\\' AND (CommandLine LIKE '%Copy-Item%' ESCAPE '\\' OR CommandLine LIKE '%cp $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%cpi $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%copy $\\_.%' ESCAPE '\\' OR CommandLine LIKE '%.File]::Copy(%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_sam_access.yml" }, { "title": "Suspicious WMIC Execution Via Office Process", "id": "e1693bc8-7168-4eab-8718-cdcaa68a1738", "status": "experimental", "description": "Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).", "author": "Vadim Khrykov, Cyb3rEng", "tags": [ "attack.t1204.002", "attack.t1047", "attack.t1218.010", "attack.execution", "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND (CommandLine LIKE '%process%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%call%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%verclsid%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')))" ], "filename": "proc_creation_win_wmic_susp_execution_via_office_process.yml" }, { "title": "DeviceCredentialDeployment Execution", "id": "b8b1b304-a60f-4999-9a6e-c547bde03ffd", "status": "experimental", "description": "Detects the execution of DeviceCredentialDeployment to hide a process from view", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unlikely" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\DeviceCredentialDeployment.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_device_credential_deployment.yml" }, { "title": "Suspicious Process Created Via Wmic.EXE", "id": "3c89a1e8-0fba-449e-8f1b-8409d6267ec8", "status": "test", "description": "Detects WMIC executing \"process call create\" with suspicious calls to processes such as \"rundll32\", \"regsrv32\", etc.", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%process %' ESCAPE '\\' AND CommandLine LIKE '%call %' ESCAPE '\\' AND CommandLine LIKE '%create %' ESCAPE '\\' AND (CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\'))" ], "filename": "proc_creation_win_wmic_susp_process_creation.yml" }, { "title": "Suspicious Add Scheduled Command Pattern", "id": "f2c64357-b1d2-41b7-849f-34d2682c0fad", "status": "experimental", "description": "Detects suspicious scheduled task creations with commands that are uncommon", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1053.005" ], "falsepositives": [ "Software installers that run from temporary folders and also install scheduled tasks" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\') AND (((CommandLine LIKE '%/sc minute %' ESCAPE '\\' OR CommandLine LIKE '%/ru system %' ESCAPE '\\') AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r%' ESCAPE '\\')) OR (CommandLine LIKE '% bypass %' ESCAPE '\\' OR CommandLine LIKE '%.DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%.DownloadFile%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% IEX%' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '%/c start /min %' ESCAPE '\\' OR CommandLine LIKE '% curl %' ESCAPE '\\') OR (CommandLine LIKE '%/xml C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%wscript.exe%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_schtasks_susp_pattern.yml" }, { "title": "Scheduled Task Creation", "id": "92626ddd-662c-49e3-ac59-f6535f12d189", "status": "test", "description": "Detects the creation of scheduled tasks in user session", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.persistence", "attack.privilege_escalation", "attack.t1053.005", "attack.s0111", "car.2013-08-001" ], "falsepositives": [ "Administrative activity", "Software installation" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\') AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], "filename": "proc_creation_win_schtasks_creation.yml" }, { "title": "CL_LoadAssembly.ps1 Proxy Execution", "id": "c57872c7-614f-4d7f-a40d-b78c8df2d30d", "status": "experimental", "description": "Detects the use of a Microsoft signed script to execute commands and bypassing AppLocker.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\CL\\_LoadAssembly.ps1%' ESCAPE '\\' OR CommandLine LIKE '%LoadAssemblyFromPath %' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_cl_loadassembly.yml" }, { "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine", "id": "74403157-20f5-415d-89a7-c505779585cf", "status": "test", "description": "Detects usage of the \"ConvertTo-SecureString\" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity", "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Legitimate use to pass password to different powershell commands" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%ConvertTo-SecureString%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_cmdline_convertto_securestring.yml" }, { "title": "Suspicious SYSTEM User Process Creation", "id": "2617e7ed-adb7-40ba-b0f3-8f9945fe6c09", "status": "test", "description": "Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)", "author": "Florian Roth (Nextron Systems), David ANDRE (additional keywords)", "falsepositives": [ "Administrative activity", "Scripts and administrative tools used in the monitored environment", "Monitoring activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((IntegrityLevel = 'System' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '% /urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -urlcache %' ESCAPE '\\' OR CommandLine LIKE '% -e% JAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% -e% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% -e% IAB%' ESCAPE '\\' OR CommandLine LIKE '% -e% PAA%' ESCAPE '\\' OR CommandLine LIKE '% -e% aQBlAHgA%' ESCAPE '\\' OR CommandLine LIKE '%vssadmin delete shadows%' ESCAPE '\\' OR CommandLine LIKE '%reg SAVE HKLM%' ESCAPE '\\' OR CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '%dpapi::%' ESCAPE '\\' OR CommandLine LIKE '%event::clear%' ESCAPE '\\' OR CommandLine LIKE '%event::drop%' ESCAPE '\\' OR CommandLine LIKE '%id::modify%' ESCAPE '\\' OR CommandLine LIKE '%kerberos::%' ESCAPE '\\' OR CommandLine LIKE '%lsadump::%' ESCAPE '\\' OR CommandLine LIKE '%misc::%' ESCAPE '\\' OR CommandLine LIKE '%privilege::%' ESCAPE '\\' OR CommandLine LIKE '%rpc::%' ESCAPE '\\' OR CommandLine LIKE '%sekurlsa::%' ESCAPE '\\' OR CommandLine LIKE '%sid::%' ESCAPE '\\' OR CommandLine LIKE '%token::%' ESCAPE '\\' OR CommandLine LIKE '%vault::cred%' ESCAPE '\\' OR CommandLine LIKE '%vault::list%' ESCAPE '\\' OR CommandLine LIKE '% p::d %' ESCAPE '\\' OR CommandLine LIKE '%;iex(%' ESCAPE '\\' OR CommandLine LIKE '%MiniDump%' ESCAPE '\\' OR CommandLine LIKE '%net user %' ESCAPE '\\'))) AND NOT ((CommandLine = 'ping 127.0.0.1 -n 5') OR (NewProcessName LIKE '%\\\\PING.EXE' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\bin\\\\javaws.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\bin\\\\jp2launcher.exe' ESCAPE '\\' AND CommandLine LIKE '% -ma %' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_system_user_anomaly.yml" }, { "title": "Suspicious Binary In User Directory Spawned From Office Application", "id": "aa3a6f94-890e-4e22-b634-ffdfd54792cc", "status": "experimental", "description": "Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)", "author": "Jason Lynch", "tags": [ "attack.execution", "attack.t1204.002", "attack.g0046", "car.2013-05-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentProcessName LIKE '%\\\\WINWORD.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\POWERPNT.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSPUB.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\VISIO.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\EQNEDT32.exe' ESCAPE '\\') AND NewProcessName LIKE 'C:\\\\users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%.exe' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Teams.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_office_spawn_exe_from_users_directory.yml" }, { "title": "Suspicious Scheduled Task Creation via Masqueraded XML File", "id": "dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c", "status": "experimental", "description": "Detects the creation of a scheduled task using the \"-XML\" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence", "author": "Swachchhanda Shrawan Poudel, Elastic (idea)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1036.005", "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/create%' ESCAPE '\\' OR CommandLine LIKE '%-create%' ESCAPE '\\') AND (CommandLine LIKE '%/xml%' ESCAPE '\\' OR CommandLine LIKE '%-xml%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%.xml%' ESCAPE '\\') OR (IntegrityLevel = 'System') OR (ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%:\\\\WINDOWS\\\\Installer\\\\MSI%' ESCAPE '\\' AND ParentCommandLine LIKE '%.tmp,zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\'))) AND NOT (((ParentProcessName LIKE '%:\\\\ProgramData\\\\OEM\\\\UpgradeTool\\\\CareCenter\\_%\\\\BUnzip\\\\Setup\\_msi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files\\\\Axis Communications\\\\AXIS Camera Station\\\\SetupActions.exe' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files\\\\Axis Communications\\\\AXIS Device Manager\\\\AdmSetupActions.exe' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files (x86)\\\\Zemana\\\\AntiMalware\\\\AntiMalware.exe' ESCAPE '\\' OR ParentProcessName LIKE '%:\\\\Program Files\\\\Dell\\\\SupportAssist\\\\pcdrcui.exe' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_schedule_via_masqueraded_xml_file.yml" }, { "title": "Suspicious Driver Install by pnputil.exe", "id": "a2ea3ae7-d3d0-40a0-a55c-25a45c87cac1", "status": "test", "description": "Detects when a possible suspicious driver is being installed via pnputil.exe lolbin", "author": "Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger", "tags": [ "attack.persistence", "attack.t1547" ], "falsepositives": [ "Pnputil.exe being used may be performed by a system administrator.", "Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.", "Pnputil.exe being executed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%-i%' ESCAPE '\\' OR CommandLine LIKE '%/install%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%/add-driver%' ESCAPE '\\' OR CommandLine LIKE '%.inf%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\pnputil.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" }, { "title": "Stop Windows Service Via Net.EXE", "id": "88872991-7445-4a22-90b2-a3adadb0e827", "status": "experimental", "description": "Detects the stopping of a Windows service", "author": "Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.impact", "attack.t1489" ], "falsepositives": [ "There are many legitimate reasons to stop a service. This rule isn't looking for any suspicious behaviour in particular. Filter legitimate activity accordingly" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('net.exe', 'net1.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\')" ], "filename": "proc_creation_win_net_stop_service.yml" }, { "title": "Potential Suspicious Mofcomp Execution", "id": "1dd05363-104e-4b4a-b963-196a534b03a1", "status": "experimental", "description": "Detects execution of the \"mofcomp\" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.\nThe \"mofcomp\" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.\nAttackers abuse this utility to install malicious MOF scripts\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\mofcomp.exe' ESCAPE '\\' OR OriginalFileName = 'mofcomp.exe') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%temp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%tmp\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\'))) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.mof' ESCAPE '\\')))" ], "filename": "proc_creation_win_mofcomp_execution.yml" }, { "title": "DLL Sideloading by VMware Xfer Utility", "id": "ebea773c-a8f1-42ad-a856-00cb221966e8", "status": "experimental", "description": "Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_dll_sideload_vmware_xfer.yml" }, { "title": "HackTool - Certipy Execution", "id": "6938366d-8954-4ddc-baff-c830b3ba8fcd", "status": "experimental", "description": "Detects Certipy a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.", "author": "pH-T (Nextron Systems)", "tags": [ "attack.discovery", "attack.credential_access", "attack.t1649" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\Certipy.exe' ESCAPE '\\' OR OriginalFileName = 'Certipy.exe' OR Description LIKE '%Certipy%' ESCAPE '\\') OR ((CommandLine LIKE '% auth %' ESCAPE '\\' OR CommandLine LIKE '% find %' ESCAPE '\\' OR CommandLine LIKE '% forge %' ESCAPE '\\' OR CommandLine LIKE '% relay %' ESCAPE '\\' OR CommandLine LIKE '% req %' ESCAPE '\\' OR CommandLine LIKE '% shadow %' ESCAPE '\\') AND (CommandLine LIKE '% -bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -ca-pfx %' ESCAPE '\\' OR CommandLine LIKE '% -dc-ip %' ESCAPE '\\' OR CommandLine LIKE '% -kirbi%' ESCAPE '\\' OR CommandLine LIKE '% -old-bloodhound%' ESCAPE '\\' OR CommandLine LIKE '% -pfx %' ESCAPE '\\' OR CommandLine LIKE '% -target%' ESCAPE '\\' OR CommandLine LIKE '% -username %' ESCAPE '\\' OR CommandLine LIKE '% -vulnerable%' ESCAPE '\\' OR CommandLine LIKE '%auth -pfx%' ESCAPE '\\' OR CommandLine LIKE '%shadow auto%' ESCAPE '\\' OR CommandLine LIKE '%shadow list%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_hktl_certipy.yml" }, { "title": "Suspicious WebDav Client Execution", "id": "982e9f2d-1a85-4d5b-aea4-31f5e97c6555", "status": "experimental", "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397\n", "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.exfiltration", "attack.t1048.003", "cve.2023.23397" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-s WebClient%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\' AND CommandLine REGEXP '://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}') AND NOT (((CommandLine LIKE '%://10.%' ESCAPE '\\' OR CommandLine LIKE '%://192.168.%' ESCAPE '\\' OR CommandLine LIKE '%://172.16.%' ESCAPE '\\' OR CommandLine LIKE '%://172.17.%' ESCAPE '\\' OR CommandLine LIKE '%://172.18.%' ESCAPE '\\' OR CommandLine LIKE '%://172.19.%' ESCAPE '\\' OR CommandLine LIKE '%://172.20.%' ESCAPE '\\' OR CommandLine LIKE '%://172.21.%' ESCAPE '\\' OR CommandLine LIKE '%://172.22.%' ESCAPE '\\' OR CommandLine LIKE '%://172.23.%' ESCAPE '\\' OR CommandLine LIKE '%://172.24.%' ESCAPE '\\' OR CommandLine LIKE '%://172.25.%' ESCAPE '\\' OR CommandLine LIKE '%://172.26.%' ESCAPE '\\' OR CommandLine LIKE '%://172.27.%' ESCAPE '\\' OR CommandLine LIKE '%://172.28.%' ESCAPE '\\' OR CommandLine LIKE '%://172.29.%' ESCAPE '\\' OR CommandLine LIKE '%://172.30.%' ESCAPE '\\' OR CommandLine LIKE '%://172.31.%' ESCAPE '\\' OR CommandLine LIKE '%://127.%' ESCAPE '\\' OR CommandLine LIKE '%://169.254.%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_rundll32_webdav_client_susp_execution.yml" }, { "title": "Hardware Model Reconnaissance Via Wmic.EXE", "id": "3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d", "status": "experimental", "description": "Detects the execution of WMIC with the \"csproduct\" which is used to obtain information such as hardware models and vendor information", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1047", "car.2016-03-002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%csproduct%' ESCAPE '\\')" ], "filename": "proc_creation_win_wmic_recon_csproduct.yml" }, { "title": "Process Reconnaissance Via Wmic.EXE", "id": "221b251a-357a-49a9-920a-271802777cc0", "status": "experimental", "description": "Detects the execution of \"wmic\" with the \"process\" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.", "author": "frack113", "tags": [ "attack.execution", "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%process%' ESCAPE '\\') AND NOT (CommandLine LIKE '%call%' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\'))" ], "filename": "proc_creation_win_wmic_recon_process.yml" }, { "title": "Renamed SysInternals DebugView Execution", "id": "cd764533-2e07-40d6-a718-cfeec7f2da7f", "status": "test", "description": "Detects suspicious renamed SysInternals DebugView execution", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.resource_development", "attack.t1588.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Product = 'Sysinternals DebugView' AND NOT (OriginalFileName = 'Dbgview.exe' AND NewProcessName LIKE '%\\\\Dbgview.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_sysinternals_debugview.yml" }, { "title": "Rundll32 Execution Without Parameters", "id": "5bb68627-3198-40ca-b458-49f973db8752", "status": "test", "description": "Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module", "author": "Bartlomiej Czyz, Relativity", "tags": [ "attack.lateral_movement", "attack.t1021.002", "attack.t1570", "attack.execution", "attack.t1569.002" ], "falsepositives": [ "False positives may occur if a user called rundll32 from CLI with no options" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine IN ('rundll32.exe', 'rundll32'))" ], "filename": "proc_creation_win_rundll32_without_parameters.yml" }, { "title": "Suspicious MsiExec Embedding Parent", "id": "4a2a2c3e-209f-4d01-b513-4155a540b469", "status": "experimental", "description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", "author": "frack113", "tags": [ "attack.t1218.007", "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%MsiExec.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%-Embedding %' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%\\\\DismFoDInstall.cmd%' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\MsiExec.exe -Embedding %' ESCAPE '\\' AND ParentCommandLine LIKE '%Global\\\\MSI0000%' ESCAPE '\\')))" ], "filename": "proc_creation_win_msiexec_embedding.yml" }, { "title": "Possible Privilege Escalation via Weak Service Permissions", "id": "d937b75f-a665-4480-88a5-2f20e9f9b22a", "status": "test", "description": "Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand", "author": "Teymur Kheirkhabarov", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND IntegrityLevel = 'Medium') AND ((CommandLine LIKE '%config%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\') OR (CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command%' ESCAPE '\\')))" ], "filename": "proc_creation_win_sc_change_sevice_image_path_by_non_admin.yml" }, { "title": "Sdclt Child Processes", "id": "da2738f2-fadb-4394-afa7-0a0674885afa", "status": "test", "description": "A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\sdclt.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_sdclt_child_process.yml" }, { "title": "Suspicious File Characteristics Due to Missing Fields", "id": "9637e8a5-7131-4f7f-bdc7-2b05d8670c43", "status": "test", "description": "Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe", "author": "Markus Neis, Sander Wiebing", "tags": [ "attack.execution", "attack.t1059.006" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((Description LIKE '\\?' ESCAPE '\\' AND FileVersion LIKE '\\?' ESCAPE '\\') OR (Description LIKE '\\?' ESCAPE '\\' AND Product LIKE '\\?' ESCAPE '\\')) OR (Description LIKE '\\?' ESCAPE '\\' AND Company LIKE '\\?' ESCAPE '\\')) AND NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\')" ], "filename": "proc_creation_win_susp_file_characteristics.yml" }, { "title": "Suspicious Msiexec Execute Arbitrary DLL", "id": "6f4191bb-912b-48a8-9ce7-682769541e6d", "status": "experimental", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218.007" ], "falsepositives": [ "Legitimate script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND (CommandLine LIKE '% /y%' ESCAPE '\\' OR CommandLine LIKE '% -y%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" /Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Bonjour\\\\mdnsNSP.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\ScriptingObjectModel.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Program Files (x86)\\\\Apple Software Update\\\\SoftwareUpdateAdmin.dll%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y \"C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsiExec.exe\" -Y C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_msiexec_execute_dll.yml" }, { "title": "InfDefaultInstall.exe .inf Execution", "id": "ce7cf472-6fcc-490a-9481-3786840b5d9b", "status": "test", "description": "Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%InfDefaultInstall.exe %' ESCAPE '\\' AND CommandLine LIKE '%.inf%' ESCAPE '\\')" ], "filename": "proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" }, { "title": "HackTool - winPEAS Execution", "id": "98b53e78-ebaf-46f8-be06-421aafd176d9", "status": "experimental", "description": "WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz", "author": "Georg Lauenstein (sure[secure])", "tags": [ "attack.privilege_escalation", "attack.t1082", "attack.t1087", "attack.t1046" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'winPEAS.exe' OR (NewProcessName LIKE '%\\\\winPEASany.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASany\\_ofs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx64\\_ofs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winPEASx86\\_ofs.exe' ESCAPE '\\') OR (CommandLine LIKE '% applicationsinfo%' ESCAPE '\\' OR CommandLine LIKE '% browserinfo%' ESCAPE '\\' OR CommandLine LIKE '% eventsinfo%' ESCAPE '\\' OR CommandLine LIKE '% fileanalysis%' ESCAPE '\\' OR CommandLine LIKE '% filesinfo%' ESCAPE '\\' OR CommandLine LIKE '% processinfo%' ESCAPE '\\' OR CommandLine LIKE '% servicesinfo%' ESCAPE '\\' OR CommandLine LIKE '% windowscreds%' ESCAPE '\\') OR CommandLine LIKE '%https://github.com/carlospolop/PEASS-ng/releases/latest/download/%' ESCAPE '\\' OR ParentCommandLine LIKE '% -linpeas' ESCAPE '\\' OR CommandLine LIKE '% -linpeas' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_winpeas.yml" }, { "title": "Mstsc.EXE Execution From Uncommon Parent", "id": "ff3b6b39-e765-42f9-bb2c-ea6761e0e0f6", "status": "experimental", "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.lateral_movement" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\CCleanerBrowser.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\whale.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe'))" ], "filename": "proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" }, { "title": "Replace.exe Usage", "id": "9292293b-8496-4715-9db6-37028dcda4b3", "status": "experimental", "description": "Detects the use of Replace.exe which can be used to replace file with another file", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\replace.exe' ESCAPE '\\' AND (CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%-a%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_replace.yml" }, { "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE", "id": "c9fbe8e9-119d-40a6-9b59-dd58a5d84429", "status": "test", "description": "Detects potential malicious and unauthorized usage of bcdedit.exe", "author": "@neu5ron", "tags": [ "attack.defense_evasion", "attack.t1070", "attack.persistence", "attack.t1542.003" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND (CommandLine LIKE '%delete%' ESCAPE '\\' OR CommandLine LIKE '%deletevalue%' ESCAPE '\\' OR CommandLine LIKE '%import%' ESCAPE '\\' OR CommandLine LIKE '%safeboot%' ESCAPE '\\' OR CommandLine LIKE '%network%' ESCAPE '\\'))" ], "filename": "proc_creation_win_bcdedit_susp_execution.yml" }, { "title": "Audit Policy Tampering Via NT Resource Kit Auditpol", "id": "c6c56ada-612b-42d1-9a29-adad3c5c2c1e", "status": "test", "description": "Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.\nThis can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ "The old auditpol utility isn't available by default on recent versions of Windows as it was replaced by a newer version. The FP rate should be very low except for tools that use a similar flag structure" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%/logon:none%' ESCAPE '\\' OR CommandLine LIKE '%/system:none%' ESCAPE '\\' OR CommandLine LIKE '%/sam:none%' ESCAPE '\\' OR CommandLine LIKE '%/privilege:none%' ESCAPE '\\' OR CommandLine LIKE '%/object:none%' ESCAPE '\\' OR CommandLine LIKE '%/process:none%' ESCAPE '\\' OR CommandLine LIKE '%/policy:none%' ESCAPE '\\'))" ], "filename": "proc_creation_win_auditpol_nt_resource_kit_usage.yml" }, { "title": "Suspicious ConfigSecurityPolicy Execution", "id": "1f0f6176-6482-4027-b151-00071af39d7e", "status": "experimental", "description": "Upload file, credentials or data exfiltration with Binary part of Windows Defender", "author": "frack113", "tags": [ "attack.exfiltration", "attack.t1567" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%ConfigSecurityPolicy.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ConfigSecurityPolicy.exe' ESCAPE '\\' OR OriginalFileName = 'ConfigSecurityPolicy.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_configsecuritypolicy.yml" }, { "title": "Disable Important Scheduled Task", "id": "9ac94dc8-9042-493c-ba45-3b5e7c86b980", "status": "experimental", "description": "Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.impact", "attack.t1489" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Change%' ESCAPE '\\' AND CommandLine LIKE '%/TN%' ESCAPE '\\' AND CommandLine LIKE '%/disable%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\'))" ], "filename": "proc_creation_win_schtasks_disable.yml" }, { "title": "Remote CHM File Download/Execution Via HH.EXE", "id": "f57c58b3-ee69-4ef5-9041-455bf39aaa89", "status": "experimental", "description": "Detects the usage of \"hh.exe\" to execute/download remotely hosted \".chm\" files.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], "filename": "proc_creation_win_hh_chm_remote_download_or_execution.yml" }, { "title": "VsCode Child Process Anomaly", "id": "5a3164f2-b373-4152-93cf-090b13c12d27", "status": "experimental", "description": "Detects uncommon or suspicious child processes spawning from a VsCode \"code.exe\" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1218", "attack.t1202" ], "falsepositives": [ "In development environment where VsCode is used heavily. False positives may occur when developers use task to compile or execute different types of code. Remove or add processes accordingly" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\code.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-Expressions%' ESCAPE '\\' OR CommandLine LIKE '%IEX%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Command%' ESCAPE '\\' OR CommandLine LIKE '%ICM%' ESCAPE '\\' OR CommandLine LIKE '%DownloadString%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\')) OR (NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_vscode_child_processes_anomalies.yml" }, { "title": "MSExchange Transport Agent Installation", "id": "83809e84-4475-4b69-bc3e-4aad8568612f", "status": "test", "description": "Detects the Installation of a Exchange Transport Agent", "author": "Tobias Michalski (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1505.002" ], "falsepositives": [ "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Install-TransportAgent%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_msexchange_transport_agent.yml" }, { "title": "Boot Configuration Tampering Via Bcdedit.EXE", "id": "1444443e-6757-43e4-9ea4-c8fc705f79a2", "status": "stable", "description": "Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.", "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ "attack.impact", "attack.t1490" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR OriginalFileName = 'bcdedit.exe') AND CommandLine LIKE '%set%' ESCAPE '\\' AND ((CommandLine LIKE '%bootstatuspolicy%' ESCAPE '\\' AND CommandLine LIKE '%ignoreallfailures%' ESCAPE '\\') OR (CommandLine LIKE '%recoveryenabled%' ESCAPE '\\' AND CommandLine LIKE '%no%' ESCAPE '\\')))" ], "filename": "proc_creation_win_bcdedit_boot_conf_tamper.yml" }, { "title": "HackTool - Wmiexec Default Powershell Command", "id": "022eaba8-f0bf-4dd9-9217-4604b0bb3bb0", "status": "experimental", "description": "Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.lateral_movement" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc%' ESCAPE '\\')" ], "filename": "proc_creation_win_hktl_wmiexec_default_powershell.yml" }, { "title": "Suspicious MSHTA Child Process", "id": "03cc0c25-389f-4bf8-b48d-11878079f1ca", "status": "test", "description": "Detects a suspicious process spawning from an \"mshta.exe\" process, which could be indicative of a malicious HTA script execution", "author": "Michael Haag", "tags": [ "attack.defense_evasion", "attack.t1218.005", "car.2013-02-003", "car.2013-03-001", "car.2014-04-003" ], "falsepositives": [ "Printer software / driver installations", "HP software" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe')))" ], "filename": "proc_creation_win_mshta_susp_child_processes.yml" }, { "title": "HackTool - PCHunter Execution", "id": "fca949cc-79ca-446e-8064-01aa7e52ece5", "status": "experimental", "description": "Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\PCHunter64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PCHunter32.exe' ESCAPE '\\') OR OriginalFileName = 'PCHunter.exe' OR Description = 'Epoolsoft Windows Information View Tools' OR (Hashes LIKE '%SHA1=5F1CBC3D99558307BC1250D084FA968521482025%' ESCAPE '\\' OR Hashes LIKE '%MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=444D210CEA1FF8112F256A4997EED7FF%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB%' ESCAPE '\\' OR Hashes LIKE '%MD5=228DD0C2E6287547E26FFBD973A40F14%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0479F44DF47CFA2EF1CCC4416A538663%' ESCAPE '\\') OR md5 IN ('228dd0c2e6287547e26ffbd973a40f14', '987b65cd9b9f4e9a1afd8f8b48cf64a7') OR sha1 IN ('5f1cbc3d99558307bc1250d084fa968521482025', '3fb89787cb97d902780da080545584d97fb1c2eb') OR sha256 IN ('2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32', '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c') OR Imphash IN ('444d210cea1ff8112f256a4997eed7ff', '0479f44df47cfa2ef1ccc4416a538663')))" ], "filename": "proc_creation_win_hktl_pchunter.yml" }, { "title": "Rundll32 JS RunHTMLApplication Pattern", "id": "9f06447a-a33a-4cbe-a94f-a3f43184a7a3", "status": "test", "description": "Detects suspicious command line patterns used when rundll32 is used to run JavaScript code", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%javascript%' ESCAPE '\\' AND CommandLine LIKE '%..\\\\..\\\\mshtml,RunHTMLApplication%' ESCAPE '\\') OR CommandLine LIKE '%;document.write();GetObject(\"script%' ESCAPE '\\'))" ], "filename": "proc_creation_win_rundll32_js_runhtmlapplication.yml" }, { "title": "Application Whitelisting Bypass via Dnx.exe", "id": "81ebd28b-9607-4478-bf06-974ed9d53ed7", "status": "test", "description": "Execute C# code located in the consoleapp folder", "author": "Beyu Denis, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1218", "attack.t1027.004" ], "falsepositives": [ "Legitimate use of dnx.exe by legitimate user" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\dnx.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_dnx.yml" }, { "title": "Process Creation Using Sysnative Folder", "id": "3c1b5fb0-c72f-45ba-abd1-4d4c353144ab", "status": "experimental", "description": "Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)", "author": "Max Altgelt (Nextron Systems)", "tags": [ "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE 'C:\\\\Windows\\\\Sysnative\\\\%' ESCAPE '\\')" ], "filename": "proc_creation_win_susp_sysnative.yml" }, { "title": "HackTool - Covenant PowerShell Launcher", "id": "c260b6db-48ba-4b4a-a76f-2f67644e99d2", "status": "test", "description": "Detects suspicious command lines used in Covenant luanchers", "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1059.001", "attack.t1564.003" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%-Sta%' ESCAPE '\\' AND CommandLine LIKE '%-Nop%' ESCAPE '\\' AND CommandLine LIKE '%-Window%' ESCAPE '\\' AND CommandLine LIKE '%Hidden%' ESCAPE '\\' AND (CommandLine LIKE '%-Command%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\')) OR (CommandLine LIKE '%sv o (New-Object IO.MemorySteam);sv d %' ESCAPE '\\' OR CommandLine LIKE '%mshta file.hta%' ESCAPE '\\' OR CommandLine LIKE '%GruntHTTP%' ESCAPE '\\' OR CommandLine LIKE '%-EncodedCommand cwB2ACAAbwAgA%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_covenant.yml" }, { "title": "File Download Via Curl.EXE", "id": "9a517fca-4ba3-4629-9278-a68694697b81", "status": "experimental", "description": "Detects file download using curl.exe", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Scripts created by developers and admins", "Administrative activity", "The \"\\Git\\usr\\bin\\sh.exe\" process uses the \"--output\" flag to download a specific file in the temp directory with the pattern \"gfw-httpget-xxxxxxxx.txt \"" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND (CommandLine LIKE '% -O%' ESCAPE '\\' OR CommandLine LIKE '%--remote-name%' ESCAPE '\\' OR CommandLine LIKE '%--output%' ESCAPE '\\'))" ], "filename": "proc_creation_win_curl_download.yml" }, { "title": "Renamed Jusched.EXE Execution", "id": "edd8a48c-1b9f-4ba1-83aa-490338cd1ccb", "status": "test", "description": "Detects the execution of a renamed \"jusched.exe\" as seen used by the cobalt group", "author": "Markus Neis, Swisscom", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Description IN ('Java Update Scheduler', 'Java(TM) Update Scheduler') AND NOT (NewProcessName LIKE '%\\\\jusched.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_jusched.yml" }, { "title": "Using SettingSyncHost.exe as LOLBin", "id": "b2ddd389-f676-4ac4-845a-e00781a48e5f", "status": "test", "description": "Detects using SettingSyncHost.exe to run hijacked binary", "author": "Anton Kutepov, oscd.community", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1574.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) AND (ParentCommandLine LIKE '%cmd.exe /c%' ESCAPE '\\' AND ParentCommandLine LIKE '%RoamDiag.cmd%' ESCAPE '\\' AND ParentCommandLine LIKE '%-outputpath%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_settingsynchost.yml" }, { "title": "DNS Exfiltration and Tunneling Tools Execution", "id": "98a96a5a-64a0-4c42-92c5-489da3866cb0", "status": "test", "description": "Well-known DNS Exfiltration tools execution", "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.exfiltration", "attack.t1048.001", "attack.command_and_control", "attack.t1071.004", "attack.t1132.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\iodine.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnscat2%' ESCAPE '\\'))" ], "filename": "proc_creation_win_dns_exfiltration_tools_execution.yml" }, { "title": "PowerShell Base64 Encoded FromBase64String Cmdlet", "id": "fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c", "status": "test", "description": "Detects usage of a base64 encoded \"FromBase64String\" cmdlet in a process command line", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1140", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%OjpGcm9tQmFzZTY0U3RyaW5n%' ESCAPE '\\' OR CommandLine LIKE '%o6RnJvbUJhc2U2NFN0cmluZ%' ESCAPE '\\' OR CommandLine LIKE '%6OkZyb21CYXNlNjRTdHJpbm%' ESCAPE '\\' OR (CommandLine LIKE '%OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA%' ESCAPE '\\' OR CommandLine LIKE '%oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw%' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_base64_frombase64string.yml" }, { "title": "Query Usage To Exfil Data", "id": "53ef0cef-fa24-4f25-a34a-6c72dfa2e6e2", "status": "experimental", "description": "Detects usage of \"query.exe\" a system binary to exfil information such as \"sessions\" and \"processes\" for later use", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\query.exe' ESCAPE '\\' AND (CommandLine LIKE '%session >%' ESCAPE '\\' OR CommandLine LIKE '%process >%' ESCAPE '\\'))" ], "filename": "proc_creation_win_query_session_exfil.yml" }, { "title": "Wscript Shell Run In CommandLine", "id": "2c28c248-7f50-417a-9186-a85b223010ee", "status": "experimental", "description": "Detects the presence of the keywords \"Wscript\", \"Shell\" and \"Run\" in the command, which could indicate a suspicious activity", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Rare legitimate inline scripting by some administrators" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Wscript.%' ESCAPE '\\' AND CommandLine LIKE '%.Shell%' ESCAPE '\\' AND CommandLine LIKE '%.Run%' ESCAPE '\\')" ], "filename": "proc_creation_win_script_wscript_shell_cli.yml" }, { "title": "Suspicious MSDT Parent Process", "id": "7a74da6b-ea76-47db-92cc-874ad90df734", "status": "experimental", "description": "Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation", "author": "Nextron Systems", "tags": [ "attack.defense_evasion", "attack.t1036", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe'))" ], "filename": "proc_creation_win_msdt_susp_parent.yml" }, { "title": "UAC Bypass Abusing Winsat Path Parsing - Process", "id": "7a01183d-71a2-46ad-ad5c-acd989ac1793", "status": "test", "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\Windows \\\\system32\\\\winsat.exe%' ESCAPE '\\')" ], "filename": "proc_creation_win_uac_bypass_winsat.yml" }, { "title": "Net WebClient Casing Anomalies", "id": "c86133ad-4725-4bd0-8170-210788e0a7ba", "status": "experimental", "description": "Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%TgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAGIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAEUAYg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcARQBiA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBlAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgBXAGUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAFcAZQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AdwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAFQALgB3AEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAVAAuAHcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQB0AC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBFAHQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAEUAdAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4AZQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%TgBlAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%OAGUAVAAuAFcARQBCA%' ESCAPE '\\' OR CommandLine LIKE '%bgBFAFQALgBXAEUAQg%' ESCAPE '\\' OR CommandLine LIKE '%4ARQBUAC4AVwBFAEIA%' ESCAPE '\\' OR CommandLine LIKE '%uAEUAVAAuAFcARQBCA%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_webclient_casing.yml" }, { "title": "UAC Bypass Using PkgMgr and DISM", "id": "a743ceba-c771-4d75-97eb-8a90f7f4844c", "status": "test", "description": "Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\pkgmgr.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND IntegrityLevel IN ('High', 'System'))" ], "filename": "proc_creation_win_uac_bypass_pkgmgr_dism.yml" }, { "title": "Invoke-Obfuscation Obfuscated IEX Invocation", "id": "4bf943c6-5146-4273-98dd-e958fd1e3abf", "status": "test", "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block", "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR CommandLine REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR CommandLine REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR CommandLine REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR CommandLine REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR CommandLine REGEXP '\\$VerbosePreference\\.ToString\\(' OR CommandLine REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_obfuscated_iex_commandline.yml" }, { "title": "Exports Registry Key To a File", "id": "f0e53e89-8d22-46ea-9db5-9d4796ee2f8a", "status": "test", "description": "Detects the export of the target Registry key to a file.", "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ "attack.exfiltration", "attack.t1012" ], "falsepositives": [ "Legitimate export of keys" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\' OR OriginalFileName = 'REGEDIT.EXE') AND (CommandLine LIKE '% /E %' ESCAPE '\\' OR CommandLine LIKE '% -E %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%hklm%' ESCAPE '\\' OR CommandLine LIKE '%hkey\\_local\\_machine%' ESCAPE '\\')) AND ((CommandLine LIKE '%\\\\system' ESCAPE '\\' OR CommandLine LIKE '%\\\\sam' ESCAPE '\\' OR CommandLine LIKE '%\\\\security' ESCAPE '\\'))))" ], "filename": "proc_creation_win_regedit_export_keys.yml" }, { "title": "Windows Defender Definition Files Removed", "id": "9719a8aa-401c-41af-8108-ced7ec9cd75c", "status": "test", "description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR OriginalFileName = 'MpCmdRun.exe') AND (CommandLine LIKE '% -RemoveDefinitions%' ESCAPE '\\' AND CommandLine LIKE '% -All%' ESCAPE '\\'))" ], "filename": "proc_creation_win_mpcmdrun_remove_windows_defender_definition.yml" }, { "title": "UAC Bypass Using Event Viewer RecentViews", "id": "30fc8de7-d833-40c4-96b6-28319fbc4f6c", "status": "test", "description": "Detects the pattern of UAC Bypass using Event Viewer RecentViews", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\Event Viewer\\\\RecentViews%' ESCAPE '\\' OR CommandLine LIKE '%\\\\EventV~1\\\\RecentViews%' ESCAPE '\\') AND CommandLine LIKE '%>%' ESCAPE '\\')" ], "filename": "proc_creation_win_uac_bypass_eventvwr_recentviews.yml" }, { "title": "ImagingDevices Unusual Parent/Child Processes", "id": "f11f2808-adb4-46c0-802a-8660db50fa99", "status": "experimental", "description": "Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND NewProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') OR ParentProcessName LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_imagingdevices_unusual_parents.yml" }, { "title": "New Network Trace Capture Started Via Netsh.EXE", "id": "d3c3861d-c504-4c77-ba55-224ba82d0118", "status": "test", "description": "Detects the execution of netsh with the \"trace\" flag in order to start a network capture", "author": "Kutepov Anton, oscd.community", "tags": [ "attack.discovery", "attack.credential_access", "attack.t1040" ], "falsepositives": [ "Legitimate administration activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\'))" ], "filename": "proc_creation_win_netsh_packet_capture.yml" }, { "title": "Suspicious Windows Update Agent Empty Cmdline", "id": "52d097e2-063e-4c9c-8fbb-855c8948d135", "status": "experimental", "description": "Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\Wuauclt.exe' ESCAPE '\\' OR OriginalFileName = 'Wuauclt.exe') AND CommandLine LIKE '%\\\\Wuauclt.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_wuauclt_no_cli_flags_execution.yml" }, { "title": "Suspicious Certreq Command to Download", "id": "4480827a-9799-4232-b2c4-ccc6c4e9e12b", "status": "experimental", "description": "Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR OriginalFileName = 'CertReq.exe') AND (CommandLine LIKE '% -Post %' ESCAPE '\\' AND CommandLine LIKE '% -config %' ESCAPE '\\' AND CommandLine LIKE '% http%' ESCAPE '\\' AND CommandLine LIKE '% C:\\\\windows\\\\win.ini %' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_susp_certreq_download.yml" }, { "title": "Potential Persistence Attempt Via Existing Service Tampering", "id": "38879043-7e1e-47a9-8d46-6bec88e201df", "status": "test", "description": "Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.", "author": "Sreeman", "tags": [ "attack.persistence", "attack.t1543.003", "attack.t1574.011" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%config %' ESCAPE '\\' AND CommandLine LIKE '%binpath=%' ESCAPE '\\') OR (CommandLine LIKE '%sc %' ESCAPE '\\' AND CommandLine LIKE '%failure%' ESCAPE '\\' AND CommandLine LIKE '%command=%' ESCAPE '\\')) OR (((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%FailureCommand%' ESCAPE '\\') OR (CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%ImagePath%' ESCAPE '\\')) AND (CommandLine LIKE '%.sh%' ESCAPE '\\' OR CommandLine LIKE '%.exe%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine LIKE '%.bin$%' ESCAPE '\\' OR CommandLine LIKE '%.bat%' ESCAPE '\\' OR CommandLine LIKE '%.cmd%' ESCAPE '\\' OR CommandLine LIKE '%.js%' ESCAPE '\\' OR CommandLine LIKE '%.msh$%' ESCAPE '\\' OR CommandLine LIKE '%.reg$%' ESCAPE '\\' OR CommandLine LIKE '%.scr%' ESCAPE '\\' OR CommandLine LIKE '%.ps%' ESCAPE '\\' OR CommandLine LIKE '%.vb%' ESCAPE '\\' OR CommandLine LIKE '%.jar%' ESCAPE '\\' OR CommandLine LIKE '%.pl%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_sc_service_tamper_for_persistence.yml" }, { "title": "HackTool - UACMe Akagi Execution", "id": "d38d2fa4-98e6-4a24-aff1-410b0c9ad177", "status": "experimental", "description": "Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata", "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'UACMe' OR Company IN ('REvol Corp', 'APT 92', 'UG North', 'Hazardous Environments', 'CD Project Rekt') OR Description IN ('UACMe main module', 'Pentesting utility') OR OriginalFileName IN ('Akagi.exe', 'Akagi64.exe') OR (NewProcessName LIKE '%\\\\Akagi64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Akagi.exe' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\') OR Imphash IN ('767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b')))" ], "filename": "proc_creation_win_hktl_uacme.yml" }, { "title": "Suspicious Serv-U Process Pattern", "id": "58f4ea09-0fc2-4520-ba18-b85c540b0eaf", "status": "experimental", "description": "Detects a suspicious process pattern which could be a sign of an exploited Serv-U service", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1555", "cve.2021.35211" ], "falsepositives": [ "Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\Serv-U.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_servu_susp_child_process.yml" }, { "title": "Rundll32 Registered COM Objects", "id": "f1edd233-30b5-4823-9e6a-c4171b24d316", "status": "test", "description": "load malicious registered COM objects", "author": "frack113", "tags": [ "attack.privilege_escalation", "attack.persistence", "attack.t1546.015" ], "falsepositives": [ "Legitimate use" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ((CommandLine LIKE '%-sta %' ESCAPE '\\' OR CommandLine LIKE '%-localserver %' ESCAPE '\\') AND CommandLine LIKE '%{%' ESCAPE '\\' AND CommandLine LIKE '%}%' ESCAPE '\\'))" ], "filename": "proc_creation_win_rundll32_registered_com_objects.yml" }, { "title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell", "id": "692f0bec-83ba-4d04-af7e-e884a96059b6", "status": "stable", "description": "Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.", "author": "Markus Neis @Karneades", "tags": [ "attack.execution", "attack.t1047", "attack.t1059.001" ], "falsepositives": [ "AppvClient", "CCM", "WinRM" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')))" ], "filename": "proc_creation_win_wmiprvse_spawns_powershell.yml" }, { "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE", "id": "37db85d1-b089-490a-a59a-c7b6f984f480", "status": "test", "description": "Detects usage of \"findstr\" with the argument \"385201\". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).", "author": "frack113", "tags": [ "attack.discovery", "attack.t1518.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND CommandLine LIKE '% 385201%' ESCAPE '\\')" ], "filename": "proc_creation_win_findstr_sysmon_discovery_via_default_altitude.yml" }, { "title": "Suspicious AgentExecutor PowerShell Execution", "id": "c0b40568-b1e9-4b03-8d6c-b096da6da9ab", "status": "experimental", "description": "Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy \"Bypass\" or any binary named \"powershell.exe\" located in the path provided by 6th positional argument", "author": "Nasreddine Bencherchali (Nextron Systems), memory-shards", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\AgentExecutor.exe' ESCAPE '\\' OR OriginalFileName = 'AgentExecutor.exe') AND (CommandLine LIKE '% -powershell%' ESCAPE '\\' OR CommandLine LIKE '% -remediationScript%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_lolbin_agentexecutor_susp_usage.yml" }, { "title": "System Network Connections Discovery Via Net.EXE", "id": "1c67a717-32ba-409b-a45d-0fb704a73a81", "status": "experimental", "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "author": "frack113", "tags": [ "attack.discovery", "attack.t1049" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND ((CommandLine LIKE '% use' ESCAPE '\\' OR CommandLine LIKE '% sessions' ESCAPE '\\') OR (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% sessions %' ESCAPE '\\')))" ], "filename": "proc_creation_win_net_network_connections_discovery.yml" }, { "title": "Potential Encoded PowerShell Patterns In CommandLine", "id": "cdf05894-89e7-4ead-b2b0-0a5f97a90f2f", "status": "test", "description": "Detects specific combinations of encoding methods in PowerShell via the commandline", "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (((CommandLine LIKE '%ToInt%' ESCAPE '\\' OR CommandLine LIKE '%ToDecimal%' ESCAPE '\\' OR CommandLine LIKE '%ToByte%' ESCAPE '\\' OR CommandLine LIKE '%ToUint%' ESCAPE '\\' OR CommandLine LIKE '%ToSingle%' ESCAPE '\\' OR CommandLine LIKE '%ToSByte%' ESCAPE '\\') AND (CommandLine LIKE '%ToChar%' ESCAPE '\\' OR CommandLine LIKE '%ToString%' ESCAPE '\\' OR CommandLine LIKE '%String%' ESCAPE '\\')) OR ((CommandLine LIKE '%char%' ESCAPE '\\' AND CommandLine LIKE '%join%' ESCAPE '\\') OR (CommandLine LIKE '%split%' ESCAPE '\\' AND CommandLine LIKE '%join%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_powershell_encoding_patterns.yml" }, { "title": "Suspicious Hacktool Execution - Imphash", "id": "24e3e58a-646b-4b50-adef-02ef935b9fc8", "status": "experimental", "description": "Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Legitimate use of one of these tools" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b') OR (Hashes LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_execution_via_imphashes.yml" }, { "title": "Invoke-Obfuscation Via Stdin", "id": "9c14c9fa-1a63-4a64-8e57-d19280559490", "status": "test", "description": "Detects Obfuscated Powershell via Stdin in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND (CommandLine LIKE '%environment%' ESCAPE '\\' OR CommandLine LIKE '%invoke%' ESCAPE '\\' OR CommandLine LIKE '%input%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_via_stdin.yml" }, { "title": "Sensitive Registry Access via Volume Shadow Copy", "id": "f57f8d16-1f39-4dcb-a604-6c73d9b54b3d", "status": "experimental", "description": "Detects a command that accesses password storing registry hives via volume shadow backups", "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ "attack.impact", "attack.t1490" ], "falsepositives": [ "Some rare backup scenarios" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\NTDS.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SECURITY%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\tmp\\\\log%' ESCAPE '\\'))" ], "filename": "proc_creation_win_malware_conti_shadowcopy.yml" }, { "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments", "id": "a7c3d773-caef-227e-a7e7-c2f13c622329", "status": "experimental", "description": "Detects attackers using tooling with bad opsec defaults.\nE.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.\nOne trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.\n", "author": "Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND CommandLine LIKE '%WerFault.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%rundll32.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvcs.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regasm.exe' ESCAPE '\\' AND CommandLine LIKE '%regasm.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '%regsvr32.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" }, { "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe", "id": "65d2be45-8600-4042-b4c0-577a1ff8a60e", "status": "test", "description": "Detects defence evasion attempt via odbcconf.exe execution to load DLL", "author": "Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1218.008" ], "falsepositives": [ "Legitimate use of odbcconf.exe by legitimate user" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR OriginalFileName = 'odbcconf.exe') AND (CommandLine LIKE '%-a%' ESCAPE '\\' OR CommandLine LIKE '%-f%' ESCAPE '\\' OR CommandLine LIKE '%/a%' ESCAPE '\\' OR CommandLine LIKE '%/f%' ESCAPE '\\' OR CommandLine LIKE '%regsvr%' ESCAPE '\\')) OR (ParentProcessName LIKE '%\\\\odbcconf.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE'))))" ], "filename": "proc_creation_win_odbcconf_susp_exec.yml" }, { "title": "Operator Bloopers Cobalt Strike Modules", "id": "4f154fb6-27d1-4813-a759-78b93e0b9c48", "status": "experimental", "description": "Detects Cobalt Strike module/commands accidentally entered in CMD shell", "author": "_pete_0, TheDFIRReport", "tags": [ "attack.execution", "attack.t1059.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Cmd.Exe' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') AND (CommandLine LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR CommandLine LIKE '%zerologon%' ESCAPE '\\' OR CommandLine LIKE '%av\\_query%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_cobaltstrike_bloopers_modules.yml" }, { "title": "DLL Execution via Rasautou.exe", "id": "cd3d1298-eb3b-476c-ac67-12847de55813", "status": "test", "description": "Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.", "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unlikely" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rasautou.exe' ESCAPE '\\' OR OriginalFileName = 'rasdlui.exe') AND (CommandLine LIKE '% -d %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_rasautou_dll_execution.yml" }, { "title": "Use of VisualUiaVerifyNative.exe", "id": "b30a8bc5-e21b-4ca2-9420-0a94019ac56a", "status": "experimental", "description": "VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.", "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Legitimate testing of Microsoft UI parts." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\VisualUiaVerifyNative.exe' ESCAPE '\\' OR OriginalFileName = 'VisualUiaVerifyNative.exe'))" ], "filename": "proc_creation_win_lolbin_visualuiaverifynative.yml" }, { "title": "PUA - Process Hacker / System Informer Execution", "id": "811e0002-b13b-4a15-9d00-a613fce66e42", "status": "experimental", "description": "Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Sometimes used by developers or system administrators for debugging purposes" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\ProcessHacker\\_%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\SystemInformer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ProcessHacker.exe' ESCAPE '\\') OR OriginalFileName IN ('ProcessHacker.exe', 'Process Hacker', 'SystemInformer.exe') OR Description IN ('Process Hacker', 'System Informer') OR Product = 'Process Hacker' OR (Hashes LIKE '%MD5=68F9B52895F4D34E74112F3129B3B00D%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E%' ESCAPE '\\' OR Hashes LIKE '%SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF%' ESCAPE '\\' OR Hashes LIKE '%MD5=B365AF317AE730A67C936F21432B9C71%' ESCAPE '\\' OR Hashes LIKE '%SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=3695333C60DEDECDCAFF1590409AA462%' ESCAPE '\\') OR md5 IN ('68f9b52895f4d34e74112f3129b3b00d', 'b365af317ae730a67c936f21432b9c71') OR sha1 IN ('c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e', 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d') OR sha256 IN ('d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f', 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4') OR Imphash IN ('04de0ad9c37eb7bd52043d2ecac958df', '3695333c60dedecdcaff1590409aa462')))" ], "filename": "proc_creation_win_pua_process_hacker.yml" }, { "title": "Suspicious Schtasks From Env Var Folder", "id": "81325ce1-be01-4250-944f-b4789644556f", "status": "experimental", "description": "Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1053.005" ], "falsepositives": [ "Benign scheduled tasks creations or executions that happen often during software installations", "Software that uses the AppData folder and scheduled tasks to update the software in the AppData folders" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /create %' ESCAPE '\\' AND (CommandLine LIKE '%\\%AppData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\')) OR (ParentCommandLine LIKE '%\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' AND (CommandLine LIKE '%\\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs%' ESCAPE '\\'))) AND NOT (((CommandLine LIKE '%update\\_task.xml%' ESCAPE '\\' OR CommandLine LIKE '%/Create /TN TVInstallRestore /TR%' ESCAPE '\\') OR ParentCommandLine LIKE '%unattended.ini%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /Xml \"C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\.CR.%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_Security\\_Installation.xml%' ESCAPE '\\') OR (CommandLine LIKE '%/Create /F /TN%' ESCAPE '\\' AND CommandLine LIKE '%/Xml %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND CommandLine LIKE '%Avira\\_%' ESCAPE '\\' AND (CommandLine LIKE '%.tmp\\\\UpdateFallbackTask.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\WatchdogServiceControlManagerTimeout.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\SystrayAutostart.xml%' ESCAPE '\\' OR CommandLine LIKE '%.tmp\\\\MaintenanceTask.xml%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/Create /TN \"klcp\\_update\" /XML %' ESCAPE '\\' AND CommandLine LIKE '%\\\\klcp\\_update\\_task.xml%' ESCAPE '\\')))" ], "filename": "proc_creation_win_schtasks_env_folder.yml" }, { "title": "MSHTA Suspicious Execution 01", "id": "cc7abbd0-762b-41e3-8a26-57ad50d2eea3", "status": "test", "description": "Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism", "author": "Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)", "tags": [ "attack.defense_evasion", "attack.t1140", "attack.t1218.005", "attack.execution", "attack.t1059.007", "cve.2020.1599" ], "falsepositives": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' AND (CommandLine LIKE '%vbscript%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.lnk%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.zip%' ESCAPE '\\' OR CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], "filename": "proc_creation_win_mshta_susp_execution.yml" }, { "title": "WMI Persistence - Script Event Consumer", "id": "ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e", "status": "test", "description": "Detects WMI script event consumers", "author": "Thomas Patzke", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1546.003" ], "falsepositives": [ "Legitimate event consumers", "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\' AND ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_wmi_persistence_script_event_consumer.yml" }, { "title": "Active Directory Structure Export Via Ldifde.EXE", "id": "4f7a6757-ff79-46db-9687-66501a02d9ec", "status": "experimental", "description": "Detects the execution of \"ldifde.exe\" in order to export organizational Active Directory structure.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.exfiltration" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR OriginalFileName = 'ldifde.exe') AND CommandLine LIKE '%-f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" ], "filename": "proc_creation_win_ldifde_export.yml" }, { "title": "Abusing IEExec To Download Payloads", "id": "9801abb8-e297-4dbf-9fbd-57dde0e830ad", "status": "experimental", "description": "Detects execution of the IEExec utility to download payloads", "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\IEExec.exe' ESCAPE '\\' OR OriginalFileName = 'IEExec.exe') AND (CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%http://%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_ieexec_download.yml" }, { "title": "Use of UltraVNC Remote Access Software", "id": "145322e4-0fd3-486b-81ca-9addc75736d8", "status": "experimental", "description": "An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'VNCViewer' OR Product = 'UltraVNC VNCViewer' OR Company = 'UltraVNC' OR OriginalFileName = 'VNCViewer.exe'))" ], "filename": "proc_creation_win_ultravnc.yml" }, { "title": "HackTool - Certify Execution", "id": "762f2482-ff21-4970-8939-0aa317a886bb", "status": "experimental", "description": "Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.", "author": "pH-T (Nextron Systems)", "tags": [ "attack.discovery", "attack.credential_access", "attack.t1649" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\Certify.exe' ESCAPE '\\' OR OriginalFileName = 'Certify.exe' OR Description LIKE '%Certify%' ESCAPE '\\') OR ((CommandLine LIKE '%.exe cas %' ESCAPE '\\' OR CommandLine LIKE '%.exe find %' ESCAPE '\\' OR CommandLine LIKE '%.exe pkiobjects %' ESCAPE '\\' OR CommandLine LIKE '%.exe request %' ESCAPE '\\' OR CommandLine LIKE '%.exe download %' ESCAPE '\\') AND (CommandLine LIKE '% /vulnerable%' ESCAPE '\\' OR CommandLine LIKE '% /template:%' ESCAPE '\\' OR CommandLine LIKE '% /altname:%' ESCAPE '\\' OR CommandLine LIKE '% /domain:%' ESCAPE '\\' OR CommandLine LIKE '% /path:%' ESCAPE '\\' OR CommandLine LIKE '% /ca:%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_hktl_certify.yml" }, { "title": "7Zip Compressing Dump Files", "id": "ec570e53-4c76-45a9-804d-dc3f355ff7a7", "status": "experimental", "description": "Detects a suspicious 7zip execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.collection", "attack.t1560.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description LIKE '%7-Zip%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7zr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7za.exe' ESCAPE '\\') OR OriginalFileName IN ('7z.exe', '7za.exe')) AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], "filename": "proc_creation_win_7zip_exfil_dmp_files.yml" }, { "title": "Use Short Name Path in Image", "id": "a96970af-f126-420d-90e1-d37bf25e50e1", "status": "experimental", "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection", "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1564.004" ], "falsepositives": [ "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%~1\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%~2\\\\%' ESCAPE '\\') AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\') OR Product = 'InstallShield (R)' OR Description = 'InstallShield (R) Setup Engine' OR Company = 'InstallShield Software Corporation') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR (NewProcessName LIKE '%~1\\\\unzip.exe' ESCAPE '\\' OR NewProcessName LIKE '%~1\\\\7zG.exe' ESCAPE '\\'))))" ], "filename": "proc_creation_win_susp_ntfs_short_name_path_use_image.yml" }, { "title": "Suspicious Workstation Locking via Rundll32", "id": "3b5b0213-0460-4e3f-8937-3abf98ff7dcc", "status": "experimental", "description": "Detects a suspicious call to the user32.dll function that locks the user workstation", "author": "frack113", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Scripts or links on the user desktop used to lock the workstation instead of Windows+L or the menu option" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%user32.dll,%' ESCAPE '\\' AND CommandLine LIKE '%LockWorkStation%' ESCAPE '\\')" ], "filename": "proc_creation_win_rundll32_user32_dll.yml" }, { "title": "Use of Forfiles For Execution", "id": "9aa5106d-bce3-4b13-86df-3a20f1d5cf0b", "status": "experimental", "description": "Execute commands and binaries from the context of \"forfiles\". This is used as a LOLBIN for example to bypass application whitelisting.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Legitimate use via a batch script or by an administrator." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR OriginalFileName = 'forfiles.exe') AND (CommandLine LIKE '% /p %' ESCAPE '\\' OR CommandLine LIKE '% -p %' ESCAPE '\\') AND (CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% -m %' ESCAPE '\\') AND (CommandLine LIKE '% /c %' ESCAPE '\\' OR CommandLine LIKE '% -c %' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_forfiles.yml" }, { "title": "New Generic Credentials Added Via Cmdkey.EXE", "id": "b1ec66c6-f4d1-4b5c-96dd-af28ccae7727", "status": "experimental", "description": "Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface.", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.005" ], "falsepositives": [ "Legitimate usage for administration purposes" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /g%' ESCAPE '\\' AND CommandLine LIKE '% /u%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\'))" ], "filename": "proc_creation_win_cmdkey_adding_generic_creds.yml" }, { "title": "Suspicious Modification Of Scheduled Tasks", "id": "1c0e41cd-21bb-4433-9acc-4a2cd6367b9b", "status": "experimental", "description": "Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location\nAttackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on\nInstead they modify the task after creation to include their malicious payload\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /Change %' ESCAPE '\\' AND CommandLine LIKE '% /TN %' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\%ProgramData\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%appdata\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%comspec\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%localappdata\\%%' ESCAPE '\\') AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\' OR CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%bash.exe%' ESCAPE '\\' OR CommandLine LIKE '%bash %' ESCAPE '\\' OR CommandLine LIKE '%scrcons%' ESCAPE '\\' OR CommandLine LIKE '%wmic %' ESCAPE '\\' OR CommandLine LIKE '%wmic.exe%' ESCAPE '\\' OR CommandLine LIKE '%forfiles%' ESCAPE '\\' OR CommandLine LIKE '%scriptrunner%' ESCAPE '\\' OR CommandLine LIKE '%hh.exe%' ESCAPE '\\' OR CommandLine LIKE '%hh %' ESCAPE '\\'))" ], "filename": "proc_creation_win_schtasks_change.yml" }, { "title": "Potential Arbitrary DLL Load Using Winword", "id": "f7375e28-5c14-432f-b8d1-1db26c832df3", "status": "test", "description": "Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.", "author": "Victor Sergeev, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR OriginalFileName = 'WinWord.exe') AND (CommandLine LIKE '%/l %' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\'))" ], "filename": "proc_creation_win_office_winword_dll_load.yml" }, { "title": "Suspicious UltraVNC Execution", "id": "871b9555-69ca-4993-99d3-35a59f9f3599", "status": "test", "description": "Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)", "author": "Bhabesh Raj", "tags": [ "attack.lateral_movement", "attack.g0047", "attack.t1021.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%-autoreconnect %' ESCAPE '\\' AND CommandLine LIKE '%-connect %' ESCAPE '\\' AND CommandLine LIKE '%-id:%' ESCAPE '\\')" ], "filename": "proc_creation_win_ultravnc_susp_execution.yml" }, { "title": "Potential Recon Activity Using DriverQuery.EXE", "id": "9fc3072c-dc8f-4bf7-b231-18950000fadd", "status": "experimental", "description": "Detect usage of the \"driverquery\" utility to perform reconnaissance on installed drivers", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%driverquery.exe' ESCAPE '\\' OR OriginalFileName = 'drvqry.exe') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_driverquery_recon.yml" }, { "title": "Phishing Pattern ISO in Archive", "id": "fcdf69e5-a3d3-452a-9724-26f2308bf2b1", "status": "experimental", "description": "Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.initial_access", "attack.t1566" ], "falsepositives": [ "Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentProcessName LIKE '%\\\\Winrar.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\7zFM.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\peazip.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\isoburn.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerISO.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ImgBurn.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_archiver_iso_phishing.yml" }, { "title": "Kavremover Dropped Binary LOLBIN Usage", "id": "d047726b-c71c-4048-a99b-2e2f50dc107d", "status": "experimental", "description": "Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.", "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "tags": [ "attack.defense_evasion", "attack.t1127" ], "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '% run run-cmd %' ESCAPE '\\' AND NOT ((ParentProcessName LIKE '%\\\\kavremover.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cleanapi.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_lolbin_kavremover.yml" }, { "title": "Suspicious Atbroker Execution", "id": "f24bcaea-0cd1-11eb-adc1-0242ac120002", "status": "test", "description": "Atbroker executing non-deafualt Assistive Technology applications", "author": "Mateusz Wydra, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Legitimate, non-default assistive technology applications execution" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%AtBroker.exe' ESCAPE '\\' AND CommandLine LIKE '%start%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%animations%' ESCAPE '\\' OR CommandLine LIKE '%audiodescription%' ESCAPE '\\' OR CommandLine LIKE '%caretbrowsing%' ESCAPE '\\' OR CommandLine LIKE '%caretwidth%' ESCAPE '\\' OR CommandLine LIKE '%colorfiltering%' ESCAPE '\\' OR CommandLine LIKE '%cursorscheme%' ESCAPE '\\' OR CommandLine LIKE '%filterkeys%' ESCAPE '\\' OR CommandLine LIKE '%focusborderheight%' ESCAPE '\\' OR CommandLine LIKE '%focusborderwidth%' ESCAPE '\\' OR CommandLine LIKE '%highcontrast%' ESCAPE '\\' OR CommandLine LIKE '%keyboardcues%' ESCAPE '\\' OR CommandLine LIKE '%keyboardpref%' ESCAPE '\\' OR CommandLine LIKE '%magnifierpane%' ESCAPE '\\' OR CommandLine LIKE '%messageduration%' ESCAPE '\\' OR CommandLine LIKE '%minimumhitradius%' ESCAPE '\\' OR CommandLine LIKE '%mousekeys%' ESCAPE '\\' OR CommandLine LIKE '%Narrator%' ESCAPE '\\' OR CommandLine LIKE '%osk%' ESCAPE '\\' OR CommandLine LIKE '%overlappedcontent%' ESCAPE '\\' OR CommandLine LIKE '%showsounds%' ESCAPE '\\' OR CommandLine LIKE '%soundsentry%' ESCAPE '\\' OR CommandLine LIKE '%stickykeys%' ESCAPE '\\' OR CommandLine LIKE '%togglekeys%' ESCAPE '\\' OR CommandLine LIKE '%windowarranging%' ESCAPE '\\' OR CommandLine LIKE '%windowtracking%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingtimeout%' ESCAPE '\\' OR CommandLine LIKE '%windowtrackingzorder%' ESCAPE '\\')))" ], "filename": "proc_creation_win_lolbin_susp_atbroker.yml" }, { "title": "Tap Installer Execution", "id": "99793437-3e16-439b-be0f-078782cf953d", "status": "test", "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques", "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ "attack.exfiltration", "attack.t1048" ], "falsepositives": [ "Legitimate OpenVPN TAP insntallation" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NewProcessName LIKE '%\\\\tapinstall.exe' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\SecureLine VPN\\\\tapinstall.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\OpenVPN Connect\\\\drivers\\\\tap\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Proton Technologies\\\\ProtonVPNTap\\\\installer\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_tapinstall_execution.yml" }, { "title": "Permission Check Via Accesschk.EXE", "id": "c625d754-6a3d-4f65-9c9a-536aea960d37", "status": "test", "description": "Detects the usage of the \"Accesschk\" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges", "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1069.001" ], "falsepositives": [ "System administrator Usage" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product LIKE '%AccessChk' ESCAPE '\\' OR Description LIKE '%Reports effective permissions%' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\accesschk.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\accesschk64.exe' ESCAPE '\\') OR OriginalFileName = 'accesschk.exe') AND (CommandLine LIKE '%uwcqv %' ESCAPE '\\' OR CommandLine LIKE '%kwsu %' ESCAPE '\\' OR CommandLine LIKE '%qwsu %' ESCAPE '\\' OR CommandLine LIKE '%uwdqs %' ESCAPE '\\'))" ], "filename": "proc_creation_win_sysinternals_accesschk_check_permissions.yml" }, { "title": "Renamed Vmnat.exe Execution", "id": "7b4f794b-590a-4ad4-ba18-7964a2832205", "status": "experimental", "description": "Detects renamed vmnat.exe or portable version that can be used for DLL side-loading", "author": "elhoim", "tags": [ "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'vmnat.exe' AND NOT ((NewProcessName LIKE '%vmnat.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_renamed_vmnat.yml" }, { "title": "Suspicious SysAidServer Child", "id": "60bfeac3-0d35-4302-8efb-1dd16f715bc6", "status": "experimental", "description": "Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%SysAidServer%' ESCAPE '\\')" ], "filename": "proc_creation_win_java_sysaidserver_susp_child_process.yml" }, { "title": "Application Whitelisting Bypass via PresentationHost.exe", "id": "d22e2925-cfd8-463f-96f6-89cec9d9bc5f", "status": "experimental", "description": "Detects usage of \"PresentationHost\" which is a utility that runs \".xbap\" (Browser Applications) files. It can be abused to run malicious \".xbap\" files any bypass AWL", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1218" ], "falsepositives": [ "Legitimate \".xbap\" being executed via \"PresentationHost\"" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\presentationhost.exe' ESCAPE '\\' OR OriginalFileName = 'PresentationHost.exe') AND CommandLine LIKE '%.xbap%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Program Files%' ESCAPE '\\')))" ], "filename": "proc_creation_win_lolbin_presentationhost.yml" }, { "title": "Suspicious Compression Tool Parameters", "id": "27a72a60-7e5e-47b1-9d17-909c9abafdcd", "status": "test", "description": "Detects suspicious command line arguments of common data compression tools", "author": "Florian Roth (Nextron Systems), Samir Bousseaden", "tags": [ "attack.collection", "attack.t1560.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName LIKE '7z%.exe' ESCAPE '\\' OR OriginalFileName LIKE '%rar.exe' ESCAPE '\\' OR OriginalFileName LIKE '%Command%Line%RAR%' ESCAPE '\\') AND (CommandLine LIKE '% -p%' ESCAPE '\\' OR CommandLine LIKE '% -ta%' ESCAPE '\\' OR CommandLine LIKE '% -tb%' ESCAPE '\\' OR CommandLine LIKE '% -sdel%' ESCAPE '\\' OR CommandLine LIKE '% -dw%' ESCAPE '\\' OR CommandLine LIKE '% -hp%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE 'C:\\\\Program%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_compression_params.yml" }, { "title": "Hiding Files with Attrib.exe", "id": "4281cb20-2994-4580-aa63-c8b86d019934", "status": "test", "description": "Detects usage of attrib.exe to hide files from users.", "author": "Sami Ruohonen", "tags": [ "attack.defense_evasion", "attack.t1564.001" ], "falsepositives": [ "IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)", "Msiexec.exe hiding desktop.ini" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +h %' ESCAPE '\\') AND NOT ((CommandLine LIKE '%\\\\desktop.ini %' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '+R +H +S +A \\\\\\*.cui' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\\\*.bat' ESCAPE '\\')))" ], "filename": "proc_creation_win_attrib_hiding_files.yml" }, { "title": "Potential Defense Evasion Via Binary Rename", "id": "36480ae1-a1cb-4eaa-a0d6-29801d7e9142", "status": "test", "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", "author": "Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades)", "tags": [ "attack.defense_evasion", "attack.t1036.003" ], "falsepositives": [ "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName IN ('Cmd.Exe', 'CONHOST.EXE', '7z.exe', 'WinRAR.exe', 'wevtutil.exe', 'net.exe', 'net1.exe', 'netsh.exe', 'InstallUtil.exe') AND NOT ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\7z.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WinRAR.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\InstallUtil.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_renamed_binary.yml" }, { "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call", "id": "9c0295ce-d60d-40bd-bd74-84673b7592b1", "status": "test", "description": "Detects suspicious base64 encoded and obfuscated \"LOAD\" keyword used in .NET \"reflection.assembly\"", "author": "pH-T (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1059.001", "attack.t1027" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvACIAKwAiAGEAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACIATABvAGEAIgArACIAZAAiACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvACcAKwAnAGEAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA%' ESCAPE '\\' OR CommandLine LIKE '%OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ%' ESCAPE '\\' OR CommandLine LIKE '%oAOgAoACcATABvAGEAJwArACcAZAAnACkA%' ESCAPE '\\' OR CommandLine LIKE '%6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" }, { "title": "PDQ Deploy Remote Adminstartion Tool Execution", "id": "d679950c-abb7-43a6-80fb-2a480c4fc450", "status": "experimental", "description": "Detect use of PDQ Deploy remote admin tool", "author": "frack113", "tags": [ "attack.execution", "attack.lateral_movement", "attack.t1072" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'PDQ Deploy Console' OR Product = 'PDQ Deploy' OR Company = 'PDQ.com' OR OriginalFileName = 'PDQDeployConsole.exe'))" ], "filename": "proc_creation_win_pdqdeploy_execution.yml" }, { "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE", "id": "dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45", "status": "experimental", "description": "Detects the execution of wmic with the \"qfe\" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '% qfe%' ESCAPE '\\')" ], "filename": "proc_creation_win_wmic_recon_hotfix.yml" }, { "title": "Suspicious Windows Service Tampering", "id": "ce72ef99-22f1-43d4-8695-419dcb5d9330", "status": "experimental", "description": "Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts", "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", "attack.t1489" ], "falsepositives": [ "Administrators or tools shutting down the services due to upgrade or removal purposes. If you experience some false positive, please consider adding filters to the parent process launching this command and not removing the entry" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%143Svc%' ESCAPE '\\' OR CommandLine LIKE '%Acronis VSS Provider%' ESCAPE '\\' OR CommandLine LIKE '%AcronisAgent%' ESCAPE '\\' OR CommandLine LIKE '%AcrSch2Svc%' ESCAPE '\\' OR CommandLine LIKE '%Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%ARSM%' ESCAPE '\\' OR CommandLine LIKE '%aswBcc%' ESCAPE '\\' OR CommandLine LIKE '%Avast Business Console Client Antivirus Service%' ESCAPE '\\' OR CommandLine LIKE '%avast! Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%AVG Antivirus%' ESCAPE '\\' OR CommandLine LIKE '%avgAdminClient%' ESCAPE '\\' OR CommandLine LIKE '%AvgAdminServer%' ESCAPE '\\' OR CommandLine LIKE '%AVP1%' ESCAPE '\\' OR CommandLine LIKE '%BackupExec%' ESCAPE '\\' OR CommandLine LIKE '%bedbg%' ESCAPE '\\' OR CommandLine LIKE '%BITS%' ESCAPE '\\' OR CommandLine LIKE '%BrokerInfrastructure%' ESCAPE '\\' OR CommandLine LIKE '%Client Agent 7.60%' ESCAPE '\\' OR CommandLine LIKE '%Core Browsing Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Mail Protection%' ESCAPE '\\' OR CommandLine LIKE '%Core Scanning Server%' ESCAPE '\\' OR CommandLine LIKE '%DCAgent%' ESCAPE '\\' OR CommandLine LIKE '%EhttpSr%' ESCAPE '\\' OR CommandLine LIKE '%ekrn%' ESCAPE '\\' OR CommandLine LIKE '%Enterprise Client Service%' ESCAPE '\\' OR CommandLine LIKE '%epag%' ESCAPE '\\' OR CommandLine LIKE '%EPIntegrationService%' ESCAPE '\\' OR CommandLine LIKE '%EPProtectedService%' ESCAPE '\\' OR CommandLine LIKE '%EPRedline%' ESCAPE '\\' OR CommandLine LIKE '%EPSecurityService%' ESCAPE '\\' OR CommandLine LIKE '%EPUpdateService%' ESCAPE '\\' OR CommandLine LIKE '%EraserSvc11710%' ESCAPE '\\' OR CommandLine LIKE '%EsgShKernel%' ESCAPE '\\' OR CommandLine LIKE '%ESHASRV%' ESCAPE '\\' OR CommandLine LIKE '%FA\\_Scheduler%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdGuardianDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%FirebirdServerDefaultInstance%' ESCAPE '\\' OR CommandLine LIKE '%HealthTLService%' ESCAPE '\\' OR CommandLine LIKE '%HISSQLFDLauncherSSHAREPOINIT%' ESCAPE '\\' OR CommandLine LIKE '%hmpalertsvc%' ESCAPE '\\' OR CommandLine LIKE '%HMS%' ESCAPE '\\' OR CommandLine LIKE '%IISAdmin%' ESCAPE '\\' OR CommandLine LIKE '%IMANSVC%' ESCAPE '\\' OR CommandLine LIKE '%IMAP4Svc%' ESCAPE '\\' OR CommandLine LIKE '%KAVFS%' ESCAPE '\\' OR CommandLine LIKE '%KAVFSGT%' ESCAPE '\\' OR CommandLine LIKE '%kavfsslp%' ESCAPE '\\' OR CommandLine LIKE '%klbackupdisk%' ESCAPE '\\' OR CommandLine LIKE '%klbackupflt%' ESCAPE '\\' OR CommandLine LIKE '%klflt%' ESCAPE '\\' OR CommandLine LIKE '%klhk%' ESCAPE '\\' OR CommandLine LIKE '%KLIF%' ESCAPE '\\' OR CommandLine LIKE '%klim6%' ESCAPE '\\' OR CommandLine LIKE '%klkbdflt%' ESCAPE '\\' OR CommandLine LIKE '%klmouflt%' ESCAPE '\\' OR CommandLine LIKE '%klnagent%' ESCAPE '\\' OR CommandLine LIKE '%klpd%' ESCAPE '\\' OR CommandLine LIKE '%kltap%' ESCAPE '\\' OR CommandLine LIKE '%KSDE1.0.0%' ESCAPE '\\' OR CommandLine LIKE '%LogProcessorService%' ESCAPE '\\' OR CommandLine LIKE '%M8EndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%macmnsvc%' ESCAPE '\\' OR CommandLine LIKE '%masvc%' ESCAPE '\\' OR CommandLine LIKE '%MBAMService%' ESCAPE '\\' OR CommandLine LIKE '%MBCloudEA%' ESCAPE '\\' OR CommandLine LIKE '%MBEndpointAgent%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeDLPAgentService%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeEngineService%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEEEVENTPARSERSRV%' ESCAPE '\\' OR CommandLine LIKE '%McAfeeFramework%' ESCAPE '\\' OR CommandLine LIKE '%MCAFEETOMCATSRV530%' ESCAPE '\\' OR CommandLine LIKE '%McShield%' ESCAPE '\\' OR CommandLine LIKE '%McTaskManager%' ESCAPE '\\' OR CommandLine LIKE '%mfefire%' ESCAPE '\\' OR CommandLine LIKE '%mfemms%' ESCAPE '\\' OR CommandLine LIKE '%mfevto%' ESCAPE '\\' OR CommandLine LIKE '%mfevtp%' ESCAPE '\\' OR CommandLine LIKE '%mfewc%' ESCAPE '\\' OR CommandLine LIKE '%MMS%' ESCAPE '\\' OR CommandLine LIKE '%mozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%MsDtsServer%' ESCAPE '\\' OR CommandLine LIKE '%MSExchange%' ESCAPE '\\' OR CommandLine LIKE '%msftesq1SPROO%' ESCAPE '\\' OR CommandLine LIKE '%msftesql$PROD%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SQL\\_2008%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$SYSTEM\\_BGC%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAP$TPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPS%' ESCAPE '\\' OR CommandLine LIKE '%MSOLAPSTPSAMA%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ!I.SPROFXENGAGEMEHT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SHAREPOINT%' ESCAPE '\\' OR CommandLine LIKE '%MSSQ0SOPHOS%' ESCAPE '\\' OR CommandLine LIKE '%MSSQL%' ESCAPE '\\' OR CommandLine LIKE '%MySQL%' ESCAPE '\\' OR CommandLine LIKE '%NanoServiceMain%' ESCAPE '\\' OR CommandLine LIKE '%NetMsmqActivator%' ESCAPE '\\' OR CommandLine LIKE '%ntrtscan%' ESCAPE '\\' OR CommandLine LIKE '%ofcservice%' ESCAPE '\\' OR CommandLine LIKE '%Online Protection System%' ESCAPE '\\' OR CommandLine LIKE '%OracleClientCache80%' ESCAPE '\\' OR CommandLine LIKE '%PandaAetherAgent%' ESCAPE '\\' OR CommandLine LIKE '%PccNTUpd%' ESCAPE '\\' OR CommandLine LIKE '%PDVFSService%' ESCAPE '\\' OR CommandLine LIKE '%POP3Svc%' ESCAPE '\\' OR CommandLine LIKE '%POVFSService%' ESCAPE '\\' OR CommandLine LIKE '%PSUAService%' ESCAPE '\\' OR CommandLine LIKE '%Quick Update Service%' ESCAPE '\\' OR CommandLine LIKE '%RepairService%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer%' ESCAPE '\\' OR CommandLine LIKE '%ReportServer$%' ESCAPE '\\' OR CommandLine LIKE '%RESvc%' ESCAPE '\\' OR CommandLine LIKE '%RpcEptMapper%' ESCAPE '\\' OR CommandLine LIKE '%sacsvr%' ESCAPE '\\' OR CommandLine LIKE '%SamSs%' ESCAPE '\\' OR CommandLine LIKE '%SAVAdminService%' ESCAPE '\\' OR CommandLine LIKE '%SAVService%' ESCAPE '\\' OR CommandLine LIKE '%ScSecSvc%' ESCAPE '\\' OR CommandLine LIKE '%SDRSVC%' ESCAPE '\\' OR CommandLine LIKE '%SentinelAgent%' ESCAPE '\\' OR CommandLine LIKE '%SentinelHelperService%' ESCAPE '\\' OR CommandLine LIKE '%SepMasterService%' ESCAPE '\\' OR CommandLine LIKE '%ShMonitor%' ESCAPE '\\' OR CommandLine LIKE '%Smcinst%' ESCAPE '\\' OR CommandLine LIKE '%SmcService%' ESCAPE '\\' OR CommandLine LIKE '%SMTPSvc%' ESCAPE '\\' OR CommandLine LIKE '%SNAC%' ESCAPE '\\' OR CommandLine LIKE '%SntpService%' ESCAPE '\\' OR CommandLine LIKE '%Sophos%' ESCAPE '\\' OR CommandLine LIKE '%SQ1SafeOLRService%' ESCAPE '\\' OR CommandLine LIKE '%SQL Backups%' ESCAPE '\\' OR CommandLine LIKE '%SQL Server%' ESCAPE '\\' OR CommandLine LIKE '%SQLAgent%' ESCAPE '\\' OR CommandLine LIKE '%SQLBrowser%' ESCAPE '\\' OR CommandLine LIKE '%SQLsafe%' ESCAPE '\\' OR CommandLine LIKE '%SQLSERVERAGENT%' ESCAPE '\\' OR CommandLine LIKE '%SQLTELEMETRY%' ESCAPE '\\' OR CommandLine LIKE '%SQLWriter%' ESCAPE '\\' OR CommandLine LIKE '%SSISTELEMETRY130%' ESCAPE '\\' OR CommandLine LIKE '%SstpSvc%' ESCAPE '\\' OR CommandLine LIKE '%svcGenericHost%' ESCAPE '\\' OR CommandLine LIKE '%swc\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_filter%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_service%' ESCAPE '\\' OR CommandLine LIKE '%swi\\_update%' ESCAPE '\\' OR CommandLine LIKE '%Symantec%' ESCAPE '\\' OR CommandLine LIKE '%Telemetryserver%' ESCAPE '\\' OR CommandLine LIKE '%ThreatLockerService%' ESCAPE '\\' OR CommandLine LIKE '%TMBMServer%' ESCAPE '\\' OR CommandLine LIKE '%TmCCSF%' ESCAPE '\\' OR CommandLine LIKE '%TmFilter%' ESCAPE '\\' OR CommandLine LIKE '%TMiCRCScanService%' ESCAPE '\\' OR CommandLine LIKE '%tmlisten%' ESCAPE '\\' OR CommandLine LIKE '%TMLWCSService%' ESCAPE '\\' OR CommandLine LIKE '%TmPfw%' ESCAPE '\\' OR CommandLine LIKE '%TmPreFilter%' ESCAPE '\\' OR CommandLine LIKE '%TmProxy%' ESCAPE '\\' OR CommandLine LIKE '%TMSmartRelayService%' ESCAPE '\\' OR CommandLine LIKE '%tmusa%' ESCAPE '\\' OR CommandLine LIKE '%Trend Micro Deep Security Manager%' ESCAPE '\\' OR CommandLine LIKE '%TrueKey%' ESCAPE '\\' OR CommandLine LIKE '%UI0Detect%' ESCAPE '\\' OR CommandLine LIKE '%UTODetect%' ESCAPE '\\' OR CommandLine LIKE '%Veeam%' ESCAPE '\\' OR CommandLine LIKE '%VeemaDep/oySvc%' ESCAPE '\\' OR CommandLine LIKE '%Veritas System Recovery%' ESCAPE '\\' OR CommandLine LIKE '%VSApiNt%' ESCAPE '\\' OR CommandLine LIKE '%VSS%' ESCAPE '\\' OR CommandLine LIKE '%W3Svc%' ESCAPE '\\' OR CommandLine LIKE '%wbengine%' ESCAPE '\\' OR CommandLine LIKE '%WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%WeanClOudSve%' ESCAPE '\\' OR CommandLine LIKE '%Weems JY%' ESCAPE '\\' OR CommandLine LIKE '%WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%wozyprobackup%' ESCAPE '\\' OR CommandLine LIKE '%WRSVC%' ESCAPE '\\' OR CommandLine LIKE '%Zoolz 2 Service%' ESCAPE '\\') AND ((((OriginalFileName IN ('net.exe', 'net1.exe') OR (NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\')) AND CommandLine LIKE '% stop %' ESCAPE '\\') OR ((OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '%Stop-Service %' ESCAPE '\\' OR CommandLine LIKE '%Remove-Service %' ESCAPE '\\'))) OR ((OriginalFileName = 'sc.exe' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\') AND (CommandLine LIKE '% stop %' ESCAPE '\\' OR CommandLine LIKE '% delete %' ESCAPE '\\' OR CommandLine LIKE '% pause %' ESCAPE '\\'))))" ], "filename": "proc_creation_win_susp_service_tamper.yml" }, { "title": "Suspicious Process Parents", "id": "cbec226f-63d9-4eca-9f52-dfb6652f24df", "status": "experimental", "description": "Detects suspicious parent processes that should not have any children or should only have a single possible child program", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentProcessName LIKE '%\\\\minesweeper.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\calc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\win32calc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\')) OR (NewProcessName = '')))))" ], "filename": "proc_creation_win_susp_parents.yml" }, { "title": "Potential Windows Defender Tampering Via Wmic.EXE", "id": "51cbac1e-eee3-4a90-b1b7-358efb81fa0a", "status": "experimental", "description": "Detects potential tampering with Windows Defender settings such as adding exclusion using wmic", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'wmic.exe' OR NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\') AND CommandLine LIKE '%/Namespace:\\\\\\\\root\\\\Microsoft\\\\Windows\\\\Defender%' ESCAPE '\\')" ], "filename": "proc_creation_win_wmic_namespace_defender.yml" }, { "title": "Wab Execution From Non Default Location", "id": "395907ee-96e5-4666-af2e-2ca91688e151", "status": "experimental", "description": "Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\wab.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wabmig.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Mail\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Windows Mail\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_wab_execution_from_non_default_location.yml" }, { "title": "Remote Access Tool - NetSupport Execution", "id": "758ff488-18d5-4cbe-8ec4-02b6285a434f", "status": "experimental", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'NetSupport Client Configurator' OR Product = 'NetSupport Remote Control' OR Company = 'NetSupport Ltd' OR OriginalFileName = 'PCICFGUI.EXE'))" ], "filename": "proc_creation_win_remote_access_tools_netsupport.yml" }, { "title": "Active Directory Structure Export Via Csvde.EXE", "id": "e5d36acd-acb4-4c6f-a13f-9eb203d50099", "status": "experimental", "description": "Detects the execution of \"csvde.exe\" in order to export organizational Active Directory structure.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.exfiltration" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\csvde.exe' ESCAPE '\\' OR OriginalFileName = 'csvde.exe') AND CommandLine LIKE '% -f%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% -i%' ESCAPE '\\')))" ], "filename": "proc_creation_win_csvde_export.yml" }, { "title": "Delete All Scheduled Tasks", "id": "220457c1-1c9f-4c2e-afe6-9598926222c1", "status": "experimental", "description": "Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.impact", "attack.t1489" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '% /delete %' ESCAPE '\\' AND CommandLine LIKE '%/tn \\*' ESCAPE '\\' AND CommandLine LIKE '% /f%' ESCAPE '\\')" ], "filename": "proc_creation_win_schtasks_delete_all.yml" }, { "title": "Exfiltration and Tunneling Tools Execution", "id": "c75309a3-59f8-4a8d-9c2c-4c927ad50555", "status": "test", "description": "Execution of well known tools for data exfiltration and tunneling", "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.exfiltration", "attack.command_and_control", "attack.t1041", "attack.t1572", "attack.t1071.001" ], "falsepositives": [ "Legitimate Administrator using tools" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\socat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\stunnel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\httptunnel.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_exfiltration_and_tunneling_tools_execution.yml" }, { "title": "Renamed Remote Utilities RAT (RURAT) Execution", "id": "9ef27c24-4903-4192-881a-3adde7ff92a5", "status": "experimental", "description": "Detects execution of renamed Remote Utilities (RURAT) via Product PE header field", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.collection", "attack.command_and_control", "attack.discovery", "attack.s0592" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Product = 'Remote Utilities' AND NOT ((NewProcessName LIKE '%\\\\rutserv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rfusclient.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_renamed_rurat.yml" }, { "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE", "id": "d95de845-b83c-4a9a-8a6a-4fc802ebf6c0", "status": "experimental", "description": "Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE", "author": "Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1087.001", "attack.t1087.002" ], "falsepositives": [ "Inventory tool runs", "Administrative activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND ((((CommandLine LIKE '% group %' ESCAPE '\\' OR CommandLine LIKE '% localgroup %' ESCAPE '\\') AND (CommandLine LIKE '%domain admins%' ESCAPE '\\' OR CommandLine LIKE '% administrator%' ESCAPE '\\' OR CommandLine LIKE '% administrateur%' ESCAPE '\\' OR CommandLine LIKE '%enterprise admins%' ESCAPE '\\' OR CommandLine LIKE '%Exchange Trusted Subsystem%' ESCAPE '\\' OR CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\' OR CommandLine LIKE '% /do%' ESCAPE '\\')) AND NOT (CommandLine LIKE '% /add%' ESCAPE '\\')) OR (CommandLine LIKE '% accounts %' ESCAPE '\\' AND CommandLine LIKE '% /do%' ESCAPE '\\')))" ], "filename": "proc_creation_win_net_groups_and_accounts_recon.yml" }, { "title": "Potential Browser Data Stealing", "id": "47147b5b-9e17-4d76-b8d2-7bac24c5ce1b", "status": "experimental", "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1555.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%copy-item%' ESCAPE '\\' OR CommandLine LIKE '%copy %' ESCAPE '\\' OR CommandLine LIKE '%cpi %' ESCAPE '\\' OR CommandLine LIKE '% cp %' ESCAPE '\\' OR CommandLine LIKE '%move %' ESCAPE '\\' OR CommandLine LIKE '%move-item%' ESCAPE '\\' OR CommandLine LIKE '% mi %' ESCAPE '\\' OR CommandLine LIKE '% mv %' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\robocopy.exe' ESCAPE '\\') OR OriginalFileName IN ('XCOPY.EXE', 'robocopy.exe')) AND (CommandLine LIKE '%\\\\Opera Software\\\\Opera Stable\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_copy_browser_data.yml" }, { "title": "Service Reconnaissance Via Wmic.EXE", "id": "76f55eaa-d27f-4213-9d45-7b0e4b60bbae", "status": "experimental", "description": "An adversary might use WMI to check if a certain remote service is running on a remote device.\nWhen the test completes, a service information will be displayed on the screen if it exists.\nA common feedback message is that \"No instance(s) Available\" if the service queried is not running.\nA common error message is \"Node - (provided IP or default) ERROR Description =The RPC server is unavailable\" if the provided remote host is unreachable\n", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%service%' ESCAPE '\\')" ], "filename": "proc_creation_win_wmic_recon_service.yml" }, { "title": "Powershell Defender Exclusion", "id": "17769c90-230e-488b-a463-e05c08e9d48f", "status": "experimental", "description": "Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Possible Admin Activity", "Other Cmdlets that may use the same parameters" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Add-MpPreference %' ESCAPE '\\' OR CommandLine LIKE '%Set-MpPreference %' ESCAPE '\\') AND (CommandLine LIKE '% -ExclusionPath %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionExtension %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionProcess %' ESCAPE '\\' OR CommandLine LIKE '% -ExclusionIpAddress %' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_defender_exclusion.yml" }, { "title": "PUA - DIT Snapshot Viewer", "id": "d3b70aad-097e-409c-9df2-450f80dc476b", "status": "test", "description": "Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.", "author": "Furkan Caliskan (@caliskanfurkan_)", "tags": [ "attack.credential_access", "attack.t1003.003" ], "falsepositives": [ "Legitimate admin usage" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\ditsnap.exe' ESCAPE '\\' OR CommandLine LIKE '%ditsnap.exe%' ESCAPE '\\'))" ], "filename": "proc_creation_win_pua_ditsnap.yml" }, { "title": "HackTool - CrackMapExec Execution", "id": "42a993dd-bb3e-48c8-b372-4d6684c4106c", "status": "test", "description": "This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\crackmapexec.exe' ESCAPE '\\' OR CommandLine LIKE '% -M pe\\_inject %' ESCAPE '\\' OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -x %' ESCAPE '\\') OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -H ''NTHASH''%' ESCAPE '\\') OR (CommandLine LIKE '% mssql %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -d %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -H %' ESCAPE '\\' AND CommandLine LIKE '% -M %' ESCAPE '\\' AND CommandLine LIKE '% -o %' ESCAPE '\\') OR (CommandLine LIKE '% smb %' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% --local-auth%' ESCAPE '\\')) OR (CommandLine LIKE '% --local-auth%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% 10.%' ESCAPE '\\' AND CommandLine LIKE '% 192.168.%' ESCAPE '\\' AND CommandLine LIKE '%/24 %' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_crackmapexec_execution.yml" }, { "title": "HackTool - Pypykatz Credentials Dumping Activity", "id": "a29808fd-ef50-49ff-9c7a-59a9b040b404", "status": "test", "description": "Detects the usage of \"pypykatz\" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1003.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%\\\\pypykatz.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\python.exe' ESCAPE '\\') AND CommandLine LIKE '%live%' ESCAPE '\\' AND CommandLine LIKE '%registry%' ESCAPE '\\')" ], "filename": "proc_creation_win_hktl_pypykatz.yml" }, { "title": "Gpg4Win Decrypt Files From Suspicious Locations", "id": "e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d", "status": "experimental", "description": "Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI", "author": "Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\gpg2.exe' ESCAPE '\\' OR Product = 'GNU Privacy Guard (GnuPG)' OR Company = 'g10 Code GmbH') AND CommandLine LIKE '%-passphrase%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%C:\\\\temp%' ESCAPE '\\'))" ], "filename": "proc_creation_win_gpg4win_susp_usage.yml" }, { "title": "Always Install Elevated Windows Installer", "id": "cd951fdc-4b2f-47f5-ba99-a33bf61e3770", "status": "experimental", "description": "Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege", "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", "tags": [ "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "System administrator usage", "Anti virus products", "WindowsApps located in \"C:\\Program Files\\WindowsApps\\\"" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%msi%' ESCAPE '\\' AND NewProcessName LIKE '%tmp' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND IntegrityLevel = 'System')) AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\') OR (CommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\' OR ParentCommandLine LIKE '%\\\\system32\\\\msiexec.exe /V' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Sophos\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Avira\\\\%' ESCAPE '\\') OR ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\%' ESCAPE '\\')) OR ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Update\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_susp_always_install_elevated_windows_installer.yml" }, { "title": "Potential PsExec Remote Execution", "id": "ea011323-7045-460b-b2d7-0f7442ea6b38", "status": "experimental", "description": "Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.resource_development", "attack.t1587.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%accepteula%' ESCAPE '\\' AND CommandLine LIKE '% -u %' ESCAPE '\\' AND CommandLine LIKE '% -p %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\')" ], "filename": "proc_creation_win_sysinternals_psexec_remote_execution.yml" }, { "title": "Arbitrary MSI Download Via Devinit.EXE", "id": "90d50722-0483-4065-8e35-57efaadd354d", "status": "test", "description": "Detects a certain command line flag combination used by \"devinit.exe\", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% -t msi-install %' ESCAPE '\\' AND CommandLine LIKE '% -i http%' ESCAPE '\\')" ], "filename": "proc_creation_win_devinit_lolbin_usage.yml" }, { "title": "Renamed ProcDump Execution", "id": "4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67", "status": "test", "description": "Detects the execution of a renamed ProcDump executable often used by attackers or malware", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036.003" ], "falsepositives": [ "Procdump illegaly bundled with legitimate software", "Administrators who rename binaries (should be investigated)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'procdump' OR ((CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '% /ma %' ESCAPE '\\') AND (CommandLine LIKE '% -accepteula %' ESCAPE '\\' OR CommandLine LIKE '% /accepteula %' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_renamed_sysinternals_procdump.yml" }, { "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet", "id": "a95b9b42-1308-4735-a1af-abb1c5e6f5ac", "status": "experimental", "description": "Detects suspicious DACL modifications via the \"Set-Service\" cmdlet using the \"SecurityDescriptorSddl\" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR OriginalFileName = 'pwsh.dll') AND (CommandLine LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR CommandLine LIKE '%-sd %' ESCAPE '\\') AND (CommandLine LIKE '%Set-Service %' ESCAPE '\\' AND CommandLine LIKE '%D;;%' ESCAPE '\\' AND (CommandLine LIKE '%;;;IU%' ESCAPE '\\' OR CommandLine LIKE '%;;;SU%' ESCAPE '\\' OR CommandLine LIKE '%;;;BA%' ESCAPE '\\' OR CommandLine LIKE '%;;;SY%' ESCAPE '\\' OR CommandLine LIKE '%;;;WD%' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_service_dacl_modification_set_service.yml" }, { "title": "IIS Native-Code Module Command Line Installation", "id": "9465ddf4-f9e4-4ebd-8d98-702df3a93239", "status": "test", "description": "Detects suspicious IIS native-code module installations via command line", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1505.003" ], "falsepositives": [ "Unknown as it may vary from organisation to organisation how admins use to install IIS modules" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\appcmd.exe' ESCAPE '\\' OR OriginalFileName = 'appcmd.exe') AND (CommandLine LIKE '%install%' ESCAPE '\\' AND CommandLine LIKE '%module%' ESCAPE '\\' AND (CommandLine LIKE '%/name:%' ESCAPE '\\' OR CommandLine LIKE '%-name:%' ESCAPE '\\'))) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_iis_appcmd_susp_module_install.yml" }, { "title": "Renamed BrowserCore.EXE Execution", "id": "8a4519e8-e64a-40b6-ae85-ba8ad2177559", "status": "experimental", "description": "Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)", "author": "Max Altgelt (Nextron Systems)", "tags": [ "attack.t1528", "attack.t1036.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'BrowserCore.exe' AND NOT ((NewProcessName LIKE '%\\\\BrowserCore.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_renamed_browsercore.yml" }, { "title": "Suspicious GUP Usage", "id": "0a4f6091-223b-41f6-8743-f322ec84930b", "status": "test", "description": "Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Execution of tools named GUP.exe and located in folders different than Notepad++\\updater" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\Program Files\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Program Files (x86)\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Notepad++\\\\updater\\\\GUP.exe' ESCAPE '\\'))))" ], "filename": "proc_creation_win_gup_suspicious_execution.yml" }, { "title": "Use of VSIISExeLauncher.exe", "id": "18749301-f1c5-4efc-a4c3-276ff1f5b6f8", "status": "experimental", "description": "The \"VSIISExeLauncher.exe\" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1127" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\VSIISExeLauncher.exe' ESCAPE '\\' OR OriginalFileName = 'VSIISExeLauncher.exe') AND (CommandLine LIKE '% -p %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_vsiisexelauncher.yml" }, { "title": "Copy From VolumeShadowCopy Via Cmd.EXE", "id": "c73124a7-3e89-44a3-bdc1-25fe4df754b1", "status": "experimental", "description": "Detects the execution of the builtin \"copy\" command that targets a shadow copy (sometimes used to copy registry hives that are in use)", "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ "attack.impact", "attack.t1490" ], "falsepositives": [ "Backup scenarios using the commandline" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%\\\\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], "filename": "proc_creation_win_cmd_shadowcopy_access.yml" }, { "title": "VMToolsd Suspicious Child Process", "id": "5687f942-867b-4578-ade7-1e341c46e99a", "status": "experimental", "description": "Detects suspicious child process creations of VMware Tools process which may indicate persistence setup", "author": "behops, Bhabesh Raj", "tags": [ "attack.execution", "attack.persistence", "attack.t1059" ], "falsepositives": [ "Legitimate use by administrator" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'RUNDLL32.EXE', 'REGSVR32.EXE', 'wscript.exe', 'cscript.exe'))) AND NOT ((CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweron-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\poweroff-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\resume-vm-default.bat%' ESCAPE '\\' OR CommandLine LIKE '%\\\\VMware\\\\VMware Tools\\\\suspend-vm-default.bat%' ESCAPE '\\')))" ], "filename": "proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" }, { "title": "Remote Access Tool - AnyDesk Execution", "id": "b52e84a3-029e-4529-b09b-71d19dd27e94", "status": "test", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\AnyDesk.exe' ESCAPE '\\' OR Description = 'AnyDesk' OR Product = 'AnyDesk' OR Company = 'AnyDesk Software GmbH'))" ], "filename": "proc_creation_win_remote_access_tools_anydesk.yml" }, { "title": "PUA - Potential PE Metadata Tamper Using Rcedit", "id": "0c92f2e6-f08f-4b73-9216-ecb0ca634689", "status": "experimental", "description": "Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.", "author": "Micah Babinski", "tags": [ "attack.defense_evasion", "attack.t1036.003", "attack.t1036", "attack.t1027.005", "attack.t1027" ], "falsepositives": [ "Legitimate use of the tool by administrators or users to update metadata of a binary" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\rcedit-x64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rcedit-x86.exe' ESCAPE '\\') OR Description = 'Edit resources of exe' OR Product = 'rcedit') AND CommandLine LIKE '%--set-%' ESCAPE '\\' AND (CommandLine LIKE '%OriginalFileName%' ESCAPE '\\' OR CommandLine LIKE '%CompanyName%' ESCAPE '\\' OR CommandLine LIKE '%FileDescription%' ESCAPE '\\' OR CommandLine LIKE '%ProductName%' ESCAPE '\\' OR CommandLine LIKE '%ProductVersion%' ESCAPE '\\' OR CommandLine LIKE '%LegalCopyright%' ESCAPE '\\'))" ], "filename": "proc_creation_win_pua_rcedit_execution.yml" }, { "title": "WMIC Remote Command Execution", "id": "7773b877-5abb-4a3e-b9c9-fd0369b59b00", "status": "experimental", "description": "Detects the execution of WMIC to query information on a remote system", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\WMIC.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '%/node:%' ESCAPE '\\') AND NOT (((CommandLine LIKE '%/node:127.0.0.1 %' ESCAPE '\\' OR CommandLine LIKE '%/node:localhost %' ESCAPE '\\'))))" ], "filename": "proc_creation_win_wmic_remote_execution.yml" }, { "title": "Non Interactive PowerShell Process Spawned", "id": "f4bbd493-b796-416e-bbf2-121235348529", "status": "test", "description": "Detects non-interactive PowerShell activity by looking at powershell.exe with a non user process such as \"explorer.exe\" as a parent.", "author": "Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Legitimate programs executing PowerShell scripts" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND NOT (((ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\') OR ParentProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% --ms-enable-electron-run-as-node %' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_non_interactive_execution.yml" }, { "title": "Sysmon Driver Unloaded Via Fltmc.EXE", "id": "4d7cda18-1b12-4e52-b45c-d28653210df8", "status": "test", "description": "Detects possible Sysmon filter driver unloaded via fltmc.exe", "author": "Kirill Kiryanov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1070", "attack.t1562", "attack.t1562.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND (CommandLine LIKE '%unload%' ESCAPE '\\' AND CommandLine LIKE '%sysmon%' ESCAPE '\\'))" ], "filename": "proc_creation_win_fltmc_unload_driver_sysmon.yml" }, { "title": "Suspicious Rundll32 Activity Invoking Sys File", "id": "731231b9-0b5d-4219-94dd-abb6959aa7ea", "status": "test", "description": "Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND (CommandLine LIKE '%.sys,%' ESCAPE '\\' OR CommandLine LIKE '%.sys %' ESCAPE '\\'))" ], "filename": "proc_creation_win_rundll32_sys.yml" }, { "title": "Tamper Windows Defender Remove-MpPreference", "id": "07e3cb2c-0608-410d-be4b-1511cb1a0448", "status": "experimental", "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (CommandLine LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR CommandLine LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR CommandLine LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_tamper_defender_remove_mppreference.yml" }, { "title": "Potential MsiExec Masquerading", "id": "e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144", "status": "test", "description": "Detects the execution of msiexec.exe from an uncommon directory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\msiexec.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_msiexec_masquerading.yml" }, { "title": "ETW Logging Tamper In .NET Processes", "id": "41421f44-58f9-455d-838a-c398859841d4", "status": "test", "description": "Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", "attack.t1562" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%COMPlus\\_ETWEnabled%' ESCAPE '\\' OR CommandLine LIKE '%COMPlus\\_ETWFlags%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_etw_modification_cmdline.yml" }, { "title": "Suspicious Extexport Execution", "id": "fb0b815b-f5f6-4f50-970f-ffe21f253f7a", "status": "experimental", "description": "Extexport.exe loads dll and is execute from other folder the original path", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%Extexport.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Extexport.exe' ESCAPE '\\' OR OriginalFileName = 'extexport.exe'))" ], "filename": "proc_creation_win_lolbin_extexport.yml" }, { "title": "UAC Bypass via Event Viewer", "id": "be344333-921d-4c4d-8bb8-e584cf584780", "status": "test", "description": "Detects UAC bypass method using Windows event viewer", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002", "car.2019-04-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\SysWOW64\\\\WerFault.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\WerFault.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_uac_bypass_eventvwr.yml" }, { "title": "Explorer Process Tree Break", "id": "949f1ffb-6e85-4f00-ae1e-c3c5b190d605", "status": "test", "description": "Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries,\nwhich is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from \"svchost\"\n", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber", "tags": [ "attack.defense_evasion", "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}%' ESCAPE '\\' OR (CommandLine LIKE '%explorer.exe%' ESCAPE '\\' AND CommandLine LIKE '% /root,%' ESCAPE '\\')))" ], "filename": "proc_creation_win_explorer_break_process_tree.yml" }, { "title": "Filter Driver Unloaded Via Fltmc.EXE", "id": "4931188c-178e-4ee7-a348-39e8a7a56821", "status": "test", "description": "Detect filter driver unloading activity via fltmc.exe", "author": "Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1070", "attack.t1562", "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\fltMC.exe' ESCAPE '\\' OR OriginalFileName = 'fltMC.exe') AND CommandLine LIKE '%unload%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%unload rtp\\_filesystem\\_filter' ESCAPE '\\')))" ], "filename": "proc_creation_win_fltmc_unload_driver.yml" }, { "title": "Suspicious WmiPrvSE Child Process", "id": "8a582fe2-0882-4b89-a82a-da6b2dc32937", "status": "test", "description": "Detects suspicious and uncommon child processes of WmiPrvSE", "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1047", "attack.t1204.002", "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cscript%' ESCAPE '\\' OR CommandLine LIKE '%mshta%' ESCAPE '\\' OR CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%pwsh%' ESCAPE '\\' OR CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%rundll32%' ESCAPE '\\' OR CommandLine LIKE '%wscript%' ESCAPE '\\')))) AND NOT ((NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_wmiprvse_susp_child_processes.yml" }, { "title": "Potential AMSI Bypass Via .NET Reflection", "id": "30edb182-aa75-42c0-b0a9-e998bb29067c", "status": "test", "description": "Detects Request to \"amsiInitFailed\" that can be used to disable AMSI Scanning", "author": "Markus Neis, @Kostastsale", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%System.Management.Automation.AmsiUtils%' ESCAPE '\\' OR CommandLine LIKE '%amsiInitFailed%' ESCAPE '\\') OR (CommandLine LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND CommandLine LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND CommandLine LIKE '%NonPublic,Static%' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_amsi_init_failed_bypass.yml" }, { "title": "Potential Execution of Sysinternals Tools", "id": "7cccd811-7ae9-4ebe-9afd-cb5c406b824b", "status": "experimental", "description": "Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools", "author": "Markus Neis", "tags": [ "attack.resource_development", "attack.t1588.002" ], "falsepositives": [ "Legitimate use of SysInternals tools", "Programs that use the same command line flag" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -accepteula%' ESCAPE '\\' OR CommandLine LIKE '% /accepteula%' ESCAPE '\\'))" ], "filename": "proc_creation_win_sysinternals_eula_accepted.yml" }, { "title": "Suspicious Network Command", "id": "a29c1813-ab1f-4dde-b489-330b952e91ae", "status": "experimental", "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ "attack.discovery", "attack.t1016" ], "falsepositives": [ "Administrator, hotline ask to user" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%ipconfig /all%' ESCAPE '\\' OR CommandLine LIKE '%netsh interface show interface%' ESCAPE '\\' OR CommandLine LIKE '%arp -a%' ESCAPE '\\' OR CommandLine LIKE '%nbtstat -n%' ESCAPE '\\' OR CommandLine LIKE '%net config%' ESCAPE '\\' OR CommandLine LIKE '%route print%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_network_command.yml" }, { "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation", "id": "536e2947-3729-478c-9903-745aaffe60d2", "status": "experimental", "description": "Detects suspicious PowerShell invocation command parameters", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-noni%' ESCAPE '\\' AND CommandLine LIKE '%-nop%' ESCAPE '\\' AND CommandLine LIKE '% -c %' ESCAPE '\\' AND CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\') OR (CommandLine LIKE '% -w %' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%-ep%' ESCAPE '\\' AND CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-Enc%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%bypass%' ESCAPE '\\' AND CommandLine LIKE '%-noprofile%' ESCAPE '\\' AND CommandLine LIKE '%-windowstyle%' ESCAPE '\\' AND CommandLine LIKE '%hidden%' ESCAPE '\\' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%system.net.webclient%' ESCAPE '\\' AND CommandLine LIKE '%.download%' ESCAPE '\\') OR (CommandLine LIKE '%iex%' ESCAPE '\\' AND CommandLine LIKE '%New-Object%' ESCAPE '\\' AND CommandLine LIKE '%Net.WebClient%' ESCAPE '\\' AND CommandLine LIKE '%.Download%' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR CommandLine LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_powershell_invocation_specific.yml" }, { "title": "Suspicious Script Execution From Temp Folder", "id": "a6a39bdb-935c-4f0a-ab77-35f4bbf44d33", "status": "experimental", "description": "Detects a suspicious script executions from temporary folder", "author": "Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Administrative scripts" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR CommandLine LIKE '%\\%TEMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%TMP\\%%' ESCAPE '\\' OR CommandLine LIKE '%\\%LocalAppData\\%\\\\Temp%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '% >%' ESCAPE '\\' OR CommandLine LIKE '%Out-File%' ESCAPE '\\' OR CommandLine LIKE '%ConvertTo-Json%' ESCAPE '\\' OR CommandLine LIKE '%-WindowStyle hidden -Verb runAs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Temp\\\\Amazon\\\\EC2-Windows\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_script_exec_from_temp.yml" }, { "title": "PUA - NirCmd Execution", "id": "4e2ed651-1906-4a59-a78a-18220fca1b22", "status": "experimental", "description": "Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ], "falsepositives": [ "Legitimate use by administrators" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\NirCmd.exe' ESCAPE '\\' OR OriginalFileName = 'NirCmd.exe' OR (CommandLine LIKE '% execmd %' ESCAPE '\\' OR CommandLine LIKE '%.exe script %' ESCAPE '\\' OR CommandLine LIKE '%.exe shexec %' ESCAPE '\\' OR CommandLine LIKE '% runinteractive %' ESCAPE '\\')) OR ((CommandLine LIKE '% exec %' ESCAPE '\\' OR CommandLine LIKE '% exec2 %' ESCAPE '\\') AND (CommandLine LIKE '% show %' ESCAPE '\\' OR CommandLine LIKE '% hide %' ESCAPE '\\'))))" ], "filename": "proc_creation_win_pua_nircmd.yml" }, { "title": "Bypass UAC via Fodhelper.exe", "id": "7f741dcf-fc22-4759-87b4-9ae8376676a2", "status": "test", "description": "Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.", "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Legitimate use of fodhelper.exe utility by legitimate user" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\fodhelper.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_uac_bypass_fodhelper.yml" }, { "title": "New Service Creation Using Sc.EXE", "id": "85ff530b-261d-48c6-a441-facaa2e81e48", "status": "test", "description": "Detects the creation of a new service using the \"sc.exe\" utility.", "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Legitimate administrator or user creates a service for legitimate reasons.", "Software installation" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' AND CommandLine LIKE '%create%' ESCAPE '\\' AND CommandLine LIKE '%binPath%' ESCAPE '\\')" ], "filename": "proc_creation_win_sc_create_service.yml" }, { "title": "Suspicious XOR Encoded PowerShell Command", "id": "bb780e0c-16cf-4383-8383-1e5471db6cf9", "status": "test", "description": "Detects presence of a potentially xor encoded powershell command", "author": "Sami Ruohonen, Harish Segar, Tim Shelton, Teymur Kheirkhabarov, Vasiliy Burov, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1059.001", "attack.t1140", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR Description = 'Windows PowerShell' OR Product = 'PowerShell Core 6') AND CommandLine LIKE '%bxor%' ESCAPE '\\' AND (CommandLine LIKE '%ForEach%' ESCAPE '\\' OR CommandLine LIKE '%for(%' ESCAPE '\\' OR CommandLine LIKE '%for %' ESCAPE '\\' OR CommandLine LIKE '%-join %' ESCAPE '\\' OR CommandLine LIKE '%-join''%' ESCAPE '\\' OR CommandLine LIKE '%-join\"%' ESCAPE '\\' OR CommandLine LIKE '%-join`%' ESCAPE '\\' OR CommandLine LIKE '%::Join%' ESCAPE '\\' OR CommandLine LIKE '%[char]%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_xor_commandline.yml" }, { "title": "Remote PowerShell Session Host Process (WinRM)", "id": "734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8", "status": "test", "description": "Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", "attack.t1059.001", "attack.t1021.006" ], "falsepositives": [ "Legitimate usage of remote Powershell, e.g. for monitoring purposes." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_winrm_remote_powershell_session_process.yml" }, { "title": "Suspicious CustomShellHost Execution", "id": "84b14121-9d14-416e-800b-f3b829c5a14d", "status": "experimental", "description": "Detects the execution of CustomShellHost binary where the child isn't located in 'C:\\Windows\\explorer.exe'", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\CustomShellHost.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_customshellhost.yml" }, { "title": "MsiExec Web Install", "id": "f7b5f842-a6af-4da5-9e95-e32478f3cd2f", "status": "test", "description": "Detects suspicious msiexec process starts with web addresses as parameter", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.007", "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% msiexec%' ESCAPE '\\' AND CommandLine LIKE '%://%' ESCAPE '\\')" ], "filename": "proc_creation_win_msiexec_web_install.yml" }, { "title": "Suspicious PowerShell Encoded Command Patterns", "id": "b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c", "status": "experimental", "description": "Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Other tools that work with encoded scripts in the command line instead of script files" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.Exe', 'pwsh.dll')) AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% -en %' ESCAPE '\\' OR CommandLine LIKE '% -enc %' ESCAPE '\\' OR CommandLine LIKE '% -enco%' ESCAPE '\\') AND (CommandLine LIKE '% JAB%' ESCAPE '\\' OR CommandLine LIKE '% SUVYI%' ESCAPE '\\' OR CommandLine LIKE '% SQBFAFgA%' ESCAPE '\\' OR CommandLine LIKE '% aWV4I%' ESCAPE '\\' OR CommandLine LIKE '% IAB%' ESCAPE '\\' OR CommandLine LIKE '% PAA%' ESCAPE '\\' OR CommandLine LIKE '% aQBlAHgA%' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE '%C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\gc\\_worker.exe%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_powershell_encoded_cmd_patterns.yml" }, { "title": "Exchange PowerShell Snap-Ins Usage", "id": "25676e10-2121-446e-80a4-71ff8506af47", "status": "experimental", "description": "Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27", "author": "FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001", "attack.collection", "attack.t1114" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-PSSnapin%' ESCAPE '\\' AND (CommandLine LIKE '%Microsoft.Exchange.Powershell.Snapin%' ESCAPE '\\' OR CommandLine LIKE '%Microsoft.Exchange.Management.PowerShell.SnapIn%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND CommandLine LIKE '%$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null%' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_snapins_hafnium.yml" }, { "title": "Shadow Copies Deletion Using Operating Systems Utilities", "id": "c947b146-0abc-4c87-9c64-b17e9d7274a2", "status": "stable", "description": "Shadow Copies deletion using operating systems utilities", "author": "Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)", "tags": [ "attack.defense_evasion", "attack.impact", "attack.t1070", "attack.t1490" ], "falsepositives": [ "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason", "LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\diskshadow.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'wmic.exe', 'VSSADMIN.EXE', 'diskshadow.exe')) AND (CommandLine LIKE '%shadow%' ESCAPE '\\' AND CommandLine LIKE '%delete%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\wbadmin.exe' ESCAPE '\\' OR OriginalFileName = 'WBADMIN.EXE') AND (CommandLine LIKE '%delete%' ESCAPE '\\' AND CommandLine LIKE '%catalog%' ESCAPE '\\' AND CommandLine LIKE '%quiet%' ESCAPE '\\'))) OR ((NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR OriginalFileName = 'VSSADMIN.EXE') AND (CommandLine LIKE '%resize%' ESCAPE '\\' AND CommandLine LIKE '%shadowstorage%' ESCAPE '\\' AND (CommandLine LIKE '%unbounded%' ESCAPE '\\' OR CommandLine LIKE '%/MaxSize=%' ESCAPE '\\')))))" ], "filename": "proc_creation_win_susp_shadow_copies_deletion.yml" }, { "title": "Weak or Abused Passwords In CLI", "id": "91edcfb1-2529-4ac2-9ecc-7617f895c7e4", "status": "experimental", "description": "Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution" ], "falsepositives": [ "Legitimate usage of the passwords by users via commandline (should be discouraged)", "Other currently unknown false positives" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%Asd123.aaaa%' ESCAPE '\\' OR CommandLine LIKE '%password123%' ESCAPE '\\' OR CommandLine LIKE '%123456789%' ESCAPE '\\' OR CommandLine LIKE '%P@ssw0rd!%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_weak_or_abused_passwords.yml" }, { "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE", "id": "5b768e71-86f2-4879-b448-81061cbae951", "status": "experimental", "description": "Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.collection", "attack.t1560.001" ], "falsepositives": [ "Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '% user %' ESCAPE '\\' AND (CommandLine LIKE '% Järjestelmänvalvoja %' ESCAPE '\\' OR CommandLine LIKE '% Rendszergazda %' ESCAPE '\\' OR CommandLine LIKE '% Администратор %' ESCAPE '\\' OR CommandLine LIKE '% Administrateur %' ESCAPE '\\' OR CommandLine LIKE '% Administrador %' ESCAPE '\\' OR CommandLine LIKE '% Administratör %' ESCAPE '\\' OR CommandLine LIKE '% Administrator %' ESCAPE '\\' OR CommandLine LIKE '% guest %' ESCAPE '\\' OR CommandLine LIKE '% DefaultAccount %' ESCAPE '\\' OR CommandLine LIKE '% \"Järjestelmänvalvoja\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Rendszergazda\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Администратор\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrateur\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrador\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administratör\" %' ESCAPE '\\' OR CommandLine LIKE '% \"Administrator\" %' ESCAPE '\\' OR CommandLine LIKE '% \"guest\" %' ESCAPE '\\' OR CommandLine LIKE '% \"DefaultAccount\" %' ESCAPE '\\' OR CommandLine LIKE '% ''Järjestelmänvalvoja'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Rendszergazda'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Администратор'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrateur'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrador'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administratör'' %' ESCAPE '\\' OR CommandLine LIKE '% ''Administrator'' %' ESCAPE '\\' OR CommandLine LIKE '% ''guest'' %' ESCAPE '\\' OR CommandLine LIKE '% ''DefaultAccount'' %' ESCAPE '\\')) AND NOT (CommandLine LIKE '%guest%' ESCAPE '\\' AND CommandLine LIKE '%/active no%' ESCAPE '\\'))" ], "filename": "proc_creation_win_net_default_accounts_manipulation.yml" }, { "title": "Suspicious Usage Of ShellExec_RunDLL", "id": "d87bd452-6da1-456e-8155-7dc988157b7d", "status": "experimental", "description": "Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%ShellExec\\_RunDLL%' ESCAPE '\\' AND (CommandLine LIKE '%regsvr32%' ESCAPE '\\' OR CommandLine LIKE '%msiexec%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%odbcconf%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%iex%' ESCAPE '\\' OR CommandLine LIKE '%comspec%' ESCAPE '\\'))" ], "filename": "proc_creation_win_rundll32_susp_shellexec_execution.yml" }, { "title": "New Root Certificate Installed Via CertMgr.EXE", "id": "ff992eac-6449-4c60-8c1d-91c9722a1d48", "status": "test", "description": "Detects execution of \"certmgr\" with the \"add\" flag in order to install a new certificate on the system.\nAdversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.\n", "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", "attack.t1553.004" ], "falsepositives": [ "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\CertMgr.exe' ESCAPE '\\' OR OriginalFileName = 'CERTMGT.EXE') AND (CommandLine LIKE '%/add%' ESCAPE '\\' AND CommandLine LIKE '%root%' ESCAPE '\\'))" ], "filename": "proc_creation_win_certmgr_certificate_installation.yml" }, { "title": "Bypass UAC via CMSTP", "id": "e66779cc-383e-4224-a3a4-267eeb585c40", "status": "test", "description": "Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files", "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ "attack.privilege_escalation", "attack.defense_evasion", "attack.t1548.002", "attack.t1218.003" ], "falsepositives": [ "Legitimate use of cmstp.exe utility by legitimate user" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR OriginalFileName = 'CMSTP.EXE') AND (CommandLine LIKE '%/s%' ESCAPE '\\' OR CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/au%' ESCAPE '\\' OR CommandLine LIKE '%-au%' ESCAPE '\\' OR CommandLine LIKE '%/ni%' ESCAPE '\\' OR CommandLine LIKE '%-ni%' ESCAPE '\\'))" ], "filename": "proc_creation_win_uac_bypass_cmstp.yml" }, { "title": "Suspicious Download Via Certutil.EXE", "id": "19b08b1c-861d-4e75-a1ef-ea0c1baf202b", "status": "test", "description": "Detects the execution of certutil with certain flags that allow the utility to download files.", "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND CommandLine LIKE '%http%' ESCAPE '\\')" ], "filename": "proc_creation_win_certutil_download.yml" }, { "title": "Copying Sensitive Files with Credential Data", "id": "e7be6119-fc37-43f0-ad4f-1f3f99be2f9f", "status": "test", "description": "Files with well-known filenames (sensitive files with credential data) copying", "author": "Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.credential_access", "attack.t1003.002", "attack.t1003.003", "car.2013-07-001", "attack.s0404" ], "falsepositives": [ "Copying sensitive files for legitimate use (eg. backup) or forensic investigation by legitimate incident responder or forensic invetigator" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\esentutl.exe' ESCAPE '\\') AND (CommandLine LIKE '%vss%' ESCAPE '\\' OR CommandLine LIKE '% /m %' ESCAPE '\\' OR CommandLine LIKE '% /y %' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\windows\\\\ntds\\\\ntds.dit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\system %' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\repair\\\\security%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\sam%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\system%' ESCAPE '\\' OR CommandLine LIKE '%\\\\config\\\\RegBack\\\\security%' ESCAPE '\\')))" ], "filename": "proc_creation_win_esentutl_sensitive_file_copy.yml" }, { "title": "Suspicious Double Extension File Execution", "id": "1cdd9a09-06c9-4769-99ff-626e2b3991b8", "status": "stable", "description": "Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns", "author": "Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.initial_access", "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%.doc.exe' ESCAPE '\\' OR NewProcessName LIKE '%.docx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xls.exe' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.exe' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.exe' ESCAPE '\\' OR NewProcessName LIKE '%.txt.exe' ESCAPE '\\' OR NewProcessName LIKE '% .exe' ESCAPE '\\' OR NewProcessName LIKE '%\\_\\_\\_\\_\\_\\_.exe' ESCAPE '\\' OR NewProcessName LIKE '%.doc.js' ESCAPE '\\' OR NewProcessName LIKE '%.docx.js' ESCAPE '\\' OR NewProcessName LIKE '%.xls.js' ESCAPE '\\' OR NewProcessName LIKE '%.xlsx.js' ESCAPE '\\' OR NewProcessName LIKE '%.ppt.js' ESCAPE '\\' OR NewProcessName LIKE '%.pptx.js' ESCAPE '\\' OR NewProcessName LIKE '%.rtf.js' ESCAPE '\\' OR NewProcessName LIKE '%.pdf.js' ESCAPE '\\' OR NewProcessName LIKE '%.txt.js' ESCAPE '\\') AND (CommandLine LIKE '%.doc.exe%' ESCAPE '\\' OR CommandLine LIKE '%.docx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xls.exe%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.exe%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.exe%' ESCAPE '\\' OR CommandLine LIKE '%.txt.exe%' ESCAPE '\\' OR CommandLine LIKE '% .exe%' ESCAPE '\\' OR CommandLine LIKE '%\\_\\_\\_\\_\\_\\_.exe%' ESCAPE '\\' OR CommandLine LIKE '%.doc.js%' ESCAPE '\\' OR CommandLine LIKE '%.docx.js%' ESCAPE '\\' OR CommandLine LIKE '%.xls.js%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx.js%' ESCAPE '\\' OR CommandLine LIKE '%.ppt.js%' ESCAPE '\\' OR CommandLine LIKE '%.pptx.js%' ESCAPE '\\' OR CommandLine LIKE '%.rtf.js%' ESCAPE '\\' OR CommandLine LIKE '%.pdf.js%' ESCAPE '\\' OR CommandLine LIKE '%.txt.js%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_double_extension.yml" }, { "title": "Devtoolslauncher.exe Executes Specified Binary", "id": "cc268ac1-42d9-40fd-9ed3-8c4e1a5b87e6", "status": "test", "description": "The Devtoolslauncher.exe executes other binary", "author": "Beyu Denis, oscd.community (rule), @_felamos (idea)", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Legitimate use of devtoolslauncher.exe by legitimate user" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\devtoolslauncher.exe' ESCAPE '\\' AND CommandLine LIKE '%LaunchForDeploy%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_devtoolslauncher.yml" }, { "title": "Reg Add Suspicious Paths", "id": "b7e2a8d4-74bb-4b78-adc9-3f92af2d4829", "status": "experimental", "description": "Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys", "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1112", "attack.t1562.001" ], "falsepositives": [ "Rare legitimate add to registry via cli (to these locations)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND (CommandLine LIKE '%\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\Currentversion\\\\Winlogon%' ESCAPE '\\' OR CommandLine LIKE '%\\\\CurrentControlSet\\\\Control\\\\SecurityProviders\\\\WDigest%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_susp_paths.yml" }, { "title": "Winrar Compressing Dump Files", "id": "1ac14d38-3dfc-4635-92c7-e3fd1c5f5bfc", "status": "experimental", "description": "Detects a suspicious winrar execution that involves a file with a \".dmp\"/\".dump\" extension, which could be a step in a process of dump file exfiltration", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.collection", "attack.t1560.001" ], "falsepositives": [ "Legitimate use of WinRAR with a command line in which .dmp appears accidentally" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\'))" ], "filename": "proc_creation_win_winrar_dmp.yml" }, { "title": "UAC Bypass Using IEInstal - Process", "id": "80fc36aa-945e-4181-89f2-2f907ab6775d", "status": "test", "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND IntegrityLevel IN ('High', 'System') AND ParentProcessName LIKE '%\\\\ieinstal.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%consent.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_uac_bypass_ieinstal.yml" }, { "title": "Shells Spawned by Java", "id": "dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0", "status": "experimental", "description": "Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)", "author": "Andreas Hunkeler (@Karneades), Nasreddine Bencherchali", "tags": [ "attack.initial_access", "attack.persistence", "attack.privilege_escalation" ], "falsepositives": [ "Legitimate calls to system binaries", "Company specific internal usage" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%build%' ESCAPE '\\' AND CommandLine LIKE '%build%' ESCAPE '\\'))" ], "filename": "proc_creation_win_java_susp_child_process_2.yml" }, { "title": "System File Execution Location Anomaly", "id": "e4a6b256-3e47-40fc-89d2-7a477edd6915", "status": "experimental", "description": "Detects a Windows program executable started from a suspicious folder", "author": "Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1036" ], "falsepositives": [ "Exotic software" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dashost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\atbroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certreq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\consent.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\defrag.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhst3g.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logonui.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dwm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntoskrnl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dfrgui.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_system_exe_anomaly.yml" }, { "title": "HackTool - SharpView Execution", "id": "b2317cfa-4a47-4ead-b3ff-297438c0bc2d", "status": "experimental", "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "author": "frack113", "tags": [ "attack.discovery", "attack.t1049", "attack.t1069.002", "attack.t1482", "attack.t1135", "attack.t1033" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'SharpView.exe' OR NewProcessName LIKE '%\\\\SharpView.exe' ESCAPE '\\' OR (CommandLine LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Convert-ADName%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-SID%' ESCAPE '\\' OR CommandLine LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR CommandLine LIKE '%Convert-SidToName%' ESCAPE '\\' OR CommandLine LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainProcess%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainShare%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR CommandLine LIKE '%Find-ForeignUser%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR CommandLine LIKE '%Find-GPOLocation%' ESCAPE '\\' OR CommandLine LIKE '%Find-Interesting%' ESCAPE '\\' OR CommandLine LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR CommandLine LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-DFSshare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainController%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainForeign%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainGUIDMap%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSID%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestGlobalCatalog%' ESCAPE '\\' OR CommandLine LIKE '%Get-ForestTrust%' ESCAPE '\\' OR CommandLine LIKE '%Get-GptTmpl%' ESCAPE '\\' OR CommandLine LIKE '%Get-GroupsXML%' ESCAPE '\\' OR CommandLine LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetComputer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetDomain%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetFileServer%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetForest%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGPO%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetGroupMember%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetOU%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetProcess%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSession%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetShare%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSite%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetSubnet%' ESCAPE '\\' OR CommandLine LIKE '%Get-NetUser%' ESCAPE '\\' OR CommandLine LIKE '%Get-PathAcl%' ESCAPE '\\' OR CommandLine LIKE '%Get-PrincipalContext%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegCachedRDPConnection%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegLastLoggedOn%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegMountedDrive%' ESCAPE '\\' OR CommandLine LIKE '%Get-WMIRegProxy%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-Sharefinder%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR CommandLine LIKE '%Remove-DomainObjectAcl%' ESCAPE '\\' OR CommandLine LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR CommandLine LIKE '%Request-SPNTicket%' ESCAPE '\\' OR CommandLine LIKE '%Set-DomainObject%' ESCAPE '\\' OR CommandLine LIKE '%Test-AdminAccess%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_sharpview.yml" }, { "title": "Suspicious Dump64.exe Execution", "id": "129966c9-de17-4334-a123-8b58172e664d", "status": "test", "description": "Detects when a user bypasses Defender by renaming a tool to dump64.exe and placing it in a Visual Studio folder", "author": "Austin Songer @austinsonger, Florian Roth", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Dump64.exe in other folders than the excluded one" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\Installer\\\\Feedback\\\\dump64.exe%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\dump64.exe' ESCAPE '\\' AND (CommandLine LIKE '% -ma %' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_lolbin_dump64.yml" }, { "title": "Remote Code Execute via Winrm.vbs", "id": "9df0dd3a-1a5c-47e3-a2bc-30ed177646a0", "status": "test", "description": "Detects an attempt to execute code or create service on remote host via winrm.vbs.", "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR OriginalFileName = 'cscript.exe') AND (CommandLine LIKE '%winrm%' ESCAPE '\\' AND CommandLine LIKE '%invoke Create wmicimv2/Win32\\_%' ESCAPE '\\' AND CommandLine LIKE '%-r:http%' ESCAPE '\\'))" ], "filename": "proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" }, { "title": "PUA - RunXCmd Execution", "id": "93199800-b52a-4dec-b762-75212c196542", "status": "test", "description": "Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ], "falsepositives": [ "Legitimate use by administrators" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% /account=system %' ESCAPE '\\' OR CommandLine LIKE '% /account=ti %' ESCAPE '\\') AND CommandLine LIKE '%/exec=%' ESCAPE '\\')" ], "filename": "proc_creation_win_pua_runxcmd.yml" }, { "title": "HackTool - Htran/NATBypass Execution", "id": "f5e3b62f-e577-4e59-931e-0a15b2b94e1e", "status": "experimental", "description": "Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1090", "attack.s0040" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\htran.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lcx.exe' ESCAPE '\\') OR (CommandLine LIKE '%.exe -tran %' ESCAPE '\\' OR CommandLine LIKE '%.exe -slave %' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_htran_or_natbypass.yml" }, { "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS", "id": "575dce0c-8139-4e30-9295-1ee75969f7fe", "status": "test", "description": "Detects execution of the built-in script located in \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\". Which can be used to gather information about the target machine", "author": "blueteamer8699", "tags": [ "attack.discovery", "attack.execution", "attack.t1615", "attack.t1059.005" ], "falsepositives": [ "Administrative activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR OriginalFileName IN ('cscript.exe', 'wscript.exe')) AND CommandLine LIKE '%gatherNetworkInfo.vbs%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_gather_network_info.yml" }, { "title": "Potential PowerShell Obfuscation Via WCHAR", "id": "e312efd0-35a1-407f-8439-b8d434b438a6", "status": "test", "description": "Detects suspicious encoded character syntax often used for defense evasion", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%(WCHAR)0x%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_obfuscation_via_utf8.yml" }, { "title": "Suspicious Query of MachineGUID", "id": "f5240972-3938-4e56-8e4b-e33893176c1f", "status": "test", "description": "Use of reg to get MachineGuid information", "author": "frack113", "tags": [ "attack.discovery", "attack.t1082" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%SOFTWARE\\\\Microsoft\\\\Cryptography%' ESCAPE '\\' AND CommandLine LIKE '%/v %' ESCAPE '\\' AND CommandLine LIKE '%MachineGuid%' ESCAPE '\\')" ], "filename": "proc_creation_win_reg_machineguid.yml" }, { "title": "Application Whitelisting Bypass via Dxcap.exe", "id": "60f16a96-db70-42eb-8f76-16763e333590", "status": "test", "description": "Detects execution of of Dxcap.exe", "author": "Beyu Denis, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Legitimate execution of dxcap.exe by legitimate user" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\DXCap.exe' ESCAPE '\\' OR OriginalFileName = 'DXCap.exe') AND CommandLine LIKE '% -c %' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_susp_dxcap.yml" }, { "title": "Explorer NOUACCHECK Flag", "id": "534f2ef7-e8a2-4433-816d-c91bccde289b", "status": "test", "description": "Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1548.002" ], "falsepositives": [ "Domain Controller User Logon", "Unknown how many legitimate software products use that method" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%/NOUACCHECK%' ESCAPE '\\') AND NOT ((ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe -k netsvcs -p -s Schedule' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_explorer_nouaccheck.yml" }, { "title": "Suspicious Whoami.EXE Execution", "id": "c30fb093-1109-4dc8-88a8-b30d11c95a5d", "status": "experimental", "description": "Detects the execution of \"whoami.exe\" with the \"/all\" flag or with redirection options to export the results to a file for later use.", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1033", "car.2016-03-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% -all%' ESCAPE '\\' OR CommandLine LIKE '% /all%' ESCAPE '\\' OR CommandLine LIKE '% /FO CSV%' ESCAPE '\\' OR CommandLine LIKE '% -FO CSV%' ESCAPE '\\')) OR (CommandLine LIKE '%whoami%' ESCAPE '\\' AND CommandLine LIKE '%>%' ESCAPE '\\')))" ], "filename": "proc_creation_win_whoami_susp_flags.yml" }, { "title": "RDP Port Forwarding Rule Added Via Netsh.EXE", "id": "782d6f3e-4c5d-4b8c-92a3-1d05fed72e63", "status": "test", "description": "Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule", "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ "attack.lateral_movement", "attack.defense_evasion", "attack.command_and_control", "attack.t1090" ], "falsepositives": [ "Legitimate administration activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '% i%' ESCAPE '\\' AND CommandLine LIKE '% p%' ESCAPE '\\' AND CommandLine LIKE '%=3389%' ESCAPE '\\' AND CommandLine LIKE '% c%' ESCAPE '\\'))" ], "filename": "proc_creation_win_netsh_port_forwarding_3389.yml" }, { "title": "Scheduled Task Executing Powershell Encoded Payload from Registry", "id": "c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78", "status": "test", "description": "Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.", "author": "pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport", "tags": [ "attack.execution", "attack.persistence", "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%FromBase64String%' ESCAPE '\\' AND CommandLine LIKE '%Get-ItemProperty%' ESCAPE '\\' AND (CommandLine LIKE '%HKCU:%' ESCAPE '\\' OR CommandLine LIKE '%HKLM:%' ESCAPE '\\' OR CommandLine LIKE '%registry::%' ESCAPE '\\' OR CommandLine LIKE '%HKEY\\_%' ESCAPE '\\')))" ], "filename": "proc_creation_win_schtasks_reg_loader.yml" }, { "title": "Suspicious Msbuild Execution By Uncommon Parent Process", "id": "33be4333-2c6b-44f4-ae28-102cdbde0a31", "status": "experimental", "description": "Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process", "author": "frack113", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\MSBuild.exe' ESCAPE '\\' OR OriginalFileName = 'MSBuild.exe') AND NOT ((ParentProcessName LIKE '%\\\\devenv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\python.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nuget.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_msbuild_susp_parent_process.yml" }, { "title": "Non-privileged Usage of Reg or Powershell", "id": "8f02c935-effe-45b3-8fc9-ef8696a9e41d", "status": "test", "description": "Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry", "author": "Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%reg %' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') OR (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%set-itemproperty%' ESCAPE '\\' OR CommandLine LIKE '% sp %' ESCAPE '\\' OR CommandLine LIKE '%new-itemproperty%' ESCAPE '\\')) AND (IntegrityLevel = 'Medium' AND CommandLine LIKE '%ControlSet%' ESCAPE '\\' AND CommandLine LIKE '%Services%' ESCAPE '\\' AND (CommandLine LIKE '%ImagePath%' ESCAPE '\\' OR CommandLine LIKE '%FailureCommand%' ESCAPE '\\' OR CommandLine LIKE '%ServiceDLL%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_non_priv_reg_or_ps.yml" }, { "title": "Use Of The SFTP.EXE Binary As A LOLBIN", "id": "a85ffc3a-e8fd-4040-93bf-78aff284d801", "status": "experimental", "description": "Detects the usage of the \"sftp.exe\" binary as a LOLBIN by abusing the \"-D\" flag", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\sftp.exe' ESCAPE '\\' AND (CommandLine LIKE '% -D ..%' ESCAPE '\\' OR CommandLine LIKE '% -D C:\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_sftp.yml" }, { "title": "Suspicious Rundll32 Script in CommandLine", "id": "73fcad2e-ff14-4c38-b11d-4172c8ac86c7", "status": "experimental", "description": "Detects suspicious process related to rundll32 based on arguments", "author": "frack113, Zaw Min Htun (ZETA)", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32%' ESCAPE '\\' AND (CommandLine LIKE '%mshtml,RunHTMLApplication%' ESCAPE '\\' OR CommandLine LIKE '%mshtml,#135%' ESCAPE '\\') AND (CommandLine LIKE '%javascript:%' ESCAPE '\\' OR CommandLine LIKE '%vbscript:%' ESCAPE '\\'))" ], "filename": "proc_creation_win_rundll32_script_run.yml" }, { "title": "Potential PowerShell Downgrade Attack", "id": "b3512211-c67e-4707-bedc-66efc7848863", "status": "test", "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", "author": "Harish Segar (rule)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' AND (CommandLine LIKE '% -version 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versio 2 %' ESCAPE '\\' OR CommandLine LIKE '% -versi 2 %' ESCAPE '\\' OR CommandLine LIKE '% -vers 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ver 2 %' ESCAPE '\\' OR CommandLine LIKE '% -ve 2 %' ESCAPE '\\' OR CommandLine LIKE '% -v 2 %' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_downgrade_attack.yml" }, { "title": "Use of UltraViewer Remote Access Software", "id": "88656cec-6c3b-487c-82c0-f73ebb805503", "status": "experimental", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'UltraViewer' OR Company = 'DucFabulous Co,ltd' OR OriginalFileName LIKE 'UltraViewer\\_Desktop.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_remote_access_software_ultraviewer.yml" }, { "title": "Invoke-Obfuscation COMPRESS OBFUSCATION", "id": "7eedcc9d-9fdb-4d94-9c54-474e8affc0c7", "status": "test", "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (CommandLine LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR CommandLine LIKE '%system.io.streamreader%' ESCAPE '\\' OR CommandLine LIKE '%readtoend(%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_via_compress.yml" }, { "title": "Potential RDP Tunneling Via SSH", "id": "f7d7ebd5-a016-46e2-9c54-f9932f2d386d", "status": "experimental", "description": "Execution of ssh.exe to perform data exfiltration and tunneling through RDP", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1572" ], "falsepositives": [ "Administrative activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\ssh.exe' ESCAPE '\\' AND CommandLine LIKE '%:3389%' ESCAPE '\\')" ], "filename": "proc_creation_win_ssh_rdp_tunneling.yml" }, { "title": "Fsutil Suspicious Invocation", "id": "add64136-62e5-48ea-807e-88638d02df1e", "status": "stable", "description": "Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).\nMight be used by ransomwares during the attack (seen by NotPetya and others).\n", "author": "Ecco, E.M. Anhaus, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1070" ], "falsepositives": [ "Admin activity", "Scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR OriginalFileName = 'fsutil.exe') AND (CommandLine LIKE '%deletejournal%' ESCAPE '\\' OR CommandLine LIKE '%createjournal%' ESCAPE '\\'))" ], "filename": "proc_creation_win_fsutil_usage.yml" }, { "title": "Potential Discovery Activity Via Dnscmd.EXE", "id": "b6457d63-d2a2-4e29-859d-4e7affc153d1", "status": "experimental", "description": "Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.", "author": "@gott_cyber", "tags": [ "attack.discovery", "attack.execution", "attack.t1543.003" ], "falsepositives": [ "Legitimate administration use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\dnscmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%/enumrecords%' ESCAPE '\\' OR CommandLine LIKE '%/enumzones%' ESCAPE '\\' OR CommandLine LIKE '%/ZonePrint%' ESCAPE '\\' OR CommandLine LIKE '%/info%' ESCAPE '\\'))" ], "filename": "proc_creation_win_dnscmd_discovery.yml" }, { "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE", "id": "13e6fe51-d478-4c7e-b0f2-6da9b400a829", "status": "experimental", "description": "Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%urlcache %' ESCAPE '\\' OR CommandLine LIKE '%verifyctl %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%://7-%' ESCAPE '\\')))" ], "filename": "proc_creation_win_certutil_download_direct_ip.yml" }, { "title": "Windows Firewall Disabled via PowerShell", "id": "12f6b752-042d-483e-bf9c-915a6d06ad75", "status": "experimental", "description": "Detects attempts to disable the Windows Firewall using PowerShell", "author": "Tim Rauch", "tags": [ "attack.defense_evasion", "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND CommandLine LIKE '% -Enabled %' ESCAPE '\\' AND CommandLine LIKE '% False%' ESCAPE '\\') AND (CommandLine LIKE '% -All %' ESCAPE '\\' OR CommandLine LIKE '%Public%' ESCAPE '\\' OR CommandLine LIKE '%Domain%' ESCAPE '\\' OR CommandLine LIKE '%Private%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_disable_firewall.yml" }, { "title": "MMC20 Lateral Movement", "id": "f1f3bf22-deb2-418d-8cce-e1a45e46a5bd", "status": "test", "description": "Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of \"-Embedding\" as a child of svchost.exe", "author": "@2xxeformyshirt (Security Risk Advisors) - rule; Teymur Kheirkhabarov (idea)", "tags": [ "attack.execution", "attack.t1021.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mmc.exe' ESCAPE '\\' AND CommandLine LIKE '%-Embedding%' ESCAPE '\\')" ], "filename": "proc_creation_win_mmc_mmc20_lateral_movement.yml" }, { "title": "CL_Mutexverifiers.ps1 Proxy Execution", "id": "1e0e1a81-e79b-44bc-935b-ddb9c8006b3d", "status": "experimental", "description": "Detects the use of a Microsoft signed script to execute commands", "author": "oscd.community, Natalia Shornikova, frack113", "tags": [ "attack.defense_evasion", "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND CommandLine LIKE '%runAfterCancelProcess %' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_cl_mutexverifiers.yml" }, { "title": "Security Privileges Enumeration Via Whoami.EXE", "id": "97a80ec7-0e2f-4d05-9ef4-65760e634f6b", "status": "experimental", "description": "Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.discovery", "attack.t1033" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe') AND (CommandLine LIKE '% /priv%' ESCAPE '\\' OR CommandLine LIKE '% -priv%' ESCAPE '\\'))" ], "filename": "proc_creation_win_whoami_priv_discovery.yml" }, { "title": "Use of Setres.exe", "id": "835e75bf-4bfd-47a4-b8a6-b766cac8bcb7", "status": "experimental", "description": "Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named \"choice\" (with any executable extension such as \".cmd\" or \".exe\") from the current execution path", "author": "@gott_cyber", "tags": [ "attack.defense_evasion", "attack.t1218", "attack.t1202" ], "falsepositives": [ "Legitimate usage of Setres" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\setres.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\choice' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_setres.yml" }, { "title": "Compress Data and Lock With Password for Exfiltration With WINZIP", "id": "e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d", "status": "test", "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities", "author": "frack113", "tags": [ "attack.collection", "attack.t1560.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%winzip.exe%' ESCAPE '\\' OR CommandLine LIKE '%winzip64.exe%' ESCAPE '\\') AND CommandLine LIKE '%-s\"%' ESCAPE '\\' AND (CommandLine LIKE '% -min %' ESCAPE '\\' OR CommandLine LIKE '% -a %' ESCAPE '\\'))" ], "filename": "proc_creation_win_winzip_password_compression.yml" }, { "title": "Modify Group Policy Settings", "id": "ada4b0c4-758b-46ac-9033-9004613a150d", "status": "experimental", "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1484.001" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (CommandLine LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR CommandLine LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR CommandLine LIKE '%EnableSmartScreen%' ESCAPE '\\' OR CommandLine LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_modify_group_policy_settings.yml" }, { "title": "Remote Access Tool - LogMeIn Execution", "id": "d85873ef-a0f8-4c48-a53a-6b621f11729d", "status": "test", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'LMIGuardianSvc' OR Product = 'LMIGuardianSvc' OR Company = 'LogMeIn, Inc.'))" ], "filename": "proc_creation_win_remote_access_tools_logmein.yml" }, { "title": "Invoke-Obfuscation VAR+ Launcher", "id": "27aec9c9-dbb0-4939-8422-1742242471d0", "status": "test", "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%cmd%' ESCAPE '\\' AND CommandLine LIKE '%\"set%' ESCAPE '\\' AND CommandLine LIKE '%-f%' ESCAPE '\\' AND (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_var.yml" }, { "title": "Suspicious Whoami.EXE Execution From Privileged Process", "id": "79ce34ca-af29-4d0e-b832-fc1b377020db", "status": "experimental", "description": "Detects the execution of \"whoami.exe\" by privileged accounts that are often abused by threat actors", "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov", "tags": [ "attack.privilege_escalation", "attack.discovery", "attack.t1033" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'whoami.exe' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\' OR User LIKE '%TrustedInstaller%' ESCAPE '\\'))" ], "filename": "proc_creation_win_whoami_execution_from_high_priv_process.yml" }, { "title": "Potential PowerShell Obfuscation Via Reversed Commands", "id": "b6b49cd1-34d6-4ead-b1bf-176e9edba9a4", "status": "test", "description": "Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers", "author": "Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%hctac%' ESCAPE '\\' OR CommandLine LIKE '%kaerb%' ESCAPE '\\' OR CommandLine LIKE '%dnammoc%' ESCAPE '\\' OR CommandLine LIKE '%ekovn%' ESCAPE '\\' OR CommandLine LIKE '%eliFd%' ESCAPE '\\' OR CommandLine LIKE '%rahc%' ESCAPE '\\' OR CommandLine LIKE '%etirw%' ESCAPE '\\' OR CommandLine LIKE '%golon%' ESCAPE '\\' OR CommandLine LIKE '%tninon%' ESCAPE '\\' OR CommandLine LIKE '%eddih%' ESCAPE '\\' OR CommandLine LIKE '%tpircS%' ESCAPE '\\' OR CommandLine LIKE '%ssecorp%' ESCAPE '\\' OR CommandLine LIKE '%llehsrewop%' ESCAPE '\\' OR CommandLine LIKE '%esnopser%' ESCAPE '\\' OR CommandLine LIKE '%daolnwod%' ESCAPE '\\' OR CommandLine LIKE '%tneilCbeW%' ESCAPE '\\' OR CommandLine LIKE '%tneilc%' ESCAPE '\\' OR CommandLine LIKE '%ptth%' ESCAPE '\\' OR CommandLine LIKE '%elifotevas%' ESCAPE '\\' OR CommandLine LIKE '%46esab%' ESCAPE '\\' OR CommandLine LIKE '%htaPpmeTteG%' ESCAPE '\\' OR CommandLine LIKE '%tcejbO%' ESCAPE '\\' OR CommandLine LIKE '%maerts%' ESCAPE '\\' OR CommandLine LIKE '%hcaerof%' ESCAPE '\\' OR CommandLine LIKE '%retupmoc%' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%-EncodedCommand%' ESCAPE '\\' AND CommandLine LIKE '%rahc%' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_cmdline_reversed_strings.yml" }, { "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE", "id": "07f8bdc2-c9b3-472a-9817-5a670b872f53", "status": "experimental", "description": "Detects usage of cmdkey to look for cached credentials on the system", "author": "jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.005" ], "falsepositives": [ "Legitimate administrative tasks" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' OR OriginalFileName = 'cmdkey.exe') AND (CommandLine LIKE '% /l%' ESCAPE '\\' OR CommandLine LIKE '% -l%' ESCAPE '\\'))" ], "filename": "proc_creation_win_cmdkey_recon.yml" }, { "title": "HackTool - CrackMapExec Process Patterns", "id": "f26307d8-14cd-47e3-a26b-4b4769f24af6", "status": "experimental", "description": "Detects suspicious process patterns found in logs when CrackMapExec is used", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%tasklist /fi %' ESCAPE '\\' AND CommandLine LIKE '%Imagename eq lsass.exe%' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (CommandLine LIKE '%do rundll32.exe C:\\\\windows\\\\System32\\\\comsvcs.dll, MiniDump%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND CommandLine LIKE '% full%' ESCAPE '\\' AND CommandLine LIKE '%\\%\\%B%' ESCAPE '\\') OR (CommandLine LIKE '%tasklist /v /fo csv%' ESCAPE '\\' AND CommandLine LIKE '%findstr /i \"lsass\"%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_crackmapexec_patterns.yml" }, { "title": "Suspicious Schtasks Execution AppData Folder", "id": "c5c00f49-b3f9-45a6-997e-cfdecc6e1967", "status": "experimental", "description": "Detects the creation of a schtask that executes a file from C:\\Users\\\\AppData\\Local", "author": "pH-T (Nextron Systems), Nasreddine Bencherchali", "tags": [ "attack.execution", "attack.persistence", "attack.t1053.005", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create%' ESCAPE '\\' AND CommandLine LIKE '%/RU%' ESCAPE '\\' AND CommandLine LIKE '%/TR%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%TeamViewer\\_.exe%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/TN TVInstallRestore%' ESCAPE '\\'))" ], "filename": "proc_creation_win_schtasks_appdata_local_system.yml" }, { "title": "HackTool - KrbRelay Execution", "id": "e96253b8-6b3b-4f90-9e59-3b24b99cf9b4", "status": "experimental", "description": "Detects the use of KrbRelay, a Kerberos relaying tool", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1558.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\KrbRelay.exe' ESCAPE '\\' OR OriginalFileName = 'KrbRelay.exe') OR (CommandLine LIKE '% -spn %' ESCAPE '\\' AND CommandLine LIKE '% -clsid %' ESCAPE '\\' AND CommandLine LIKE '% -rbcd %' ESCAPE '\\') OR (CommandLine LIKE '%shadowcred%' ESCAPE '\\' AND CommandLine LIKE '%clsid%' ESCAPE '\\' AND CommandLine LIKE '%spn%' ESCAPE '\\') OR (CommandLine LIKE '%spn %' ESCAPE '\\' AND CommandLine LIKE '%session %' ESCAPE '\\' AND CommandLine LIKE '%clsid %' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_krbrelay.yml" }, { "title": "Rundll32 With Suspicious Parent Process", "id": "1723e720-616d-4ddc-ab02-f7e3685a4713", "status": "experimental", "description": "Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary.", "author": "CD_ROM_", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT (CommandLine LIKE '% C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR CommandLine LIKE '% -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' ESCAPE '\\'))" ], "filename": "proc_creation_win_rundll32_parent_explorer.yml" }, { "title": "PowerShell Script Run in AppData", "id": "ac175779-025a-4f12-98b0-acdaeb77ea85", "status": "experimental", "description": "Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder", "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Administrative scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%powershell.exe%' ESCAPE '\\' OR CommandLine LIKE '%\\\\powershell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\pwsh%' ESCAPE '\\' OR CommandLine LIKE '%pwsh.exe%' ESCAPE '\\') AND CommandLine LIKE '%/c %' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%Local\\\\%' ESCAPE '\\' OR CommandLine LIKE '%Roaming\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_susp_ps_appdata.yml" }, { "title": "Potential Arbitrary Code Execution Via Node.EXE", "id": "6640f31c-01ad-49b5-beb5-83498a5cd8bd", "status": "experimental", "description": "Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1127" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\node.exe' ESCAPE '\\' AND (CommandLine LIKE '% -e %' ESCAPE '\\' OR CommandLine LIKE '% --eval %' ESCAPE '\\') AND CommandLine LIKE '%.exec(%' ESCAPE '\\' AND CommandLine LIKE '%net.socket%' ESCAPE '\\' AND CommandLine LIKE '%.connect%' ESCAPE '\\' AND CommandLine LIKE '%child\\_process%' ESCAPE '\\')" ], "filename": "proc_creation_win_node_abuse.yml" }, { "title": "UEFI Persistence Via Wpbbin - ProcessCreation", "id": "4abc0ec4-db5a-412f-9632-26659cddf145", "status": "experimental", "description": "Detects execution of the binary \"wpbbin\" which is used as part of the UEFI based persistence method described in the reference section", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.t1542.001" ], "falsepositives": [ "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_wpbbin_potential_persistence.yml" }, { "title": "Potential CobaltStrike Process Patterns", "id": "f35c5d71-b489-4e22-a115-f003df287317", "status": "experimental", "description": "Detects potential process patterns related to Cobalt Strike beacon activity", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cmd.exe /C whoami' ESCAPE '\\' AND ParentProcessName LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND CommandLine LIKE '%cmd.exe /c echo%' ESCAPE '\\' AND CommandLine LIKE '%> \\\\\\\\.\\\\pipe%' ESCAPE '\\') OR (ParentCommandLine LIKE '%cmd.exe /C echo%' ESCAPE '\\' AND ParentCommandLine LIKE '% > \\\\\\\\.\\\\pipe%' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\') OR (ParentCommandLine LIKE '%/C whoami' ESCAPE '\\' AND CommandLine LIKE '%conhost.exe 0xffffffff -ForceV1' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_cobaltstrike_process_patterns.yml" }, { "title": "Dism Remove Online Package", "id": "43e32da2-fdd0-4156-90de-50dfd62636f9", "status": "experimental", "description": "Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\DismHost.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%/Online%' ESCAPE '\\' AND ParentCommandLine LIKE '%/Disable-Feature%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Dism.exe' ESCAPE '\\' AND CommandLine LIKE '%/Online%' ESCAPE '\\' AND CommandLine LIKE '%/Disable-Feature%' ESCAPE '\\')))" ], "filename": "proc_creation_win_dsim_remove.yml" }, { "title": "HackTool - Dumpert Process Dumper Execution", "id": "2704ab9e-afe2-4854-a3b1-0c0706d03578", "status": "test", "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Very unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Hashes LIKE '%09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR CommandLine LIKE '%Dumpert.dll%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_dumpert.yml" }, { "title": "CobaltStrike Load by Rundll32", "id": "ae9c6a7c-9521-42a6-915e-5aaa8689d529", "status": "test", "description": "Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.", "author": "Wojciech Lesicki", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE' OR (CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' OR CommandLine LIKE '%rundll32 %' ESCAPE '\\')) AND (CommandLine LIKE '%.dll%' ESCAPE '\\' AND (CommandLine LIKE '% StartW' ESCAPE '\\' OR CommandLine LIKE '%,StartW' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" }, { "title": "LSASS Memory Dumping", "id": "ffa6861c-4461-4f59-8a41-578c39f3f23e", "status": "test", "description": "Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials.\nIdentifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.\n", "author": "E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%lsass%' ESCAPE '\\' AND CommandLine LIKE '%.dmp%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\werfault.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_lsass_dump.yml" }, { "title": "WmiPrvSE Spawned A Process", "id": "d21374ff-f574-44a7-9998-4a8c8bf33d7d", "status": "stable", "description": "Detects WmiPrvSE spawning a process", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", "attack.t1047" ], "falsepositives": [ "False positives are expected (e.g. in environments where WinRM is used legitimately)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\WmiPrvSe.exe' ESCAPE '\\' AND NOT ((SubjectLogonId IN ('0x3e7', 'null')) OR ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\') OR (SubjectLogonId = '')))" ], "filename": "proc_creation_win_wmiprvse_spawning_process.yml" }, { "title": "Taskkill Symantec Endpoint Protection", "id": "4a6713f6-3331-11ed-a261-0242ac120002", "status": "experimental", "description": "Detects one of the possible scenarios for disabling Symantec Endpoint Protection.\nSymantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.\nAs a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.\n", "author": "Ilya Krestinichev, Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%taskkill%' ESCAPE '\\' AND CommandLine LIKE '% /F %' ESCAPE '\\' AND CommandLine LIKE '% /IM %' ESCAPE '\\' AND CommandLine LIKE '%ccSvcHst.exe%' ESCAPE '\\')" ], "filename": "proc_creation_win_taskkill_sep.yml" }, { "title": "PUA - AdvancedRun Suspicious Execution", "id": "fa00b701-44c6-4679-994d-5a18afa8a707", "status": "experimental", "description": "Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%/EXEFilename%' ESCAPE '\\' OR CommandLine LIKE '%/CommandLine%' ESCAPE '\\') AND ((CommandLine LIKE '% /RunAs 8 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 4 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 10 %' ESCAPE '\\' OR CommandLine LIKE '% /RunAs 11 %' ESCAPE '\\') OR (CommandLine LIKE '%/RunAs 8' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 4' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 10' ESCAPE '\\' OR CommandLine LIKE '%/RunAs 11' ESCAPE '\\')))" ], "filename": "proc_creation_win_pua_advancedrun_priv_user.yml" }, { "title": "Webshell Hacking Activity Patterns", "id": "4ebc877f-4612-45cb-b3a5-8e3834db36c9", "status": "experimental", "description": "Detects certain parent child patterns found in cases in which a webshell is used to perform certain credential dumping or exfiltration activities on a compromised system", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1505.003", "attack.t1018", "attack.t1033", "attack.t1087" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_tomcatservice.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (CommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR CommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\'))) AND ((CommandLine LIKE '%rundll32%' ESCAPE '\\' AND CommandLine LIKE '%comsvcs%' ESCAPE '\\') OR (CommandLine LIKE '% -hp%' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\' AND CommandLine LIKE '% -m%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% user %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%net%' ESCAPE '\\' AND CommandLine LIKE '% localgroup %' ESCAPE '\\' AND CommandLine LIKE '% administrators %' ESCAPE '\\' AND CommandLine LIKE '%/add%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ldifde.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\adfind.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Nanodump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\') OR (CommandLine LIKE '% -NoP %' ESCAPE '\\' OR CommandLine LIKE '% -W Hidden %' ESCAPE '\\' OR CommandLine LIKE '% -decode %' ESCAPE '\\' OR CommandLine LIKE '% /decode %' ESCAPE '\\' OR CommandLine LIKE '%reg save %' ESCAPE '\\' OR CommandLine LIKE '%.downloadstring(%' ESCAPE '\\' OR CommandLine LIKE '%.downloadfile(%' ESCAPE '\\' OR CommandLine LIKE '%FromBase64String%' ESCAPE '\\' OR CommandLine LIKE '% /ticket:%' ESCAPE '\\' OR CommandLine LIKE '% sekurlsa%' ESCAPE '\\' OR CommandLine LIKE '%.dmp full%' ESCAPE '\\' OR CommandLine LIKE '%process call create%' ESCAPE '\\' OR CommandLine LIKE '%whoami /priv%' ESCAPE '\\')))" ], "filename": "proc_creation_win_webshell_hacking.yml" }, { "title": "Code Execution via Pcwutl.dll", "id": "9386d78a-7207-4048-9c9f-a93a7c2d1c05", "status": "test", "description": "Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.", "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "Use of Program Compatibility Troubleshooter Helper" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND (CommandLine LIKE '%pcwutl%' ESCAPE '\\' AND CommandLine LIKE '%LaunchApplication%' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_pcwutl.yml" }, { "title": "Parent in Public Folder Suspicious Process", "id": "69bd9b97-2be2-41b6-9816-fb08757a4d1a", "status": "experimental", "description": "This rule detects suspicious processes with parent images located in the C:\\Users\\Public folder", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%powershell%' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /k %' ESCAPE '\\' OR CommandLine LIKE '%cmd /c %' ESCAPE '\\' OR CommandLine LIKE '%cmd /r %' ESCAPE '\\' OR CommandLine LIKE '%cmd /k %' ESCAPE '\\' OR CommandLine LIKE '%wscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%cscript.exe%' ESCAPE '\\' OR CommandLine LIKE '%bitsadmin%' ESCAPE '\\' OR CommandLine LIKE '%certutil%' ESCAPE '\\' OR CommandLine LIKE '%mshta.exe%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_execution_from_public_folder_as_parent.yml" }, { "title": "Console CodePage Lookup Via CHCP", "id": "7090adee-82e2-4269-bd59-80691e7c6338", "status": "experimental", "description": "Detects use of chcp to look up the system locale value as part of host discovery", "author": "_pete_0, TheDFIRReport", "tags": [ "attack.discovery", "attack.t1614.001" ], "falsepositives": [ "During Anaconda update the 'conda.exe' process will eventually execution the 'chcp' command." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentCommandLine LIKE '% /c %' ESCAPE '\\' OR ParentCommandLine LIKE '% /r %' ESCAPE '\\' OR ParentCommandLine LIKE '% /k %' ESCAPE '\\') AND NewProcessName LIKE '%\\\\chcp.com' ESCAPE '\\' AND (CommandLine LIKE '%chcp' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\' OR CommandLine LIKE '%chcp ' ESCAPE '\\'))" ], "filename": "proc_creation_win_chcp_codepage_lookup.yml" }, { "title": "DumpMinitool Execution", "id": "dee0a7a3-f200-4112-a99b-952196d81e42", "status": "experimental", "description": "Detects the use of \"DumpMinitool.exe\" a tool that allows the dump of process memory via the use of the \"MiniDumpWriteDump\"", "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\DumpMinitool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.x86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DumpMinitool.arm64.exe' ESCAPE '\\') OR OriginalFileName IN ('DumpMinitool.exe', 'DumpMinitool.x86.exe', 'DumpMinitool.arm64.exe')) AND (CommandLine LIKE '% Full%' ESCAPE '\\' OR CommandLine LIKE '% Mini%' ESCAPE '\\' OR CommandLine LIKE '% WithHeap%' ESCAPE '\\'))" ], "filename": "proc_creation_win_dumpminitool_execution.yml" }, { "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE", "id": "6c8fbee5-dee8-49bc-851d-c3142d02aa47", "status": "experimental", "description": "Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR OriginalFileName = 'sc.exe') AND (CommandLine LIKE '%sdset%' ESCAPE '\\' AND CommandLine LIKE '%A;%' ESCAPE '\\') AND (CommandLine LIKE '%;IU%' ESCAPE '\\' OR CommandLine LIKE '%;SU%' ESCAPE '\\' OR CommandLine LIKE '%;BA%' ESCAPE '\\' OR CommandLine LIKE '%;SY%' ESCAPE '\\' OR CommandLine LIKE '%;WD%' ESCAPE '\\'))" ], "filename": "proc_creation_win_sc_sdset_allow_service_changes.yml" }, { "title": "Windows Processes Suspicious Parent Directory", "id": "96036718-71cc-4027-a538-d1587e0006a7", "status": "test", "description": "Detect suspicious parent processes of well-known Windows processes", "author": "vburov", "tags": [ "attack.defense_evasion", "attack.t1036.003", "attack.t1036.005" ], "falsepositives": [ "Some security products seem to spawn these" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsaiso.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\') AND NOT (((ParentProcessName LIKE '%\\\\SavService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\Windows Defender\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Microsoft Security Client\\\\%' ESCAPE '\\') AND ParentProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (ParentProcessName = '' OR ParentProcessName = '-')))" ], "filename": "proc_creation_win_susp_proc_wrong_parent.yml" }, { "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE", "id": "044ba588-dff4-4918-9808-3f95e8160606", "status": "experimental", "description": "Detects usage of the copy builtin cmd command to copy files with the \".dmp\"/\".dump\" extension from a remote share", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND (CommandLine LIKE '%.dmp%' ESCAPE '\\' OR CommandLine LIKE '%.dump%' ESCAPE '\\')))" ], "filename": "proc_creation_win_cmd_copy_dmp_from_share.yml" }, { "title": "Potential Powershell ReverseShell Connection", "id": "edc2f8ae-2412-4dfd-b9d5-0c57727e70be", "status": "stable", "description": "Detects usage of the \"TcpClient\" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang \"Invoke-PowerShellTcpOneLine\" reverse shell and other.", "author": "FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "In rare administrative cases, this function might be used to check network connectivity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\')) AND (CommandLine LIKE '% Net.Sockets.TCPClient%' ESCAPE '\\' AND CommandLine LIKE '%.GetStream(%' ESCAPE '\\' AND CommandLine LIKE '%.Write(%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_reverse_shell_connection.yml" }, { "title": "File Encoded To Base64 Via Certutil.EXE", "id": "e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a", "status": "test", "description": "Detects the execution of certutil with the \"encode\" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration", "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR OriginalFileName = 'CertUtil.exe') AND (CommandLine LIKE '%-encode%' ESCAPE '\\' OR CommandLine LIKE '%/encode%' ESCAPE '\\'))" ], "filename": "proc_creation_win_certutil_encode.yml" }, { "title": "Suspicious Elevated System Shell", "id": "178e615d-e666-498b-9630-9ed363038101", "status": "experimental", "description": "Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.", "author": "frack113, Tim Shelton (update fp)", "tags": [ "attack.privilege_escalation", "attack.defense_evasion", "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll', 'Cmd.Exe')) AND ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND SubjectLogonId = '0x3e7')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\ManageEngine\\\\ADManager Plus\\\\pgsql\\\\bin\\\\postgres.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \"%' ESCAPE '\\' AND CurrentDirectory LIKE '%C:\\\\WINDOWS\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\Temp%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\invcol.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%C:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\IBM\\\\SpectrumProtect\\\\webserver\\\\scripts\\\\%' ESCAPE '\\') OR (CommandLine = 'powershell.exe -ExecutionPolicy Restricted -Command Write-Host ''Final result: 1'';') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%/d /c C:\\\\Windows\\\\system32\\\\silcollector.cmd%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (CommandLine LIKE '%cmd.exe /c btool server list replication\\_port --no-log' ESCAPE '\\' OR CommandLine LIKE '%cmd.exe /c btool server list general --no-log' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\Windows\\\\system32\\\\reg.exe query hklm\\\\software\\\\microsoft\\\\windows\\\\softwareinventorylogging /v collectionstate /reg:64%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /c PAUSE' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_elevated_system_shell.yml" }, { "title": "Suspicious Firewall Configuration Discovery Via Netsh.EXE", "id": "0e4164da-94bc-450d-a7be-a4b176179f1f", "status": "experimental", "description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ "attack.discovery", "attack.t1016" ], "falsepositives": [ "Administrative activity" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%netsh %' ESCAPE '\\' AND CommandLine LIKE '%show %' ESCAPE '\\' AND CommandLine LIKE '%firewall %' ESCAPE '\\' AND (CommandLine LIKE '%config %' ESCAPE '\\' OR CommandLine LIKE '%state %' ESCAPE '\\' OR CommandLine LIKE '%rule %' ESCAPE '\\' OR CommandLine LIKE '%name=all%' ESCAPE '\\')))" ], "filename": "proc_creation_win_netsh_fw_rules_discovery.yml" }, { "title": "Suspicious Rundll32 Execution With Image Extension", "id": "4aa6040b-3f28-44e3-a769-9208e5feb5ec", "status": "experimental", "description": "Detects the execution of Rundll32.exe with DLL files masquerading as image files", "author": "Hieu Tran", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.exe') AND (CommandLine LIKE '%.bmp%' ESCAPE '\\' OR CommandLine LIKE '%.cr2%' ESCAPE '\\' OR CommandLine LIKE '%.eps%' ESCAPE '\\' OR CommandLine LIKE '%.gif%' ESCAPE '\\' OR CommandLine LIKE '%.ico%' ESCAPE '\\' OR CommandLine LIKE '%.jpeg%' ESCAPE '\\' OR CommandLine LIKE '%.jpg%' ESCAPE '\\' OR CommandLine LIKE '%.nef%' ESCAPE '\\' OR CommandLine LIKE '%.orf%' ESCAPE '\\' OR CommandLine LIKE '%.png%' ESCAPE '\\' OR CommandLine LIKE '%.raw%' ESCAPE '\\' OR CommandLine LIKE '%.sr2%' ESCAPE '\\' OR CommandLine LIKE '%.tif%' ESCAPE '\\' OR CommandLine LIKE '%.tiff%' ESCAPE '\\'))" ], "filename": "proc_creation_win_rundll32_susp_execution_with_image_extension.yml" }, { "title": "Potential Procdump Evasion", "id": "79b06761-465f-4f88-9ef2-150e24d3d737", "status": "test", "description": "Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036", "attack.t1003.001" ], "falsepositives": [ "Cases in which procdump just gets copied to a different directory without any renaming" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%copy procdump%' ESCAPE '\\' OR CommandLine LIKE '%move procdump%' ESCAPE '\\') OR (CommandLine LIKE '%copy %' ESCAPE '\\' AND CommandLine LIKE '%.dmp %' ESCAPE '\\' AND (CommandLine LIKE '%2.dmp%' ESCAPE '\\' OR CommandLine LIKE '%lsass%' ESCAPE '\\' OR CommandLine LIKE '%out.dmp%' ESCAPE '\\')) OR (CommandLine LIKE '%copy lsass.exe\\_%' ESCAPE '\\' OR CommandLine LIKE '%move lsass.exe\\_%' ESCAPE '\\')))" ], "filename": "proc_creation_win_sysinternals_procdump_evasion.yml" }, { "title": "Suspicious ScreenSave Change by Reg.exe", "id": "0fc35fc3-efe6-4898-8a37-0b233339524f", "status": "experimental", "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", "author": "frack113", "tags": [ "attack.privilege_escalation", "attack.t1546.002" ], "falsepositives": [ "GPO" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND (CommandLine LIKE '%HKEY\\_CURRENT\\_USER\\\\Control Panel\\\\Desktop%' ESCAPE '\\' OR CommandLine LIKE '%HKCU\\\\Control Panel\\\\Desktop%' ESCAPE '\\')) AND ((CommandLine LIKE '%/v ScreenSaveActive%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 1%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaveTimeout%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v ScreenSaverIsSecure%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d 0%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\') OR (CommandLine LIKE '%/v SCRNSAVE.EXE%' ESCAPE '\\' AND CommandLine LIKE '%/t REG\\_SZ%' ESCAPE '\\' AND CommandLine LIKE '%/d %' ESCAPE '\\' AND CommandLine LIKE '%.scr%' ESCAPE '\\' AND CommandLine LIKE '%/f%' ESCAPE '\\')))" ], "filename": "proc_creation_win_reg_screensaver.yml" }, { "title": "Potential UAC Bypass Via Sdclt.EXE", "id": "40f9af16-589d-4984-b78d-8c2aec023197", "status": "test", "description": "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.privilege_escalation", "attack.defense_evasion", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%sdclt.exe' ESCAPE '\\' AND IntegrityLevel = 'High')" ], "filename": "proc_creation_win_uac_bypass_sdclt.yml" }, { "title": "Suspicious File Download via CertOC.exe", "id": "70ad0861-d1fe-491c-a45f-fa48148a300d", "status": "experimental", "description": "Detects when a user downloads file by using CertOC.exe", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR OriginalFileName = 'CertOC.exe') AND CommandLine LIKE '%-GetCACAPS%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_certoc_download.yml" }, { "title": "HackTool - PowerTool Execution", "id": "a34f79a3-8e5f-4cc3-b765-de00695452c2", "status": "experimental", "description": "Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\PowerTool.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PowerTool64.exe' ESCAPE '\\') OR OriginalFileName = 'PowerTool.exe'))" ], "filename": "proc_creation_win_hktl_powertool.yml" }, { "title": "Direct Autorun Keys Modification", "id": "24357373-078f-44ed-9ac4-6d334a668a11", "status": "test", "description": "Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.", "author": "Victor Sergeev, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", "Legitimate administrator sets up autorun keys for legitimate reasons.", "Discord" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows%' ESCAPE '\\' OR CommandLine LIKE '%\\\\software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' OR CommandLine LIKE '%\\\\system\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\'))" ], "filename": "proc_creation_win_reg_direct_asep_registry_keys_modification.yml" }, { "title": "HackTool - WinRM Access Via Evil-WinRM", "id": "a197e378-d31b-41c0-9635-cfdf1c1bb423", "status": "test", "description": "Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.", "author": "frack113", "tags": [ "attack.lateral_movement", "attack.t1021.006" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\ruby.exe' ESCAPE '\\' AND CommandLine LIKE '%-i %' ESCAPE '\\' AND CommandLine LIKE '%-u %' ESCAPE '\\' AND CommandLine LIKE '%-p %' ESCAPE '\\')" ], "filename": "proc_creation_win_hktl_evil_winrm.yml" }, { "title": "Always Install Elevated MSI Spawned Cmd And Powershell", "id": "1e53dd56-8d83-4eb4-a43e-b790a05510aa", "status": "test", "description": "Detects Windows Installer service (msiexec.exe) spawning \"cmd\" or \"powershell\"", "author": "Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community", "tags": [ "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll')) AND (ParentProcessName LIKE '%\\\\Windows\\\\Installer\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%msi%' ESCAPE '\\' AND ParentProcessName LIKE '%tmp' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_elavated_msi_spawned_shell.yml" }, { "title": "Suspicious PowerShell Child Processes", "id": "e4b6d2a7-d8a4-4f19-acbd-943c16d90647", "status": "experimental", "description": "Detects suspicious child processes spawned by PowerShell", "author": "Florian Roth (Nextron Systems), Tim Shelton", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((ParentCommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\Program Files\\\\Amazon\\\\WorkspacesConfig\\\\Scripts\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_susp_child_processes.yml" }, { "title": "Add New Windows Capability - ProcCreation", "id": "b36d01a3-ddaf-4804-be18-18a6247adfcd", "status": "experimental", "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Legitimate usage of the capabilities by administartors or users. Filter accordingly" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND CommandLine LIKE '%Add-WindowsCapability%' ESCAPE '\\' AND CommandLine LIKE '%OpenSSH.%' ESCAPE '\\')" ], "filename": "proc_creation_win_powershell_add_windows_capability.yml" }, { "title": "Obfuscated IP Via CLI", "id": "56d19cb4-6414-4769-9644-1ed35ffbb148", "status": "experimental", "description": "Detects usage of an encoded/obfuscated version of an IP address (hex, octal...) via commandline", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\') AND (CommandLine LIKE '% 0x%' ESCAPE '\\' OR CommandLine REGEXP ' [0-9]{7,13}'))" ], "filename": "proc_creation_win_susp_obfuscated_ip_via_cli.yml" }, { "title": "PowerShell Download Pattern", "id": "3b6ab547-8ec2-4991-b9d2-2b06702a48d7", "status": "test", "description": "Detects a Powershell process that contains download commands in its command line string", "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%new-object%' ESCAPE '\\' AND CommandLine LIKE '%net.webclient).%' ESCAPE '\\' AND CommandLine LIKE '%download%' ESCAPE '\\' AND (CommandLine LIKE '%string(%' ESCAPE '\\' OR CommandLine LIKE '%file(%' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_download_patterns.yml" }, { "title": "Potential Data Exfiltration Via Curl.EXE", "id": "00bca14a-df4e-4649-9054-3f2aa676bc04", "status": "test", "description": "Detects the execution of the \"curl\" process with \"upload\" flags. Which might indicate potential data exfiltration", "author": "Florian Roth (Nextron Systems), Cedric MAURUGEON (Update)", "tags": [ "attack.exfiltration", "attack.t1567", "attack.t1105" ], "falsepositives": [ "Scripts created by developers and admins" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable') AND ((CommandLine LIKE '% --form%' ESCAPE '\\' OR CommandLine LIKE '% --upload-file %' ESCAPE '\\' OR CommandLine LIKE '% --data %' ESCAPE '\\' OR CommandLine LIKE '% --data-%' ESCAPE '\\') OR CommandLine REGEXP '\\s-[FTd]\\s')) AND NOT (((CommandLine LIKE '%://localhost%' ESCAPE '\\' OR CommandLine LIKE '%://127.0.0.1%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_curl_fileupload.yml" }, { "title": "HackTool - PurpleSharp Execution", "id": "ff23ffbc-3378-435e-992f-0624dcf93ab4", "status": "test", "description": "Detects the execution of the PurpleSharp adversary simulation tool", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.t1587", "attack.resource_development" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\purplesharp%' ESCAPE '\\' OR OriginalFileName = 'PurpleSharp.exe' OR (CommandLine LIKE '%xyz123456.exe%' ESCAPE '\\' OR CommandLine LIKE '%PurpleSharp%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_purplesharp_indicators.yml" }, { "title": "Suspicious Obfuscated PowerShell Code", "id": "8d01b53f-456f-48ee-90f6-bc28e67d4e35", "status": "experimental", "description": "Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%IAAtAGIAeABvAHIAIAAwAHgA%' ESCAPE '\\' OR CommandLine LIKE '%AALQBiAHgAbwByACAAMAB4A%' ESCAPE '\\' OR CommandLine LIKE '%gAC0AYgB4AG8AcgAgADAAeA%' ESCAPE '\\' OR CommandLine LIKE '%AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg%' ESCAPE '\\' OR CommandLine LIKE '%AuAEkAbgB2AG8AawBlACgAKQAgAHwAI%' ESCAPE '\\' OR CommandLine LIKE '%ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACIAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAiACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AIgAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMQB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADEAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAxAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMAB9AHsAMwB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADAAfQB7ADMAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAwAH0AewAzAH0AJwAgAC0AZgAg%' ESCAPE '\\' OR CommandLine LIKE '%AHsAMgB9AHsAMAB9ACcAIAAtAGYAI%' ESCAPE '\\' OR CommandLine LIKE '%B7ADIAfQB7ADAAfQAnACAALQBmAC%' ESCAPE '\\' OR CommandLine LIKE '%AewAyAH0AewAwAH0AJwAgAC0AZgAg%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_encoded_obfusc.yml" }, { "title": "RDP Connection Allowed Via Netsh.EXE", "id": "01aeb693-138d-49d2-9403-c4f52d7d3d62", "status": "test", "description": "Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware", "author": "Sander Wiebing", "tags": [ "attack.defense_evasion", "attack.t1562.004" ], "falsepositives": [ "Legitimate administration activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%tcp %' ESCAPE '\\' AND CommandLine LIKE '%3389%' ESCAPE '\\') AND (CommandLine LIKE '%portopening%' ESCAPE '\\' OR (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%allow%' ESCAPE '\\')))" ], "filename": "proc_creation_win_netsh_fw_allow_rdp.yml" }, { "title": "HackTool - Inveigh Execution", "id": "b99a1518-1ad5-4f65-bc95-1ffff97a8fd0", "status": "experimental", "description": "Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Very unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR (OriginalFileName LIKE '\\\\Inveigh.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\Inveigh.dll' ESCAPE '\\') OR Description = 'Inveigh' OR (CommandLine LIKE '% -SpooferIP%' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToIPs %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToDomains %' ESCAPE '\\' OR CommandLine LIKE '% -ReplyToMACs %' ESCAPE '\\' OR CommandLine LIKE '% -SnifferIP%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_inveigh.yml" }, { "title": "Suspicious Ping/Del Command Combination", "id": "54786ddc-5b8a-11ed-9b6a-0242ac120002", "status": "experimental", "description": "Detects a method often used by ransomware. Which combines the \"ping\" to wait a couple of seconds and then \"del\" to delete the file in question. Its used to hide the file responsible for the initial infection for example", "author": "Ilya Krestinichev", "tags": [ "attack.defense_evasion", "attack.t1070.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -n %' ESCAPE '\\' OR CommandLine LIKE '% /n %' ESCAPE '\\') AND CommandLine LIKE '%Nul%' ESCAPE '\\' AND (CommandLine LIKE '% /f %' ESCAPE '\\' OR CommandLine LIKE '% -f %' ESCAPE '\\' OR CommandLine LIKE '% /q %' ESCAPE '\\' OR CommandLine LIKE '% -q %' ESCAPE '\\') AND CommandLine LIKE '%ping%' ESCAPE '\\' AND CommandLine LIKE '%del %' ESCAPE '\\')" ], "filename": "proc_creation_win_cmd_ping_del_combined_execution.yml" }, { "title": "Potential Arbitrary File Download Using Office Application", "id": "4ae3e30b-b03f-43aa-87e3-b622f4048eed", "status": "experimental", "description": "Detects potential arbitrary file download using a Microsoft Office application", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\EXCEL.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\') OR OriginalFileName IN ('Excel.exe', 'POWERPNT.EXE', 'WinWord.exe')) AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\'))" ], "filename": "proc_creation_win_office_arbitrary_cli_download.yml" }, { "title": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries", "id": "0ba1da6d-b6ce-4366-828c-18826c9de23e", "status": "test", "description": "Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.", "author": "Matthew Green - @mgreen27, Florian Roth (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", "attack.t1036.003", "car.2013-05-009" ], "falsepositives": [ "Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist", "PsExec installed via Windows Store doesn't contain original filename field (False negative)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Description = 'Execute processes remotely' OR Product = 'Sysinternals PsExec' OR (Description LIKE 'Windows PowerShell%' ESCAPE '\\' OR Description LIKE 'pwsh%' ESCAPE '\\') OR (OriginalFileName LIKE 'powershell.exe' ESCAPE '\\' OR OriginalFileName LIKE 'pwsh.dll' ESCAPE '\\' OR OriginalFileName LIKE 'powershell\\_ise.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'psexec.c' ESCAPE '\\' OR OriginalFileName LIKE 'psexesvc.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wscript.exe' ESCAPE '\\' OR OriginalFileName LIKE 'mshta.exe' ESCAPE '\\' OR OriginalFileName LIKE 'regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'wmic.exe' ESCAPE '\\' OR OriginalFileName LIKE 'certutil.exe' ESCAPE '\\' OR OriginalFileName LIKE 'rundll32.exe' ESCAPE '\\' OR OriginalFileName LIKE 'cmstp.exe' ESCAPE '\\' OR OriginalFileName LIKE 'msiexec.exe' ESCAPE '\\' OR OriginalFileName LIKE 'reg.exe' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psexec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_renamed_binary_highly_relevant.yml" }, { "title": "SQL Client Tools PowerShell Session Detection", "id": "a746c9b8-a2fb-4ee5-a428-92bee9e99060", "status": "test", "description": "This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", "author": "Agro (@agro_sev) oscd.communitly", "tags": [ "attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1127" ], "falsepositives": [ "Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sqltoolsps.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\sqltoolsps.exe' ESCAPE '\\') AND NOT (ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_mssql_sqltoolsps_susp_execution.yml" }, { "title": "Potential Arbitrary Command Execution Using Msdt.EXE", "id": "258fc8ce-8352-443a-9120-8a11e4857fa5", "status": "experimental", "description": "Detects processes leveraging the \"ms-msdt\" handler or the \"msdt.exe\" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' OR OriginalFileName = 'msdt.exe') AND (CommandLine LIKE '%IT\\_BrowseForFile=%' ESCAPE '\\' OR (CommandLine LIKE '% PCWDiagnostic%' ESCAPE '\\' AND (CommandLine LIKE '% /af %' ESCAPE '\\' OR CommandLine LIKE '% -af %' ESCAPE '\\'))))" ], "filename": "proc_creation_win_msdt_arbitrary_command_execution.yml" }, { "title": "Use of Remote.exe", "id": "4eddc365-79b4-43ff-a9d7-99422dc34b93", "status": "experimental", "description": "Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.", "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", "attack.t1127" ], "falsepositives": [ "Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg)." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\remote.exe' ESCAPE '\\' OR OriginalFileName = 'remote.exe'))" ], "filename": "proc_creation_win_lolbin_remote.yml" }, { "title": "Potential Manage-bde.wsf Abuse To Proxy Execution", "id": "c363385c-f75d-4753-a108-c1a8e28bdbda", "status": "test", "description": "Detects potential abuse of the \"manage-bde.wsf\" script as a LOLBIN to proxy execution", "author": "oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1216" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR OriginalFileName = 'wscript.exe') AND CommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') OR (((ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND ParentCommandLine LIKE '%manage-bde.wsf%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\'))))" ], "filename": "proc_creation_win_lolbin_manage_bde.yml" }, { "title": "Detected Windows Software Discovery", "id": "e13f668e-7f95-443d-98d2-1816a7648a7b", "status": "test", "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.discovery", "attack.t1518" ], "falsepositives": [ "Legitimate administration activities" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' AND CommandLine LIKE '%query%' ESCAPE '\\' AND CommandLine LIKE '%\\\\software\\\\%' ESCAPE '\\' AND CommandLine LIKE '%/v%' ESCAPE '\\' AND CommandLine LIKE '%svcversion%' ESCAPE '\\')" ], "filename": "proc_creation_win_reg_software_discovery.yml" }, { "title": "Suspicious Execution of Hostname", "id": "7be5fb68-f9ef-476d-8b51-0256ebece19e", "status": "test", "description": "Use of hostname to get information", "author": "frack113", "tags": [ "attack.discovery", "attack.t1082" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\HOSTNAME.EXE' ESCAPE '\\')" ], "filename": "proc_creation_win_hostname_execution.yml" }, { "title": "Interactive AT Job", "id": "60fc936d-2eb0-4543-8a13-911c750a1dfc", "status": "test", "description": "Detects an interactive AT job, which may be used as a form of privilege escalation.", "author": "E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ "attack.privilege_escalation", "attack.t1053.002" ], "falsepositives": [ "Unlikely (at.exe deprecated as of Windows 8)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' AND CommandLine LIKE '%interactive%' ESCAPE '\\')" ], "filename": "proc_creation_win_at_interactive_execution.yml" }, { "title": "Terminal Service Process Spawn", "id": "1012f107-b8f1-4271-af30-5aed2de89b39", "status": "test", "description": "Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.initial_access", "attack.t1190", "attack.lateral_movement", "attack.t1210", "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentCommandLine LIKE '%\\\\svchost.exe%' ESCAPE '\\' AND ParentCommandLine LIKE '%termsvcs%' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\rdpclip.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\')) OR (NewProcessName = '')))" ], "filename": "proc_creation_win_svchost_termserv_proc_spawn.yml" }, { "title": "Suspicious Debugger Registration Cmdline", "id": "ae215552-081e-44c7-805f-be16f975c8a2", "status": "test", "description": "Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).", "author": "Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1546.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\CurrentVersion\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%displayswitch.exe%' ESCAPE '\\' OR CommandLine LIKE '%atbroker.exe%' ESCAPE '\\' OR CommandLine LIKE '%HelpPane.exe%' ESCAPE '\\'))" ], "filename": "proc_creation_win_registry_install_reg_debugger_backdoor.yml" }, { "title": "HackTool - Jlaive In-Memory Assembly Execution", "id": "0a99eb3e-1617-41bd-b095-13dc767f3def", "status": "experimental", "description": "Detects the use of Jlaive to execute assemblies in a copied PowerShell", "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", "tags": [ "attack.execution", "attack.t1059.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%.bat' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%powershell.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\xcopy.exe' ESCAPE '\\' AND CommandLine LIKE '%pwsh.exe%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' AND CommandLine LIKE '%+s%' ESCAPE '\\' AND CommandLine LIKE '%+h%' ESCAPE '\\' AND CommandLine LIKE '%.bat.exe%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_jlaive_batch_execution.yml" }, { "title": "Potential Crypto Mining Activity", "id": "66c3b204-9f88-4d0a-a7f7-8a57d521ca55", "status": "stable", "description": "Detects command line parameters or strings often used by crypto miners", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.impact", "attack.t1496" ], "falsepositives": [ "Legitimate use of crypto miners", "Some build frameworks" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '% --cpu-priority=%' ESCAPE '\\' OR CommandLine LIKE '%--donate-level=0%' ESCAPE '\\' OR CommandLine LIKE '% -o pool.%' ESCAPE '\\' OR CommandLine LIKE '% --nicehash%' ESCAPE '\\' OR CommandLine LIKE '% --algo=rx/0 %' ESCAPE '\\' OR CommandLine LIKE '%stratum+tcp://%' ESCAPE '\\' OR CommandLine LIKE '%stratum+udp://%' ESCAPE '\\' OR CommandLine LIKE '%LS1kb25hdGUtbGV2ZWw9%' ESCAPE '\\' OR CommandLine LIKE '%0tZG9uYXRlLWxldmVsP%' ESCAPE '\\' OR CommandLine LIKE '%tLWRvbmF0ZS1sZXZlbD%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt0Y3A6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdGNwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3RjcDovL%' ESCAPE '\\' OR CommandLine LIKE '%c3RyYXR1bSt1ZHA6Ly%' ESCAPE '\\' OR CommandLine LIKE '%N0cmF0dW0rdWRwOi8v%' ESCAPE '\\' OR CommandLine LIKE '%zdHJhdHVtK3VkcDovL%' ESCAPE '\\') AND NOT ((CommandLine LIKE '% pool.c %' ESCAPE '\\' OR CommandLine LIKE '% pool.o %' ESCAPE '\\' OR CommandLine LIKE '%gcc -%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_crypto_mining_monero.yml" }, { "title": "Suspicious Git Clone", "id": "aef9d1f1-7396-4e92-a927-4567c7a495c1", "status": "experimental", "description": "Detects execution of \"git\" in order to clone a remote repository that contain suspicious keywords which might be suspicious", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.reconnaissance", "attack.t1593.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\git.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\git-remote-https.exe' ESCAPE '\\') OR OriginalFileName = 'git.exe') AND (CommandLine LIKE '% clone %' ESCAPE '\\' OR CommandLine LIKE '%git-remote-https %' ESCAPE '\\') AND (CommandLine LIKE '%exploit%' ESCAPE '\\' OR CommandLine LIKE '%Vulns%' ESCAPE '\\' OR CommandLine LIKE '%vulnerability%' ESCAPE '\\' OR CommandLine LIKE '%RemoteCodeExecution%' ESCAPE '\\' OR CommandLine LIKE '%Invoke-%' ESCAPE '\\' OR CommandLine LIKE '%CVE-%' ESCAPE '\\' OR CommandLine LIKE '%poc-%' ESCAPE '\\' OR CommandLine LIKE '%ProofOfConcept%' ESCAPE '\\' OR CommandLine LIKE '%proxyshell%' ESCAPE '\\' OR CommandLine LIKE '%log4shell%' ESCAPE '\\' OR CommandLine LIKE '%eternalblue%' ESCAPE '\\' OR CommandLine LIKE '%eternal-blue%' ESCAPE '\\' OR CommandLine LIKE '%MS17-%' ESCAPE '\\'))" ], "filename": "proc_creation_win_git_susp_clone.yml" }, { "title": "File Download with Headless Browser", "id": "0e8cfe08-02c9-4815-a2f8-0d157b7ed33e", "status": "test", "description": "This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.", "author": "Sreeman, Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\') AND CommandLine LIKE '%--headless%' ESCAPE '\\' AND CommandLine LIKE '%dump-dom%' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')" ], "filename": "proc_creation_win_browsers_chromium_headless_file_download.yml" }, { "title": "Logged-On User Password Change Via Ksetup.EXE", "id": "c9783e20-4793-4164-ba96-d9ee483992c4", "status": "experimental", "description": "Detects password change for the logged-on user's via \"ksetup.exe\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\ksetup.exe' ESCAPE '\\' OR OriginalFileName = 'ksetup.exe') AND CommandLine LIKE '% /ChangePassword %' ESCAPE '\\')" ], "filename": "proc_creation_win_ksetup_password_change_user.yml" }, { "title": "Remotely Hosted HTA File Executed Via Mshta.EXE", "id": "b98d0db6-511d-45de-ad02-e82a98729620", "status": "experimental", "description": "Detects execution of the \"mshta\" utility with an argument containing the \"http\" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR OriginalFileName = 'MSHTA.EXE') AND (CommandLine LIKE '%http://%' ESCAPE '\\' OR CommandLine LIKE '%https://%' ESCAPE '\\' OR CommandLine LIKE '%ftp://%' ESCAPE '\\'))" ], "filename": "proc_creation_win_mshta_http.yml" }, { "title": "Suspicious Diantz Download and Compress Into a CAB File", "id": "185d7418-f250-42d0-b72e-0c8b70661e93", "status": "experimental", "description": "Download and compress a remote file and store it in a cab file on local machine.", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%diantz.exe%' ESCAPE '\\' AND CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_diantz_remote_cab.yml" }, { "title": "Chopper Webshell Process Pattern", "id": "fa3c117a-bc0d-416e-a31b-0c0e80653efb", "status": "experimental", "description": "Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells", "author": "Florian Roth (Nextron Systems), MSTI (query)", "tags": [ "attack.persistence", "attack.t1505.003", "attack.t1018", "attack.t1033", "attack.t1087" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\') AND (CommandLine LIKE '%&ipconfig&echo%' ESCAPE '\\' OR CommandLine LIKE '%&quser&echo%' ESCAPE '\\' OR CommandLine LIKE '%&whoami&echo%' ESCAPE '\\' OR CommandLine LIKE '%&c:&echo%' ESCAPE '\\' OR CommandLine LIKE '%&cd&echo%' ESCAPE '\\' OR CommandLine LIKE '%&dir&echo%' ESCAPE '\\' OR CommandLine LIKE '%&echo [E]%' ESCAPE '\\' OR CommandLine LIKE '%&echo [S]%' ESCAPE '\\'))" ], "filename": "proc_creation_win_webshell_chopper.yml" }, { "title": "Suspicious SYSVOL Domain Group Policy Access", "id": "05f3c945-dcc8-4393-9f3d-af65077a8f86", "status": "test", "description": "Detects Access to Domain Group Policies stored in SYSVOL", "author": "Markus Neis, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.credential_access", "attack.t1552.006" ], "falsepositives": [ "Administrative activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\SYSVOL\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\policies\\\\%' ESCAPE '\\')" ], "filename": "proc_creation_win_susp_sysvol_access.yml" }, { "title": "Disable of ETW Trace", "id": "a238b5d0-ce2d-4414-a676-7a531b3d13d6", "status": "test", "description": "Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.", "author": "@neu5ron, Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1070", "attack.t1562.006", "car.2016-04-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%cl%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%clear-log%' ESCAPE '\\' AND CommandLine LIKE '%/Trace%' ESCAPE '\\') OR (CommandLine LIKE '%sl%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%set-log%' ESCAPE '\\' AND CommandLine LIKE '%/e:false%' ESCAPE '\\') OR (CommandLine LIKE '%logman%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\' AND CommandLine LIKE '%trace%' ESCAPE '\\' AND CommandLine LIKE '%--p%' ESCAPE '\\' AND CommandLine LIKE '%-ets%' ESCAPE '\\') OR CommandLine LIKE '%Remove-EtwTraceProvider%' ESCAPE '\\' OR (CommandLine LIKE '%Set-EtwTraceProvider%' ESCAPE '\\' AND CommandLine LIKE '%0x11%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_etw_trace_evasion.yml" }, { "title": "PUA - AdFind Suspicious Execution", "id": "9a132afa-654e-11eb-ae93-0242ac130002", "status": "test", "description": "Detects AdFind execution with common flags seen used during attacks", "author": "Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community", "tags": [ "attack.discovery", "attack.t1018", "attack.t1087.002", "attack.t1482", "attack.t1069.002" ], "falsepositives": [ "Legitimate admin activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%domainlist%' ESCAPE '\\' OR CommandLine LIKE '%trustdmp%' ESCAPE '\\' OR CommandLine LIKE '%dcmodes%' ESCAPE '\\' OR CommandLine LIKE '%adinfo%' ESCAPE '\\' OR CommandLine LIKE '% dclist %' ESCAPE '\\' OR CommandLine LIKE '%computer\\_pwdnotreqd%' ESCAPE '\\' OR CommandLine LIKE '%objectcategory=%' ESCAPE '\\' OR CommandLine LIKE '%-subnets -f%' ESCAPE '\\' OR CommandLine LIKE '%name=\"Domain Admins\"%' ESCAPE '\\' OR CommandLine LIKE '%-sc u:%' ESCAPE '\\' OR CommandLine LIKE '%domainncs%' ESCAPE '\\' OR CommandLine LIKE '%dompol%' ESCAPE '\\' OR CommandLine LIKE '% oudmp %' ESCAPE '\\' OR CommandLine LIKE '%subnetdmp%' ESCAPE '\\' OR CommandLine LIKE '%gpodmp%' ESCAPE '\\' OR CommandLine LIKE '%fspdmp%' ESCAPE '\\' OR CommandLine LIKE '%users\\_noexpire%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_active%' ESCAPE '\\' OR CommandLine LIKE '%computers\\_pwdnotreqd%' ESCAPE '\\'))" ], "filename": "proc_creation_win_pua_adfind_susp_usage.yml" }, { "title": "Active Directory Database Snapshot Via ADExplorer", "id": "9212f354-7775-4e28-9c9f-8f0a4544e664", "status": "experimental", "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1552.001", "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\')" ], "filename": "proc_creation_win_sysinternals_adexplorer_execution.yml" }, { "title": "Suspicious Invoke-WebRequest Execution With DirectIP", "id": "1edff897-9146-48d2-9066-52e8d8f80a2f", "status": "experimental", "description": "Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND (CommandLine LIKE '%curl %' ESCAPE '\\' OR CommandLine LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR CommandLine LIKE '%iwr %' ESCAPE '\\' OR CommandLine LIKE '%wget %' ESCAPE '\\') AND (CommandLine LIKE '%://1%' ESCAPE '\\' OR CommandLine LIKE '%://2%' ESCAPE '\\' OR CommandLine LIKE '%://3%' ESCAPE '\\' OR CommandLine LIKE '%://4%' ESCAPE '\\' OR CommandLine LIKE '%://5%' ESCAPE '\\' OR CommandLine LIKE '%://6%' ESCAPE '\\' OR CommandLine LIKE '%://7%' ESCAPE '\\' OR CommandLine LIKE '%://8%' ESCAPE '\\' OR CommandLine LIKE '%://9%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_invoke_webrequest_direct_ip.yml" }, { "title": "Execution Of Non-Existing File", "id": "71158e3f-df67-472b-930e-7d287acaa3e1", "status": "experimental", "description": "Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)", "author": "Max Altgelt (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NOT (NewProcessName LIKE '%\\\\%' ESCAPE '\\') AND NOT ((NewProcessName = '') OR (NewProcessName IN ('-', '')) OR (NewProcessName IN ('System', 'Registry', 'MemCompression', 'vmmem') OR CommandLine IN ('Registry', 'MemCompression', 'vmmem'))))" ], "filename": "proc_creation_win_susp_image_missing.yml" }, { "title": "Run Once Task Execution as Configured in Registry", "id": "198effb6-6c98-4d0c-9ea3-451fa143c45c", "status": "test", "description": "This rule detects the execution of Run Once task as configured in the registry", "author": "Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\runonce.exe' ESCAPE '\\' OR Description = 'Run Once Wrapper') AND (CommandLine LIKE '%/AlternateShellStartup%' ESCAPE '\\' OR CommandLine LIKE '%/r' ESCAPE '\\'))" ], "filename": "proc_creation_win_runonce_execution.yml" }, { "title": "Visual Studio NodejsTools PressAnyKey Renamed Execution", "id": "65c3ca2c-525f-4ced-968e-246a713d164f", "status": "test", "description": "Detects renamed execution of \"Microsoft.NodejsTools.PressAnyKey.exe\", which can be abused as a LOLBIN to execute arbitrary binaries", "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'Microsoft.NodejsTools.PressAnyKey.exe' AND NOT ((NewProcessName LIKE '%\\\\Microsoft.NodejsTools.PressAnyKey.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_renamed_pressanykey.yml" }, { "title": "PowerShell Base64 Encoded WMI Classes", "id": "1816994b-42e1-4fb1-afd2-134d88184f71", "status": "experimental", "description": "Detects calls to base64 encoded WMI class such as \"Win32_Shadowcopy\", \"Win32_ScheduledJob\", etc.", "author": "Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') OR OriginalFileName IN ('PowerShell.EXE', 'pwsh.dll')) AND ((CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQ%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5A%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2hhZG93Y29we%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NoYWRvd2NvcH%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TaGFkb3djb3B5%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUwBjAGgAZQBkAHUAbABlAGQASgBvAGIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFMAYwBoAGUAZAB1AGwAZQBkAEoAbwBiA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBTAGMAaABlAGQAdQBsAGUAZABKAG8AYg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfU2NoZWR1bGVkSm9i%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1NjaGVkdWxlZEpvY%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9TY2hlZHVsZWRKb2%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AUAByAG8AYwBlAHMAcw%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfUHJvY2Vzc%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1Byb2Nlc3%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Qcm9jZXNz%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8AVQBzAGUAcgBBAGMAYwBvAHUAbgB0A%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAFUAcwBlAHIAQQBjAGMAbwB1AG4AdA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBVAHMAZQByAEEAYwBjAG8AdQBuAHQA%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfVXNlckFjY291bn%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX1VzZXJBY2NvdW50%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Vc2VyQWNjb3Vud%' ESCAPE '\\') OR (CommandLine LIKE '%VwBpAG4AMwAyAF8ATABvAGcAZwBlAGQATwBuAFUAcwBlAHIA%' ESCAPE '\\' OR CommandLine LIKE '%cAaQBuADMAMgBfAEwAbwBnAGcAZQBkAE8AbgBVAHMAZQByA%' ESCAPE '\\' OR CommandLine LIKE '%XAGkAbgAzADIAXwBMAG8AZwBnAGUAZABPAG4AVQBzAGUAcg%' ESCAPE '\\' OR CommandLine LIKE '%V2luMzJfTG9nZ2VkT25Vc2Vy%' ESCAPE '\\' OR CommandLine LIKE '%dpbjMyX0xvZ2dlZE9uVXNlc%' ESCAPE '\\' OR CommandLine LIKE '%XaW4zMl9Mb2dnZWRPblVzZX%' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_base64_wmi_classes.yml" }, { "title": "Execution of Powershell Script in Public Folder", "id": "fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4", "status": "experimental", "description": "This rule detects execution of PowerShell scripts located in the \"C:\\Users\\Public\" folder", "author": "Max Altgelt (Nextron Systems)", "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%-f C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-f \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fi C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fi \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-fil C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-fil \\%Public\\%%' ESCAPE '\\' OR CommandLine LIKE '%-file C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \"C:\\\\Users\\\\Public%' ESCAPE '\\' OR CommandLine LIKE '%-file \\%Public\\%%' ESCAPE '\\'))" ], "filename": "proc_creation_win_powershell_public_folder.yml" }, { "title": "WebDav Client Execution", "id": "2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5", "status": "test", "description": "Detects \"svchost.exe\" spawning \"rundll32.exe\" with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie.\nThis could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).\n", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.exfiltration", "attack.t1048.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND CommandLine LIKE '%C:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie%' ESCAPE '\\')" ], "filename": "proc_creation_win_rundll32_webdav_client_execution.yml" }, { "title": "Suspicious New Instance Of An Office COM Object", "id": "9bdaf1e9-fdef-443b-8081-4341b74a7e28", "status": "experimental", "description": "Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc.\nThis can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion" ], "falsepositives": [ "Legitimate usage of office automation via scripting" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_office_svchost_parent.yml" }, { "title": "Rundll32 Execution Without DLL File", "id": "c3a99af4-35a9-4668-879e-c09aeb4f2bdf", "status": "experimental", "description": "Detects the execution of rundll32 with a command line that doesn't contain a .dll file", "author": "Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE') AND NOT ((CommandLine = '') OR (CommandLine LIKE '%.dll%' ESCAPE '\\' OR CommandLine = '') OR (CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe C:\\\\Windows\\\\system32\\\\inetcpl.cpl,ClearMyTracksByProcess%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND CommandLine LIKE '%.cpl%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' AND ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\MsiExec.exe -Embedding%' ESCAPE '\\') OR (ParentProcessName LIKE '%:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% C:\\\\Program Files\\\\SplunkUniversalForwarder\\\\%' ESCAPE '\\') OR (CommandLine LIKE '% -localserver %' ESCAPE '\\') OR (ParentCommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mcmscins.dll\",DllUninstallFunction %' ESCAPE '\\' OR CommandLine LIKE 'C:\\\\Windows\\\\system32\\\\rundll32.exe\" /uninstall /longpath \"C:\\\\Program Files\\\\McAfee\\\\MSC\\\\mscrem.inf%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\setup.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%\\\\setup.exe\" --install-archive=\"C:\\\\Users\\\\%' ESCAPE '\\') OR (CommandLine LIKE '%C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND CommandLine LIKE '%.tmp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\' AND CommandLine LIKE '%Avira.OE.Setup%' ESCAPE '\\')))" ], "filename": "proc_creation_win_rundll32_executable_invalid_extension.yml" }, { "title": "Dropping Of Password Filter DLL", "id": "b7966f4a-b333-455b-8370-8ca53c229762", "status": "test", "description": "Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS", "author": "Sreeman", "tags": [ "attack.credential_access", "attack.t1556.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Lsa%' ESCAPE '\\' AND CommandLine LIKE '%scecli\\\\0%' ESCAPE '\\' AND CommandLine LIKE '%reg add%' ESCAPE '\\')" ], "filename": "proc_creation_win_reg_credential_access_via_password_filter.yml" }, { "title": "Network Reconnaissance Activity", "id": "e6313acd-208c-44fc-a0ff-db85d572e90e", "status": "test", "description": "Detects a set of suspicious network related commands often used in recon stages", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1087", "attack.t1082", "car.2016-03-001" ], "falsepositives": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%nslookup%' ESCAPE '\\' AND CommandLine LIKE '%\\_ldap.\\_tcp.dc.\\_msdcs.%' ESCAPE '\\')" ], "filename": "proc_creation_win_nslookup_domain_discovery.yml" }, { "title": "Manage Engine Java Suspicious Sub Process", "id": "cea2b7ea-792b-405f-95a1-b903ea06458f", "status": "experimental", "description": "Detects suspicious sub processes started by the Manage Engine ServiceDesk Plus Java web service process", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Legitimate sub processes started by Manage Engine ServiceDesk Pro" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\ManageEngine\\\\ServiceDesk\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\java.exe%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mftrace.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppVLP.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '% stop%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_manageengine_pattern.yml" }, { "title": "Microsoft IIS Connection Strings Decryption", "id": "97dbf6e2-e436-44d8-abee-4261b24d3e41", "status": "experimental", "description": "Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "author": "Tim Rauch", "tags": [ "attack.credential_access", "attack.t1003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\aspnet\\_regiis.exe' ESCAPE '\\' OR OriginalFileName LIKE 'aspnet\\_regiis.exe' ESCAPE '\\') AND (CommandLine LIKE '%connectionStrings%' ESCAPE '\\' AND CommandLine LIKE '% -pdf%' ESCAPE '\\'))" ], "filename": "proc_creation_win_iis_connection_strings_decryption.yml" }, { "title": "Lolbin Unregmp2.exe Use As Proxy", "id": "727454c0-d851-48b0-8b89-385611ab0704", "status": "experimental", "description": "Detect usage of the \"unregmp2.exe\" binary as a proxy to launch a custom version of \"wmpnscfg.exe\"", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\unregmp2.exe' ESCAPE '\\' OR OriginalFileName = 'unregmp2.exe') AND CommandLine LIKE '% /HideWMP%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_unregmp2.yml" }, { "title": "HackTool - SharpUp PrivEsc Tool Execution", "id": "c484e533-ee16-4a93-b6ac-f0ea4868b2f1", "status": "experimental", "description": "Detects the use of SharpUp, a tool for local privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1615", "attack.t1569.002", "attack.t1574.005" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\SharpUp.exe' ESCAPE '\\' OR Description = 'SharpUp' OR (CommandLine LIKE '%HijackablePaths%' ESCAPE '\\' OR CommandLine LIKE '%UnquotedServicePath%' ESCAPE '\\' OR CommandLine LIKE '%ProcessDLLHijack%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableServiceBinaries%' ESCAPE '\\' OR CommandLine LIKE '%ModifiableScheduledTask%' ESCAPE '\\' OR CommandLine LIKE '%DomainGPPPassword%' ESCAPE '\\' OR CommandLine LIKE '%CachedGPPPassword%' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_sharpup.yml" }, { "title": "Suspicious Add User to Remote Desktop Users Group", "id": "ffa28e60-bdb1-46e0-9f82-05f7a61cc06e", "status": "experimental", "description": "Detects suspicious command line in which a user gets added to the local Remote Desktop Users group", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.lateral_movement", "attack.t1133", "attack.t1136.001", "attack.t1021.001" ], "falsepositives": [ "Administrative activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%localgroup %' ESCAPE '\\' AND CommandLine LIKE '% /add%' ESCAPE '\\') OR (CommandLine LIKE '%Add-LocalGroupMember %' ESCAPE '\\' AND CommandLine LIKE '% -Group %' ESCAPE '\\')) AND (CommandLine LIKE '%Remote Desktop Users%' ESCAPE '\\' OR CommandLine LIKE '%Utilisateurs du Bureau à distance%' ESCAPE '\\' OR CommandLine LIKE '%Usuarios de escritorio remoto%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_add_user_remote_desktop_group.yml" }, { "title": "Verclsid.exe Runs COM Object", "id": "d06be4b9-8045-428b-a567-740a26d9db25", "status": "test", "description": "Detects when verclsid.exe is used to run COM object via GUID", "author": "Victor Sergeev, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\verclsid.exe' ESCAPE '\\' OR OriginalFileName = 'verclsid.exe') AND (CommandLine LIKE '%/S%' ESCAPE '\\' AND CommandLine LIKE '%/C%' ESCAPE '\\'))" ], "filename": "proc_creation_win_verclsid_runs_com.yml" }, { "title": "Potential Commandline Obfuscation Using Unicode Characters", "id": "e0552b19-5a83-4222-b141-b36184bb8d79", "status": "test", "description": "Detects potential commandline obfuscation using unicode characters.\nAdversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.\n", "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%ˣ%' ESCAPE '\\' OR CommandLine LIKE '%˪%' ESCAPE '\\' OR CommandLine LIKE '%ˢ%' ESCAPE '\\') OR (CommandLine LIKE '%∕%' ESCAPE '\\' OR CommandLine LIKE '%⁄%' ESCAPE '\\') OR (CommandLine LIKE '%―%' ESCAPE '\\' OR CommandLine LIKE '%—%' ESCAPE '\\') OR (CommandLine LIKE '%â%' ESCAPE '\\' OR CommandLine LIKE '%€%' ESCAPE '\\' OR CommandLine LIKE '%£%' ESCAPE '\\' OR CommandLine LIKE '%¯%' ESCAPE '\\' OR CommandLine LIKE '%®%' ESCAPE '\\' OR CommandLine LIKE '%µ%' ESCAPE '\\' OR CommandLine LIKE '%¶%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_cli_obfuscation_unicode.yml" }, { "title": "Local Accounts Discovery", "id": "502b42de-4306-40b4-9596-6f590c81f073", "status": "test", "description": "Local accounts, System Owner/User discovery using operating systems utilities", "author": "Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.discovery", "attack.t1033", "attack.t1087.001" ], "falsepositives": [ "Legitimate administrator or user enumerates local users for legitimate reason" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '% /c%' ESCAPE '\\' AND CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '%\\\\Users\\\\%' ESCAPE '\\') AND NOT (CommandLine LIKE '% rmdir %' ESCAPE '\\')) OR (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') AND CommandLine LIKE '%user%' ESCAPE '\\') AND NOT ((CommandLine LIKE '%/domain%' ESCAPE '\\' OR CommandLine LIKE '%/add%' ESCAPE '\\' OR CommandLine LIKE '%/delete%' ESCAPE '\\' OR CommandLine LIKE '%/active%' ESCAPE '\\' OR CommandLine LIKE '%/expires%' ESCAPE '\\' OR CommandLine LIKE '%/passwordreq%' ESCAPE '\\' OR CommandLine LIKE '%/scriptpath%' ESCAPE '\\' OR CommandLine LIKE '%/times%' ESCAPE '\\' OR CommandLine LIKE '%/workstations%' ESCAPE '\\'))) OR (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\quser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qwinsta.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '%useraccount%' ESCAPE '\\' AND CommandLine LIKE '%get%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\cmdkey.exe' ESCAPE '\\' AND CommandLine LIKE '% /l%' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_local_system_owner_account_discovery.yml" }, { "title": "Potential Suspicious Activity Using SeCEdit", "id": "c2c76b77-32be-4d1f-82c9-7e544bdfe0eb", "status": "experimental", "description": "Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy", "author": "Janantha Marasinghe", "tags": [ "attack.discovery", "attack.persistence", "attack.defense_evasion", "attack.credential_access", "attack.privilege_escalation", "attack.t1562.002", "attack.t1547.001", "attack.t1505.005", "attack.t1556.002", "attack.t1562", "attack.t1574.007", "attack.t1564.002", "attack.t1546.008", "attack.t1546.007", "attack.t1547.014", "attack.t1547.010", "attack.t1547.002", "attack.t1557", "attack.t1082" ], "falsepositives": [ "Legitimate administrative use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\secedit.exe' ESCAPE '\\' OR OriginalFileName = 'SeCEdit') AND ((CommandLine LIKE '%/export%' ESCAPE '\\' AND CommandLine LIKE '%/cfg%' ESCAPE '\\') OR (CommandLine LIKE '%/configure%' ESCAPE '\\' AND CommandLine LIKE '%/db%' ESCAPE '\\')))" ], "filename": "proc_creation_win_secedit_execution.yml" }, { "title": "Gpresult Display Group Policy Information", "id": "e56d3073-83ff-4021-90fe-c658e0709e72", "status": "experimental", "description": "Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information", "author": "frack113", "tags": [ "attack.discovery", "attack.t1615" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\gpresult.exe' ESCAPE '\\' AND (CommandLine LIKE '%/z%' ESCAPE '\\' OR CommandLine LIKE '%/v%' ESCAPE '\\'))" ], "filename": "proc_creation_win_gpresult_execution.yml" }, { "title": "Service Registry Key Deleted Via Reg.EXE", "id": "05b2aa93-1210-42c8-8d9a-2fcc13b284f5", "status": "experimental", "description": "Detects execution of \"reg.exe\" commands with the \"delete\" flag on services registry key. Often used by attacker to remove AV software services", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%reg.exe' ESCAPE '\\' OR OriginalFileName = 'reg.exe') AND CommandLine LIKE '% delete %' ESCAPE '\\' AND CommandLine LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\%' ESCAPE '\\')" ], "filename": "proc_creation_win_reg_delete_services.yml" }, { "title": "Potential MSTSC Shadowing Activity", "id": "6ba5a05f-b095-4f0a-8654-b825f4f16334", "status": "test", "description": "Detects RDP session hijacking by using MSTSC shadowing", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.lateral_movement", "attack.t1563.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%noconsentprompt%' ESCAPE '\\' AND CommandLine LIKE '%shadow:%' ESCAPE '\\')" ], "filename": "proc_creation_win_mstsc_rdp_hijack_shadowing.yml" }, { "title": "Local Groups Reconnaissance Via Wmic.EXE", "id": "164eda96-11b2-430b-85ff-6a265c15bf32", "status": "experimental", "description": "Detects the execution of \"wmic\" with the \"group\" flag.\nAdversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", "author": "frack113", "tags": [ "attack.discovery", "attack.t1069.001" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR OriginalFileName = 'wmic.exe') AND CommandLine LIKE '% group%' ESCAPE '\\')" ], "filename": "proc_creation_win_wmic_recon_group.yml" }, { "title": "Suspicious TSCON Start as SYSTEM", "id": "9847f263-4a81-424f-970c-875dab15b79b", "status": "experimental", "description": "Detects a tscon.exe start as LOCAL SYSTEM", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\tscon.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_tscon_localsystem.yml" }, { "title": "Execution via stordiag.exe", "id": "961e0abb-1b1e-4c84-a453-aafe56ad0d34", "status": "test", "description": "Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe", "author": "Austin Songer (@austinsonger)", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Legitimate usage of stordiag.exe." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\stordiag.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fltmc.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'c:\\\\windows\\\\system32\\\\%' ESCAPE '\\' OR ParentProcessName LIKE 'c:\\\\windows\\\\syswow64\\\\%' ESCAPE '\\')))" ], "filename": "proc_creation_win_stordiag_susp_child_process.yml" }, { "title": "PUA - Crassus Execution", "id": "2c32b543-1058-4808-91c6-5b31b8bed6c5", "status": "experimental", "description": "Detects Crassus a windows privilege escalation discovery tool based on PE metadata characteristics.", "author": "pH-T (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1590.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\Crassus.exe' ESCAPE '\\' OR OriginalFileName = 'Crassus.exe' OR Description LIKE '%Crassus%' ESCAPE '\\'))" ], "filename": "proc_creation_win_pua_crassus.yml" }, { "title": "HackTool - SharpLdapWhoami Execution", "id": "d9367cbb-c2e0-47ce-bdc0-128cb6da898d", "status": "experimental", "description": "Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1033", "car.2016-03-001" ], "falsepositives": [ "Programs that use the same command line flags" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\SharpLdapWhoami.exe' ESCAPE '\\' OR OriginalFileName LIKE '%SharpLdapWhoami%' ESCAPE '\\' OR Product = 'SharpLdapWhoami' OR (CommandLine LIKE '% /method:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /method:kerb' ESCAPE '\\' OR CommandLine LIKE '% /method:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:nego' ESCAPE '\\' OR CommandLine LIKE '% /m:ntlm' ESCAPE '\\' OR CommandLine LIKE '% /m:kerb' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_sharpldapwhoami.yml" }, { "title": "Share And Session Enumeration Using Net.EXE", "id": "62510e69-616b-4078-b371-847da438cc03", "status": "stable", "description": "Detects attempts to enumerate file shares, printer shares and sessions using \"net.exe\" with the \"view\" flag.", "author": "Endgame, JHasenbusch (ported for oscd.community)", "tags": [ "attack.discovery", "attack.t1018" ], "falsepositives": [ "Legitimate use of net.exe utility by legitimate user" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND CommandLine LIKE '%view%' ESCAPE '\\') AND NOT (CommandLine LIKE '%\\\\\\\\\\*' ESCAPE '\\'))" ], "filename": "proc_creation_win_net_share_and_sessions_enum.yml" }, { "title": "Script Interpreter Execution From Suspicious Folder", "id": "1228c958-e64e-4e71-92ad-7d429f4138ba", "status": "test", "description": "Detects a suspicious script executions in temporary folders or folders accessible by environment variables", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\') OR (CommandLine LIKE '% -w hidden %' ESCAPE '\\' OR CommandLine LIKE '% -ep bypass %' ESCAPE '\\' OR CommandLine LIKE '%/e:vbscript %' ESCAPE '\\' OR CommandLine LIKE '%/e:javascript %' ESCAPE '\\') OR OriginalFileName IN ('powershell.exe', 'pwsh.dll', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe')) AND (NewProcessName LIKE '%\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_script_exec_from_env_folder.yml" }, { "title": "Winrar Execution in Non-Standard Folder", "id": "4ede543c-e098-43d9-a28f-dd784a13132f", "status": "test", "description": "Detects a suspicious winrar execution in a folder which is not the default installation folder", "author": "Florian Roth (Nextron Systems), Tigzy", "tags": [ "attack.collection", "attack.t1560.001" ], "falsepositives": [ "Legitimate use of WinRAR in a folder of a software that bundles WinRAR" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrar.exe' ESCAPE '\\') OR Description = 'Command line RAR') AND NOT ((NewProcessName LIKE '%\\\\WinRAR%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Temp%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\UnRAR.exe%' ESCAPE '\\')))" ], "filename": "proc_creation_win_winrar_execution.yml" }, { "title": "Indirect Command Execution By Program Compatibility Wizard", "id": "b97cd4b1-30b8-4a9d-bd72-6293928d52bc", "status": "test", "description": "Detect indirect command execution via Program Compatibility Assistant pcwrun.exe", "author": "A. Sungurov , oscd.community", "tags": [ "attack.defense_evasion", "attack.t1218", "attack.execution" ], "falsepositives": [ "Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts", "Legit usage of scripts" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_pcwrun.yml" }, { "title": "Use of Wfc.exe", "id": "49be8799-7b4d-4fda-ad23-cafbefdebbc5", "status": "experimental", "description": "The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.", "author": "Christopher Peacock @SecurePeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", "attack.t1127" ], "falsepositives": [ "Legitimate use by a software developer" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\wfc.exe' ESCAPE '\\' OR OriginalFileName = 'wfc.exe'))" ], "filename": "proc_creation_win_lolbin_wfc.yml" }, { "title": "HackTool - Stracciatella Execution", "id": "7a4d9232-92fc-404d-8ce1-4c92e7caf539", "status": "experimental", "description": "Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.", "author": "pH-T (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1059", "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\Stracciatella.exe' ESCAPE '\\' OR OriginalFileName = 'Stracciatella.exe' OR Description = 'Stracciatella' OR (Hashes LIKE '%SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a%' ESCAPE '\\') OR sha256 IN ('9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956', 'fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a')))" ], "filename": "proc_creation_win_hktl_stracciatella_execution.yml" }, { "title": "Arbitrary Binary Execution Using GUP Utility", "id": "d65aee4d-2292-4cea-b832-83accd6cfa43", "status": "experimental", "description": "Detects execution of the Notepad++ updater (gup) to launch other commands or executables", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Other parent binaries using GUP not currently identified" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\gup.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\Notepad++\\\\notepad++.exe%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\Notepad++\\\\updater\\\\%' ESCAPE '\\') OR (CommandLine = '')))" ], "filename": "proc_creation_win_gup_arbitrary_binary_execution.yml" }, { "title": "PUA- IOX Tunneling Tool Execution", "id": "d7654f02-e04b-4934-9838-65c46f187ebc", "status": "experimental", "description": "Detects the use of IOX - a tool for port forwarding and intranet proxy purposes", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1090" ], "falsepositives": [ "Legitimate use" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\iox.exe' ESCAPE '\\' OR (CommandLine LIKE '%.exe fwd -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe fwd -r %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -l %' ESCAPE '\\' OR CommandLine LIKE '%.exe proxy -r %' ESCAPE '\\') OR (Hashes LIKE '%MD5=9DB2D314DD3F704A02051EF5EA210993%' ESCAPE '\\' OR Hashes LIKE '%SHA1=039130337E28A6623ECF9A0A3DA7D92C5964D8DD%' ESCAPE '\\' OR Hashes LIKE '%SHA256=C6CF82919B809967D9D90EA73772A8AA1C1EB3BC59252D977500F64F1A0D6731%' ESCAPE '\\') OR md5 = '9db2d314dd3f704a02051ef5ea210993' OR sha1 = '039130337e28a6623ecf9a0a3da7d92c5964d8dd' OR sha256 = 'c6cf82919b809967d9d90ea73772a8aa1c1eb3bc59252d977500f64f1a0d6731'))" ], "filename": "proc_creation_win_pua_iox.yml" }, { "title": "Firewall Rule Deleted Via Netsh.EXE", "id": "1a5fefe6-734f-452e-a07d-fc1c35bce4b2", "status": "experimental", "description": "Detects the removal of a port or application rule in the Windows Firewall configuration using netsh", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.004" ], "falsepositives": [ "Legitimate administration activity", "Software installations and removal" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%delete %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND CommandLine LIKE '%name=Dropbox%' ESCAPE '\\'))" ], "filename": "proc_creation_win_netsh_fw_delete_rule.yml" }, { "title": "Python Inline Command Execution", "id": "899133d5-4d7c-4a7f-94ee-27355c879d90", "status": "experimental", "description": "Detects execution of python using the \"-c\" flag. This is could be used as a way to launch a reverse shell or execute live python code.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Python libraries that use a flag starting with \"-c\". Filter according to your environment" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((OriginalFileName = 'python.exe' OR (NewProcessName LIKE '%python.exe' ESCAPE '\\' OR NewProcessName LIKE '%python3.exe' ESCAPE '\\' OR NewProcessName LIKE '%python2.exe' ESCAPE '\\')) AND CommandLine LIKE '% -c%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Python%' ESCAPE '\\' AND ParentProcessName LIKE '%\\\\python.exe' ESCAPE '\\' AND ParentCommandLine LIKE '%-E -s -m ensurepip -U --default-pip%' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_python_inline_command_execution.yml" }, { "title": "Abusing Findstr for Defense Evasion", "id": "bf6c39fc-e203-45b9-9538-05397c1b4f3f", "status": "test", "description": "Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism", "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1218", "attack.t1564.004", "attack.t1552.001", "attack.t1105" ], "falsepositives": [ "Administrative findstr usage" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%findstr%' ESCAPE '\\' OR NewProcessName LIKE '%findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (((CommandLine LIKE '% /v %' ESCAPE '\\' OR CommandLine LIKE '% -v %' ESCAPE '\\') AND (CommandLine LIKE '% /l %' ESCAPE '\\' OR CommandLine LIKE '% -l %' ESCAPE '\\')) OR ((CommandLine LIKE '% /s %' ESCAPE '\\' OR CommandLine LIKE '% -s %' ESCAPE '\\') AND (CommandLine LIKE '% /i %' ESCAPE '\\' OR CommandLine LIKE '% -i %' ESCAPE '\\'))))" ], "filename": "proc_creation_win_lolbin_findstr.yml" }, { "title": "Suspicious Active Directory Database Snapshot Via ADExplorer", "id": "ef61af62-bc74-4f58-b49b-626448227652", "status": "experimental", "description": "Detects the execution of Sysinternals ADExplorer with the \"-snapshot\" flag in order to save a local copy of the active directory database to a suspicious directory.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1552.001", "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR OriginalFileName = 'AdExp') AND CommandLine LIKE '%snapshot%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_sysinternals_adexplorer_susp_execution.yml" }, { "title": "Capture Credentials with Rpcping.exe", "id": "93671f99-04eb-4ab4-a161-70d446a84003", "status": "test", "description": "Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.", "author": "Julia Fomina, oscd.community", "tags": [ "attack.credential_access", "attack.t1003" ], "falsepositives": [ "Unlikely" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\rpcping.exe' ESCAPE '\\' AND (CommandLine LIKE '%-s%' ESCAPE '\\' OR CommandLine LIKE '%/s%' ESCAPE '\\')) AND ((CommandLine LIKE '%-u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%/u%' ESCAPE '\\' AND CommandLine LIKE '%NTLM%' ESCAPE '\\') OR (CommandLine LIKE '%-t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\') OR (CommandLine LIKE '%/t%' ESCAPE '\\' AND CommandLine LIKE '%ncacn\\_np%' ESCAPE '\\')))" ], "filename": "proc_creation_win_rpcping_credential_capture.yml" }, { "title": "Curl.EXE Execution", "id": "bbeaed61-1990-4773-bf57-b81dbad7db2d", "status": "test", "description": "Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Scripts created by developers and admins", "Administrative activity" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR Product = 'The curl executable'))" ], "filename": "proc_creation_win_curl_execution.yml" }, { "title": "Whoami Utility Execution", "id": "e28a5a99-da44-436d-b7a0-2afc20a5f413", "status": "test", "description": "Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1033", "car.2016-03-001" ], "falsepositives": [ "Admin activity", "Scripts and administrative tools used in the monitored environment", "Monitoring activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR OriginalFileName = 'whoami.exe'))" ], "filename": "proc_creation_win_whoami_execution.yml" }, { "title": "Ping Hex IP", "id": "1a0d4aba-7668-4365-9ce4-6d79ab088dfd", "status": "test", "description": "Detects a ping command that uses a hex encoded IP address", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1140", "attack.t1027" ], "falsepositives": [ "Unlikely, because no sane admin pings IP addresses in a hexadecimal form" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' AND CommandLine LIKE '%0x%' ESCAPE '\\')" ], "filename": "proc_creation_win_ping_hex_ip.yml" }, { "title": "Use of Pcalua For Execution", "id": "0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2", "status": "experimental", "description": "Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.", "author": "Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Legitimate use by a via a batch script or by an administrator." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\pcalua.exe' ESCAPE '\\' AND CommandLine LIKE '% -a%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_pcalua.yml" }, { "title": "Suspicious Mstsc.EXE Execution With Local RDP File", "id": "6e22722b-dfb1-4508-a911-49ac840b40f8", "status": "experimental", "description": "Detects potential RDP connection via Mstsc using a local \".rdp\" file located in suspicious locations.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Likelihood is related to how often the paths are used in the environment" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR OriginalFileName = 'mstsc.exe') AND (CommandLine LIKE '%.rdp' ESCAPE '\\' OR CommandLine LIKE '%.rdp\"' ESCAPE '\\') AND (CommandLine LIKE '%:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\System32\\\\Tasks\\_Migrated %' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%:\\\\Windows\\\\Tracing\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Downloads\\\\%' ESCAPE '\\'))" ], "filename": "proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" }, { "title": "Netsh Allow Group Policy on Microsoft Defender Firewall", "id": "347906f3-e207-4d18-ae5b-a9403d6bcdef", "status": "test", "description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.004" ], "falsepositives": [ "Legitimate administration activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND (CommandLine LIKE '%advfirewall%' ESCAPE '\\' AND CommandLine LIKE '%firewall%' ESCAPE '\\' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%rule%' ESCAPE '\\' AND CommandLine LIKE '%group=%' ESCAPE '\\' AND CommandLine LIKE '%new%' ESCAPE '\\' AND CommandLine LIKE '%enable=Yes%' ESCAPE '\\'))" ], "filename": "proc_creation_win_netsh_fw_enable_group_rule.yml" }, { "title": "HH.EXE Execution", "id": "68c8acb4-1b60-4890-8e82-3ddf7a6dba84", "status": "test", "description": "Detects the usage of \"hh.exe\" to execute \".chm\" files.", "author": "E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community", "tags": [ "attack.defense_evasion", "attack.t1218.001" ], "falsepositives": [ "False positives are expected with legitimate \".CHM\"" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'HH.exe' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND CommandLine LIKE '%.chm%' ESCAPE '\\')" ], "filename": "proc_creation_win_hh_chm_execution.yml" }, { "title": "Suspicious Extrac32 Alternate Data Stream Execution", "id": "4b13db67-0c45-40f1-aba8-66a1a7198a1e", "status": "test", "description": "Extract data from cab file and hide it in an alternate data stream", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%extrac32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.cab%' ESCAPE '\\' AND CommandLine REGEXP ':[^\\\\]')" ], "filename": "proc_creation_win_lolbin_extrac32_ads.yml" }, { "title": "File Download Using Notepad++ GUP Utility", "id": "44143844-0631-49ab-97a0-96387d6b2d7c", "status": "experimental", "description": "Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Other parent processes other than notepad++ using GUP that are not currently identified" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\GUP.exe' ESCAPE '\\' OR OriginalFileName = 'gup.exe') AND (CommandLine LIKE '% -unzipTo %' ESCAPE '\\' AND CommandLine LIKE '%http%' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\notepad++.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_gup_download.yml" }, { "title": "VolumeShadowCopy Symlink Creation Via Mklink", "id": "40b19fa6-d835-400c-b301-41f3a2baacaf", "status": "stable", "description": "Shadow Copies storage symbolic link creation using operating systems utilities", "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ "attack.credential_access", "attack.t1003.002", "attack.t1003.003" ], "falsepositives": [ "Legitimate administrator working with shadow copies, access for backup purposes" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%mklink%' ESCAPE '\\' AND CommandLine LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], "filename": "proc_creation_win_cmd_mklink_shadow_copies_access_symlink.yml" }, { "title": "HackTool - Empire PowerShell Launch Parameters", "id": "79f4ede3-402e-41c8-bc3e-ebbf5f162581", "status": "test", "description": "Detects suspicious powershell command line parameters used in Empire", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Other tools that incidentally use the same command line parameters" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -NoP -sta -NonI -W Hidden -Enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc %' ESCAPE '\\' OR CommandLine LIKE '% -NoP -NonI -W Hidden -enc %' ESCAPE '\\' OR CommandLine LIKE '% -noP -sta -w 1 -enc%' ESCAPE '\\' OR CommandLine LIKE '% -enc SQB%' ESCAPE '\\' OR CommandLine LIKE '% -nop -exec bypass -EncodedCommand %' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_empire_powershell_launch.yml" }, { "title": "Uninstall Sysinternals Sysmon", "id": "6a5f68d1-c4b5-46b9-94ee-5324892ea939", "status": "test", "description": "Detects the removal of Sysmon, which could be a potential attempt at defense evasion", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate administrators might use this command to remove Sysmon for debugging purposes" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Sysmon.exe' ESCAPE '\\') OR Description = 'System activity monitor') AND (CommandLine LIKE '%-u%' ESCAPE '\\' OR CommandLine LIKE '%/u%' ESCAPE '\\'))" ], "filename": "proc_creation_win_sysinternals_sysmon_uninstall.yml" }, { "title": "Potential Recon Activity Via Nltest.EXE", "id": "5cc90652-4cbd-4241-aa3b-4b462fa5a248", "status": "experimental", "description": "Detects nltest commands that can be used for information discovery", "author": "Craig Young, oscd.community, Georg Lauenstein", "tags": [ "attack.discovery", "attack.t1016", "attack.t1482" ], "falsepositives": [ "Legitimate administration use but user and host must be investigated" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR OriginalFileName = 'nltestrk.exe') AND ((CommandLine LIKE '%/server%' ESCAPE '\\' AND CommandLine LIKE '%/query%' ESCAPE '\\') OR (CommandLine LIKE '%/dclist:%' ESCAPE '\\' OR CommandLine LIKE '%/parentdomain%' ESCAPE '\\' OR CommandLine LIKE '%/domain\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/all\\_trusts%' ESCAPE '\\' OR CommandLine LIKE '%/trusted\\_domains%' ESCAPE '\\' OR CommandLine LIKE '%/user%' ESCAPE '\\')))" ], "filename": "proc_creation_win_nltest_recon.yml" }, { "title": "Suspicious Regsvr32 Execution With Image Extension", "id": "089fc3d2-71e8-4763-a8a5-c97fbb0a403e", "status": "experimental", "description": "Detects the execution of REGSVR32.exe with DLL files masquerading as image files", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR OriginalFileName LIKE '\\\\REGSVR32.EXE' ESCAPE '\\') AND (CommandLine LIKE '%.bmp' ESCAPE '\\' OR CommandLine LIKE '%.cr2' ESCAPE '\\' OR CommandLine LIKE '%.eps' ESCAPE '\\' OR CommandLine LIKE '%.gif' ESCAPE '\\' OR CommandLine LIKE '%.ico' ESCAPE '\\' OR CommandLine LIKE '%.jpeg' ESCAPE '\\' OR CommandLine LIKE '%.jpg' ESCAPE '\\' OR CommandLine LIKE '%.nef' ESCAPE '\\' OR CommandLine LIKE '%.orf' ESCAPE '\\' OR CommandLine LIKE '%.png' ESCAPE '\\' OR CommandLine LIKE '%.raw' ESCAPE '\\' OR CommandLine LIKE '%.sr2' ESCAPE '\\' OR CommandLine LIKE '%.tif' ESCAPE '\\' OR CommandLine LIKE '%.tiff' ESCAPE '\\'))" ], "filename": "proc_creation_win_regsvr32_image.yml" }, { "title": "Unusual Parent Process For Cmd.EXE", "id": "4b991083-3d0e-44ce-8fc4-b254025d8d4b", "status": "experimental", "description": "Detects suspicious parent process for cmd.exe", "author": "Tim Rauch", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ctfmon.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\epad.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\FlashPlayerUpdateService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\GoogleUpdate.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jucheck.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\jusched.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\SIHClient.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\slui.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\sppsvc.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\unsecapp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wergmgr.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\WUDFHost.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_cmd_unusual_parent.yml" }, { "title": "Automated Collection Command Prompt", "id": "f576a613-2392-4067-9d1a-9345fb58d8d1", "status": "test", "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", "author": "frack113", "tags": [ "attack.collection", "attack.t1119", "attack.credential_access", "attack.t1552.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%.doc%' ESCAPE '\\' OR CommandLine LIKE '%.docx%' ESCAPE '\\' OR CommandLine LIKE '%.xls%' ESCAPE '\\' OR CommandLine LIKE '%.xlsx%' ESCAPE '\\' OR CommandLine LIKE '%.ppt%' ESCAPE '\\' OR CommandLine LIKE '%.pptx%' ESCAPE '\\' OR CommandLine LIKE '%.rtf%' ESCAPE '\\' OR CommandLine LIKE '%.pdf%' ESCAPE '\\' OR CommandLine LIKE '%.txt%' ESCAPE '\\') AND ((CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '% /b %' ESCAPE '\\' AND CommandLine LIKE '% /s %' ESCAPE '\\') OR (OriginalFileName = 'FINDSTR.EXE' AND (CommandLine LIKE '% /e %' ESCAPE '\\' OR CommandLine LIKE '% /si %' ESCAPE '\\'))))" ], "filename": "proc_creation_win_susp_automated_collection.yml" }, { "title": "Windows Admin Share Mount Via Net.EXE", "id": "3abd6094-7027-475f-9630-8ab9be7b9725", "status": "test", "description": "Detects when an admin share is mounted using net.exe", "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga", "tags": [ "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Administrators" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' AND CommandLine LIKE '% \\\\%\\\\%$%' ESCAPE '\\'))" ], "filename": "proc_creation_win_net_use_mount_admin_share.yml" }, { "title": "GfxDownloadWrapper.exe Downloads File from Suspicious URL", "id": "eee00933-a761-4cd0-be70-c42fe91731e7", "status": "test", "description": "Detects when GfxDownloadWrapper.exe downloads file from non standard URL", "author": "Victor Sergeev, oscd.community", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND NewProcessName LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' AND NOT (CommandLine LIKE '%gameplayapi.intel.com%' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\GfxDownloadWrapper.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\igfxEM.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml" }, { "title": "Detection of PowerShell Execution via Sqlps.exe", "id": "0152550d-3a26-4efd-9f0e-54a0b28ae2f3", "status": "test", "description": "This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server.\nScript blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.\n", "author": "Agro (@agro_sev) oscd.community", "tags": [ "attack.execution", "attack.t1059.001", "attack.defense_evasion", "attack.t1127" ], "falsepositives": [ "Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR ((NewProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR OriginalFileName = 'sqlps.exe') AND NOT (ParentProcessName LIKE '%\\\\sqlagent.exe' ESCAPE '\\'))))" ], "filename": "proc_creation_win_mssql_sqlps_susp_execution.yml" }, { "title": "Potential Credential Dumping Via WER", "id": "9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3", "status": "experimental", "description": "Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass", "author": "@pbssubhash , Nasreddine Bencherchali", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Windows Error Reporting might produce similar behavior. In that case, check the PID associated with the \"-p\" parameter in the CommandLine." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\Werfault.exe' ESCAPE '\\' OR OriginalFileName = 'WerFault.exe') AND ((ParentUser LIKE '%AUTHORI%' ESCAPE '\\' OR ParentUser LIKE '%AUTORI%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND CommandLine LIKE '% -u -p %' ESCAPE '\\' AND CommandLine LIKE '% -ip %' ESCAPE '\\' AND CommandLine LIKE '% -s %' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_werfault_lsass_shtinkering.yml" }, { "title": "Script Event Consumer Spawning Process", "id": "f6d1dd2f-b8ce-40ca-bc23-062efb686b34", "status": "experimental", "description": "Detects a suspicious child process of Script Event Consumer (scrcons.exe).", "author": "Sittikorn S", "tags": [ "attack.execution", "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_scrcons_susp_child_process.yml" }, { "title": "Potential DLL Sideloading Via DeviceEnroller.EXE", "id": "e173ad47-4388-4012-ae62-bd13f71c18a8", "status": "experimental", "description": "Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named \"ShellChromeAPI.dll\".\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", "author": "@gott_cyber", "tags": [ "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\deviceenroller.exe' ESCAPE '\\' OR OriginalFileName = 'deviceenroller.exe') AND CommandLine LIKE '%/PhoneDeepLink%' ESCAPE '\\')" ], "filename": "proc_creation_win_deviceenroller_dll_sideloading.yml" }, { "title": "Finger.exe Suspicious Invocation", "id": "af491bca-e752-4b44-9c86-df5680533dbc", "status": "experimental", "description": "Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays", "author": "Florian Roth (Nextron Systems), omkar72, oscd.community", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Admin activity (unclear what they do nowadays with finger.exe)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'finger.exe' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_finger_usage.yml" }, { "title": "Files Added To An Archive Using Rar.EXE", "id": "6f3e2987-db24-4c78-a860-b4f4095a7095", "status": "test", "description": "Detects usage of \"rar\" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", "author": "Timur Zinniatullin, E.M. Anhaus, oscd.community", "tags": [ "attack.collection", "attack.t1560.001" ], "falsepositives": [ "Highly likely if rar is a default archiver in the monitored environment." ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\rar.exe' ESCAPE '\\' AND CommandLine LIKE '% a %' ESCAPE '\\')" ], "filename": "proc_creation_win_rar_compress_data.yml" }, { "title": "New Port Forwarding Rule Added Via Netsh.EXX", "id": "322ed9ec-fcab-4f67-9a34-e7c6aef43614", "status": "test", "description": "Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule", "author": "Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel", "tags": [ "attack.lateral_movement", "attack.defense_evasion", "attack.command_and_control", "attack.t1090" ], "falsepositives": [ "Legitimate administration activity", "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR OriginalFileName = 'netsh.exe') AND ((CommandLine LIKE '%interface%' ESCAPE '\\' AND CommandLine LIKE '%portproxy%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%v4tov4%' ESCAPE '\\') OR (CommandLine LIKE '%i %' ESCAPE '\\' AND CommandLine LIKE '%p %' ESCAPE '\\' AND CommandLine LIKE '%a %' ESCAPE '\\' AND CommandLine LIKE '%v %' ESCAPE '\\') OR (CommandLine LIKE '%connectp%' ESCAPE '\\' AND CommandLine LIKE '%listena%' ESCAPE '\\' AND CommandLine LIKE '%c=%' ESCAPE '\\')))" ], "filename": "proc_creation_win_netsh_port_forwarding.yml" }, { "title": "Suspicious Plink Port Forwarding", "id": "48a61b29-389f-4032-b317-b30de6b95314", "status": "test", "description": "Detects suspicious Plink tunnel port forwarding to a local port", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1572", "attack.lateral_movement", "attack.t1021.001" ], "falsepositives": [ "Administrative activity using a remote port forwarding to a local port" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND Description = 'Command-line SSH, Telnet, and Rlogin client' AND CommandLine LIKE '% -R %' ESCAPE '\\')" ], "filename": "proc_creation_win_plink_port_forwarding.yml" }, { "title": "Suspicious Splwow64 Without Params", "id": "1f1a8509-2cbb-44f5-8751-8e1571518ce2", "status": "test", "description": "Detects suspicious Splwow64.exe process without any command line parameters", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\splwow64.exe' ESCAPE '\\' AND CommandLine LIKE '%splwow64.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_splwow64_cli_anomaly.yml" }, { "title": "HackTool - DInjector PowerShell Cradle Execution", "id": "d78b5d61-187d-44b6-bf02-93486a80de5a", "status": "test", "description": "Detects the use of the Dinject PowerShell cradle based on the specific flags", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1055" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '% /am51%' ESCAPE '\\' AND CommandLine LIKE '% /password%' ESCAPE '\\')" ], "filename": "proc_creation_win_hktl_dinjector.yml" }, { "title": "Regsvr32 Flags Anomaly", "id": "b236190c-1c61-41e9-84b3-3fe03f6d76b0", "status": "test", "description": "Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' AND CommandLine LIKE '% /i:%' ESCAPE '\\') AND NOT (CommandLine LIKE '% /n %' ESCAPE '\\'))" ], "filename": "proc_creation_win_regsvr32_flags_anomaly.yml" }, { "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms", "id": "24de4f3b-804c-4165-b442-5a06a2302c7e", "status": "experimental", "description": "The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create \"shortcuts\" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.", "author": "Sreeman", "tags": [ "attack.t1204", "attack.t1566.001", "attack.execution", "attack.initial_access" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%.SettingContent-ms%' ESCAPE '\\' AND NOT (CommandLine LIKE '%immersivecontrolpanel%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_arbitrary_shell_execution_via_settingcontent.yml" }, { "title": "Computer Password Change Via Ksetup.EXE", "id": "de16d92c-c446-4d53-8938-10aeef41c8b6", "status": "experimental", "description": "Detects password change for the computer's domain account or host principal via \"ksetup.exe\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\ksetup.exe' ESCAPE '\\' OR OriginalFileName = 'ksetup.exe') AND CommandLine LIKE '% /setcomputerpassword %' ESCAPE '\\')" ], "filename": "proc_creation_win_ksetup_password_change_computer.yml" }, { "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE", "id": "47e4bab7-c626-47dc-967b-255608c9a920", "status": "experimental", "description": "Detects usage of findstr with the \"EVERYONE\" or \"BUILTIN\" keywords. This is seen being used in combination with \"icacls\" to look for misconfigured files or folders permissions", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1552.006" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%\"Everyone\"%' ESCAPE '\\' OR CommandLine LIKE '%''Everyone''%' ESCAPE '\\' OR CommandLine LIKE '%\"BUILTIN\\\\\"%' ESCAPE '\\' OR CommandLine LIKE '%''BUILTIN\\\\''%' ESCAPE '\\')) OR (CommandLine LIKE '%icacls %' ESCAPE '\\' AND CommandLine LIKE '%findstr %' ESCAPE '\\' AND CommandLine LIKE '%Everyone%' ESCAPE '\\')))" ], "filename": "proc_creation_win_findstr_recon_everyone.yml" }, { "title": "Suspicious Scheduled Task Name As GUID", "id": "ff2fff64-4cd6-4a2b-ba7d-e28a30bbe66b", "status": "experimental", "description": "Detects creation of a scheduled task with a GUID like name", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1053.005" ], "falsepositives": [ "Legitimate software naming their tasks as GUIDs" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' AND CommandLine LIKE '%/Create %' ESCAPE '\\' AND (CommandLine LIKE '%/TN \"{%' ESCAPE '\\' OR CommandLine LIKE '%/TN ''{%' ESCAPE '\\' OR CommandLine LIKE '%/TN {%' ESCAPE '\\') AND (CommandLine LIKE '%}\"%' ESCAPE '\\' OR CommandLine LIKE '%}''%' ESCAPE '\\' OR CommandLine LIKE '%} %' ESCAPE '\\'))" ], "filename": "proc_creation_win_schtasks_guid_task_name.yml" }, { "title": "Suspicious Chromium Browser Instance Executed With Custom Extensions", "id": "27ba3207-dd30-4812-abbf-5d20c57d474e", "status": "experimental", "description": "Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start a instance with custom extensions", "author": "Aedan Russell, frack113, X__Junior (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1176" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') AND CommandLine LIKE '%--load-extension=%' ESCAPE '\\' AND CommandLine LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\')" ], "filename": "proc_creation_win_browsers_chromium_susp_load_extension.yml" }, { "title": "HackTool - SysmonEOP Execution", "id": "8a7e90c5-fe6e-45dc-889e-057fe4378bd9", "status": "experimental", "description": "Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120", "author": "Florian Roth (Nextron Systems)", "tags": [ "cve.2022.41120", "attack.t1068", "attack.privilege_escalation" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\SysmonEOP.exe' ESCAPE '\\' OR Hashes IN ('IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5', 'IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC') OR Imphash IN ('22f4089eb8aba31e1bb162c6d9bf72e5', '5123fa4c4384d431cd0d893eeb49bbec')))" ], "filename": "proc_creation_win_hktl_sysmoneop.yml" }, { "title": "Suspicious Service Binary Directory", "id": "883faa95-175a-4e22-8181-e5761aeb373c", "status": "test", "description": "Detects a service binary running in a suspicious directory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\$Recycle.bin%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') AND (ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_service_dir.yml" }, { "title": "Conhost Spawned By Uncommon Parent Process", "id": "cbb9e3d1-2386-4e59-912e-62f1484f7a89", "status": "experimental", "description": "Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.", "author": "Tim Rauch", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\conhost.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\services.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\')) AND NOT (((ParentCommandLine LIKE '%-k apphost -s AppHostSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k imgsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k localService -p -s RemoteRegistry%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k LocalSystemNetworkRestricted -p -s NgcSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetSvcs -p -s NcaSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s NetSetupSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k netsvcs -p -s wlidsvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k NetworkService -p -s DoSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s AppXSvc%' ESCAPE '\\' OR ParentCommandLine LIKE '%-k wsappx -p -s ClipSVC%' ESCAPE '\\')))) AND NOT (((ParentCommandLine LIKE '%C:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\' OR ParentCommandLine LIKE '%C:\\\\Program Files\\\\Dropbox\\\\Client\\\\%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_conhost_uncommon_parent.yml" }, { "title": "HackTool - F-Secure C3 Load by Rundll32", "id": "b18c9d4c-fac9-4708-bd06-dd5bfacf200f", "status": "test", "description": "F-Secure C3 produces DLLs with a default exported StartNodeRelay function.", "author": "Alfie Champion (ajpc500)", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%rundll32.exe%' ESCAPE '\\' AND CommandLine LIKE '%.dll%' ESCAPE '\\' AND CommandLine LIKE '%StartNodeRelay%' ESCAPE '\\')" ], "filename": "proc_creation_win_hktl_c3_rundll32_pattern.yml" }, { "title": "Suspicious Eventlog Clear or Configuration Change", "id": "cc36992a-4671-4f21-a91d-6c2b72a2edf5", "status": "stable", "description": "Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).", "author": "Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105", "tags": [ "attack.defense_evasion", "attack.t1070.001", "attack.t1562.002", "car.2016-04-002" ], "falsepositives": [ "Admin activity", "Scripts and administrative tools used in the monitored environment", "Maintenance activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' AND (CommandLine LIKE '%clear-log %' ESCAPE '\\' OR CommandLine LIKE '% cl %' ESCAPE '\\' OR CommandLine LIKE '%set-log %' ESCAPE '\\' OR CommandLine LIKE '% sl %' ESCAPE '\\' OR CommandLine LIKE '%lfn:%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '%Clear-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Remove-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Limit-EventLog %' ESCAPE '\\' OR CommandLine LIKE '%Clear-WinEvent %' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND CommandLine LIKE '% ClearEventLog %' ESCAPE '\\')) AND NOT (((ParentProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND CommandLine LIKE '% sl %' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_eventlog_clear.yml" }, { "title": "Windows Share Mount Via Net.EXE", "id": "f117933c-980c-4f78-b384-e3d838111165", "status": "experimental", "description": "Detects when a share is mounted using the \"net.exe\" utility", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Legitimate activity by administrators and scripts" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\') OR OriginalFileName IN ('net.exe', 'net1.exe')) AND (CommandLine LIKE '% use %' ESCAPE '\\' OR CommandLine LIKE '% \\\\\\\\\\*' ESCAPE '\\'))" ], "filename": "proc_creation_win_net_use_mount_share.yml" }, { "title": "Set Files as System Files Using Attrib.EXE", "id": "bb19e94c-59ae-4c15-8c12-c563d23fe52b", "status": "experimental", "description": "Detects the execution of \"attrib\" with the \"+s\" flag to mark files as system files", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\attrib.exe' ESCAPE '\\' OR OriginalFileName = 'ATTRIB.EXE') AND CommandLine LIKE '% +s %' ESCAPE '\\')" ], "filename": "proc_creation_win_attrib_system.yml" }, { "title": "PUA - Nmap/Zenmap Execution", "id": "f6ecd1cf-19b8-4488-97f6-00f0924991a3", "status": "test", "description": "Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", "author": "frack113", "tags": [ "attack.discovery", "attack.t1046" ], "falsepositives": [ "Network administrator computer" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\nmap.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\zennmap.exe' ESCAPE '\\') OR OriginalFileName IN ('nmap.exe', 'zennmap.exe')))" ], "filename": "proc_creation_win_pua_nmap_zenmap.yml" }, { "title": "OpenWith.exe Executes Specified Binary", "id": "cec8e918-30f7-4e2d-9bfa-a59cc97ae60f", "status": "test", "description": "The OpenWith.exe executes other binary", "author": "Beyu Denis, oscd.community (rule), @harr0ey (idea)", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\OpenWith.exe' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_openwith.yml" }, { "title": "Use NTFS Short Name in Command Line", "id": "dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795", "status": "experimental", "description": "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1564.004" ], "falsepositives": [ "Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%~1.exe%' ESCAPE '\\' OR CommandLine LIKE '%~1.bat%' ESCAPE '\\' OR CommandLine LIKE '%~1.msi%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~1.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~1.dll%' ESCAPE '\\' OR CommandLine LIKE '%~1.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~1.js%' ESCAPE '\\' OR CommandLine LIKE '%~1.hta%' ESCAPE '\\' OR CommandLine LIKE '%~2.exe%' ESCAPE '\\' OR CommandLine LIKE '%~2.bat%' ESCAPE '\\' OR CommandLine LIKE '%~2.msi%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbe%' ESCAPE '\\' OR CommandLine LIKE '%~2.vbs%' ESCAPE '\\' OR CommandLine LIKE '%~2.dll%' ESCAPE '\\' OR CommandLine LIKE '%~2.ps1%' ESCAPE '\\' OR CommandLine LIKE '%~2.js%' ESCAPE '\\' OR CommandLine LIKE '%~2.hta%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\thor\\\\thor64.exe' ESCAPE '\\') OR CommandLine LIKE '%C:\\\\xampp\\\\vcredist\\\\VCREDI~1.EXE%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_ntfs_short_name_use_cli.yml" }, { "title": "PUA - Fast Reverse Proxy (FRP) Execution", "id": "32410e29-5f94-4568-b6a3-d91a8adad863", "status": "experimental", "description": "Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.", "author": "frack113, Florian Roth", "tags": [ "attack.command_and_control", "attack.t1090" ], "falsepositives": [ "Legitimate use" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\frpc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\frps.exe' ESCAPE '\\') OR CommandLine LIKE '%\\\\frpc.ini%' ESCAPE '\\' OR (Hashes LIKE '%MD5=7D9C233B8C9E3F0EA290D2B84593C842%' ESCAPE '\\' OR Hashes LIKE '%SHA1=06DDC9280E1F1810677935A2477012960905942F%' ESCAPE '\\' OR Hashes LIKE '%SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5E142EE860E387C%' ESCAPE '\\') OR md5 = '7d9c233b8c9e3f0ea290d2b84593c842' OR sha1 = '06ddc9280e1f1810677935a2477012960905942f' OR sha256 = '57b0936b8d336d8e981c169466a15a5fd21a7d5a2c7daf62d5e142ee860e387c'))" ], "filename": "proc_creation_win_pua_frp.yml" }, { "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)", "id": "2afafd61-6aae-4df4-baed-139fa1f4c345", "status": "test", "description": "Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)", "author": "Thomas Patzke", "tags": [ "attack.credential_access", "attack.t1003.003" ], "falsepositives": [ "NTDS maintenance" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\ntdsutil.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_ntdsutil_usage.yml" }, { "title": "Execution from Suspicious Folder", "id": "3dfd06d2-eaf4-4532-9555-68aca59f57c4", "status": "experimental", "description": "Detects a suspicious execution from an uncommon folder", "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ "attack.defense_evasion", "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Intel\\\\Logs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RSA\\\\MachineKeys\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\NetworkService\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\debug\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Help\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Media\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\repair\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\security\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\Tasks\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Tasks\\\\%' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\config\\\\systemprofile\\\\Citrix\\\\UpdaterBinaries\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\CitrixReceiverUpdater.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_execution_path.yml" }, { "title": "Potential Password Spraying Attempt Using Dsacls.EXE", "id": "bac9fb54-2da7-44e9-988f-11e9a5edbc0c", "status": "experimental", "description": "Detects possible password spraying attempts using Dsacls", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1218" ], "falsepositives": [ "Legitimate use of dsacls to bind to an LDAP session" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\dsacls.exe' ESCAPE '\\' OR OriginalFileName = 'DSACLS.EXE') AND (CommandLine LIKE '%/user:%' ESCAPE '\\' AND CommandLine LIKE '%/passwd:%' ESCAPE '\\'))" ], "filename": "proc_creation_win_dsacls_password_spray.yml" }, { "title": "Renamed Plink Execution", "id": "1c12727d-02bf-45ff-a9f3-d49806a3cf43", "status": "experimental", "description": "Detects the execution of a renamed version of the Plink binary", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName = 'Plink' OR (CommandLine LIKE '% -l forward%' ESCAPE '\\' AND CommandLine LIKE '% -P %' ESCAPE '\\' AND CommandLine LIKE '% -R %' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\plink.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_plink.yml" }, { "title": "PsExec/PAExec Escalation to LOCAL SYSTEM", "id": "8834e2f7-6b4b-4f09-8906-d2276470ee23", "status": "experimental", "description": "Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.resource_development", "attack.t1587.001" ], "falsepositives": [ "Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)", "Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '% -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% /s -i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s /i cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -i /s cmd%' ESCAPE '\\' OR CommandLine LIKE '% /i -s cmd%' ESCAPE '\\' OR CommandLine LIKE '% -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /s -i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s /i pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -i /s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% /i -s pwsh%' ESCAPE '\\' OR CommandLine LIKE '% -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% /s -i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -s /i powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i -s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% -i /s powershell%' ESCAPE '\\' OR CommandLine LIKE '% /i -s powershell%' ESCAPE '\\') AND (CommandLine LIKE '%psexec%' ESCAPE '\\' OR CommandLine LIKE '%paexec%' ESCAPE '\\' OR CommandLine LIKE '%accepteula%' ESCAPE '\\'))" ], "filename": "proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" }, { "title": "Esentutl Gather Credentials", "id": "7df1713a-1a5b-4a4b-a071-dc83b144a101", "status": "test", "description": "Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.", "author": "sam0x90", "tags": [ "attack.credential_access", "attack.t1003", "attack.t1003.003" ], "falsepositives": [ "To be determined" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%esentutl%' ESCAPE '\\' AND CommandLine LIKE '% /p%' ESCAPE '\\')" ], "filename": "proc_creation_win_esentutl_params.yml" }, { "title": "Renamed MegaSync Execution", "id": "643bdcac-8b82-49f4-9fd9-25a90b929f3b", "status": "test", "description": "Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.", "author": "Sittikorn S", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Software that illegally integrates MegaSync in a renamed form", "Administrators that have renamed MegaSync" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND OriginalFileName = 'megasync.exe' AND NOT (NewProcessName LIKE '%\\\\megasync.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_megasync.yml" }, { "title": "Findstr GPP Passwords", "id": "91a2c315-9ee6-4052-a853-6f6a8238f90d", "status": "test", "description": "Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1552.006" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR OriginalFileName = 'FINDSTR.EXE') AND (CommandLine LIKE '%cpassword%' ESCAPE '\\' AND CommandLine LIKE '%\\\\sysvol\\\\%' ESCAPE '\\' AND CommandLine LIKE '%.xml%' ESCAPE '\\'))" ], "filename": "proc_creation_win_findstr_gpp_passwords.yml" }, { "title": "Files And Subdirectories Listing Using Dir", "id": "7c9340a9-e2ee-4e43-94c5-c54ebbea1006", "status": "experimental", "description": "Detects usage of the \"dir\" command that's part of windows batch/cmd to collect information about directories", "author": "frack113", "tags": [ "attack.discovery", "attack.t1217" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%dir %' ESCAPE '\\' AND CommandLine LIKE '% /s%' ESCAPE '\\' AND CommandLine LIKE '% /b%' ESCAPE '\\')" ], "filename": "proc_creation_win_cmd_dir_execution.yml" }, { "title": "Suspicious Shells Spawn by SQL Server", "id": "869b9ca7-9ea2-4a5a-8325-e80e62f75445", "status": "experimental", "description": "Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection", "author": "FPT.EagleEye Team, wagga", "tags": [ "attack.t1505.003", "attack.t1190", "attack.initial_access", "attack.persistence", "attack.privilege_escalation" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\sqlservr.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\')) AND NOT ((ParentProcessName LIKE 'C:\\\\Program Files\\\\Microsoft SQL Server\\\\%' ESCAPE '\\' AND ParentProcessName LIKE '%DATEV\\_DBENGINE\\\\MSSQL\\\\Binn\\\\sqlservr.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cmd.exe' ESCAPE '\\' AND CommandLine LIKE '\"C:\\\\Windows\\\\system32\\\\cmd.exe\" %' ESCAPE '\\')))" ], "filename": "proc_creation_win_mssql_susp_child_process.yml" }, { "title": "Suspicious RASdial Activity", "id": "6bba49bf-7f8c-47d6-a1bb-6b4dece4640e", "status": "test", "description": "Detects suspicious process related to rasdial.exe", "author": "juju4", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1059" ], "falsepositives": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%rasdial.exe' ESCAPE '\\')" ], "filename": "proc_creation_win_rasdial_execution.yml" }, { "title": "Mshtml DLL RunHTMLApplication Abuse", "id": "4782eb5a-a513-4523-a0ac-f3082b26ac5c", "status": "experimental", "description": "Detects suspicious command line using the \"mshtml.dll\" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%\\\\..\\\\%' ESCAPE '\\' AND CommandLine LIKE '%mshtml%' ESCAPE '\\' AND CommandLine LIKE '%RunHTMLApplication%' ESCAPE '\\')" ], "filename": "proc_creation_win_rundll32_mshtml_runhtmlapplication.yml" }, { "title": "Potential SPN Enumeration Via Setspn.EXE", "id": "1eeed653-dbc8-4187-ad0c-eeebb20e6599", "status": "test", "description": "Detects service principal name (SPN) enumeration used for Kerberoasting", "author": "Markus Neis, keepwatch", "tags": [ "attack.credential_access", "attack.t1558.003" ], "falsepositives": [ "Administration activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\setspn.exe' ESCAPE '\\' OR OriginalFileName = 'setspn.exe' OR (Description LIKE '%Query or reset the computer%' ESCAPE '\\' AND Description LIKE '%SPN attribute%' ESCAPE '\\')) AND CommandLine LIKE '%-q%' ESCAPE '\\')" ], "filename": "proc_creation_win_setspn_spn_enumeration.yml" }, { "title": "Abusing Print Executable", "id": "bafac3d6-7de9-4dd9-8874-4a1194b493ed", "status": "test", "description": "Attackers can use print.exe for remote file copy", "author": "Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\print.exe' ESCAPE '\\' AND CommandLine LIKE 'print%' ESCAPE '\\' AND CommandLine LIKE '%/D%' ESCAPE '\\' AND CommandLine LIKE '%.exe%' ESCAPE '\\') AND NOT (CommandLine LIKE '%print.exe%' ESCAPE '\\'))" ], "filename": "proc_creation_win_print_remote_file_copy.yml" }, { "title": "Shells Spawned by Web Servers", "id": "8202070f-edeb-4d31-a010-a26c72ac5600", "status": "test", "description": "Detects web servers that spawn shell processes which could be the result of a successfully placed web shell or another attack", "author": "Thomas Patzke, Florian Roth (Nextron Systems), Zach Stanford @svch0st, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1505.003", "attack.t1190" ], "falsepositives": [ "Particular web applications may spawn a shell process legitimately" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\caddy.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\ws\\_TomcatService.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\UMWorkerProcess.exe' ESCAPE '\\') OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentProcessName LIKE '%-tomcat-%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\')) OR ((ParentProcessName LIKE '%\\\\java.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\javaw.exe' ESCAPE '\\') AND (ParentCommandLine LIKE '%catalina.jar%' ESCAPE '\\' OR ParentCommandLine LIKE '%CATALINA\\_HOME%' ESCAPE '\\' OR ParentCommandLine LIKE '%catalina.home%' ESCAPE '\\'))) AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\arp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\at.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsget.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\find.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\findstr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fsutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hostname.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netdom.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\netstat.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nltest.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nslookup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ntdutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pathping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ping.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qprocess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\query.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\qwinsta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tasklist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tracert.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whoami.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wusa.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%Windows\\\\system32\\\\cmd.exe /c C:\\\\ManageEngine\\\\ADManager \"Plus\\\\ES\\\\bin\\\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt' ESCAPE '\\') OR (CommandLine LIKE '%sc query%' ESCAPE '\\' AND CommandLine LIKE '%ADManager Plus%' ESCAPE '\\')))" ], "filename": "proc_creation_win_webshell_spawn.yml" }, { "title": "Potential CommandLine Path Traversal Via Cmd.EXE", "id": "087790e3-3287-436c-bccf-cbd0184a7db1", "status": "test", "description": "Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking", "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ "attack.execution", "attack.t1059.003" ], "falsepositives": [ "Java tools are known to produce false-positive when loading libraries" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((ParentProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'cmd.exe') AND ((ParentCommandLine LIKE '%/c%' ESCAPE '\\' OR ParentCommandLine LIKE '%/k%' ESCAPE '\\' OR ParentCommandLine LIKE '%/r%' ESCAPE '\\') OR (CommandLine LIKE '%/c%' ESCAPE '\\' OR CommandLine LIKE '%/k%' ESCAPE '\\' OR CommandLine LIKE '%/r%' ESCAPE '\\')) AND (ParentCommandLine = '/../../' OR CommandLine LIKE '%/../../%' ESCAPE '\\')) AND NOT ((CommandLine LIKE '%\\\\Tasktop\\\\keycloak\\\\bin\\\\/../../jre\\\\bin\\\\java%' ESCAPE '\\')))" ], "filename": "proc_creation_win_cmd_path_traversal.yml" }, { "title": "Renamed ZOHO Dctask64 Execution", "id": "340a090b-c4e9-412e-bb36-b4b16fe96f9b", "status": "test", "description": "Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1036", "attack.t1055.001", "attack.t1202", "attack.t1218" ], "falsepositives": [ "Unknown yet" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND Hashes LIKE '%6834B1B94E49701D77CCB3C0895E1AFD%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\dctask64.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_dctask64.yml" }, { "title": "Renamed Office Binary Execution", "id": "0b0cd537-fc77-4e6e-a973-e53495c1083d", "status": "experimental", "description": "Detects the execution of a renamed office binary", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (OriginalFileName IN ('Excel.exe', 'MSACCESS.EXE', 'OneNote.exe', 'POWERPNT.EXE', 'WinWord.exe') OR Description IN ('Microsoft Access', 'Microsoft Excel', 'Microsoft OneNote', 'Microsoft PowerPoint', 'Microsoft Word')) AND NOT ((NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSACCESS.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ONENOTE.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\POWERPNT.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_renamed_office_processes.yml" }, { "title": "Disabled IE Security Features", "id": "fb50eb7a-5ab1-43ae-bcc9-091818cb8424", "status": "test", "description": "Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '% -name IEHarden %' ESCAPE '\\' AND CommandLine LIKE '% -value 0 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DEPOff %' ESCAPE '\\' AND CommandLine LIKE '% -value 1 %' ESCAPE '\\') OR (CommandLine LIKE '% -name DisableFirstRunCustomize %' ESCAPE '\\' AND CommandLine LIKE '% -value 2 %' ESCAPE '\\')))" ], "filename": "proc_creation_win_powershell_disable_ie_features.yml" }, { "title": "Invoke-Obfuscation Via Use MSHTA", "id": "ac20ae82-8758-4f38-958e-b44a3140ca88", "status": "test", "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%set%' ESCAPE '\\' AND CommandLine LIKE '%&&%' ESCAPE '\\' AND CommandLine LIKE '%mshta%' ESCAPE '\\' AND CommandLine LIKE '%vbscript:createobject%' ESCAPE '\\' AND CommandLine LIKE '%.run%' ESCAPE '\\' AND CommandLine LIKE '%(window.close)%' ESCAPE '\\')" ], "filename": "proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml" }, { "title": "SQLite Firefox Profile Data DB Access", "id": "4833155a-4053-4c9c-a997-777fcea0baa7", "status": "experimental", "description": "Detect usage of the \"sqlite\" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1539", "attack.collection", "attack.t1005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (Product = 'SQLite' OR (NewProcessName LIKE '%\\\\sqlite.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlite3.exe' ESCAPE '\\')) AND (CommandLine LIKE '%cookies.sqlite%' ESCAPE '\\' OR CommandLine LIKE '%places.sqlite%' ESCAPE '\\'))" ], "filename": "proc_creation_win_sqlite_firefox_gecko_profile_data.yml" }, { "title": "Perl Inline Command Execution", "id": "f426547a-e0f7-441a-b63e-854ac5bdf54d", "status": "experimental", "description": "Detects execution of perl using the \"-e\"/\"-E\" flags. This is could be used as a way to launch a reverse shell or execute live perl code.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\perl.exe' ESCAPE '\\' OR OriginalFileName = 'perl.exe') AND CommandLine LIKE '% -e%' ESCAPE '\\')" ], "filename": "proc_creation_win_perl_inline_command_execution.yml" }, { "title": "Suspicious Execution From GUID Like Folder Names", "id": "90b63c33-2b97-4631-a011-ceb0f47b77c3", "status": "experimental", "description": "Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Installers are sometimes known for creating temporary folders with GUID like names. Add appropriate filters accordingly" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((CommandLine LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND CommandLine LIKE '%\\\\{%' ESCAPE '\\' AND CommandLine LIKE '%}\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\{%' ESCAPE '\\' AND NewProcessName LIKE '%}\\\\%' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\')))" ], "filename": "proc_creation_win_susp_execution_from_guid_folder_names.yml" }, { "title": "Suspicious Parent of Csc.exe", "id": "b730a276-6b63-41b8-bcf8-55930c8fc6ee", "status": "test", "description": "Detects a suspicious parent of csc.exe, which could by a sign of payload delivery", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.005", "attack.t1059.007", "attack.defense_evasion", "attack.t1218.005", "attack.t1027.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\csc.exe' ESCAPE '\\' AND (ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_csc_susp_parent.yml" }, { "title": "Potential Persistence Via Netsh Helper DLL", "id": "56321594-9087-49d9-bf10-524fe8479452", "status": "test", "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", "author": "Victor Sergeev, oscd.community", "tags": [ "attack.privilege_escalation", "attack.persistence", "attack.t1546.007", "attack.s0108" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName LIKE '%\\\\netsh.exe' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\' AND CommandLine LIKE '%helper%' ESCAPE '\\')" ], "filename": "proc_creation_win_netsh_helper_dll_persistence.yml" }, { "title": "Add Insecure Download Source To Winget", "id": "81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2", "status": "experimental", "description": "Detects usage of winget to add a new insecure (http) download source.\nWinget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1059" ], "falsepositives": [ "False positives might occur if the users are unaware of such control checks" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' OR OriginalFileName = 'winget.exe') AND (CommandLine LIKE '%source %' ESCAPE '\\' AND CommandLine LIKE '%add %' ESCAPE '\\' AND CommandLine LIKE '%http://%' ESCAPE '\\'))" ], "filename": "proc_creation_win_winget_add_insecure_custom_source.yml" }, { "title": "Potential Renamed Rundll32 Execution", "id": "2569ed8c-1147-498a-9b8c-2ad3656b10ed", "status": "experimental", "description": "Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND CommandLine LIKE '%DllRegisterServer%' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_renamed_rundll32_dllregisterserver.yml" }, { "title": "Enumeration for 3rd Party Creds From CLI", "id": "87a476dc-0079-4583-a985-dee7a20a03de", "status": "experimental", "description": "Detects processes that query known 3rd party registry keys that holds credentials via commandline", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1552.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\SimonTatham\\\\PuTTY\\\\SshHostKeys\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Mobatek\\\\MobaXterm\\\\%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\WOW6432Node\\\\Radmin\\\\v3.0\\\\Server\\\\Parameters\\\\Radmin%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\FoxmailPreview%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Aerofox\\\\Foxmail\\\\V3.1%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\IncrediMail\\\\Identities%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Qualcomm\\\\Eudora\\\\CommandLine%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RimArts\\\\B2\\\\Settings%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenVPN-GUI\\\\configs%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\FTPWare\\\\COREFTP\\\\Sites%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\DownloadManager\\\\Passwords%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\OpenSSH\\\\Agent\\\\Keys%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\TightVNC\\\\Server%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\ORL\\\\WinVNC3\\\\Password%' ESCAPE '\\' OR CommandLine LIKE '%\\\\Software\\\\RealVNC\\\\WinVNC4%' ESCAPE '\\'))" ], "filename": "proc_creation_win_registry_enumeration_for_credentials_cli.yml" }, { "title": "Windows Binary Executed From WSL", "id": "ed825c86-c009-4014-b413-b76003e33d35", "status": "experimental", "description": "Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND NewProcessName REGEXP '[a-zA-Z]:\\\\' AND CurrentDirectory LIKE '%\\\\\\\\wsl.localhost%' ESCAPE '\\')" ], "filename": "proc_creation_win_wsl_windows_binaries_execution.yml" }, { "title": "HackTool - GMER Rootkit Detector and Remover Execution", "id": "9082ff1f-88ab-4678-a3cc-5bcff99fc74d", "status": "experimental", "description": "Detects the execution GMER tool based on image and hash fields.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\gmer.exe' ESCAPE '\\' OR (Hashes LIKE '%MD5=E9DC058440D321AA17D0600B3CA0AB04%' ESCAPE '\\' OR Hashes LIKE '%SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173%' ESCAPE '\\') OR md5 = 'e9dc058440d321aa17d0600b3ca0ab04' OR sha1 = '539c228b6b332f5aa523e5ce358c16647d8bbe57' OR sha256 = 'e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173'))" ], "filename": "proc_creation_win_hktl_gmer.yml" }, { "title": "Execution via CL_Invocation.ps1", "id": "a0459f02-ac51-4c09-b511-b8c9203fc429", "status": "test", "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.defense_evasion", "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND CommandLine LIKE '%SyncInvoke%' ESCAPE '\\')" ], "filename": "proc_creation_win_lolbin_cl_invocation.yml" }, { "title": "Potential Defense Evasion Via Right-to-Left Override", "id": "ad691d92-15f2-4181-9aa4-723c74f9ddc3", "status": "experimental", "description": "Detects the presence of the \"u202+E\" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence.\nThis is used as an obfuscation and masquerading techniques.\n", "author": "Micah Babinski, @micahbabinski", "tags": [ "attack.defense_evasion", "attack.t1036.002" ], "falsepositives": [ "Commandlines that contains scriptures such as arabic or hebrew might make use of this character" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%‮%' ESCAPE '\\')" ], "filename": "proc_creation_win_susp_right_to_left_override.yml" }, { "title": "HackTool - Koadic Execution", "id": "5cddf373-ef00-4112-ad72-960ac29bac34", "status": "test", "description": "Detects command line parameters used by Koadic hack tool", "author": "wagga, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", "attack.t1059.003", "attack.t1059.005", "attack.t1059.007" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR OriginalFileName = 'Cmd.Exe') AND (CommandLine LIKE '%/q%' ESCAPE '\\' AND CommandLine LIKE '%/c%' ESCAPE '\\' AND CommandLine LIKE '%chcp%' ESCAPE '\\'))" ], "filename": "proc_creation_win_hktl_koadic.yml" }, { "title": "Reg Disable Security Service", "id": "5e95028c-5229-4214-afae-d653d573d0ec", "status": "experimental", "description": "Detects a suspicious reg.exe invocation that looks as if it would disable an important security service", "author": "Florian Roth (Nextron Systems), John Lambert (idea), elhoim", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown", "Other security solution installers" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '%add%' ESCAPE '\\') AND ((CommandLine LIKE '% /d 4%' ESCAPE '\\' AND CommandLine LIKE '% /v Start%' ESCAPE '\\' AND (CommandLine LIKE '%\\\\Sense%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WinDefend%' ESCAPE '\\' OR CommandLine LIKE '%\\\\MsMpSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\NisSrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdBoot%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisDrv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdNisSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wscsvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\SecurityHealthService%' ESCAPE '\\' OR CommandLine LIKE '%\\\\wuauserv%' ESCAPE '\\' OR CommandLine LIKE '%\\\\UsoSvc%' ESCAPE '\\' OR CommandLine LIKE '%\\\\WdFilter%' ESCAPE '\\' OR CommandLine LIKE '%\\\\AppIDSvc%' ESCAPE '\\')) OR (CommandLine LIKE '% /d 1%' ESCAPE '\\' AND CommandLine LIKE '%Windows Defender%' ESCAPE '\\' AND (CommandLine LIKE '%DisableIOAVProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableOnAccessProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableRoutinelyTakingAction%' ESCAPE '\\' OR CommandLine LIKE '%DisableScanOnRealtimeEnable%' ESCAPE '\\' OR CommandLine LIKE '%DisableBlockAtFirstSeen%' ESCAPE '\\' OR CommandLine LIKE '%DisableBehaviorMonitoring%' ESCAPE '\\' OR CommandLine LIKE '%DisableEnhancedNotifications%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpyware%' ESCAPE '\\' OR CommandLine LIKE '%DisableAntiSpywareRealtimeProtection%' ESCAPE '\\' OR CommandLine LIKE '%DisableConfig%' ESCAPE '\\' OR CommandLine LIKE '%DisablePrivacyMode%' ESCAPE '\\' OR CommandLine LIKE '%SignatureDisableUpdateOnStartupWithoutEngine%' ESCAPE '\\' OR CommandLine LIKE '%DisableArchiveScanning%' ESCAPE '\\' OR CommandLine LIKE '%DisableIntrusionPreventionSystem%' ESCAPE '\\' OR CommandLine LIKE '%DisableScriptScanning%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_reg_disable_sec_services.yml" }, { "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE", "id": "de587dce-915e-4218-aac4-835ca6af6f70", "status": "test", "description": "Detects suspicious command line reg.exe tool adding key to RUN key in Registry", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.", "Legitimate administrator sets up autorun keys for legitimate reasons.", "Discord" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND CommandLine LIKE '%reg%' ESCAPE '\\' AND CommandLine LIKE '% ADD %' ESCAPE '\\' AND CommandLine LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\')" ], "filename": "proc_creation_win_reg_add_run_key.yml" }, { "title": "Suspicious Userinit Child Process", "id": "b655a06a-31c0-477a-95c2-3726b83d649d", "status": "test", "description": "Detects a suspicious child process of userinit", "author": "Florian Roth (Nextron Systems), Samir Bousseaden (idea)", "tags": [ "attack.defense_evasion", "attack.t1055" ], "falsepositives": [ "Administrative scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ParentProcessName LIKE '%\\\\userinit.exe' ESCAPE '\\' AND NOT ((CommandLine LIKE '%\\\\netlogon\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR OriginalFileName = 'explorer.exe')))" ], "filename": "proc_creation_win_susp_userinit_child.yml" }, { "title": "Nslookup PowerShell Download Cradle - ProcessCreation", "id": "1b3b01c7-84e9-4072-86e5-fc285a41ff23", "status": "experimental", "description": "Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\nslookup.exe%' ESCAPE '\\' OR OriginalFileName LIKE '\\\\nslookup.exe' ESCAPE '\\') AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (CommandLine LIKE '% -q=txt %' ESCAPE '\\' OR CommandLine LIKE '% -querytype=txt %' ESCAPE '\\')))" ], "filename": "proc_creation_win_nslookup_poweshell_download.yml" }, { "title": "HackTool - Hashcat Password Cracker Execution", "id": "39b31e81-5f5f-4898-9c0e-2160cfc0f9bf", "status": "test", "description": "Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1110.002" ], "falsepositives": [ "Tools that use similar command line flags and values" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\hashcat.exe' ESCAPE '\\' OR (CommandLine LIKE '%-a %' ESCAPE '\\' AND CommandLine LIKE '%-m 1000 %' ESCAPE '\\' AND CommandLine LIKE '%-r %' ESCAPE '\\')))" ], "filename": "proc_creation_win_hktl_hashcat.yml" }, { "title": "Suspicious Schtasks Schedule Types", "id": "24c8392b-aa3c-46b7-a545-43f71657fe98", "status": "experimental", "description": "Detects scheduled task creations or modification on a suspicious schedule type", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1053.005" ], "falsepositives": [ "Legitimate processes that run at logon. Filter according to your environment" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR OriginalFileName = 'schtasks.exe') AND (CommandLine LIKE '% ONLOGON %' ESCAPE '\\' OR CommandLine LIKE '% ONSTART %' ESCAPE '\\' OR CommandLine LIKE '% ONCE %' ESCAPE '\\' OR CommandLine LIKE '% ONIDLE %' ESCAPE '\\')) AND NOT (((CommandLine LIKE '%NT AUT%' ESCAPE '\\' OR CommandLine LIKE '% SYSTEM%' ESCAPE '\\' OR CommandLine LIKE '%HIGHEST%' ESCAPE '\\'))))" ], "filename": "proc_creation_win_schtasks_schedule_type.yml" }, { "title": "Sticky Key Like Backdoor Execution", "id": "2fdefcb3-dbda-401e-ae23-f0db027628bc", "status": "test", "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.privilege_escalation", "attack.persistence", "attack.t1546.008", "car.2014-11-003", "car.2014-11-008" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND ParentProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wt.exe' ESCAPE '\\') AND (CommandLine LIKE '%sethc.exe%' ESCAPE '\\' OR CommandLine LIKE '%utilman.exe%' ESCAPE '\\' OR CommandLine LIKE '%osk.exe%' ESCAPE '\\' OR CommandLine LIKE '%Magnify.exe%' ESCAPE '\\' OR CommandLine LIKE '%Narrator.exe%' ESCAPE '\\' OR CommandLine LIKE '%DisplaySwitch.exe%' ESCAPE '\\'))" ], "filename": "proc_creation_win_cmd_sticky_key_like_backdoor_execution.yml" }, { "title": "Suspicious Office Token Search Via CLI", "id": "6d3a3952-6530-44a3-8554-cf17c116c615", "status": "experimental", "description": "Detects possible search for office tokens via CLI by looking for the string \"eyJ0eX\". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (CommandLine LIKE '%eyJ0eXAiOi%' ESCAPE '\\' OR CommandLine LIKE '% eyJ0eX%' ESCAPE '\\' OR CommandLine LIKE '% \"eyJ0eX\"%' ESCAPE '\\' OR CommandLine LIKE '% ''eyJ0eX''%' ESCAPE '\\'))" ], "filename": "proc_creation_win_susp_office_token_search.yml" }, { "title": "Execute MSDT Via Answer File", "id": "9c8c7000-3065-44a8-a555-79bcba5d9955", "status": "experimental", "description": "Detects execution of \"msdt.exe\" using an answer file which is simulating the legitimate way of calling msdt via \"pcwrun.exe\" (For example from the compatibility tab)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218", "attack.execution" ], "falsepositives": [ "Possible undocumented parents of \"msdt\" other than \"pcwrun\"" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND CommandLine LIKE '%\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml%' ESCAPE '\\' AND (CommandLine LIKE '% -af %' ESCAPE '\\' OR CommandLine LIKE '% /af %' ESCAPE '\\')) AND NOT (ParentProcessName LIKE '%\\\\pcwrun.exe' ESCAPE '\\'))" ], "filename": "proc_creation_win_lolbin_msdt_answer_file.yml" }, { "title": "Domain Trust Discovery Via Dsquery", "id": "3bad990e-4848-4a78-9530-b427d854aac0", "status": "test", "description": "Detects execution of \"dsquery.exe\" for domain trust discovery", "author": "E.M. Anhaus, Tony Lambert, oscd.community, omkar72", "tags": [ "attack.discovery", "attack.t1482" ], "falsepositives": [ "Legitimate use of the utilities by legitimate user for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (NewProcessName LIKE '%\\\\dsquery.exe' ESCAPE '\\' OR OriginalFileName = 'dsquery.exe') AND CommandLine LIKE '%trustedDomain%' ESCAPE '\\')" ], "filename": "proc_creation_win_dsquery_domain_trust_discovery.yml" }, { "title": "Suspicious Control Panel DLL Load", "id": "d7eb979b-c2b5-4a6f-a3a7-c87ce6763819", "status": "test", "description": "Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '1' AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (ParentProcessName LIKE '%\\\\System32\\\\control.exe' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR OriginalFileName = 'RUNDLL32.EXE')) AND NOT (CommandLine LIKE '%Shell32.dll%' ESCAPE '\\'))" ], "filename": "proc_creation_win_rundll32_susp_control_dll_load.yml" }, { "title": "Sysmon Configuration Modification", "id": "1f2b5353-573f-4880-8e33-7d04dcf97744", "status": "test", "description": "Detects when an attacker tries to hide from Sysmon by disabling or stopping it", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1564" ], "falsepositives": [ "Legitimate administrative action" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('4', '16') AND (State = 'Stopped' OR Events MATCH ('\"Sysmon config state changed\"')) AND NOT (State = 'Started'))" ], "filename": "sysmon_config_modification_status.yml" }, { "title": "Sysmon Configuration Error", "id": "815cd91b-7dbc-4247-841a-d7dd1392b0a8", "status": "experimental", "description": "Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1564" ], "falsepositives": [ "Legitimate administrative action" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '255' AND (Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' OR Description LIKE '%Failed to connect to the driver to update configuration%' ESCAPE '\\') AND NOT ((Description LIKE '%Failed to open service configuration with error%' ESCAPE '\\' AND Description LIKE '%Last error: The media is write protected.%' ESCAPE '\\') OR ((Description LIKE '%Failed to open service configuration with error 19%' ESCAPE '\\' OR Description LIKE '%Failed to open service configuration with error 93%' ESCAPE '\\'))))" ], "filename": "sysmon_config_modification_error.yml" }, { "title": "Sysmon Blocked Executable", "id": "23b71bc5-953e-4971-be4c-c896cda73fc2", "status": "experimental", "description": "Triggers on any Sysmon file block executable event. Which should indicates a violation of the block policy set", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE EventID = '27'" ], "filename": "sysmon_file_block_exe.yml" }, { "title": "Sysmon Process Hollowing Detection", "id": "c4b890e5-8d8c-4496-8c66-c805753817cd", "status": "experimental", "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Sittikorn S", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1055.012" ], "falsepositives": [ "There are no known false positives at this time" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '25' AND Type = 'Image is replaced' AND NOT ((NewProcessName LIKE '%:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%:\\\\Program Files (x86)%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WMIADAP.exe' ESCAPE '\\')))" ], "filename": "sysmon_process_hollowing.yml" }, { "title": "Sysmon Configuration Change", "id": "8ac03a65-6c84-4116-acad-dc1558ff7a77", "status": "test", "description": "Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration", "author": "frack113", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Legitimate administrative action" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID = '16')" ], "filename": "sysmon_config_modification.yml" }, { "title": "Suspicious Network Connection Binary No CommandLine", "id": "20384606-a124-4fec-acbb-8bd373728613", "status": "experimental", "description": "Detects suspicious network connections made by a well-known Windows binary run with no command line parameters", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (Initiated = 'true' AND (NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (CommandLine LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR CommandLine LIKE '%\\\\dllhost.exe' ESCAPE '\\')) AND NOT ((CommandLine = '') OR (CommandLine = '')))" ], "filename": "net_connection_win_susp_binary_no_cmdline.yml" }, { "title": "Excel Network Connections", "id": "75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84", "status": "experimental", "description": "Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292.\nYou will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.\n", "author": "Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0\", Tim Shelton", "tags": [ "attack.execution", "attack.t1203" ], "falsepositives": [ "You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains.", "Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned.", "It is highly recommended to baseline your activity and tune out common business use cases." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationIsIpv6 = 'false') AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.0.0.1%' ESCAPE '\\')))" ], "filename": "net_connection_win_excel_outbound_network_connection.yml" }, { "title": "RDP to HTTP or HTTPS Target Ports", "id": "b1e5da3b-ca8e-4adf-915c-9921f3d85481", "status": "experimental", "description": "Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1572", "attack.lateral_movement", "attack.t1021.001", "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389' AND DestinationPort IN ('80', '443'))" ], "filename": "net_connection_win_rdp_to_http.yml" }, { "title": "Remote PowerShell Session (Network)", "id": "c539afac-c12a-46ed-b1bd-5a5567c9f045", "status": "test", "description": "Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", "attack.t1059.001", "attack.lateral_movement", "attack.t1021.006" ], "falsepositives": [ "Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.", "Network Service user name of a not-covered localization" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (DestinationPort IN ('5985', '5986') AND Initiated = 'true') AND NOT (((User LIKE '%NETWORK SERVICE%' ESCAPE '\\' OR User LIKE '%NETZWERKDIENST%' ESCAPE '\\' OR User LIKE '%SERVIZIO DI RETE%' ESCAPE '\\' OR User LIKE '%SERVICIO DE RED%' ESCAPE '\\') OR User LIKE '%SERVICE R%' ESCAPE '\\' AND User LIKE '%SEAU%' ESCAPE '\\' OR SourceIp LIKE '0:0:%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\AvastSvc.exe' ESCAPE '\\')) OR (SourceIp IN ('::1', '127.0.0.1') AND DestinationIp IN ('::1', '127.0.0.1'))))" ], "filename": "net_connection_win_remote_powershell_session_network.yml" }, { "title": "RDP Over Reverse SSH Tunnel", "id": "5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4", "status": "test", "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389", "author": "Samir Bousseaden", "tags": [ "attack.command_and_control", "attack.t1572", "attack.lateral_movement", "attack.t1021.001", "car.2013-07-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND Initiated = 'true' AND SourcePort = '3389') AND (DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp = '::1'))" ], "filename": "net_connection_win_rdp_reverse_tunnel.yml" }, { "title": "Potential Dead Drop Resolvers", "id": "297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7", "status": "test", "description": "Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.", "author": "Sorina Ionescu", "tags": [ "attack.command_and_control", "attack.t1102", "attack.t1102.001" ], "falsepositives": [ "One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND ((Initiated = 'true' AND (DestinationHostname LIKE '%.cloudflare.com' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%docs.google.com' ESCAPE '\\' OR DestinationHostname LIKE '%facebook.com' ESCAPE '\\' OR DestinationHostname LIKE '%feeds.rapidfeeds.com' ESCAPE '\\' OR DestinationHostname LIKE '%fotolog.com' ESCAPE '\\' OR DestinationHostname LIKE '%imgur.com' ESCAPE '\\' OR DestinationHostname LIKE '%livejournal.com' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%reddit.com' ESCAPE '\\' OR DestinationHostname LIKE '%steamcommunity.com' ESCAPE '\\' OR DestinationHostname LIKE '%technet.microsoft.com' ESCAPE '\\' OR DestinationHostname LIKE '%twitter.com' ESCAPE '\\' OR DestinationHostname LIKE '%youtube.com' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsSense.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\PRTG Probe.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Engine.exe' ESCAPE '\\')))" ], "filename": "net_connection_win_dead_drop_resolvers.yml" }, { "title": "Suspicious Non-Browser Network Communication With Google API", "id": "7e9cf7b6-e827-11ed-a05b-0242ac120003", "status": "experimental", "description": "Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)", "author": "Gavin Knapp", "tags": [ "attack.command_and_control", "attack.t1102" ], "falsepositives": [ "Legitimate applications communicating with the \"googleapis.com\" endpoints that are not already in the exclusion list. This is environmental dependent and requires further testing and tuning." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (DestinationHostname LIKE '%oauth2.googleapis.com%' ESCAPE '\\' OR DestinationHostname LIKE '%sheets.googleapis.com%' ESCAPE '\\' OR DestinationHostname LIKE '%drive.googleapis.com%' ESCAPE '\\' OR DestinationHostname LIKE '%www.googleapis.com%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Drive File Stream\\*\\\\GoogleDriveFS.exe%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\GoogleUpdate.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\teams.exe' ESCAPE '\\')))" ], "filename": "net_connection_win_google_api_non_browser_access.yml" }, { "title": "Suspicious Dropbox API Usage", "id": "25eabf56-22f0-4915-a1ed-056b8dae0a68", "status": "experimental", "description": "Detects an executable that isn't dropbox but communicates with the Dropbox API", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Legitimate use of the API with a tool that the author wasn't aware of" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (Initiated = 'true' AND (DestinationHostname LIKE '%api.dropboxapi.com' ESCAPE '\\' OR DestinationHostname LIKE '%content.dropboxapi.com' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\Dropbox%' ESCAPE '\\'))" ], "filename": "net_connection_win_susp_dropbox_api.yml" }, { "title": "Msiexec Initiated Connection", "id": "8e5e38e4-5350-4c0b-895a-e872ce0dd54f", "status": "test", "description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218.007" ], "falsepositives": [ "Legitimate msiexec over networks" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND Initiated = 'true' AND NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\')" ], "filename": "net_connection_win_msiexec.yml" }, { "title": "Network Communication With Crypto Mining Pool", "id": "fa5b1358-b040-4403-9868-15f7d9ab6329", "status": "stable", "description": "Detects initiated network connections to crypto mining pools", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.impact", "attack.t1496" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND DestinationHostname IN ('alimabi.cn', 'ap.luckpool.net', 'bcn.pool.minergate.com', 'bcn.vip.pool.minergate.com', 'bohemianpool.com', 'ca.minexmr.com', 'ca.monero.herominers.com', 'cbd.monerpool.org', 'cbdv2.monerpool.org', 'cryptmonero.com', 'crypto-pool.fr', 'crypto-pool.info', 'cryptonight-hub.miningpoolhub.com', 'd1pool.ddns.net', 'd5pool.us', 'daili01.monerpool.org', 'de.minexmr.com', 'dl.nbminer.com', 'donate.graef.in', 'donate.ssl.xmrig.com', 'donate.v2.xmrig.com', 'donate.xmrig.com', 'donate2.graef.in', 'drill.moneroworld.com', 'dwarfpool.com', 'emercoin.com', 'emercoin.net', 'emergate.net', 'ethereumpool.co', 'eu.luckpool.net', 'eu.minerpool.pw', 'fcn-xmr.pool.minergate.com', 'fee.xmrig.com', 'fr.minexmr.com', 'hellominer.com', 'herominers.com', 'huadong1-aeon.ppxxmr.com', 'iwanttoearn.money', 'jw-js1.ppxxmr.com', 'koto-pool.work', 'lhr.nbminer.com', 'lhr3.nbminer.com', 'linux.monerpool.org', 'lokiturtle.herominers.com', 'luckpool.net', 'masari.miner.rocks', 'mine.c3pool.com', 'mine.moneropool.com', 'mine.ppxxmr.com', 'mine.zpool.ca', 'mine1.ppxxmr.com', 'minemonero.gq', 'miner.ppxxmr.com', 'miner.rocks', 'minercircle.com', 'minergate.com', 'minerpool.pw', 'minerrocks.com', 'miners.pro', 'minerxmr.ru', 'minexmr.cn', 'minexmr.com', 'mining-help.ru', 'miningpoolhub.com', 'mixpools.org', 'moner.monerpool.org', 'moner1min.monerpool.org', 'monero-master.crypto-pool.fr', 'monero.crypto-pool.fr', 'monero.hashvault.pro', 'monero.herominers.com', 'monero.lindon-pool.win', 'monero.miners.pro', 'monero.riefly.id', 'monero.us.to', 'monerocean.stream', 'monerogb.com', 'monerohash.com', 'moneroocean.stream', 'moneropool.com', 'moneropool.nl', 'monerorx.com', 'monerpool.org', 'moriaxmr.com', 'mro.pool.minergate.com', 'multipool.us', 'myxmr.pw', 'na.luckpool.net', 'nanopool.org', 'nbminer.com', 'node3.luckpool.net', 'noobxmr.com', 'pangolinminer.comgandalph3000.com', 'pool.4i7i.com', 'pool.armornetwork.org', 'pool.cortins.tk', 'pool.gntl.co.uk', 'pool.hashvault.pro', 'pool.minergate.com', 'pool.minexmr.com', 'pool.monero.hashvault.pro', 'pool.ppxxmr.com', 'pool.somec.cc', 'pool.support', 'pool.supportxmr.com', 'pool.usa-138.com', 'pool.xmr.pt', 'pool.xmrfast.com', 'pool2.armornetwork.org', 'poolchange.ppxxmr.com', 'pooldd.com', 'poolmining.org', 'poolto.be', 'ppxvip1.ppxxmr.com', 'ppxxmr.com', 'prohash.net', 'r.twotouchauthentication.online', 'randomx.xmrig.com', 'ratchetmining.com', 'seed.emercoin.com', 'seed.emercoin.net', 'seed.emergate.net', 'seed1.joulecoin.org', 'seed2.joulecoin.org', 'seed3.joulecoin.org', 'seed4.joulecoin.org', 'seed5.joulecoin.org', 'seed6.joulecoin.org', 'seed7.joulecoin.org', 'seed8.joulecoin.org', 'sg.minexmr.com', 'sheepman.mine.bz', 'siamining.com', 'sumokoin.minerrocks.com', 'supportxmr.com', 'suprnova.cc', 'teracycle.net', 'trtl.cnpool.cc', 'trtl.pool.mine2gether.com', 'turtle.miner.rocks', 'us-west.minexmr.com', 'usxmrpool.com', 'viaxmr.com', 'webservicepag.webhop.net', 'xiazai.monerpool.org', 'xiazai1.monerpool.org', 'xmc.pool.minergate.com', 'xmo.pool.minergate.com', 'xmr-asia1.nanopool.org', 'xmr-au1.nanopool.org', 'xmr-eu1.nanopool.org', 'xmr-eu2.nanopool.org', 'xmr-jp1.nanopool.org', 'xmr-us-east1.nanopool.org', 'xmr-us-west1.nanopool.org', 'xmr-us.suprnova.cc', 'xmr-usa.dwarfpool.com', 'xmr.2miners.com', 'xmr.5b6b7b.ru', 'xmr.alimabi.cn', 'xmr.bohemianpool.com', 'xmr.crypto-pool.fr', 'xmr.crypto-pool.info', 'xmr.f2pool.com', 'xmr.hashcity.org', 'xmr.hex7e4.ru', 'xmr.ip28.net', 'xmr.monerpool.org', 'xmr.mypool.online', 'xmr.nanopool.org', 'xmr.pool.gntl.co.uk', 'xmr.pool.minergate.com', 'xmr.poolto.be', 'xmr.ppxxmr.com', 'xmr.prohash.net', 'xmr.simka.pw', 'xmr.somec.cc', 'xmr.suprnova.cc', 'xmr.usa-138.com', 'xmr.vip.pool.minergate.com', 'xmr1min.monerpool.org', 'xmrf.520fjh.org', 'xmrf.fjhan.club', 'xmrfast.com', 'xmrigcc.graef.in', 'xmrminer.cc', 'xmrpool.de', 'xmrpool.eu', 'xmrpool.me', 'xmrpool.net', 'xmrpool.xyz', 'xx11m.monerpool.org', 'xx11mv2.monerpool.org', 'xxx.hex7e4.ru', 'zarabotaibitok.ru', 'zer0day.ru'))" ], "filename": "net_connection_win_crypto_mining_pools.yml" }, { "title": "HH.EXE Network Connections", "id": "468a8cea-2920-4909-a593-0cbe1d96674a", "status": "experimental", "description": "Detects network connections made by the \"hh.exe\" process, which could indicate the execution/download of remotely hosted .chm files", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '443', '135', '445'))" ], "filename": "net_connection_win_hh.yml" }, { "title": "Wuauclt Network Connection", "id": "c649a6c7-cd8c-4a78-9c04-000fc76df954", "status": "test", "description": "Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections.\nOne could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.\n", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Legitimate use of wuauclt.exe over the network." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND NewProcessName LIKE '%wuauclt%' ESCAPE '\\' AND NOT (((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\')) OR (CommandLine LIKE '%\\\\UpdateDeploy.dll /ClassId %' ESCAPE '\\')))" ], "filename": "net_connection_win_wuauclt_network_connection.yml" }, { "title": "PowerShell Network Connections", "id": "1f21ec3f-810d-4b0e-8045-322202e22b4b", "status": "experimental", "description": "Detects a Powershell process that opens network connections - check for suspicious target ports and target systems - adjust to your environment (e.g. extend filters with company's ip range')", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Administrative scripts", "Microsoft IP range" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND Initiated = 'true' AND DestinationIsIpv6 = 'false') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.0.0.1%' ESCAPE '\\') AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\')) OR ((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\'))))" ], "filename": "net_connection_win_powershell_network_connection.yml" }, { "title": "Suspicious Typical Malware Back Connect Ports", "id": "4b89abaa-99fe-4232-afdd-8f9aa4d20382", "status": "test", "description": "Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.command_and_control", "attack.t1571" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND ((Initiated = 'true' AND DestinationPort IN ('100', '198', '200', '243', '473', '666', '700', '743', '777', '1443', '1515', '1777', '1817', '1904', '1960', '2443', '2448', '3360', '3675', '3939', '4040', '4433', '4438', '4443', '4444', '4455', '5445', '5552', '5649', '6625', '7210', '8080', '8143', '8843', '8888', '9631', '9943', '10101', '12102', '12103', '12322', '13145', '13394', '13504', '13505', '13506', '13507', '14102', '14103', '14154', '49180', '65520', '65535')) AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\')))) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], "filename": "net_connection_win_malware_backconnect_ports.yml" }, { "title": "Download a File with IMEWDBLD.exe", "id": "8d7e392e-9b28-49e1-831d-5949c6281228", "status": "test", "description": "Use IMEWDBLD.exe (built-in to windows) to download a file", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Legitimate script" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND Initiated = 'true' AND NewProcessName LIKE '%\\\\IMEWDBLD.exe' ESCAPE '\\')" ], "filename": "net_connection_win_imewdbld.yml" }, { "title": "Microsoft Binary Suspicious Communication Endpoint", "id": "e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97", "status": "test", "description": "Detects an executable in the Windows folder accessing suspicious domains", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.lateral_movement", "attack.t1105" ], "falsepositives": [ "Unknown", "@subTee in your network" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND ((NewProcessName LIKE 'C:\\\\PerfLogs%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\AppData\\\\Temp\\\\%' ESCAPE '\\') AND (Initiated = 'true' AND (DestinationHostname LIKE '%.ghostbin.co' ESCAPE '\\' OR DestinationHostname LIKE '%.githubusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%.hastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%.paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%.pastebin.com' ESCAPE '\\' OR DestinationHostname LIKE '%anonfiles.com' ESCAPE '\\' OR DestinationHostname LIKE '%cdn.discordapp.com' ESCAPE '\\' OR DestinationHostname LIKE '%ddns.net' ESCAPE '\\' OR DestinationHostname LIKE '%dl.dropboxusercontent.com' ESCAPE '\\' OR DestinationHostname LIKE '%mediafire.com' ESCAPE '\\' OR DestinationHostname LIKE '%mega.nz' ESCAPE '\\' OR DestinationHostname LIKE '%paste.ee' ESCAPE '\\' OR DestinationHostname LIKE '%pastebin.pl' ESCAPE '\\' OR DestinationHostname LIKE '%pastetext.net' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.com' ESCAPE '\\' OR DestinationHostname LIKE '%privatlab.net' ESCAPE '\\' OR DestinationHostname LIKE '%send.exploit.in' ESCAPE '\\' OR DestinationHostname LIKE '%sendspace.com' ESCAPE '\\' OR DestinationHostname LIKE '%transfer.sh' ESCAPE '\\' OR DestinationHostname LIKE '%ufile.io' ESCAPE '\\')))" ], "filename": "net_connection_win_binary_susp_com.yml" }, { "title": "Connection Initiated Via Certutil.EXE", "id": "0dba975d-a193-4ed1-a067-424df57570d1", "status": "experimental", "description": "Detects a network connection initiated by the certutil.exe tool.\nAttackers can abuse the utility in order to download malware or additional payloads.\n", "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' AND Initiated = 'true' AND DestinationPort IN ('80', '135', '443', '445'))" ], "filename": "net_connection_win_certutil_initiated_connection.yml" }, { "title": "Communication To Mega.nz", "id": "fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4", "status": "test", "description": "Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.exfiltration", "attack.t1567.001" ], "falsepositives": [ "Legitimate use of mega.nz uploaders and tools" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND Initiated = 'true' AND DestinationHostname LIKE '%api.mega.co.nz' ESCAPE '\\')" ], "filename": "net_connection_win_mega_nz.yml" }, { "title": "Communication To Ngrok Tunneling Service", "id": "1d08ac94-400d-4469-a82f-daee9a908849", "status": "experimental", "description": "Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.exfiltration", "attack.command_and_control", "attack.t1567", "attack.t1568.002", "attack.t1572", "attack.t1090", "attack.t1102", "attack.s0508" ], "falsepositives": [ "Legitimate use of ngrok" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (DestinationHostname LIKE '%tunnel.us.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.eu.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.ap.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.au.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.sa.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.jp.ngrok.com%' ESCAPE '\\' OR DestinationHostname LIKE '%tunnel.in.ngrok.com%' ESCAPE '\\'))" ], "filename": "net_connection_win_ngrok_tunnel.yml" }, { "title": "Regsvr32 Network Activity", "id": "c7e91a02-d771-4a6d-a700-42587e0b1095", "status": "test", "description": "Detects network connections and DNS queries initiated by Regsvr32.exe", "author": "Dmitriy Lifanov, oscd.community", "tags": [ "attack.execution", "attack.t1559.001", "attack.defense_evasion", "attack.t1218.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\')" ], "filename": "net_connection_win_regsvr32_network_activity.yml" }, { "title": "Suspicious Network Connection to IP Lookup Service APIs", "id": "edf3485d-dac4-4d50-90e4-b0e5813f7e60", "status": "experimental", "description": "Detects external IP address lookups by non-browser processes via services such as \"api.ipify.org\". This could be indicative of potential post compromise internet test activity.", "author": "Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1016" ], "falsepositives": [ "Legitimate use of the external websites for troubleshooting or network monitoring" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (DestinationHostname LIKE '%api.2ip.ua%' ESCAPE '\\' OR DestinationHostname LIKE '%api.ipify.org%' ESCAPE '\\' OR DestinationHostname LIKE '%bot.whatismyipaddress.com%' ESCAPE '\\' OR DestinationHostname LIKE '%canireachthe.net%' ESCAPE '\\' OR DestinationHostname LIKE '%checkip.amazonaws.com%' ESCAPE '\\' OR DestinationHostname LIKE '%checkip.dyndns.org%' ESCAPE '\\' OR DestinationHostname LIKE '%curlmyip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%edns.ip-api.com%' ESCAPE '\\' OR DestinationHostname LIKE '%eth0.me%' ESCAPE '\\' OR DestinationHostname LIKE '%freegeoip.app%' ESCAPE '\\' OR DestinationHostname LIKE '%icanhazip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ident.me%' ESCAPE '\\' OR DestinationHostname LIKE '%ifconfig.io%' ESCAPE '\\' OR DestinationHostname LIKE '%ifconfig.me%' ESCAPE '\\' OR DestinationHostname LIKE '%ip-api.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ip.anysrc.net%' ESCAPE '\\' OR DestinationHostname LIKE '%ip.tyk.nu%' ESCAPE '\\' OR DestinationHostname LIKE '%ipaddressworld.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipecho.net%' ESCAPE '\\' OR DestinationHostname LIKE '%ipinfo.io%' ESCAPE '\\' OR DestinationHostname LIKE '%ipof.in%' ESCAPE '\\' OR DestinationHostname LIKE '%ipv4.icanhazip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipv4bot.whatismyipaddress.com%' ESCAPE '\\' OR DestinationHostname LIKE '%ipwho.is%' ESCAPE '\\' OR DestinationHostname LIKE '%l2.io%' ESCAPE '\\' OR DestinationHostname LIKE '%myexternalip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%wgetip.com%' ESCAPE '\\' OR DestinationHostname LIKE '%whatismyip.akamai.com%' ESCAPE '\\' OR DestinationHostname LIKE '%wtfismyip.com%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], "filename": "net_connection_win_susp_external_ip_lookup.yml" }, { "title": "Cmstp Making Network Connection", "id": "efafe0bf-4238-479e-af8f-797bd3490d2d", "status": "experimental", "description": "Detects suspicious network connection by Cmstp", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND Initiated = 'true')" ], "filename": "net_connection_win_susp_cmstp.yml" }, { "title": "Equation Editor Network Connection", "id": "a66bc059-c370-472c-a0d7-f8fd1bf9d583", "status": "experimental", "description": "Detects network connections from Equation Editor", "author": "Max Altgelt (Nextron Systems)", "tags": [ "attack.execution", "attack.t1203" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\')" ], "filename": "net_connection_win_eqnedt.yml" }, { "title": "Suspicious Epmap Connection", "id": "628d7a0b-7b84-4466-8552-e6138bc03b43", "status": "experimental", "description": "Detects suspicious \"epmap\" connection to a remote computer via remote procedure call (RPC)", "author": "frack113, Tim Shelton (fps)", "tags": [ "attack.lateral_movement" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (Protocol = 'tcp' AND Initiated = 'true' AND DestinationPort = '135') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Amazon\\\\SSM\\\\Update\\\\amazon-ssm-agent-updater%' ESCAPE '\\')))" ], "filename": "net_connection_win_susp_epmap.yml" }, { "title": "Dllhost Internet Connection", "id": "cfed2f44-16df-4bf3-833a-79405198b277", "status": "test", "description": "Detects Dllhost that communicates with public IP addresses", "author": "bartblaze", "tags": [ "attack.defense_evasion", "attack.t1218", "attack.execution", "attack.t1559.001" ], "falsepositives": [ "Communication to other corporate systems that use IP addresses from public address spaces" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\')) OR ((DestinationIp LIKE '20.184.%' ESCAPE '\\' OR DestinationIp LIKE '20.185.%' ESCAPE '\\' OR DestinationIp LIKE '20.186.%' ESCAPE '\\' OR DestinationIp LIKE '20.187.%' ESCAPE '\\' OR DestinationIp LIKE '20.188.%' ESCAPE '\\' OR DestinationIp LIKE '20.189.%' ESCAPE '\\' OR DestinationIp LIKE '20.190.%' ESCAPE '\\' OR DestinationIp LIKE '20.191.%' ESCAPE '\\' OR DestinationIp LIKE '23.79.%' ESCAPE '\\' OR DestinationIp LIKE '51.10.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\' OR DestinationIp LIKE '52.239.%' ESCAPE '\\'))))" ], "filename": "net_connection_win_dllhost_net_connections.yml" }, { "title": "Python Initiated Connection", "id": "bef0bc5a-b9ae-425d-85c6-7b2d705980c6", "status": "experimental", "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", "author": "frack113", "tags": [ "attack.discovery", "attack.t1046" ], "falsepositives": [ "Legitimate python script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (Initiated = 'true' AND NewProcessName LIKE '%python%' ESCAPE '\\') AND NOT ((ParentProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda-script.py%' ESCAPE '\\' AND CommandLine LIKE '%update%' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\python.exe' ESCAPE '\\' AND CommandLine LIKE '%C:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\jupyter-notebook-script.py%' ESCAPE '\\') OR (DestinationIp = '127.0.0.1' AND SourceIp = '127.0.0.1')))" ], "filename": "net_connection_win_python.yml" }, { "title": "Script Initiated Connection", "id": "08249dc0-a28d-4555-8ba5-9255a198e08c", "status": "experimental", "description": "Detects a script interpreter wscript/cscript opening a network connection. Adversaries may use script to download malicious payloads.", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Legitimate scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND Initiated = 'true' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\'))" ], "filename": "net_connection_win_script.yml" }, { "title": "Rundll32 Internet Connection", "id": "cdc8da7d-c303-42f8-b08c-b4ab47230263", "status": "test", "description": "Detects a rundll32 that communicates with public IP addresses", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.011", "attack.execution" ], "falsepositives": [ "Communication to other corporate systems that use IP addresses from public address spaces" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\' OR DestinationIp LIKE '51.103.%' ESCAPE '\\' OR DestinationIp LIKE '51.104.%' ESCAPE '\\' OR DestinationIp LIKE '51.105.%' ESCAPE '\\') OR CommandLine LIKE '%PcaSvc.dll,PcaPatchSdbTask%' ESCAPE '\\' OR SourceHostname LIKE '%.internal.cloudapp.net' ESCAPE '\\') OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND DestinationPort = '443')))" ], "filename": "net_connection_win_rundll32_net_connections.yml" }, { "title": "Script Initiated Connection to Non-Local Network", "id": "992a6cae-db6a-43c8-9cec-76d7195c96fc", "status": "experimental", "description": "Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.", "author": "frack113, Florian Roth", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Legitimate scripts" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (Initiated = 'true' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\')) AND NOT (((DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '172.%' ESCAPE '\\' OR DestinationIp LIKE '192.%' ESCAPE '\\' OR DestinationIp LIKE '169.254.%' ESCAPE '\\' OR DestinationIp LIKE '20.%' ESCAPE '\\')) OR ((DestinationIp LIKE '::1%' ESCAPE '\\' OR DestinationIp LIKE '0:0:0:0:0:0:0:1%' ESCAPE '\\' OR DestinationIp LIKE 'fe80:%' ESCAPE '\\' OR DestinationIp LIKE 'fc%' ESCAPE '\\' OR DestinationIp LIKE 'fd%' ESCAPE '\\'))))" ], "filename": "net_connection_win_script_wan.yml" }, { "title": "Microsoft Sync Center Suspicious Network Connections", "id": "9f2cc74d-78af-4eb2-bb64-9cd1d292b87b", "status": "experimental", "description": "Detects suspicious connections from Microsoft Sync Center to non-private IPs.", "author": "elhoim", "tags": [ "attack.t1055", "attack.t1218", "attack.execution", "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND NewProcessName LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND NOT ((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\') AND DestinationIsIpv6 = 'false'))" ], "filename": "net_connection_win_susp_outbound_mobsync_connection.yml" }, { "title": "Suspicious Outbound SMTP Connections", "id": "9976fa64-2804-423c-8a5b-646ade840773", "status": "experimental", "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", "author": "frack113", "tags": [ "attack.exfiltration", "attack.t1048.003" ], "falsepositives": [ "Other SMTP tools" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (DestinationPort IN ('25', '587', '465', '2525') AND Initiated = 'true') AND NOT (((NewProcessName LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\microsoft.windowscommunicationsapps\\_%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\HxTsr.exe' ESCAPE '\\')))" ], "filename": "net_connection_win_susp_outbound_smtp_connections.yml" }, { "title": "Communication To Ngrok.Io", "id": "18249279-932f-45e2-b37a-8925f2597670", "status": "experimental", "description": "Detects an executable accessing ngrok.io, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.exfiltration", "attack.t1567.001" ], "falsepositives": [ "Legitimate use of ngrok.io" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND Initiated = 'true' AND DestinationHostname LIKE '%.ngrok.io' ESCAPE '\\')" ], "filename": "net_connection_win_ngrok_io.yml" }, { "title": "Outbound Network Connection To Public IP Via Winlogon", "id": "7610a4ea-c06d-495f-a2ac-0a696abcfd3b", "status": "experimental", "description": "Detects a \"winlogon.exe\" process that initiate network communications with public IP addresses", "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", "attack.execution", "attack.command_and_control", "attack.t1218.011" ], "falsepositives": [ "Communication to other corporate systems that use IP addresses from public address spaces" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND Initiated = 'true') AND NOT (((DestinationIp LIKE '10.%' ESCAPE '\\' OR DestinationIp LIKE '127.%' ESCAPE '\\' OR DestinationIp LIKE '172.16.%' ESCAPE '\\' OR DestinationIp LIKE '172.17.%' ESCAPE '\\' OR DestinationIp LIKE '172.18.%' ESCAPE '\\' OR DestinationIp LIKE '172.19.%' ESCAPE '\\' OR DestinationIp LIKE '172.20.%' ESCAPE '\\' OR DestinationIp LIKE '172.21.%' ESCAPE '\\' OR DestinationIp LIKE '172.22.%' ESCAPE '\\' OR DestinationIp LIKE '172.23.%' ESCAPE '\\' OR DestinationIp LIKE '172.24.%' ESCAPE '\\' OR DestinationIp LIKE '172.25.%' ESCAPE '\\' OR DestinationIp LIKE '172.26.%' ESCAPE '\\' OR DestinationIp LIKE '172.27.%' ESCAPE '\\' OR DestinationIp LIKE '172.28.%' ESCAPE '\\' OR DestinationIp LIKE '172.29.%' ESCAPE '\\' OR DestinationIp LIKE '172.30.%' ESCAPE '\\' OR DestinationIp LIKE '172.31.%' ESCAPE '\\' OR DestinationIp LIKE '192.168.%' ESCAPE '\\'))))" ], "filename": "net_connection_win_winlogon_net_connections.yml" }, { "title": "Suspicious Outbound Kerberos Connection", "id": "e54979bd-c5f9-4d6c-967b-a04b19ac4c74", "status": "test", "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", "author": "Ilyas Ochkov, oscd.community", "tags": [ "attack.credential_access", "attack.t1558", "attack.lateral_movement", "attack.t1550.003" ], "falsepositives": [ "Web Browsers" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND (DestinationPort = '88' AND Initiated = 'true') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], "filename": "net_connection_win_susp_outbound_kerberos_connection.yml" }, { "title": "Notepad Making Network Connection", "id": "e81528db-fc02-45e8-8e98-4e84aba1f10b", "status": "test", "description": "Detects suspicious network connection by Notepad", "author": "EagleEye Team", "tags": [ "attack.command_and_control", "attack.execution", "attack.defense_evasion", "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND NOT (DestinationPort = '9100'))" ], "filename": "net_connection_win_notepad_network_connection.yml" }, { "title": "Suspicious Program Location with Network Connections", "id": "7b434893-c57d-4f41-908d-6a17bf1ae98f", "status": "test", "description": "Detects programs with network connections running in suspicious files system locations", "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND ((NewProcessName LIKE '%\\\\Users\\\\All Users\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Contacts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Searches\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\config\\\\systemprofile\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\Fonts\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\IME\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\addins\\\\%' ESCAPE '\\') OR NewProcessName LIKE '%\\\\$Recycle.bin' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Perflogs\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\Start\\_Programs\\\\%' ESCAPE '\\')))" ], "filename": "net_connection_win_susp_prog_location_network_connection.yml" }, { "title": "Silenttrinity Stager Msbuild Activity", "id": "50e54b8d-ad73-43f8-96a1-5191685b17a4", "status": "test", "description": "Detects a possible remote connections to Silenttrinity c2", "author": "Kiran kumar s, oscd.community", "tags": [ "attack.execution", "attack.t1127.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' AND DestinationPort IN ('80', '443') AND Initiated = 'true')" ], "filename": "net_connection_win_silenttrinity_stager_msbuild_activity.yml" }, { "title": "Suspicious Non-Browser Network Communication With Reddit API", "id": "d7b09985-95a3-44be-8450-b6eadf49833e", "status": "experimental", "description": "Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2", "author": "Gavin Knapp", "tags": [ "attack.command_and_control", "attack.t1102" ], "falsepositives": [ "Legitimate applications communicating with the Reddit API e.g. web browsers not in the exclusion list, app with an RSS etc." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '3' AND DestinationHostname LIKE '%reddit.com%' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], "filename": "net_connection_win_reddit_api_non_browser_access.yml" }, { "title": "Suspicious Access To Browser Credential Files", "id": "91cb43db-302a-47e3-b3c8-7ede481e27bf", "status": "experimental", "description": "Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing", "author": "frack113", "tags": [ "attack.t1003", "attack.credential_access" ], "falsepositives": [ "Antivirus, Anti-Spyware, Anti-Malware Software", "Backup software", "Legitimate software installed on partitions other than \"C:\\\"", "Searching software such as \"everything.exe\"" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (((FileName LIKE '%\\\\Appdata\\\\Local\\\\Microsoft\\\\Windows\\\\WebCache\\\\WebCacheV01.dat' ESCAPE '\\' OR (FileName LIKE '%\\\\cookies.sqlite' ESCAPE '\\' OR FileName LIKE '%release\\\\key3.db' ESCAPE '\\' OR FileName LIKE '%release\\\\key4.db' ESCAPE '\\' OR FileName LIKE '%release\\\\logins.json' ESCAPE '\\') OR (FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Network\\\\Cookies%' ESCAPE '\\' OR FileName LIKE '%\\\\Appdata\\\\Local\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State%' ESCAPE '\\')) AND NOT ((NewProcessName = 'System' AND ParentProcessName = 'Idle') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\%' ESCAPE '\\')))) AND NOT ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\MpCopyAccelerator.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (ParentProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\')))" ], "filename": "file_access_win_browser_credential_stealing.yml" }, { "title": "Suspicious Access To Windows DPAPI Master Keys", "id": "46612ae6-86be-4802-bc07-39b59feb1309", "status": "experimental", "description": "Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::masterkey\" function\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1555.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-18\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\Microsoft\\\\Protect\\\\S-1-5-21-%' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], "filename": "file_access_win_dpapi_master_key_access.yml" }, { "title": "Suspicious Access To Windows Credential History File", "id": "7a2a22ea-a203-4cd3-9abf-20eb1c5c6cd2", "status": "experimental", "description": "Detects suspicious processes based on name and location that access the Windows Credential History File.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::credhist\" function\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1555.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (FileName LIKE '%\\\\Microsoft\\\\Protect\\\\CREDHIST' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')))" ], "filename": "file_access_win_susp_cred_hist_access.yml" }, { "title": "Credential Manager Access", "id": "407aecb1-e762-4acf-8c7b-d087bcff3bb6", "status": "experimental", "description": "Detects suspicious processes based on name and location that access the windows credential manager and vault.\nWhich can be a sign of credential stealing. Example case would be usage of mimikatz \"dpapi::cred\" function\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.t1003", "attack.credential_access" ], "falsepositives": [ "Legitimate software installed by the users for example in the \"AppData\" directory may access these files (for any reason)." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Credentials\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\' OR FileName LIKE '%\\\\ProgramData\\\\Microsoft\\\\Vault\\\\%' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], "filename": "file_access_win_credential_manager_stealing.yml" }, { "title": "Suspicious Appended Extension", "id": "e3f673b3-65d1-4d80-9146-466f8b63fa99", "status": "experimental", "description": "Detects possible ransomware adding a custom extension to the encrypted files, such as \".jpg.crypted\", \".docx.locky\" etc.", "author": "frack113", "tags": [ "attack.impact", "attack.t1486" ], "falsepositives": [ "Backup software" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (((SourceFilename LIKE '%.lnk' ESCAPE '\\' OR SourceFilename LIKE '%.rtf' ESCAPE '\\' OR SourceFilename LIKE '%.pst' ESCAPE '\\' OR SourceFilename LIKE '%.docx' ESCAPE '\\' OR SourceFilename LIKE '%.xlsx' ESCAPE '\\' OR SourceFilename LIKE '%.jpg' ESCAPE '\\' OR SourceFilename LIKE '%.jpeg' ESCAPE '\\' OR SourceFilename LIKE '%.png' ESCAPE '\\' OR SourceFilename LIKE '%.pdf' ESCAPE '\\') AND (TargetFilename LIKE '%.lnk.%' ESCAPE '\\' OR TargetFilename LIKE '%.rtf.%' ESCAPE '\\' OR TargetFilename LIKE '%.pst.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg.%' ESCAPE '\\' OR TargetFilename LIKE '%.png.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.old' ESCAPE '\\' OR TargetFilename LIKE '%.orig' ESCAPE '\\' OR TargetFilename LIKE '%.backup' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.c~' ESCAPE '\\')))" ], "filename": "file_rename_win_ransomware.yml" }, { "title": "Rename Common File to DLL File", "id": "bbfd974c-248e-4435-8de6-1e938c79c5c1", "status": "experimental", "description": "Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection", "author": "frack113", "falsepositives": [ "Application installation" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (TargetFilename LIKE '%.dll' ESCAPE '\\' AND NOT (((SourceFilename LIKE '%.dll' ESCAPE '\\' OR SourceFilename LIKE '%.tmp' ESCAPE '\\') OR (SourceFilename LIKE '%.dll.%' ESCAPE '\\' OR SourceFilename LIKE '%\\\\SquirrelTemp\\\\temp%' ESCAPE '\\')) OR (SourceFilename = '') OR (SourceFilename = '') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], "filename": "file_rename_win_not_dll_to_dll.yml" }, { "title": "File Creation Date Changed to Another Year", "id": "558eebe5-f2ba-4104-b339-36f7902bcc1a", "status": "experimental", "description": "Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.\nNote that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.\n", "author": "frack113, Florian Roth (Nextron Systems)", "tags": [ "attack.t1070.006", "attack.defense_evasion" ], "falsepositives": [ "Changes made to or by the local NTP service" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '2' AND ((PreviousCreationUtcTime LIKE '2022%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '2022%' ESCAPE '\\')) OR (PreviousCreationUtcTime LIKE '202%' ESCAPE '\\' AND NOT (CreationUtcTime LIKE '202%' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\ProvTool.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\usocoreworker.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\ProgramData\\\\USOPrivate\\\\UpdateStore\\\\%' ESCAPE '\\' OR (TargetFilename LIKE '%.tmp' ESCAPE '\\' OR TargetFilename LIKE '%.temp' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\')))" ], "filename": "file_change_win_2022_timestomping.yml" }, { "title": "Unusual File Modification by dns.exe", "id": "9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3", "status": "experimental", "description": "Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "author": "Tim Rauch (Nextron Systems)", "tags": [ "attack.initial_access", "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '2' AND NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], "filename": "file_change_win_unusual_modification_by_dns_exe.yml" }, { "title": "File Deleted Via Sysinternals SDelete", "id": "6ddab845-b1b8-49c2-bbf7-1a11967f64bc", "status": "test", "description": "Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", "attack.t1070.004" ], "falsepositives": [ "Legitime usage of SDelete" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('23', '26') AND (TargetFilename LIKE '%.AAA' ESCAPE '\\' OR TargetFilename LIKE '%.ZZZ' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\Wireshark\\\\radius\\\\dictionary.alcatel-lucent.aaa' ESCAPE '\\')))" ], "filename": "file_delete_win_sysinternals_sdelete_file_deletion.yml" }, { "title": "Tomcat WebServer Logs Deleted", "id": "270185ff-5f50-4d6d-a27f-24c3b8c9fef8", "status": "experimental", "description": "Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1070" ], "falsepositives": [ "During uninstallation of the tomcat server", "During log rotation" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('23', '26') AND TargetFilename LIKE '%\\\\Tomcat%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\logs\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%catalina.%' ESCAPE '\\' OR TargetFilename LIKE '%\\_access\\_log.%' ESCAPE '\\' OR TargetFilename LIKE '%localhost.%' ESCAPE '\\'))" ], "filename": "file_delete_win_delete_tomcat_logs.yml" }, { "title": "PowerShell Console History Logs Deleted", "id": "ff301988-c231-4bd0-834c-ac9d73b86586", "status": "experimental", "description": "Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1070" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('23', '26') AND TargetFilename LIKE '%\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\')" ], "filename": "file_delete_win_delete_powershell_command_history.yml" }, { "title": "TeamViewer Log File Deleted", "id": "b1decb61-ed83-4339-8e95-53ea51901720", "status": "test", "description": "Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1070.004" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('23', '26') AND (TargetFilename LIKE '%\\\\TeamViewer\\_%' ESCAPE '\\' AND TargetFilename LIKE '%.log' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\'))" ], "filename": "file_delete_win_delete_teamviewer_logs.yml" }, { "title": "IIS WebServer Access Logs Deleted", "id": "3eb8c339-a765-48cc-a150-4364c04652bf", "status": "experimental", "description": "Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence", "author": "Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1070" ], "falsepositives": [ "During uninstallation of the IIS service", "During log rotation" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('23', '26') AND TargetFilename LIKE '%\\\\inetpub\\\\logs\\\\LogFiles\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.log' ESCAPE '\\')" ], "filename": "file_delete_win_delete_iis_access_logs.yml" }, { "title": "Potential PrintNightmare Exploitation Attempt", "id": "5b2bbc47-dead-4ef7-8908-0cf73fcbecbf", "status": "experimental", "description": "Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675", "author": "Bhabesh Raj", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", "attack.t1574", "cve.2021.1675" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('23', '26') AND NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\')" ], "filename": "file_delete_win_cve_2021_1675_print_nightmare.yml" }, { "title": "Unusual File Deletion by Dns.exe", "id": "8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0", "status": "experimental", "description": "Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)", "author": "Tim Rauch (Nextron Systems)", "tags": [ "attack.initial_access", "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('23', '26') AND NewProcessName LIKE '%\\\\dns.exe' ESCAPE '\\' AND NOT (TargetFilename LIKE '%\\\\dns.log' ESCAPE '\\'))" ], "filename": "file_delete_win_unusual_deletion_by_dns_exe.yml" }, { "title": "Backup Files Deleted", "id": "06125661-3814-4e03-bfa2-1e4411c60ac3", "status": "experimental", "description": "Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.", "author": "frack113", "tags": [ "attack.impact", "attack.t1490" ], "falsepositives": [ "Legitime usage" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('23', '26') AND (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.VHD' ESCAPE '\\' OR TargetFilename LIKE '%.bac' ESCAPE '\\' OR TargetFilename LIKE '%.bak' ESCAPE '\\' OR TargetFilename LIKE '%.wbcat' ESCAPE '\\' OR TargetFilename LIKE '%.bkf' ESCAPE '\\' OR TargetFilename LIKE '%.set' ESCAPE '\\' OR TargetFilename LIKE '%.win' ESCAPE '\\' OR TargetFilename LIKE '%.dsk' ESCAPE '\\'))" ], "filename": "file_delete_win_delete_backup_file.yml" }, { "title": "EventLog EVTX File Deleted", "id": "63c779ba-f638-40a0-a593-ddd45e8b1ddc", "status": "experimental", "description": "Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1070" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('23', '26') AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.evtx' ESCAPE '\\')" ], "filename": "file_delete_win_delete_event_log_files.yml" }, { "title": "Exchange PowerShell Cmdlet History Deleted", "id": "a55349d8-9588-4c5a-8e3b-1925fe2a4ffe", "status": "experimental", "description": "Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1070" ], "falsepositives": [ "Possible FP during log rotation" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('23', '26') AND TargetFilename LIKE '\\\\Logging\\\\CmdletInfra\\\\LocalPowerShell\\\\Cmdlet\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Cmdlet\\_%' ESCAPE '\\')" ], "filename": "file_delete_win_delete_exchange_powershell_logs.yml" }, { "title": "Prefetch File Deleted", "id": "0a1f9d29-6465-4776-b091-7f43b26e4c89", "status": "experimental", "description": "Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence", "author": "Cedric MAURUGEON", "tags": [ "attack.defense_evasion", "attack.t1070.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('23', '26') AND (TargetFilename LIKE 'C:\\\\Windows\\\\Prefetch\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.pf' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], "filename": "file_delete_win_delete_prefetch.yml" }, { "title": "Cred Dump Tools Dropped Files", "id": "8fbf3271-1ef6-4e94-8210-03c2317947f6", "status": "test", "description": "Files with well-known filenames (parts of credential dump software or files produced by them) creation", "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ "attack.credential_access", "attack.t1003.001", "attack.t1003.002", "attack.t1003.003", "attack.t1003.004", "attack.t1003.005" ], "falsepositives": [ "Legitimate Administrator using tool for password recovery" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((TargetFilename LIKE '%\\\\pwdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\kirbi%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwhashes%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_ccache%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wce\\_krbtkts%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgdump-log%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\test.pwd' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora64.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsremora.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fgexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wceaux.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SECURITY.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SYSTEM.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NTDS.out' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpExt.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DumpSvc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cachedump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pstgdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\servpw64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwdump.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Dumpy.exe' ESCAPE '\\')))" ], "filename": "file_event_win_cred_dump_tools_dropped_files.yml" }, { "title": "Legitimate Application Dropped Script", "id": "7d604714-e071-49ff-8726-edeb95a70679", "status": "experimental", "description": "Detects programs on a Windows system that should not write scripts to disk", "author": "frack113, Florian Roth", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.scf' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\' OR TargetFilename LIKE '%.wsh' ESCAPE '\\'))" ], "filename": "file_event_win_legitimate_app_dropping_script.yml" }, { "title": "Installation of TeamViewer Desktop", "id": "9711de76-5d4f-4c50-a94f-21e4e8f8384d", "status": "test", "description": "TeamViewer_Desktop.exe is create during install", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\TeamViewer\\_Desktop.exe' ESCAPE '\\')" ], "filename": "file_event_win_install_teamviewer_desktop.yml" }, { "title": "Suspicious Startup Folder Persistence", "id": "28208707-fe31-437f-9a7f-4b1108b94d2e", "status": "experimental", "description": "Detects when a file with a suspicious extension is created in the startup folder", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Rare legitimate usage of some of the extensions mentioned in the rule" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.jar' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\'))" ], "filename": "file_event_win_susp_startup_folder_persistence.yml" }, { "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File", "id": "d353dac0-1b41-46c2-820c-d7d2561fc6ed", "status": "test", "description": "Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)", "author": "Julia Fomina, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1216" ], "falsepositives": [ "Unlikely" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%WsmPty.xsl' ESCAPE '\\' OR TargetFilename LIKE '%WsmTxt.xsl' ESCAPE '\\') AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], "filename": "file_event_win_winrm_awl_bypass.yml" }, { "title": "Suspicious File Creation In Uncommon AppData Folder", "id": "d7b50671-d1ad-4871-aa60-5aa5b331fe04", "status": "experimental", "description": "Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.msi' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.psm1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\LocalLow\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\')))" ], "filename": "file_event_win_new_files_in_uncommon_appdata_folder.yml" }, { "title": "WMI Persistence - Script Event Consumer File Write", "id": "33f41cdd-35ac-4ba8-814b-c6a4244a1ad4", "status": "test", "description": "Detects file writes of WMI script event consumer", "author": "Thomas Patzke", "tags": [ "attack.t1546.003", "attack.persistence" ], "falsepositives": [ "Dell Power Manager (C:\\Program Files\\Dell\\PowerManager\\DpmPowerPlanSetup.exe)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\scrcons.exe' ESCAPE '\\')" ], "filename": "file_event_win_wmi_persistence_script_event_consumer_write.yml" }, { "title": "CrackMapExec File Creation Patterns", "id": "9433ff9c-5d3f-4269-99f8-95fc826ea489", "status": "experimental", "description": "Detects suspicious file creation patterns found in logs when CrackMapExec is used", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\rundll32.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\') AND (TargetFilename LIKE '%.rtf' ESCAPE '\\' OR TargetFilename LIKE '%.otf' ESCAPE '\\' OR TargetFilename LIKE '%.odt' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.wpd' ESCAPE '\\' OR TargetFilename LIKE '%.icns' ESCAPE '\\' OR TargetFilename LIKE '%.db' ESCAPE '\\' OR TargetFilename LIKE '%.ini' ESCAPE '\\' OR TargetFilename LIKE '%.tex' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.csv' ESCAPE '\\' OR TargetFilename LIKE '%.fon' ESCAPE '\\' OR TargetFilename LIKE '%.tar' ESCAPE '\\' OR TargetFilename LIKE '%.ttf' ESCAPE '\\' OR TargetFilename LIKE '%.xml' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%.cpl' ESCAPE '\\' OR TargetFilename LIKE '%.jpg' ESCAPE '\\' OR TargetFilename LIKE '%.drv' ESCAPE '\\' OR TargetFilename LIKE '%.cur' ESCAPE '\\' OR TargetFilename LIKE '%.tmp' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\procdump.exe' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\'))))" ], "filename": "file_event_win_crackmapexec_patterns.yml" }, { "title": "Creation Of Non-Existent System DLL", "id": "df6ecb8b-7822-4f4b-b412-08f524b4576c", "status": "experimental", "description": "Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking", "author": "Nasreddine Bencherchali (Nextron Systems), fornotes", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') OR TargetFilename LIKE '%\\\\SprintCSP.dll' ESCAPE '\\') AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\'))" ], "filename": "file_event_win_create_non_existent_dlls.yml" }, { "title": "Adwind RAT / JRAT File Artifact", "id": "0bcfabcb-7929-47f4-93d6-b33fb67d34d1", "status": "test", "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", "attack.t1059.005", "attack.t1059.007" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Oracle\\\\bin\\\\java%' ESCAPE '\\' AND TargetFilename LIKE '%.exe%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Retrive%' ESCAPE '\\' AND TargetFilename LIKE '%.vbs%' ESCAPE '\\')))" ], "filename": "file_event_win_mal_adwind.yml" }, { "title": "Suspicious VHD Image Download From Browser", "id": "8468111a-ef07-4654-903b-b863a80bbc95", "status": "test", "description": "Detects creation of \".vhd\"/\".vhdx\" files by browser processes.\nMalware can use mountable Virtual Hard Disk \".vhd\" files to encapsulate payloads and evade security controls.\n", "author": "frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'", "tags": [ "attack.resource_development", "attack.t1587.001" ], "falsepositives": [ "Legitimate downloads of \".vhd\" files would also trigger this" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\') AND TargetFilename LIKE '%.vhd%' ESCAPE '\\')" ], "filename": "file_event_win_mal_vhd_download.yml" }, { "title": "Potential Startup Shortcut Persistence Via PowerShell.EXE", "id": "92fa78e7-4d39-45f1-91a3-8b23f3f1088d", "status": "experimental", "description": "Detects PowerShell writing startup shortcuts.\nThis procedure was highlighted in Red Canary Intel Insights Oct. 2021, \"We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.\nAccordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats.\nIn the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL\"\n", "author": "Christopher Peacock '@securepeacock', SCYTHE", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\start menu\\\\programs\\\\startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk' ESCAPE '\\')" ], "filename": "file_event_win_powershell_startup_shortcuts.yml" }, { "title": "Process Monitor Driver Creation By Non-Sysinternals Binary", "id": "a05baa88-e922-4001-bc4d-8738135f27de", "status": "experimental", "description": "Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1068" ], "falsepositives": [ "Some false positives may occur with legitimate renamed process monitor binaries" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\procmon%' ESCAPE '\\' AND TargetFilename LIKE '%.sys' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\'))))" ], "filename": "file_event_win_sysinternals_procmon_driver_susp_creation.yml" }, { "title": "Inveigh Execution Artefacts", "id": "bb09dd3e-2b78-4819-8e35-a7c1b874e449", "status": "experimental", "description": "Detects the presence and execution of Inveigh via dropped artefacts", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\Inveigh-Log.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Cleartext.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2Users.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv1.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-NTLMv2.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-FormInput.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Inveigh-Relay.ps1' ESCAPE '\\'))" ], "filename": "file_event_win_hktl_inveigh_artefacts.yml" }, { "title": "Potential Persistence Attempt Via ErrorHandler.Cmd", "id": "15904280-565c-4b73-9303-3291f964e7f9", "status": "experimental", "description": "Detects creation of a file named \"ErrorHandler.cmd\" in the \"C:\\WINDOWS\\Setup\\Scripts\\\" directory which could be used as a method of persistence\nThe content of C:\\WINDOWS\\Setup\\Scripts\\ErrorHandler.cmd is read whenever some tools under C:\\WINDOWS\\System32\\oobe\\ (e.g. Setup.exe) fail to run for any reason.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\WINDOWS\\\\Setup\\\\Scripts\\\\ErrorHandler.cmd' ESCAPE '\\')" ], "filename": "file_event_win_persistence_error_handler_cmd.yml" }, { "title": "Windows Binaries Write Suspicious Extensions", "id": "b8fd0e93-ff58-4cbd-8f48-1c114e342e62", "status": "experimental", "description": "Detects windows executables that writes files with suspicious extensions", "author": "Nasreddine Bencherchali (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (((NewProcessName LIKE '%\\\\smss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sihost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\'))))" ], "filename": "file_event_win_shell_write_susp_files_extensions.yml" }, { "title": "Malicious DLL File Dropped in the Teams or OneDrive Folder", "id": "1908fcc1-1b92-4272-8214-0fbaf2fa5163", "status": "experimental", "description": "Detects creation of a malicious DLL file in the location where the OneDrive or Team applications\nUpon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded\n", "author": "frack113", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%iphlpapi.dll%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft%' ESCAPE '\\')" ], "filename": "file_event_win_iphlpapi_dll_sideloading.yml" }, { "title": "Hijack Legit RDP Session to Move Laterally", "id": "52753ea4-b3a0-4365-910d-36cff487b789", "status": "test", "description": "Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder", "author": "Samir Bousseaden", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%\\\\mstsc.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\')" ], "filename": "file_event_win_tsclient_filewrite_startup.yml" }, { "title": "Office Macro File Creation From Suspicious Process", "id": "b1c50487-1967-4315-a026-6491686d860e", "status": "experimental", "description": "Detects the creation of a office macro file from a a suspicious process", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.initial_access", "attack.t1566.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\')) AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" ], "filename": "file_event_win_office_macro_files_from_susp_process.yml" }, { "title": "Suspicious Screensaver Binary File Creation", "id": "97aa2e88-555c-450d-85a6-229bcd87efb8", "status": "experimental", "description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", "author": "frack113", "tags": [ "attack.persistence", "attack.t1546.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT (((NewProcessName LIKE '%\\\\Kindle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Bin\\\\ccSvcHst.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\uwfservicingscr.scr' ESCAPE '\\')))" ], "filename": "file_event_win_creation_scr_binary_file.yml" }, { "title": "CVE-2021-44077 POC Default Dropped File", "id": "7b501acf-fa98-4272-aa39-194f82edc8a3", "status": "experimental", "description": "Detects the creation of \"msiexec.exe\" in the \"bin\" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "cve.2021.44077" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\ManageEngine\\\\SupportCenterPlus\\\\bin\\\\msiexec.exe' ESCAPE '\\')" ], "filename": "file_event_win_cve_2021_44077_poc_default_files.yml" }, { "title": "UEFI Persistence Via Wpbbin - FileCreation", "id": "e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f", "status": "experimental", "description": "Detects creation of a file named \"wpbbin\" in the \"%systemroot%\\system32\\\" directory. Which could be indicative of UEFI based persistence method", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.t1542.001" ], "falsepositives": [ "Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wpbbin.exe' ESCAPE '\\')" ], "filename": "file_event_win_wpbbin_persistence.yml" }, { "title": "Suspicious NTDS Exfil Filename Patterns", "id": "3a8da4e0-36c1-40d2-8b29-b3e890d5172a", "status": "test", "description": "Detects suspicious creations of files with names used in various tools that export the NTDS.DIT for exfiltration", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\All.cab' ESCAPE '\\' OR TargetFilename LIKE '%.ntds.cleartext' ESCAPE '\\'))" ], "filename": "file_event_win_ntds_exfil_tools.yml" }, { "title": "Powerup Write Hijack DLL", "id": "602a1f13-c640-4d73-b053-be9a2fa58b96", "status": "test", "description": "Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation.\nIn it's default mode, it builds a self deleting .bat file which executes malicious command.\nThe detection rule relies on creation of the malicious bat file (debug.bat by default).\n", "author": "Subhash Popuri (@pbssubhash)", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.defense_evasion", "attack.t1574.001" ], "falsepositives": [ "Any powershell script that creates bat files" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.bat' ESCAPE '\\')" ], "filename": "file_event_win_hktl_powerup_dllhijacking.yml" }, { "title": "Dynamic CSharp Compile Artefact", "id": "e4a74e34-ecde-4aab-b2fb-9112dd01aed0", "status": "test", "description": "When C# is compiled dynamically, a .cmdline file will be created as a part of the process.\nCertain processes are not typically observed compiling C# code, but can do so without touching disk.\nThis can be used to unpack a payload for execution\n", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1027.004" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%.cmdline' ESCAPE '\\')" ], "filename": "file_event_win_csharp_compile_artefact.yml" }, { "title": "SCR File Write Event", "id": "c048f047-7e2a-4888-b302-55f509d4a91d", "status": "experimental", "description": "Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an \".SCR\" file using \"rundll32.exe desk.cpl,InstallScreenSaver\" for example.", "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "The installation of new screen savers by third party software" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%.scr' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE ':\\\\WUDownloadCache\\\\%' ESCAPE '\\')))" ], "filename": "file_event_win_new_src_file.yml" }, { "title": "Windows Shell/Scripting Application File Write to Suspicious Folder", "id": "1277f594-a7d1-4f28-a2d3-73af5cbeab43", "status": "experimental", "description": "Detects Windows shells and scripting applications that write files to suspicious folders", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (((NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\') AND (TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))))" ], "filename": "file_event_win_shell_write_susp_directory.yml" }, { "title": "Windows Webshell Creation", "id": "39f1f9f2-9636-45de-98f6-a4046aa8e4b9", "status": "test", "description": "Possible webshell file creation on a static web site", "author": "Beyu Denis, oscd.community, Tim Shelton", "tags": [ "attack.persistence", "attack.t1505.003" ], "falsepositives": [ "Legitimate administrator or developer creating legitimate executable files in a web application folder" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.asp%' ESCAPE '\\' OR TargetFilename LIKE '%.ashx%' ESCAPE '\\' OR TargetFilename LIKE '%.ph%' ESCAPE '\\')) OR ((TargetFilename LIKE '%\\\\www\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\htdocs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\html\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.ph%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (NewProcessName = 'System') OR (TargetFilename LIKE '%\\\\xampp%' ESCAPE '\\')))" ], "filename": "file_event_win_webshell_creation_detect.yml" }, { "title": "Startup Folder File Write", "id": "2aa0a6b4-a865-495b-ab51-c28249537b75", "status": "test", "description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "FP could be caused by legitimate application writing shortcuts for example. This folder should always be inspected to make sure that all the files in there are legitimate" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp%' ESCAPE '\\' AND NOT (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\'))" ], "filename": "file_event_win_startup_folder_file_write.yml" }, { "title": "LSASS Process Memory Dump Files", "id": "a5a2d357-1ab8-4675-a967-ef9990a59391", "status": "experimental", "description": "Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((TargetFilename LIKE '%\\\\lsass.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.rar' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Temp\\\\dumpert.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Andrew.dmp' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Coredump.dmp' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass\\_2%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdump%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsassdmp%' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\') OR (TargetFilename LIKE '%SQLDmpr%' ESCAPE '\\' AND TargetFilename LIKE '%.mdmp' ESCAPE '\\') OR (TargetFilename LIKE 'nanodump%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')))" ], "filename": "file_event_win_lsass_dump.yml" }, { "title": "CVE-2021-1675 Print Spooler Exploitation Filename Pattern", "id": "2131cfb3-8c12-45e8-8fa0-31f5924e9f07", "status": "test", "description": "Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.privilege_escalation", "attack.resource_development", "attack.t1587", "cve.2021.1675" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\old\\\\1\\\\123%' ESCAPE '\\')" ], "filename": "file_event_win_cve_2021_1675_printspooler.yml" }, { "title": "Mimikatz Kirbi File Creation", "id": "9e099d99-44c2-42b6-a6d8-54c3545cab29", "status": "test", "description": "Detects the creation of files created by mimikatz such as \".kirbi\", \"mimilsa.log\", etc.", "author": "Florian Roth (Nextron Systems), David ANDRE", "tags": [ "attack.credential_access", "attack.t1558" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%.kirbi' ESCAPE '\\' OR TargetFilename LIKE '%mimilsa.log' ESCAPE '\\'))" ], "filename": "file_event_win_hktl_mimikatz_files.yml" }, { "title": "Legitimate Application Dropped Archive", "id": "654fcc6d-840d-4844-9b07-2c3300e54a26", "status": "experimental", "description": "Detects programs on a Windows system that should not write an archive to disk", "author": "frack113, Florian Roth", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.7z' ESCAPE '\\' OR TargetFilename LIKE '%.diagcab' ESCAPE '\\' OR TargetFilename LIKE '%.appx' ESCAPE '\\'))" ], "filename": "file_event_win_legitimate_app_dropping_archive.yml" }, { "title": "Potential Initial Access via DLL Search Order Hijacking", "id": "dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c", "status": "experimental", "description": "Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.", "author": "Tim Rauch (rule), Elastic (idea)", "tags": [ "attack.t1566", "attack.t1566.001", "attack.initial_access", "attack.t1574", "attack.t1574.001", "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSACCESS.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MSPUB.EXE' ESCAPE '\\' OR NewProcessName LIKE '%\\\\fltldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\curl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft OneDrive\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\')) AND NOT (NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\api-ms-win-core-%' ESCAPE '\\'))" ], "filename": "file_event_win_initial_access_dll_search_order_hijacking.yml" }, { "title": "Suspicious File Event With Teams Objects", "id": "6902955a-01b7-432c-b32a-6f5f81d8f624", "status": "experimental", "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", "author": "@SerkinValery", "tags": [ "attack.credential_access", "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\') AND NOT (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], "filename": "file_event_win_access_susp_teams.yml" }, { "title": "Creation of a Diagcab", "id": "3d0ed417-3d94-4963-a562-4a92c940656a", "status": "experimental", "description": "Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)", "author": "frack113", "tags": [ "attack.resource_development" ], "falsepositives": [ "Legitimate microsoft diagcab" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%.diagcab' ESCAPE '\\')" ], "filename": "file_event_win_susp_diagcab.yml" }, { "title": "Suspicious ASPX File Drop by Exchange", "id": "bd1212e5-78da-431e-95fa-c58e3237a8e6", "status": "experimental", "description": "Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder", "author": "Florian Roth (Nextron Systems), MSTI (query, idea)", "tags": [ "attack.persistence", "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%FrontEnd\\\\HttpProxy\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\inetpub\\\\wwwroot\\\\aspnet\\_client\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\'))" ], "filename": "file_event_win_exchange_webshell_drop.yml" }, { "title": "ISO File Created Within Temp Folders", "id": "2f9356ae-bf43-41b8-b858-4496d83b2acb", "status": "experimental", "description": "Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.", "author": "@sam0x90", "tags": [ "attack.initial_access", "attack.t1566.001" ], "falsepositives": [ "Potential FP by sysadmin opening a zip file containing a legitimate ISO file" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.zip\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\Content.Outlook\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.iso' ESCAPE '\\')))" ], "filename": "file_event_win_iso_file_mount.yml" }, { "title": "Drop Binaries Into Spool Drivers Color Folder", "id": "ce7066a6-508a-42d3-995b-2952c65dc2ce", "status": "experimental", "description": "Detects the creation of suspcious binary files inside the \"\\windows\\system32\\spool\\drivers\\color\\\" as seen in the blog referenced below", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\'))" ], "filename": "file_event_win_susp_spool_drivers_color_drop.yml" }, { "title": "UAC Bypass Using NTFS Reparse Point - File", "id": "7fff6773-2baa-46de-a24a-b6eec1aba2d1", "status": "test", "description": "Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\api-ms-win-core-kernel32-legacy-l1.DLL' ESCAPE '\\')" ], "filename": "file_event_win_uac_bypass_ntfs_reparse_point.yml" }, { "title": "Moriya Rootkit", "id": "a1507d71-0b60-44f6-b17c-bf53220fdd88", "status": "test", "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", "author": "Bhabesh Raj", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\drivers\\\\MoriyaStreamWatchmen.sys' ESCAPE '\\')" ], "filename": "file_event_win_moriya_rootkit.yml" }, { "title": "Suspicious Double Extension Files", "id": "b4926b47-a9d7-434c-b3a0-adc3fa0bd13e", "status": "experimental", "description": "Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", "attack.t1036.007" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (((TargetFilename LIKE '%.zip' ESCAPE '\\' OR TargetFilename LIKE '%.rar' ESCAPE '\\' OR TargetFilename LIKE '%.iso' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) OR (TargetFilename LIKE '%.zip.exe' ESCAPE '\\' OR TargetFilename LIKE '%.rar.exe' ESCAPE '\\')))" ], "filename": "file_event_win_susp_double_extension.yml" }, { "title": "Wmiprvse Wbemcomn DLL Hijack - File", "id": "614a7e17-5643-4d89-b6fe-f9df1a79641c", "status": "test", "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", "attack.t1047", "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName = 'System' AND TargetFilename LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], "filename": "file_event_win_wmiprvse_wbemcomn_dll_hijack.yml" }, { "title": "Writing Local Admin Share", "id": "4aafb0fa-bff5-4b9d-b99e-8093e659c65f", "status": "experimental", "description": "Aversaries may use to interact with a remote network share using Server Message Block (SMB).\nThis technique is used by post-exploitation frameworks.\n", "author": "frack113", "tags": [ "attack.lateral_movement", "attack.t1546.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\\\\\127.0.0%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\')" ], "filename": "file_event_win_writing_local_admin_share.yml" }, { "title": "Typical HiveNightmare SAM File Export", "id": "6ea858a8-ba71-4a12-b2cc-5d83312404c7", "status": "test", "description": "Detects files written by the different tools that exploit HiveNightmare", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1552.001", "cve.2021.36934" ], "falsepositives": [ "Files that accidentally contain these strings" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2021-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2022-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-2023-%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SAM-haxx%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Sam.save%' ESCAPE '\\') OR TargetFilename LIKE 'C:\\\\windows\\\\temp\\\\sam' ESCAPE '\\'))" ], "filename": "file_event_win_hktl_hivenightmare_file_exports.yml" }, { "title": "Potential Privilege Escalation Attempt Via .Exe.Local Technique", "id": "07a99744-56ac-40d2-97b7-2095967b0e03", "status": "experimental", "description": "Detects potential privilege escalation attempt via the creation of the \"*.Exe.Local\" folder inside the \"System32\" directory in order to sideload \"comctl32.dll\"", "author": "Nasreddine Bencherchali (Nextron Systems), Subhash P (@pbssubhash)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\wermgr.exe.local%' ESCAPE '\\') AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], "filename": "file_event_win_system32_local_folder_privilege_escalation.yml" }, { "title": "Pingback Backdoor File Indicators", "id": "2bd63d53-84d4-4210-80ff-bf0658f1bf78", "status": "test", "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", "author": "Bhabesh Raj", "tags": [ "attack.persistence", "attack.t1574.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%updata.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], "filename": "file_event_win_malware_pingback_backdoor.yml" }, { "title": "UAC Bypass Abusing Winsat Path Parsing - File", "id": "155dbf56-e0a4-4dd0-8905-8a98705045e8", "status": "test", "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winsat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\system32\\\\winmm.dll' ESCAPE '\\'))" ], "filename": "file_event_win_uac_bypass_winsat.yml" }, { "title": "New Outlook Macro Created", "id": "8c31f563-f9a7-450c-bfa8-35f8f32f1f61", "status": "test", "description": "Detects the creation of a macro file for Outlook.", "author": "@ScoubiMtl", "tags": [ "attack.persistence", "attack.command_and_control", "attack.t1137", "attack.t1008", "attack.t1546" ], "falsepositives": [ "User genuinely creates a VB Macro for their email" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\')" ], "filename": "file_event_win_office_outlook_macro_creation.yml" }, { "title": "UAC Bypass Using EventVwr", "id": "63e4f530-65dc-49cc-8f80-ccfa95c69d43", "status": "experimental", "description": "Detects the pattern of a UAC bypass using Windows Event Viewer", "author": "Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\Microsoft\\\\Event Viewer\\\\RecentViews' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Microsoft\\\\EventV~1\\\\RecentViews' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], "filename": "file_event_win_uac_bypass_eventvwr.yml" }, { "title": "UAC Bypass Using .NET Code Profiler on MMC", "id": "93a19907-d4f9-4deb-9f91-aac4692776a6", "status": "test", "description": "Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pe386.dll' ESCAPE '\\')" ], "filename": "file_event_win_uac_bypass_dotnet_profiler.yml" }, { "title": "Suspicious Unattend.xml File Access", "id": "1a3d42dd-3763-46b9-8025-b5f17f340dfb", "status": "test", "description": "Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.\nIf these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process\n", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1552.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\unattend.xml' ESCAPE '\\')" ], "filename": "file_event_win_access_susp_unattend_xml.yml" }, { "title": "Potential RipZip Attack on Startup Folder", "id": "a6976974-ea6f-4e97-818e-ea08625c52cb", "status": "experimental", "description": "Detects a phishing attack which expands a ZIP file containing a malicious shortcut.\nIf the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.\nAdditionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.\n", "author": "Greg (rule)", "tags": [ "attack.persistence", "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup%' ESCAPE '\\' AND TargetFilename LIKE '%.lnk.{0AFACED1-E828-11D1-9187-B532F1E9575D}%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')" ], "filename": "file_event_win_ripzip_attack.yml" }, { "title": "UAC Bypass Using Windows Media Player - File", "id": "68578b43-65df-4f81-9a9b-92f32711a951", "status": "test", "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OskSupport.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\')))" ], "filename": "file_event_win_uac_bypass_wmp.yml" }, { "title": "Suspicious Scheduled Task Write to System32 Tasks", "id": "80e1f67a-4596-4351-98f5-a9c3efabac95", "status": "test", "description": "Detects the creation of tasks from processes executed from suspicious locations", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.execution", "attack.t1053" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\Tasks%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\PerfLogs%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Windows\\\\System32\\\\config\\\\systemprofile%' ESCAPE '\\'))" ], "filename": "file_event_win_susp_task_write.yml" }, { "title": "Advanced IP Scanner - File Event", "id": "fed85bf9-e075-4280-9159-fbe8a023d6fa", "status": "test", "description": "Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.", "author": "@ROxPinTeddy", "tags": [ "attack.discovery", "attack.t1046" ], "falsepositives": [ "Legitimate administrative use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Advanced IP Scanner 2%' ESCAPE '\\')" ], "filename": "file_event_win_advanced_ip_scanner.yml" }, { "title": "Suspicious Files in Default GPO Folder", "id": "5f87308a-0a5b-4623-ae15-d8fa1809bc60", "status": "experimental", "description": "Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder", "author": "elhoim", "tags": [ "attack.t1036.005", "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\Policies\\\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" ], "filename": "file_event_win_susp_default_gpo_dir_write.yml" }, { "title": "Suspicious DotNET CLR Usage Log Artifact", "id": "e0b06658-7d1d-4cd3-bf15-03467507ff7c", "status": "experimental", "description": "Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.", "author": "frack113, omkar72, oscd.community, Wojciech Lesicki", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\UsageLogs\\\\cmstp.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\cscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\mshta.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\msxsl.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\regsvr32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\rundll32.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\svchost.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wscript.exe.log' ESCAPE '\\' OR TargetFilename LIKE '%\\\\UsageLogs\\\\wmic.exe.log' ESCAPE '\\') AND NOT ((ParentProcessName LIKE '%\\\\MsiExec.exe' ESCAPE '\\' AND ParentCommandLine LIKE '% -Embedding%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND CommandLine LIKE '%Temp%' ESCAPE '\\' AND CommandLine LIKE '%zzzzInvokeManagedCustomActionOutOfProc%' ESCAPE '\\')))" ], "filename": "file_event_win_net_cli_artefact.yml" }, { "title": "Suspicious Outlook Macro Created", "id": "117d3d3a-755c-4a61-b23e-9171146d094c", "status": "test", "description": "Detects the creation of a macro file for Outlook.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.command_and_control", "attack.t1137", "attack.t1008", "attack.t1546" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM' ESCAPE '\\' AND NOT (NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\'))" ], "filename": "file_event_win_office_outlook_susp_macro_creation.yml" }, { "title": "Potential Remote Credential Dumping Activity", "id": "6e2a900a-ced9-4e4a-a9c2-13e706f9518a", "status": "experimental", "description": "Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.", "author": "SecurityAura", "tags": [ "attack.credential_access", "attack.t1003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename REGEXP '\\\\Windows\\\\System32\\\\[a-zA-Z0-9]{8}\\.tmp$')" ], "filename": "file_event_win_remote_cred_dump.yml" }, { "title": "Creation In User Word Startup Folder", "id": "a10a2c40-2c4d-49f8-b557-1a946bc55d9d", "status": "experimental", "description": "Detects the creation of an file in user Word Startup", "author": "frack113", "tags": [ "attack.resource_development", "attack.t1587.001" ], "falsepositives": [ "Addition of legitimate plugins" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\STARTUP\\\\%' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotx' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.docb' ESCAPE '\\' OR TargetFilename LIKE '%.pdf' ESCAPE '\\' OR TargetFilename LIKE '%.wll' ESCAPE '\\' OR TargetFilename LIKE '%.wwl' ESCAPE '\\')))" ], "filename": "file_event_win_office_winword_startup.yml" }, { "title": "UAC Bypass Using IDiagnostic Profile - File", "id": "48ea844d-19b1-4642-944e-fe39c2cc1fec", "status": "experimental", "description": "Detects the creation of a file by \"dllhost.exe\" in System32 directory part of \"IDiagnosticProfileUAC\" UAC bypass technique", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%\\\\DllHost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], "filename": "file_event_win_uac_bypass_idiagnostic_profile.yml" }, { "title": "ScreenConnect Temporary Installation Artefact", "id": "fec96f39-988b-4586-b746-b93d59fd1922", "status": "test", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\Bin\\\\ScreenConnect.%' ESCAPE '\\')" ], "filename": "file_event_win_screenconnect_artefact.yml" }, { "title": "Legitimate Application Dropped Executable", "id": "f0540f7e-2db3-4432-b9e0-3965486744bc", "status": "experimental", "description": "Detects programs on a Windows system that should not write executables to disk", "author": "frack113, Florian Roth", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msaccess.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\eqnedt32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\visio.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wordview.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certutil.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\certoc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CertReq.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Desktopimgdownldr.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\finger.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AcroRd32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RdrCEF.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\hh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\'))" ], "filename": "file_event_win_legitimate_app_dropping_exe.yml" }, { "title": "PSEXEC Remote Execution File Artefact", "id": "304afd73-55a5-4bb9-8c21-0b1fc84ea9e4", "status": "experimental", "description": "Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.lateral_movement", "attack.privilege_escalation", "attack.execution", "attack.persistence", "attack.t1136.002", "attack.t1543.003", "attack.t1570", "attack.s0029" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE 'C:\\\\Windows\\\\PSEXEC-%' ESCAPE '\\' AND TargetFilename LIKE '%.key' ESCAPE '\\')" ], "filename": "file_event_win_psexec_service_key.yml" }, { "title": "NPPSpy Hacktool Usage", "id": "cad1fe90-2406-44dc-bd03-59d0b58fe722", "status": "test", "description": "Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\NPPSpy.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\NPPSpy.dll' ESCAPE '\\'))" ], "filename": "file_event_win_hktl_nppspy.yml" }, { "title": "GatherNetworkInfo.VBS Reconnaissance Script Output", "id": "f92a6f1e-a512-4a15-9735-da09e78d7273", "status": "experimental", "description": "Detects creation of files which are the results of executing the built-in reconnaissance script \"C:\\Windows\\System32\\gatherNetworkInfo.vbs\".", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Hotfixinfo.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\netiostate.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sysportslog.txt' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VmSwitchLog.evtx' ESCAPE '\\'))" ], "filename": "file_event_win_lolbin_gather_network_info_script_output.yml" }, { "title": "Suspicious LNK Double Extension Files", "id": "3215aa19-f060-4332-86d5-5602511f3ca8", "status": "experimental", "description": "Detects dropped files with LNK double extension, which is often used by malware as a method to abuse the fact that windows hide default extensions by default.", "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", "attack.t1036.007" ], "falsepositives": [ "Users creating a shortcut on e.g. desktop" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%.lnk' ESCAPE '\\' AND (TargetFilename LIKE '%.doc.%' ESCAPE '\\' OR TargetFilename LIKE '%.docx.%' ESCAPE '\\' OR TargetFilename LIKE '%.xls.%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx.%' ESCAPE '\\' OR TargetFilename LIKE '%.ppt.%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx.%' ESCAPE '\\' OR TargetFilename LIKE '%.jpg.%' ESCAPE '\\' OR TargetFilename LIKE '%.pdf.%' ESCAPE '\\')) AND NOT (((TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\PowerPoint%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word%' ESCAPE '\\')))" ], "filename": "file_event_win_susp_lnk_double_extension.yml" }, { "title": "Creation of an Executable by an Executable", "id": "297afac9-5d02-4138-8c58-b977bac60556", "status": "experimental", "description": "Detects the creation of an executable by another executable", "author": "frack113", "tags": [ "attack.resource_development", "attack.t1587.001" ], "falsepositives": [ "Software installers", "Update utilities", "32bit applications launching their 64bit versions" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (NewProcessName LIKE '%.exe' ESCAPE '\\' AND TargetFilename LIKE '%.exe' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\cleanmgr.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\dxgiadaptercache.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\Dism.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%:\\\\WUDownloadCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WindowsUpdateBox.exe%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\WindowsUpdateBox.Exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\Microsoft\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Squirrel.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\SquirrelTemp\\\\tempb\\\\' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\assembly\\\\NativeImages\\_%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.vscode\\\\extensions\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\Update.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\SquirrelTemp\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\%' ESCAPE '\\')))" ], "filename": "file_event_win_susp_dropper.yml" }, { "title": "CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum", "id": "ad7085ac-92e4-4b76-8ce2-276d2c0e68ef", "status": "test", "description": "Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum", "author": "Sittikorn S", "tags": [ "attack.credential_access", "attack.t1566", "attack.t1203", "cve.2021.33771", "cve.2021.31979" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\physmem.sys%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\System32\\\\IME\\\\IMEJP\\\\imjpueact.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\IMTCPROT.DLL%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\imecpmeid.dll%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\spp\\\\ServiceState\\\\Recovery\\\\pac.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\cy-GB\\\\Setup\\\\SKB\\\\InputMethod\\\\TupTask.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\config\\\\config\\\\startwus.dat%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\SHARED\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMEJP\\\\WimBootConfigurations.ini%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Windows\\\\system32\\\\ime\\\\IMETC\\\\WimBootConfigurations.ini%' ESCAPE '\\'))" ], "filename": "file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml" }, { "title": "Suspicious Executable File Creation", "id": "74babdd6-a758-4549-9632-26535279e654", "status": "experimental", "description": "Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1564" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((TargetFilename LIKE '%.bat.exe' ESCAPE '\\' OR TargetFilename LIKE '%.sys.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$Recycle.Bin.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Documents and Settings.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\MSOCache.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Recovery.exe' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\PerfLogs.exe' ESCAPE '\\')))" ], "filename": "file_event_win_susp_executable_creation.yml" }, { "title": "Suspicious File Created Via OneNote Application", "id": "fcc6d700-68d9-4241-9a1a-06874d621b06", "status": "experimental", "description": "Detects suspicious files created via the OneNote application. This could indicate a potential malicious \".one\"/\".onepkg\" file was executed as seen being used in malware activity in the wild", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "False positives should be very low with the extensions list cited. Especially if you don't heavily utilize OneNote.", "Occasional FPs might occur if OneNote is used internally to share different embedded documents" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenotem.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\') AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\OneNote\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.chm' ESCAPE '\\' OR TargetFilename LIKE '%.cmd' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.hta' ESCAPE '\\' OR TargetFilename LIKE '%.htm' ESCAPE '\\' OR TargetFilename LIKE '%.html' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.wsf' ESCAPE '\\'))" ], "filename": "file_event_win_office_onenote_susp_dropped_files.yml" }, { "title": "UAC Bypass Using IEInstal - File", "id": "bdd8157d-8e85-4397-bb82-f06cc9c71dbb", "status": "test", "description": "Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\IEInstal.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%consent.exe' ESCAPE '\\')" ], "filename": "file_event_win_uac_bypass_ieinstal.yml" }, { "title": "Suspicious Interactive PowerShell as SYSTEM", "id": "5b40a734-99b6-4b98-a1d0-1cea51a08ab2", "status": "experimental", "description": "Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Administrative activity", "PowerShell scripts running as SYSTEM user" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\PowerShell\\\\PSReadLine\\\\ConsoleHost\\_history.txt' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\PowerShell\\\\StartupProfileData-Interactive' ESCAPE '\\'))" ], "filename": "file_event_win_susp_system_interactive_powershell.yml" }, { "title": "GoToAssist Temporary Installation Artefact", "id": "5d756aee-ad3e-4306-ad95-cb1abec48de2", "status": "test", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\LogMeInInc\\\\GoToAssist Remote Support Expert\\\\%' ESCAPE '\\')" ], "filename": "file_event_win_gotoopener_artefact.yml" }, { "title": "BloodHound Collection Files", "id": "02773bed-83bf-469f-b7ff-e676e7d78bab", "status": "experimental", "description": "Detects default file names outputted by the BloodHound collection tool SharpHound", "author": "C.J. May", "tags": [ "attack.discovery", "attack.t1087.001", "attack.t1087.002", "attack.t1482", "attack.t1069.001", "attack.t1069.002", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Some false positives may arise in some environment and this may require some tuning. Add addional filters or reduce level depending on the level of noise" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%BloodHound.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\_computers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_containers.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_domains.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_gpos.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_groups.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_ous.json' ESCAPE '\\' OR TargetFilename LIKE '%\\_users.json' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\pocket\\_containers.json' ESCAPE '\\')))" ], "filename": "file_event_win_bloodhound_collection.yml" }, { "title": "VsCode Powershell Profile Modification", "id": "3a9fa2ec-30bc-4ebd-b49e-7c9cff225502", "status": "experimental", "description": "Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1546.013" ], "falsepositives": [ "Legitimate use of the profile by developers or administrators" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\Microsoft.VSCode\\_profile.ps1' ESCAPE '\\')" ], "filename": "file_event_win_susp_vscode_powershell_profile.yml" }, { "title": "Suspicious Get-Variable.exe Creation", "id": "0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b", "status": "experimental", "description": "Get-Variable is a valid PowerShell cmdlet\nWindowsApps is by default in the path where PowerShell is executed.\nSo when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.\n", "author": "frack113", "tags": [ "attack.persistence", "attack.t1546", "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%Local\\\\Microsoft\\\\WindowsApps\\\\Get-Variable.exe' ESCAPE '\\')" ], "filename": "file_event_win_susp_get_variable.yml" }, { "title": "Suspicious Desktopimgdownldr Target File", "id": "fc4f4817-0c53-4683-a4ee-b17a64bc1039", "status": "test", "description": "Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1105" ], "falsepositives": [ "False positives depend on scripts and administrative tools used in the monitored environment" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Personalization\\\\LockScreenImage\\\\%' ESCAPE '\\') AND NOT (TargetFilename LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%.jpg%' ESCAPE '\\' OR TargetFilename LIKE '%.jpeg%' ESCAPE '\\' OR TargetFilename LIKE '%.png%' ESCAPE '\\')))" ], "filename": "file_event_win_susp_desktopimgdownldr_file.yml" }, { "title": "Malicious PowerShell Scripts - FileCreation", "id": "f331aa1f-8c53-4fc3-b083-cc159bc971cb", "status": "test", "description": "Detects the creation of known offensive powershell scripts used for exploitation", "author": "Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((TargetFilename LIKE '%\\\\Add-ConstrainedDelegationBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-RemoteRegBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Add-ScrnSaveBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AzureADRecon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Check-VM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ConvertTo-ROT13.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Copy-VSS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Create-MultipleSessions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DNS\\_TXT\\_Pwnage.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Do-Exfiltration.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\DomainPasswordSpray.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download\\_Execute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Download-Execute-PS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enable-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Enabled-DuplicateToken.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-Command-MSSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-DNSTXT-Code.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Execute-OnTime.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ExetoText.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Exploit-Jboss.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-AVSignature.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-Fruit.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-GPOLocation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Find-TrustedDocuments.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireBuster.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\FireListener.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ApplicationHost.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ChromeDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ClipboardContents.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ComputerDetail.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-FoxDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPAutologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-GPPPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-IndexedItem.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Keystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-LSASecret.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-MicrophoneAudio.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHashes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-PassHints.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAlwaysInstallElevated.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RegAutoLogon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-RickAstley.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Screenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SecurityPackages.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceFilePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServicePermission.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-ServiceUnquoted.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-SiteListPassword.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-System.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-TimedScreenshot.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-UnattendedInstallFile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-Unconstrained.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-USBKeystrokes.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VaultCredential.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnAutoRun.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-VulnSchTask.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebConfig.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WebCredentials.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Get-WLAN-Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Gupt-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\HTTP-Login.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-ServiceBinary.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Install-SSP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ACLScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ADSBackdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-AmsiBypass.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ARPScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BackdoorLNK.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BadPotato.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BetterSafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BruteForce.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-BypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Carbuncle.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Certify.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ConPtyShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-CredentialsPhish.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DAFT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DCSync.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Decode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DinvokeKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DllInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DNSUpdate.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-DowngradeAccount.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EgressCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Encode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-EventViewer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Eyewitness.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-FakeLogonScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Farmer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Get-RBCD-Threaded.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Gopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper2.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Grouper3.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-HandleKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Interceptor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Internalmonologue.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Inveigh.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-InveighRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRegsvr.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-JSRatRundll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-KrbRelayUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-LdapSignCheck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Lockless.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MalSCCM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MimikatzWDigestDowngrade.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Mimikittenz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-MITM6.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NanoDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetRipper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NetworkRelay.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-NinjaCopy.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-OxidResolver.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-P0wnedshellx86.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Paranoia.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PortScan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PoshRatHttps.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PostExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellIcmp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTCP.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellTcpOneLineBind.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellUdpOneLine.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerShellWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PowerThIEf.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PPLDump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Prasadhak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsGcatAgent.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PSInject.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-PsUaCme.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReflectivePEInjection.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ReverseDNSLookup.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Rubeus.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-RunAs.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SafetyKatz.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SauronEye.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SCShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Seatbelt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ServiceAbuse.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SessionGopher.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ShellCode.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SMBScanner.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Snaffler.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Spoolsample.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSHCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-SSIDExfil.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StandIn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-StickyNotesExtract.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tater.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Thunderfox.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-ThunderStruck.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TokenManipulation.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Tokenvator.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-TotalExec.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UrbanBishop.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-UserHunter.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-VoiceTroll.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Whisker.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WinEnum.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-winPEAS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WireTap.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WmiCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-WScriptBypassUAC.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Invoke-Zerologon.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Keylogger.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\MailRaider.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\New-HoneyHash.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\OfficeMemScraper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Offline\\_Winpwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-CHM.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-DnsTxt.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Excel.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-HTA.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Java.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-JS.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Minidump.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-RundllCommand.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCF.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-SCT.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Shortcut.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-WebQuery.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Out-Word.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Parse\\_Keys.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Port-Scan.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerBreach.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powercat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Powermad.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerRunAsSystem.psm1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerSharpPack.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUp.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerUpSQL.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerView.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PSAsyncShell.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RemoteHashRetrieval.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Persistence.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-PoshRat.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Remove-Update.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Run-EXEonRemote.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Schtasks-Backdoor.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-DCShadowPermissions.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-MacAttribute.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemotePSRemoting.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-RemoteWMI.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Set-Wallpaper.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Show-TargetScreen.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Speak.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-CaptureServer.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start-WebcamRecorder.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\StringToBase64.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TexttoExe.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\VolumeShadowCopyTools.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinPwn.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSUSpendu.ps1' ESCAPE '\\') OR (TargetFilename LIKE '%Invoke-Sharp%' ESCAPE '\\' AND TargetFilename LIKE '%.ps1' ESCAPE '\\')))" ], "filename": "file_event_win_powershell_exploit_scripts.yml" }, { "title": "LSASS Process Dump Artefact In CrashDumps Folder", "id": "6902955a-01b7-432c-b32a-6f5f81d8f625", "status": "experimental", "description": "Detects the presence of an LSASS dump file in the \"CrashDumps\" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.", "author": "@pbssubhash", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Rare legitimate dump of the process by the operating system due to a crash of lsass" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%lsass.exe.%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp' ESCAPE '\\')" ], "filename": "file_event_win_lsass_shtinkering.yml" }, { "title": "Process Explorer Driver Creation By Non-Sysinternals Binary", "id": "de46c52b-0bf8-4936-a327-aace94f94ac6", "status": "experimental", "description": "Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself.\nHack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.\n", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1068" ], "falsepositives": [ "Some false positives may occur with legitimate renamed process explorer binaries" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\PROCEXP%' ESCAPE '\\' AND TargetFilename LIKE '%.sys' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\'))))" ], "filename": "file_event_win_sysinternals_procexp_driver_susp_creation.yml" }, { "title": "PowerShell Profile Modification", "id": "b5b78988-486d-4a80-b991-930eff3ff8bf", "status": "test", "description": "Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence", "author": "HieuTT35, Nasreddine Bencherchali", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1546.013" ], "falsepositives": [ "System administrator creating Powershell profile manually" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\Microsoft.PowerShell\\_profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WindowsPowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\PowerShell\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\profile.ps1' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Program Files\\\\PowerShell\\\\7\\\\profile.ps1' ESCAPE '\\'))" ], "filename": "file_event_win_susp_powershell_profile.yml" }, { "title": "New Shim Database Created in the Default Directory", "id": "ee63c85c-6d51-4d12-ad09-04e25877a947", "status": "test", "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", "author": "frack113", "tags": [ "attack.persistence", "attack.t1547.009" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%.sdb' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\apppatch\\\\Custom\\\\%' ESCAPE '\\')" ], "filename": "file_event_win_creation_new_shim_database.yml" }, { "title": "Office Macro File Creation", "id": "91174a41-dc8f-401b-be89-7bfc140612a0", "status": "experimental", "description": "Detects the creation of a new office macro files on the systems", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.initial_access", "attack.t1566.001" ], "falsepositives": [ "Very common in environments that rely heavily on macro documents" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\'))" ], "filename": "file_event_win_office_macro_files_created.yml" }, { "title": "LSASS Memory Dump File Creation", "id": "5e3d3601-0662-4af0-b1d2-36a05e90c40a", "status": "test", "description": "LSASS memory dump creation using operating systems utilities. Procdump will use process name in output file if no name is specified", "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Dumping lsass memory for forensic investigation purposes by legitimate incident responder or forensic invetigator", "Dumps of another process that contains lsass in its process name (substring)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%lsass%' ESCAPE '\\' AND TargetFilename LIKE '%dmp' ESCAPE '\\')" ], "filename": "file_event_win_lsass_memory_dump_file_creation.yml" }, { "title": "Wmiexec Default Output File", "id": "8d5aca11-22b3-4f22-b7ba-90e60533e1fb", "status": "experimental", "description": "Detects the creation of the default output filename used by the wmiexec tool", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.lateral_movement", "attack.t1047" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename REGEXP '\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'C:\\\\__1\\d{9}\\.\\d{1,7}$' OR TargetFilename REGEXP 'D:\\\\__1\\d{9}\\.\\d{1,7}$'))" ], "filename": "file_event_win_wmiexec_default_filename.yml" }, { "title": "PsExec Service File Creation", "id": "259e5a6a-b8d2-4c38-86e2-26c5e651361d", "status": "test", "description": "Detects default PsExec service filename which indicates PsExec service installation and execution", "author": "Thomas Patzke", "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\')" ], "filename": "file_event_win_tool_psexec.yml" }, { "title": "RDP File Creation From Suspicious Application", "id": "fccfb43e-09a7-4bd2-8b37-a5a7df33386d", "status": "experimental", "description": "Detects Rclone config file being created", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chromium.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\microsoftedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Whale.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Discord.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Keybase.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msteams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Slack.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\teams.exe' ESCAPE '\\') AND TargetFilename LIKE '%.rdp%' ESCAPE '\\')" ], "filename": "file_event_win_rdp_file_susp_creation.yml" }, { "title": "File Creation In Suspicious Directory By Msdt.EXE", "id": "318557a5-150c-4c8d-b70e-a9910e199857", "status": "experimental", "description": "Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities", "author": "Vadim Varganov, Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1547.001", "cve.2022.30190" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], "filename": "file_event_win_msdt_susp_directories.yml" }, { "title": "Creation Exe for Service with Unquoted Path", "id": "8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9", "status": "test", "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n", "author": "frack113", "tags": [ "attack.persistence", "attack.t1547.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE 'C:\\\\program.exe' ESCAPE '\\')" ], "filename": "file_event_win_creation_unquoted_service_path.yml" }, { "title": "Office Macro File Download", "id": "0e29e3a7-1ad8-40aa-b691-9f82ecd33d66", "status": "experimental", "description": "Detects the creation of a new office macro files on the systems via an application (browser, mail client).", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.initial_access", "attack.t1566.001" ], "falsepositives": [ "Legitimate macro files downloaded from the internet", "Legitimate macro files sent as attachments via emails" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (NewProcessName LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thunderbird.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MicrosoftEdge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\') AND ((TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.potm' ESCAPE '\\' OR TargetFilename LIKE '%.pptm' ESCAPE '\\') OR (TargetFilename LIKE '%.docm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dotm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xltm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.potm:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.pptm:Zone%' ESCAPE '\\')))" ], "filename": "file_event_win_office_macro_files_downloaded.yml" }, { "title": "Suspicious NTDS.DIT Creation", "id": "4e7050dd-e548-483f-b7d6-527ab4fa784d", "status": "test", "description": "Detects suspicious creations of a file named \"ntds.dit\" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND ((ParentProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\php-cgi.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\nginx.exe' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\httpd.exe' ESCAPE '\\') OR (ParentProcessName LIKE '%\\\\apache%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\tomcat%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR ParentProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\')))" ], "filename": "file_event_win_ntds_dit.yml" }, { "title": "Office Template Creation", "id": "0e20c89d-2264-44ae-8238-aeeaba609ece", "status": "experimental", "description": "Detects creation of template files for Microsoft Office from outside Office", "author": "Max Altgelt (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1137" ], "falsepositives": [ "Loading a user environment from a backup or a domain controller", "Synchronization of templates" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (((TargetFilename LIKE '%.dot' ESCAPE '\\' OR TargetFilename LIKE '%.dotm' ESCAPE '\\' OR TargetFilename LIKE '%.doc' ESCAPE '\\' OR TargetFilename LIKE '%.docm' ESCAPE '\\' OR TargetFilename LIKE '%.docx' ESCAPE '\\' OR TargetFilename LIKE '%.rtf' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup%' ESCAPE '\\') OR ((TargetFilename LIKE '%.xlt' ESCAPE '\\' OR TargetFilename LIKE '%.xltm' ESCAPE '\\' OR TargetFilename LIKE '%.xls' ESCAPE '\\' OR TargetFilename LIKE '%.xlsm' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\WINWORD.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\EXCEL.exe' ESCAPE '\\')))" ], "filename": "file_event_win_word_template_creation.yml" }, { "title": "OneNote Attachment File Dropped In Suspicious Location", "id": "7fd164ba-126a-4d9c-9392-0d4f7c243df0", "status": "experimental", "description": "Detects creation of files with the \".one\"/\".onepkg\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Legitimate usage of \".one\" or \".onepkg\" files from those locations" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (TargetFilename LIKE '%.one' ESCAPE '\\' OR TargetFilename LIKE '%.onepkg' ESCAPE '\\'))" ], "filename": "file_event_win_office_onenote_files_in_susp_locations.yml" }, { "title": "DLL Search Order Hijackig Via Additional Space in Path", "id": "b6f91281-20aa-446a-b986-38a92813a18f", "status": "experimental", "description": "Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...)\nbut with a space in order to trick DLL load search order and perform a \"DLL Search Order Hijacking\" attack\n", "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE 'C:\\\\Windows \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files \\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Program Files (x86) \\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.dll' ESCAPE '\\')" ], "filename": "file_event_win_dll_sideloading_space_path.yml" }, { "title": "Suspicious desktop.ini Action", "id": "81315b50-6b60-4d8f-9928-3466e1022515", "status": "test", "description": "Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", "author": "Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "tags": [ "attack.persistence", "attack.t1547.009" ], "falsepositives": [ "Operations performed through Windows SCCM or equivalent", "Read only access list authority" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\desktop.ini' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\JetBrains\\\\Toolbox\\\\bin\\\\7z.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\JetBrains\\\\apps\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\NewOS\\\\%' ESCAPE '\\')))" ], "filename": "file_event_win_susp_desktop_ini.yml" }, { "title": "WerFault LSASS Process Memory Dump", "id": "c3e76af5-4ce0-4a14-9c9a-25ceb8fda182", "status": "experimental", "description": "Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\WerFault.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\lsass%' ESCAPE '\\' OR TargetFilename LIKE '%lsass.exe%' ESCAPE '\\'))" ], "filename": "file_event_win_lsass_werfault_dump.yml" }, { "title": "Suspicious PFX File Creation", "id": "dca1b3e8-e043-4ec8-85d7-867f334b5724", "status": "test", "description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.credential_access", "attack.t1552.004" ], "falsepositives": [ "System administrators managing certififcates." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%.pfx' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%\\\\Templates\\\\Windows\\\\Windows\\_TemporaryKey.pfx%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\CMake\\\\%' ESCAPE '\\')))" ], "filename": "file_event_win_susp_pfx_file_creation.yml" }, { "title": "Suspicious ADSI-Cache Usage By Unknown Tool", "id": "75bf09fa-1dd7-4d18-9af9-dd9e492562eb", "status": "test", "description": "Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.", "author": "xknow @xknow_infosec, Tim Shelton", "tags": [ "attack.t1001.003", "attack.command_and_control" ], "falsepositives": [ "Other legimate tools, which do ADSI (LDAP) operations, e.g. any remoting activity by MMC, Powershell, Windows etc." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\Local\\\\Microsoft\\\\Windows\\\\SchCache\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.sch' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\mmc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceSvc.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\ccmsetup\\\\autoupgrade\\\\ccmsetup%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent%' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\LANDesk\\\\LDCLient\\\\ldapwhoami.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\efsui.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\dsac.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Program Files\\\\Citrix\\\\Receiver StoreFront\\\\Services\\\\DefaultDomainServices\\\\Citrix.DeliveryServices.DomainServices.ServiceHost.exe' ESCAPE '\\')))" ], "filename": "file_event_win_susp_adsi_cache_usage.yml" }, { "title": "CVE-2021-26858 Exchange Exploitation", "id": "b06335b3-55ac-4b41-937e-16b7f5d57dfd", "status": "test", "description": "Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for \ncreation of non-standard files on disk by Exchange Server’s Unified Messaging service\nwhich could indicate dropping web shells or other malicious content\n", "author": "Bhabesh Raj", "tags": [ "attack.t1203", "attack.execution", "cve.2021.26858" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%UMWorkerProcess.exe' ESCAPE '\\' AND NOT ((TargetFilename LIKE '%CacheCleanup.bin' ESCAPE '\\' OR TargetFilename LIKE '%.txt' ESCAPE '\\' OR TargetFilename LIKE '%.LOG' ESCAPE '\\' OR TargetFilename LIKE '%.cfg' ESCAPE '\\' OR TargetFilename LIKE '%cleanup.bin' ESCAPE '\\')))" ], "filename": "file_event_win_cve_2021_26858_msexchange.yml" }, { "title": "Created Files by Microsoft Sync Center", "id": "409f8a98-4496-4aaa-818a-c931c0a8b832", "status": "experimental", "description": "This rule detects suspicious files created by Microsoft Sync Center (mobsync)", "author": "elhoim", "tags": [ "attack.t1055", "attack.t1218", "attack.execution", "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%\\\\mobsync.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\'))" ], "filename": "file_event_win_susp_creation_by_mobsync.yml" }, { "title": "Suspicious File Drop by Exchange", "id": "6b269392-9eba-40b5-acb6-55c882b20ba6", "status": "experimental", "description": "Detects suspicious file type dropped by an Exchange component in IIS", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1190", "attack.initial_access", "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%\\\\w3wp.exe' ESCAPE '\\' AND CommandLine LIKE '%MSExchange%' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\' OR TargetFilename LIKE '%.ashx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" ], "filename": "file_event_win_exchange_webshell_drop_suspicious.yml" }, { "title": "Publisher Attachment File Dropped In Suspicious Location", "id": "3d2a2d59-929c-4b78-8c1a-145dfe9e07b1", "status": "experimental", "description": "Detects creation of files with the \".pub\" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Legitimate usage of \".pub\" files from those locations" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND TargetFilename LIKE '%.pub' ESCAPE '\\')" ], "filename": "file_event_win_office_publisher_files_in_susp_locations.yml" }, { "title": "Potential SAM Database Dump", "id": "4e87b8e2-2ee9-4b2a-a715-4727d297ece0", "status": "experimental", "description": "Detects the creation of files that look like exports of the local SAM (Security Account Manager)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.002" ], "falsepositives": [ "Rare cases of administrative activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((TargetFilename LIKE '%\\\\Temp\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.sav' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Intel\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.hive' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Perflogs\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ProgramData\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Users\\\\Public\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\sam' ESCAPE '\\' OR TargetFilename LIKE '%\\_ShadowSteal.zip' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Documents\\\\SAM.export' ESCAPE '\\' OR TargetFilename LIKE '%:\\\\sam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\hive\\_sam\\_%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.export%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\~reg\\_sam.save%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam\\_backup%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.bck%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sam.backup%' ESCAPE '\\')))" ], "filename": "file_event_win_sam_dump.yml" }, { "title": "Potential Persistence Via Notepad++ Plugins", "id": "54127bd4-f541-4ac3-afdb-ea073f63f692", "status": "experimental", "description": "Detects creation of new \".dll\" files inside the plugins directory of a notepad++ installation by a process other than \"gup.exe\". Which could indicates possible persistence", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Possible FPs during first installation of Notepad++", "Legitimate use of custom plugins by users in order to enhance notepad++ functionalities" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\Notepad++\\\\plugins\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\Notepad++\\\\updater\\\\gup.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\target.exe' ESCAPE '\\' OR NewProcessName LIKE '%Installer.x64.exe' ESCAPE '\\'))))" ], "filename": "file_event_win_notepad_plus_plus_persistence.yml" }, { "title": "Suspicious PROCEXP152.sys File Created In TMP", "id": "3da70954-0f2c-4103-adff-b7440368f50e", "status": "test", "description": "Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder.\nThis driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.\n", "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ "attack.t1562.001", "attack.defense_evasion" ], "falsepositives": [ "Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%PROCEXP152.sys' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\procexp64.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon64.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon.exe%' ESCAPE '\\')))" ], "filename": "file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml" }, { "title": "SafetyKatz Default Dump Filename", "id": "e074832a-eada-4fd7-94a1-10642b130e16", "status": "test", "description": "Detects default lsass dump filename from SafetyKatz", "author": "Markus Neis", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Rare legitimate files with similar filename structure" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\Temp\\\\debug.bin' ESCAPE '\\')" ], "filename": "file_event_win_hktl_safetykatz.yml" }, { "title": "Suspicious Binary Writes Via AnyDesk", "id": "2d367498-5112-4ae5-a06a-96e7bc33a211", "status": "experimental", "description": "Detects AnyDesk writing binary files to disk other than \"gcapi.dll\".\nAccording to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,\nwhich is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (NewProcessName LIKE '%\\\\anydesk.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\\\gcapi.dll' ESCAPE '\\')))" ], "filename": "file_event_win_anydesk_writing_susp_binaries.yml" }, { "title": "Potential DCOM InternetExplorer.Application DLL Hijack", "id": "2f7979ae-f82b-45af-ac1d-2b10e93b0baa", "status": "test", "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class over the network", "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ "attack.lateral_movement", "attack.t1021.002", "attack.t1021.003" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName = 'System' AND TargetFilename LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], "filename": "file_event_win_dcom_iertutil_dll_hijack.yml" }, { "title": "Potential Persistence Via Microsoft Office Add-In", "id": "8e1cb247-6cf6-42fa-b440-3f27d57e9936", "status": "test", "description": "Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).", "author": "NVISO", "tags": [ "attack.persistence", "attack.t1137.006" ], "falsepositives": [ "Legitimate add-ins" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((TargetFilename LIKE '%\\\\Microsoft\\\\Word\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.wll' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Excel\\\\Startup\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xll' ESCAPE '\\') OR (TargetFilename LIKE '%Microsoft\\\\Excel\\\\XLSTART\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.xlam' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\Microsoft\\\\Addins\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.xlam' ESCAPE '\\' OR TargetFilename LIKE '%.xla' ESCAPE '\\' OR TargetFilename LIKE '%.ppam' ESCAPE '\\'))))" ], "filename": "file_event_win_office_addin_persistence.yml" }, { "title": "UAC Bypass Using Consent and Comctl32 - File", "id": "62ed5b55-f991-406a-85d9-e8e8fdf18789", "status": "test", "description": "Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.@%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], "filename": "file_event_win_uac_bypass_consent_comctl32.yml" }, { "title": "WScript or CScript Dropper - File", "id": "002bdb95-0cf1-46a6-9e08-d38c128a6127", "status": "experimental", "description": "Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe", "author": "Tim Shelton", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\') AND (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\ProgramData%' ESCAPE '\\') AND (TargetFilename LIKE '%.jse' ESCAPE '\\' OR TargetFilename LIKE '%.vbe' ESCAPE '\\' OR TargetFilename LIKE '%.js' ESCAPE '\\' OR TargetFilename LIKE '%.vba' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\'))" ], "filename": "file_event_win_cscript_wscript_dropper.yml" }, { "title": "EVTX Created In Uncommon Location", "id": "65236ec7-ace0-4f0c-82fd-737b04fd4dcb", "status": "experimental", "description": "Detects the creation of new files with the \".evtx\" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls", "author": "D3F7A5105", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ "Admin activity", "Backup activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%.evtx' ESCAPE '\\' AND NOT ((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Containers\\\\BaseImages\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\System32\\\\winevt\\\\Logs\\\\' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\dllhost.exe' ESCAPE '\\'))))" ], "filename": "file_event_win_create_evtx_non_common_locations.yml" }, { "title": "Dumpert Process Dumper Default File", "id": "93d94efc-d7ad-4161-ad7d-1638c4f908d8", "status": "test", "description": "Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Very unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\dumpert.dmp' ESCAPE '\\')" ], "filename": "file_event_win_hktl_dumpert.yml" }, { "title": "Potential Winnti Dropper Activity", "id": "130c9e58-28ac-4f83-8574-0a4cc913b97e", "status": "test", "description": "Detects files dropped by Winnti as described in RedMimicry Winnti playbook", "author": "Alexander Rausch", "tags": [ "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\gthread-3.6.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sigcmm-2.4.dll' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Windows\\\\Temp\\\\tmp.bat' ESCAPE '\\'))" ], "filename": "file_event_win_redmimicry_winnti_filedrop.yml" }, { "title": "CVE-2022-24527 Microsoft Connected Cache LPE", "id": "e0a41412-c69a-446f-8e6e-0e6d7483dad7", "status": "experimental", "description": "Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1059.001", "cve.2022.24527" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%WindowsPowerShell\\\\Modules\\\\webAdministration\\\\webAdministration.psm1' ESCAPE '\\' AND NOT ((User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')))" ], "filename": "file_event_win_cve_2022_24527_lpe.yml" }, { "title": "ISO or Image Mount Indicator in Recent Files", "id": "4358e5a5-7542-4dcb-b9f3-87667371839b", "status": "test", "description": "Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.\nThis can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.\n", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Cases in which a user mounts an image file for legitimate reasons" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%.iso.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.img.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhd.lnk' ESCAPE '\\' OR TargetFilename LIKE '%.vhdx.lnk' ESCAPE '\\') AND TargetFilename LIKE '%\\\\Microsoft\\\\Windows\\\\Recent\\\\%' ESCAPE '\\')" ], "filename": "file_event_win_iso_file_recent.yml" }, { "title": "InstallerFileTakeOver LPE CVE-2021-41379 File Create Event", "id": "3be82d5d-09fe-4d6a-a275-0d40d234d324", "status": "test", "description": "Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1068" ], "falsepositives": [ "Unknown", "Possibly some Microsoft Edge upgrades" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\elevation\\_service.exe' ESCAPE '\\')" ], "filename": "file_event_win_cve_2021_41379_msi_lpe.yml" }, { "title": "Rclone Config File Creation", "id": "34986307-b7f4-49be-92f3-e7a4d01ac5db", "status": "test", "description": "Detects Rclone config file being created", "author": "Aaron Greetham (@beardofbinary) - NCC Group", "tags": [ "attack.exfiltration", "attack.t1567.002" ], "falsepositives": [ "Legitimate Rclone usage (rare)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\.config\\\\rclone\\\\%' ESCAPE '\\')" ], "filename": "file_event_win_rclone_exec_file.yml" }, { "title": "PCRE.NET Package Temp Files", "id": "6e90ae7a-7cd3-473f-a035-4ebb72d961da", "status": "test", "description": "Detects processes creating temp files related to PCRE.NET package", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" ], "filename": "file_event_win_pcre_net_temp_file.yml" }, { "title": "Suspicious MSExchangeMailboxReplication ASPX Write", "id": "7280c9f3-a5af-45d0-916a-bc01cb4151c9", "status": "test", "description": "Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.initial_access", "attack.t1190", "attack.persistence", "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%\\\\MSExchangeMailboxReplication.exe' ESCAPE '\\' AND (TargetFilename LIKE '%.aspx' ESCAPE '\\' OR TargetFilename LIKE '%.asp' ESCAPE '\\'))" ], "filename": "file_event_win_susp_exchange_aspx_write.yml" }, { "title": "QuarksPwDump Dump File", "id": "847def9e-924d-4e90-b7c4-5f581395a2b4", "status": "test", "description": "Detects a dump file written by QuarksPwDump password dumper", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM-%' ESCAPE '\\' AND TargetFilename LIKE '%.dmp%' ESCAPE '\\')" ], "filename": "file_event_win_hktl_quarkspw_filedump.yml" }, { "title": "Anydesk Temporary Artefact", "id": "0b9ad457-2554-44c1-82c2-d56a99c42377", "status": "test", "description": "An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.\nThese services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.\nRemote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\user.conf%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Roaming\\\\AnyDesk\\\\system.conf%' ESCAPE '\\') AND TargetFilename LIKE '%.temp' ESCAPE '\\')" ], "filename": "file_event_win_anydesk_artefact.yml" }, { "title": "Creation of an WerFault.exe in Unusual Folder", "id": "28a452f3-786c-4fd8-b8f2-bddbe9d616d1", "status": "experimental", "description": "Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking", "author": "frack113", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.t1574.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wer.dll' ESCAPE '\\') AND NOT ((TargetFilename LIKE '%\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinSxS\\\\%' ESCAPE '\\')))" ], "filename": "file_event_win_werfault_dll_hijacking.yml" }, { "title": "Suspicious Process Writes Ntds.dit", "id": "11b1ed55-154d-4e82-8ad7-83739298f720", "status": "experimental", "description": "Detects suspicious processes that write (copy) a Active Directory database (ntds.dit) file", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.002", "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE '%\\\\ntds.dit' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsl.exe' ESCAPE '\\'))" ], "filename": "file_event_win_susp_ntds_dit.yml" }, { "title": "Octopus Scanner Malware", "id": "805c55d9-31e6-4846-9878-c34c75054fe9", "status": "test", "description": "Detects Octopus Scanner Malware.", "author": "NVISO", "tags": [ "attack.t1195", "attack.t1195.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Cache134.dat' ESCAPE '\\' OR TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\ExplorerSync.db' ESCAPE '\\'))" ], "filename": "file_event_win_mal_octopus_scanner.yml" }, { "title": "Suspicious Creation TXT File in User Desktop", "id": "caf02a0a-1e1c-4552-9b48-5e070bd88d11", "status": "test", "description": "Ransomware create txt file in the user Desktop", "author": "frack113", "tags": [ "attack.impact", "attack.t1486" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.txt' ESCAPE '\\')" ], "filename": "file_event_win_susp_desktop_txt.yml" }, { "title": "Potential Binary Or Script Dropper Via PowerShell.EXE", "id": "7047d730-036f-4f40-b9d8-1c63e36d5e62", "status": "experimental", "description": "Detects PowerShell creating a binary executable or script file.", "author": "frack113", "tags": [ "attack.persistence" ], "falsepositives": [ "Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%\\_\\_PSScriptPolicyTest\\_%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "file_event_win_powershell_drop_binary.yml" }, { "title": "UAC Bypass Using MSConfig Token Modification - File", "id": "41bb431f-56d8-4691-bb56-ed34e390906f", "status": "test", "description": "Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\pkgmgr.exe' ESCAPE '\\')" ], "filename": "file_event_win_uac_bypass_msconfig_gui.yml" }, { "title": "Created Files by Office Applications", "id": "c7a74c80-ba5a-486e-9974-ab9e682bc5e4", "status": "experimental", "description": "This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.", "author": "Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)", "tags": [ "attack.t1204.002", "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\') AND (TargetFilename LIKE '%.exe' ESCAPE '\\' OR TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.ocx' ESCAPE '\\' OR TargetFilename LIKE '%.com' ESCAPE '\\' OR TargetFilename LIKE '%.ps1' ESCAPE '\\' OR TargetFilename LIKE '%.vbs' ESCAPE '\\' OR TargetFilename LIKE '%.sys' ESCAPE '\\' OR TargetFilename LIKE '%.bat' ESCAPE '\\' OR TargetFilename LIKE '%.scr' ESCAPE '\\' OR TargetFilename LIKE '%.proj' ESCAPE '\\')) AND NOT ((TargetFilename LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\WebServiceCache\\\\AllUsers%' ESCAPE '\\' AND TargetFilename LIKE '%.com' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\webexdelta\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%.dll' ESCAPE '\\' OR TargetFilename LIKE '%.exe' ESCAPE '\\')) OR (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\assembly\\\\tmp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.dll' ESCAPE '\\')))" ], "filename": "file_event_win_script_creation_by_office_using_file_ext.yml" }, { "title": "Files With System Process Name In Unsuspected Locations", "id": "d5866ddf-ce8f-4aea-b28e-d96485a20d3d", "status": "test", "description": "Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).", "author": "Sander Wiebing, Tim Shelton, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1036.005" ], "falsepositives": [ "System processes copied outside their default folders for testing purposes", "Third party software naming their software with the same names as the processes mentioned here" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND (TargetFilename LIKE '%\\\\AtBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\audiodg.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\backgroundTaskHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bitsadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmdl32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\conhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\csrss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dasHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dfrgui.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\dwm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventcreate.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\eventvwr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\explorer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\extrac32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\fontdrvhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ipconfig.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicli.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\iscsicpl.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\logman.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LogonUI.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\LsaIso.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsass.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\lsm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\msinfo32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\mstsc.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\nbtstat.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\odbcconf.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\powershell.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regini.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchFilterHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchIndexer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SearchProtocolHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthService.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\services.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\ShellAppRuntime.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\sihost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\smss.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\svchost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Taskmgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TiWorker.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\w32tm.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFault.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WerFaultSecure.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wermgr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wevtutil.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wininit.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WinRTNetMUAHostServer.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlanext.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wlrmdr.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\wslhost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WSReset.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WUDFHost.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\WWAHost.exe' ESCAPE '\\') AND NOT (((TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR TargetFilename LIKE '\\\\SystemRoot\\\\System32\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\Windows\\\\System32\\\\dism.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')) OR (TargetFilename LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\RuntimeBroker.exe' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wbengine.exe' ESCAPE '\\') OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\%' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetFilename LIKE '%\\\\bcdedit.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:Program Files\\\\WindowsApps\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wuauclt.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetFilename LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (TargetFilename LIKE 'C:\\\\Windows\\\\System32\\\\SecurityHealth\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\SecurityHealthSystray.exe' ESCAPE '\\' AND NewProcessName LIKE '%\\\\SecurityHealthSetup.exe' ESCAPE '\\')))" ], "filename": "file_event_win_creation_system_file.yml" }, { "title": "Suspicious Creation with Colorcpl", "id": "e15b518d-b4ce-4410-a9cd-501f23ce4a18", "status": "experimental", "description": "Once executed, colorcpl.exe will copy the arbitrary file to c:\\windows\\system32\\spool\\drivers\\color\\", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1564" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%\\\\colorcpl.exe' ESCAPE '\\' AND NOT (((TargetFilename LIKE '%.icm' ESCAPE '\\' OR TargetFilename LIKE '%.gmmp' ESCAPE '\\' OR TargetFilename LIKE '%.cdmp' ESCAPE '\\' OR TargetFilename LIKE '%.camp' ESCAPE '\\'))))" ], "filename": "file_event_win_susp_colorcpl.yml" }, { "title": "TeamViewer Remote Session", "id": "162ab1e4-6874-4564-853c-53ec3ab8be01", "status": "test", "description": "Detects the creation of log files during a TeamViewer remote session", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate uses of TeamViewer in an organisation" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((TargetFilename LIKE '%\\\\TeamViewer\\\\RemotePrinting\\\\tvprint.db' ESCAPE '\\' OR TargetFilename LIKE '%\\\\TeamViewer\\\\TVNetwork.log' ESCAPE '\\') OR (TargetFilename LIKE '%\\\\TeamViewer%' ESCAPE '\\' AND TargetFilename LIKE '%\\_Logfile.log%' ESCAPE '\\')))" ], "filename": "file_event_win_susp_teamviewer_remote_session.yml" }, { "title": "Potential Persistence Via Outlook Form", "id": "c3edc6a5-d9d4-48d8-930e-aab518390917", "status": "experimental", "description": "Detects the creation of a new Outlook form which can contain malicious code", "author": "Tobias Michalski (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1137.003" ], "falsepositives": [ "Legitimate use of outlook forms" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND (TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\FORMS\\\\IPM%' ESCAPE '\\' OR TargetFilename LIKE '%\\\\Local Settings\\\\Application Data\\\\Microsoft\\\\Forms%' ESCAPE '\\'))" ], "filename": "file_event_win_office_outlook_newform.yml" }, { "title": "Suspicious Word Cab File Write CVE-2021-40444", "id": "60c0a111-787a-4e8a-9262-ee485f3ef9d5", "status": "experimental", "description": "Detects file creation patterns noticeable during the exploitation of CVE-2021-40444", "author": "Florian Roth (Nextron Systems), Sittikorn S", "tags": [ "attack.resource_development", "attack.t1587" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '11' AND ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%.cab' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Windows\\\\INetCache%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%.inf%' ESCAPE '\\')) AND NOT (TargetFilename LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetFilename LIKE '%AppData\\\\Local\\\\Temp%' ESCAPE '\\' AND TargetFilename LIKE '%\\\\Content.inf' ESCAPE '\\'))" ], "filename": "file_event_win_winword_cve_2021_40444.yml" }, { "title": "Credential Dumping Tools Service Execution", "id": "df5ff0a5-f83f-4a5b-bba1-3e6a3f6f6ea2", "status": "test", "description": "Detects well-known credential dumping tools execution via service execution events", "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.credential_access", "attack.execution", "attack.t1003.001", "attack.t1003.002", "attack.t1003.004", "attack.t1003.005", "attack.t1003.006", "attack.t1569.002", "attack.s0005" ], "falsepositives": [ "Legitimate Administrator using credential dumping tool for password recovery" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND (ImageLoaded LIKE '%fgexec%' ESCAPE '\\' OR ImageLoaded LIKE '%dumpsvc%' ESCAPE '\\' OR ImageLoaded LIKE '%cachedump%' ESCAPE '\\' OR ImageLoaded LIKE '%mimidrv%' ESCAPE '\\' OR ImageLoaded LIKE '%gsecdump%' ESCAPE '\\' OR ImageLoaded LIKE '%servpw%' ESCAPE '\\' OR ImageLoaded LIKE '%pwdump%' ESCAPE '\\'))" ], "filename": "driver_load_win_mal_creddumper.yml" }, { "title": "WinDivert Driver Load", "id": "679085d5-f427-4484-9f58-1dc30a7c426d", "status": "experimental", "description": "Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.collection", "attack.defense_evasion", "attack.t1599.001", "attack.t1557.001" ], "falsepositives": [ "Legitimate WinDivert driver usage" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND ((ImageLoaded LIKE '%\\\\WinDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinDivert64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NordDivert.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lingtiwfp.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eswfp.sys%' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=0604bb7cb4bb851e2168d5c7d9399087%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2e5f0e649d97f32b03c09e4686d0574f%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=52f8aa269f69f0edad9e8fcdaedce276%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c0e5d314da39dbf65a2dbff409cc2c76%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=58623490691babe8330adc81cd04a663%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=8ee39b48656e4d6b8459d7ba7da7438b%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=45ee545ae77e8d43fc70ede9efcd4c96%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a1b2e245acd47e4a348e1a552a02859a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=2a5f85fe4609461c6339637594fa9b0a%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6b2c6f95233c2914d1d488ee27531acc%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9f2fdd3f9ab922bbb0560a7df46f4342%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=d8a719865c448b1bd2ec241e46ac1c88%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0ea54f8c9af4a2fe8367fa457f48ed38%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=9d519ae0a0864d6d6ae3f8b6c9c70af6%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a74929edfc3289895e3f2885278947ae%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=a66b476c2d06c370f0a53b5537f2f11e%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c28cd6ccd83179e79dac132a553693d9%' ESCAPE '\\') OR Imphash IN ('0604bb7cb4bb851e2168d5c7d9399087', '2e5f0e649d97f32b03c09e4686d0574f', '52f8aa269f69f0edad9e8fcdaedce276', 'c0e5d314da39dbf65a2dbff409cc2c76', '58623490691babe8330adc81cd04a663', '8ee39b48656e4d6b8459d7ba7da7438b', '45ee545ae77e8d43fc70ede9efcd4c96', 'a1b2e245acd47e4a348e1a552a02859a', '2a5f85fe4609461c6339637594fa9b0a', '6b2c6f95233c2914d1d488ee27531acc', '9f2fdd3f9ab922bbb0560a7df46f4342', 'd8a719865c448b1bd2ec241e46ac1c88', '0ea54f8c9af4a2fe8367fa457f48ed38', '9d519ae0a0864d6d6ae3f8b6c9c70af6', 'a74929edfc3289895e3f2885278947ae', 'a66b476c2d06c370f0a53b5537f2f11e', 'bdcd836a46bc2415773f6b5ea77a46e4', 'c28cd6ccd83179e79dac132a553693d9')))" ], "filename": "driver_load_win_windivert.yml" }, { "title": "Vulnerable Driver Load", "id": "7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8", "status": "experimental", "description": "Detects the load of known vulnerable drivers by hash value", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543.003", "attack.t1068" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND ((Hashes LIKE '%MD5=1b5c3c458e31bede55145d0644e88d75%' ESCAPE '\\' OR Hashes LIKE '%MD5=6f5d54ab483659ac78672440422ae3f1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c02f70960fa934b8defa16a03d7f6556%' ESCAPE '\\' OR Hashes LIKE '%MD5=839cbbc86453960e9eb6db814b776a40%' ESCAPE '\\' OR Hashes LIKE '%MD5=acac842a46f3501fe407b1db1b247a0b%' ESCAPE '\\' OR Hashes LIKE '%MD5=95e4c7b0384da89dce8ea6f31c3613d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=e700a820f117f65e813b216fccbf78c9%' ESCAPE '\\' OR Hashes LIKE '%MD5=96b463b6fa426ae42c414177af550ba2%' ESCAPE '\\' OR Hashes LIKE '%MD5=27bcbeec8a466178a6057b64bef66512%' ESCAPE '\\' OR Hashes LIKE '%MD5=70dcd07d38017b43f710061f37cb4a91%' ESCAPE '\\' OR Hashes LIKE '%MD5=db72def618cbc3c5f9aa82f091b54250%' ESCAPE '\\' OR Hashes LIKE '%MD5=83601bbe5563d92c1fdb4e960d84dc77%' ESCAPE '\\' OR Hashes LIKE '%MD5=5970e8de1b337ca665114511b9d10806%' ESCAPE '\\' OR Hashes LIKE '%MD5=49fe3d1f3d5c2e50a0df0f6e8436d778%' ESCAPE '\\' OR Hashes LIKE '%MD5=1493d342e7a36553c56b2adea150949e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f191abc652d8f7442ca2636725e1ed6%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ae30291c6cbfa7be39320badd6e8de0%' ESCAPE '\\' OR Hashes LIKE '%MD5=d104621c93213942b7b43d65b5d8d33e%' ESCAPE '\\' OR Hashes LIKE '%MD5=b89b097b8b8aecb8341d05136f334ebb%' ESCAPE '\\' OR Hashes LIKE '%MD5=14580bd59c55185115fd3abe73b016a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=992ded5b623be3c228f32edb4ca3f2d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=a26e600652c33dd054731b4693bf5b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f950cfd5ed8dd9de3de004f5416fe20%' ESCAPE '\\' OR Hashes LIKE '%MD5=491aec2249ad8e2020f9f9b559ab68a8%' ESCAPE '\\' OR Hashes LIKE '%MD5=e4266262a77fffdea2584283f6c4f51d%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd25be845c151370ff177509d95d5add%' ESCAPE '\\' OR Hashes LIKE '%MD5=9638f265b1ddd5da6ecdf5c0619dcbe6%' ESCAPE '\\' OR Hashes LIKE '%MD5=4e90cd77509738d30d3181a4d0880bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=0a6a1c9a7f80a2a5dcced5c4c0473765%' ESCAPE '\\' OR Hashes LIKE '%MD5=9aa7ed7809eec0d8bc6c545a1d18107a%' ESCAPE '\\' OR Hashes LIKE '%MD5=aa1ed3917928f04d97d8a217fe9b5cb1%' ESCAPE '\\' OR Hashes LIKE '%MD5=42f7cc4be348c3efd98b0f1233cf2d69%' ESCAPE '\\' OR Hashes LIKE '%MD5=4cc3ddd5ae268d9a154a426af2c23ef9%' ESCAPE '\\' OR Hashes LIKE '%MD5=2fed983ec44d1e7cffb0d516407746f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7cbbb5eb263ec9a35a1042f52e82ca4%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed6348707f177629739df73b97ba1b6e%' ESCAPE '\\' OR Hashes LIKE '%MD5=40bc58b7615d00eb55ad9ba700c340c1%' ESCAPE '\\' OR Hashes LIKE '%MD5=c3fea895fe95ea7a57d9f4d7abed5e71%' ESCAPE '\\' OR Hashes LIKE '%MD5=2128e6c044ee86f822d952a261af0b48%' ESCAPE '\\' OR Hashes LIKE '%MD5=3dbf69f935ea48571ea6b0f5a2878896%' ESCAPE '\\' OR Hashes LIKE '%MD5=c6f8983dd3d75640c072a8459b8fa55a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=79f7e6f98a5d3ab6601622be4471027f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bae1f127c4ff21d8fe45e2bbfc59c180%' ESCAPE '\\' OR Hashes LIKE '%MD5=c533d6d64b474ffc3169a0e0fc0a701a%' ESCAPE '\\' OR Hashes LIKE '%MD5=3f39f013168428c8e505a7b9e6cba8a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=748cf64b95ca83abc35762ad2c25458f%' ESCAPE '\\' OR Hashes LIKE '%MD5=bce7f34912ff59a3926216b206deb09f%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d8e4f38b36c334d0a32a7324832501d%' ESCAPE '\\' OR Hashes LIKE '%MD5=47e6ac52431ca47da17248d80bf71389%' ESCAPE '\\' OR Hashes LIKE '%MD5=3651a6990fe38711ebb285143f867a43%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc943bf367ae77016ae399df8e71d38a%' ESCAPE '\\' OR Hashes LIKE '%MD5=02198692732722681f246c1b33f7a9d9%' ESCAPE '\\' OR Hashes LIKE '%MD5=ddc2ffe0ab3fcd48db898ab13c38d88d%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ec361f2fba49c73260af351c39ff9cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1fce7aac4e9dd7a730997e2979fa1e2%' ESCAPE '\\' OR Hashes LIKE '%MD5=49938383844ceec33dba794fb751c9a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=34069a15ae3aa0e879cd0d81708e4bcc%' ESCAPE '\\' OR Hashes LIKE '%MD5=1c294146fc77565030603878fd0106f9%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd81af62964f5dd5eb4a828543a33dcf%' ESCAPE '\\' OR Hashes LIKE '%MD5=bd5b0514f3b40f139d8079138d01b5f6%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa173832dca1b1faeba095e5c82a1559%' ESCAPE '\\' OR Hashes LIKE '%MD5=5cc5c26fc99175997d84fe95c61ab2c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed043249c21ab201edccb37f1d40af9%' ESCAPE '\\' OR Hashes LIKE '%MD5=361a598d8bb92c13b18abb7cac850b01%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b359b722ac80c4e0a5235264e1e0156%' ESCAPE '\\' OR Hashes LIKE '%MD5=296bde4d0ed32c6069eb90c502187d0d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d3e40644a91327da2b1a7241606fe559%' ESCAPE '\\' OR Hashes LIKE '%MD5=12cecc3c14160f32b21279c1a36b8338%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd39a86852b498b891672ffbcd071c03%' ESCAPE '\\' OR Hashes LIKE '%MD5=b2a9ac0600b12ec9819e049d7a6a0b75%' ESCAPE '\\' OR Hashes LIKE '%MD5=444f538daa9f7b340cfd43974ed43690%' ESCAPE '\\' OR Hashes LIKE '%MD5=7b43dfd84de5e81162ebcfafb764b769%' ESCAPE '\\' OR Hashes LIKE '%MD5=13dda15ef67eb265869fc371c72d6ef0%' ESCAPE '\\' OR Hashes LIKE '%MD5=300c5b1795c9b6cc1bc4d7d55c7bbe85%' ESCAPE '\\' OR Hashes LIKE '%MD5=1392b92179b07b672720763d9b1028a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=2e1f8a2a80221deb93496a861693c565%' ESCAPE '\\' OR Hashes LIKE '%MD5=8065a7659562005127673ac52898675f%' ESCAPE '\\' OR Hashes LIKE '%MD5=b5ada7fd226d20ec6634fc24768f9e22%' ESCAPE '\\' OR Hashes LIKE '%MD5=84fb76ee319073e77fb364bbbbff5461%' ESCAPE '\\' OR Hashes LIKE '%MD5=daf800da15b33bf1a84ee7afc59f0656%' ESCAPE '\\' OR Hashes LIKE '%MD5=f7393fb917aed182e4cbef25ce8af950%' ESCAPE '\\' OR Hashes LIKE '%MD5=120b5bbb9d2eb35ff4f62d79507ea63a%' ESCAPE '\\' OR Hashes LIKE '%MD5=73c98438ac64a68e88b7b0afd11ba140%' ESCAPE '\\' OR Hashes LIKE '%MD5=51207adb8dab983332d6b22c29fe8129%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a23e0f2c6f926a41b28d574cbc6ac30%' ESCAPE '\\' OR Hashes LIKE '%MD5=20125794b807116617d43f02b616e092%' ESCAPE '\\' OR Hashes LIKE '%MD5=e8ebba56ea799e1e62748c59e1a4c586%' ESCAPE '\\' OR Hashes LIKE '%MD5=8abbb12e61045984eda19e2dc77b235e%' ESCAPE '\\' OR Hashes LIKE '%MD5=f66b96aa7ae430b56289409241645099%' ESCAPE '\\' OR Hashes LIKE '%MD5=97e3a44ec4ae58c8cc38eefc613e950e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ff7b31fa6e9ab923bce8af31d1be5bb2%' ESCAPE '\\' OR Hashes LIKE '%MD5=12908c285b9d68ee1f39186110df0f1e%' ESCAPE '\\' OR Hashes LIKE '%MD5=6126065af2fc2639473d12ee3c0c198e%' ESCAPE '\\' OR Hashes LIKE '%MD5=356bda2bf0f6899a2c08b2da3ec69f13%' ESCAPE '\\' OR Hashes LIKE '%MD5=fd7de498a72b2daf89f321d23948c3c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=338a98e1c27bc76f09331fcd7ae413a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=c9a293762319d73c8ee84bcaaf81b7b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9e786bdba458b8b4f9e93d034f73d00%' ESCAPE '\\' OR Hashes LIKE '%MD5=a17c58c0582ee560c72f60764ed63224%' ESCAPE '\\' OR Hashes LIKE '%MD5=21e13f2cb269defeae5e1d09887d47bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=a57b47489febc552515778dd0fd1e51c%' ESCAPE '\\' OR Hashes LIKE '%MD5=d6e9f6c67d9b3d790d592557a7d57c3c%' ESCAPE '\\' OR Hashes LIKE '%MD5=76bb1a4332666222a8e3e1339e267179%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cd158a64f3d886357535382a6fdad75%' ESCAPE '\\' OR Hashes LIKE '%MD5=d9e7e5bcc5b01915dbcef7762a7fc329%' ESCAPE '\\' OR Hashes LIKE '%MD5=d253c19194a18030296ae62a10821640%' ESCAPE '\\' OR Hashes LIKE '%MD5=b12d1630fd50b2a21fd91e45d522ba3a%' ESCAPE '\\' OR Hashes LIKE '%MD5=50b39072d0ee9af5ef4824eca34be6e3%' ESCAPE '\\' OR Hashes LIKE '%MD5=778b7feea3c750d44745d3bf294bd4ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=0761c357aed5f591142edaefdf0c89c8%' ESCAPE '\\' OR Hashes LIKE '%MD5=23cf3da010497eb2bf39a5c5a57e437c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c49a1956a6a25ffc25ad97d6762b0989%' ESCAPE '\\' OR Hashes LIKE '%MD5=f406c5536bcf9bacbeb7ce8a3c383bfa%' ESCAPE '\\' OR Hashes LIKE '%MD5=f2f728d2f69765f5dfda913d407783d2%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b817d0e7714b9d43db43ae4a22a161e%' ESCAPE '\\' OR Hashes LIKE '%MD5=715f8efab1d1c660e4188055c4b28eed%' ESCAPE '\\' OR Hashes LIKE '%MD5=a01c412699b6f21645b2885c2bae4454%' ESCAPE '\\' OR Hashes LIKE '%MD5=010c0e5ac584e3ab97a2daf84cf436f5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5db81974ffda566fa821400419f59be%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014ba35d406475311a2eab0c4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d487f77be4471900d6ccbc47242cc25%' ESCAPE '\\' OR Hashes LIKE '%MD5=1f2888e57fdd6aee466962c25ba7d62d%' ESCAPE '\\' OR Hashes LIKE '%MD5=507a649eb585d8d0447eab0532ef0c73%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ad8fd9e83d7200bd7f8d0d4a9abfb11%' ESCAPE '\\' OR Hashes LIKE '%MD5=cd9f0fcecf1664facb3671c0130dc8bb%' ESCAPE '\\' OR Hashes LIKE '%MD5=b10b210c5944965d0dc85e70a0b19a42%' ESCAPE '\\' OR Hashes LIKE '%MD5=ae5eb2759305402821aeddc52ba9a6d6%' ESCAPE '\\' OR Hashes LIKE '%MD5=f5051c756035ef5de9c4c48bacb0612b%' ESCAPE '\\' OR Hashes LIKE '%MD5=1898ceda3247213c084f43637ef163b3%' ESCAPE '\\' OR Hashes LIKE '%MD5=37086ae5244442ba552803984a11d6cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=825703c494e0d270f797f1ecf070f698%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\' OR Hashes LIKE '%MD5=75d6c3469347de1cdfa3b1b9f1544208%' ESCAPE '\\' OR Hashes LIKE '%MD5=9ab9f3b75a2eb87fafb1b7361be9dfb3%' ESCAPE '\\' OR Hashes LIKE '%MD5=5f9785e7535f8f602cb294a54962c9e7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7d46d0ddaf8c7e1776a70c220bf47524%' ESCAPE '\\' OR Hashes LIKE '%MD5=f9844524fb0009e5b784c21c7bad4220%' ESCAPE '\\' OR Hashes LIKE '%MD5=828bb9cb1dd449cd65a29b18ec46055f%' ESCAPE '\\' OR Hashes LIKE '%MD5=4d17b32be70ef39eae5d5edeb5e89877%' ESCAPE '\\' OR Hashes LIKE '%MD5=2391fb461b061d0e5fccb050d4af7941%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d4159694e1754f262e326b52a3b305a%' ESCAPE '\\' OR Hashes LIKE '%MD5=a60c9173563b940203cf4ad38ccf2082%' ESCAPE '\\' OR Hashes LIKE '%MD5=63e333d64a8716e1ae59f914cb686ae8%' ESCAPE '\\' OR Hashes LIKE '%MD5=a9f220b1507a3c9a327a99995ff99c82%' ESCAPE '\\' OR Hashes LIKE '%MD5=c5f5d109f11aadebae94c77b27cb026f%' ESCAPE '\\' OR Hashes LIKE '%MD5=5bab40019419a2713298a5c9173e5d30%' ESCAPE '\\' OR Hashes LIKE '%MD5=c996d7971c49252c582171d9380360f2%' ESCAPE '\\' OR Hashes LIKE '%MD5=98763a3dee3cf03de334f00f95fc071a%' ESCAPE '\\' OR Hashes LIKE '%MD5=e79c91c27df3eaf82fb7bd1280172517%' ESCAPE '\\' OR Hashes LIKE '%MD5=a42249a046182aaaf3a7a7db98bfa69d%' ESCAPE '\\' OR Hashes LIKE '%MD5=803a371a78d528a44ef8777f67443b16%' ESCAPE '\\' OR Hashes LIKE '%MD5=9007c94c9d91ccff8d7f5d4cdddcc403%' ESCAPE '\\' OR Hashes LIKE '%MD5=11fb599312cb1cf43ca5e879ed6fb71e%' ESCAPE '\\' OR Hashes LIKE '%MD5=7f9309f5e4defec132b622fadbcad511%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=8636fe3724f2bcba9399daffd6ef3c7e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9dfd73dadb2f1c7e9c9d2542981aaa63%' ESCAPE '\\' OR Hashes LIKE '%MD5=490b1f404c4f31f4538b36736c990136%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d063c9422a19944cdaa6714623f2ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=dacb62578b3ea191ea37486d15f4f83c%' ESCAPE '\\' OR Hashes LIKE '%MD5=2da209dde8188076a9579bd256dc90d0%' ESCAPE '\\' OR Hashes LIKE '%MD5=0ba6afe0ea182236f98365bd977adfdf%' ESCAPE '\\' OR Hashes LIKE '%MD5=4c016fd76ed5c05e84ca8cab77993961%' ESCAPE '\\' OR Hashes LIKE '%MD5=ad22a7b010de6f9c6f39c350a471a440%' ESCAPE '\\' OR Hashes LIKE '%MD5=79483cb29a0c428e1362ec8642109eee%' ESCAPE '\\' OR Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%MD5=ccf523b951afaa0147f22e2a7aae4976%' ESCAPE '\\' OR Hashes LIKE '%MD5=736c4b85ce346ddf3b49b1e3abb4e72a%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0baac4d6cbac384a633c71858b35a2e%' ESCAPE '\\' OR Hashes LIKE '%MD5=798de15f187c1f013095bbbeb6fb6197%' ESCAPE '\\' OR Hashes LIKE '%MD5=a86150f2e29b35369afa2cafd7aa9764%' ESCAPE '\\' OR Hashes LIKE '%MD5=b941c8364308990ee4cc6eadf7214e0f%' ESCAPE '\\' OR Hashes LIKE '%MD5=dd04cd3de0c19bede84e9c95a86b3ca8%' ESCAPE '\\' OR Hashes LIKE '%MD5=6909b5e86e00b4033fedfca1775b0e33%' ESCAPE '\\' OR Hashes LIKE '%MD5=9b91a44a488e4d539f2e55476b216024%' ESCAPE '\\' OR Hashes LIKE '%MD5=8b287636041792f640f92e77e560725e%' ESCAPE '\\' OR Hashes LIKE '%MD5=07f83829e7429e60298440cd1e601a6a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0395b4e0eb21693590ad1cfdf7044b8b%' ESCAPE '\\' OR Hashes LIKE '%MD5=4b058945c9f2b8d8ebc485add1101ba5%' ESCAPE '\\' OR Hashes LIKE '%MD5=0067c788e1cb174f008c325ebde56c22%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2c1b8c00b99e913d992a870ed478a24%' ESCAPE '\\' OR Hashes LIKE '%MD5=84ba7af6ada1b3ea5efb9871a0613fc6%' ESCAPE '\\' OR Hashes LIKE '%MD5=dbc415304403be25ac83047c170b0ec2%' ESCAPE '\\' OR Hashes LIKE '%MD5=31469f1313871690e8dc2e8ee4799b22%' ESCAPE '\\' OR Hashes LIKE '%MD5=2d465b4487dc81effaa84f122b71c24f%' ESCAPE '\\' OR Hashes LIKE '%MD5=64efbffaa153b0d53dc1bccda4279299%' ESCAPE '\\' OR Hashes LIKE '%MD5=b164daf106566f444dfb280d743bc2f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=7c72a7e1d42b0790773efd8700e24952%' ESCAPE '\\' OR Hashes LIKE '%MD5=56a515173b211832e20fbc64e5a0447c%' ESCAPE '\\' OR Hashes LIKE '%MD5=c2eb4539a4f6ab6edd01bdc191619975%' ESCAPE '\\' OR Hashes LIKE '%MD5=d1bac75205c389d6d5d6418f0457c29b%' ESCAPE '\\' OR Hashes LIKE '%MD5=68dde686d6999ad2e5d182b20403240b%' ESCAPE '\\' OR Hashes LIKE '%MD5=a785b3bc4309d2eb111911c1b55e793f%' ESCAPE '\\' OR Hashes LIKE '%MD5=6ab7b8ef0c44e7d2d5909fdb58d37fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=d9ce18960c23f38706ae9c6584d9ac90%' ESCAPE '\\' OR Hashes LIKE '%MD5=ab53d07f18a9697139ddc825b466f696%' ESCAPE '\\' OR Hashes LIKE '%MD5=ba5f0f6347780c2ed911bbf888e75bef%' ESCAPE '\\' OR Hashes LIKE '%MD5=13ee349c15ee5d6cf640b3d0111ffc0e%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a237fa07ce3ed06ea924a9bed4a6b99%' ESCAPE '\\' OR Hashes LIKE '%MD5=fa222bed731713904320723b9c085b11%' ESCAPE '\\' OR Hashes LIKE '%MD5=0898af0888d8f7a9544ef56e5e16354e%' ESCAPE '\\' OR Hashes LIKE '%MD5=e076dadf37dd43a6b36aeed957abee9e%' ESCAPE '\\' OR Hashes LIKE '%MD5=4f27c09cc8680e06b04d6a9c34ca1e08%' ESCAPE '\\' OR Hashes LIKE '%MD5=1b32c54b95121ab1683c7b83b2db4b96%' ESCAPE '\\' OR Hashes LIKE '%MD5=715572dfe6fb10b16f980bfa242f3fa5%' ESCAPE '\\' OR Hashes LIKE '%MD5=4a06bcd96ef0b90a1753a805b4235f28%' ESCAPE '\\' OR Hashes LIKE '%MD5=f242cffd9926c0ccf94af3bf16b6e527%' ESCAPE '\\' OR Hashes LIKE '%MD5=7ed6030f14e66e743241f2c1fa783e69%' ESCAPE '\\' OR Hashes LIKE '%MD5=0d6fef14f8e1ce5753424bd22c46b1ce%' ESCAPE '\\' OR Hashes LIKE '%MD5=a4fda97f452b8f8705695a729f5969f7%' ESCAPE '\\' OR Hashes LIKE '%MD5=62c18d61ed324088f963510bae43b831%' ESCAPE '\\' OR Hashes LIKE '%MD5=d5a642329cce4df94b8dc1ba9660ae34%' ESCAPE '\\' OR Hashes LIKE '%MD5=a641e3dccba765a10718c9cb0da7879e%' ESCAPE '\\' OR Hashes LIKE '%MD5=ed07f1a8038596574184e09211dfc30f%' ESCAPE '\\' OR Hashes LIKE '%MD5=3473faea65fba5d4fbe54c0898a3c044%' ESCAPE '\\' OR Hashes LIKE '%MD5=708ac9f7b12b6ca4553fd8d0c7299296%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbe4f5f8b0c0f32f384a83ae31f49a00%' ESCAPE '\\' OR Hashes LIKE '%MD5=257483d5d8b268d0d679956c7acdf02d%' ESCAPE '\\' OR Hashes LIKE '%MD5=312e31851e0fc2072dbf9a128557d6ef%' ESCAPE '\\' OR Hashes LIKE '%MD5=14eead4d42728e9340ec8399a225c124%' ESCAPE '\\' OR Hashes LIKE '%MD5=de1cc5c266140bff9d964fab87a29421%' ESCAPE '\\' OR Hashes LIKE '%MD5=9a9dbf5107848c254381be67a4c1b1dd%' ESCAPE '\\' OR Hashes LIKE '%MD5=1dc94a6a82697c62a04e461d7a94d0b0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2850608430dd089f24386f3336c84729%' ESCAPE '\\' OR Hashes LIKE '%MD5=6d131a7462e568213b44ef69156f10a5%' ESCAPE '\\' OR Hashes LIKE '%MD5=b8b6686324f7aa77f570bc019ec214e6%' ESCAPE '\\' OR Hashes LIKE '%MD5=22823fed979903f8dfe3b5d28537eb47%' ESCAPE '\\' OR Hashes LIKE '%MD5=c1d3a6bb423739a5e781f7eee04c9cfd%' ESCAPE '\\' OR Hashes LIKE '%MD5=0c0195c48b6b8582fa6f6373032118da%' ESCAPE '\\' OR Hashes LIKE '%MD5=5228b7a738dc90a06ae4f4a7412cb1e9%' ESCAPE '\\' OR Hashes LIKE '%MD5=62f02339fe267dc7438f603bfb5431a1%' ESCAPE '\\' OR Hashes LIKE '%MD5=22949977ce5cd96ba674b403a9c81285%' ESCAPE '\\' OR Hashes LIKE '%MD5=5ca1922ed5ee2b533b5f3dd9be20fd9a%' ESCAPE '\\' OR Hashes LIKE '%MD5=1ed08a6264c5c92099d6d1dae5e8f530%' ESCAPE '\\' OR Hashes LIKE '%MD5=b0770094c3c64250167b55e4db850c04%' ESCAPE '\\' OR Hashes LIKE '%MD5=a6e9d6505f6d2326a8a9214667c61c67%' ESCAPE '\\' OR Hashes LIKE '%MD5=8407ddfab85ae664e507c30314090385%' ESCAPE '\\' OR Hashes LIKE '%MD5=9321a61a25c7961d9f36852ecaa86f55%' ESCAPE '\\' OR Hashes LIKE '%MD5=a711e6ab17802fabf2e69e0cd57c54cd%' ESCAPE '\\' OR Hashes LIKE '%MD5=29ccff428e5eb70ae429c3da8968e1ec%' ESCAPE '\\' OR Hashes LIKE '%MD5=79df0eabbf2895e4e2dae15a4772868c%' ESCAPE '\\' OR Hashes LIKE '%MD5=fb7c61ef427f9b2fdff3574ee6b1819b%' ESCAPE '\\' OR Hashes LIKE '%MD5=f778489c7105a63e9e789a02412aaa5f%' ESCAPE '\\' OR Hashes LIKE '%MD5=fef9dd9ea587f8886ade43c1befbdafe%' ESCAPE '\\' OR Hashes LIKE '%MD5=43830326cd5fae66f5508e27cbec39a0%' ESCAPE '\\' OR Hashes LIKE '%MD5=c7a57cd4bea07dadba2e2fb914379910%' ESCAPE '\\' OR Hashes LIKE '%MD5=f1e054333cc40f79cfa78e5fbf3b54c2%' ESCAPE '\\' OR Hashes LIKE '%MD5=dc564bac7258e16627b9de0ce39fae25%' ESCAPE '\\' OR Hashes LIKE '%MD5=054299e09cea38df2b84e6b29348b418%' ESCAPE '\\' OR Hashes LIKE '%MD5=97221e16e7a99a00592ca278c49ffbfc%' ESCAPE '\\' OR Hashes LIKE '%MD5=8d63e1a9ff4cafee1af179c0c544365c%' ESCAPE '\\' OR Hashes LIKE '%MD5=96421b56dbda73e9b965f027a3bda7ba%' ESCAPE '\\' OR Hashes LIKE '%MD5=4ae55080ec8aed49343e40d08370195c%' ESCAPE '\\' OR Hashes LIKE '%MD5=988dabdcf990b134b0ac1e00512c30c4%' ESCAPE '\\' OR Hashes LIKE '%MD5=bbbc9a6cc488cfb0f6c6934b193891eb%' ESCAPE '\\' OR Hashes LIKE '%MD5=76c643ab29d497317085e5db8c799960%' ESCAPE '\\' OR Hashes LIKE '%MD5=e9a30edef1105b8a64218f892b2e56ed%' ESCAPE '\\' OR Hashes LIKE '%MD5=7bd840ff7f15df79a9a71fec7db1243e%' ESCAPE '\\' OR Hashes LIKE '%MD5=1cff7b947f8c3dea1d34dc791fc78cdc%' ESCAPE '\\' OR Hashes LIKE '%MD5=2c54859a67306e20bfdc8887b537de72%' ESCAPE '\\' OR Hashes LIKE '%MD5=a5f637d61719d37a5b4868c385e363c0%' ESCAPE '\\' OR Hashes LIKE '%MD5=2509a71a02296aa65a3428ddfac22180%' ESCAPE '\\' OR Hashes LIKE '%MD5=6cce5bb9c8c2a8293df2d3b1897941a2%' ESCAPE '\\' OR Hashes LIKE '%MD5=7a16fca3d56c6038c692ec75b2bfee15%' ESCAPE '\\' OR Hashes LIKE '%MD5=eaea9ccb40c82af8f3867cd0f4dd5e9d%' ESCAPE '\\' OR Hashes LIKE '%MD5=d2588631d8aae2a3e54410eaf54f0679%' ESCAPE '\\' OR Hashes LIKE '%MD5=b47dee29b5e6e1939567a926c7a3e6a4%' ESCAPE '\\' OR Hashes LIKE '%MD5=fac8eb49e2fd541b81fcbdeb98a199cb%' ESCAPE '\\' OR Hashes LIKE '%MD5=1a234f4643f5658bab07bfa611282267%' ESCAPE '\\' OR Hashes LIKE '%MD5=0752f113d983030939b4ab98b0812cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f0c463d29a5914b01e4607889094f1b7d95e7aaf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ecb4d096a9c58643b02f328d2c7742a38e017cf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=684786de4b3b3f53816eae9df5f943a22c89601f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745335bcdf02fb42df7d890a24858e16094f48fd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25d812a5ece19ea375178ef9d60415841087726e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d417c0be261b0c6f44afdec3d5432100e420c3ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6afc6b04cf73dd461e4a4956365f25c1f1162387%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01a578a3a39697c4de8e3dab04dba55a4c35163e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7e836dadc2e149a0b758c7e22c989cbfcce18684%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a705af959af61bad48ef7579f839cb5ebd654d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc2f3850c7b858340d7ed27b90e63b036881fd6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e22495d92ac3dcae5eeb1980549a9ead8155f98a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c969f1f73922fd95db1992a5b552fbc488366a40%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4c18754dca481f107f0923fb8ef5e149d128525d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2fc6845047abcf2a918fce89ab99e4955d08e72c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4f7a8e26a97980544be634b26899afbefb0a833c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21edff2937eb5cd6f6b0acb7ee5247681f624260%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89cd760e8cb19d29ee08c430fb17a5fd4455c741%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=064de88dbbea67c149e779aac05228e5405985c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea877092d57373cb466b44e7dbcad4ce9a547344%' ESCAPE '\\' OR Hashes LIKE '%SHA1=55ab7e27412eca433d76513edc7e6e03bcdd7eda%' ESCAPE '\\' OR Hashes LIKE '%SHA1=976777d39d73034df6b113dfce1aa6e1d00ffcfd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f7501e01d84a2297c85cb39880ec4e40ac3fe8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6816949cd469b6e5c35858d19273936fab1bef6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=91f832f46e4c38ecc9335460d46f6f71352cffed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=43419df1f9a07430a18c5f3b3cc74de621be0f8e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=01779ee53f999464465ed690d823d160f73f10e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27d3ebea7655a72e6e8b95053753a25db944ec0f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcd615df88645d1f57ff5702bd6758b77efea6d0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10115219e3595b93204c70eec6db3e68a93f3144%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33285b2e97a0aeb317166cce91f6733cf9c1ad53%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c27abbbbcf10dfb75ad79557e30ace5ed314df8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10e15ba8ff8ed926ddd3636cec66a0f08c9860a4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8f5cd4a56e6e15935491aa40adb1ecad61eafe7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7948a4e9a3a1a9ed0e4e41350e422464d8313cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19bd488fe54b011f387e8c5d202a70019a204adf%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15d1a6a904c8409fb47a82aefa42f8c3c7d8c370%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d02403f85be6f243054395a873b41ef8a17ea279%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4789b910023a667bee70ff1f1a8f369cffb10fe8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=50e2bc41f0186fdce970b80e2a2cb296353af586%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b97a8d506be2e7eaa4385f70c009b22adbd071ba%' ESCAPE '\\' OR Hashes LIKE '%SHA1=78b9481607ca6f3a80b4515c432ddfe6550b18a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e039c9dd21494dbd073b4823fc3a17fbb951ec6c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=806832983bb8cb1e26001e60ea3b7c3ade4d3471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3ed5cbfbc17b58243289f3cf575bf04be49591d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7fb52290883a6b69a96d480f2867643396727e83%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=da9cea92f996f938f699902482ac5313d5e8b28e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc7b022f8bd149efbcb2204a48dce75c72633526%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d979353d04bf65cc92ad3412605bc81edbb75ec2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b009e91bae8d27b160dc195f10c095f8a2441e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=51b60eaa228458dee605430aae1bc26f3fc62325%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6bd965300f07012d1b651a9b8776028c45b149a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=729a8675665c61824f22f06c7b954be4d14b52c4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37364cb5f5cefd68e5eca56f95c0ab4aff43afcc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=25bf4e30a94df9b8f8ab900d1a43fd056d285c9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d8498707f295082f6a95fd9d32c9782951f5a082%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5e6ddd2b39a3de0016385cbd7aa50e49451e376d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=943593e880b4d340f2548548e6e673ef6f61eed3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2dfcb799b3c42ecb0472e27c19b24ac7532775ce%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6714380bc0b8ab09b9a0d2fa66d1b025b646b946%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a7d66874a0472a47087fabaa033a85d47413379%' ESCAPE '\\' OR Hashes LIKE '%SHA1=012db3a80faf1f7f727b538cbe5d94064e7159de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c6d349823bbb1f5b44bae91357895dba653c5861%' ESCAPE '\\' OR Hashes LIKE '%SHA1=643383938d5e0d4fd30d302af3e9293a4798e392%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1d0df45ee3fa758f0470e055915004e6eae54c95%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3599ea2ac1fa78f423423a4cf90106ea0938dde8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f42f28d164205d9f6dab9317c9fecad54c38d5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d9c09dd725bc7bc3c19b4db37866015817a516ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d5fd9fe10405c4f90235e583526164cd0902ed86%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c74d09da7baf7c05360346e4c3512d0cd433d59%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c256edd10823ca76c0443a330e523027b70522d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=65d8a7c2e867b22d1c14592b020c548dd0665646%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7859e75580570e23a1ef7208b9a76f81738043d5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b242b0332b9c9e8e17ec27ef10d75503d20d97b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6523b3fd87de39eb5db1332e4523ce99556077dc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac600a2bc06b312d92e649b7b55e3e91e9d63451%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe10018af723986db50701c8532df5ed98b17c39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b9807b8840327c6d7fbdde45fc27de921f1f1a82%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=054a50293c7b4eea064c91ef59cf120d8100f237%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=485c0b9710a196c7177b99ee95e5ddb35b26ddd1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=faa870b0cb15c9ac2b9bba5d0470bd501ccd4326%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0291d0457acaf0fe8ed5c3137302390469ce8b35%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8183a341ba6c3ce1948bf9be49ab5320e0ee324d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b25170e09c9fb7c0599bfba3cf617187f6a733ac%' ESCAPE '\\' OR Hashes LIKE '%SHA1=19f3343bfad0ef3595f41d60272d21746c92ffca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a48aa80942fc8e0699f518de4fd6512e341d4196%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9a35ae9a1f95ce4be64adc604c80079173e4a676%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ea360a9f23bb7cf67f08b88e6a185a699f0c5410%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403%' ESCAPE '\\' OR Hashes LIKE '%SHA1=08596732304351b311970ff96b21f451f23b1e25%' ESCAPE '\\' OR Hashes LIKE '%SHA1=29a190727140f40cea9514a6420f5a195e36386b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d014b5edd6e19ce0e8395a64faedf49688ecb5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31fac347aa26e92db4d8c9e1ba37a7c7a2234f08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fcde5275ee1913509927ce5f0f85e6681064c9d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f052dc35b74a1a6246842fbb35eb481577537826%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65%' ESCAPE '\\' OR Hashes LIKE '%SHA1=33cdab3bbc8b3adce4067a1b042778607dce2acd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2d503a2457a787014a1fdd48a2ece2e6cbe98ea7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9519d033d75e1ab6b82b2e156eafe9607edbcfb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=89909fa481ff67d7449ee90d24c167b17b0612f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7d827a41b2c4b7638495cd1d77926f1ba902978%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c23eeb6f18f626ce1fd840227f351fa7543bb167%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3805e4e08ad342d224973ecdade8b00c40ed31be%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8302802b709ad242a81b939b6c90b3230e1a1f1e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ac13941f436139b909d105ad55637e1308f49d9a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=92f251358b3fe86fd5e7aa9b17330afa0d64a705%' ESCAPE '\\' OR Hashes LIKE '%SHA1=623cd2abef6c92255f79cbbd3309cb59176771da%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af50109b112995f8c82be8ef3a88be404510cdde%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a00e444120449e35641d58e62ed64bb9c9f518d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9923c8f1e565a05b3c738d283cf5c0ed61a0b90f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7eec3a1edf3b021883a4b5da450db63f7c0afeeb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=078ae07dec258db4376d5a2a05b9b508d68c0123%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ef80da613442047697bec35ea228cde477c09a3d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6003184788cd3d2fc624ca801df291ccc4e225ee%' ESCAPE '\\' OR Hashes LIKE '%SHA1=558aad879b6a47d94a968f39d0a4e3a3aaef1ef1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=877c6c36a155109888fe1f9797b93cb30b4957ef%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3cce7e79ab5bd055f311bb3ac44a838779270b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3b6b35bca1b05fafbfc883a844df6d52af44ccdc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=351cbd352b3ec0d5f4f58c84af732a0bf41b4463%' ESCAPE '\\' OR Hashes LIKE '%SHA1=609fa1efcf61e26d64a5ceb13b044175ab2b3a13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc0e97adb756c0f30b41840a59b85218cbdd198f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=71469dce9c2f38d0e0243a289f915131bf6dd2a8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=05ac1c64ca16ab0517fe85d4499d08199e63df26%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2261198385d62d2117f50f631652eded0ecc71db%' ESCAPE '\\' OR Hashes LIKE '%SHA1=414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8626ab1da6bfbdf61bd327eb944b39fd9df33d1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d702d88b12233be9413446c445f22fda4a92a1d9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e74b6dda8bc53bc687fc21218bd34062a78d8467%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a197a02025946aca96d6e74746f84774df31249e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f25f54e9b289f76604e81e98483309612c5a471%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e3c1dd569aa4758552566b0213ee4d1fe6382c4b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=879fcc6795cebe67718388228e715c470de87dca%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ae56ab63230d6d9552360845b4a37b5801cc5ea%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74e4e3006b644392f5fcea4a9bae1d9d84714b57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ce549714a11bd43b52be709581c6e144957136ec%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3abb9d0a9d600200ae19c706e570465ef0a15643%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc51be79ae56bc97211f6b73cc905c3492da8f9d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b03b1996a40bfea72e4584b82f6b845c503a9748%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0307d76750dd98d707c699aee3b626643afb6936%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8db869c0674221a2d3280143cbb0807fac08e0cc%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2f991435a6f58e25c103a657d24ed892b99690b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c948ae14761095e4d76b55d9de86412258be7afd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a7bd05de737f8ea57857f1e0845a25677df01872%' ESCAPE '\\' OR Hashes LIKE '%SHA1=aca8e53483b40a06dfdee81bb364b1622f9156fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f36a47edfacd85e0c6d4d22133dd386aee4eec15%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bf87e32a651bdfd9b9244a8cf24fca0e459eb614%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bc47e15537fa7c32dfefd23168d7e1741f8477ed%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ee2fd08137e9262d2e911158090e4a7c7427ea0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4e826430a1389032f3fe06e2cc292f643fb0c417%' ESCAPE '\\' OR Hashes LIKE '%SHA1=745bad097052134548fe159f158c04be5616afc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=28b1c0b91eb6afd2d26b239c9f93beb053867a1a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0466e90bf0e83b776ca8716e01d35a8a2e5f96d3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6765d8866cad6193df1507c18f31fa7f723ca3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=57511ef5ff8162a9d793071b5bf7ebe8371759de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d098600152e5ee6a8238d414d2a77a34da8afaaa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=16d7ecf09fc98798a6170e4cef2745e0bee3f5c7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8b6aa5b2bff44766ef7afbe095966a71bc4183fa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c834c4931b074665d56ccab437dfcc326649d612%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8d59fd14a445c8f3f0f7991fa6cd717d466b3754%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d94f2fb3198e14bfe69b44fb9f00f2551f7248b2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=64e4ac8b9ea2f050933b7ec76a55dd04e97773b4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=93aa3bb934b74160446df3a47fa085fd7f3a6be9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=14bf0eaa90e012169745b3e30c281a327751e316%' ESCAPE '\\' OR Hashes LIKE '%SHA1=738b7918d85e5cb4395df9e3f6fc94ddad90e939%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fff4f28287677caabc60c8ab36786c370226588d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=34c85afe6d84cd3deec02c0a72e5abfa7a2886c3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3f223581409492172a1e875f130f3485b90fbe5f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=282bb241bda5c4c1b8eb9bf56d018896649ca0e1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e83458c4a6383223759cd8024e60c17be4e7c85f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d569d4bab86e70efbcdfdac9d822139d6f477b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2a6e6bd51c7062ad24c02a4d2c1b5e948908d131%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a65fabaf64aa1934314aae23f25cdf215cbaa4b6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c257aa4094539719a3c7b7950598ef872dbf9518%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1292c7dd60214d96a71e7705e519006b9de7968f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4d1554ec19504215d27de0758e13c35ddd6db3e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=994dc79255aeb662a672a1814280de73d405617a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5dd2c31c4357a8b76db095364952b3d0e3935e1d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=21e6c104fe9731c874fab5c9560c929b2857b918%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e92817a8744ebc4e4fa5383cdce2b2977f01ecd4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bb962c9a8dda93e94fef504c4159de881e4706fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=82ba5513c33e056c3f54152c8555abf555f3e745%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3de54667548a5c9abf5d8fa47db4097fcee9f1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0c26ab1299adcd9a385b541ef1653728270aa23e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f02af84393e9627ba808d4159841854a6601cf80%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb22723faa5ae2809476e5c5e9b9a597b26cab9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f9feb60b23ca69072ce42264cd821fe588a186a6%' ESCAPE '\\' OR Hashes LIKE '%SHA1=160c96b5e5db8c96b821895582b501e3c2d5d6e7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b8b83f245d94107cb802a285e6529161d9a834d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d7f7594ff084201c0d9fa2f4ef1626635b67bce5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7d7c03e22049a725ace2a9812c72b53a66c2548b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=589a7d4df869395601ba7538a65afae8c4616385%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3799fed3cf43254fe30dcdfdb8dc02d82e662b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=72966ca845759d239d09da0de7eebe3abe86fee3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0f780b7ada5dd8464d9f2cc537d973f5ac804e9c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c6cad6a268230f6e08417d278dda4d66bb00d13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d04e5db5b6c848a29732bfd52029001f23c3da75%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a87d6eac2d70a3fbc04e59412326b28001c179de%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cce9b82f01ec68f450f5fe4312f40d929c6a506e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8cc8974a05e81678e3d28acfe434e7804abd019c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1e7c241b9a9ea79061b50fb19b3d141dee175c27%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4d41248078181c7f61e6e4906aa96bbdea320dc2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f3db629cfe37a73144d5258e64d9dd8b38084cf4%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d2e6fc9259420f0c9b6b1769be3b1f63eb36dc57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=99201c9555e5faf6e8d82da793b148311f8aa4b8%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a2e0b3162cfa336cd4ab40a2acc95abe7dc53843%' ESCAPE '\\' OR Hashes LIKE '%SHA1=12d38abbc5391369a4c14f3431715b5b76ac5a2a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=490109fa6739f114651f4199196c5121d1c6bdf2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e5021a98e55d514e2376aa573d143631e5ee1c13%' ESCAPE '\\' OR Hashes LIKE '%SHA1=af6e1f2cfb230907476e8b2d676129b6d6657124%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ddbe809b731a0962e404a045ab9e65a0b64917ad%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a21c84c6bf2e21d69fa06daaf19b4cc34b589347%' ESCAPE '\\' OR Hashes LIKE '%SHA1=dc55217b6043d819eadebd423ff07704ee103231%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6053d258096bccb07cb0057d700fe05233ab1fbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b0032b8d8e6f4bd19a31619ce38d8e010f29a816%' ESCAPE '\\' OR Hashes LIKE '%SHA1=eb93d2f564fea9b3dc350f386b45de2cd9a3e001%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8692274681e8d10c26ddf2b993f31974b04f5bf0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f5696fb352a3fbd14fb1a89ad21a71776027f9ab%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5db61d00a001fd493591dc919f69b14713889fc5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2b4d0dead4c1a7cc95543748b3565cfa802e5256%' ESCAPE '\\' OR Hashes LIKE '%SHA1=205c69f078a563f54f4c0da2d02a25e284370251%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=35829e096a15e559fcbabf3441d99e580ca3b26e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=17fa047c1f979b180644906fe9265f21af5b0509%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=461882bd59887617cadc1c7b2b22d0a45458c070%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7838fb56fdab816bc1900a4720eea2fc9972ef7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1f3a9265963b660392c4053329eb9436deeed339%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e09b5e80805b8fe853ea27d8773e31bff262e3f7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5f8356ffa8201f338dd2ea979eb47881a6db9f03%' ESCAPE '\\' OR Hashes LIKE '%SHA1=37e6450c7cd6999d080da94b867ba23faa8c32fe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7ab4565ba24268f0adadb03a5506d4eb1dc7c181%' ESCAPE '\\' OR Hashes LIKE '%SHA1=00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c24dd75e4074041dbe03bf21f050c77d748b8e9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3270720a066492b046d7180ca6e60602c764cac7%' ESCAPE '\\' OR Hashes LIKE '%SHA1=0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=814200191551faec65b21f5f6819b46c8fc227a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=696d68bdbe1d684029aaad2861c49af56694473a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b89a8eef5aeae806af5ba212a8068845cafdab6f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=15df139494d2c40a645fb010908551185c27f3c5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=947db58d6f36a8df9fa2a1057f3a7f653ccbc42e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=fe1d909ab38de1389a2a48352fd1c8415fd2eab0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=7667b72471689151e176baeba4e1cd9cd006a09a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d25340ae8e92a6d29f599fef426a2bc1b5217299%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6abbc3003c7aa69ce79cbbcd2e3210b07f21d202%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d34a7c497c603f3f7fcad546dc4097c2da17c430%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b8de3a1aeeda9deea43e3f768071125851c85bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9c6749fc6c1127f8788bff70e0ce9062959637c9%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4268f30b79ce125a81d0d588bef0d4e2ad409bbb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=213ba055863d4226da26a759e8a254062ea77814%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a4b2c56c12799855162ca3b004b4b2078c6ecf77%' ESCAPE '\\' OR Hashes LIKE '%SHA1=27eab595ec403580236e04101172247c4f5d5426%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d62fa51e520022483bdc5847141658de689c0c29%' ESCAPE '\\' OR Hashes LIKE '%SHA1=ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308%' ESCAPE '\\' OR Hashes LIKE '%SHA1=8fb149fc476cf5bf18dc575334edad7caf210996%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e35a2b009d54e1a0b231d8a276251f64231b66a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=d0d39e1061f30946141b6ecfa0957f8cc3ddeb63%' ESCAPE '\\' OR Hashes LIKE '%SHA1=166759fd511613414d3213942fe2575b926a6226%' ESCAPE '\\' OR Hashes LIKE '%SHA1=73bac306292b4e9107147db94d0d836fdb071e33%' ESCAPE '\\' OR Hashes LIKE '%SHA1=460008b1ffd31792a6deadfa6280fb2a30c8a5d2%' ESCAPE '\\' OR Hashes LIKE '%SHA1=2c5ff272bd345962ed41ab8869aef41da0dfe697%' ESCAPE '\\' OR Hashes LIKE '%SHA1=9d07df024ec457168bf0be7e0009619f6ac4f13c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c4ed28fdfba7b8a8dfe39e591006f25d39990f07%' ESCAPE '\\' OR Hashes LIKE '%SHA1=30a224b22592d952fbe2e6ad97eda4a8f2c734e0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5520ac25d81550a255dc16a0bb89d4b275f6f809%' ESCAPE '\\' OR Hashes LIKE '%SHA1=400f833dcc2ef0a122dd0e0b1ec4ec929340d90e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6b54f8f137778c1391285fee6150dfa58a8120b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc0e0440adc058615e31e8a52372abadf658e6b1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cb3f30809b05cf02bc29d4a7796fb0650271e542%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a64354aac2d68b4fa74b5829a9d42d90d83b040c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a6fe4f30ca7cb94d74bc6d42cdd09a136056952e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=e6305dddd06490d7f87e3b06d09e9d4c1c643af0%' ESCAPE '\\' OR Hashes LIKE '%SHA1=90a76945fd2fa45fab2b7bcfdaf6563595f94891%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53f776d9a183c42b93960b270dddeafba74eb3fb%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6100eb82a25d64a7a7702e94c2b21333bc15bd08%' ESCAPE '\\' OR Hashes LIKE '%SHA1=53acd4d9e7ba0b1056cf52af0d191f226eddf312%' ESCAPE '\\' OR Hashes LIKE '%SHA1=910cb12aa49e9f35ecc4907e8304adf0dcca8cf1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b882748faf2c6c360884c6812dd5bcbce75ebff%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c95db1e82619fb16f8eec9a8209b7b0e853a4ebe%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4b8c0445075f09aeef542ab1c86e5de6b06e91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc1e5fd826961d93b76abd161314cb3592c4436%' ESCAPE '\\' OR Hashes LIKE '%SHA1=bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1acc7a486b52c5ee6619dbdc3b4210b5f48b936f%' ESCAPE '\\' OR Hashes LIKE '%SHA1=468e2e5505a3d924b14fedee4ddf240d09393776%' ESCAPE '\\' OR Hashes LIKE '%SHA1=c8d87f3cd34c572870e63a696cf771580e6ea81b%' ESCAPE '\\' OR Hashes LIKE '%SHA1=f18e669127c041431cde8f2d03b15cfc20696056%' ESCAPE '\\' OR Hashes LIKE '%SHA256=15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59%' ESCAPE '\\' OR Hashes LIKE '%SHA256=607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250%' ESCAPE '\\' OR Hashes LIKE '%SHA256=32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993%' ESCAPE '\\' OR Hashes LIKE '%SHA256=39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004%' ESCAPE '\\' OR Hashes LIKE '%SHA256=30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae%' ESCAPE '\\' OR Hashes LIKE '%SHA256=575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29%' ESCAPE '\\' OR Hashes LIKE '%SHA256=45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a9706e320179993dade519a83061477ace195daa1b788662825484813001f526%' ESCAPE '\\' OR Hashes LIKE '%SHA256=61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03%' ESCAPE '\\' OR Hashes LIKE '%SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433%' ESCAPE '\\' OR Hashes LIKE '%SHA256=07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33%' ESCAPE '\\' OR Hashes LIKE '%SHA256=99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813%' ESCAPE '\\' OR Hashes LIKE '%SHA256=bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890%' ESCAPE '\\' OR Hashes LIKE '%SHA256=159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94%' ESCAPE '\\' OR Hashes LIKE '%SHA256=db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097%' ESCAPE '\\' OR Hashes LIKE '%SHA256=025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53%' ESCAPE '\\' OR Hashes LIKE '%SHA256=749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb%' ESCAPE '\\' OR Hashes LIKE '%SHA256=86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce%' ESCAPE '\\' OR Hashes LIKE '%SHA256=36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca%' ESCAPE '\\' OR Hashes LIKE '%SHA256=591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52%' ESCAPE '\\' OR Hashes LIKE '%SHA256=04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293%' ESCAPE '\\' OR Hashes LIKE '%SHA256=49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347%' ESCAPE '\\' OR Hashes LIKE '%SHA256=89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165%' ESCAPE '\\' OR Hashes LIKE '%SHA256=475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e%' ESCAPE '\\' OR Hashes LIKE '%SHA256=54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965%' ESCAPE '\\' OR Hashes LIKE '%SHA256=362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71%' ESCAPE '\\' OR Hashes LIKE '%SHA256=543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa%' ESCAPE '\\' OR Hashes LIKE '%SHA256=0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395%' ESCAPE '\\' OR Hashes LIKE '%SHA256=aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79%' ESCAPE '\\' OR Hashes LIKE '%SHA256=146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec%' ESCAPE '\\' OR Hashes LIKE '%SHA256=cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d%' ESCAPE '\\' OR Hashes LIKE '%SHA256=ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41%' ESCAPE '\\' OR Hashes LIKE '%SHA256=06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80%' ESCAPE '\\' OR Hashes LIKE '%SHA256=314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073%' ESCAPE '\\' OR Hashes LIKE '%SHA256=11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7%' ESCAPE '\\' OR Hashes LIKE '%SHA256=455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22%' ESCAPE '\\' OR Hashes LIKE '%SHA256=221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9%' ESCAPE '\\' OR Hashes LIKE '%SHA256=afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508%' ESCAPE '\\' OR Hashes LIKE '%SHA256=78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af%' ESCAPE '\\' OR Hashes LIKE '%SHA256=58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495%' ESCAPE '\\' OR Hashes LIKE '%SHA256=dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21%' ESCAPE '\\' OR Hashes LIKE '%SHA256=91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009%' ESCAPE '\\' OR Hashes LIKE '%SHA256=b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3%' ESCAPE '\\' OR Hashes LIKE '%SHA256=65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd%' ESCAPE '\\' OR Hashes LIKE '%SHA256=a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499%' ESCAPE '\\' OR Hashes LIKE '%SHA256=509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6%' ESCAPE '\\' OR Hashes LIKE '%SHA256=440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1%' ESCAPE '\\' OR Hashes LIKE '%SHA256=1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219%' ESCAPE '\\' OR Hashes LIKE '%SHA256=677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf%' ESCAPE '\\' OR Hashes LIKE '%SHA256=823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748%' ESCAPE '\\' OR Hashes LIKE '%SHA256=42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f%' ESCAPE '\\' OR Hashes LIKE '%SHA256=f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35%' ESCAPE '\\' OR Hashes LIKE '%SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a%' ESCAPE '\\' OR Hashes LIKE '%SHA256=eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b%' ESCAPE '\\' OR Hashes LIKE '%SHA256=88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b%' ESCAPE '\\') OR md5 IN ('1b5c3c458e31bede55145d0644e88d75', '6f5d54ab483659ac78672440422ae3f1', 'ee6b1a79cb6641aa44c762ee90786fe0', 'c02f70960fa934b8defa16a03d7f6556', '839cbbc86453960e9eb6db814b776a40', 'acac842a46f3501fe407b1db1b247a0b', '95e4c7b0384da89dce8ea6f31c3613d9', 'e700a820f117f65e813b216fccbf78c9', '96b463b6fa426ae42c414177af550ba2', '27bcbeec8a466178a6057b64bef66512', '70dcd07d38017b43f710061f37cb4a91', 'db72def618cbc3c5f9aa82f091b54250', '83601bbe5563d92c1fdb4e960d84dc77', '5970e8de1b337ca665114511b9d10806', '49fe3d1f3d5c2e50a0df0f6e8436d778', '1493d342e7a36553c56b2adea150949e', '4f191abc652d8f7442ca2636725e1ed6', '0ae30291c6cbfa7be39320badd6e8de0', 'd104621c93213942b7b43d65b5d8d33e', 'b89b097b8b8aecb8341d05136f334ebb', '14580bd59c55185115fd3abe73b016a2', '992ded5b623be3c228f32edb4ca3f2d2', 'a26e600652c33dd054731b4693bf5b01', '1f950cfd5ed8dd9de3de004f5416fe20', '491aec2249ad8e2020f9f9b559ab68a8', 'e4266262a77fffdea2584283f6c4f51d', 'bd25be845c151370ff177509d95d5add', '9638f265b1ddd5da6ecdf5c0619dcbe6', '4e90cd77509738d30d3181a4d0880bfa', '0a6a1c9a7f80a2a5dcced5c4c0473765', '9aa7ed7809eec0d8bc6c545a1d18107a', 'aa1ed3917928f04d97d8a217fe9b5cb1', '42f7cc4be348c3efd98b0f1233cf2d69', '4cc3ddd5ae268d9a154a426af2c23ef9', '2fed983ec44d1e7cffb0d516407746f2', 'f7cbbb5eb263ec9a35a1042f52e82ca4', 'ed6348707f177629739df73b97ba1b6e', '40bc58b7615d00eb55ad9ba700c340c1', 'c3fea895fe95ea7a57d9f4d7abed5e71', '2128e6c044ee86f822d952a261af0b48', '3dbf69f935ea48571ea6b0f5a2878896', 'c6f8983dd3d75640c072a8459b8fa55a', '6fcf56f6ca3210ec397e55f727353c4a', '79f7e6f98a5d3ab6601622be4471027f', 'bae1f127c4ff21d8fe45e2bbfc59c180', 'c533d6d64b474ffc3169a0e0fc0a701a', '3f39f013168428c8e505a7b9e6cba8a2', '748cf64b95ca83abc35762ad2c25458f', 'bce7f34912ff59a3926216b206deb09f', '2d8e4f38b36c334d0a32a7324832501d', '47e6ac52431ca47da17248d80bf71389', '3651a6990fe38711ebb285143f867a43', 'dc943bf367ae77016ae399df8e71d38a', '02198692732722681f246c1b33f7a9d9', 'ddc2ffe0ab3fcd48db898ab13c38d88d', '0ec361f2fba49c73260af351c39ff9cb', 'c1fce7aac4e9dd7a730997e2979fa1e2', '49938383844ceec33dba794fb751c9a5', '34069a15ae3aa0e879cd0d81708e4bcc', '1c294146fc77565030603878fd0106f9', 'fd81af62964f5dd5eb4a828543a33dcf', 'bd5b0514f3b40f139d8079138d01b5f6', 'fa173832dca1b1faeba095e5c82a1559', '5cc5c26fc99175997d84fe95c61ab2c2', '1ed043249c21ab201edccb37f1d40af9', '361a598d8bb92c13b18abb7cac850b01', '9b359b722ac80c4e0a5235264e1e0156', '296bde4d0ed32c6069eb90c502187d0d', 'd3e40644a91327da2b1a7241606fe559', '12cecc3c14160f32b21279c1a36b8338', 'dd39a86852b498b891672ffbcd071c03', 'b2a9ac0600b12ec9819e049d7a6a0b75', '444f538daa9f7b340cfd43974ed43690', '7b43dfd84de5e81162ebcfafb764b769', '13dda15ef67eb265869fc371c72d6ef0', '300c5b1795c9b6cc1bc4d7d55c7bbe85', '1392b92179b07b672720763d9b1028a5', '2e1f8a2a80221deb93496a861693c565', '8065a7659562005127673ac52898675f', 'b5ada7fd226d20ec6634fc24768f9e22', '84fb76ee319073e77fb364bbbbff5461', 'daf800da15b33bf1a84ee7afc59f0656', 'f7393fb917aed182e4cbef25ce8af950', '120b5bbb9d2eb35ff4f62d79507ea63a', '73c98438ac64a68e88b7b0afd11ba140', '51207adb8dab983332d6b22c29fe8129', '4a23e0f2c6f926a41b28d574cbc6ac30', '20125794b807116617d43f02b616e092', 'e8ebba56ea799e1e62748c59e1a4c586', '8abbb12e61045984eda19e2dc77b235e', 'f66b96aa7ae430b56289409241645099', '97e3a44ec4ae58c8cc38eefc613e950e', 'ff7b31fa6e9ab923bce8af31d1be5bb2', '12908c285b9d68ee1f39186110df0f1e', '6126065af2fc2639473d12ee3c0c198e', '356bda2bf0f6899a2c08b2da3ec69f13', 'fd7de498a72b2daf89f321d23948c3c4', '338a98e1c27bc76f09331fcd7ae413a5', 'c9a293762319d73c8ee84bcaaf81b7b3', 'e9e786bdba458b8b4f9e93d034f73d00', 'a17c58c0582ee560c72f60764ed63224', '21e13f2cb269defeae5e1d09887d47bb', 'a57b47489febc552515778dd0fd1e51c', 'd6e9f6c67d9b3d790d592557a7d57c3c', '76bb1a4332666222a8e3e1339e267179', '1cd158a64f3d886357535382a6fdad75', 'd9e7e5bcc5b01915dbcef7762a7fc329', 'd253c19194a18030296ae62a10821640', 'b12d1630fd50b2a21fd91e45d522ba3a', '50b39072d0ee9af5ef4824eca34be6e3', '778b7feea3c750d44745d3bf294bd4ce', '0761c357aed5f591142edaefdf0c89c8', '23cf3da010497eb2bf39a5c5a57e437c', 'c49a1956a6a25ffc25ad97d6762b0989', 'f406c5536bcf9bacbeb7ce8a3c383bfa', 'f2f728d2f69765f5dfda913d407783d2', '4b817d0e7714b9d43db43ae4a22a161e', '715f8efab1d1c660e4188055c4b28eed', 'a01c412699b6f21645b2885c2bae4454', '010c0e5ac584e3ab97a2daf84cf436f5', 'd5db81974ffda566fa821400419f59be', '3247014ba35d406475311a2eab0c4657', '4d487f77be4471900d6ccbc47242cc25', '1f2888e57fdd6aee466962c25ba7d62d', '507a649eb585d8d0447eab0532ef0c73', '4ad8fd9e83d7200bd7f8d0d4a9abfb11', 'cd9f0fcecf1664facb3671c0130dc8bb', 'b10b210c5944965d0dc85e70a0b19a42', 'ae5eb2759305402821aeddc52ba9a6d6', 'f5051c756035ef5de9c4c48bacb0612b', '1898ceda3247213c084f43637ef163b3', '37086ae5244442ba552803984a11d6cb', '825703c494e0d270f797f1ecf070f698', '909f3fc221acbe999483c87d9ead024a', '75d6c3469347de1cdfa3b1b9f1544208', '9ab9f3b75a2eb87fafb1b7361be9dfb3', '5f9785e7535f8f602cb294a54962c9e7', '7d46d0ddaf8c7e1776a70c220bf47524', 'f9844524fb0009e5b784c21c7bad4220', '828bb9cb1dd449cd65a29b18ec46055f', '4d17b32be70ef39eae5d5edeb5e89877', '2391fb461b061d0e5fccb050d4af7941', '6d4159694e1754f262e326b52a3b305a', 'a60c9173563b940203cf4ad38ccf2082', '63e333d64a8716e1ae59f914cb686ae8', 'a9f220b1507a3c9a327a99995ff99c82', 'c5f5d109f11aadebae94c77b27cb026f', '5bab40019419a2713298a5c9173e5d30', 'c996d7971c49252c582171d9380360f2', '98763a3dee3cf03de334f00f95fc071a', 'e79c91c27df3eaf82fb7bd1280172517', 'a42249a046182aaaf3a7a7db98bfa69d', '803a371a78d528a44ef8777f67443b16', '9007c94c9d91ccff8d7f5d4cdddcc403', '11fb599312cb1cf43ca5e879ed6fb71e', '7f9309f5e4defec132b622fadbcad511', '04a88f5974caa621cee18f34300fc08a', '8636fe3724f2bcba9399daffd6ef3c7e', '9dfd73dadb2f1c7e9c9d2542981aaa63', '490b1f404c4f31f4538b36736c990136', 'c1d063c9422a19944cdaa6714623f2ec', 'dacb62578b3ea191ea37486d15f4f83c', '2da209dde8188076a9579bd256dc90d0', '0ba6afe0ea182236f98365bd977adfdf', '4c016fd76ed5c05e84ca8cab77993961', 'ad22a7b010de6f9c6f39c350a471a440', '79483cb29a0c428e1362ec8642109eee', 'a179c4093d05a3e1ee73f6ff07f994aa', 'ccf523b951afaa0147f22e2a7aae4976', '736c4b85ce346ddf3b49b1e3abb4e72a', 'b0baac4d6cbac384a633c71858b35a2e', '798de15f187c1f013095bbbeb6fb6197', 'a86150f2e29b35369afa2cafd7aa9764', 'b941c8364308990ee4cc6eadf7214e0f', 'dd04cd3de0c19bede84e9c95a86b3ca8', '6909b5e86e00b4033fedfca1775b0e33', '9b91a44a488e4d539f2e55476b216024', '8b287636041792f640f92e77e560725e', '07f83829e7429e60298440cd1e601a6a', '0395b4e0eb21693590ad1cfdf7044b8b', '4b058945c9f2b8d8ebc485add1101ba5', '0067c788e1cb174f008c325ebde56c22', 'c2c1b8c00b99e913d992a870ed478a24', '84ba7af6ada1b3ea5efb9871a0613fc6', 'dbc415304403be25ac83047c170b0ec2', '31469f1313871690e8dc2e8ee4799b22', '2d465b4487dc81effaa84f122b71c24f', '64efbffaa153b0d53dc1bccda4279299', 'b164daf106566f444dfb280d743bc2f7', '7c72a7e1d42b0790773efd8700e24952', '56a515173b211832e20fbc64e5a0447c', 'c2eb4539a4f6ab6edd01bdc191619975', 'd1bac75205c389d6d5d6418f0457c29b', '68dde686d6999ad2e5d182b20403240b', 'a785b3bc4309d2eb111911c1b55e793f', '6ab7b8ef0c44e7d2d5909fdb58d37fa5', 'd9ce18960c23f38706ae9c6584d9ac90', 'ab53d07f18a9697139ddc825b466f696', 'ba5f0f6347780c2ed911bbf888e75bef', '13ee349c15ee5d6cf640b3d0111ffc0e', '9a237fa07ce3ed06ea924a9bed4a6b99', 'fa222bed731713904320723b9c085b11', '0898af0888d8f7a9544ef56e5e16354e', 'e076dadf37dd43a6b36aeed957abee9e', '4f27c09cc8680e06b04d6a9c34ca1e08', '1b32c54b95121ab1683c7b83b2db4b96', '715572dfe6fb10b16f980bfa242f3fa5', '4a06bcd96ef0b90a1753a805b4235f28', 'f242cffd9926c0ccf94af3bf16b6e527', '7ed6030f14e66e743241f2c1fa783e69', '0d6fef14f8e1ce5753424bd22c46b1ce', 'a4fda97f452b8f8705695a729f5969f7', '62c18d61ed324088f963510bae43b831', 'd5a642329cce4df94b8dc1ba9660ae34', 'a641e3dccba765a10718c9cb0da7879e', 'ed07f1a8038596574184e09211dfc30f', '3473faea65fba5d4fbe54c0898a3c044', '708ac9f7b12b6ca4553fd8d0c7299296', 'bbe4f5f8b0c0f32f384a83ae31f49a00', '257483d5d8b268d0d679956c7acdf02d', '312e31851e0fc2072dbf9a128557d6ef', '14eead4d42728e9340ec8399a225c124', 'de1cc5c266140bff9d964fab87a29421', '9a9dbf5107848c254381be67a4c1b1dd', '1dc94a6a82697c62a04e461d7a94d0b0', '2850608430dd089f24386f3336c84729', '6d131a7462e568213b44ef69156f10a5', 'b8b6686324f7aa77f570bc019ec214e6', '22823fed979903f8dfe3b5d28537eb47', 'c1d3a6bb423739a5e781f7eee04c9cfd', '0c0195c48b6b8582fa6f6373032118da', '5228b7a738dc90a06ae4f4a7412cb1e9', '62f02339fe267dc7438f603bfb5431a1', '22949977ce5cd96ba674b403a9c81285', '5ca1922ed5ee2b533b5f3dd9be20fd9a', '1ed08a6264c5c92099d6d1dae5e8f530', 'b0770094c3c64250167b55e4db850c04', 'a6e9d6505f6d2326a8a9214667c61c67', '8407ddfab85ae664e507c30314090385', '9321a61a25c7961d9f36852ecaa86f55', 'a711e6ab17802fabf2e69e0cd57c54cd', '29ccff428e5eb70ae429c3da8968e1ec', '79df0eabbf2895e4e2dae15a4772868c', 'fb7c61ef427f9b2fdff3574ee6b1819b', 'f778489c7105a63e9e789a02412aaa5f', 'fef9dd9ea587f8886ade43c1befbdafe', '43830326cd5fae66f5508e27cbec39a0', 'c7a57cd4bea07dadba2e2fb914379910', 'f1e054333cc40f79cfa78e5fbf3b54c2', 'dc564bac7258e16627b9de0ce39fae25', '054299e09cea38df2b84e6b29348b418', '97221e16e7a99a00592ca278c49ffbfc', '8d63e1a9ff4cafee1af179c0c544365c', '96421b56dbda73e9b965f027a3bda7ba', '4ae55080ec8aed49343e40d08370195c', '988dabdcf990b134b0ac1e00512c30c4', 'bbbc9a6cc488cfb0f6c6934b193891eb', '76c643ab29d497317085e5db8c799960', 'e9a30edef1105b8a64218f892b2e56ed', '7bd840ff7f15df79a9a71fec7db1243e', '1cff7b947f8c3dea1d34dc791fc78cdc', '2c54859a67306e20bfdc8887b537de72', 'a5f637d61719d37a5b4868c385e363c0', '2509a71a02296aa65a3428ddfac22180', '6cce5bb9c8c2a8293df2d3b1897941a2', '7a16fca3d56c6038c692ec75b2bfee15', 'eaea9ccb40c82af8f3867cd0f4dd5e9d', 'd2588631d8aae2a3e54410eaf54f0679', 'b47dee29b5e6e1939567a926c7a3e6a4', 'fac8eb49e2fd541b81fcbdeb98a199cb', '1a234f4643f5658bab07bfa611282267', '0752f113d983030939b4ab98b0812cf0') OR sha1 IN ('f0c463d29a5914b01e4607889094f1b7d95e7aaf', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', 'ecb4d096a9c58643b02f328d2c7742a38e017cf0', '684786de4b3b3f53816eae9df5f943a22c89601f', '745335bcdf02fb42df7d890a24858e16094f48fd', '25d812a5ece19ea375178ef9d60415841087726e', 'd417c0be261b0c6f44afdec3d5432100e420c3ed', '6afc6b04cf73dd461e4a4956365f25c1f1162387', '01a578a3a39697c4de8e3dab04dba55a4c35163e', '2b0bb408ff0e66bcdf6574f1ca52cbf4015b257b', '7e836dadc2e149a0b758c7e22c989cbfcce18684', '4a705af959af61bad48ef7579f839cb5ebd654d2', 'bc2f3850c7b858340d7ed27b90e63b036881fd6c', 'e22495d92ac3dcae5eeb1980549a9ead8155f98a', 'c969f1f73922fd95db1992a5b552fbc488366a40', '4c18754dca481f107f0923fb8ef5e149d128525d', '2fc6845047abcf2a918fce89ab99e4955d08e72c', '4f7a8e26a97980544be634b26899afbefb0a833c', '21edff2937eb5cd6f6b0acb7ee5247681f624260', '89cd760e8cb19d29ee08c430fb17a5fd4455c741', '6c1bb3a72ebfb5359b9e22ca44d0a1ff825a68f2', '064de88dbbea67c149e779aac05228e5405985c7', 'ea877092d57373cb466b44e7dbcad4ce9a547344', '55ab7e27412eca433d76513edc7e6e03bcdd7eda', '976777d39d73034df6b113dfce1aa6e1d00ffcfd', '1f7501e01d84a2297c85cb39880ec4e40ac3fe8a', 'a6816949cd469b6e5c35858d19273936fab1bef6', '91f832f46e4c38ecc9335460d46f6f71352cffed', '43419df1f9a07430a18c5f3b3cc74de621be0f8e', '01779ee53f999464465ed690d823d160f73f10e7', 'bfe55cacc7c56c9f7bd75bdb4b352c0b745d071b', '27d3ebea7655a72e6e8b95053753a25db944ec0f', 'fcd615df88645d1f57ff5702bd6758b77efea6d0', '10115219e3595b93204c70eec6db3e68a93f3144', '33285b2e97a0aeb317166cce91f6733cf9c1ad53', '2c27abbbbcf10dfb75ad79557e30ace5ed314df8', '10e15ba8ff8ed926ddd3636cec66a0f08c9860a4', '291b4a88ffd2ac1d6bf812ecaedc2d934dc503cb', '05c0c49e8bcf11b883d41441ce87a2ee7a3aba1d', '8f5cd4a56e6e15935491aa40adb1ecad61eafe7c', 'a7948a4e9a3a1a9ed0e4e41350e422464d8313cd', '19bd488fe54b011f387e8c5d202a70019a204adf', 'eeff4ec4ebc12c6acd2c930dc2eaaf877cfec7ec', 'c4d7fb9db3c3459f7e8c0e3d48c95c7c9c4cff60', '15d1a6a904c8409fb47a82aefa42f8c3c7d8c370', 'd02403f85be6f243054395a873b41ef8a17ea279', '4243dbbf6e5719d723f24d0f862afd0fcb40bc35', '4789b910023a667bee70ff1f1a8f369cffb10fe8', '50e2bc41f0186fdce970b80e2a2cb296353af586', 'b97a8d506be2e7eaa4385f70c009b22adbd071ba', '78b9481607ca6f3a80b4515c432ddfe6550b18a8', 'e039c9dd21494dbd073b4823fc3a17fbb951ec6c', '806832983bb8cb1e26001e60ea3b7c3ade4d3471', 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7', 'c9cbfdd0be7b35751a017ec59ff7237ffdc4df1f', 'a3ed5cbfbc17b58243289f3cf575bf04be49591d', '7fb52290883a6b69a96d480f2867643396727e83', '5711c88e9e64e45b8fc4b90ab6f2dd6437dc5a8a', 'da9cea92f996f938f699902482ac5313d5e8b28e', 'dc7b022f8bd149efbcb2204a48dce75c72633526', 'd979353d04bf65cc92ad3412605bc81edbb75ec2', '4b009e91bae8d27b160dc195f10c095f8a2441e1', '51b60eaa228458dee605430aae1bc26f3fc62325', 'c6bd965300f07012d1b651a9b8776028c45b149a', '729a8675665c61824f22f06c7b954be4d14b52c4', '37364cb5f5cefd68e5eca56f95c0ab4aff43afcc', 'e4436c8c42ba5ffabd58a3b2256f6e86ccc907ab', '7ba19a701c8af76988006d616a5f77484c13cb0a', '25bf4e30a94df9b8f8ab900d1a43fd056d285c9d', 'd8498707f295082f6a95fd9d32c9782951f5a082', '5e6ddd2b39a3de0016385cbd7aa50e49451e376d', '943593e880b4d340f2548548e6e673ef6f61eed3', '2dfcb799b3c42ecb0472e27c19b24ac7532775ce', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98', '6714380bc0b8ab09b9a0d2fa66d1b025b646b946', '4a7d66874a0472a47087fabaa033a85d47413379', '012db3a80faf1f7f727b538cbe5d94064e7159de', '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4', 'c6d349823bbb1f5b44bae91357895dba653c5861', '643383938d5e0d4fd30d302af3e9293a4798e392', 'ace6b9e34e3e2e73fe584f3bbdb4e4ec106e0a7d', '1d0df45ee3fa758f0470e055915004e6eae54c95', '3599ea2ac1fa78f423423a4cf90106ea0938dde8', 'f42f28d164205d9f6dab9317c9fecad54c38d5d2', 'd9c09dd725bc7bc3c19b4db37866015817a516ef', 'd5fd9fe10405c4f90235e583526164cd0902ed86', '0c74d09da7baf7c05360346e4c3512d0cd433d59', '9c256edd10823ca76c0443a330e523027b70522d', '65d8a7c2e867b22d1c14592b020c548dd0665646', '7859e75580570e23a1ef7208b9a76f81738043d5', 'b242b0332b9c9e8e17ec27ef10d75503d20d97b6', '6523b3fd87de39eb5db1332e4523ce99556077dc', 'ac600a2bc06b312d92e649b7b55e3e91e9d63451', 'fe10018af723986db50701c8532df5ed98b17c39', 'b9807b8840327c6d7fbdde45fc27de921f1f1a82', 'a3636986cdcd1d1cb8ab540f3d5c29dcc90bb8f0', '054a50293c7b4eea064c91ef59cf120d8100f237', '2e3de9bff43d7712707ef8a0b10f7e4ad8427fd8', '485c0b9710a196c7177b99ee95e5ddb35b26ddd1', 'faa870b0cb15c9ac2b9bba5d0470bd501ccd4326', '4a235f0b84ff615e2879fa9e0ec0d745fcfdaa5c', '0291d0457acaf0fe8ed5c3137302390469ce8b35', '8183a341ba6c3ce1948bf9be49ab5320e0ee324d', '5a7dd0da0aee0bdedc14c1b7831b9ce9178a0346', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'b25170e09c9fb7c0599bfba3cf617187f6a733ac', '19f3343bfad0ef3595f41d60272d21746c92ffca', 'a48aa80942fc8e0699f518de4fd6512e341d4196', 'f6f11ad2cd2b0cf95ed42324876bee1d83e01775', '9a35ae9a1f95ce4be64adc604c80079173e4a676', 'ea360a9f23bb7cf67f08b88e6a185a699f0c5410', '6a3d3b9ab3d201cd6b0316a7f9c3fb4d34d0f403', '08596732304351b311970ff96b21f451f23b1e25', '29a190727140f40cea9514a6420f5a195e36386b', 'b4d014b5edd6e19ce0e8395a64faedf49688ecb5', '31fac347aa26e92db4d8c9e1ba37a7c7a2234f08', 'fcde5275ee1913509927ce5f0f85e6681064c9d2', 'f052dc35b74a1a6246842fbb35eb481577537826', 'c52cef5b9e1d4a78431b7af56a6fdb6aa1bcad65', '33cdab3bbc8b3adce4067a1b042778607dce2acd', '2d503a2457a787014a1fdd48a2ece2e6cbe98ea7', 'f9519d033d75e1ab6b82b2e156eafe9607edbcfb', '89909fa481ff67d7449ee90d24c167b17b0612f1', 'a7d827a41b2c4b7638495cd1d77926f1ba902978', 'c23eeb6f18f626ce1fd840227f351fa7543bb167', '3805e4e08ad342d224973ecdade8b00c40ed31be', '8302802b709ad242a81b939b6c90b3230e1a1f1e', 'ac13941f436139b909d105ad55637e1308f49d9a', '92f251358b3fe86fd5e7aa9b17330afa0d64a705', '623cd2abef6c92255f79cbbd3309cb59176771da', 'af50109b112995f8c82be8ef3a88be404510cdde', 'a00e444120449e35641d58e62ed64bb9c9f518d2', '9923c8f1e565a05b3c738d283cf5c0ed61a0b90f', '7eec3a1edf3b021883a4b5da450db63f7c0afeeb', '078ae07dec258db4376d5a2a05b9b508d68c0123', 'ef80da613442047697bec35ea228cde477c09a3d', '6003184788cd3d2fc624ca801df291ccc4e225ee', '558aad879b6a47d94a968f39d0a4e3a3aaef1ef1', '877c6c36a155109888fe1f9797b93cb30b4957ef', 'f3cce7e79ab5bd055f311bb3ac44a838779270b6', '80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77', '3b6b35bca1b05fafbfc883a844df6d52af44ccdc', '351cbd352b3ec0d5f4f58c84af732a0bf41b4463', '609fa1efcf61e26d64a5ceb13b044175ab2b3a13', 'dc0e97adb756c0f30b41840a59b85218cbdd198f', '71469dce9c2f38d0e0243a289f915131bf6dd2a8', '05ac1c64ca16ab0517fe85d4499d08199e63df26', '2261198385d62d2117f50f631652eded0ecc71db', '414cd15d6c991d19fb5be02e3b9fb0e6c5ce731c', '8626ab1da6bfbdf61bd327eb944b39fd9df33d1d', '5fb9421be8a8b08ec395d05e00fd45eb753b593a', 'd702d88b12233be9413446c445f22fda4a92a1d9', 'e74b6dda8bc53bc687fc21218bd34062a78d8467', 'a197a02025946aca96d6e74746f84774df31249e', '1f25f54e9b289f76604e81e98483309612c5a471', 'e3c1dd569aa4758552566b0213ee4d1fe6382c4b', '879fcc6795cebe67718388228e715c470de87dca', '3ae56ab63230d6d9552360845b4a37b5801cc5ea', '74e4e3006b644392f5fcea4a9bae1d9d84714b57', 'ce549714a11bd43b52be709581c6e144957136ec', '3abb9d0a9d600200ae19c706e570465ef0a15643', 'fbf8b0613a2f7039aeb9fa09bd3b40c8ff49ded2', 'cc51be79ae56bc97211f6b73cc905c3492da8f9d', 'b03b1996a40bfea72e4584b82f6b845c503a9748', '0307d76750dd98d707c699aee3b626643afb6936', '8db869c0674221a2d3280143cbb0807fac08e0cc', '2f991435a6f58e25c103a657d24ed892b99690b8', 'c948ae14761095e4d76b55d9de86412258be7afd', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', '152b6bb9ffd2ffec00cc46f5c6e29362d0e66e67', 'a7bd05de737f8ea57857f1e0845a25677df01872', 'aca8e53483b40a06dfdee81bb364b1622f9156fe', 'f36a47edfacd85e0c6d4d22133dd386aee4eec15', 'bf87e32a651bdfd9b9244a8cf24fca0e459eb614', 'bc47e15537fa7c32dfefd23168d7e1741f8477ed', '3ee2fd08137e9262d2e911158090e4a7c7427ea0', '4e826430a1389032f3fe06e2cc292f643fb0c417', '745bad097052134548fe159f158c04be5616afc2', '28b1c0b91eb6afd2d26b239c9f93beb053867a1a', '0466e90bf0e83b776ca8716e01d35a8a2e5f96d3', 'e6765d8866cad6193df1507c18f31fa7f723ca3e', '1fd7f881ea4a1dbb5c9aeb9e7ad659a85421745b', '57511ef5ff8162a9d793071b5bf7ebe8371759de', 'd098600152e5ee6a8238d414d2a77a34da8afaaa', '16d7ecf09fc98798a6170e4cef2745e0bee3f5c7', '8b6aa5b2bff44766ef7afbe095966a71bc4183fa', 'c834c4931b074665d56ccab437dfcc326649d612', '8d59fd14a445c8f3f0f7991fa6cd717d466b3754', 'd94f2fb3198e14bfe69b44fb9f00f2551f7248b2', '64e4ac8b9ea2f050933b7ec76a55dd04e97773b4', '93aa3bb934b74160446df3a47fa085fd7f3a6be9', '14bf0eaa90e012169745b3e30c281a327751e316', '738b7918d85e5cb4395df9e3f6fc94ddad90e939', '8c377ab4eebc5f4d8dd7bb3f90c0187dfdd3349f', 'fff4f28287677caabc60c8ab36786c370226588d', '34c85afe6d84cd3deec02c0a72e5abfa7a2886c3', '3f223581409492172a1e875f130f3485b90fbe5f', '282bb241bda5c4c1b8eb9bf56d018896649ca0e1', 'f1c8c3926d0370459a1b7f0cf3d17b22ff9d0c7f', 'e83458c4a6383223759cd8024e60c17be4e7c85f', 'd569d4bab86e70efbcdfdac9d822139d6f477b7c', '2a6e6bd51c7062ad24c02a4d2c1b5e948908d131', 'a65fabaf64aa1934314aae23f25cdf215cbaa4b6', 'c257aa4094539719a3c7b7950598ef872dbf9518', '1292c7dd60214d96a71e7705e519006b9de7968f', 'b4d1554ec19504215d27de0758e13c35ddd6db3e', '994dc79255aeb662a672a1814280de73d405617a', '5dd2c31c4357a8b76db095364952b3d0e3935e1d', '21e6c104fe9731c874fab5c9560c929b2857b918', 'e92817a8744ebc4e4fa5383cdce2b2977f01ecd4', '35f1ba60ba0da8512a0b1b15ee8e30fe240d77cd', 'bb962c9a8dda93e94fef504c4159de881e4706fe', '82ba5513c33e056c3f54152c8555abf555f3e745', 'f50c6b84dfb8f2d53ba3bce000a55f0a486c0e79', 'cb3de54667548a5c9abf5d8fa47db4097fcee9f1', '0c26ab1299adcd9a385b541ef1653728270aa23e', 'f02af84393e9627ba808d4159841854a6601cf80', 'cb22723faa5ae2809476e5c5e9b9a597b26cab9b', 'f9feb60b23ca69072ce42264cd821fe588a186a6', '160c96b5e5db8c96b821895582b501e3c2d5d6e7', '0b8b83f245d94107cb802a285e6529161d9a834d', 'd7e8aef8c8feb87ce722c0b9abf34a7e6bab6eb4', 'd7f7594ff084201c0d9fa2f4ef1626635b67bce5', '7d7c03e22049a725ace2a9812c72b53a66c2548b', '589a7d4df869395601ba7538a65afae8c4616385', '1f3799fed3cf43254fe30dcdfdb8dc02d82e662b', '72966ca845759d239d09da0de7eebe3abe86fee3', '0f780b7ada5dd8464d9f2cc537d973f5ac804e9c', '26c4a7b392d7e7bd7f0a2a758534e45c0d9a56ab', '7c6cad6a268230f6e08417d278dda4d66bb00d13', 'd04e5db5b6c848a29732bfd52029001f23c3da75', 'a87d6eac2d70a3fbc04e59412326b28001c179de', 'cce9b82f01ec68f450f5fe4312f40d929c6a506e', '8cc8974a05e81678e3d28acfe434e7804abd019c', '1e7c241b9a9ea79061b50fb19b3d141dee175c27', '00b4e8b7644d1bf93f5ddb5740b444b445e81b02', '4d41248078181c7f61e6e4906aa96bbdea320dc2', 'f3db629cfe37a73144d5258e64d9dd8b38084cf4', 'd2e6fc9259420f0c9b6b1769be3b1f63eb36dc57', '99201c9555e5faf6e8d82da793b148311f8aa4b8', 'a2e0b3162cfa336cd4ab40a2acc95abe7dc53843', '12d38abbc5391369a4c14f3431715b5b76ac5a2a', 'b4dcdbd97f38b24d729b986f84a9cdb3fc34d59f', '490109fa6739f114651f4199196c5121d1c6bdf2', 'e5021a98e55d514e2376aa573d143631e5ee1c13', 'af6e1f2cfb230907476e8b2d676129b6d6657124', 'ddbe809b731a0962e404a045ab9e65a0b64917ad', 'b480c54391a2a2f917a44f91a5e9e4590648b332', 'a21c84c6bf2e21d69fa06daaf19b4cc34b589347', 'dc55217b6043d819eadebd423ff07704ee103231', '6053d258096bccb07cb0057d700fe05233ab1fbb', 'b0032b8d8e6f4bd19a31619ce38d8e010f29a816', 'eb93d2f564fea9b3dc350f386b45de2cd9a3e001', '8692274681e8d10c26ddf2b993f31974b04f5bf0', 'f5696fb352a3fbd14fb1a89ad21a71776027f9ab', '5db61d00a001fd493591dc919f69b14713889fc5', '2b4d0dead4c1a7cc95543748b3565cfa802e5256', '205c69f078a563f54f4c0da2d02a25e284370251', '7c1b25518dee1e30b5a6eaa1ea8e4a3780c24d0c', '35829e096a15e559fcbabf3441d99e580ca3b26e', '17fa047c1f979b180644906fe9265f21af5b0509', 'ec4cc6de4c779bb1ca1dd32ee3a03f7e8d633a9b', '461882bd59887617cadc1c7b2b22d0a45458c070', '7838fb56fdab816bc1900a4720eea2fc9972ef7a', '1f3a9265963b660392c4053329eb9436deeed339', 'e09b5e80805b8fe853ea27d8773e31bff262e3f7', '5f8356ffa8201f338dd2ea979eb47881a6db9f03', '37e6450c7cd6999d080da94b867ba23faa8c32fe', '7ab4565ba24268f0adadb03a5506d4eb1dc7c181', '00a442a4305c62cefa8105c0b4c4a9a5f4d1e93b', '9c24dd75e4074041dbe03bf21f050c77d748b8e9', '3270720a066492b046d7180ca6e60602c764cac7', '0b6ec2aedc518849a1c61a70b1f9fb068ede2bc3', '814200191551faec65b21f5f6819b46c8fc227a3', '696d68bdbe1d684029aaad2861c49af56694473a', 'b89a8eef5aeae806af5ba212a8068845cafdab6f', '15df139494d2c40a645fb010908551185c27f3c5', '947db58d6f36a8df9fa2a1057f3a7f653ccbc42e', 'fe1d909ab38de1389a2a48352fd1c8415fd2eab0', '7667b72471689151e176baeba4e1cd9cd006a09a', 'd25340ae8e92a6d29f599fef426a2bc1b5217299', '6abbc3003c7aa69ce79cbbcd2e3210b07f21d202', 'd34a7c497c603f3f7fcad546dc4097c2da17c430', 'b8de3a1aeeda9deea43e3f768071125851c85bd0', '9c6749fc6c1127f8788bff70e0ce9062959637c9', '4268f30b79ce125a81d0d588bef0d4e2ad409bbb', '213ba055863d4226da26a759e8a254062ea77814', 'a4b2c56c12799855162ca3b004b4b2078c6ecf77', '27eab595ec403580236e04101172247c4f5d5426', 'd62fa51e520022483bdc5847141658de689c0c29', 'ccdd3a1ebe9a1c8f8a72af20a05a10f11da1d308', '8fb149fc476cf5bf18dc575334edad7caf210996', 'e35a2b009d54e1a0b231d8a276251f64231b66a3', 'd0d39e1061f30946141b6ecfa0957f8cc3ddeb63', '166759fd511613414d3213942fe2575b926a6226', '73bac306292b4e9107147db94d0d836fdb071e33', '460008b1ffd31792a6deadfa6280fb2a30c8a5d2', '2c5ff272bd345962ed41ab8869aef41da0dfe697', '9d07df024ec457168bf0be7e0009619f6ac4f13c', 'c4ed28fdfba7b8a8dfe39e591006f25d39990f07', '30a224b22592d952fbe2e6ad97eda4a8f2c734e0', '5520ac25d81550a255dc16a0bb89d4b275f6f809', '400f833dcc2ef0a122dd0e0b1ec4ec929340d90e', '6b54f8f137778c1391285fee6150dfa58a8120b1', 'cc0e0440adc058615e31e8a52372abadf658e6b1', 'cb3f30809b05cf02bc29d4a7796fb0650271e542', 'a64354aac2d68b4fa74b5829a9d42d90d83b040c', 'a6fe4f30ca7cb94d74bc6d42cdd09a136056952e', 'e6305dddd06490d7f87e3b06d09e9d4c1c643af0', '90a76945fd2fa45fab2b7bcfdaf6563595f94891', '53f776d9a183c42b93960b270dddeafba74eb3fb', '6100eb82a25d64a7a7702e94c2b21333bc15bd08', '53acd4d9e7ba0b1056cf52af0d191f226eddf312', '910cb12aa49e9f35ecc4907e8304adf0dcca8cf1', '4b882748faf2c6c360884c6812dd5bcbce75ebff', 'c95db1e82619fb16f8eec9a8209b7b0e853a4ebe', '4b8c0445075f09aeef542ab1c86e5de6b06e91a3', 'bbc1e5fd826961d93b76abd161314cb3592c4436', 'bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825', '1acc7a486b52c5ee6619dbdc3b4210b5f48b936f', '468e2e5505a3d924b14fedee4ddf240d09393776', 'c8d87f3cd34c572870e63a696cf771580e6ea81b', 'f18e669127c041431cde8f2d03b15cfc20696056') OR sha256 IN ('15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229', 'ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339', 'f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d', '9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e', 'e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790', 'e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf', 'f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960', 'b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c', '96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc', '5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a', '6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa', '49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810', 'be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57', '3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4', 'd205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e', 'b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a', '84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4', '32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351', 'c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e', '79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57', '3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd', '58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59', '607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c', '358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69', 'd0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889', 'f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004', '6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f', 'a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3', '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd', 'de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa', '950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9', '36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10', '6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492', 'ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0', '478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82', '7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c', 'f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960', '0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb', '131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6', '3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5', '1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa', 'f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497', '9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a', '4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca', 'a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062', '1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52', '3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5', 'f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b', '19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0', '1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b', '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05', '5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae', 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24', '0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670', '8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f', 'be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100', '47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc', 'a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200', '7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa', 'a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8', 'a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8', 'ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d', '9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6', '2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250', '32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993', '39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e', '984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7', 'db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004', '30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab', '8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6', '9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5', 'd92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482', 'e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb', '525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd', '01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece', '4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e', '3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838', 'f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae', '575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316', '3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3', '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', '082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d', 'c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c', '7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7', '61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0', 'b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29', '45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0', '2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d', '06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50', '1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee', 'e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e', '93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63', 'a9706e320179993dade519a83061477ace195daa1b788662825484813001f526', '61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8', '47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84', 'fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03', '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b', 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433', '07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357', '9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33', '99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1', '22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c', 'ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c', '8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f', '36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb', '6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74', '9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449', '5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a', 'fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566', 'e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028', 'f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57', '2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4', '06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf', 'cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8', '845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a', '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd', '64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57', '2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a', '85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94', '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', 'bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955', '9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87', 'b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427', '43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89', '76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22', '1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a', '60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813', 'bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc', '5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a', 'f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b', '405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659', '3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e', '42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00', '65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890', '159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980', '5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a', 'fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1', 'cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612', '4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6', '80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3', '29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94', 'db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653', '8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e', '101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558', '6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7', '95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3', '37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e', '5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3', 'd7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102', '7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb', 'b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de', '3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099', '0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3', 'f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008', 'b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e', '74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4', '7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6', 'c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8', '22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a', '76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184', 'dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097', '025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4', '50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793', 'e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53', '749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c', 'd8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2', '49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba', '7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129', 'ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2', '4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9', '84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4', '7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376', 'cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb', '86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219', '47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005', '18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6', '70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4', '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1', '8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce', '36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a', '7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca', '591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52', '04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162', '4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', 'e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293', '49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530', 'd8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530', '7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d', '2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8', 'cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986', 'a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc', 'c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5', '59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347', '89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be', 'e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1', '5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be', 'cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812', 'ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165', '475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a', 'cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64', '0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8', '72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1', 'cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b', 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe', '5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92', '4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b', 'f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13', 'c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8', '2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e', '54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57', 'e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217', 'cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b', '6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1', '708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965', '362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc', '08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6', '2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d', 'c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c', '4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8', '1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c', '76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303', '3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25', '7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d', 'f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212', '55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a', 'b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3', 'fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8', 'd5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71', '543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91', '6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc', '6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44', 'e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf', '4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2', 'dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc', '6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421', 'e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa', '0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff', '3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c', '7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f', '9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395', 'aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3', '31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', '258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79', '146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88', '9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b', 'cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec', 'cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6', '436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7', 'b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf', 'b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602', '9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374', '81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1', '552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9', '81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469', '4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7', 'af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685', 'b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d', 'ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41', '06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4', '4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80', '314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073', '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5', '4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe', '38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a', '56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7', '455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b', 'e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4', '3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46', 'b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414', 'dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22', '221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9', 'afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508', '78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f', '7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457', 'd5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3', 'fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533', 'f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af', '58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495', 'dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8', '21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21', '91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c', '98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8', 'd25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26', '6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4', '3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5', '8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f', '1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8', '50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f', '3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8', '71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009', 'b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a', '3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3', '65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd', 'a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499', '509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6', '440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c', '09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1', '1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219', '677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf', '823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba', '05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748', '42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f', 'f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35', '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a', 'e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a', 'eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b', '88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463', '9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b')))" ], "filename": "driver_load_win_vuln_drivers.yml" }, { "title": "Suspicious Driver Load from Temp", "id": "2c4523d5-d481-4ed0-8ec3-7fbf0cb41a75", "status": "test", "description": "Detects a driver load from a temporary directory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "There is a relevant set of false positives depending on applications in the environment" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND ImageLoaded LIKE '%\\\\Temp\\\\%' ESCAPE '\\')" ], "filename": "driver_load_win_susp_temp_use.yml" }, { "title": "Vulnerable AVAST Anti Rootkit Driver Load", "id": "7c676970-af4f-43c8-80af-ec9b49952852", "status": "experimental", "description": "Detects the load of a signed and vulnerable AVAST Anti Rootkit driver often used by threat actors or malware for stopping and disabling AV and EDR products", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND (((Hashes LIKE '%MD5=a179c4093d05a3e1ee73f6ff07f994aa%' ESCAPE '\\' OR Hashes LIKE '%SHA1=5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1%' ESCAPE '\\') OR md5 = 'a179c4093d05a3e1ee73f6ff07f994aa' OR sha1 = '5d6b9e80e12bfc595d4d26f6afb099b3cb471dd4' OR sha256 = '4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1') OR (ImageLoaded LIKE '%\\\\aswArPot.sys' ESCAPE '\\' AND (Signed = 'false' OR SignatureStatus = 'Expired'))))" ], "filename": "driver_load_win_vuln_avast_anti_rootkit_driver.yml" }, { "title": "Vulnerable Dell BIOS Update Driver Load", "id": "21b23707-60d6-41bb-96e3-0f0481b0fed9", "status": "experimental", "description": "Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "cve.2021.21551", "attack.t1543", "attack.t1068" ], "falsepositives": [ "Legitimate BIOS driver updates (should be rare)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND (ImageLoaded LIKE '%\\\\DBUtil\\_2\\_3.Sys%' ESCAPE '\\' OR (Hashes LIKE '%SHA256=0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5%' ESCAPE '\\' OR Hashes LIKE '%SHA256=DDBF5ECCA5C8086AFDE1FB4F551E9E6400E94F4428FE7FB5559DA5CFFA654CC1%' ESCAPE '\\' OR Hashes LIKE '%SHA1=C948AE14761095E4D76B55D9DE86412258BE7AFD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=10B30BDEE43B3A2EC4AA63375577ADE650269D25%' ESCAPE '\\' OR Hashes LIKE '%MD5=C996D7971C49252C582171D9380360F2%' ESCAPE '\\' OR Hashes LIKE '%MD5=D2FD132AB7BBC6BBB87A84F026FA0244%' ESCAPE '\\') OR sha256 IN ('0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5', 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1') OR sha1 IN ('c948ae14761095e4d76b55d9de86412258be7afd', '10b30bdee43b3a2ec4aa63375577ade650269d25') OR md5 IN ('c996d7971c49252c582171d9380360f2', 'd2fd132ab7bbc6bbb87a84f026fa0244')))" ], "filename": "driver_load_win_vuln_dell_driver.yml" }, { "title": "Vulnerable HackSys Extreme Vulnerable Driver Load", "id": "295c9289-acee-4503-a571-8eacaef36b28", "status": "experimental", "description": "Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND (ImageLoaded LIKE '%\\\\HEVD.sys' ESCAPE '\\' OR (Hashes LIKE '%IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=c46ea2e651fd5f7f716c8867c6d13594%' ESCAPE '\\') OR Imphash IN ('f26d0b110873a1c7d8c4f08fbeab89c5', 'c46ea2e651fd5f7f716c8867c6d13594')))" ], "filename": "driver_load_win_vuln_hevd_driver.yml" }, { "title": "PowerShell Scripts Run by a Services", "id": "46deb5e1-28c9-4905-b2df-51cdcc9e6073", "status": "test", "description": "Detects powershell script installed as a Service", "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.execution", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND (ImageLoaded LIKE '%powershell%' ESCAPE '\\' OR ImageLoaded LIKE '%pwsh%' ESCAPE '\\'))" ], "filename": "driver_load_win_powershell_script_installed_as_service.yml" }, { "title": "Vulnerable Lenovo Driver Load", "id": "ac683a42-877b-4ff8-91ac-69e94b0f70b4", "status": "experimental", "description": "Detects the load of the vulnerable Lenovo driver as reported in CVE-2022-3699 which can be used to escalate privileges", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "cve.2021.21551", "attack.t1543" ], "falsepositives": [ "Legitimate driver loads (old driver that didn't receive an update)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND ((Hashes LIKE '%SHA256=F05B1EE9E2F6AB704B8919D5071BECBCE6F9D0F9D0BA32A460C41D5272134ABE%' ESCAPE '\\' OR Hashes LIKE '%SHA1=B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F%' ESCAPE '\\' OR Hashes LIKE '%MD5=B941C8364308990EE4CC6EADF7214E0F%' ESCAPE '\\') OR sha256 = 'f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe' OR sha1 = 'b89a8eef5aeae806af5ba212a8068845cafdab6f' OR md5 = 'b941c8364308990ee4cc6eadf7214e0f'))" ], "filename": "driver_load_win_vuln_lenovo_driver.yml" }, { "title": "Process Hacker and System Informer Driver Load", "id": "67add051-9ee7-4ad3-93ba-42935615ae8d", "status": "experimental", "description": "Detects the load of drivers used by Process Hacker and System Informer", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543" ], "falsepositives": [ "Legitimate user of process hacker or system informer by low level developers or system administrators" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND ((ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\SystemInformer.sys' ESCAPE '\\') OR (Hashes LIKE '%IMPHASH=821D74031D3F625BCBD0DF08B70F1E77%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=F86759BB4DE4320918615DC06E998A39%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0%' ESCAPE '\\') OR Imphash IN ('821D74031D3F625BCBD0DF08B70F1E77', 'F86759BB4DE4320918615DC06E998A39', '0A64EEB85419257D0CE32BD5D55C3A18', '6E7B34DFC017700B1517B230DF6FF0D0') OR (Hashes LIKE '%SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454%' ESCAPE '\\' OR Hashes LIKE '%SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34%' ESCAPE '\\' OR Hashes LIKE '%SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89%' ESCAPE '\\' OR Hashes LIKE '%SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB%' ESCAPE '\\' OR Hashes LIKE '%SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B%' ESCAPE '\\' OR Hashes LIKE '%SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97%' ESCAPE '\\' OR Hashes LIKE '%SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656%' ESCAPE '\\' OR Hashes LIKE '%SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138%' ESCAPE '\\') OR sha256 IN ('8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24', 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454', '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d', 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b', '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d', '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34', '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89', '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb', 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b', '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97', '251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656', 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4', '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138')))" ], "filename": "driver_load_win_process_hacker.yml" }, { "title": "Vulnerable Driver Load By Name", "id": "c316eac1-f3d8-42da-ad1c-66dcec5ca787", "status": "experimental", "description": "Detects the load of known vulnerable drivers via their names only.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543.003", "attack.t1068" ], "falsepositives": [ "False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.", "If you experience a lot of FP you could comment the driver name or its exact known legitimate location (when possible)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND (ImageLoaded LIKE '%\\\\mtcbsv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_def64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gameink.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\81.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_rcio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sense5ext.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gvcidrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86-withoutdbg.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atillk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lurker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\segwindrvx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\enetechio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inpoutx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows8-10-32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\corsairllaccess64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winflash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\paniox64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\blackbonedrv10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msio32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fiddrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutildrv2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\my.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wyproxy64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ni.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_i2cio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kprocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\protects.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phymem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proxy32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netproxydriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_hwmio64\\_w10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\physmem.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrsmartconnectdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\monitor\\_win10\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amdryzenmasterdriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sandra.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmix64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_i2c64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_rcio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zam64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncpl.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nchgbios2x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bwrsh.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lha.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntbios.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\blacklotus\\_driver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fidpcidrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ucorew64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwos2ec7x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmemx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows7-32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv106.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elbycdio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iomem64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asupio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\otipcibus.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows-xp-64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswarpot.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amdpowerprofiler.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tgsafe.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntiolib\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrrapidstartdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwos2ec10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viraglt64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iomap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lv561av.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nscm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\c.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asribdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\b1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eneio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\80.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asio32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iobitunlocker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\zamguard64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nstrwsk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wiseunlo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t7.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_hwmio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hostnt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\glckio2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hpportiox64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\citmdrv\\_amd64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kevp64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmixp64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nbiolib\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\full.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflash.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtcore64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\speedfan.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fidpcidrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hwrwdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msrhook.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proxy64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\7.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hw\\_sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64b.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\semav6msr64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bandai.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\piddrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t8.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv103.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adv64drv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrsetupdrv103.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bwrs.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbk64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fiddrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\goad.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gametersafe.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lenovodiagnosticsdriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netflt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bw.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntbios\\_2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutil.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dh\\_kernel.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow8x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\superbmc.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nodedriver.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz141.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dh\\_kernel\\_10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\naldrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winiodrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asmmap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_namco.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mhyprot.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iqvw64e.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nstr.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntiolib.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pciecubed.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vmdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atszio.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\agent64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpupress.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x86.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\krpocesshacker.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv102.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aswvmm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tmcomm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_def.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bsmi.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\alsysio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank1.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amifldrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rwdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\testbone.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64c.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\procexp.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\se64a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\air\\_system10.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcpu.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank6.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kbdcap64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lctka.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nvflsh64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phlashnt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\viragt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atszio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbutil\\_2\\_3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\phymemx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndislan.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panmonfltx64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\t3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\panmonflt.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank3.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\smep\\_capcom.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wyproxy32.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\black.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vboxdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cpuz\\_x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\poortry.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mydrivers.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winio64a.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\openlibsys.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bs\\_flash64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vproeventmonitor.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\piddrv64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wantd\\_2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sysinfo.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv104.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netfilterdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libnicm.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\driver7-x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\semav6msr.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pchunter.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asupio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkio64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rzpnk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magdrvamd64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\elrawdsk.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amp.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrautochkupddrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lgdcatcher.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fairplaykd.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\daxin\\_blank4.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtkiow10x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\citmdrv\\_ia64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt5.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asromgdrv.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nt2.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\asrdrv101.sys' ESCAPE '\\'))" ], "filename": "driver_load_win_vuln_drivers_names.yml" }, { "title": "Vulnerable HW Driver Load", "id": "9bacc538-d1b9-4d42-862e-469eafc05a41", "status": "experimental", "description": "Detects the load of a legitimate signed driver named HW.sys by often used by threat actors or malware for privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND (ImageLoaded LIKE '%\\\\HW.sys' ESCAPE '\\' OR (Hashes LIKE '%SHA256=4880F40F2E557CFF38100620B9AA1A3A753CB693AF16CD3D95841583EDCB57A8%' ESCAPE '\\' OR Hashes LIKE '%SHA256=55963284BBD5A3297F39F12F0D8A01ED99FE59D008561E3537BCD4DB4B4268FA%' ESCAPE '\\' OR Hashes LIKE '%SHA256=6A4875AE86131A594019DEC4ABD46AC6BA47E57A88287B814D07D929858FE3E5%' ESCAPE '\\' OR Hashes LIKE '%SHA1=74E4E3006B644392F5FCEA4A9BAE1D9D84714B57%' ESCAPE '\\' OR Hashes LIKE '%SHA1=18F34A0005E82A9A1556BA40B997B0EAE554D5FD%' ESCAPE '\\' OR Hashes LIKE '%SHA1=4E56E0B1D12664C05615C69697A2F5C5D893058A%' ESCAPE '\\' OR Hashes LIKE '%MD5=3247014BA35D406475311A2EAB0C4657%' ESCAPE '\\' OR Hashes LIKE '%MD5=376B1E8957227A3639EC1482900D9B97%' ESCAPE '\\' OR Hashes LIKE '%MD5=45C2D133D41D2732F3653ED615A745C8%' ESCAPE '\\') OR sha256 IN ('4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8', '55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa', '6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5') OR sha1 IN ('74e4e3006b644392f5fcea4a9bae1d9d84714b57', '18f34a0005e82a9a1556ba40b997b0eae554d5fd', '4e56e0b1d12664c05615c69697a2f5c5d893058a') OR md5 IN ('3247014ba35d406475311a2eab0c4657', '376b1e8957227a3639ec1482900d9b97', '45c2d133d41d2732f3653ed615a745c8')))" ], "filename": "driver_load_win_vuln_hw_driver.yml" }, { "title": "Vulnerable WinRing0 Driver Load", "id": "1a42dfa6-6cb2-4df9-9b48-295be477e835", "status": "experimental", "description": "Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND ((ImageLoaded LIKE '%\\\\WinRing0x64.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.sys' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinRing0x64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winring00x64.sys' ESCAPE '\\') OR Hashes LIKE '%IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7%' ESCAPE '\\' OR Imphash = 'd41fa95d4642dc981f10de36f4dc8cd7'))" ], "filename": "driver_load_win_vuln_winring0_driver.yml" }, { "title": "Usage Of Malicious POORTRY Signed Driver", "id": "91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6", "status": "experimental", "description": "Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543", "attack.t1068" ], "falsepositives": [ "Legitimate BIOS driver updates (should be rare)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND ((ImageLoaded LIKE '%\\\\prokiller64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gftkyj64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\KApcHelper\\_x64.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\NodeDriver.sys%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\LcTkA.sys%' ESCAPE '\\') OR (Hashes LIKE '%SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc%' ESCAPE '\\' OR Hashes LIKE '%SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104%' ESCAPE '\\' OR Hashes LIKE '%SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c%' ESCAPE '\\' OR Hashes LIKE '%SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4%' ESCAPE '\\' OR Hashes LIKE '%SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497%' ESCAPE '\\' OR Hashes LIKE '%SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a%' ESCAPE '\\' OR Hashes LIKE '%SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d%' ESCAPE '\\' OR Hashes LIKE '%SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c%' ESCAPE '\\' OR Hashes LIKE '%SHA1=cc65bf60600b64feece5575f21ab89e03a728332%' ESCAPE '\\' OR Hashes LIKE '%SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e%' ESCAPE '\\' OR Hashes LIKE '%SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98%' ESCAPE '\\' OR Hashes LIKE '%MD5=10f3679384a03cb487bda9621ceb5f90%' ESCAPE '\\' OR Hashes LIKE '%MD5=04a88f5974caa621cee18f34300fc08a%' ESCAPE '\\' OR Hashes LIKE '%MD5=6fcf56f6ca3210ec397e55f727353c4a%' ESCAPE '\\' OR Hashes LIKE '%MD5=0f16a43f7989034641fd2de3eb268bf1%' ESCAPE '\\' OR Hashes LIKE '%MD5=ee6b1a79cb6641aa44c762ee90786fe0%' ESCAPE '\\' OR Hashes LIKE '%MD5=909f3fc221acbe999483c87d9ead024a%' ESCAPE '\\') OR sha256 IN ('0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc', '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c', '8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104', 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c', '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4', 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497') OR sha1 IN ('31cc8718894d6e6ce8c132f68b8caaba39b5ba7a', 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d', '6debce728bcff73d9d1d334df0c6b1c3735e295c', 'cc65bf60600b64feece5575f21ab89e03a728332', '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e', 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98') OR md5 IN ('10f3679384a03cb487bda9621ceb5f90', '04a88f5974caa621cee18f34300fc08a', '6fcf56f6ca3210ec397e55f727353c4a', '0f16a43f7989034641fd2de3eb268bf1', 'ee6b1a79cb6641aa44c762ee90786fe0', '909f3fc221acbe999483c87d9ead024a')))" ], "filename": "driver_load_win_mal_poortry_driver.yml" }, { "title": "Vulnerable GIGABYTE Driver Load", "id": "7bcfeece-e5ed-4ff3-a5fb-2640d8cc8647", "status": "experimental", "description": "Detects the load of a signed and vulnerable GIGABYTE driver often used by threat actors or malware for privilege escalation", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '6' AND ((Hashes LIKE '%MD5=9AB9F3B75A2EB87FAFB1B7361BE9DFB3%' ESCAPE '\\' OR Hashes LIKE '%MD5=C832A4313FF082258240B61B88EFA025%' ESCAPE '\\' OR Hashes LIKE '%SHA1=FE10018AF723986DB50701C8532DF5ED98B17C39%' ESCAPE '\\' OR Hashes LIKE '%SHA1=1F1CE28C10453ACBC9D3844B4604C59C0AB0AD46%' ESCAPE '\\' OR Hashes LIKE '%SHA256=31F4CFB4C71DA44120752721103A16512444C13C2AC2D857A7E6F13CB679B427%' ESCAPE '\\' OR Hashes LIKE '%SHA256=CFC5C585DD4E592DD1A08887DED28B92D9A5820587B6F4F8FA4F56D60289259B%' ESCAPE '\\') OR md5 IN ('9ab9f3b75a2eb87fafb1b7361be9dfb3', 'c832a4313ff082258240b61b88efa025') OR sha1 IN ('fe10018af723986db50701c8532df5ed98b17c39', '1f1ce28c10453acbc9d3844b4604c59c0ab0ad46') OR sha256 IN ('31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427', 'cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b')))" ], "filename": "driver_load_win_vuln_gigabyte_driver.yml" }, { "title": "DLL Loaded From Suspicious Location Via Cmspt.EXE", "id": "75e508f7-932d-4ebc-af77-269237a84ce1", "status": "experimental", "description": "Detects cmstp loading \"dll\" or \"ocx\" files from suspicious locations", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1218.003" ], "falsepositives": [ "Unikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ProgramData\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Users\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\') AND (ImageLoaded LIKE '%.dll' ESCAPE '\\' OR ImageLoaded LIKE '%.ocx' ESCAPE '\\'))" ], "filename": "image_load_cmstp_load_dll_from_susp_location.yml" }, { "title": "Pingback Backdoor DLL Loading Activity", "id": "35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b", "status": "experimental", "description": "Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report", "author": "Bhabesh Raj", "tags": [ "attack.persistence", "attack.t1574.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND NewProcessName LIKE '%\\\\msdtc.exe' ESCAPE '\\' AND ImageLoaded LIKE 'C:\\\\Windows\\\\oci.dll' ESCAPE '\\')" ], "filename": "image_load_malware_pingback_backdoor.yml" }, { "title": "Microsoft VBA For Outlook Addin Loaded Via Outlook", "id": "9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed", "status": "test", "description": "Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1204.002" ], "falsepositives": [ "Legitimate macro usage. Add the appropriate filter according to your environment" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' AND ImageLoaded LIKE '\\\\outlvba.dll%' ESCAPE '\\')" ], "filename": "image_load_office_outlook_outlvba_load.yml" }, { "title": "FoggyWeb Backdoor DLL Loading", "id": "640dc51c-7713-4faa-8a0e-e7c0d9d4654c", "status": "test", "description": "Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected \"version.dll\" dll", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.resource_development", "attack.t1587" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE 'C:\\\\Windows\\\\ADFS\\\\version.dll' ESCAPE '\\')" ], "filename": "image_load_malware_foggyweb_nobelium.yml" }, { "title": "Fax Service DLL Search Order Hijack", "id": "828af599-4c53-4ed2-ba4a-a9f835c434ea", "status": "test", "description": "The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.", "author": "NVISO", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (NewProcessName LIKE '%\\\\fxssvc.exe' ESCAPE '\\' AND ImageLoaded LIKE '%ualapi.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], "filename": "image_load_side_load_ualapi.yml" }, { "title": "Active Directory Kerberos DLL Loaded Via Office Application", "id": "7417e29e-c2e7-4cf6-a2e8-767228c64837", "status": "test", "description": "Detects Kerberos DLL being loaded by an Office Product", "author": "Antonlovesdnb", "tags": [ "attack.execution", "attack.t1204.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\kerberos.dll' ESCAPE '\\')" ], "filename": "image_load_office_kerberos_dll_load.yml" }, { "title": "GAC DLL Loaded Via Office Applications", "id": "90217a70-13fc-48e4-b3db-0d836c5824ac", "status": "test", "description": "Detects any GAC DLL being loaded by an Office Product", "author": "Antonlovesdnb", "tags": [ "attack.execution", "attack.t1204.002" ], "falsepositives": [ "Legitimate macro usage. Add the appropriate filter according to your environment" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\assembly\\\\GAC\\_MSIL%' ESCAPE '\\')" ], "filename": "image_load_office_dotnet_gac_dll_load.yml" }, { "title": "UIPromptForCredentials DLLs", "id": "9ae01559-cf7e-4f8e-8e14-4c290a1b4784", "status": "experimental", "description": "Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.credential_access", "attack.collection", "attack.t1056.002" ], "falsepositives": [ "Other legitimate processes loading those DLLs in your environment." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ((ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wincredui.dll' ESCAPE '\\') OR OriginalFileName IN ('credui.dll', 'wincredui.dll')) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\opera\\_autoupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\regedit.exe' ESCAPE '\\') OR (Provider_Name = 'Microsoft-Windows-Kernel-Process' AND CommandLine LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\SpotifyAB.SpotifyMusic\\_%' ESCAPE '\\')))" ], "filename": "image_load_uipromptforcreds_dlls.yml" }, { "title": "Third Party Software DLL Sideloading", "id": "f9df325d-d7bc-4a32-8a1a-2cc61dcefc63", "status": "experimental", "description": "Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)", "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ((ImageLoaded LIKE '%\\\\commfunc.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Lenovo\\\\Communications Utility\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\tosbtkbd.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Toshiba\\\\Bluetooth Toshiba Stack\\\\%' ESCAPE '\\')))))" ], "filename": "image_load_side_load_third_party.yml" }, { "title": "Potential DLL Sideloading Of Non-Existent DLLs From System Folders", "id": "6b98b92b-4f00-4f62-b4fe-4d1920215771", "status": "experimental", "description": "Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT ((Signed = 'true' AND Signature = 'Microsoft Windows')))" ], "filename": "image_load_side_load_non_existent_dlls.yml" }, { "title": "Potential DLL Sideloading Via comctl32.dll", "id": "6360757a-d460-456c-8b13-74cf0e60cceb", "status": "experimental", "description": "Detects potential DLL sideloading using comctl32.dll to obtain system privileges", "author": "Nasreddine Bencherchali (Nextron Systems), Subhash Popuri (@pbssubhash)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\logonUI.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\werFault.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\consent.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\narrator.exe.local\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\windows\\\\system32\\\\wermgr.exe.local\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\comctl32.dll' ESCAPE '\\')" ], "filename": "image_load_side_load_comctl32.yml" }, { "title": "Potential Iviewers.DLL Sideloading", "id": "4c21b805-4dd7-469f-b47d-7383a8fcb437", "status": "experimental", "description": "Detects potential DLL sideloading of \"iviewers.dll\" (OLE/COM Object Interface Viewer)", "author": "X__Junior (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\iviewers.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], "filename": "image_load_side_load_iviewers.yml" }, { "title": "Windows Spooler Service Suspicious Binary Load", "id": "02fb90de-c321-4e63-a6b9-25f4b03dfd14", "status": "experimental", "description": "Detect DLL Load from Spooler Service backup folder", "author": "FPT.EagleEye, Thomas Patzke (improvements)", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", "attack.t1574", "cve.2021.1675", "cve.2021.34527" ], "falsepositives": [ "Loading of legitimate driver" ], "level": "informational", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND NewProcessName LIKE '%\\\\spoolsv.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\%' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\%' ESCAPE '\\') AND ImageLoaded LIKE '%.dll' ESCAPE '\\')" ], "filename": "image_load_spoolsv_dll_load.yml" }, { "title": "Suspicious Renamed Comsvcs DLL Loaded By Rundll32", "id": "8cde342c-ba48-4b74-b615-172c330f2e93", "status": "experimental", "description": "Detects rundll32 loading a renamed comsvcs.dll to dump process memory", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.defense_evasion", "attack.t1003.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND (Hashes LIKE '%IMPHASH=eed93054cb555f3de70eaa9787f32ebb%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=5e0dbdec1fce52daae251a110b4f309d%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=eadbccbb324829acb5f2bbe87e5549a8%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=407ca0f7b523319d758a40d7c0193699%' ESCAPE '\\' OR Hashes LIKE '%IMPHASH=281d618f4e6271e527e6386ea6f748de%' ESCAPE '\\')) AND NOT (ImageLoaded LIKE '%\\\\comsvcs.dll' ESCAPE '\\'))" ], "filename": "image_load_dll_comsvcs_load_renamed_version_by_rundll32.yml" }, { "title": "Potential Azure Browser SSO Abuse", "id": "50f852e6-af22-4c78-9ede-42ef36aa3453", "status": "test", "description": "Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser.\nAn attacker can use this to authenticate to Azure AD in a browser as that user.\n", "author": "Den Iuzvyk", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1574.002" ], "falsepositives": [ "False positives are expected since this rules is only looking for the DLL load event. This rule is better used in correlation with related activity" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\MicrosoftAccountTokenProvider.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\BackgroundTaskHost.exe' ESCAPE '\\'))) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\IDE\\\\devenv.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe' ESCAPE '\\') OR (NewProcessName = '')))" ], "filename": "image_load_abusing_azure_browser_sso.yml" }, { "title": "Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded", "id": "bdc64095-d59a-42a2-8588-71fd9c9d9abc", "status": "test", "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", "author": "Perez Diego (@darkquassar), oscd.community, Ecco", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND Signed = 'false')" ], "filename": "image_load_dll_dbghelp_dbgcore_unsigned_load.yml" }, { "title": "CLR DLL Loaded Via Office Applications", "id": "d13c43f0-f66b-4279-8b2c-5912077c1780", "status": "test", "description": "Detects CLR DLL being loaded by an Office Product", "author": "Antonlovesdnb", "tags": [ "attack.execution", "attack.t1204.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\clr.dll%' ESCAPE '\\')" ], "filename": "image_load_office_dotnet_clr_dll_load.yml" }, { "title": "Aruba Network Service Potential DLL Sideloading", "id": "90ae0469-0cee-4509-b67f-e5efcef040f7", "status": "experimental", "description": "Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access \"arubanetsvc.exe\" process using DLL Search Order Hijacking", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.persistence", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (NewProcessName LIKE '%\\\\arubanetsvc.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcr100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp100.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpapi.dll' ESCAPE '\\')) AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')))" ], "filename": "image_load_side_load_aruba_networks_virtual_intranet_access.yml" }, { "title": "Potential System DLL Sideloading From Non System Locations", "id": "4fc0deee-0057-4998-ab31-d24e46e0aba4", "status": "experimental", "description": "Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Legitimate applications loading their own versions of the DLLs mentioned in this rule" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (ImageLoaded LIKE '%\\\\shfolder.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\activeds.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\adsldpc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aepic.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\apphelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\applicationframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxalluserstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appxdeploymentclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\archiveint.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\atl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\audioses.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\auditpolcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authfwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\authz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\avrt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcd.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47langs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcp47mrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bcrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabinet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cabview.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\certenroll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cldapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clipc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\clusapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmpbk32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coloradapterclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\colorui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\comdlg32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\connect.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coremessaging.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\credui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptxml.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cscui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d2d1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10\\_1core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d10warp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d11.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d12.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\d3d9.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dataexchange.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\davclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\defragproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\desktopshellext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\deviceassociation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicecredential.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devicepairing.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devobj.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\devrtl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dhcpcsvc6.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\directmanipulation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcfgutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcmnutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenrollengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmenterprisediagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmiso8601utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmoleaututils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmprocessxmlfiltered.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmpushproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmxmlhelputils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dnsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3api.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dot3cfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsparse.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsreg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsrole.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dui70.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\duser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dusmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwrite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxgi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxva2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\eappprxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edputil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsadu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\efsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\esent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\execmodelproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\explorerframe.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\faultrep.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fddevquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\feclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\firewallapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\flightsettings.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fltlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwcfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpolicyiomgr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fwpuclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\getuname.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\hnetmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\httpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\idstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ieadvpack.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iedkcs32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iertutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iphlpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iri.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsidsc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iscsium.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\joinutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ksuser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ktmw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensemanagerapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\licensingdiagspp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\linkinfo.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\loadperf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\logoncontroller.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lpksetupproxyserv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\magnification.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mapistub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfplat.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\midimap.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\miutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mlang.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mmdevapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mobilenetworking.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mpr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mprapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mrmcorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msacm32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscms.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctf.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msctfmonitor.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdrm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msftedit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msutb.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswb7.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mswsock.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msxml3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mtxclu.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\napinsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ncrypt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ndfapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netid.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netiohlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netplwiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprofm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netsetupapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netshell.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\networkexplorer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\newdev.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ninput.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlaapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nlansp\\_c.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\npmproxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nshwfp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntdsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlanman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntlmshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntmarta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ntshrui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\oleacc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\omadmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\onex.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osbaseln.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osuninst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2p.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p2pnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\p9np.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pcaui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\peerdistsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pla.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pnrpnsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\policymanager.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\polstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\printui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\propsys.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prvdmofcomp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\puiapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\radcui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasgcw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasman.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasmontr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reagent.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\regapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rmclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpcnsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rtworkq.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sapi\\_onecore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sas.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scansetting.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scecli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\schedcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\secur32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\shell32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\slc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\snmpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srvcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssp\\_isv.exe\\_rsaenh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sspicli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\staterepository.core.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\structuredquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sxshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tbs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tquery.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsworkspace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\twinui.appcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uianimation.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiautomationcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uireng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uiribbon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\updatepolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\userenv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utildll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxinit.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\uxtheme.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vaultcli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\virtdisk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcmapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wcnnetsh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wdscore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\webservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wecapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wer.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wevtapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\whhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wimgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbrand.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.storage.search.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecs.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowscodecsext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windowsudk.shellcommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winhttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wininet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winipsec.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmde.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winmm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winnsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winrnr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsqlite3.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsta.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wkscli.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlanapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wldp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlidprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmidcom.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmsgapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wofutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wpdshext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshbth.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wtsapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xmllite.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xolehlp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwizards.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xwtpw32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\aclui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bderepair.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootmenuux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dcntel.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dwmcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dynamoapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fhsvcctl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsst.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\inproclogger.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumbase.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\kdstub.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\maintenanceui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mdmdiagnostics.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mintdh.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtctm.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\nettrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\osksupport.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\reseteng.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\resetengine.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\spectrumsyncclient.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\systemsettingsthresholdadminflowui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\timesync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\upshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmpdui.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wwancfg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dpx.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxsapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fxstiff.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\xpsservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appvpolicy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\batmeter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\bootux.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cmutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\configmanager2.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coredplus.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\coreuicomponents.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptsp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dmcommandlineutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\drvstore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsprop.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxcore.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\edgeiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\framedynos.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fveskybackup.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fvewiz.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\gpapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\icmp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ifsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\iumsdk.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockhostingframework.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lrwizdll.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mbaexmlparser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mfc42u.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msiso.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msvcp110\\_win.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netapi32.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netjoin.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\netprovfw.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\opcservices.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\pkeyhelper.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\playsndsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\powrprof.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\prntvpt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\profapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximitycommon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\proximityservicepal.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rasdlg.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\security.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\sppcext.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\srmtrace.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tpmcoreprovisioning.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\umpdc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\unattend.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\urlmon.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vdsutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\version.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winbio.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\windows.ui.immersive.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winscard.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\winsync.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wscapi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wsmsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FxsCompose.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WfsR.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rpchttp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\storageusage.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\PrintIsolationProxy.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\msdtcVSp1res.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\rdpendp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dxilconv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\utcutil.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\appraiser.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dsound.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\DispBroker.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\FXSRESM.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\cryptnet.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\COMRES.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdumdim64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igd12umd64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\igdusc64.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WLBSCTRL.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSMSISrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\TSVIPSrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wow64log.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WptsExtensions.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\AppVPolicy.dll' ESCAPE '\\' AND NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (ImageLoaded LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe%' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\cleanmgr.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\ssshim.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\DellInc.DellSupportAssistforPCs%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\wldp.dll' ESCAPE '\\')))" ], "filename": "image_load_side_load_from_non_system_location.yml" }, { "title": "VMGuestLib DLL Sideload", "id": "70e8e9b4-6a93-4cb7-8cde-da69502e7aff", "status": "experimental", "description": "Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "FP could occur if the legitimate version of vmGuestLib already exists on the system" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (ImageLoaded LIKE '%\\\\VMware\\\\VMware Tools\\\\vmStatsProvider\\\\win32%' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\vmGuestLib.dll%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe' ESCAPE '\\') AND NOT (Signed = 'true'))" ], "filename": "image_load_side_load_vmguestlib.yml" }, { "title": "DotNET Assembly DLL Loaded Via Office Application", "id": "ff0f2b05-09db-4095-b96d-1b75ca24894a", "status": "test", "description": "Detects any assembly DLL being loaded by an Office Product", "author": "Antonlovesdnb", "tags": [ "attack.execution", "attack.t1204.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE 'C:\\\\Windows\\\\assembly\\\\%' ESCAPE '\\')" ], "filename": "image_load_office_dotnet_assembly_dll_load.yml" }, { "title": "Potential DCOM InternetExplorer.Application DLL Hijack - Image Load", "id": "f354eba5-623b-450f-b073-0b5b2773b6aa", "status": "test", "description": "Detects potential DLL hijack of \"iertutil.dll\" found in the DCOM InternetExplorer.Application Class", "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga", "tags": [ "attack.lateral_movement", "attack.t1021.002", "attack.t1021.003" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND NewProcessName LIKE '%\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\')" ], "filename": "image_load_dcom_iertutil_dll_hijack.yml" }, { "title": "DLL Sideloading Of DBGHELP.DLL", "id": "6414b5cd-b19d-447e-bb5e-9f03940b5784", "status": "experimental", "description": "Detects DLL sideloading of \"dbghelp.dll\"", "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\') OR (ImageLoaded LIKE '%\\\\Epic Games\\\\Launcher\\\\Engine\\\\Binaries\\\\ThirdParty\\\\DbgHelp\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Epic Games\\\\MagicLegends\\\\x86\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\amd64\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Anaconda3\\\\Lib\\\\site-packages\\\\vtrace\\\\platforms\\\\windll\\\\i386\\\\dbghelp.dll' ESCAPE '\\'))))" ], "filename": "image_load_side_load_dbghelp_dll.yml" }, { "title": "DLL Load By System Process From Suspicious Locations", "id": "9e9a9002-56c4-40fd-9eff-e4b09bfa5f6c", "status": "experimental", "description": "Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location such as C:\\Users\\Public", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1070" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], "filename": "image_load_susp_dll_load_system_process.yml" }, { "title": "Suspicious WSMAN Provider Image Loads", "id": "ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94", "status": "experimental", "description": "Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", "attack.t1059.001", "attack.lateral_movement", "attack.t1021.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ((((ImageLoaded LIKE '%\\\\WsmSvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WsmAuto.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\Microsoft.WSMan.Management.ni.dll' ESCAPE '\\') OR OriginalFileName IN ('WsmSvc.dll', 'WSMANAUTOMATION.DLL', 'Microsoft.WSMan.Management.dll')) OR (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND OriginalFileName = 'WsmWmiPl.dll')) AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\')) OR ((CommandLine LIKE '%svchost.exe -k netsvcs -p -s BITS%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k NetworkService -p -s Wecsvc%' ESCAPE '\\' OR CommandLine LIKE '%svchost.exe -k netsvcs%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Configure-SMRemoting.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\ServerManager.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Citrix\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND CommandLine = '')))" ], "filename": "image_load_wsman_provider_image_load.yml" }, { "title": "Svchost DLL Search Order Hijack", "id": "602a1f13-c640-4d73-b053-be9a2fa58b77", "status": "test", "description": "Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system\nIKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\\Windows\\System32\\ by default.\nAn attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services \"svchost.exe -k netsvcs\" to gain code execution on a remote machine.\n", "author": "SBousseaden", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.t1574.002", "attack.t1574.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\tsmsisrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\tsvipsrv.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wlbsctrl.dll' ESCAPE '\\')) AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\'))" ], "filename": "image_load_side_load_svchost_dlls.yml" }, { "title": "WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load", "id": "b439f47d-ef52-4b29-9a2f-57d8a96cb6b8", "status": "test", "description": "Detects signs of the WMI script host process \"scrcons.exe\" loading scripting DLLs which could indciates WMI ActiveScriptEventConsumers EventConsumers activity.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.lateral_movement", "attack.privilege_escalation", "attack.persistence", "attack.t1546.003" ], "falsepositives": [ "Legitimate event consumers", "Dell computers on some versions register an event consumer that is known to cause false positives when brightness is changed by the corresponding keyboard button" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND NewProcessName LIKE '%\\\\scrcons.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemdisp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wshom.ocx' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\scrrun.dll' ESCAPE '\\'))" ], "filename": "image_load_scrcons_wmi_scripteventconsumer.yml" }, { "title": "WMIC Loading Scripting Libraries", "id": "06ce37c2-61ab-4f05-9ff5-b1a96d18ae32", "status": "test", "description": "Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", "attack.t1220" ], "falsepositives": [ "The command wmic os get lastboottuptime loads vbscript.dll", "The command wmic os get locale loads vbscript.dll", "Since the ImageLoad event doesn't have enough information in this case. It's better to look at the recent process creation events that spawned the WMIC process and investigate the command line and parent/child processes to get more insights" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\jscript.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vbscript.dll' ESCAPE '\\'))" ], "filename": "image_load_wmic_remote_xsl_scripting_dlls.yml" }, { "title": "Potential DLL Sideloading Via VMware Xfer", "id": "9313dc13-d04c-46d8-af4a-a930cc55d93b", "status": "experimental", "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (NewProcessName LIKE '%\\\\VMwareXferlogs.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\glib-2.0.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\VMware\\\\%' ESCAPE '\\'))" ], "filename": "image_load_side_load_vmware_xfer.yml" }, { "title": "Suspicious Volume Shadow Copy VSS_PS.dll Load", "id": "333cdbe8-27bb-4246-bf82-b41a0dca4b70", "status": "experimental", "description": "Detects the image load of vss_ps.dll by uncommon executables", "author": "Markus Neis, @markus_neis", "tags": [ "attack.defense_evasion", "attack.impact", "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\vss\\_ps.dll' ESCAPE '\\' AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\clussvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dismhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dllhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\appcmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\inetsrv\\\\iissetup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\searchindexer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\srtasks.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\taskhostw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\tiworker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\System32\\\\SystemPropertiesAdvanced.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (CommandLine LIKE 'C:\\\\$WinREAgent\\\\Scratch\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\dismhost.exe {%' ESCAPE '\\')))" ], "filename": "image_load_dll_vss_ps_susp_load.yml" }, { "title": "Time Travel Debugging Utility Usage - Image", "id": "e76c8240-d68f-4773-8880-5c6f63595aaf", "status": "test", "description": "Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.", "author": "Ensar Şamil, @sblmsrsn, @oscd_initiative", "tags": [ "attack.defense_evasion", "attack.credential_access", "attack.t1218", "attack.t1003.001" ], "falsepositives": [ "Legitimate usage by software developers/testers" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (ImageLoaded LIKE '%\\\\ttdrecord.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdwriter.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\ttdloader.dll' ESCAPE '\\'))" ], "filename": "image_load_tttracer_mod_load.yml" }, { "title": "HackTool - SharpEvtMute DLL Load", "id": "49329257-089d-46e6-af37-4afce4290685", "status": "experimental", "description": "Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ "Other DLLs with the same Imphash" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (Hashes LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Imphash = '330768a4f172e10acb6287b87289d83b'))" ], "filename": "image_load_hktl_sharpevtmute.yml" }, { "title": "Suspicious Volume Shadow Copy Vssapi.dll Load", "id": "37774c23-25a1-4adb-bb6d-8bb9fd59c0f8", "status": "experimental", "description": "Detects the image load of VSS DLL by uncommon executables", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.impact", "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\vssapi.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\')))" ], "filename": "image_load_dll_vssapi_susp_load.yml" }, { "title": "Potential Libvlc.DLL Sideloading", "id": "bf9808c4-d24f-44a2-8398-b65227d406b6", "status": "experimental", "description": "Detects potential DLL sideloading of \"libvlc.dll\", a DLL that is legitimately used by \"VLC.exe\"", "author": "X__Junior", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "False positives are expected if VLC is installed in non-default locations" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\libvlc.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\VideoLAN\\\\VLC\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\VideoLAN\\\\VLC\\\\%' ESCAPE '\\'))))" ], "filename": "image_load_side_load_libvlc.yml" }, { "title": "WMI Persistence - Command Line Event Consumer", "id": "05936ce2-ee05-4dae-9d03-9a391cf2d2c6", "status": "test", "description": "Detects WMI command line event consumers", "author": "Thomas Patzke", "tags": [ "attack.t1546.003", "attack.persistence" ], "falsepositives": [ "Unknown (data set is too small; further testing needed)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbemcons.dll' ESCAPE '\\')" ], "filename": "image_load_wmi_persistence_commandline_event_consumer.yml" }, { "title": "Web Browsers DLL Sideloading", "id": "72ca7c75-bf85-45cd-aca7-255d360e423c", "status": "experimental", "description": "Detects DLL sideloading of DLLs that are part of web browsers", "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\chrome\\_frame\\_helper.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE '%\\\\AppData\\\\local\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\')))" ], "filename": "image_load_side_load_web_browsers.yml" }, { "title": "System Drawing DLL Load", "id": "666ecfc7-229d-42b8-821e-1a8f8cb7057c", "status": "experimental", "description": "Detects processes loading \"System.Drawing.ni.dll\". This could be an indicator of potential Screen Capture.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.collection", "attack.t1113" ], "falsepositives": [ "False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\System.Drawing.ni.dll' ESCAPE '\\')" ], "filename": "image_load_dll_system_drawing_load.yml" }, { "title": "Potential DLL Sideloading Using Coregen.exe", "id": "0fa66f66-e3f6-4a9c-93f8-4f2610b00171", "status": "experimental", "description": "Detect usage of DLL \"coregen.exe\" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218", "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND NewProcessName LIKE '%\\\\coregen.exe' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Silverlight\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\%' ESCAPE '\\')))" ], "filename": "image_load_side_load_coregen.yml" }, { "title": "Wmiprvse Wbemcomn DLL Hijack", "id": "7707a579-e0d8-4886-a853-ce47e4575aaa", "status": "test", "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network and loading it for a WMI DLL Hijack scenario.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", "attack.t1047", "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND NewProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\')" ], "filename": "image_load_wmiprvse_wbemcomn_dll_hijack.yml" }, { "title": "PowerShell Core DLL Loaded By Non PowerShell Process", "id": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", "status": "experimental", "description": "Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. Detects behaviour similar to meterpreter's \"load powershell\" extension.", "author": "Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton", "tags": [ "attack.t1059.001", "attack.execution" ], "falsepositives": [ "Used by some .NET binaries, minimal on user workstation.", "Used by Microsoft SQL Server Management Studio" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (ImageLoaded LIKE '%\\\\System.Management.Automation.Dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\System.Management.Automation.ni.Dll' ESCAPE '\\') AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\dsac.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powershell\\_ise.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WINDOWS\\\\System32\\\\RemoteFXvGPUDisablement.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sqlps.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wsmprovhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winrshost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\syncappvpublishingserver.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\runscripthelper.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServerManager.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Microsoft SQL Server Management Studio %\\\\Common%\\\\IDE\\\\Ssms.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.VSDetouredHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.SettingsHost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ServiceHub.Host.CLR.x86.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Citrix\\\\ConfigSync\\\\ConfigSyncRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR (NewProcessName = '')))" ], "filename": "image_load_dll_system_management_automation_susp_load.yml" }, { "title": "Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE", "id": "ec8c4047-fad9-416a-8c81-0f479353d7f6", "status": "experimental", "description": "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the \"sdiageng.dll\" library", "author": "Greg (rule)", "tags": [ "attack.defense_evasion", "attack.t1202", "cve.2022.30190" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND NewProcessName LIKE '%\\\\msdt.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\sdiageng.dll' ESCAPE '\\')" ], "filename": "image_load_dll_sdiageng_load_by_msdt.yml" }, { "title": "Suspicious Volume Shadow Copy Vsstrace.dll Load", "id": "48bfd177-7cf2-412b-ad77-baf923489e82", "status": "experimental", "description": "Detects the image load of VSS DLL by uncommon executables", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.impact", "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\vsstrace.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\{%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], "filename": "image_load_dll_vsstrace_susp_load.yml" }, { "title": "VBA DLL Loaded Via Office Application", "id": "e6ce8457-68b1-485b-9bdd-3c2b5d679aa9", "status": "test", "description": "Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.", "author": "Antonlovesdnb", "tags": [ "attack.execution", "attack.t1204.002" ], "falsepositives": [ "Legitimate macro usage. Add the appropriate filter according to your environment" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\VBE7.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBEUI.DLL' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\VBE7INTL.DLL' ESCAPE '\\'))" ], "filename": "image_load_office_vbadll_load.yml" }, { "title": "Potential DLL Sideloading Via JsSchHlp", "id": "68654bf0-4412-43d5-bfe8-5eaa393cd939", "status": "experimental", "description": "Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\JSESPR.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Common Files\\\\Justsystem\\\\JsSchHlp\\\\%' ESCAPE '\\'))" ], "filename": "image_load_side_load_jsschhlp.yml" }, { "title": "Potential Rcdll.DLL Sideloading", "id": "6e78b74f-c762-4800-82ad-f66787f10c8a", "status": "experimental", "description": "Detects potential DLL sideloading of rcdll.dll", "author": "X__Junior (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\rcdll.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Kits\\\\%' ESCAPE '\\')))" ], "filename": "image_load_side_load_rcdll.yml" }, { "title": "Python Py2Exe Image Load", "id": "cbb56d62-4060-40f7-9466-d8aaf3123f83", "status": "experimental", "description": "Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.", "author": "Patrick St. John, OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", "attack.t1027.002" ], "falsepositives": [ "Legitimate Py2Exe Binaries", "Known false positive caused with Python Anaconda" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND Description = 'Python Core' AND NOT ((NewProcessName LIKE '%Python%' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\ProgramData\\\\Anaconda3\\\\%' ESCAPE '\\')) OR (NewProcessName = '')))" ], "filename": "image_load_susp_python_image_load.yml" }, { "title": "Microsoft Defender Loading DLL from Nondefault Path", "id": "418dc89a-9808-4b87-b1d7-e5ae0cb6effc", "status": "experimental", "description": "Detects loading of Microsoft Defender's DLLs by its processes (MpCmdRun and NisSrv) from the non-default directory which may be an attempt to sideload arbitrary DLL", "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Very unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ((NewProcessName LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\NisSrv.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\mpclient.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Windows Defender\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')))" ], "filename": "image_load_side_load_windows_defender.yml" }, { "title": "Potential Antivirus Software DLL Sideloading", "id": "552b6b65-df37-4d3e-a258-f2fc4771ae54", "status": "experimental", "description": "Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused.", "Dell SARemediation plugin folder (C:\\Program Files\\Dell\\SARemediation\\plugin\\log.dll) is known to contain the 'log.dll' file.", "The Canon MyPrinter folder 'C:\\Program Files\\Canon\\MyPrinter\\' is known to contain the 'log.dll' file" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (((((((ImageLoaded LIKE '%\\\\log.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Program Files\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Bitdefender Antivirus Free\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\TelemetryUtility.exe' ESCAPE '\\' AND (ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\plugin\\\\log.dll' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Dell\\\\SARemediation\\\\audit\\\\log.dll' ESCAPE '\\')) OR (ImageLoaded LIKE 'C:\\\\Program Files\\\\Canon\\\\MyPrinter\\\\%' ESCAPE '\\'))) OR (ImageLoaded LIKE '%\\\\qrt.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\F-Secure\\\\Anti-Virus\\\\%' ESCAPE '\\')))) OR ((ImageLoaded LIKE '%\\\\ashldres.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\lockdown.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\vsodscpl.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\McAfee\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\McAfee\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\vftrace.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\CyberArk\\\\Endpoint Privilege Manager\\\\Agent\\\\x32\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\wsc.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\AVAST Software\\\\Avast\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\tmdbglog.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\Trend Micro\\\\Titanium\\\\%' ESCAPE '\\')))) OR (ImageLoaded LIKE '%\\\\DLPPREM32.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\program Files\\\\ESET%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\program Files (x86)\\\\ESET%' ESCAPE '\\')))))" ], "filename": "image_load_side_load_antivirus.yml" }, { "title": "Possible Process Hollowing Image Loading", "id": "e32ce4f5-46c6-4c47-ba69-5de3c9193cd7", "status": "test", "description": "Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz", "author": "Markus Neis", "tags": [ "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Very likely, needs more tuning" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND NewProcessName LIKE '%\\\\notepad.exe' ESCAPE '\\' AND (ImageLoaded LIKE '%\\\\samlib.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WinSCard.dll' ESCAPE '\\'))" ], "filename": "image_load_susp_uncommon_image_load.yml" }, { "title": "Amsi.DLL Load By Uncommon Process", "id": "facd1549-e416-48e0-b8c4-41d7215eedc8", "status": "experimental", "description": "Detects loading of Amsi.dll by uncommon processes", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.impact", "attack.t1490" ], "falsepositives": [ "Likely" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\amsi.dll' ESCAPE '\\' AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\ngentask.exe' ESCAPE '\\') OR (NewProcessName = '') OR (NewProcessName = '')))" ], "filename": "image_load_dll_amsi_uncommon_process.yml" }, { "title": "UAC Bypass Using Iscsicpl - ImageLoad", "id": "9ed5959a-c43c-4c59-84e3-d28628429456", "status": "experimental", "description": "Detects the \"iscsicpl.exe\" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\iscsicpl.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\iscsiexe.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE '%C:\\\\Windows\\\\%' ESCAPE '\\' AND ImageLoaded LIKE '%iscsiexe.dll%' ESCAPE '\\'))" ], "filename": "image_load_uac_bypass_iscsicpl.yml" }, { "title": "DLL Sideloading Of ShellChromeAPI.DLL", "id": "ee4c5d06-3abc-48cc-8885-77f1c20f4451", "status": "experimental", "description": "Detects processes loading the non-existent DLL \"ShellChromeAPI\". One known example is the \"DeviceEnroller\" binary in combination with the \"PhoneDeepLink\" flag tries to load this DLL.\nAdversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\ShellChromeAPI.dll' ESCAPE '\\')" ], "filename": "image_load_side_load_shell_chrome_api.yml" }, { "title": "HackTool - SILENTTRINITY Stager DLL Load", "id": "75c505b1-711d-4f68-a357-8c3fe37dbf2d", "status": "test", "description": "Detects SILENTTRINITY stager dll loading activity", "author": "Aleksey Potapov, oscd.community", "tags": [ "attack.command_and_control", "attack.t1071" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND Description LIKE '%st2stager%' ESCAPE '\\')" ], "filename": "image_load_hktl_silenttrinity_stager.yml" }, { "title": "Active Directory Parsing DLL Loaded Via Office Application", "id": "a2a3b925-7bb0-433b-b508-db9003263cc4", "status": "test", "description": "Detects DSParse DLL being loaded by an Office Product", "author": "Antonlovesdnb", "tags": [ "attack.execution", "attack.t1204.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mspub.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenote.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\onenoteim.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\') AND ImageLoaded LIKE '%\\\\dsparse.dll%' ESCAPE '\\')" ], "filename": "image_load_office_dsparse_dll_load.yml" }, { "title": "PCRE.NET Package Image Load", "id": "84b0a8f3-680b-4096-a45b-e9a89221727c", "status": "test", "description": "Detects processes loading modules related to PCRE.NET package", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\ba9ea7344a4a5f591d6e5dc32a13494b\\\\%' ESCAPE '\\')" ], "filename": "image_load_pcre_net_load.yml" }, { "title": "DLL Sideloading Of DBGCORE.DLL", "id": "9ca2bf31-0570-44d8-a543-534c47c33ed7", "status": "experimental", "description": "Detects DLL sideloading of \"dbgcore.dll\"", "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Legitimate applications loading their own versions of the DLL mentioned in this rule" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\' AND NOT (((ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Windows\\\\SystemTemp\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], "filename": "image_load_side_load_dbgcore_dll.yml" }, { "title": "Microsoft Office DLL Sideload", "id": "829a3bdf-34da-4051-9cf4-8ed221a8ae4f", "status": "experimental", "description": "Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location", "author": "Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\outllib.dll' ESCAPE '\\' AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\Root\\\\OFFICE%' ESCAPE '\\')))" ], "filename": "image_load_side_load_office_dlls.yml" }, { "title": "WMI Modules Loaded", "id": "671bb7e3-a020-4824-a00e-2ee5b55f385e", "status": "test", "description": "Detects non wmiprvse loading WMI modules", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "informational", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ((ImageLoaded LIKE '%\\\\wmiclnt.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WmiApRpl.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiprov.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wmiutils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemcomn.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemprox.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\WMINet\\_Utils.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\wbemsvc.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\fastprox.dll' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WmiApSrv.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\DeviceCensus.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\CompatTelRunner.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdiagnhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\SIHClient.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ngentask.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\windows\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\windows\\\\system32\\\\MoUsoCoreWorker.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\windows\\\\system32\\\\wbem\\\\WMIADAP.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\Sysmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\wbem\\\\unsecapp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\logman.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\systeminfo.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\nvcontainer.exe' ESCAPE '\\' OR NewProcessName LIKE '%C:\\\\Windows\\\\System32\\\\wbem\\\\WMIC.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\opera\\_autoupdate.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], "filename": "image_load_wmi_module_load.yml" }, { "title": "Potential DLL Sideloading Via ClassicExplorer32.dll", "id": "caa02837-f659-466f-bca6-48bde2826ab4", "status": "experimental", "description": "Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ImageLoaded LIKE '%\\\\ClassicExplorer32.dll' ESCAPE '\\' AND NOT (ImageLoaded LIKE 'C:\\\\Program Files\\\\Classic Shell\\\\%' ESCAPE '\\'))" ], "filename": "image_load_side_load_classicexplorer32.yml" }, { "title": "DotNet CLR DLL Loaded By Scripting Applications", "id": "4508a70e-97ef-4300-b62b-ff27992990ea", "status": "test", "description": "Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.", "author": "omkar72, oscd.community", "tags": [ "attack.execution", "attack.privilege_escalation", "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (NewProcessName LIKE '%\\\\cmstp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msxsl.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\') AND (ImageLoaded LIKE '%\\\\clr.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscoree.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\mscorlib.dll' ESCAPE '\\'))" ], "filename": "image_load_susp_script_dotnet_clr_dll_load.yml" }, { "title": "UAC Bypass With Fake DLL", "id": "a5ea83a7-05a5-44c1-be2e-addccbbd8c03", "status": "test", "description": "Attempts to load dismcore.dll after dropping it", "author": "oscd.community, Dmitry Uchakin", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002", "attack.t1574.002" ], "falsepositives": [ "Actions of a legitimate telnet client" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (NewProcessName LIKE '%\\\\dism.exe' ESCAPE '\\' AND ImageLoaded LIKE '%\\\\dismcore.dll' ESCAPE '\\') AND NOT (ImageLoaded LIKE 'C:\\\\Windows\\\\System32\\\\Dism\\\\dismcore.dll' ESCAPE '\\'))" ], "filename": "image_load_uac_bypass_via_dism.yml" }, { "title": "Load Of Dbghelp/Dbgcore DLL From Suspicious Process", "id": "0e277796-5f23-4e49-a490-483131d4f6e1", "status": "test", "description": "Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.\nTools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.\nAs an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.\n", "author": "Perez Diego (@darkquassar), oscd.community, Ecco", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND ((ImageLoaded LIKE '%\\\\dbghelp.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\dbgcore.dll' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\excel.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\outlook.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\bash.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\wscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\cscript.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mshta.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\dnx.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvcs.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sc.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\scriptrunner.exe' ESCAPE '\\')) AND NOT ((CommandLine LIKE 'C:\\\\WINDOWS\\\\winsxs\\\\%' ESCAPE '\\' AND CommandLine LIKE '%\\\\TiWorker.exe -Embedding' ESCAPE '\\')))" ], "filename": "image_load_dll_dbghelp_dbgcore_susp_load.yml" }, { "title": "Unsigned Image Loaded Into LSASS Process", "id": "857c8db3-c89b-42fb-882b-f681c7cf4da2", "status": "test", "description": "Loading unsigned image (DLL, EXE) into LSASS process", "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Valid user connecting using RDP" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND Signed = 'false')" ], "filename": "image_load_unsigned_image_loaded_into_lsass.yml" }, { "title": "Alternate PowerShell Hosts - Image", "id": "fe6e002f-f244-4278-9263-20e4b593827f", "status": "experimental", "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (Description = 'System.Management.Automation' AND ImageLoaded LIKE '%System.Management.Automation%' ESCAPE '\\') AND NOT (((NewProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\mscorsvw.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Citrix\\\\ConfigSync\\\\%' ESCAPE '\\') OR NewProcessName LIKE 'C:\\\\Program Files\\\\PowerShell\\\\7\\\\pwsh.exe' ESCAPE '\\') OR (NewProcessName = '')))" ], "filename": "image_load_alternate_powershell_hosts_moduleload.yml" }, { "title": "Potential Wazuh Security Platform DLL Sideloading", "id": "db77ce78-7e28-4188-9337-cf30e2b3ba9f", "status": "experimental", "description": "Detects potential DLL side loading of DLLs that are part of the Wazuh security platform", "author": "X__Junior (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.privilege_escalation", "attack.t1574.001", "attack.t1574.002" ], "falsepositives": [ "Many legitimate applications leverage this DLL. (Visual Studio, JetBrains, Ruby, Anaconda, GithubDesktop, etc.)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '7' AND (ImageLoaded LIKE '%\\\\libwazuhshared.dll' ESCAPE '\\' OR ImageLoaded LIKE '%\\\\libwinpthread-1.dll' ESCAPE '\\') AND NOT ((ImageLoaded LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ImageLoaded LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], "filename": "image_load_side_load_wazuh.yml" }, { "title": "Unusual File Download from Direct IP Address", "id": "025bd229-fd1f-4fdb-97ab-20006e1a5368", "status": "experimental", "description": "Detects the download of suspicious file type from URLs with IP", "author": "Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '15' AND Contents REGEXP 'http[s]?://[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}' AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\'))" ], "filename": "create_stream_hash_susp_ip_domains.yml" }, { "title": "Exports Registry Key To an Alternate Data Stream", "id": "0d7a9363-af70-4e7b-a3b7-1a176b7fbe84", "status": "test", "description": "Exports the target Registry key and hides it in the specified alternate data stream.", "author": "Oddvar Moe, Sander Wiebing, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '15' AND NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\')" ], "filename": "create_stream_hash_regedit_export_to_ads.yml" }, { "title": "Creation Of a Suspicious ADS File Outside a Browser Download", "id": "573df571-a223-43bc-846e-3f98da481eca", "status": "experimental", "description": "Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers", "author": "frack113", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Other legitimate browsers not currently included in the filter (please add them)", "Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '15' AND (Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND (TargetFilename LIKE '%.exe%' ESCAPE '\\' OR TargetFilename LIKE '%.scr%' ESCAPE '\\' OR TargetFilename LIKE '%.bat%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd%' ESCAPE '\\' OR TargetFilename LIKE '%.docx%' ESCAPE '\\' OR TargetFilename LIKE '%.hta%' ESCAPE '\\' OR TargetFilename LIKE '%.jse%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk%' ESCAPE '\\' OR TargetFilename LIKE '%.pptx%' ESCAPE '\\' OR TargetFilename LIKE '%.ps%' ESCAPE '\\' OR TargetFilename LIKE '%.reg%' ESCAPE '\\' OR TargetFilename LIKE '%.sct%' ESCAPE '\\' OR TargetFilename LIKE '%.vb%' ESCAPE '\\' OR TargetFilename LIKE '%.wsc%' ESCAPE '\\' OR TargetFilename LIKE '%.wsf%' ESCAPE '\\' OR TargetFilename LIKE '%.xlsx%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\brave.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\maxthon.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\WindowsApps\\\\MicrosoftEdge.exe' ESCAPE '\\' OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft\\\\EdgeCore\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\msedge.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\msedgewebview2.exe' ESCAPE '\\')) OR (NewProcessName LIKE '%\\\\opera.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\safari.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\seamonkey.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\vivaldi.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\whale.exe' ESCAPE '\\')))" ], "filename": "create_stream_hash_creation_internet_file.yml" }, { "title": "Unusual File Download From File Sharing Websites", "id": "ae02ed70-11aa-4a22-b397-c0d0e8f6ea99", "status": "experimental", "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.s0139", "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '15' AND (Contents LIKE '%transfer.sh%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.ps1:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.bat:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cmd:Zone%' ESCAPE '\\'))" ], "filename": "create_stream_hash_file_sharing_domains_download_unusual_extension.yml" }, { "title": "Hacktool Download", "id": "19b041f6-e583-40dc-b842-d6fa8011493f", "status": "experimental", "description": "Detects the creation of a file on disk that has an imphash of a well-known hack tool", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.s0139", "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '15' AND (Imphash IN ('bcca3c247b619dcd13c8cdff5f123932', '3a19059bd7688cb88e70005f18efc439', 'bf6223a49e45d99094406777eb6004ba', '0c106686a31bfe2ba931ae1cf6e9dbc6', '0d1447d4b3259b3c2a1d4cfb7ece13c3', '1b0369a1e06271833f78ffa70ffb4eaf', '4c1b52a19748428e51b14c278d0f58e3', '4d927a711f77d62cebd4f322cb57ec6f', '66ee036df5fc1004d9ed5e9a94a1086a', '672b13f4a0b6f27d29065123fe882dfc', '6bbd59cea665c4afcc2814c1327ec91f', '725bb81dc24214f6ecacc0cfb36ad30d', '9528a0e91e28fbb88ad433feabca2456', '9da6d5d77be11712527dcab86df449a3', 'a6e01bc1ab89f8d91d9eab72032aae88', 'b24c5eddaea4fe50c6a96a2a133521e4', 'd21bbc50dcc169d7b4d0f01962793154', 'fcc251cceae90d22c392215cc9a2d5d6', '23867a89c2b8fc733be6cf5ef902f2d1', 'a37ff327f8d48e8a4d2f757e1b6e70bc', 'f9a28c458284584a93b14216308d31bd', '6118619783fc175bc7ebecff0769b46e', '959a83047e80ab68b368fdb3f4c6e4ea', '563233bfa169acc7892451f71ad5850a', '87575cb7a0e0700eb37f2e3668671a08', '13f08707f759af6003837a150a371ba1', '1781f06048a7e58b323f0b9259be798b', '233f85f2d4bc9d6521a6caae11a1e7f5', '24af2584cbf4d60bbe5c6d1b31b3be6d', '632969ddf6dbf4e0f53424b75e4b91f2', '713c29b396b907ed71a72482759ed757', '749a7bb1f0b4c4455949c0b2bf7f9e9f', '8628b2608957a6b0c6330ac3de28ce2e', '8b114550386e31895dfab371e741123d', '94cb940a1a6b65bed4d5a8f849ce9793', '9d68781980370e00e0bd939ee5e6c141', 'b18a1401ff8f444056d29450fbc0a6ce', 'cb567f9498452721d77a451374955f5f', '730073214094cd328547bf1f72289752', '17b461a082950fc6332228572138b80c', 'dc25ee78e2ef4d36faa0badf1e7461c9', '819b19d53ca6736448f9325a85736792', '829da329ce140d873b4a8bde2cbfaa7e', 'c547f2e66061a8dffb6f5a3ff63c0a74', '0588081ab0e63ba785938467e1b10cca', '0d9ec08bac6c07d9987dfd0f1506587c', 'bc129092b71c89b4d4c8cdf8ea590b29', '4da924cf622d039d58bce71cdf05d242', 'e7a3a5c377e2d29324093377d7db1c66', '9a9dbec5c62f0380b4fa5fd31deffedf', 'af8a3976ad71e5d5fdfb67ddb8dadfce', '0c477898bbf137bbd6f2a54e3b805ff4', '0ca9f02b537bcea20d4ea5eb1a9fe338', '3ab3655e5a14d4eefc547f4781bf7f9e', 'e6f9d5152da699934b30daab206471f6', '3ad59991ccf1d67339b319b15a41b35d', 'ffdd59e0318b85a3e480874d9796d872', '0cf479628d7cc1ea25ec7998a92f5051', '07a2d4dcbd6cb2c6a45e6b101f0b6d51', 'd6d0f80386e1380d05cb78e871bc72b1', '38d9e015591bbfd4929e0d0f47fa0055', '0e2216679ca6e1094d63322e3412d650', 'ada161bf41b8e5e9132858cb54cab5fb', '2a1bc4913cd5ecb0434df07cb675b798', '11083e75553baae21dc89ce8f9a195e4', 'a23d29c9e566f2fa8ffbb79267f5df80', '4a07f944a83e8a7c2525efa35dd30e2f', '767637c23bb42cd5d7397cf58b0be688', '14c4e4c72ba075e9069ee67f39188ad8', '3c782813d4afce07bbfc5a9772acdbdc', '7d010c6bb6a3726f327f7e239166d127', '89159ba4dd04e4ce5559f132a9964eb3', '6f33f4a5fc42b8cec7314947bd13f30f', '5834ed4291bdeb928270428ebbaf7604', '5a8a8a43f25485e7ee1b201edcbc7a38', 'dc7d30b90b2d8abf664fbed2b1b59894', '41923ea1f824fe63ea5beb84db7a3e74', '3de09703c8e79ed2ca3f01074719906b', 'a53a02b997935fd8eedcb5f7abab9b9f', 'e96a73c7bf33a464c510ede582318bf2', '32089b8851bbf8bc2d014e9f37288c83', '09D278F9DE118EF09163C6140255C690', '03866661686829d806989e2fc5a72606', 'e57401fbdadcd4571ff385ab82bd5d6d', '84B763C45C0E4A3E7CA5548C710DB4EE', '19584675d94829987952432e018d5056', '330768a4f172e10acb6287b87289d83b', '885c99ccfbe77d1cbfcb9c4e7c1a3313', '22a22bc9e4e0d2f189f1ea01748816ac', '7fa30e6bb7e8e8a69155636e50bf1b28', '96df3a3731912449521f6f8d183279b1', '7e6cf3ff4576581271ac8a313b2aab46', '51791678f351c03a0eb4e2a7b05c6e17') OR (Hash LIKE '%IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3A19059BD7688CB88E70005F18EFC439%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=bf6223a49e45d99094406777eb6004ba%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C106686A31BFE2BA931AE1CF6E9DBC6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D1447D4B3259B3C2A1D4CFB7ECE13C3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1B0369A1E06271833F78FFA70FFB4EAF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4C1B52A19748428E51B14C278D0F58E3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4D927A711F77D62CEBD4F322CB57EC6F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=66EE036DF5FC1004D9ED5E9A94A1086A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=672B13F4A0B6F27D29065123FE882DFC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6BBD59CEA665C4AFCC2814C1327EC91F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=725BB81DC24214F6ECACC0CFB36AD30D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9528A0E91E28FBB88AD433FEABCA2456%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9DA6D5D77BE11712527DCAB86DF449A3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A6E01BC1AB89F8D91D9EAB72032AAE88%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B24C5EDDAEA4FE50C6A96A2A133521E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D21BBC50DCC169D7B4D0F01962793154%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FCC251CCEAE90D22C392215CC9A2D5D6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=F9A28C458284584A93B14216308D31BD%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6118619783FC175BC7EBECFF0769B46E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=563233BFA169ACC7892451F71AD5850A%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=87575CB7A0E0700EB37F2E3668671A08%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=13F08707F759AF6003837A150A371BA1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=1781F06048A7E58B323F0B9259BE798B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=713C29B396B907ED71A72482759ED757%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=8B114550386E31895DFAB371E741123D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9D68781980370E00E0BD939EE5E6C141%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=B18A1401FF8F444056D29450FBC0A6CE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=CB567F9498452721D77A451374955F5F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=730073214094CD328547BF1F72289752%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=17B461A082950FC6332228572138B80C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=819B19D53CA6736448F9325A85736792%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0588081AB0E63BA785938467E1B10CCA%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4DA924CF622D039D58BCE71CDF05D242%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E7A3A5C377E2D29324093377D7DB1C66%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E6F9D5152DA699934B30DAAB206471F6%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3AD59991CCF1D67339B319B15A41B35D%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=FFDD59E0318B85A3E480874D9796D872%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0CF479628D7CC1EA25EC7998A92F5051%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=D6D0F80386E1380D05CB78E871BC72B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=38D9E015591BBFD4929E0D0F47FA0055%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=0E2216679CA6E1094D63322E3412D650%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=11083E75553BAAE21DC89CE8F9A195E4%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=767637C23BB42CD5D7397CF58B0BE688%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=14C4E4C72BA075E9069EE67F39188AD8%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7D010C6BB6A3726F327F7E239166D127%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=89159BA4DD04E4CE5559F132A9964EB3%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5834ED4291BDEB928270428EBBAF7604%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=3DE09703C8E79ED2CA3F01074719906B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=E96A73C7BF33A464C510EDE582318BF2%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=32089B8851BBF8BC2D014E9F37288C83%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=09D278F9DE118EF09163C6140255C690%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=03866661686829d806989e2fc5a72606%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=19584675D94829987952432E018D5056%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=330768A4F172E10ACB6287B87289D83B%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=96DF3A3731912449521F6F8D183279B1%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46%' ESCAPE '\\' OR Hash LIKE '%IMPHASH=51791678F351C03A0EB4E2A7B05C6E17%' ESCAPE '\\')))" ], "filename": "create_stream_hash_hacktool_download.yml" }, { "title": "Suspicious File Download From File Sharing Websites", "id": "52182dfb-afb7-41db-b4bc-5336cb29b464", "status": "experimental", "description": "Detects the download of suspicious file type from a well-known file and paste sharing domain", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.s0139", "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '15' AND (Contents LIKE '%https://transfer.sh/%' ESCAPE '\\' OR Contents LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Contents LIKE '%pastebin.com%' ESCAPE '\\' OR Contents LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Contents LIKE '%mediafire.com%' ESCAPE '\\' OR Contents LIKE '%mega.nz%' ESCAPE '\\' OR Contents LIKE '%ddns.net%' ESCAPE '\\' OR Contents LIKE '%.paste.ee%' ESCAPE '\\' OR Contents LIKE '%.hastebin.com%' ESCAPE '\\' OR Contents LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Contents LIKE '%ufile.io%' ESCAPE '\\' OR Contents LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Contents LIKE '%anonfiles.com%' ESCAPE '\\' OR Contents LIKE '%send.exploit.in%' ESCAPE '\\' OR Contents LIKE '%privatlab.net%' ESCAPE '\\' OR Contents LIKE '%privatlab.com%' ESCAPE '\\' OR Contents LIKE '%sendspace.com%' ESCAPE '\\' OR Contents LIKE '%pastetext.net%' ESCAPE '\\' OR Contents LIKE '%pastebin.pl%' ESCAPE '\\' OR Contents LIKE '%paste.ee%' ESCAPE '\\') AND (TargetFilename LIKE '%.exe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbs:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.vbe:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.dll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.one:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.hta:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.lnk:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.xll:Zone%' ESCAPE '\\' OR TargetFilename LIKE '%.cpl:Zone%' ESCAPE '\\'))" ], "filename": "create_stream_hash_file_sharing_domains_download_susp_extension.yml" }, { "title": "Hidden Executable In NTFS Alternate Data Stream", "id": "b69888d4-380c-45ce-9cf9-d9ce46e67821", "status": "test", "description": "Detects the creation of an ADS (Alternate Data Stream) that contains an executable (non-empty imphash)", "author": "Florian Roth (Nextron Systems), @0xrawsec", "tags": [ "attack.defense_evasion", "attack.s0139", "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '15' AND Hash LIKE '%IMPHASH=%' ESCAPE '\\' AND NOT (Hash LIKE '%IMPHASH=00000000000000000000000000000000%' ESCAPE '\\'))" ], "filename": "create_stream_hash_ads_executable.yml" }, { "title": "Potential Suspicious Winget Package Installation", "id": "a3f5c081-e75b-43a0-9f5b-51f26fe5dba2", "status": "experimental", "description": "Detects potential suspicious winget package installation from a suspicious source.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '15' AND Contents LIKE '[ZoneTransfer] ZoneId=3%' ESCAPE '\\' AND (Contents LIKE '%://1%' ESCAPE '\\' OR Contents LIKE '%://2%' ESCAPE '\\' OR Contents LIKE '%://3%' ESCAPE '\\' OR Contents LIKE '%://4%' ESCAPE '\\' OR Contents LIKE '%://5%' ESCAPE '\\' OR Contents LIKE '%://6%' ESCAPE '\\' OR Contents LIKE '%://7%' ESCAPE '\\' OR Contents LIKE '%://8%' ESCAPE '\\' OR Contents LIKE '%://9%' ESCAPE '\\') AND TargetFilename LIKE '%:Zone.Identifier' ESCAPE '\\' AND TargetFilename LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\')" ], "filename": "create_stream_hash_winget_susp_package_source.yml" }, { "title": "KeePass Password Dumping", "id": "77564cc2-7382-438b-a7f6-395c2ae53b9a", "status": "experimental", "description": "Detects remote thread creation in KeePass.exe indicating password dumping activity", "author": "Timon Hackenjos", "tags": [ "attack.credential_access", "attack.t1555.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '8' AND TargetImage LIKE '%\\\\KeePass.exe' ESCAPE '\\')" ], "filename": "create_remote_thread_win_password_dumper_keepass.yml" }, { "title": "CreateRemoteThread API and LoadLibrary", "id": "052ec6f6-1adc-41e6-907a-f1c813478bee", "status": "test", "description": "Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.defense_evasion", "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '8' AND StartModule LIKE '%\\\\kernel32.dll' ESCAPE '\\' AND StartFunction = 'LoadLibraryA')" ], "filename": "create_remote_thread_win_loadlibrary.yml" }, { "title": "Remote Thread Creation Via PowerShell", "id": "eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50", "status": "test", "description": "Detects the creation of a remote thread from a Powershell process to another process", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '8' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND NOT ((SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\')))" ], "filename": "create_remote_thread_win_powershell_crt.yml" }, { "title": "Suspicious Remote Thread Target", "id": "f016c716-754a-467f-a39e-63c06f773987", "status": "experimental", "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '8' AND (TargetImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\') AND NOT (SourceImage LIKE '%\\\\csrss.exe' ESCAPE '\\' OR SourceImage LIKE '%unknown process%' ESCAPE '\\' OR StartFunction = 'EtwpNotificationThread'))" ], "filename": "create_remote_thread_win_susp_remote_thread_target.yml" }, { "title": "Password Dumper Remote Thread in LSASS", "id": "f239b326-2f41-4d6b-9dfa-c846a60ef505", "status": "stable", "description": "Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage.\nThe process in field Process is the malicious program. A single execution can lead to hundreds of events.\n", "author": "Thomas Patzke", "tags": [ "attack.credential_access", "attack.s0005", "attack.t1003.001" ], "falsepositives": [ "Antivirus products" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '8' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND StartModule = '')" ], "filename": "create_remote_thread_win_password_dumper_lsass.yml" }, { "title": "CACTUSTORCH Remote Thread Creation", "id": "2e4e488a-6164-4811-9ea1-f960c7359c40", "status": "test", "description": "Detects remote thread creation from CACTUSTORCH as described in references.", "author": "@SBousseaden (detection), Thomas Patzke (rule)", "tags": [ "attack.defense_evasion", "attack.t1055.012", "attack.execution", "attack.t1059.005", "attack.t1059.007", "attack.t1218.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '8' AND (SourceImage LIKE '%\\\\System32\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\wscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\System32\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\SysWOW64\\\\%' ESCAPE '\\' AND StartModule = '')" ], "filename": "create_remote_thread_win_cactustorch.yml" }, { "title": "Potential Credential Dumping Attempt Via PowerShell Remote Thread", "id": "fb656378-f909-47c1-8747-278bf09f4f4f", "status": "experimental", "description": "Detects remote thread creation by PowerShell processes into \"lsass.exe\"", "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '8' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], "filename": "create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml" }, { "title": "Remote Thread Creation Via PowerShell In Rundll32", "id": "99b97608-3e21-4bfe-8217-2a127c396a0e", "status": "experimental", "description": "Detects the creation of a remote thread from a Powershell process in a rundll32 process", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1218.011", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '8' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], "filename": "create_remote_thread_win_powershell_crt_rundll32.yml" }, { "title": "Bumblebee Remote Thread Creation", "id": "994cac2b-92c2-44bf-8853-14f6ca39fbda", "status": "experimental", "description": "Detects remote thread injection events based on action seen used by bumblebee", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1218.011", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '8' AND (SourceImage LIKE '%\\\\wabmig.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ImagingDevices.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\rundll32.exe' ESCAPE '\\')" ], "filename": "create_remote_thread_win_bumblebee.yml" }, { "title": "Suspicious Remote Thread Source", "id": "66d31e5f-52d6-40a4-9615-002d3789a119", "status": "experimental", "description": "Offensive tradecraft is switching away from using APIs like \"CreateRemoteThread\", however, this is still largely observed in the wild.\nThis rule aims to detect suspicious processes (those we would not expect to behave in this way like winword.exe or outlook.exe) creating remote threads on other processes.\nIt is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.\n", "author": "Perez Diego (@darkquassar), oscd.community", "tags": [ "attack.privilege_escalation", "attack.defense_evasion", "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '8' AND (SourceImage LIKE '%\\\\bash.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cvtres.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\cscript.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\defrag.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dnx.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\esentutl.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\excel.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\expand.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\find.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\findstr.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\forfiles.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\gpupdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\hh.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\iexplore.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\installutil.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\lync.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\makecab.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mDNSResponder.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\monitoringhost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msbuild.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mshta.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\outlook.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ping.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\powerpnt.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\provtool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\python.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\robocopy.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\runonce.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\sapcimc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\smartscreen.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\spoolsv.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\tstheme.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\userinit.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssadmin.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\vssvc.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\w3wp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winscp.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wmic.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\wscript.exe' ESCAPE '\\') AND NOT ((SourceImage LIKE '%Visual Studio%' ESCAPE '\\' OR SourceParentImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\wininit.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\csrss.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\winlogon.exe' ESCAPE '\\' AND TargetParentImage = 'System' AND TargetParentProcessId = '4') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\provtool.exe' ESCAPE '\\' AND TargetParentProcessId = '0') OR (SourceImage LIKE '%\\\\git.exe' ESCAPE '\\' AND (TargetImage LIKE '%\\\\git.exe' ESCAPE '\\' OR TargetImage LIKE '%C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\VSSVC.exe' ESCAPE '\\' AND TargetImage = 'System') OR (SourceParentImage LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\schtasks.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\schtasks.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\conhost.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\NVIDIA Corporation\\\\NVIDIA GeForce Experience\\\\NVIDIA GeForce Experience.exe' ESCAPE '\\')))" ], "filename": "create_remote_thread_win_susp_remote_thread_source.yml" }, { "title": "Remote Thread Creation in Suspicious Targets", "id": "a1a144b7-5c9b-4853-a559-2172be8d4a03", "status": "experimental", "description": "Detects a remote thread creation in suspicious target images", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1055.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '8' AND (TargetImage LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\calc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\notepad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\sethc.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\write.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\wordpad.exe' ESCAPE '\\' OR TargetImage LIKE '%\\\\explorer.exe' ESCAPE '\\') AND NOT ((StartFunction = 'EtwpNotificationThread') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], "filename": "create_remote_thread_win_susp_targets.yml" }, { "title": "Remote Thread Creation Ttdinject.exe Proxy", "id": "c15e99a3-c474-48ab-b9a7-84549a7a9d16", "status": "experimental", "description": "Detects a remote thread creation of Ttdinject.exe used as proxy", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1127" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '8' AND SourceImage LIKE '%\\\\ttdinject.exe' ESCAPE '\\')" ], "filename": "create_remote_thread_win_ttdinjec.yml" }, { "title": "CobaltStrike Process Injection", "id": "6309645e-122d-4c5b-bb2b-22e4f9c2fa42", "status": "test", "description": "Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons", "author": "Olaf Hartong, Florian Roth (Nextron Systems), Aleksey Potapov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1055.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '8' AND (StartAddress LIKE '%0B80' ESCAPE '\\' OR StartAddress LIKE '%0C7C' ESCAPE '\\' OR StartAddress LIKE '%0C88' ESCAPE '\\'))" ], "filename": "create_remote_thread_win_cobaltstrike_process_injection.yml" }, { "title": "Microsoft Defender Blocked from Loading Unsigned DLL", "id": "0b0ea3cc-99c8-4730-9c53-45deee2a4c86", "status": "experimental", "description": "Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL", "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Security-Mitigations' AND EventID IN ('11', '12') AND (ProcessPath LIKE '%\\\\MpCmdRun.exe' ESCAPE '\\' OR ProcessPath LIKE '%\\\\NisSrv.exe' ESCAPE '\\'))" ], "filename": "win_security_mitigations_defender_load_unsigned_dll.yml" }, { "title": "Unsigned Binary Loaded From Suspicious Location", "id": "8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10", "status": "experimental", "description": "Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Security-Mitigations' AND EventID IN ('11', '12') AND (ImageName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR ImageName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR ImageName LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\'))" ], "filename": "win_security_mitigations_unsigned_dll_from_susp_location.yml" }, { "title": "Possible PetitPotam Coerce Authentication Attempt", "id": "1ce8c8a3-2723-48ed-8246-906ac91061a6", "status": "experimental", "description": "Detect PetitPotam coerced authentication activity.", "author": "Mauricio Velazco, Michael Haag", "tags": [ "attack.credential_access", "attack.t1187" ], "falsepositives": [ "Unknown. Feedback welcomed." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*' ESCAPE '\\' AND ShareName LIKE '%\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'lsarpc' AND SubjectUserName = 'ANONYMOUS LOGON')" ], "filename": "win_security_petitpotam_network_share.yml" }, { "title": "Mimikatz DC Sync", "id": "611eab06-a145-4dfa-a295-3ccc5c20f59a", "status": "experimental", "description": "Detects Mimikatz DC sync security events", "author": "Benjamin Delpy, Florian Roth (Nextron Systems), Scott Dermott, Sorina Ionescu", "tags": [ "attack.credential_access", "attack.s0002", "attack.t1003.006" ], "falsepositives": [ "Valid DC Sync that is not covered by the filters; please report", "Local Domain Admin account used for Azure AD Connect" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '4662' AND (Properties LIKE '%Replicating Directory Changes All%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%9923a32a-3607-11d2-b9be-0000f87a36b2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\') AND AccessMask = '0x100') AND NOT ((SubjectDomainName = 'Window Manager') OR ((SubjectUserName LIKE 'NT AUT%' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\')) OR (SubjectUserName LIKE '%$' ESCAPE '\\')))" ], "filename": "win_security_dcsync.yml" }, { "title": "Tap Driver Installation - Security", "id": "9c8afa4d-0022-48f0-9456-3712466f9701", "status": "test", "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ "attack.exfiltration", "attack.t1048" ], "falsepositives": [ "Legitimate OpenVPN TAP insntallation" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%tap0901%' ESCAPE '\\')" ], "filename": "win_security_tap_driver_installation.yml" }, { "title": "Register new Logon Process by Rubeus", "id": "12e6d621-194f-4f59-90cc-1959e21e69f7", "status": "test", "description": "Detects potential use of Rubeus via registered new trusted logon process", "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ "attack.lateral_movement", "attack.privilege_escalation", "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4611' AND LogonProcessName = 'User32LogonProcesss')" ], "filename": "win_security_register_new_logon_process_by_rubeus.yml" }, { "title": "Addition of Domain Trusts", "id": "0255a820-e564-4e40-af2b-6ac61160335c", "status": "stable", "description": "Addition of domains is seldom and should be verified for legitimacy.", "author": "Thomas Patzke", "tags": [ "attack.persistence", "attack.t1098" ], "falsepositives": [ "Legitimate extension of domain structure" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4706')" ], "filename": "win_security_susp_add_domain_trust.yml" }, { "title": "VSSAudit Security Event Source Registration", "id": "e9faba72-4974-4ab2-a4c5-46e25ad59e9b", "status": "experimental", "description": "Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.", "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ "attack.credential_access", "attack.t1003.002" ], "falsepositives": [ "Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\\Windows\\System32\\VSSVC.exe." ], "level": "informational", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND AuditSourceName = 'VSSAudit' AND EventID IN ('4904', '4905'))" ], "filename": "win_security_vssaudit_secevent_source_registration.yml" }, { "title": "Password Protected ZIP File Opened", "id": "00ba9da1-b510-4f6b-b258-8d338836180f", "status": "experimental", "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Legitimate used of encrypted ZIP files" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\') AND NOT (TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\'))" ], "filename": "win_security_susp_opened_encrypted_zip.yml" }, { "title": "AD Privileged Users or Groups Reconnaissance", "id": "35ba1d85-724d-42a3-889f-2e2362bcaf23", "status": "experimental", "description": "Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs", "author": "Samir Bousseaden", "tags": [ "attack.discovery", "attack.t1087.002" ], "falsepositives": [ "If source account name is not an admin then its super suspicious" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((EventID = '4661' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\')) AND ((ObjectName LIKE '%-512' ESCAPE '\\' OR ObjectName LIKE '%-502' ESCAPE '\\' OR ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-505' ESCAPE '\\' OR ObjectName LIKE '%-519' ESCAPE '\\' OR ObjectName LIKE '%-520' ESCAPE '\\' OR ObjectName LIKE '%-544' ESCAPE '\\' OR ObjectName LIKE '%-551' ESCAPE '\\' OR ObjectName LIKE '%-555' ESCAPE '\\') OR ObjectName LIKE '%admin%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], "filename": "win_security_account_discovery.yml" }, { "title": "Security Event Log Cleared", "id": "a122ac13-daf8-4175-83a2-72c387be339d", "status": "test", "description": "Checks for event id 1102 which indicates the security event log was cleared.", "author": "Saw Winn Naung", "tags": [ "attack.t1070.001" ], "falsepositives": [ "Legitimate administrative activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')" ], "filename": "win_security_event_log_cleared.yml" }, { "title": "Security Eventlog Cleared", "id": "d99b79d2-0a6f-4f46-ad8b-260b6e17f982", "status": "test", "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1070.001", "car.2016-04-002" ], "falsepositives": [ "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", "System provisioning (system reset before the golden image creation)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((EventID = '517' AND Provider_Name = 'Security') OR (EventID = '1102' AND Provider_Name = 'Microsoft-Windows-Eventlog')))" ], "filename": "win_security_susp_eventlog_cleared.yml" }, { "title": "Suspicious Remote Logon with Explicit Credentials", "id": "941e5c45-cda7-4864-8cea-bbb7458d194a", "status": "experimental", "description": "Detects suspicious processes logging on with explicit credentials", "author": "oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton", "tags": [ "attack.t1078", "attack.lateral_movement" ], "falsepositives": [ "Administrators that use the RunAS command or scheduled tasks" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '4648' AND (ProcessName LIKE '%\\\\cmd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\powershell.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\pwsh.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\winrs.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wmic.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\net1.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\reg.exe' ESCAPE '\\')) AND NOT ((TargetServerName = 'localhost') OR (SubjectUserName LIKE '%$' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" ], "filename": "win_security_susp_logon_explicit_credentials.yml" }, { "title": "AD Object WriteDAC Access", "id": "028c7842-4243-41cd-be6f-12f3cf1a26c7", "status": "test", "description": "Detects WRITE_DAC access to a domain object", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.defense_evasion", "attack.t1222.001" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectServer = 'DS' AND AccessMask = '0x40000' AND ObjectType IN ('19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS'))" ], "filename": "win_security_ad_object_writedac_access.yml" }, { "title": "New or Renamed User Account with '$' in Attribute 'SamAccountName'", "id": "cfeed607-6aa4-4bbd-9627-b637deb723c8", "status": "test", "description": "Detects possible bypass EDR and SIEM via abnormal user account name.", "author": "Ilyas Ochkov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1036" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((EventID = '4720' AND SamAccountName LIKE '%$%' ESCAPE '\\') OR (EventID = '4781' AND NewTargetUserName LIKE '%$%' ESCAPE '\\')))" ], "filename": "win_security_new_or_renamed_user_account_with_dollar_sign.yml" }, { "title": "Suspicious Scheduled Task Creation", "id": "3a734d25-df5c-4b99-8034-af1ddb5883a4", "status": "experimental", "description": "Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.privilege_escalation", "attack.persistence", "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4698' AND (TaskContent LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContent LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContent LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContent LIKE '%regsvr32%' ESCAPE '\\' OR TaskContent LIKE '%rundll32%' ESCAPE '\\' OR TaskContent LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContent LIKE '%cmd%' ESCAPE '\\' OR TaskContent LIKE '%/c %' ESCAPE '\\' OR TaskContent LIKE '%/k %' ESCAPE '\\' OR TaskContent LIKE '%/r %' ESCAPE '\\' OR TaskContent LIKE '%powershell%' ESCAPE '\\' OR TaskContent LIKE '%pwsh%' ESCAPE '\\' OR TaskContent LIKE '%mshta%' ESCAPE '\\' OR TaskContent LIKE '%wscript%' ESCAPE '\\' OR TaskContent LIKE '%cscript%' ESCAPE '\\' OR TaskContent LIKE '%certutil%' ESCAPE '\\' OR TaskContent LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContent LIKE '%bash.exe%' ESCAPE '\\' OR TaskContent LIKE '%bash %' ESCAPE '\\' OR TaskContent LIKE '%scrcons%' ESCAPE '\\' OR TaskContent LIKE '%wmic %' ESCAPE '\\' OR TaskContent LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContent LIKE '%forfiles%' ESCAPE '\\' OR TaskContent LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContent LIKE '%hh.exe%' ESCAPE '\\'))" ], "filename": "win_security_susp_scheduled_task_creation.yml" }, { "title": "Invoke-Obfuscation Via Use MSHTA - Security", "id": "9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a", "status": "experimental", "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%mshta%' ESCAPE '\\' AND ServiceFileName LIKE '%vbscript:createobject%' ESCAPE '\\' AND ServiceFileName LIKE '%.run%' ESCAPE '\\' AND ServiceFileName LIKE '%window.close%' ESCAPE '\\')" ], "filename": "win_security_invoke_obfuscation_via_use_mshta_services_security.yml" }, { "title": "Secure Deletion with SDelete", "id": "39a80702-d7ca-4a83-b776-525b1f86a36d", "status": "test", "description": "Detects renaming of file while deletion with SDelete tool.", "author": "Thomas Patzke", "tags": [ "attack.impact", "attack.defense_evasion", "attack.t1070.004", "attack.t1027.005", "attack.t1485", "attack.t1553.002", "attack.s0195" ], "falsepositives": [ "Legitimate usage of SDelete" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID IN ('4656', '4663', '4658') AND (ObjectName LIKE '%.AAA' ESCAPE '\\' OR ObjectName LIKE '%.ZZZ' ESCAPE '\\'))" ], "filename": "win_security_susp_sdelete.yml" }, { "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created", "id": "1bbf25b9-8038-4154-a50b-118f2a32be27", "status": "test", "description": "Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.", "author": "James Pemberton / @4A616D6573", "tags": [ "attack.persistence", "attack.t1136.001", "attack.t1136.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4720' AND SamAccountName LIKE '%ANONYMOUS%' ESCAPE '\\' AND SamAccountName LIKE '%LOGON%' ESCAPE '\\')" ], "filename": "win_security_susp_local_anon_logon_created.yml" }, { "title": "SAM Registry Hive Handle Request", "id": "f8748f2c-89dc-4d95-afb0-5a2dfdbad332", "status": "test", "description": "Detects handles requested to SAM registry hive", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.discovery", "attack.t1012", "attack.credential_access", "attack.t1552.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4656' AND ObjectType = 'Key' AND ObjectName LIKE '%\\\\SAM' ESCAPE '\\')" ], "filename": "win_security_sam_registry_hive_handle_request.yml" }, { "title": "Failed Code Integrity Checks", "id": "470ec5fa-7b4e-4071-b200-4c753100f49b", "status": "stable", "description": "Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.", "author": "Thomas Patzke", "tags": [ "attack.defense_evasion", "attack.t1027.001" ], "falsepositives": [ "Disk device errors" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID IN ('5038', '6281'))" ], "filename": "win_security_susp_codeintegrity_check_failure.yml" }, { "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege", "id": "f63508a0-c809-4435-b3be-ed819394d612", "status": "test", "description": "Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.\nWith this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.\nThis user right does not apply to Plug and Play device drivers.\nIf you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.\nThis will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.\n", "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '4673' AND PrivilegeList = 'SeLoadDriverPrivilege' AND Service = '-') AND NOT (((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Dism.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\fltMC.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\HelpPane.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\mmc.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wimserv.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\SystemSettingsBroker.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR ((ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\Microsoft%' ESCAPE '\\')))" ], "filename": "win_security_user_driver_loaded.yml" }, { "title": "Suspicious Teams Application Related ObjectAcess Event", "id": "25cde13e-8e20-4c29-b949-4e795b76f16f", "status": "experimental", "description": "Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.", "author": "@SerkinValery", "tags": [ "attack.credential_access", "attack.t1528" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '4663' AND (ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Cookies%' ESCAPE '\\' OR ObjectName LIKE '%\\\\Microsoft\\\\Teams\\\\Local Storage\\\\leveldb%' ESCAPE '\\')) AND NOT (ProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe%' ESCAPE '\\'))" ], "filename": "win_security_teams_suspicious_objectaccess.yml" }, { "title": "Windows Network Access Suspicious desktop.ini Action", "id": "35bc7e28-ee6b-492f-ab04-da58fcf6402e", "status": "test", "description": "Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.", "author": "Tim Shelton (HAWK.IO)", "tags": [ "attack.persistence", "attack.t1547.009" ], "falsepositives": [ "Read only access list authority" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5145' AND ObjectType = 'File' AND RelativeTargetName LIKE '%\\\\desktop.ini' ESCAPE '\\' AND (AccessList LIKE '%WriteData%' ESCAPE '\\' OR AccessList LIKE '%DELETE%' ESCAPE '\\' OR AccessList LIKE '%WriteDAC%' ESCAPE '\\' OR AccessList LIKE '%AppendData%' ESCAPE '\\' OR AccessList LIKE '%AddSubdirectory%' ESCAPE '\\'))" ], "filename": "win_security_net_share_obj_susp_desktop_ini.yml" }, { "title": "Impacket PsExec Execution", "id": "32d56ea1-417f-44ff-822b-882873f5f43b", "status": "test", "description": "Detects execution of Impacket's psexec.py.", "author": "Bhabesh Raj", "tags": [ "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%RemCom\\_stdin%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stdout%' ESCAPE '\\' OR RelativeTargetName LIKE '%RemCom\\_stderr%' ESCAPE '\\'))" ], "filename": "win_security_impacket_psexec.yml" }, { "title": "Azure AD Health Monitoring Agent Registry Keys Access", "id": "ff151c33-45fa-475d-af4f-c2f93571f4fe", "status": "test", "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\\SOFTWARE\\Microsoft\\Microsoft Online\\Reporting\\MonitoringAgent.\n", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ "attack.discovery", "attack.t1012" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Microsoft Online\\\\Reporting\\\\MonitoringAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" ], "filename": "win_security_aadhealth_mon_agent_regkey_access.yml" }, { "title": "T1047 Wmiprvse Wbemcomn DLL Hijack", "id": "f6c68d5f-e101-4b86-8c84-7d96851fd65c", "status": "test", "description": "Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\\Windows\\System32\\wbem\\` directory over the network for a WMI DLL Hijack scenario.", "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ "attack.execution", "attack.t1047", "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\wbem\\\\wbemcomn.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], "filename": "win_security_wmiprvse_wbemcomn_dll_hijack.yml" }, { "title": "Invoke-Obfuscation VAR+ Launcher - Security", "id": "dcf2db1f-f091-425b-a821-c05875b8925a", "status": "experimental", "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%\"set%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%/c%' ESCAPE '\\' OR ServiceFileName LIKE '%/r%' ESCAPE '\\'))" ], "filename": "win_security_invoke_obfuscation_var_services_security.yml" }, { "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security", "id": "f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca", "status": "experimental", "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%rundll32.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\')" ], "filename": "win_security_invoke_obfuscation_via_rundll_services_security.yml" }, { "title": "NetNTLM Downgrade Attack", "id": "d3abac66-f11c-4ed0-8acb-50cc29c97eed", "status": "test", "description": "Detects NetNTLM downgrade attack", "author": "Florian Roth (Nextron Systems), wagga", "tags": [ "attack.defense_evasion", "attack.t1562.001", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4657' AND ObjectName LIKE '%\\\\REGISTRY\\\\MACHINE\\\\SYSTEM%' ESCAPE '\\' AND ObjectName LIKE '%ControlSet%' ESCAPE '\\' AND ObjectName LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND ObjectValueName IN ('LmCompatibilityLevel', 'NtlmMinClientSec', 'RestrictSendingNTLMTraffic'))" ], "filename": "win_security_net_ntlm_downgrade.yml" }, { "title": "Hacktool Ruler", "id": "24549159-ac1b-479c-8175-d42aea947cae", "status": "test", "description": "This events that are generated when using the hacktool Ruler by Sensepost", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.discovery", "attack.execution", "attack.t1087", "attack.t1114", "attack.t1059", "attack.t1550.002" ], "falsepositives": [ "Go utilities that use staaldraad awesome NTLM library" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((EventID = '4776' AND Workstation = 'RULER') OR (EventID IN ('4624', '4625') AND WorkstationName = 'RULER')))" ], "filename": "win_security_alert_ruler.yml" }, { "title": "Password Dumper Activity on LSASS", "id": "aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c", "status": "test", "description": "Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN", "author": "sigma", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4656' AND ProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND AccessMask = '0x705' AND ObjectType LIKE 'SAM\\_DOMAIN' ESCAPE '\\')" ], "filename": "win_security_susp_lsass_dump.yml" }, { "title": "Malicious Service Installations", "id": "cb062102-587e-4414-8efa-dbe3c7bf19c6", "status": "test", "description": "Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities.", "author": "Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (update)", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1003", "car.2013-09-005", "attack.t1543.003", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'javamtsup')" ], "filename": "win_security_mal_service_installs.yml" }, { "title": "Possible DC Shadow Attack", "id": "32e19d25-4aed-4860-a55a-be99cb0bf7ed", "status": "experimental", "description": "Detects DCShadow via create new SPN", "author": "Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah", "tags": [ "attack.credential_access", "attack.t1207" ], "falsepositives": [ "Valid on domain controllers; exclude known DCs" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((EventID = '4742' AND ServicePrincipalNames LIKE '%GC/%' ESCAPE '\\') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'servicePrincipalName' AND AttributeValue LIKE 'GC/%' ESCAPE '\\')))" ], "filename": "win_security_possible_dc_shadow.yml" }, { "title": "Enabled User Right in AD to Control User Objects", "id": "311b6ce2-7890-4383-a8c2-663a9f6b43cd", "status": "test", "description": "Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.", "author": "@neu5ron", "tags": [ "attack.persistence", "attack.t1098" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4704' AND PrivilegeList LIKE '%SeEnableDelegationPrivilege%' ESCAPE '\\')" ], "filename": "win_security_alert_active_directory_user_control.yml" }, { "title": "Remote PowerShell Sessions Network Connections (WinRM)", "id": "13acf386-b8c6-4fe0-9a6e-c4756b974698", "status": "test", "description": "Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Legitimate use of remote PowerShell execution" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5156' AND DestPort IN ('5985', '5986') AND LayerRTID = '44')" ], "filename": "win_security_remote_powershell_session.yml" }, { "title": "Metasploit Or Impacket Service Installation Via SMB PsExec", "id": "6fb63b40-e02a-403e-9ffd-3bcc1d749442", "status": "experimental", "description": "Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation", "author": "Bartlomiej Czyz, Relativity", "tags": [ "attack.lateral_movement", "attack.t1021.002", "attack.t1570", "attack.execution", "attack.t1569.002" ], "falsepositives": [ "Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '4697' AND ServiceFileName REGEXP '^%systemroot%\\\\[a-zA-Z]{8}\\.exe$' AND ServiceName REGEXP '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)' AND ServiceStartType = '3' AND ServiceType = '0x10') AND NOT (ServiceName = 'PSEXESVC'))" ], "filename": "win_security_metasploit_or_impacket_smb_psexec_service_install.yml" }, { "title": "User Logoff Event", "id": "0badd08f-c6a3-4630-90d3-6875cca440be", "status": "experimental", "description": "Detects a user log-off activity. Could be used for example to correlate information during forensic investigations", "author": "frack113", "falsepositives": [ "Unknown" ], "level": "informational", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID IN ('4634', '4647'))" ], "filename": "win_security_user_logoff.yml" }, { "title": "Password Protected ZIP File Opened (Email Attachment)", "id": "571498c8-908e-40b4-910b-d2369159a3da", "status": "experimental", "description": "Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Legitimate used of encrypted ZIP files" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND TargetName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook%' ESCAPE '\\')" ], "filename": "win_security_susp_opened_encrypted_zip_outlook.yml" }, { "title": "PowerShell Scripts Installed as Services - Security", "id": "2a926e6a-4b81-4011-8a96-e36cc8c04302", "status": "test", "description": "Detects powershell script installed as a Service", "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.execution", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%powershell%' ESCAPE '\\' OR ServiceFileName LIKE '%pwsh%' ESCAPE '\\'))" ], "filename": "win_security_powershell_script_installed_as_service.yml" }, { "title": "Generic Password Dumper Activity on LSASS", "id": "4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76", "status": "experimental", "description": "Detects process handle on LSASS process with certain access mask", "author": "Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)", "tags": [ "attack.credential_access", "car.2019-04-004", "attack.t1003.001" ], "falsepositives": [ "Legitimate software accessing LSASS process for legitimate reason; update the whitelist with it" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((EventID = '4656' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessMask LIKE '%0x40%' ESCAPE '\\' OR AccessMask LIKE '%0x1400%' ESCAPE '\\' OR AccessMask LIKE '%0x100000%' ESCAPE '\\' OR AccessMask LIKE '%0x1410%' ESCAPE '\\' OR AccessMask LIKE '%0x1010%' ESCAPE '\\' OR AccessMask LIKE '%0x1438%' ESCAPE '\\' OR AccessMask LIKE '%0x143a%' ESCAPE '\\' OR AccessMask LIKE '%0x1418%' ESCAPE '\\' OR AccessMask LIKE '%0x1f0fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f1fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f2fff%' ESCAPE '\\' OR AccessMask LIKE '%0x1f3fff%' ESCAPE '\\')) OR (EventID = '4663' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (AccessList LIKE '%4484%' ESCAPE '\\' OR AccessList LIKE '%4416%' ESCAPE '\\'))) AND NOT (((ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\lsm.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\csrss.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\wininit.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\minionhost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\VsTskMgr.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\GamingServices.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\MRT.exe' ESCAPE '\\' OR ProcessName LIKE '%RtkAudUService64' ESCAPE '\\') AND (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWow64\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysNative\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\taskhostw.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\CcmExec.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\aurora\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE '%\\\\x64\\\\SCENARIOENGINE.EXE' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND ProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND ProcessName LIKE '%\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND AccessList LIKE '%\\%\\%4484%' ESCAPE '\\')))" ], "filename": "win_security_susp_lsass_dump_generic.yml" }, { "title": "CobaltStrike Service Installations - Security", "id": "d7a95147-145f-4678-b85d-d1ff4a3bb3f6", "status": "test", "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ "attack.execution", "attack.privilege_escalation", "attack.lateral_movement", "attack.t1021.002", "attack.t1543.003", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%ADMIN$%' ESCAPE '\\' AND ServiceFileName LIKE '%.exe%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%start%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\') OR ServiceFileName LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR (ServiceFileName LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ServiceFileName LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ServiceFileName LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\')))" ], "filename": "win_security_cobaltstrike_service_installs.yml" }, { "title": "Sysmon Channel Reference Deletion", "id": "18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc", "status": "test", "description": "Potential threat actor tampering with Sysmon manifest and eventually disabling it", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((EventID = '4657' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND ObjectValueName = 'Enabled' AND NewValue = '0') OR (EventID = '4663' AND (ObjectName LIKE '%WINEVT\\\\Publishers\\\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}%' ESCAPE '\\' OR ObjectName LIKE '%WINEVT\\\\Channels\\\\Microsoft-Windows-Sysmon/Operational%' ESCAPE '\\') AND AccessMask = '65536')))" ], "filename": "win_security_sysmon_channel_reference_deletion.yml" }, { "title": "Suspicious PsExec Execution", "id": "c462f537-a1e3-41a6-b5fc-b2c2cef9bf82", "status": "test", "description": "detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one", "author": "Samir Bousseaden", "tags": [ "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND (RelativeTargetName LIKE '%-stdin' ESCAPE '\\' OR RelativeTargetName LIKE '%-stdout' ESCAPE '\\' OR RelativeTargetName LIKE '%-stderr' ESCAPE '\\')) AND NOT (RelativeTargetName LIKE 'PSEXESVC%' ESCAPE '\\'))" ], "filename": "win_security_susp_psexec.yml" }, { "title": "WMI Persistence - Security", "id": "f033f3f3-fd24-4995-97d8-a3bb17550a88", "status": "test", "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1546.003" ], "falsepositives": [ "Unknown (data set is too small; further testing needed)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'WMI Namespace' AND ObjectName LIKE '%subscription%' ESCAPE '\\')" ], "filename": "win_security_wmi_persistence.yml" }, { "title": "PetitPotam Suspicious Kerberos TGT Request", "id": "6a53d871-682d-40b6-83e0-b7c1a6c4e3a5", "status": "experimental", "description": "Detect suspicious Kerberos TGT requests.\nOnce an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes.\nOne way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus.\nThis request will generate a 4768 event with some unusual fields depending on the environment.\nThis analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.\n", "author": "Mauricio Velazco, Michael Haag", "tags": [ "attack.credential_access", "attack.t1187" ], "falsepositives": [ "False positives are possible if the environment is using certificates for authentication. We recommend filtering Account_Name to the Domain Controller computer accounts." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '4768' AND TargetUserName LIKE '%$' ESCAPE '\\' AND CertThumbprint LIKE '%' ESCAPE '\\') AND NOT ((IpAddress = '::1') OR (CertThumbprint = '')))" ], "filename": "win_security_petitpotam_susp_tgt_request.yml" }, { "title": "ISO Image Mount", "id": "0248a7bc-8a9a-4cd8-a57e-3ae8e073a073", "status": "experimental", "description": "Detects the mount of ISO images on an endpoint", "author": "Syed Hasan (@syedhasan009)", "tags": [ "attack.initial_access", "attack.t1566.001" ], "falsepositives": [ "Software installation ISO files" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '4663' AND ObjectServer = 'Security' AND ObjectType = 'File' AND ObjectName LIKE '\\\\Device\\\\CdRom%' ESCAPE '\\') AND NOT (ObjectName LIKE '\\\\Device\\\\CdRom0\\\\setup.exe' ESCAPE '\\'))" ], "filename": "win_security_iso_mount.yml" }, { "title": "RDP over Reverse SSH Tunnel WFP", "id": "5bed80b6-b3e8-428e-a3ae-d3c757589e41", "status": "experimental", "description": "Detects svchost hosting RDP termsvcs communicating with the loopback address", "author": "Samir Bousseaden", "tags": [ "attack.defense_evasion", "attack.command_and_control", "attack.lateral_movement", "attack.t1090.001", "attack.t1090.002", "attack.t1021.001", "car.2013-07-002" ], "falsepositives": [ "Programs that connect locally to the RDP port" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '5156' AND ((SourcePort = '3389' AND (DestAddress LIKE '127.%' ESCAPE '\\' OR DestAddress LIKE '::1' ESCAPE '\\')) OR (DestPort = '3389' AND (SourceAddress LIKE '127.%' ESCAPE '\\' OR SourceAddress LIKE '::1' ESCAPE '\\')))) AND NOT ((FilterOrigin = 'AppContainer Loopback') OR ((Application LIKE '%\\\\thor.exe' ESCAPE '\\' OR Application LIKE '%\\\\thor64.exe' ESCAPE '\\'))))" ], "filename": "win_security_rdp_reverse_tunnel.yml" }, { "title": "Win Susp Computer Name Containing Samtheadmin", "id": "39698b3f-da92-4bc6-bfb5-645a98386e45", "status": "experimental", "description": "Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool", "author": "elhoim", "tags": [ "cve.2021.42278", "cve.2021.42287", "attack.persistence", "attack.privilege_escalation", "attack.t1078" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((SamAccountName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND SamAccountName LIKE '%$' ESCAPE '\\') OR (TargetUserName LIKE 'SAMTHEADMIN-%' ESCAPE '\\' AND TargetUserName LIKE '%$' ESCAPE '\\')))" ], "filename": "win_security_susp_computer_name.yml" }, { "title": "Invoke-Obfuscation Via Stdin - Security", "id": "80b708f3-d034-40e4-a6c8-d23b7a7db3d1", "status": "experimental", "description": "Detects Obfuscated Powershell via Stdin in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%set%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND (ServiceFileName LIKE '%environment%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%${input)%' ESCAPE '\\'))" ], "filename": "win_security_invoke_obfuscation_via_stdin_services_security.yml" }, { "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'", "id": "6daac7fc-77d1-449a-a71a-e6b4d59a0e54", "status": "test", "description": "The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.", "author": "Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community", "tags": [ "attack.lateral_movement", "attack.privilege_escalation", "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4673' AND Service = 'LsaRegisterLogonProcess()' AND Keywords = '0x8010000000000000')" ], "filename": "win_security_user_couldnt_call_priv_service_lsaregisterlogonprocess.yml" }, { "title": "LSASS Access from Non System Account", "id": "962fe167-e48d-4fd6-9974-11e5b9a5d6d1", "status": "experimental", "description": "Detects potential mimikatz-like tools accessing LSASS from non system account", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID IN ('4663', '4656') AND AccessMask IN ('0x40', '0x1400', '0x100000', '0x1410', '0x1010', '0x1438', '0x143a', '0x1418', '0x1f0fff', '0x1f1fff', '0x1f2fff', '0x1f3fff', '40', '1400', '1000', '100000', '1410', '1010', '1438', '143a', '1418', '1f0fff', '1f1fff', '1f2fff', '1f3fff') AND ObjectType = 'Process' AND ObjectName LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((SubjectUserName LIKE '%$' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Program Files%' ESCAPE '\\') OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' AND AccessMask = '0x1410') OR (ProcessName LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], "filename": "win_security_lsass_access_non_system_account.yml" }, { "title": "Suspicious LDAP-Attributes Used", "id": "d00a9a72-2c09-4459-ad03-5e0a23351e36", "status": "test", "description": "Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.", "author": "xknow @xknow_infosec", "tags": [ "attack.t1001.003", "attack.command_and_control" ], "falsepositives": [ "Companies, who may use these default LDAP-Attributes for personal information" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeValue LIKE '%' ESCAPE '\\' AND AttributeLDAPDisplayName IN ('primaryInternationalISDNNumber', 'otherFacsimileTelephoneNumber', 'primaryTelexNumber'))" ], "filename": "win_security_susp_ldap_dataexchange.yml" }, { "title": "Add or Remove Computer from DC", "id": "20d96d95-5a20-4cf1-a483-f3bda8a7c037", "status": "experimental", "description": "Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.", "author": "frack113", "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID IN ('4741', '4743'))" ], "filename": "win_security_add_remove_computer.yml" }, { "title": "Invoke-Obfuscation Via Use Clip - Security", "id": "1a0a2ff1-611b-4dac-8216-8a7b47c618a6", "status": "experimental", "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%(Clipboard|i%' ESCAPE '\\')" ], "filename": "win_security_invoke_obfuscation_via_use_clip_services_security.yml" }, { "title": "Account Tampering - Suspicious Failed Logon Reasons", "id": "9eb99343-d336-4020-a3cd-67f3819e68ee", "status": "experimental", "description": "This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", "attack.initial_access", "attack.t1078" ], "falsepositives": [ "User using a disabled account" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID IN ('4625', '4776') AND Status IN ('0xC0000072', '0xC000006F', '0xC0000070', '0xC0000413', '0xC000018C', '0xC000015B')) AND NOT (SubjectUserSid = 'S-1-0-0'))" ], "filename": "win_security_susp_failed_logon_reasons.yml" }, { "title": "HybridConnectionManager Service Installation", "id": "0ee4d8a5-4e67-4faf-acfa-62a78457d1f2", "status": "test", "description": "Rule to detect the Hybrid Connection Manager service installation.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.persistence", "attack.t1554" ], "falsepositives": [ "Legitimate use of Hybrid Connection Manager via Azure function apps." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceName = 'HybridConnectionManager' AND ServiceFileName LIKE '%HybridConnectionManager%' ESCAPE '\\')" ], "filename": "win_security_hybridconnectionmgr_svc_installation.yml" }, { "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security", "id": "4c54ba8f-73d2-4d40-8890-d9cf1dca3d30", "status": "test", "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&set%' ESCAPE '\\' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%-f%' ESCAPE '\\' AND (ServiceFileName LIKE '%{0}%' ESCAPE '\\' OR ServiceFileName LIKE '%{1}%' ESCAPE '\\' OR ServiceFileName LIKE '%{2}%' ESCAPE '\\' OR ServiceFileName LIKE '%{3}%' ESCAPE '\\' OR ServiceFileName LIKE '%{4}%' ESCAPE '\\' OR ServiceFileName LIKE '%{5}%' ESCAPE '\\'))" ], "filename": "win_security_invoke_obfuscation_via_var_services_security.yml" }, { "title": "Local User Creation", "id": "66b6be3d-55d0-4f47-9855-d69df21740ea", "status": "test", "description": "Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.", "author": "Patrick Bareiss", "tags": [ "attack.persistence", "attack.t1136.001" ], "falsepositives": [ "Domain Controller Logs", "Local accounts managed by privileged account management tools" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4720')" ], "filename": "win_security_user_creation.yml" }, { "title": "User Added to Local Administrators", "id": "c265cf08-3f99-46c1-8d59-328247057d57", "status": "stable", "description": "This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1078", "attack.persistence", "attack.t1098" ], "falsepositives": [ "Legitimate administrative activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '4732' AND (TargetUserName LIKE 'Administr%' ESCAPE '\\' OR TargetSid = 'S-1-5-32-544')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], "filename": "win_security_user_added_to_local_administrators.yml" }, { "title": "Suspicious Outbound Kerberos Connection - Security", "id": "eca91c7c-9214-47b9-b4c5-cb1d7e4f2350", "status": "test", "description": "Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.", "author": "Ilyas Ochkov, oscd.community", "tags": [ "attack.lateral_movement", "attack.t1558.003" ], "falsepositives": [ "Web Browsers" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '5156' AND DestPort = '88') AND NOT (((Application LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' OR Application LIKE 'C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\'))))" ], "filename": "win_security_susp_outbound_kerberos_connection.yml" }, { "title": "DCERPC SMB Spoolss Named Pipe", "id": "214e8f95-100a-4e04-bb31-ef6cba8ce07e", "status": "test", "description": "Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.", "author": "OTR (Open Threat Research)", "tags": [ "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Domain Controllers acting as printer servers too? :)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'spoolss')" ], "filename": "win_security_dce_rpc_smb_spoolss_named_pipe.yml" }, { "title": "SCM Database Privileged Operation", "id": "dae8171c-5ec6-4396-b210-8466585b53e9", "status": "test", "description": "Detects non-system users performing privileged operation os the SCM database", "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ "attack.privilege_escalation", "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '4674' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'servicesactive' AND PrivilegeList = 'SeTakeOwnershipPrivilege') AND NOT (SubjectLogonId = '0x3e4' AND ProcessName LIKE '%:\\\\Windows\\\\System32\\\\services.exe' ESCAPE '\\'))" ], "filename": "win_security_scm_database_privileged_operation.yml" }, { "title": "Protected Storage Service Access", "id": "45545954-4016-43c6-855e-eae8f1c369dc", "status": "test", "description": "Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '%IPC%' ESCAPE '\\' AND RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\')" ], "filename": "win_security_protected_storage_service_access.yml" }, { "title": "Windows Pcap Drivers", "id": "7b687634-ab20-11ea-bb37-0242ac130002", "status": "test", "description": "Detects Windows Pcap driver installation based on a list of associated .sys files.", "author": "Cian Heasley", "tags": [ "attack.discovery", "attack.credential_access", "attack.t1040" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%pcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npcap%' ESCAPE '\\' OR ServiceFileName LIKE '%npf%' ESCAPE '\\' OR ServiceFileName LIKE '%nm3%' ESCAPE '\\' OR ServiceFileName LIKE '%ndiscap%' ESCAPE '\\' OR ServiceFileName LIKE '%nmnt%' ESCAPE '\\' OR ServiceFileName LIKE '%windivert%' ESCAPE '\\' OR ServiceFileName LIKE '%USBPcap%' ESCAPE '\\' OR ServiceFileName LIKE '%pktmon%' ESCAPE '\\'))" ], "filename": "win_security_pcap_drivers.yml" }, { "title": "Remote Access Tool Services Have Been Installed - Security", "id": "c8b00925-926c-47e3-beea-298fd563728e", "status": "experimental", "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", "author": "Connor Martin, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1543.003", "attack.t1569.002" ], "falsepositives": [ "The rule doesn't look for anything suspicious so false positives are expected. If you use one of the tools mentioned, comment it out" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%SSUService%' ESCAPE '\\' OR ServiceFileName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceFileName LIKE '%Atera%' ESCAPE '\\' OR ServiceFileName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceFileName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceFileName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCService%' ESCAPE '\\' OR ServiceFileName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceFileName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceFileName LIKE '%monblanking%' ESCAPE '\\' OR ServiceFileName LIKE '%RManService%' ESCAPE '\\' OR ServiceFileName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceFileName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceFileName LIKE '%vncserver%' ESCAPE '\\' OR ServiceFileName LIKE '%Parsec%' ESCAPE '\\' OR ServiceFileName LIKE '%chromoting%' ESCAPE '\\' OR ServiceFileName LIKE '%Zoho%' ESCAPE '\\' OR ServiceFileName LIKE '%jumpcloud%' ESCAPE '\\'))" ], "filename": "win_security_service_install_remote_access_software.yml" }, { "title": "SysKey Registry Keys Access", "id": "9a4ff3b8-6187-4fd2-8e8b-e0eae1129495", "status": "test", "description": "Detects handle requests and access operations to specific registry keys to calculate the SysKey", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.discovery", "attack.t1012" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID IN ('4656', '4663') AND ObjectType = 'key' AND (ObjectName LIKE '%lsa\\\\JD' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\GBG' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Skew1' ESCAPE '\\' OR ObjectName LIKE '%lsa\\\\Data' ESCAPE '\\'))" ], "filename": "win_security_syskey_registry_access.yml" }, { "title": "Unauthorized System Time Modification", "id": "faa031b5-21ed-4e02-8881-2591f98d82ed", "status": "test", "description": "Detect scenarios where a potentially unauthorized application or user is modifying the system time.", "author": "@neu5ron", "tags": [ "attack.defense_evasion", "attack.t1070.006" ], "falsepositives": [ "HyperV or other virtualization technologies with binary not listed in filter portion of detection" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4616' AND NOT (((ProcessName LIKE 'C:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\VBoxService.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe' ESCAPE '\\')) OR (ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND SubjectUserSid = 'S-1-5-19')))" ], "filename": "win_security_susp_time_modification.yml" }, { "title": "Invoke-Obfuscation Via Use Rundll32 - Security", "id": "cd0f7229-d16f-42de-8fe3-fba365fbcb3a", "status": "experimental", "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%shell32.dll%' ESCAPE '\\' AND ServiceFileName LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ServiceFileName LIKE '%value%' ESCAPE '\\' OR ServiceFileName LIKE '%invoke%' ESCAPE '\\' OR ServiceFileName LIKE '%comspec%' ESCAPE '\\' OR ServiceFileName LIKE '%iex%' ESCAPE '\\'))" ], "filename": "win_security_invoke_obfuscation_via_use_rundll32_services_security.yml" }, { "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right", "id": "2c99737c-585d-4431-b61a-c911d86ff32f", "status": "experimental", "description": "Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer", "author": "Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton; Maxence Fossat", "tags": [ "attack.persistence", "attack.t1098" ], "falsepositives": [ "New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '5136' AND AttributeLDAPDisplayName = 'ntSecurityDescriptor' AND (AttributeValue LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR AttributeValue LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT ((ObjectClass IN ('dnsNode', 'dnsZoneScope', 'dnsZone'))))" ], "filename": "win_security_account_backdoor_dcsync_rights.yml" }, { "title": "Password Protected ZIP File Opened (Suspicious Filenames)", "id": "54f0434b-726f-48a1-b2aa-067df14516e4", "status": "experimental", "description": "Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.", "author": "Florian Roth (Nextron Systems)", "falsepositives": [ "Legitimate used of encrypted ZIP files" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5379' AND TargetName LIKE '%Microsoft\\_Windows\\_Shell\\_ZipFolder:filename%' ESCAPE '\\' AND (TargetName LIKE '%invoice%' ESCAPE '\\' OR TargetName LIKE '%new order%' ESCAPE '\\' OR TargetName LIKE '%rechnung%' ESCAPE '\\' OR TargetName LIKE '%factura%' ESCAPE '\\' OR TargetName LIKE '%delivery%' ESCAPE '\\' OR TargetName LIKE '%purchase%' ESCAPE '\\' OR TargetName LIKE '%order%' ESCAPE '\\' OR TargetName LIKE '%payment%' ESCAPE '\\'))" ], "filename": "win_security_susp_opened_encrypted_zip_filename.yml" }, { "title": "DPAPI Domain Backup Key Extraction", "id": "4ac1f50b-3bd0-4968-902d-868b4647937e", "status": "test", "description": "Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", "attack.t1003.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4662' AND ObjectType = 'SecretObject' AND AccessMask = '0x2' AND ObjectName LIKE '%BCKUPKEY%' ESCAPE '\\')" ], "filename": "win_security_dpapi_domain_backupkey_extraction.yml" }, { "title": "Invoke-Obfuscation STDIN+ Launcher - Security", "id": "0c718a5e-4284-4fb9-b4d9-b9a50b3a1974", "status": "experimental", "description": "Detects Obfuscated use of stdin to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%powershell%' ESCAPE '\\' AND (ServiceFileName LIKE '%${input}%' ESCAPE '\\' OR ServiceFileName LIKE '%noexit%' ESCAPE '\\') AND (ServiceFileName LIKE '% /c %' ESCAPE '\\' OR ServiceFileName LIKE '% /r %' ESCAPE '\\'))" ], "filename": "win_security_invoke_obfuscation_stdin_services_security.yml" }, { "title": "Persistence and Execution at Scale via GPO Scheduled Task", "id": "a8f29a7b-b137-4446-80a0-b804272f3da2", "status": "test", "description": "Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale", "author": "Samir Bousseaden", "tags": [ "attack.persistence", "attack.lateral_movement", "attack.t1053.005" ], "falsepositives": [ "If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\SYSVOL' ESCAPE '\\' AND RelativeTargetName LIKE '%ScheduledTasks.xml' ESCAPE '\\' AND (Accesses LIKE '%WriteData%' ESCAPE '\\' OR Accesses LIKE '%\\%\\%4417%' ESCAPE '\\'))" ], "filename": "win_security_gpo_scheduledtasks.yml" }, { "title": "Addition of SID History to Active Directory Object", "id": "2632954e-db1c-49cb-9936-67d1ef1d17d2", "status": "stable", "description": "An attacker can use the SID history attribute to gain additional privileges.", "author": "Thomas Patzke, @atc_project (improvements)", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1134.005" ], "falsepositives": [ "Migration of an account into a new domain" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID IN ('4765', '4766') OR ((EventID = '4738' AND NOT ((SidHistory LIKE '-' ESCAPE '\\' OR SidHistory LIKE '\\%\\%1793' ESCAPE '\\'))) AND NOT (SidHistory = ''))))" ], "filename": "win_security_susp_add_sid_history.yml" }, { "title": "Windows Defender Exclusion Set", "id": "e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d", "status": "test", "description": "Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender", "author": "@BarryShooshooga", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Intended inclusions by administrator" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4660', '4663') AND ObjectName LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\%' ESCAPE '\\')" ], "filename": "win_security_defender_bypass.yml" }, { "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security", "id": "c39f0c81-7348-4965-ab27-2fde35a1b641", "status": "test", "description": "Detects a threat actor creating a file named `iertutil.dll` in the `C:\\Program Files\\Internet Explorer\\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.", "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ "attack.lateral_movement", "attack.t1021.002", "attack.t1021.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '5145' AND RelativeTargetName LIKE '%\\\\Internet Explorer\\\\iertutil.dll' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], "filename": "win_security_dcom_iertutil_dll_hijack.yml" }, { "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security", "id": "ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34", "status": "test", "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ "attack.privilege_escalation", "attack.t1134.001", "attack.t1134.002" ], "falsepositives": [ "Highly unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ((ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%cmd.exe%' ESCAPE '\\' AND ServiceFileName LIKE '%/c%' ESCAPE '\\' AND ServiceFileName LIKE '%echo%' ESCAPE '\\' AND ServiceFileName LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ServiceFileName LIKE '%rundll32%' ESCAPE '\\' AND ServiceFileName LIKE '%.dll,a%' ESCAPE '\\' AND ServiceFileName LIKE '%/p:%' ESCAPE '\\')))" ], "filename": "win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml" }, { "title": "AD User Enumeration", "id": "ab6bffca-beff-4baa-af11-6733f296d57a", "status": "test", "description": "Detects access to a domain user from a non-machine account", "author": "Maxime Thiebaut (@0xThiebaut)", "tags": [ "attack.discovery", "attack.t1087.002" ], "falsepositives": [ "Administrators configuring new users." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '4662' AND ObjectType LIKE '%bf967aba-0de6-11d0-a285-00aa003049e2%' ESCAPE '\\') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" ], "filename": "win_security_ad_user_enumeration.yml" }, { "title": "Remote Task Creation via ATSVC Named Pipe", "id": "f6de6525-4509-495a-8a82-1f8b0ed73a00", "status": "test", "description": "Detects remote task creation via at.exe or API interacting with ATSVC namedpipe", "author": "Samir Bousseaden", "tags": [ "attack.lateral_movement", "attack.persistence", "car.2013-05-004", "car.2015-04-001", "attack.t1053.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'atsvc' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" ], "filename": "win_security_atsvc_task.yml" }, { "title": "DiagTrackEoP Default Login Username", "id": "2111118f-7e46-4fc8-974a-59fd8ec95196", "status": "experimental", "description": "Detects the default \"UserName\" used by the DiagTrackEoP POC", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND TargetOutboundUserName = 'thisisnotvaliduser')" ], "filename": "win_security_diagtrack_eop_default_login_username.yml" }, { "title": "A Member Was Removed From a Security-Enabled Global Group", "id": "02c39d30-02b5-45d2-b435-8aebfe5a8629", "status": "stable", "description": "Detects activity when a member is removed from a security-enabled global group", "author": "Alexandr Yampolskyi, SOC Prime", "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID IN ('633', '4729'))" ], "filename": "win_security_member_removed_security_enabled_global_group.yml" }, { "title": "Pass the Hash Activity 2", "id": "8eef149c-bd26-49f2-9e5a-9b00e3af499b", "status": "stable", "description": "Detects the attack technique pass the hash which is used to move laterally inside the network", "author": "Dave Kennedy, Jeff Warren (method) / David Vassallo (rule)", "tags": [ "attack.lateral_movement", "attack.t1550.002" ], "falsepositives": [ "Administrator activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((EventID = '4624' AND SubjectUserSid = 'S-1-0-0' AND LogonType = '3' AND LogonProcessName = 'NtLmSsp' AND KeyLength = '0') OR (EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo')) AND NOT (TargetUserName = 'ANONYMOUS LOGON'))" ], "filename": "win_security_pass_the_hash_2.yml" }, { "title": "RottenPotato Like Attack Pattern", "id": "16f5d8ca-44bd-47c8-acbe-6fc95a16c12f", "status": "test", "description": "Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like", "author": "@SBousseaden, Florian Roth", "tags": [ "attack.privilege_escalation", "attack.credential_access", "attack.t1557.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND TargetUserName = 'ANONYMOUS LOGON' AND WorkstationName = '-' AND IpAddress IN ('127.0.0.1', '::1'))" ], "filename": "win_security_susp_rottenpotato.yml" }, { "title": "Remote WMI ActiveScriptEventConsumers", "id": "9599c180-e3a8-4743-8f92-7fb96d3be648", "status": "test", "description": "Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.lateral_movement", "attack.privilege_escalation", "attack.persistence", "attack.t1546.003" ], "falsepositives": [ "SCCM" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '4624' AND LogonType = '3' AND ProcessName LIKE '%scrcons.exe' ESCAPE '\\') AND NOT (TargetLogonId = '0x3e7'))" ], "filename": "win_security_scrcons_remote_wmi_scripteventconsumer.yml" }, { "title": "Admin User Remote Logon", "id": "0f63e1ef-1eb9-4226-9d54-8927ca08520a", "status": "test", "description": "Detect remote login by Administrator user (depending on internal pattern).", "author": "juju4", "tags": [ "attack.lateral_movement", "attack.t1078.001", "attack.t1078.002", "attack.t1078.003", "car.2016-04-005" ], "falsepositives": [ "Legitimate administrative activity." ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND AuthenticationPackageName = 'Negotiate' AND TargetUserName LIKE 'Admin%' ESCAPE '\\')" ], "filename": "win_security_admin_rdp_login.yml" }, { "title": "Login with WMI", "id": "5af54681-df95-4c26-854f-2565e13cfab0", "status": "stable", "description": "Detection of logins performed with WMI", "author": "Thomas Patzke", "tags": [ "attack.execution", "attack.t1047" ], "falsepositives": [ "Monitoring tools", "Legitimate system administration" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4624' AND ProcessName LIKE '%\\\\WmiPrvSE.exe' ESCAPE '\\')" ], "filename": "win_security_susp_wmi_login.yml" }, { "title": "RDP Login from Localhost", "id": "51e33403-2a37-4d66-a574-1fda1782cc31", "status": "test", "description": "RDP login with localhost source address may be a tunnelled login", "author": "Thomas Patzke", "tags": [ "attack.lateral_movement", "car.2013-07-002", "attack.t1021.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '10' AND IpAddress IN ('::1', '127.0.0.1'))" ], "filename": "win_security_rdp_localhost_login.yml" }, { "title": "KrbRelayUp Attack Pattern", "id": "749c9f5e-b353-4b90-a9c1-05243357ca4b", "status": "experimental", "description": "Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like", "author": "@SBousseaden, Florian Roth", "tags": [ "attack.privilege_escalation", "attack.credential_access" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '3' AND AuthenticationPackageName = 'Kerberos' AND IpAddress = '127.0.0.1' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND TargetUserSid LIKE '%-500' ESCAPE '\\')" ], "filename": "win_security_susp_krbrelayup.yml" }, { "title": "Outgoing Logon with New Credentials", "id": "def8b624-e08f-4ae1-8612-1ba21190da6b", "status": "experimental", "description": "Detects logon events that specify new credentials", "author": "Max Altgelt (Nextron Systems)", "falsepositives": [ "Legitimate remote administration activity" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9')" ], "filename": "win_security_susp_logon_newcredentials.yml" }, { "title": "Failed Logon From Public IP", "id": "f88e112a-21aa-44bd-9b01-6ee2a2bbbed1", "status": "test", "description": "A login from a public IP can indicate a misconfigured firewall or network boundary.", "author": "NVISO", "tags": [ "attack.initial_access", "attack.persistence", "attack.t1078", "attack.t1190", "attack.t1133" ], "falsepositives": [ "Legitimate logon attempts over the internet", "IPv4-to-IPv6 mapped IPs" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4625' AND NOT ((IpAddress LIKE '%-%' ESCAPE '\\') OR ((IpAddress LIKE '10.%' ESCAPE '\\' OR IpAddress LIKE '192.168.%' ESCAPE '\\' OR IpAddress LIKE '172.16.%' ESCAPE '\\' OR IpAddress LIKE '172.17.%' ESCAPE '\\' OR IpAddress LIKE '172.18.%' ESCAPE '\\' OR IpAddress LIKE '172.19.%' ESCAPE '\\' OR IpAddress LIKE '172.20.%' ESCAPE '\\' OR IpAddress LIKE '172.21.%' ESCAPE '\\' OR IpAddress LIKE '172.22.%' ESCAPE '\\' OR IpAddress LIKE '172.23.%' ESCAPE '\\' OR IpAddress LIKE '172.24.%' ESCAPE '\\' OR IpAddress LIKE '172.25.%' ESCAPE '\\' OR IpAddress LIKE '172.26.%' ESCAPE '\\' OR IpAddress LIKE '172.27.%' ESCAPE '\\' OR IpAddress LIKE '172.28.%' ESCAPE '\\' OR IpAddress LIKE '172.29.%' ESCAPE '\\' OR IpAddress LIKE '172.30.%' ESCAPE '\\' OR IpAddress LIKE '172.31.%' ESCAPE '\\' OR IpAddress LIKE '127.%' ESCAPE '\\' OR IpAddress LIKE '169.254.%' ESCAPE '\\')) OR (IpAddress = '::1' OR (IpAddress LIKE 'fe80::%' ESCAPE '\\' OR IpAddress LIKE 'fc00::%' ESCAPE '\\'))))" ], "filename": "win_security_susp_failed_logon_source.yml" }, { "title": "Successful Overpass the Hash Attempt", "id": "192a0330-c20b-4356-90b6-7b7049ae0b87", "status": "test", "description": "Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.", "author": "Roberto Rodriguez (source), Dominik Schaudel (rule)", "tags": [ "attack.lateral_movement", "attack.s0002", "attack.t1550.002" ], "falsepositives": [ "Runas command-line tool using /netonly parameter" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'seclogo' AND AuthenticationPackageName = 'Negotiate')" ], "filename": "win_security_overpass_the_hash.yml" }, { "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln", "id": "8400629e-79a9-4737-b387-5db940ab2367", "status": "test", "description": "Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep", "author": "Florian Roth (Nextron Systems), Adam Bradbury (idea)", "tags": [ "attack.lateral_movement", "attack.t1210", "car.2013-07-002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4625' AND TargetUserName = 'AAAAAAA')" ], "filename": "win_security_rdp_bluekeep_poc_scanner.yml" }, { "title": "A Security-Enabled Global Group Was Deleted", "id": "b237c54b-0f15-4612-a819-44b735e0de27", "status": "stable", "description": "Detects activity when a security-enabled global group is deleted", "author": "Alexandr Yampolskyi, SOC Prime", "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID IN ('4730', '634'))" ], "filename": "win_security_security_enabled_global_group_deleted.yml" }, { "title": "A Member Was Added to a Security-Enabled Global Group", "id": "c43c26be-2e87-46c7-8661-284588c5a53e", "status": "stable", "description": "Detects activity when a member is added to a security-enabled global group", "author": "Alexandr Yampolskyi, SOC Prime", "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID IN ('4728', '632'))" ], "filename": "win_security_member_added_security_enabled_global_group.yml" }, { "title": "Potential Access Token Abuse", "id": "02f7c9c1-1ae8-4c6a-8add-04693807f92f", "status": "experimental", "description": "Detects potential token impersonation and theft. Example, when using \"DuplicateToken(Ex)\" and \"ImpersonateLoggedOnUser\" with the \"LOGON32_LOGON_NEW_CREDENTIALS flag\".", "author": "Michaela Adams, Zach Mathis", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1134.001" ], "falsepositives": [ "Anti-Virus" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4624' AND LogonType = '9' AND LogonProcessName = 'Advapi' AND AuthenticationPackageName = 'Negotiate' AND ImpersonationLevel LIKE '\\%\\%1833' ESCAPE '\\')" ], "filename": "win_security_access_token_abuse.yml" }, { "title": "Active Directory Replication from Non Machine Account", "id": "17d619c1-e020-4347-957e-1d1207455c93", "status": "test", "description": "Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", "attack.t1003.006" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '4662' AND AccessMask = '0x100' AND (Properties LIKE '%1131f6aa-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%1131f6ad-9c07-11d1-f79f-00c04fc2dcd2%' ESCAPE '\\' OR Properties LIKE '%89e95b76-444d-4c62-991a-0facbeda640c%' ESCAPE '\\')) AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\' OR SubjectUserName LIKE 'MSOL\\_%' ESCAPE '\\'))" ], "filename": "win_security_ad_replication_non_machine_account.yml" }, { "title": "Suspicious Kerberos RC4 Ticket Encryption", "id": "496a0e47-0a33-4dca-b009-9e6ca3591f39", "status": "experimental", "description": "Detects service ticket requests using RC4 encryption type", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1558.003" ], "falsepositives": [ "Service accounts used on legacy systems (e.g. NetApp)", "Windows Domains with DFL 2003 and legacy systems" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '4769' AND TicketOptions = '0x40810000' AND TicketEncryptionType = '0x17') AND NOT (ServiceName LIKE '%$' ESCAPE '\\'))" ], "filename": "win_security_susp_rc4_kerberos.yml" }, { "title": "Active Directory User Backdoors", "id": "300bac00-e041-4ee2-9c36-e262656a6ecc", "status": "test", "description": "Detects scenarios where one can control another users or computers account without having to use their credentials.", "author": "@neu5ron", "tags": [ "attack.t1098", "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((EventID = '4738' AND NOT (AllowedToDelegateTo = '-' OR AllowedToDelegateTo = '')) OR ((EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToDelegateTo') OR (EventID = '5136' AND ObjectClass = 'user' AND AttributeLDAPDisplayName = 'servicePrincipalName') OR (EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-AllowedToActOnBehalfOfOtherIdentity'))))" ], "filename": "win_security_alert_ad_user_backdoors.yml" }, { "title": "Invoke-Obfuscation CLIP+ Launcher - Security", "id": "4edf51e1-cb83-4e1a-bc39-800e396068e3", "status": "experimental", "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%cmd%' ESCAPE '\\' AND ServiceFileName LIKE '%&&%' ESCAPE '\\' AND ServiceFileName LIKE '%clipboard]::%' ESCAPE '\\')" ], "filename": "win_security_invoke_obfuscation_clip_services_security.yml" }, { "title": "Service Installed By Unusual Client - Security", "id": "c4e92a97-a9ff-4392-9d2d-7a4c642768ca", "status": "experimental", "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", "author": "Tim Rauch", "tags": [ "attack.privilege_escalation", "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND (ClientProcessId = '0' OR ParentProcessId = '0'))" ], "filename": "win_security_service_installation_by_unusal_client.yml" }, { "title": "User with Privileges Logon", "id": "94309181-d345-4cbf-b5fe-061769bdf9cb", "status": "experimental", "description": "Detects logon with \"Special groups\" and \"Special Privileges\" can be thought of as Administrator groups or privileges.", "author": "frack113", "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID IN ('4672', '4964') AND NOT (SubjectUserSid = 'S-1-5-18'))" ], "filename": "win_security_admin_logon.yml" }, { "title": "Possible Shadow Credentials Added", "id": "f598ea0c-c25a-4f72-a219-50c44411c791", "status": "experimental", "description": "Detects possible addition of shadow credentials to an active directory object.", "author": "Nasreddine Bencherchali (Nextron Systems), Elastic (idea)", "tags": [ "attack.credential_access", "attack.t1556" ], "falsepositives": [ "Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions. (From elastic FP section)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5136' AND AttributeLDAPDisplayName = 'msDS-KeyCredentialLink')" ], "filename": "win_security_susp_possible_shadow_credentials_added.yml" }, { "title": "ADCS Certificate Template Configuration Vulnerability", "id": "5ee3a654-372f-11ec-8d3d-0242ac130003", "status": "test", "description": "Detects certificate creation with template allowing risk permission subject", "author": "Orlinum , BlueDefenZer", "tags": [ "attack.privilege_escalation", "attack.credential_access" ], "falsepositives": [ "Administrator activity", "Proxy SSL certificate with subject modification", "Smart card enrollement" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((EventID = '4898' AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" ], "filename": "win_security_adcs_certificate_template_configuration_vulnerability.yml" }, { "title": "Azure AD Health Service Agents Registry Keys Access", "id": "1d2ab8ac-1a01-423b-9c39-001510eae8e8", "status": "test", "description": "This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).\nInformation from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).\nThis detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\\SOFTWARE\\Microsoft\\ADHealthAgent.\nMake sure you set the SACL to propagate to its sub-keys.\n", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC", "tags": [ "attack.discovery", "attack.t1012" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID IN ('4656', '4663') AND ObjectType = 'Key' AND ObjectName LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\ADHealthAgent' ESCAPE '\\') AND NOT ((ProcessName LIKE '%Microsoft.Identity.Health.Adfs.DiagnosticsAgent.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.InsightsService.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.MonitoringAgent.Startup.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Adfs.PshSurrogate.exe%' ESCAPE '\\' OR ProcessName LIKE '%Microsoft.Identity.Health.Common.Clients.ResourceMonitor.exe%' ESCAPE '\\')))" ], "filename": "win_security_aadhealth_svc_agent_regkey_access.yml" }, { "title": "External Disk Drive Or USB Storage Device", "id": "f69a87ea-955e-4fb4-adb2-bb9fd6685632", "status": "test", "description": "Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later", "author": "Keith Wright", "tags": [ "attack.t1091", "attack.t1200", "attack.lateral_movement", "attack.initial_access" ], "falsepositives": [ "Legitimate administrative activity" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((EventID = '6416' AND ClassName = 'DiskDrive') OR DeviceDescription = 'USB Mass Storage Device'))" ], "filename": "win_security_external_device.yml" }, { "title": "Replay Attack Detected", "id": "5a44727c-3b85-4713-8c44-4401d5499629", "status": "experimental", "description": "Detects possible Kerberos Replay Attack on the domain controllers when \"KRB_AP_ERR_REPEAT\" Kerberos response is sent to the client", "author": "frack113", "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4649')" ], "filename": "win_security_replay_attack_detected.yml" }, { "title": "ETW Logging Disabled In .NET Processes - Registry", "id": "a4c90ea1-2634-4ca0-adbb-35eae169b6fc", "status": "test", "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", "attack.t1112", "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((EventID = '4657' AND ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework' ESCAPE '\\' AND ObjectValueName = 'ETWEnabled' AND NewValue = '0') OR (EventID = '4657' AND ObjectName LIKE '%\\\\Environment%' ESCAPE '\\' AND (ObjectValueName LIKE 'COMPlus\\_ETWEnabled' ESCAPE '\\' OR ObjectValueName LIKE 'COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue = '0')))" ], "filename": "win_security_dot_net_etw_tamper.yml" }, { "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security", "id": "fd0f5778-d3cb-4c9a-9695-66759d04702a", "status": "experimental", "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ServiceFileName REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ServiceFileName REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ServiceFileName REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ServiceFileName REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ServiceFileName REGEXP '\\$VerbosePreference\\.ToString\\(' OR ServiceFileName REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], "filename": "win_security_invoke_obfuscation_obfuscated_iex_services_security.yml" }, { "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security", "id": "7a922f1b-2635-4d6c-91ef-af228b198ad3", "status": "experimental", "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND ServiceFileName LIKE '%new-object%' ESCAPE '\\' AND ServiceFileName LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ServiceFileName LIKE '%readtoend%' ESCAPE '\\' AND (ServiceFileName LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ServiceFileName LIKE '%system.io.streamreader%' ESCAPE '\\'))" ], "filename": "win_security_invoke_obfuscation_via_compress_services_security.yml" }, { "title": "Locked Workstation", "id": "411742ad-89b0-49cb-a7b0-3971b5c1e0a4", "status": "stable", "description": "Automatically lock workstation sessions after a standard period of inactivity.\nThe case is not applicable for Unix OS. Supported OS - Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 Windows Server 2019.\n", "author": "Alexandr Yampolskyi, SOC Prime", "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4800')" ], "filename": "win_security_workstation_was_locked.yml" }, { "title": "Remote Service Activity via SVCCTL Named Pipe", "id": "586a8d6b-6bfe-4ad9-9d78-888cd2fe50c3", "status": "test", "description": "Detects remote service activity via remote access to the svcctl named pipe", "author": "Samir Bousseaden", "tags": [ "attack.lateral_movement", "attack.persistence", "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\' AND RelativeTargetName = 'svcctl' AND Accesses LIKE '%WriteData%' ESCAPE '\\')" ], "filename": "win_security_svcctl_remote_service.yml" }, { "title": "First Time Seen Remote Named Pipe", "id": "52d8b0c6-53d6-439a-9e41-52ad442ad9ad", "status": "test", "description": "This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes", "author": "Samir Bousseaden", "tags": [ "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Update the excluded named pipe to filter out any newly observed legit named pipe" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\IPC$' ESCAPE '\\') AND NOT ((RelativeTargetName LIKE 'atsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'samr' ESCAPE '\\' OR RelativeTargetName LIKE 'lsarpc' ESCAPE '\\' OR RelativeTargetName LIKE 'lsass' ESCAPE '\\' OR RelativeTargetName LIKE 'winreg' ESCAPE '\\' OR RelativeTargetName LIKE 'netlogon' ESCAPE '\\' OR RelativeTargetName LIKE 'srvsvc' ESCAPE '\\' OR RelativeTargetName LIKE 'protected\\_storage' ESCAPE '\\' OR RelativeTargetName LIKE 'wkssvc' ESCAPE '\\' OR RelativeTargetName LIKE 'browser' ESCAPE '\\' OR RelativeTargetName LIKE 'netdfs' ESCAPE '\\' OR RelativeTargetName LIKE 'svcctl' ESCAPE '\\' OR RelativeTargetName LIKE 'spoolss' ESCAPE '\\' OR RelativeTargetName LIKE 'ntsvcs' ESCAPE '\\' OR RelativeTargetName LIKE 'LSM\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'HydraLsPipe' ESCAPE '\\' OR RelativeTargetName LIKE 'TermSrv\\_API\\_service' ESCAPE '\\' OR RelativeTargetName LIKE 'MsFteWds' ESCAPE '\\' OR RelativeTargetName LIKE 'sql\\\\query' ESCAPE '\\' OR RelativeTargetName LIKE 'eventlog' ESCAPE '\\')))" ], "filename": "win_security_lm_namedpipe.yml" }, { "title": "Important Scheduled Task Deleted/Disabled", "id": "7595ba94-cf3b-4471-aa03-4f6baa9e5fad", "status": "experimental", "description": "Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.privilege_escalation", "attack.persistence", "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID IN ('4699', '4701') AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\Schedule%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((EventID = '4699' AND SubjectUserName LIKE '%$' ESCAPE '\\' AND TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\')))" ], "filename": "win_security_susp_scheduled_task_delete_or_disable.yml" }, { "title": "Possible Impacket SecretDump Remote Activity", "id": "252902e3-5830-4cf6-bf21-c22083dfd5cf", "status": "experimental", "description": "Detect AD credential dumping using impacket secretdump HKTL", "author": "Samir Bousseaden, wagga", "tags": [ "attack.credential_access", "attack.t1003.002", "attack.t1003.004", "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5145' AND ShareName LIKE '\\\\\\\\\\*\\\\ADMIN$' ESCAPE '\\' AND RelativeTargetName LIKE '%SYSTEM32\\\\%' ESCAPE '\\' AND RelativeTargetName LIKE '%.tmp%' ESCAPE '\\')" ], "filename": "win_security_impacket_secretdump.yml" }, { "title": "Processes Accessing the Microphone and Webcam", "id": "8cd538a4-62d5-4e83-810b-12d41e428d6e", "status": "test", "description": "Potential adversaries accessing the microphone and webcam in an endpoint.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.collection", "attack.t1123" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID IN ('4657', '4656', '4663') AND (ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\microphone\\\\NonPackaged%' ESCAPE '\\' OR ObjectName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\webcam\\\\NonPackaged%' ESCAPE '\\'))" ], "filename": "win_security_camera_microphone_access.yml" }, { "title": "Suspicious Scheduled Task Update", "id": "614cf376-6651-47c4-9dcc-6b9527f749f4", "status": "experimental", "description": "Detects update to a scheduled task event that contain suspicious keywords.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.privilege_escalation", "attack.persistence", "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4702' AND (TaskContentNew LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\WINDOWS\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%\\\\Temporary Internet%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\ProgramData\\\\%' ESCAPE '\\' OR TaskContentNew LIKE '%C:\\\\Perflogs\\\\%' ESCAPE '\\') AND (TaskContentNew LIKE '%regsvr32%' ESCAPE '\\' OR TaskContentNew LIKE '%rundll32%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%cmd%' ESCAPE '\\' OR TaskContentNew LIKE '%/c %' ESCAPE '\\' OR TaskContentNew LIKE '%/k %' ESCAPE '\\' OR TaskContentNew LIKE '%/r %' ESCAPE '\\' OR TaskContentNew LIKE '%powershell%' ESCAPE '\\' OR TaskContentNew LIKE '%pwsh%' ESCAPE '\\' OR TaskContentNew LIKE '%mshta%' ESCAPE '\\' OR TaskContentNew LIKE '%wscript%' ESCAPE '\\' OR TaskContentNew LIKE '%cscript%' ESCAPE '\\' OR TaskContentNew LIKE '%certutil%' ESCAPE '\\' OR TaskContentNew LIKE '%bitsadmin%' ESCAPE '\\' OR TaskContentNew LIKE '%bash.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%bash %' ESCAPE '\\' OR TaskContentNew LIKE '%scrcons%' ESCAPE '\\' OR TaskContentNew LIKE '%wmic %' ESCAPE '\\' OR TaskContentNew LIKE '%wmic.exe%' ESCAPE '\\' OR TaskContentNew LIKE '%forfiles%' ESCAPE '\\' OR TaskContentNew LIKE '%scriptrunner%' ESCAPE '\\' OR TaskContentNew LIKE '%hh.exe%' ESCAPE '\\'))" ], "filename": "win_security_susp_scheduled_task_update.yml" }, { "title": "Disabling Windows Event Auditing", "id": "69aeb277-f15f-4d2d-b32a-55e883609563", "status": "test", "description": "Detects scenarios where system auditing (ie: windows event log auditing) is disabled.\nThis may be used in a scenario where an entity would want to bypass local logging to evade detection when windows event logging is enabled and reviewed.\nAlso, it is recommended to turn off \"Local Group Policy Object Processing\" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as \"gpedit.msc\".\nPlease note, that disabling \"Local Group Policy Object Processing\" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.\n", "author": "@neu5ron", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4719' AND (AuditPolicyChanges LIKE '%\\%\\%8448%' ESCAPE '\\' OR AuditPolicyChanges LIKE '%\\%\\%8450%' ESCAPE '\\'))" ], "filename": "win_security_disable_event_logging.yml" }, { "title": "Kerberos Manipulation", "id": "f7644214-0eb0-4ace-9455-331ec4c09253", "status": "test", "description": "This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1212" ], "falsepositives": [ "Faulty legacy applications" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID IN ('675', '4768', '4769', '4771') AND FailureCode IN ('0x9', '0xA', '0xB', '0xF', '0x10', '0x11', '0x13', '0x14', '0x1A', '0x1F', '0x21', '0x22', '0x23', '0x24', '0x26', '0x27', '0x28', '0x29', '0x2C', '0x2D', '0x2E', '0x2F', '0x31', '0x32', '0x3E', '0x3F', '0x40', '0x41', '0x43', '0x44'))" ], "filename": "win_security_susp_kerberos_manipulation.yml" }, { "title": "Reconnaissance Activity", "id": "968eef52-9cff-4454-8992-1e74b9cbad6c", "status": "test", "description": "Detects activity as \"net user administrator /domain\" and \"net group domain admins /domain\"", "author": "Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community", "tags": [ "attack.discovery", "attack.t1087.002", "attack.t1069.002", "attack.s0039" ], "falsepositives": [ "Administrator activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4661' AND AccessMask = '0x2d' AND (ObjectType LIKE 'SAM\\_USER' ESCAPE '\\' OR ObjectType LIKE 'SAM\\_GROUP' ESCAPE '\\') AND ObjectName LIKE 'S-1-5-21-%' ESCAPE '\\' AND (ObjectName LIKE '%-500' ESCAPE '\\' OR ObjectName LIKE '%-512' ESCAPE '\\'))" ], "filename": "win_security_susp_net_recon_activity.yml" }, { "title": "SCM Database Handle Failure", "id": "13addce7-47b2-4ca0-a98f-1de964d1d669", "status": "experimental", "description": "Detects non-system users failing to get a handle of the SCM database.", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.discovery", "attack.t1010" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '4656' AND ObjectType LIKE 'SC\\_MANAGER OBJECT' ESCAPE '\\' AND ObjectName = 'ServicesActive' AND AccessMask = '0xf003f') AND NOT (SubjectLogonId = '0x3e4'))" ], "filename": "win_security_scm_database_handle_failure.yml" }, { "title": "Scheduled Task Deletion", "id": "4f86b304-3e02-40e3-aa5d-e88a167c9617", "status": "experimental", "description": "Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \\TASKNAME", "author": "David Strassegger, Tim Shelton", "tags": [ "attack.execution", "attack.privilege_escalation", "car.2013-08-001", "attack.t1053.005" ], "falsepositives": [ "Software installation" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4699' AND NOT ((TaskName LIKE '\\\\Microsoft\\\\Windows\\\\RemovalTools\\\\MRT\\_ERROR\\_HB' ESCAPE '\\') OR (TaskName LIKE '%\\\\Mozilla\\\\Firefox Default Browser Agent %' ESCAPE '\\')))" ], "filename": "win_security_scheduled_task_deletion.yml" }, { "title": "Denied Access To Remote Desktop", "id": "8e5c03fa-b7f0-11ea-b242-07e0576828d9", "status": "test", "description": "This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop.\nOften, this event can be generated by attackers when searching for available windows servers in the network.\n", "author": "Pushkarev Dmitry", "tags": [ "attack.lateral_movement", "attack.t1021.001" ], "falsepositives": [ "Valid user was not added to RDP group" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4825')" ], "filename": "win_security_not_allowed_rdp_access.yml" }, { "title": "DPAPI Domain Master Key Backup Attempt", "id": "39a94fd1-8c9a-4ff6-bf22-c058762f8014", "status": "test", "description": "Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.credential_access", "attack.t1003.004" ], "falsepositives": [ "If a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. Which will trigger this event." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4692')" ], "filename": "win_security_dpapi_domain_masterkey_backup_attempt.yml" }, { "title": "Weak Encryption Enabled and Kerberoast", "id": "f6de9536-0441-4b3f-a646-f4e00f300ffd", "status": "test", "description": "Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.", "author": "@neu5ron", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4738' AND ((((NewUacValue LIKE '%8___' ESCAPE '\\' OR NewUacValue LIKE '%9___' ESCAPE '\\' OR NewUacValue LIKE '%A___' ESCAPE '\\' OR NewUacValue LIKE '%B___' ESCAPE '\\' OR NewUacValue LIKE '%C___' ESCAPE '\\' OR NewUacValue LIKE '%D___' ESCAPE '\\' OR NewUacValue LIKE '%E___' ESCAPE '\\' OR NewUacValue LIKE '%F___' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8___' ESCAPE '\\' OR OldUacValue LIKE '%9___' ESCAPE '\\' OR OldUacValue LIKE '%A___' ESCAPE '\\' OR OldUacValue LIKE '%B___' ESCAPE '\\' OR OldUacValue LIKE '%C___' ESCAPE '\\' OR OldUacValue LIKE '%D___' ESCAPE '\\' OR OldUacValue LIKE '%E___' ESCAPE '\\' OR OldUacValue LIKE '%F___' ESCAPE '\\'))) OR ((NewUacValue LIKE '%1____' ESCAPE '\\' OR NewUacValue LIKE '%3____' ESCAPE '\\' OR NewUacValue LIKE '%5____' ESCAPE '\\' OR NewUacValue LIKE '%7____' ESCAPE '\\' OR NewUacValue LIKE '%9____' ESCAPE '\\' OR NewUacValue LIKE '%B____' ESCAPE '\\' OR NewUacValue LIKE '%D____' ESCAPE '\\' OR NewUacValue LIKE '%F____' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%1____' ESCAPE '\\' OR OldUacValue LIKE '%3____' ESCAPE '\\' OR OldUacValue LIKE '%5____' ESCAPE '\\' OR OldUacValue LIKE '%7____' ESCAPE '\\' OR OldUacValue LIKE '%9____' ESCAPE '\\' OR OldUacValue LIKE '%B____' ESCAPE '\\' OR OldUacValue LIKE '%D____' ESCAPE '\\' OR OldUacValue LIKE '%F____' ESCAPE '\\')))) OR ((NewUacValue LIKE '%8__' ESCAPE '\\' OR NewUacValue LIKE '%9__' ESCAPE '\\' OR NewUacValue LIKE '%A__' ESCAPE '\\' OR NewUacValue LIKE '%B__' ESCAPE '\\' OR NewUacValue LIKE '%C__' ESCAPE '\\' OR NewUacValue LIKE '%D__' ESCAPE '\\' OR NewUacValue LIKE '%E__' ESCAPE '\\' OR NewUacValue LIKE '%F__' ESCAPE '\\') AND NOT ((OldUacValue LIKE '%8__' ESCAPE '\\' OR OldUacValue LIKE '%9__' ESCAPE '\\' OR OldUacValue LIKE '%A__' ESCAPE '\\' OR OldUacValue LIKE '%B__' ESCAPE '\\' OR OldUacValue LIKE '%C__' ESCAPE '\\' OR OldUacValue LIKE '%D__' ESCAPE '\\' OR OldUacValue LIKE '%E__' ESCAPE '\\' OR OldUacValue LIKE '%F__' ESCAPE '\\')))))" ], "filename": "win_security_alert_enable_weak_encryption.yml" }, { "title": "Device Installation Blocked", "id": "c9eb55c3-b468-40ab-9089-db2862e42137", "status": "experimental", "description": "Detects an installation of a device that is forbidden by the system policy", "author": "frack113", "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '6423')" ], "filename": "win_security_device_installation_blocked.yml" }, { "title": "Password Change on Directory Service Restore Mode (DSRM) Account", "id": "53ad8e36-f573-46bf-97e4-15ba5bf4bb51", "status": "stable", "description": "The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.", "author": "Thomas Patzke", "tags": [ "attack.persistence", "attack.t1098" ], "falsepositives": [ "Initial installation of a domain controller" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4794')" ], "filename": "win_security_susp_dsrm_password_change.yml" }, { "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU", "id": "bfbd3291-de87-4b7c-88a2-d6a5deb28668", "status": "test", "description": "Detects certificate creation with template allowing risk permission subject and risky EKU", "author": "Orlinum , BlueDefenZer", "tags": [ "attack.privilege_escalation", "attack.credential_access" ], "falsepositives": [ "Administrator activity", "Proxy SSL certificate with subject modification", "Smart card enrollement" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((EventID = '4898' AND (TemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR TemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR TemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND TemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\') OR (EventID = '4899' AND (NewTemplateContent LIKE '%1.3.6.1.5.5.7.3.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.5.2.3.4%' ESCAPE '\\' OR NewTemplateContent LIKE '%1.3.6.1.4.1.311.20.2.2%' ESCAPE '\\' OR NewTemplateContent LIKE '%2.5.29.37.0%' ESCAPE '\\') AND NewTemplateContent LIKE '%CT\\_FLAG\\_ENROLLEE\\_SUPPLIES\\_SUBJECT%' ESCAPE '\\')))" ], "filename": "win_security_adcs_certificate_template_configuration_vulnerability_eku.yml" }, { "title": "Access to ADMIN$ Share", "id": "098d7118-55bc-4912-a836-dc6483a8d150", "status": "test", "description": "Detects access to $ADMIN share", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Legitimate administrative activity" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '5140' AND ShareName = 'Admin$') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], "filename": "win_security_admin_share_access.yml" }, { "title": "Transferring Files with Credential Data via Network Shares", "id": "910ab938-668b-401b-b08c-b596e80fdca5", "status": "test", "description": "Transferring files with well-known filenames (sensitive files with credential data) using network shares", "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ "attack.credential_access", "attack.t1003.002", "attack.t1003.001", "attack.t1003.003" ], "falsepositives": [ "Transferring sensitive files for legitimate administration work by legitimate administrator" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%\\\\mimidrv%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\lsass%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\windows\\\\minidump\\\\%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\hiberfil%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sqldmpr%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\sam%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\ntds.dit%' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\security%' ESCAPE '\\'))" ], "filename": "win_security_transf_files_with_cred_data_via_network_shares.yml" }, { "title": "WCE wceaux.dll Access", "id": "1de68c67-af5c-4097-9c85-fe5578e09e67", "status": "test", "description": "Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host", "author": "Thomas Patzke", "tags": [ "attack.credential_access", "attack.t1003", "attack.s0005" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID IN ('4656', '4658', '4660', '4663') AND ObjectName LIKE '%\\\\wceaux.dll' ESCAPE '\\')" ], "filename": "win_security_mal_wceaux_dll.yml" }, { "title": "Hidden Local User Creation", "id": "7b449a5e-1db5-4dd0-a2dc-4e3a67282538", "status": "test", "description": "Detects the creation of a local hidden user account which should not happen for event ID 4720.", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1136.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4720' AND TargetUserName LIKE '%$' ESCAPE '\\')" ], "filename": "win_security_hidden_user_creation.yml" }, { "title": "SMB Create Remote File Admin Share", "id": "b210394c-ba12-4f89-9117-44a2464b9511", "status": "test", "description": "Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).", "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND (EventID = '5145' AND ShareName LIKE '%C$' ESCAPE '\\' AND AccessMask = '0x2') AND NOT (SubjectUserName LIKE '%$' ESCAPE '\\'))" ], "filename": "win_security_smb_file_creation_admin_shares.yml" }, { "title": "Credential Dumping Tools Service Execution - Security", "id": "f0d1feba-4344-4ca9-8121-a6c97bd6df52", "status": "test", "description": "Detects well-known credential dumping tools execution via service execution events", "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.credential_access", "attack.execution", "attack.t1003.001", "attack.t1003.002", "attack.t1003.004", "attack.t1003.005", "attack.t1003.006", "attack.t1569.002", "attack.s0005" ], "falsepositives": [ "Legitimate Administrator using credential dumping tool for password recovery" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '4697' AND (ServiceFileName LIKE '%fgexec%' ESCAPE '\\' OR ServiceFileName LIKE '%dumpsvc%' ESCAPE '\\' OR ServiceFileName LIKE '%cachedump%' ESCAPE '\\' OR ServiceFileName LIKE '%mimidrv%' ESCAPE '\\' OR ServiceFileName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceFileName LIKE '%servpw%' ESCAPE '\\' OR ServiceFileName LIKE '%pwdump%' ESCAPE '\\'))" ], "filename": "win_security_mal_creddumper.yml" }, { "title": "Suspicious Access to Sensitive File Extensions", "id": "91c945bc-2ad1-4799-a591-4d00198a1215", "status": "test", "description": "Detects known sensitive file extensions accessed on a network share", "author": "Samir Bousseaden", "tags": [ "attack.collection", "attack.t1039" ], "falsepositives": [ "Help Desk operator doing backup or re-imaging end user machine or backup software", "Users working with these data types or exchanging message files" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND EventID = '5145' AND (RelativeTargetName LIKE '%.pst' ESCAPE '\\' OR RelativeTargetName LIKE '%.ost' ESCAPE '\\' OR RelativeTargetName LIKE '%.msg' ESCAPE '\\' OR RelativeTargetName LIKE '%.nst' ESCAPE '\\' OR RelativeTargetName LIKE '%.oab' ESCAPE '\\' OR RelativeTargetName LIKE '%.edb' ESCAPE '\\' OR RelativeTargetName LIKE '%.nsf' ESCAPE '\\' OR RelativeTargetName LIKE '%.bak' ESCAPE '\\' OR RelativeTargetName LIKE '%.dmp' ESCAPE '\\' OR RelativeTargetName LIKE '%.kirbi' ESCAPE '\\' OR RelativeTargetName LIKE '%\\\\groups.xml' ESCAPE '\\' OR RelativeTargetName LIKE '%.rdp' ESCAPE '\\'))" ], "filename": "win_security_susp_raccess_sensitive_fext.yml" }, { "title": "Metasploit SMB Authentication", "id": "72124974-a68b-4366-b990-d30e0b2a190d", "status": "test", "description": "Alerts on Metasploit host's authentications on the domain.", "author": "Chakib Gzenayi (@Chak092), Hosni Mribah", "tags": [ "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Linux hostnames composed of 16 characters." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Security' AND ((EventID IN ('4625', '4624') AND LogonType = '3' AND AuthenticationPackageName = 'NTLM' AND WorkstationName REGEXP '^[A-Za-z0-9]{16}$') OR (ProcessName = '' AND EventID = '4776' AND Workstation REGEXP '^[A-Za-z0-9]{16}$')))" ], "filename": "win_security_metasploit_authentication.yml" }, { "title": "USB Device Plugged", "id": "1a4bd6e3-4c6e-405d-a9a3-53a116e341d4", "status": "test", "description": "Detects plugged/unplugged USB devices", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.initial_access", "attack.t1200" ], "falsepositives": [ "Legitimate administrative activity" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Provider_Name = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' AND EventID IN ('2003', '2100', '2102'))" ], "filename": "win_usb_device_plugged.yml" }, { "title": "Suspicious Digital Signature Of AppX Package", "id": "b5aa7d60-c17e-4538-97de-09029d6cd76b", "status": "experimental", "description": "Detects execution of AppX packages with known suspicious or malicious signature", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-AppxPackaging/Operational' AND EventID = '157' AND subjectName = 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization')" ], "filename": "win_appxpackaging_om_sups_appx_signature.yml" }, { "title": "Important Scheduled Task Deleted", "id": "9e3cb244-bdb8-4632-8c90-6079c8f4f16d", "status": "experimental", "description": "Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities", "author": "frack113", "tags": [ "attack.impact", "attack.t1489" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-TaskScheduler/Operational' AND (EventID = '141' AND (TaskName LIKE '%\\\\Windows\\\\SystemRestore\\\\SR%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\Windows Defender\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\BitLocker%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsBackup\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\WindowsUpdate\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\UpdateOrchestrator\\\\%' ESCAPE '\\' OR TaskName LIKE '%\\\\Windows\\\\ExploitGuard%' ESCAPE '\\')) AND NOT ((UserName LIKE '%AUTHORI%' ESCAPE '\\' OR UserName LIKE '%AUTORI%' ESCAPE '\\')))" ], "filename": "win_taskscheduler_susp_schtasks_delete.yml" }, { "title": "Scheduled Task Executed From A Suspicious Location", "id": "424273ea-7cf8-43a6-b712-375f925e481f", "status": "experimental", "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-TaskScheduler/Operational' AND EventID = '129' AND (Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\'))" ], "filename": "win_taskscheduler_execution_from_susp_locations.yml" }, { "title": "Scheduled Task Executed Uncommon LOLBIN", "id": "f0767f15-0fb3-44b9-851e-e8d9a6d0005d", "status": "experimental", "description": "Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1053.005" ], "falsepositives": [ "False positives may occur with some of the selected binaries if you have tasks using them (which could be very common in your environment). Exclude all the specific trusted tasks before using this rule" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-TaskScheduler/Operational' AND EventID = '129' AND (Path LIKE '%\\\\calc.exe' ESCAPE '\\' OR Path LIKE '%\\\\cscript.exe' ESCAPE '\\' OR Path LIKE '%\\\\mshta.exe' ESCAPE '\\' OR Path LIKE '%\\\\mspaint.exe' ESCAPE '\\' OR Path LIKE '%\\\\notepad.exe' ESCAPE '\\' OR Path LIKE '%\\\\regsvr32.exe' ESCAPE '\\' OR Path LIKE '%\\\\wscript.exe' ESCAPE '\\'))" ], "filename": "win_taskscheduler_lolbin_execution_via_task_scheduler.yml" }, { "title": "Code Integrity Attempted DLL Load", "id": "f8931561-97f5-4c46-907f-0a4a592e47a7", "description": "Detects attempted DLL load events that didn't meet anti-malware or Windows signing level requirements. It often means the file's signature is revoked or expired", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "status": "experimental", "tags": [ "attack.execution" ], "falsepositives": [ "Antivirus products" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3033' AND NOT ((FileNameBuffer LIKE '%\\\\Program Files\\\\DTrace\\\\dtrace.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND RequestedPolicy = '12' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\igd10iumd64.dll' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\Gui\\\\Keybase.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\') AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Bonjour\\\\mdnsNSP.dll' ESCAPE '\\' AND (ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessNameBuffer LIKE '%\\\\Windows\\\\System32\\\\SIHClient.exe' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Microsoft Office\\\\root\\\\vfs\\\\ProgramFilesCommonX64\\\\Microsoft Shared\\\\OFFICE%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\MSOXMLMF.DLL' ESCAPE '\\' AND RequestedPolicy = '7' AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\System32\\\\nvspcap64.dll' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\AppData\\\\Local\\\\slack\\\\app-%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\slack.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1') OR ((FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavcodec.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Mozilla Firefox\\\\mozavutil.dll' ESCAPE '\\') AND ProcessNameBuffer LIKE '%\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND RequestedPolicy = '8') OR ((FileNameBuffer LIKE '%\\\\Program Files\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\' OR FileNameBuffer LIKE '%\\\\Program Files (x86)\\\\Avast Software\\\\Avast\\\\aswAMSI.dll' ESCAPE '\\') AND RequestedPolicy IN ('8', '12') AND ValidatedPolicy = '1') OR (FileNameBuffer LIKE '%\\\\Windows\\\\assembly\\\\GAC\\\\%' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\mscorsvw.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\Microsoft.NET\\\\%' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy IN ('1', '2')) OR (FileNameBuffer LIKE '%\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND FileNameBuffer LIKE '%\\\\crashpad\\_handler.exe' ESCAPE '\\' AND ProcessNameBuffer LIKE '%\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe' ESCAPE '\\' AND RequestedPolicy = '8' AND ValidatedPolicy = '1')))" ], "filename": "win_codeintegrity_attempted_dll_load.yml" }, { "title": "Code Integrity Blocked Driver Load", "id": "e4be5675-4a53-426a-8c81-a8bb2387e947", "description": "Detects blocked load events that did not meet the authenticode signing level requirements or violated code integrity policy", "author": "Nasreddine Bencherchali (Nextron Systems)", "status": "experimental", "tags": [ "attack.privilege_escalation", "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3077')" ], "filename": "win_codeintegrity_blocked_driver_load.yml" }, { "title": "Block Load Of Revoked Driver", "id": "9b72b82d-f1c5-4632-b589-187159bc6ec1", "description": "Detects blocked load attempts of revoked drivers", "author": "Nasreddine Bencherchali (Nextron Systems)", "status": "experimental", "tags": [ "attack.privilege_escalation", "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-CodeIntegrity/Operational' AND EventID = '3023')" ], "filename": "win_codeintegrity_revoked_driver.yml" }, { "title": "HybridConnectionManager Service Running", "id": "b55d23e5-6821-44ff-8a6e-67218891e49f", "status": "test", "description": "Rule to detect the Hybrid Connection Manager service running on an endpoint.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.persistence", "attack.t1554" ], "falsepositives": [ "Legitimate use of Hybrid Connection Manager via Azure function apps." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-ServiceBus-Client' AND EventID IN ('40300', '40301', '40302') AND (Events MATCH ('\"HybridConnection\" OR \"sb://\" OR \"servicebus.windows.net\" OR \"HybridConnectionManage\"')))" ], "filename": "win_hybridconnectionmgr_svc_running.yml" }, { "title": "GALLIUM Artefacts - Builtin", "id": "3db10f25-2527-4b79-8d4b-471eb900ee29", "status": "test", "description": "Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.", "author": "Tim Burrell", "tags": [ "attack.credential_access", "attack.command_and_control", "attack.t1071" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '257' AND QNAME IN ('asyspy256.ddns.net', 'hotkillmail9sddcc.ddns.net', 'rosaf112.ddns.net', 'cvdfhjh1231.myftp.biz', 'sz2016rose.ddns.net', 'dffwescwer4325.myftp.biz', 'cvdfhjh1231.ddns.net'))" ], "filename": "win_dns_analytic_apt_gallium.yml" }, { "title": "MSSQL XPCmdshell Option Change", "id": "d08dd86f-681e-4a00-a92c-1db218754417", "status": "experimental", "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure setting is changed", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Legitimate enable/disable of the setting", "Note that since the event contain the change for both values. This means that this will trigger on both enable and disable" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '15457' AND Data LIKE '%xp\\_cmdshell%' ESCAPE '\\')" ], "filename": "win_mssql_xp_cmdshell_change.yml" }, { "title": "MSSQL XPCmdshell Suspicious Execution", "id": "7f103213-a04e-4d59-8261-213dddf22314", "status": "experimental", "description": "Detects when the MSSQL \"xp_cmdshell\" stored procedure is used to execute commands", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:xp\\_cmdshell%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], "filename": "win_mssql_xp_cmdshell_audit_log.yml" }, { "title": "MSSQL Add Account To Sysadmin Role", "id": "08200f85-2678-463e-9c32-88dce2f073d1", "status": "experimental", "description": "Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Rare legitimate administrative activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sysadmin%' ESCAPE '\\' AND Data LIKE '%statement:alter server role [sysadmin] add member %' ESCAPE '\\')" ], "filename": "win_mssql_add_sysadmin_account.yml" }, { "title": "MSSQL SPProcoption Set", "id": "b3d57a5c-c92e-4b48-9a79-5f124b7cf964", "status": "experimental", "description": "Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Legitimate use of the feature by administrators (rare)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND Data LIKE '%object\\_name:sp\\_procoption%' ESCAPE '\\' AND Data LIKE '%statement:EXEC%' ESCAPE '\\')" ], "filename": "win_mssql_sp_procoption_set.yml" }, { "title": "MSSQL Extended Stored Procedure Backdoor Maggie", "id": "711ab2fe-c9ba-4746-8840-5228a58c3cb8", "status": "experimental", "description": "This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server", "author": "Denis Szadkowski, DIRT / DCSO CyTec", "tags": [ "attack.persistence", "attack.t1546" ], "falsepositives": [ "Legitimate extended stored procedures named maggie" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '8128' AND Message LIKE '%maggie%' ESCAPE '\\')" ], "filename": "win_mssql_sp_maggie.yml" }, { "title": "MSSQL Disable Audit Settings", "id": "350dfb37-3706-4cdc-9e2e-5e24bc3a46df", "status": "experimental", "description": "Detects when an attacker calls the \"ALTER SERVER AUDIT\" or \"DROP SERVER AUDIT\" transaction in order to delete or disable audit logs on the server", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "This event should only fire when an administrator is modifying the audit policy. Which should be a rare occurrence once it's set up" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'MSSQLSERVER' AND EventID = '33205' AND (Data LIKE '%statement:ALTER SERVER AUDIT%' ESCAPE '\\' OR Data LIKE '%statement:DROP SERVER AUDIT%' ESCAPE '\\'))" ], "filename": "win_mssql_disable_audit_settings.yml" }, { "title": "Audit CVE Event", "id": "48d91a3a-2363-43ba-a456-ca71ac3da5c2", "status": "experimental", "description": "Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited.\nMS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability.\nUnfortunately, that is about the only instance of CVEs being written to this log.\n", "author": "Florian Roth (Nextron Systems), Zach Mathis", "tags": [ "attack.execution", "attack.t1203", "attack.privilege_escalation", "attack.t1068", "attack.defense_evasion", "attack.t1211", "attack.credential_access", "attack.t1212", "attack.lateral_movement", "attack.t1210", "attack.impact", "attack.t1499.004" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name IN ('Microsoft-Windows-Audit-CVE', 'Audit-CVE') AND EventID = '1')" ], "filename": "win_audit_cve.yml" }, { "title": "Microsoft Malware Protection Engine Crash - WER", "id": "6c82cf5c-090d-4d57-9188-533577631108", "status": "experimental", "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1211", "attack.t1562.001" ], "falsepositives": [ "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'Windows Error Reporting' AND EventID = '1001' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], "filename": "win_application_msmpeng_crash_wer.yml" }, { "title": "Backup Catalog Deleted", "id": "9703792d-fd9a-456d-a672-ff92efe4806a", "status": "test", "description": "Detects backup catalog deletions", "author": "Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection)", "tags": [ "attack.defense_evasion", "attack.t1070.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND EventID = '524' AND Provider_Name = 'Microsoft-Windows-Backup')" ], "filename": "win_susp_backup_delete.yml" }, { "title": "Application Uninstalled", "id": "570ae5ec-33dc-427c-b815-db86228ad43e", "status": "experimental", "description": "An application has been removed. Check if it is critical.", "author": "frack113", "tags": [ "attack.impact", "attack.t1489" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'MsiInstaller' AND EventID IN ('11724', '1034'))" ], "filename": "win_builtin_remove_application.yml" }, { "title": "MSI Installation From Web", "id": "5594e67a-7f92-4a04-b65d-1a42fd824a60", "status": "experimental", "description": "Detects installation of a remote msi file from web.", "author": "Stamatis Chatzimangou", "tags": [ "attack.execution", "attack.t1218", "attack.t1218.007" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND Data LIKE '%://%' ESCAPE '\\')" ], "filename": "win_msi_install_from_web.yml" }, { "title": "MSI Installation From Suspicious Locations", "id": "c7c8aa1c-5aff-408e-828b-998e3620b341", "status": "experimental", "description": "Detects MSI package installation from suspicious locations", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND (Provider_Name = 'MsiInstaller' AND EventID IN ('1040', '1042') AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\\\\\\\*' ESCAPE '\\')) AND NOT ((Data LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\%' ESCAPE '\\') OR (Data LIKE '%C:\\\\Windows\\\\TEMP\\\\UpdHealthTools.msi%' ESCAPE '\\')))" ], "filename": "win_msi_install_from_susp_locations.yml" }, { "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379", "id": "7dbb86de-a0cc-494c-8aa8-b2996c9ef3c8", "status": "experimental", "description": "Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.initial_access", "attack.t1190" ], "falsepositives": [ "Other MSI packages for which your admins have used that name" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Data LIKE '%test pkg%' ESCAPE '\\')" ], "filename": "win_vul_cve_2021_41379.yml" }, { "title": "Atera Agent Installation", "id": "87261fb2-69d0-42fe-b9de-88c6b5f65a43", "status": "test", "description": "Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators", "author": "Bhabesh Raj", "tags": [ "attack.t1219" ], "falsepositives": [ "Legitimate Atera agent installation" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND EventID = '1033' AND Provider_Name = 'MsiInstaller' AND Message LIKE '%AteraAgent%' ESCAPE '\\')" ], "filename": "win_software_atera_rmm_agent_install.yml" }, { "title": "Potential Credential Dumping Via WER - Application", "id": "a18e0862-127b-43ca-be12-1a542c75c7c5", "status": "experimental", "description": "Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Rare legitimate crashing of the lsass process" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND AppName = 'lsass.exe' AND ExceptionCode = 'c0000001')" ], "filename": "win_werfault_susp_lsass_credential_dump.yml" }, { "title": "Microsoft Malware Protection Engine Crash", "id": "545a5da6-f103-4919-a519-e9aec1026ee4", "status": "experimental", "description": "This rule detects a suspicious crash of the Microsoft Malware Protection Engine", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1211", "attack.t1562.001" ], "falsepositives": [ "MsMpEng might crash if the \"C:\\\" partition is full" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'Application Error' AND EventID = '1000' AND Data LIKE '%MsMpEng.exe%' ESCAPE '\\' AND Data LIKE '%mpengine.dll%' ESCAPE '\\')" ], "filename": "win_application_msmpeng_crash_error.yml" }, { "title": "Dump Ntds.dit To Suspicious Location", "id": "94dc4390-6b7c-4784-8ffc-335334404650", "status": "experimental", "description": "Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Legitimate backup operation/creating shadow copies" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID = '325' AND Data LIKE '%ntds.dit%' ESCAPE '\\' AND (Data LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Appdata\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Data LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Data LIKE '%C:\\\\ntds.dit%' ESCAPE '\\'))" ], "filename": "win_esent_ntdsutil_abuse_susp_location.yml" }, { "title": "Ntdsutil Abuse", "id": "e6e88853-5f20-4c4a-8d26-cd469fd8d31f", "status": "experimental", "description": "Detects potential abuse of ntdsutil to dump ntds.dit database", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Legitimate backup operation/creating shadow copies" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'ESENT' AND EventID IN ('216', '325', '326', '327') AND Data LIKE '%ntds.dit%' ESCAPE '\\')" ], "filename": "win_esent_ntdsutil_abuse.yml" }, { "title": "MSMQ Corrupted Packet Encountered", "id": "ae94b10d-fee9-4767-82bb-439b309d5a27", "status": "experimental", "description": "Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'MSMQ' AND EventID = '2027' AND Level = '2')" ], "filename": "win_msmq_corrupted_packet.yml" }, { "title": "Restricted Software Access By SRP", "id": "b4c8da4a-1c12-46b0-8a2b-0a8521d03442", "status": "experimental", "description": "Detects restricted access to applications by the Software Restriction Policies (SRP) policy", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1072" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND Provider_Name = 'Microsoft-Windows-SoftwareRestrictionPolicies' AND EventID IN ('865', '866', '867', '868', '882'))" ], "filename": "win_software_restriction_policies_block.yml" }, { "title": "Suspicious AppX Package Locations", "id": "5cdeaf3d-1489-477c-95ab-c318559fc051", "status": "experimental", "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in suspicious locations", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR Path LIKE '%/users/public/%' ESCAPE '\\' OR Path LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\' OR Path LIKE '%C:/perflogs/%' ESCAPE '\\' OR Path LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR Path LIKE '%/desktop/%' ESCAPE '\\' OR Path LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR Path LIKE '%/Downloads/%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%C:/Windows/Temp/%' ESCAPE '\\' OR Path LIKE '%\\\\AppdData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR Path LIKE '%/AppdData/Local/Temp/%' ESCAPE '\\'))" ], "filename": "win_appxdeployment_server_susp_package_locations.yml" }, { "title": "Uncommon AppX Package Locations", "id": "c977cb50-3dff-4a9f-b873-9290f56132f1", "status": "experimental", "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is located in uncommon locations", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND NOT (((Path LIKE '%C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\SystemApps\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\PrintDialog\\\\%' ESCAPE '\\' OR Path LIKE '%C:\\\\Windows\\\\ImmersiveControlPanel\\\\%' ESCAPE '\\' OR Path LIKE '%x-windowsupdate://%' ESCAPE '\\' OR Path LIKE '%file:///C:/Program\\%20Files%' ESCAPE '\\')) OR ((Path LIKE '%https://statics.teams.cdn.office.net/%' ESCAPE '\\' OR Path LIKE '%microsoft.com%' ESCAPE '\\'))))" ], "filename": "win_appxdeployment_server_uncommon_package_locations.yml" }, { "title": "Suspicious AppX Package Installation Attempt", "id": "898d5fc9-fbc3-43de-93ad-38e97237c344", "status": "experimental", "description": "Detects an appx package installation with the error code \"0x80073cff\" which indicates that the package didn't meet the signing requirements and could be suspicious", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Legitimate AppX packages not signed by MS used part of an enterprise" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '401' AND ErrorCode = '0x80073cff')" ], "filename": "win_appxdeployment_server_susp_appx_package_installation.yml" }, { "title": "Deployment Of The AppX Package Was Blocked By The Policy", "id": "e021bbb5-407f-41f5-9dc9-1864c45a7a51", "status": "experimental", "description": "Detects an appx package deployment that was blocked by the local computer policy", "author": "frack113", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('441', '442', '453', '454'))" ], "filename": "win_appxdeployment_server_policy_block.yml" }, { "title": "Deployment AppX Package Was Blocked By AppLocker", "id": "6ae53108-c3a0-4bee-8f45-c7591a2c337f", "status": "experimental", "description": "Detects an appx package deployment that was blocked by AppLocker policy", "author": "frack113", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '412')" ], "filename": "win_appxdeployment_server_applocker_block.yml" }, { "title": "Potential Malicious AppX Package Installation Attempts", "id": "09d3b48b-be17-47f5-bf4e-94e7e75d09ce", "status": "experimental", "description": "Detects potential installation or installation attempts of known malicious appx packages", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Rare occasions where a malicious package uses the exact same name and version as a legtimate application" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID IN ('400', '401') AND PackageFullName LIKE '%3669e262-ec02-4e9d-bcb4-3d008b4afac9%' ESCAPE '\\')" ], "filename": "win_appxdeployment_server_mal_appx_names.yml" }, { "title": "Suspicious Remote AppX Package Locations", "id": "8b48ad89-10d8-4382-a546-50588c410f0d", "status": "experimental", "description": "Detects an appx package added the pipeline of the \"to be processed\" packages which is downloaded from a suspicious domain", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-AppXDeploymentServer/Operational' AND EventID = '854' AND (Path LIKE '%transfer.sh%' ESCAPE '\\' OR Path LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR Path LIKE '%pastebin.com%' ESCAPE '\\' OR Path LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR Path LIKE '%mediafire.com%' ESCAPE '\\' OR Path LIKE '%mega.nz%' ESCAPE '\\' OR Path LIKE '%ddns.net%' ESCAPE '\\' OR Path LIKE '%.paste.ee%' ESCAPE '\\' OR Path LIKE '%.hastebin.com%' ESCAPE '\\' OR Path LIKE '%.ghostbin.co/%' ESCAPE '\\' OR Path LIKE '%ufile.io%' ESCAPE '\\' OR Path LIKE '%storage.googleapis.com%' ESCAPE '\\' OR Path LIKE '%anonfiles.com%' ESCAPE '\\' OR Path LIKE '%send.exploit.in%' ESCAPE '\\' OR Path LIKE '%privatlab.net%' ESCAPE '\\' OR Path LIKE '%privatlab.com%' ESCAPE '\\' OR Path LIKE '%sendspace.com%' ESCAPE '\\' OR Path LIKE '%pastetext.net%' ESCAPE '\\' OR Path LIKE '%pastebin.pl%' ESCAPE '\\' OR Path LIKE '%paste.ee%' ESCAPE '\\'))" ], "filename": "win_appxdeployment_server_susp_domains.yml" }, { "title": "Potential Active Directory Reconnaissance/Enumeration Via LDAP", "id": "31d68132-4038-47c7-8f8e-635a39a7c174", "status": "test", "description": "Detects potential Active Directory enumeration via LDAP", "author": "Adeem Mawani", "tags": [ "attack.discovery", "attack.t1069.002", "attack.t1087.002", "attack.t1482" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-LDAP-Client/Debug' AND (((EventID = '30' AND (SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483648)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483656)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483652)%' ESCAPE '\\' OR SearchFilter LIKE '%(groupType:1.2.840.113556.1.4.803:=2147483650)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306369)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=805306368)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870913)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=536870912)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435457)%' ESCAPE '\\' OR SearchFilter LIKE '%(sAMAccountType=268435456)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=groupPolicyContainer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=organizationalUnit)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=Computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=nTDSDSA)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=domain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=person)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectCategory=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=trustedDomain)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=computer)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=server)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=group)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectClass=user)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=521)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=516)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=515)%' ESCAPE '\\' OR SearchFilter LIKE '%(primaryGroupID=512)%' ESCAPE '\\' OR SearchFilter LIKE '%Domain Admins%' ESCAPE '\\' OR SearchFilter LIKE '%objectGUID=\\*' ESCAPE '\\' OR SearchFilter LIKE '%(schemaIDGUID=\\*)%' ESCAPE '\\')) AND NOT (EventID = '30' AND (SearchFilter LIKE '%(domainSid=%)%' ESCAPE '\\' OR SearchFilter LIKE '%(objectSid=%)%' ESCAPE '\\'))) OR (EventID = '30' AND (SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=4194304)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=2097152)%' ESCAPE '\\' OR SearchFilter LIKE '%!(userAccountControl:1.2.840.113556.1.4.803:=1048574)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=524288)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=65536)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=8192)%' ESCAPE '\\' OR SearchFilter LIKE '%(userAccountControl:1.2.840.113556.1.4.803:=544)%' ESCAPE '\\' OR SearchFilter LIKE '%!(UserAccountControl:1.2.840.113556.1.4.803:=2)%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToActOnBehalfOfOtherIdentity%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-AllowedToDelegateTo%' ESCAPE '\\' OR SearchFilter LIKE '%msDS-GroupManagedServiceAccount%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=9223372036854775807)%' ESCAPE '\\' OR SearchFilter LIKE '%(accountExpires=0)%' ESCAPE '\\' OR SearchFilter LIKE '%(adminCount=1)%' ESCAPE '\\' OR SearchFilter LIKE '%ms-MCS-AdmPwd%' ESCAPE '\\'))))" ], "filename": "win_ldap_recon.yml" }, { "title": "File Was Not Allowed To Run", "id": "401e5d00-b944-11ea-8f9a-00163ecd60ae", "status": "test", "description": "Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.", "author": "Pushkarev Dmitry", "tags": [ "attack.execution", "attack.t1204.002", "attack.t1059.001", "attack.t1059.003", "attack.t1059.005", "attack.t1059.006", "attack.t1059.007" ], "falsepositives": [ "Need tuning applocker or add exceptions in SIEM" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel IN ('Microsoft-Windows-AppLocker/MSI and Script', 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/Packaged app-Deployment', 'Microsoft-Windows-AppLocker/Packaged app-Execution') AND EventID IN ('8004', '8007', '8022', '8025'))" ], "filename": "win_applocker_file_was_not_allowed_to_run.yml" }, { "title": "Remove Exported Mailbox from Exchange Webserver", "id": "09570ae5-889e-43ea-aac0-0e1221fb3d95", "status": "test", "description": "Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1070" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'MSExchange Management' AND = 'Remove-MailboxExportRequest' AND = ' -Identity ' AND = ' -Confirm \"False\"')" ], "filename": "win_exchange_proxyshell_remove_mailbox_export.yml" }, { "title": "Possible Exploitation of Exchange RCE CVE-2021-42321", "id": "c92f1896-d1d2-43c3-92d5-7a5b35c217bb", "status": "experimental", "description": "Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321", "author": "Florian Roth (Nextron Systems), @testanull", "tags": [ "attack.lateral_movement", "attack.t1210" ], "falsepositives": [ "Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'MSExchange Management' AND EventID IN ('6', '8') AND (Data LIKE '%Cmdlet failed. Cmdlet Get-App, %' ESCAPE '\\' OR Data LIKE '%Task Get-App throwing unhandled exception: System.InvalidCastException:%' ESCAPE '\\'))" ], "filename": "win_exchange_cve_2021_42321.yml" }, { "title": "Failed MSExchange Transport Agent Installation", "id": "c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa", "status": "experimental", "description": "Detects a failed installation of a Exchange Transport Agent", "author": "Tobias Michalski (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1505.002" ], "falsepositives": [ "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'MSExchange Management' AND EventID = '6' AND Data LIKE '%Install-TransportAgent%' ESCAPE '\\')" ], "filename": "win_exchange_transportagent_failed.yml" }, { "title": "MSExchange Transport Agent Installation - Builtin", "id": "4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6", "status": "test", "description": "Detects the Installation of a Exchange Transport Agent", "author": "Tobias Michalski (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1505.002" ], "falsepositives": [ "Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'MSExchange Management' AND Events MATCH ('\"Install-TransportAgent\"'))" ], "filename": "win_exchange_transportagent.yml" }, { "title": "Exchange Set OabVirtualDirectory ExternalUrl Property", "id": "9db37458-4df2-46a5-95ab-307e7f29e675", "status": "test", "description": "Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log", "author": "Jose Rodriguez @Cyb3rPandaH", "tags": [ "attack.persistence", "attack.t1505.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'MSExchange Management' AND = 'Set-OabVirtualDirectory' AND = 'ExternalUrl' AND LIKE 'Page\\_Load' ESCAPE '\\' AND = 'script')" ], "filename": "win_exchange_set_oabvirtualdirectory_externalurl.yml" }, { "title": "NTLM Brute Force", "id": "9c8acf1a-cbf9-4db6-b63c-74baabe03e59", "status": "test", "description": "Detects common NTLM brute force device names", "author": "Jerry Shockley '@jsh0x'", "tags": [ "attack.credential_access", "attack.t1110" ], "falsepositives": [ "Systems with names equal to the spoofed ones used by the brute force tools" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8004' AND WorkstationName IN ('Rdesktop', 'Remmina', 'Freerdp', 'Windows7', 'Windows8', 'Windows2012', 'Windows2016', 'Windows2019'))" ], "filename": "win_susp_ntlm_brute_force.yml" }, { "title": "NTLM Logon", "id": "98c3bcf1-56f2-49dc-9d8d-c66cf190238b", "status": "experimental", "description": "Detects logons using NTLM, which could be caused by a legacy source or attackers", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.lateral_movement", "attack.t1550.002" ], "falsepositives": [ "Legacy hosts" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8002' AND ProcessName LIKE '%' ESCAPE '\\')" ], "filename": "win_susp_ntlm_auth.yml" }, { "title": "Potential Remote Desktop Connection to Non-Domain Host", "id": "ce5678bb-b9aa-4fb5-be4b-e57f686256ad", "status": "test", "description": "Detects logons using NTLM to hosts that are potentially not part of the domain.", "author": "James Pemberton", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Host connections to valid domains, exclude these.", "Host connections not using host FQDN.", "Host connections to external legitimate domains." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Provider_Name = 'Microsoft-Windows-NTLM/Operational' AND EventID = '8001' AND TargetName LIKE 'TERMSRV%' ESCAPE '\\')" ], "filename": "win_susp_ntlm_rdp.yml" }, { "title": "Loading Diagcab Package From Remote Path", "id": "50cb47b8-2c33-4b23-a2e9-4600657d9746", "status": "experimental", "description": "Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Legitimate package hosted on a known and authorized remote location" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Diagnosis-Scripted/Operational' AND EventID = '101' AND PackagePath LIKE '%\\\\\\\\\\*' ESCAPE '\\')" ], "filename": "win_diagnosis_scripted_load_remote_diagcab.yml" }, { "title": "Standard User In High Privileged Group", "id": "7ac407cc-0f48-4328-aede-de1d2e6fef41", "status": "experimental", "description": "Detect standard users login that are part of high privileged groups such as the Administrator group", "author": "frack113", "tags": [ "attack.credential_access", "attack.privilege_escalation" ], "falsepositives": [ "Standard domain users who are part of the administrator group. These users shouldn't have these right. But in the case where it's necessary. They should be filtered out using the \"TargetUserName\" field" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-LSA/Operational' AND (EventID = '300' AND TargetUserSid LIKE 'S-1-5-21-%' ESCAPE '\\' AND (SidList LIKE '%S-1-5-32-544%' ESCAPE '\\' OR SidList LIKE '%-500}%' ESCAPE '\\' OR SidList LIKE '%-518}%' ESCAPE '\\' OR SidList LIKE '%-519}%' ESCAPE '\\')) AND NOT ((TargetUserSid LIKE '%-500' ESCAPE '\\' OR TargetUserSid LIKE '%-518' ESCAPE '\\' OR TargetUserSid LIKE '%-519' ESCAPE '\\')))" ], "filename": "win_lsa_server_normal_user_admin.yml" }, { "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client", "id": "0d18728b-f5bf-4381-9dcf-915539fff6c2", "status": "test", "description": "Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1071.004" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND ((QueryName LIKE 'aaa.stage.%' ESCAPE '\\' OR QueryName LIKE 'post.1%' ESCAPE '\\') OR QueryName LIKE '%.stage.123456.%' ESCAPE '\\'))" ], "filename": "win_dns_client__mal_cobaltstrike.yml" }, { "title": "DNS Query for MEGA.io Upload Domain - DNS Client", "id": "66474410-b883-415f-9f8d-75345a0a66a6", "status": "test", "description": "Detects DNS queries for subdomains used for upload to MEGA.io", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.exfiltration", "attack.t1567.002" ], "falsepositives": [ "Legitimate DNS queries and usage of Mega" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%userstorage.mega.co.nz%' ESCAPE '\\')" ], "filename": "win_dns_client_mega_nz.yml" }, { "title": "DNS Query for Anonfiles.com Domain - DNS Client", "id": "29f171d7-aa47-42c7-9c7b-3c87938164d9", "status": "experimental", "description": "Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.exfiltration", "attack.t1567.002" ], "falsepositives": [ "Rare legitimate access to anonfiles.com" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.anonfiles.com%' ESCAPE '\\')" ], "filename": "win_dns_client_anonymfiles_com.yml" }, { "title": "Query Tor Onion Address - DNS Client", "id": "8384bd26-bde6-4da9-8e5d-4174a7a47ca2", "status": "test", "description": "Detects DNS resolution of an .onion address related to Tor routing networks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1090.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%.onion%' ESCAPE '\\')" ], "filename": "win_dns_client_tor_onion.yml" }, { "title": "DNS Query for Ufile.io Upload Domain - DNS Client", "id": "090ffaad-c01a-4879-850c-6d57da98452d", "status": "experimental", "description": "Detects DNS queries to \"ufile.io\". Which is often abused by malware for upload and exfiltration", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.exfiltration", "attack.t1567.002" ], "falsepositives": [ "Legitimate DNS queries and usage of Ufile" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-DNS Client Events/Operational' AND EventID = '3008' AND QueryName LIKE '%ufile.io%' ESCAPE '\\')" ], "filename": "win_dns_client_ufile_io.yml" }, { "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL", "id": "cbe51394-cd93-4473-b555-edf0144952d9", "status": "test", "description": "Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'DNS Server' AND EventID IN ('150', '770', '771'))" ], "filename": "win_dns_server_susp_server_level_plugin_dll.yml" }, { "title": "OpenSSH Server Listening On Socket", "id": "3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781", "status": "experimental", "description": "Detects scenarios where an attacker enables the OpenSSH server and server starts to listening on SSH socket.", "author": "mdecrevoisier", "tags": [ "attack.lateral_movement", "attack.t1021.004" ], "falsepositives": [ "Legitimate administrator activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'OpenSSH/Operational' AND EventID = '4' AND process = 'sshd' AND payload LIKE 'Server listening on %' ESCAPE '\\')" ], "filename": "win_sshd_openssh_server_listening_on_socket.yml" }, { "title": "Suspicious Application Installed", "id": "83c161b6-ca67-4f33-8ad0-644a0737cf07", "status": "experimental", "description": "Detects suspicious application installed by looking at the added shortcut to the app resolver cache", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Packages or applications being legitimately used by users or administrators" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Shell-Core/Operational' AND ((EventID = '28115' AND (Name LIKE '%Zenmap%' ESCAPE '\\' OR Name LIKE '%AnyDesk%' ESCAPE '\\' OR Name LIKE '%wireshark%' ESCAPE '\\' OR Name LIKE '%openvpn%' ESCAPE '\\')) OR (EventID = '28115' AND (AppID LIKE '%zenmap.exe%' ESCAPE '\\' OR AppID LIKE '%prokzult ad%' ESCAPE '\\' OR AppID LIKE '%wireshark%' ESCAPE '\\' OR AppID LIKE '%openvpn%' ESCAPE '\\'))))" ], "filename": "win_shell_core_susp_packages_installed.yml" }, { "title": "Suspicious Rejected SMB Guest Logon From IP", "id": "71886b70-d7b4-4dbf-acce-87d2ca135262", "status": "test", "description": "Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service", "author": "Florian Roth (Nextron Systems), KevTheHermit, fuzzyf10w", "tags": [ "attack.credential_access", "attack.t1110.001" ], "falsepositives": [ "Account fallback reasons (after failed login with specific account)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-SmbClient/Security' AND EventID = '31017' AND UserName = '' AND ServerName LIKE '\\\\1%' ESCAPE '\\')" ], "filename": "win_smbclient_security_susp_failed_guest_logon.yml" }, { "title": "Ngrok Usage with Remote Desktop Service", "id": "64d51a51-32a6-49f0-9f3d-17e34d640272", "status": "experimental", "description": "Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1090" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' AND EventID = '21' AND Address LIKE '%16777216%' ESCAPE '\\')" ], "filename": "win_terminalservices_rdp_ngrok.yml" }, { "title": "Sysinternals Tools AppX Versions Execution", "id": "d29a20b2-be4b-4827-81f2-3d8a59eab5fc", "status": "experimental", "description": "Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution" ], "falsepositives": [ "Legitimate usage of the applications from the Windows Store" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-AppModel-Runtime/Admin' AND EventID = '201' AND ImageName IN ('procdump.exe', 'psloglist.exe', 'psexec.exe', 'livekd.exe', 'ADExplorer.exe'))" ], "filename": "win_appmodel_runtime_sysinternals_tools_appx_execution.yml" }, { "title": "Windows Defender Firewall Has Been Reset To Its Default Configuration", "id": "04b60639-39c0-412a-9fbe-e82499c881a3", "status": "experimental", "description": "Detects activity when Windows Defender Firewall has been reset to its default configuration", "author": "frack113", "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID IN ('2032', '2060'))" ], "filename": "win_firewall_as_reset_config.yml" }, { "title": "Firewall Rule Modified In The Windows Firewall Exception List", "id": "5570c4d9-8fdd-4622-965b-403a5a101aa0", "status": "experimental", "description": "Detects when a rule has been modified in the windows firewall exception list", "author": "frack113", "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID IN ('2005', '2073') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], "filename": "win_firewall_as_change_rule.yml" }, { "title": "The Windows Defender Firewall Service Failed To Load Group Policy", "id": "7ec15688-fd24-4177-ba43-1a950537ee39", "status": "experimental", "description": "Detects activity when The Windows Defender Firewall service failed to load Group Policy", "author": "frack113", "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID = '2009')" ], "filename": "win_firewall_as_failed_load_gpo.yml" }, { "title": "New Firewall Rule Added In Windows Firewall Exception List", "id": "cde0a575-7d3d-4a49-9817-b8004a7bf105", "status": "experimental", "description": "Detects when a rule has been added to the Windows Firewall exception list", "author": "frack113", "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2004', '2071') AND NOT ((Action = '2') OR ((ApplicationPath LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ApplicationPath LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\oobe\\\\Setup.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\dllhost.exe' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" ], "filename": "win_firewall_as_add_rule.yml" }, { "title": "New Firewall Exception Rule Added For A Suspicious Folder", "id": "9e2575e7-2cb9-4da1-adc8-ed94221dca5e", "status": "experimental", "description": "Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder", "author": "frack113", "falsepositives": [ "Any legitimate application that runs from the AppData user directory" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND ((EventID IN ('2004', '2071') AND (ApplicationPath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ApplicationPath LIKE '%\\\\Temp\\\\%' ESCAPE '\\')) AND NOT ((Action = '2'))) AND NOT ((ApplicationPath LIKE '%\\\\AppData\\\\local\\\\microsoft\\\\teams\\\\current\\\\teams.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\') OR (ApplicationPath LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Messenger\\\\Messenger.exe' ESCAPE '\\')))" ], "filename": "win_firewall_as_add_rule_susp_folder.yml" }, { "title": "All Rules Have Been Deleted From The Windows Firewall Configuration", "id": "79609c82-a488-426e-abcf-9f341a39365d", "status": "experimental", "description": "Detects when a all the rules have been deleted from the Windows Defender Firewall configuration", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2033', '2059') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\'))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" ], "filename": "win_firewall_as_delete_all_rules.yml" }, { "title": "Windows Firewall Settings Have Been Changed", "id": "00bb5bd5-1379-4fcf-a965-a5b6f7478064", "status": "experimental", "description": "Detects activity when the settings of the Windows firewall have been changed", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND EventID IN ('2002', '2083', '2003', '2082', '2008'))" ], "filename": "win_firewall_as_setting_change.yml" }, { "title": "A Rule Has Been Deleted From The Windows Firewall Exception List", "id": "c187c075-bb3e-4c62-b4fa-beae0ffc211f", "status": "experimental", "description": "Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall", "author": "frack113", "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' AND (EventID IN ('2006', '2052') AND NOT (((ModifyingApplication LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ModifyingApplication LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (ModifyingApplication LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\'))) AND NOT ((ModifyingApplication LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND ModifyingApplication LIKE '%\\\\MsMpEng.exe' ESCAPE '\\')))" ], "filename": "win_firewall_as_delete_rule.yml" }, { "title": "Volume Shadow Copy Mount", "id": "f512acbf-e662-4903-843e-97ce4652b740", "status": "test", "description": "Detects volume shadow copy mount via windows event log", "author": "Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)", "tags": [ "attack.credential_access", "attack.t1003.002" ], "falsepositives": [ "Legitimate use of volume shadow copy mounts (backups maybe)." ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Ntfs' AND EventID = '98' AND DeviceName LIKE '%HarddiskVolumeShadowCopy%' ESCAPE '\\')" ], "filename": "win_system_volume_shadow_copy_mount.yml" }, { "title": "SAM Dump to AppData", "id": "839dd1e8-eda8-4834-8145-01beeee33acd", "status": "test", "description": "Detects suspicious SAM dump activity as cause by QuarksPwDump and other password dumpers", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND EventID = '16' AND LIKE '\\\\AppData\\\\Local\\\\Temp\\\\SAM-' ESCAPE '\\' AND = '.dmp')" ], "filename": "win_system_susp_sam_dump.yml" }, { "title": "QuarksPwDump Clearing Access History", "id": "39f919f3-980b-4e6f-a975-8af7e507ef2b", "status": "test", "description": "Detects QuarksPwDump clearing access history in hive", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND EventID = '16' AND Provider_Name = 'Microsoft-Windows-Kernel-General' AND HiveName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\SAM%' ESCAPE '\\' AND HiveName LIKE '%.dmp' ESCAPE '\\')" ], "filename": "win_system_quarkspwdump_clearing_hive_access_history.yml" }, { "title": "Moriya Rootkit - System", "id": "25b9c01c-350d-4b95-bed1-836d04a4f324", "status": "experimental", "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report", "author": "Bhabesh Raj", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'ZzNetSvc')" ], "filename": "win_system_moriya_rootkit.yml" }, { "title": "Suspicious Service Installation Script", "id": "70f00d10-60b2-4f34-b9a0-dc3df3fe762a", "status": "experimental", "description": "Detects suspicious service installation scripts", "author": "pH-T (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", "car.2013-09-005", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '% /c %' ESCAPE '\\' OR ImagePath LIKE '% /r %' ESCAPE '\\' OR ImagePath LIKE '% /k %' ESCAPE '\\') AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\' OR ImagePath LIKE '%wscript%' ESCAPE '\\' OR ImagePath LIKE '%cscript%' ESCAPE '\\' OR ImagePath LIKE '%mshta%' ESCAPE '\\' OR ImagePath LIKE '%rundll32%' ESCAPE '\\' OR ImagePath LIKE '%regsvr32%' ESCAPE '\\'))" ], "filename": "win_system_susp_service_installation_script.yml" }, { "title": "Invoke-Obfuscation CLIP+ Launcher - System", "id": "f7385ee2-0e0c-11eb-adc1-0242ac120002", "status": "experimental", "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%clipboard]::%' ESCAPE '\\')" ], "filename": "win_system_invoke_obfuscation_clip_services.yml" }, { "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System", "id": "51aa9387-1c53-4153-91cc-d73c59ae1ca9", "status": "experimental", "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references", "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND EventID = '7045' AND (ImagePath REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ImagePath REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ImagePath REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ImagePath REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ImagePath REGEXP '\\\\*mdr\\*\\W\\s*\\)\\.Name' OR ImagePath REGEXP '\\$VerbosePreference\\.ToString\\(' OR ImagePath REGEXP '\\String\\]\\s*\\$VerbosePreference'))" ], "filename": "win_system_invoke_obfuscation_obfuscated_iex_services.yml" }, { "title": "CobaltStrike Service Installations - System", "id": "5a105d34-05fc-401e-8553-272b45c1522d", "status": "test", "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement", "author": "Florian Roth (Nextron Systems), Wojciech Lesicki", "tags": [ "attack.execution", "attack.privilege_escalation", "attack.lateral_movement", "attack.t1021.002", "attack.t1543.003", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%ADMIN$%' ESCAPE '\\' AND ImagePath LIKE '%.exe%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%start%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\') OR ImagePath LIKE '%powershell -nop -w hidden -encodedcommand%' ESCAPE '\\' OR ImagePath LIKE '%SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO%' ESCAPE '\\' OR ImagePath LIKE '%lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT%' ESCAPE '\\' OR ImagePath LIKE '%JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6%' ESCAPE '\\'))" ], "filename": "win_system_cobaltstrike_service_installs.yml" }, { "title": "New Service Uses Double Ampersand in Path", "id": "ca83e9f3-657a-45d0-88d6-c1ac280caf53", "status": "experimental", "description": "Detects a service installation that uses a suspicious double ampersand used in the image path value", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1027" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\')" ], "filename": "win_system_service_install_susp_double_ampersand.yml" }, { "title": "PowerShell Scripts Installed as Services", "id": "a2e5019d-a658-4c6a-92bf-7197b54e2cae", "status": "test", "description": "Detects powershell script installed as a Service", "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.execution", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%powershell%' ESCAPE '\\' OR ImagePath LIKE '%pwsh%' ESCAPE '\\'))" ], "filename": "win_system_powershell_script_installed_as_service.yml" }, { "title": "Turla Service Install", "id": "1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4", "status": "test", "description": "This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.g0010", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName IN ('srservice', 'ipvpn', 'hkmsvc'))" ], "filename": "win_system_apt_carbonpaper_turla.yml" }, { "title": "Sliver C2 Default Service Installation", "id": "31c51af6-e7aa-4da7-84d4-8f32cc580af2", "status": "experimental", "description": "Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands", "author": "Florian Roth (Nextron Systems), Nasreddine Bencherchali", "tags": [ "attack.execution", "attack.privilege_escalation", "attack.t1543.003", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[a-zA-Z]:\\\\windows\\\\temp\\\\[a-zA-Z0-9]{10}\\.exe' OR ServiceName IN ('Sliver', 'Sliver implant')))" ], "filename": "win_system_service_install_sliver.yml" }, { "title": "Windows Service Terminated With Error", "id": "acfa2210-0d71-4eeb-b477-afab494d596c", "status": "experimental", "description": "Detects windows services that got terminated for whatever reason", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "False positives could occur since service termination could happen due to multiple reasons" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7023')" ], "filename": "win_system_service_terminated_error_generic.yml" }, { "title": "Anydesk Remote Access Software Service Installation", "id": "530a6faa-ff3d-4022-b315-50828e77eef5", "status": "experimental", "description": "Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Legitimate usage of the anydesk tool" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'AnyDesk Service')" ], "filename": "win_system_service_install_anydesk.yml" }, { "title": "Service Installation in Suspicious Folder", "id": "5e993621-67d4-488a-b9ae-b420d08b96cb", "status": "experimental", "description": "Detects service installation in suspicious folder appdata", "author": "pH-T (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", "car.2013-09-005", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\127.0.0.1%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\localhost%' ESCAPE '\\')) AND NOT ((ServiceName = 'Zoom Sharing Service' AND ImagePath LIKE '\"C:\\\\Program Files\\\\Common Files\\\\Zoom\\\\Support\\\\CptService.exe%' ESCAPE '\\')))" ], "filename": "win_system_susp_service_installation_folder.yml" }, { "title": "Invoke-Obfuscation VAR+ Launcher - System", "id": "8ca7004b-e620-4ecb-870e-86129b5b8e75", "status": "experimental", "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%\"set%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\'))" ], "filename": "win_system_invoke_obfuscation_var_services.yml" }, { "title": "Invoke-Obfuscation STDIN+ Launcher - System", "id": "72862bf2-0eb1-11eb-adc1-0242ac120002", "status": "experimental", "description": "Detects Obfuscated use of stdin to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\' AND (ImagePath LIKE '%/c%' ESCAPE '\\' OR ImagePath LIKE '%/r%' ESCAPE '\\')) AND (ImagePath LIKE '%noexit%' ESCAPE '\\' OR (ImagePath LIKE '%input%' ESCAPE '\\' AND ImagePath LIKE '%$%' ESCAPE '\\')))" ], "filename": "win_system_invoke_obfuscation_stdin_services.yml" }, { "title": "PAExec Service Installation", "id": "de7ce410-b3fb-4e8a-b38c-3b999e2c3420", "status": "experimental", "description": "Detects PAExec service installation", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ServiceName LIKE 'PAExec-%' ESCAPE '\\' OR ImagePath LIKE 'C:\\\\WINDOWS\\\\PAExec-%' ESCAPE '\\'))" ], "filename": "win_system_service_install_paexec.yml" }, { "title": "Suspicious Service Installation", "id": "1d61f71d-59d2-479e-9562-4ff5f4ead16b", "status": "experimental", "description": "Detects suspicious service installation commands", "author": "pH-T (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", "car.2013-09-005", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '% -w hidden %' ESCAPE '\\' OR ImagePath LIKE '% -nop %' ESCAPE '\\' OR ImagePath LIKE '% -sta %' ESCAPE '\\' OR ImagePath LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR ImagePath LIKE '%\\\\\\\\.\\\\pipe%' ESCAPE '\\' OR ImagePath LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR ImagePath LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR ImagePath LIKE '%.downloadstring(%' ESCAPE '\\' OR ImagePath LIKE '%.downloadfile(%' ESCAPE '\\') OR (ImagePath LIKE '% -e%' ESCAPE '\\' AND (ImagePath LIKE '% JAB%' ESCAPE '\\' OR ImagePath LIKE '% SUVYI%' ESCAPE '\\' OR ImagePath LIKE '% SQBFAFgA%' ESCAPE '\\' OR ImagePath LIKE '% aWV4I%' ESCAPE '\\' OR ImagePath LIKE '% IAB%' ESCAPE '\\' OR ImagePath LIKE '% PAA%' ESCAPE '\\' OR ImagePath LIKE '% aQBlAHgA%' ESCAPE '\\')))) AND NOT ((ImagePath LIKE 'C:\\\\WINDOWS\\\\TEMP\\\\thor10-remote\\\\thor64.exe%' ESCAPE '\\') OR (ImagePath LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\%' ESCAPE '\\')))" ], "filename": "win_system_susp_service_installation.yml" }, { "title": "Important Windows Service Terminated Unexpectedly", "id": "56abae0c-6212-4b97-adc0-0b559bb950c3", "status": "experimental", "description": "Detects important or interesting windows services that got terminated unexpectedly.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Rare false positives could occur since service termination could happen due to multiple reasons" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7034') AND (param1 LIKE '%Message Queuing%' ESCAPE '\\' OR (Binary LIKE '%4d0053004d005100%' ESCAPE '\\' OR Binary LIKE '%6d0073006d007100%' ESCAPE '\\')))" ], "filename": "win_system_service_terminated_unexpectedly.yml" }, { "title": "Remote Utilities Host Service Install", "id": "85cce894-dd8b-4427-a958-5cc47a4dc9b9", "status": "experimental", "description": "Detects Remote Utilities Host service installation on the target system.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Legitimate use of the tool" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%\\\\rutserv.exe%' ESCAPE '\\' AND ImagePath LIKE '%-service%' ESCAPE '\\') OR ServiceName = 'Remote Utilities - Host'))" ], "filename": "win_system_service_install_remote_utilities.yml" }, { "title": "Tap Driver Installation", "id": "8e4cf0e5-aa5d-4dc3-beff-dc26917744a9", "status": "test", "description": "Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques", "author": "Daniil Yugoslavskiy, Ian Davis, oscd.community", "tags": [ "attack.exfiltration", "attack.t1048" ], "falsepositives": [ "Legitimate OpenVPN TAP insntallation" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%tap0901%' ESCAPE '\\')" ], "filename": "win_system_tap_driver_installation.yml" }, { "title": "Windows Defender Threat Detection Disabled - Service", "id": "6c0a7755-6d31-44fa-80e1-133e57752680", "status": "stable", "description": "Detects the \"Windows Defender Threat Protection\" service has been disabled", "author": "Ján Trenčanský, frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Administrator actions", "Auto updates of Windows Defender causes restarts" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND EventID = '7036' AND Provider_Name = 'Service Control Manager' AND param1 IN ('Windows Defender Antivirus Service', 'Service antivirus Microsoft Defender') AND param2 = 'stopped')" ], "filename": "win_system_defender_disabled.yml" }, { "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System", "id": "14bcba49-a428-42d9-b943-e2ce0f0f7ae6", "status": "experimental", "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&set%' ESCAPE '\\' AND ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%-f%' ESCAPE '\\' AND (ImagePath LIKE '%{0}%' ESCAPE '\\' OR ImagePath LIKE '%{1}%' ESCAPE '\\' OR ImagePath LIKE '%{2}%' ESCAPE '\\' OR ImagePath LIKE '%{3}%' ESCAPE '\\' OR ImagePath LIKE '%{4}%' ESCAPE '\\' OR ImagePath LIKE '%{5}%' ESCAPE '\\'))" ], "filename": "win_system_invoke_obfuscation_via_var_services.yml" }, { "title": "Service Installation with Suspicious Folder Pattern", "id": "1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2", "status": "test", "description": "Detects service installation with suspicious folder patterns", "author": "pH-T (Nextron Systems)", "tags": [ "attack.persistence", "attack.privilege_escalation", "car.2013-09-005", "attack.t1543.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath REGEXP '^[Cc]:\\\\[Pp]rogram[Dd]ata\\\\.{1,9}\\.exe' OR ImagePath REGEXP '^[Cc]:\\\\.{1,9}\\.exe'))" ], "filename": "win_system_susp_service_installation_folder_pattern.yml" }, { "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System", "id": "175997c5-803c-4b08-8bb0-70b099f47595", "status": "experimental", "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%new-object%' ESCAPE '\\' AND ImagePath LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND ImagePath LIKE '%readtoend%' ESCAPE '\\' AND (ImagePath LIKE '%:system.io.compression.deflatestream%' ESCAPE '\\' OR ImagePath LIKE '%system.io.streamreader%' ESCAPE '\\'))" ], "filename": "win_system_invoke_obfuscation_via_compress_services.yml" }, { "title": "TacticalRMM Service Installation", "id": "4bb79b62-ef12-4861-981d-2aab43fab642", "status": "experimental", "description": "Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate use of the tool" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%tacticalrmm.exe%' ESCAPE '\\' OR ServiceName LIKE '%TacticalRMM Agent Service%' ESCAPE '\\'))" ], "filename": "win_system_service_install_tacticalrmm.yml" }, { "title": "Turla PNG Dropper Service", "id": "1228f8e2-7e79-4dea-b0ad-c91f1d5016c1", "status": "test", "description": "This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.g0010", "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'WerFaultSvc')" ], "filename": "win_system_apt_turla_service_png.yml" }, { "title": "PsExec Service Installation", "id": "42c575ea-e41e-41f1-b248-8093c3e82a28", "status": "experimental", "description": "Detects PsExec service installation and execution events (service and Sysmon)", "author": "Thomas Patzke", "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND ((Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'PSEXESVC' AND ImagePath LIKE '%\\\\PSEXESVC.exe' ESCAPE '\\') OR (EventID = '7036' AND ServiceName = 'PSEXESVC')))" ], "filename": "win_system_service_install_psexec.yml" }, { "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System", "id": "11b52f18-aaec-4d60-9143-5dd8cc4706b9", "status": "experimental", "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%rundll32.exe%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ImagePath LIKE '%powershell%' ESCAPE '\\')" ], "filename": "win_system_invoke_obfuscation_via_rundll_services.yml" }, { "title": "smbexec.py Service Installation", "id": "52a85084-6989-40c3-8f32-091e12e13f09", "status": "test", "description": "Detects the use of smbexec.py tool by detecting a specific service installation", "author": "Omer Faruk Celik", "tags": [ "attack.lateral_movement", "attack.execution", "attack.t1021.002", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'BTOBTO' AND ImagePath LIKE '%\\\\execute.bat' ESCAPE '\\')" ], "filename": "win_system_hack_smbexec.yml" }, { "title": "New PDQDeploy Service - Server Side", "id": "ee9ca27c-9bd7-4cee-9b01-6e906be7cae3", "status": "experimental", "description": "Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines.\nPDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Legitimate use of the tool" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployService.exe%' ESCAPE '\\' OR ServiceName IN ('PDQDeploy', 'PDQ Deploy')))" ], "filename": "win_system_service_install_pdqdeploy.yml" }, { "title": "RTCore Suspicious Service Installation", "id": "91c49341-e2ef-40c0-ac45-49ec5c3fe26c", "status": "experimental", "description": "Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'RTCore64')" ], "filename": "win_system_susp_rtcore64_service_install.yml" }, { "title": "Hacktool Service Registration or Execution", "id": "d26ce60c-2151-403c-9a42-49420d87b5e4", "status": "test", "description": "Detects PsExec service installation and execution events (service and Sysmon)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1569.002", "attack.s0029" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036')) AND ((ServiceName LIKE '%WCESERVICE%' ESCAPE '\\' OR ServiceName LIKE '%WCE SERVICE%' ESCAPE '\\' OR ServiceName LIKE '%winexesvc%' ESCAPE '\\' OR ServiceName LIKE '%DumpSvc%' ESCAPE '\\' OR ServiceName LIKE '%pwdump%' ESCAPE '\\' OR ServiceName LIKE '%gsecdump%' ESCAPE '\\' OR ServiceName LIKE '%cachedump%' ESCAPE '\\') OR ImagePath LIKE '%bypass%' ESCAPE '\\'))" ], "filename": "win_system_service_install_hacktools.yml" }, { "title": "ProcessHacker Privilege Elevation", "id": "c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9", "status": "test", "description": "Detects a ProcessHacker tool that elevated privileges to a very high level", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.privilege_escalation", "attack.t1543.003", "attack.t1569.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName LIKE 'ProcessHacker%' ESCAPE '\\' AND AccountName = 'LocalSystem')" ], "filename": "win_system_susp_proceshacker.yml" }, { "title": "StoneDrill Service Install", "id": "9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6", "status": "test", "description": "This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.g0064", "attack.t1543.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ServiceName = 'NtsSrv' AND ImagePath LIKE '% LocalService' ESCAPE '\\')" ], "filename": "win_system_apt_stonedrill.yml" }, { "title": "New PDQDeploy Service - Client Side", "id": "b98a10af-1e1e-44a7-bab2-4cc026917648", "status": "experimental", "description": "Detects PDQDeploy service installation on the target system.\nWhen a package is deployed via PDQDeploy it installs a remote service on the target machine with the name \"PDQDeployRunner-X\" where \"X\" is an integer starting from 1\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Legitimate use of the tool" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%PDQDeployRunner-%' ESCAPE '\\' OR ServiceName LIKE 'PDQDeployRunner-%' ESCAPE '\\'))" ], "filename": "win_system_service_install_pdqdeploy_runner.yml" }, { "title": "Important Windows Service Terminated With Error", "id": "d6b5520d-3934-48b4-928c-2aa3f92d6963", "status": "experimental", "description": "Detects important or interesting windows services that got terminated for whatever reason", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Rare false positives could occur since service termination could happen due to multiple reasons" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7023') AND ((param1 LIKE '% Antivirus%' ESCAPE '\\' OR param1 LIKE '% Firewall%' ESCAPE '\\' OR param1 LIKE '%Application Guard%' ESCAPE '\\' OR param1 LIKE '%BitLocker Drive Encryption Service%' ESCAPE '\\' OR param1 LIKE '%Encrypting File System%' ESCAPE '\\' OR param1 LIKE '%Microsoft Defender%' ESCAPE '\\' OR param1 LIKE '%Threat Protection%' ESCAPE '\\' OR param1 LIKE '%Windows Event Log%' ESCAPE '\\') OR (Binary LIKE '%770069006e0064006500660065006e006400%' ESCAPE '\\' OR Binary LIKE '%4500760065006e0074004c006f006700%' ESCAPE '\\' OR Binary LIKE '%6d0070007300730076006300%' ESCAPE '\\' OR Binary LIKE '%530065006e0073006500%' ESCAPE '\\' OR Binary LIKE '%450046005300%' ESCAPE '\\' OR Binary LIKE '%420044004500530056004300%' ESCAPE '\\')))" ], "filename": "win_system_service_terminated_error_important.yml" }, { "title": "Invoke-Obfuscation Via Use Clip - System", "id": "63e3365d-4824-42d8-8b82-e56810fefa0c", "status": "experimental", "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%(Clipboard|i%' ESCAPE '\\')" ], "filename": "win_system_invoke_obfuscation_via_use_clip_services.yml" }, { "title": "Remote Access Tool Services Have Been Installed - System", "id": "1a31b18a-f00c-4061-9900-f735b96c99fc", "status": "experimental", "description": "Detects service installation of different remote access tools software. These software are often abused by threat actors to perform", "author": "Connor Martin, Nasreddine Bencherchali", "tags": [ "attack.persistence", "attack.t1543.003", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID IN ('7045', '7036') AND (ServiceName LIKE '%SSUService%' ESCAPE '\\' OR ServiceName LIKE '%SplashtopRemoteService%' ESCAPE '\\' OR ServiceName LIKE '%Atera%' ESCAPE '\\' OR ServiceName LIKE '%LogMeIn%' ESCAPE '\\' OR ServiceName LIKE '%LMIGuardianSvc%' ESCAPE '\\' OR ServiceName LIKE '%TeamViewer%' ESCAPE '\\' OR ServiceName LIKE '%RPCService%' ESCAPE '\\' OR ServiceName LIKE '%RPCPerformanceService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressStandaloneService%' ESCAPE '\\' OR ServiceName LIKE '%BASupportExpressSrvcUpdater%' ESCAPE '\\' OR ServiceName LIKE '%GoToMyPC%' ESCAPE '\\' OR ServiceName LIKE '%monblanking%' ESCAPE '\\' OR ServiceName LIKE '%RManService%' ESCAPE '\\' OR ServiceName LIKE '%GoToAssist%' ESCAPE '\\' OR ServiceName LIKE '%AmmyyAdmin%' ESCAPE '\\' OR ServiceName LIKE '%vncserver%' ESCAPE '\\' OR ServiceName LIKE '%Parsec%' ESCAPE '\\' OR ServiceName LIKE '%chromoting%' ESCAPE '\\' OR ServiceName LIKE '%Zoho%' ESCAPE '\\' OR ServiceName LIKE '%jumpcloud%' ESCAPE '\\'))" ], "filename": "win_system_service_install_remote_access_software.yml" }, { "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System", "id": "843544a7-56e0-4dcc-a44f-5cc266dd97d6", "status": "experimental", "description": "Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation", "author": "Teymur Kheirkhabarov, Ecco, Florian Roth", "tags": [ "attack.privilege_escalation", "attack.t1134.001", "attack.t1134.002" ], "falsepositives": [ "Highly unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND ((ImagePath LIKE '%cmd%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%cmd.exe%' ESCAPE '\\' AND ImagePath LIKE '%/c%' ESCAPE '\\' AND ImagePath LIKE '%echo%' ESCAPE '\\' AND ImagePath LIKE '%\\\\pipe\\\\%' ESCAPE '\\') OR (ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%.dll,a%' ESCAPE '\\' AND ImagePath LIKE '%/p:%' ESCAPE '\\') OR ImagePath LIKE '\\\\\\\\127.0.0.1\\\\ADMIN$\\\\%' ESCAPE '\\'))" ], "filename": "win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml" }, { "title": "Invoke-Obfuscation Via Use MSHTA - System", "id": "7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4", "status": "experimental", "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%mshta%' ESCAPE '\\' AND ImagePath LIKE '%vbscript:createobject%' ESCAPE '\\')" ], "filename": "win_system_invoke_obfuscation_via_use_mshta_services.yml" }, { "title": "Credential Dumping Tools Service Execution - System", "id": "4976aa50-8f41-45c6-8b15-ab3fc10e79ed", "status": "experimental", "description": "Detects well-known credential dumping tools execution via service execution events", "author": "Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.credential_access", "attack.execution", "attack.t1003.001", "attack.t1003.002", "attack.t1003.004", "attack.t1003.005", "attack.t1003.006", "attack.t1569.002", "attack.s0005" ], "falsepositives": [ "Legitimate Administrator using credential dumping tool for password recovery" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND (ImagePath LIKE '%fgexec%' ESCAPE '\\' OR ImagePath LIKE '%dumpsvc%' ESCAPE '\\' OR ImagePath LIKE '%cachedump%' ESCAPE '\\' OR ImagePath LIKE '%mimidrv%' ESCAPE '\\' OR ImagePath LIKE '%gsecdump%' ESCAPE '\\' OR ImagePath LIKE '%servpw%' ESCAPE '\\' OR ImagePath LIKE '%pwdump%' ESCAPE '\\'))" ], "filename": "win_system_mal_creddumper.yml" }, { "title": "Service Installed By Unusual Client - System", "id": "71c276aa-49cd-43d2-b920-2dcd3e6962d5", "status": "experimental", "description": "Detects a service installed by a client which has PID 0 or whose parent has PID 0", "author": "Tim Rauch", "tags": [ "attack.privilege_escalation", "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ProcessId = '0')" ], "filename": "win_system_system_service_installation_by_unusal_client.yml" }, { "title": "NetSupport Manager Service Install", "id": "2d510d8d-912b-45c5-b1df-36faa3d8c3f4", "status": "experimental", "description": "Detects NetSupport Manager service installation on the target system.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Legitimate use of the tool" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%\\\\NetSupport Manager\\\\client32.exe%' ESCAPE '\\' OR ServiceName = 'Client32'))" ], "filename": "win_system_service_install_netsupport_manager.yml" }, { "title": "Mesh Agent Service Installation", "id": "e0d1ad53-c7eb-48ec-a87a-72393cc6cedc", "status": "experimental", "description": "Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1219" ], "falsepositives": [ "Legitimate use of the tool" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (Provider_Name = 'Service Control Manager' AND EventID = '7045') AND (ImagePath LIKE '%MeshAgent.exe%' ESCAPE '\\' OR ServiceName LIKE '%Mesh Agent%' ESCAPE '\\'))" ], "filename": "win_system_service_install_mesh_agent.yml" }, { "title": "Invoke-Obfuscation Via Use Rundll32 - System", "id": "641a4bfb-c017-44f7-800c-2aee0184ce9b", "status": "experimental", "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND ImagePath LIKE '%rundll32%' ESCAPE '\\' AND ImagePath LIKE '%shell32.dll%' ESCAPE '\\' AND ImagePath LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ImagePath LIKE '%value%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%comspec%' ESCAPE '\\' OR ImagePath LIKE '%iex%' ESCAPE '\\'))" ], "filename": "win_system_invoke_obfuscation_via_use_rundll32_services.yml" }, { "title": "Invoke-Obfuscation Via Stdin - System", "id": "487c7524-f892-4054-b263-8a0ace63fc25", "status": "experimental", "description": "Detects Obfuscated Powershell via Stdin in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Service Control Manager' AND EventID = '7045' AND ImagePath LIKE '%set%' ESCAPE '\\' AND ImagePath LIKE '%&&%' ESCAPE '\\' AND (ImagePath LIKE '%environment%' ESCAPE '\\' OR ImagePath LIKE '%invoke%' ESCAPE '\\' OR ImagePath LIKE '%input%' ESCAPE '\\'))" ], "filename": "win_system_invoke_obfuscation_via_stdin_services.yml" }, { "title": "KrbRelayUp Service Installation", "id": "e97d9903-53b2-41fc-8cb9-889ed4093e80", "status": "experimental", "description": "Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)", "author": "Sittikorn S, Tim Shelton", "tags": [ "attack.privilege_escalation", "attack.t1543" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND EventID = '7045' AND ServiceName = 'KrbSCM')" ], "filename": "win_system_krbrelayup_service_installation.yml" }, { "title": "Potential CVE-2021-42287 Exploitation Attempt", "id": "e80a0fee-1a62-4419-b31e-0d0db6e6013a", "status": "test", "description": "The attacker creates a computer object using those permissions with a password known to her.\nAfter that she clears the attribute ServicePrincipalName on the computer object.\nBecause she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.\n", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-Directory-Services-SAM' AND EventID IN ('16990', '16991'))" ], "filename": "win_system_exploit_cve_2021_42287.yml" }, { "title": "KDC RC4-HMAC Downgrade CVE-2022-37966", "id": "e6f81941-b1cd-4766-87db-9fc156f658ee", "status": "experimental", "description": "Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND EventID = '42' AND Provider_Name = 'Kerberos-Key-Distribution-Center' AND Level = '2')" ], "filename": "win_system_kdcsvc_rc4_downgrade.yml" }, { "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919", "id": "52a85084-6989-40c3-8f32-091e12e17692", "status": "experimental", "description": "During exploitation of this vulnerability, two logs (Provider_Name:Microsoft-Windows-User Profiles Service) with EventID 1511 and 1515 (maybe lot of false positives with this event) are created. Moreover, it appears the directory \\Users\\TEMP is created may be created during the exploitation. Viewed on 2008 Server", "author": "Cybex", "tags": [ "attack.execution" ], "falsepositives": [ "Corrupted user profiles - https://social.technet.microsoft.com/wiki/contents/articles/3571.windows-user-profiles-service-event-1511-windows-cannot-find-the-local-profile-and-is-logging-you-on-with-a-temporary-profile.aspx" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Application' AND EventID = '1511' AND Provider_Name = 'Microsoft-Windows-User Profiles Service')" ], "filename": "win_system_susp_vuln_cve_2022_21919_or_cve_2021_34484.yml" }, { "title": "DHCP Server Loaded the CallOut DLL", "id": "13fc89a9-971e-4ca6-b9dc-aa53a445bf40", "status": "test", "description": "This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded", "author": "Dimitrios Slamaris", "tags": [ "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND EventID = '1033' AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], "filename": "win_system_susp_dhcp_config.yml" }, { "title": "DHCP Server Error Failed Loading the CallOut DLL", "id": "75edd3fd-7146-48e5-9848-3013d7f0282c", "status": "test", "description": "This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded", "author": "Dimitrios Slamaris, @atc_project (fix)", "tags": [ "attack.defense_evasion", "attack.t1574.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND EventID IN ('1031', '1032', '1034') AND Provider_Name = 'Microsoft-Windows-DHCP-Server')" ], "filename": "win_system_susp_dhcp_config_failed.yml" }, { "title": "NTFS Vulnerability Exploitation", "id": "f14719ce-d3ab-4e25-9ce6-2899092260b0", "status": "test", "description": "This the exploitation of a NTFS vulnerability as reported without many details via Twitter", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.impact", "attack.t1499.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Ntfs' AND EventID = '55' AND Origin = 'File System Driver' AND Description LIKE '%contains a corrupted file record%' ESCAPE '\\' AND Description LIKE '%The name of the file is \"\\\\\"%' ESCAPE '\\')" ], "filename": "win_system_ntfs_vuln_exploit.yml" }, { "title": "NTLMv1 Logon Between Client and Server", "id": "e9d4ab66-a532-4ef7-a502-66a9e4a34f5d", "status": "experimental", "description": "Detects the reporting of NTLMv1 being used between a client and server", "author": "Tim Shelton", "tags": [ "attack.execution", "attack.t1550.002", "attack.s0363" ], "falsepositives": [ "Environments that use NTLMv1" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'LsaSrv' AND EventID = '6038')" ], "filename": "win_system_lsasrv_ntlmv1.yml" }, { "title": "Vulnerable Netlogon Secure Channel Connection Allowed", "id": "a0cb7110-edf0-47a4-9177-541a4083128a", "status": "test", "description": "Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.", "author": "NVISO", "tags": [ "attack.privilege_escalation", "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'NetLogon' AND EventID = '5829')" ], "filename": "win_system_vul_cve_2020_1472.yml" }, { "title": "Zerologon Exploitation Using Well-known Tools", "id": "18f37338-b9bd-4117-a039-280c81f7a596", "status": "stable", "description": "This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with \"kali\" hostname.", "author": "Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community", "tags": [ "attack.t1210", "attack.lateral_movement" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND EventID IN ('5805', '5723') AND (Events MATCH ('\"kali\" OR \"mimikatz\"')))" ], "filename": "win_system_possible_zerologon_exploitation_using_wellknown_tools.yml" }, { "title": "Local Privilege Escalation Indicator TabTip", "id": "bc2e25ed-b92b-4daa-b074-b502bdd1982b", "status": "experimental", "description": "Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1557.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-DistributedCOM' AND EventID = '10001' AND param1 LIKE 'C:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ink\\\\TabTip.exe' ESCAPE '\\' AND param2 = '2147943140' AND param3 = '{054AAE20-4BEA-4347-8A35-64A533254A9D}')" ], "filename": "win_system_lpe_indicators_tabtip.yml" }, { "title": "Windows Update Error", "id": "13cfeb75-9e33-4d04-b0f7-ab8faaa95a59", "status": "test", "description": "Windows Update get some error Check if need a 0-days KB", "author": "frack113", "tags": [ "attack.impact", "attack.resource_development", "attack.t1584" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Microsoft-Windows-WindowsUpdateClient' AND EventID IN ('16', '20', '24', '213', '217'))" ], "filename": "win_system_susp_system_update_error.yml" }, { "title": "Sysmon Crash", "id": "4d7f1827-1637-4def-8d8a-fd254f9454df", "status": "experimental", "description": "Detects application popup reporting a failure of the Sysmon service", "author": "Tim Shelton", "tags": [ "attack.defense_evasion", "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND Provider_Name = 'Application Popup' AND EventID = '26' AND Caption = 'sysmon64.exe - Application Error')" ], "filename": "win_system_application_sysmon_crash.yml" }, { "title": "Eventlog Cleared", "id": "a62b37e0-45d3-48d9-a517-90c1a1b0186b", "status": "experimental", "description": "One of the Windows Eventlogs has been cleared. e.g. caused by \"wevtutil cl\" command execution", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1070.001", "car.2016-04-002" ], "falsepositives": [ "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", "System provisioning (system reset before the golden image creation)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND (EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog') AND NOT (Channel IN ('System', 'Security', 'Application')))" ], "filename": "win_system_eventlog_cleared.yml" }, { "title": "Important Windows Eventlog Cleared", "id": "100ef69e-3327-481c-8e5c-6d80d9507556", "status": "experimental", "description": "Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by \"wevtutil cl\" command execution", "author": "Florian Roth (Nextron Systems), Tim Shelton", "tags": [ "attack.defense_evasion", "attack.t1070.001", "car.2016-04-002" ], "falsepositives": [ "Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)", "System provisioning (system reset before the golden image creation)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND EventID = '104' AND Provider_Name = 'Microsoft-Windows-Eventlog' AND Channel IN ('System', 'Security', 'Application'))" ], "filename": "win_system_susp_eventlog_cleared.yml" }, { "title": "Potential RDP Exploit CVE-2019-0708", "id": "aaa5b30d-f418-420b-83a0-299cb6024885", "status": "test", "description": "Detect suspicious error on protocol RDP, potential CVE-2019-0708", "author": "Lionel PRAT, Christophe BROCAS, @atc_project (improvements)", "tags": [ "attack.lateral_movement", "attack.t1210", "car.2013-07-002" ], "falsepositives": [ "Bad connections or network interruptions" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'System' AND EventID IN ('56', '50') AND Provider_Name = 'TermDD')" ], "filename": "win_system_rdp_potential_cve_2019_0708.yml" }, { "title": "LSASS Access Detected via Attack Surface Reduction", "id": "a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98", "status": "experimental", "description": "Detects Access to LSASS Process", "author": "Markus Neis", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Google Chrome GoogleUpdate.exe", "Some Taskmgr.exe related activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND (EventID = '1121' AND Path LIKE '%\\\\lsass.exe' ESCAPE '\\') AND NOT ((ProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (ProcessName LIKE '%\\\\thor64.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\thor.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\atiesrxx.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\CompatTelRunner.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\nvwmi64.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\Taskmgr.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\')) OR ((ProcessName LIKE 'C:\\\\Windows\\\\System32\\\\DriverStore\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\WINDOWS\\\\Installer\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR ProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\'))))" ], "filename": "win_defender_alert_lsass_access.yml" }, { "title": "Windows Defender Threat Detected", "id": "57b649ef-ff42-4fb0-8bf6-62da243a1708", "status": "stable", "description": "Detects all actions taken by Windows Defender malware detection engines", "author": "Ján Trenčanský", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('1006', '1116', '1015', '1117'))" ], "filename": "win_defender_threat.yml" }, { "title": "PSExec and WMI Process Creations Block", "id": "97b9ce1e-c5ab-11ea-87d0-0242ac130003", "status": "test", "description": "Detects blocking of process creations originating from PSExec and WMI commands", "author": "Bhabesh Raj", "tags": [ "attack.execution", "attack.lateral_movement", "attack.t1047", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1121' AND (ProcessName LIKE '%\\\\wmiprvse.exe' ESCAPE '\\' OR ProcessName LIKE '%\\\\psexesvc.exe' ESCAPE '\\'))" ], "filename": "win_defender_psexec_wmi_asr.yml" }, { "title": "Windows Defender AMSI Trigger Detected", "id": "ea9bf0fa-edec-4fb8-8b78-b119f2528186", "status": "stable", "description": "Detects triggering of AMSI by Windows Defender.", "author": "Bhabesh Raj", "tags": [ "attack.execution", "attack.t1059" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1116' AND SourceName = 'AMSI')" ], "filename": "win_defender_amsi_trigger.yml" }, { "title": "Windows Defender Exclusions Added", "id": "1321dc4e-a1fe-481d-a016-52c45f0c8b4f", "status": "stable", "description": "Detects the Setting of Windows Defender Exclusions", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Administrator actions" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND NewValue LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" ], "filename": "win_defender_exclusions.yml" }, { "title": "Windows Defender Suspicious Configuration Changes", "id": "801bd44f-ceed-4eb6-887c-11544633c0aa", "status": "stable", "description": "Detects suspicious changes to the windows defender configuration", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Administrator activity (must be investigated)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5007' AND (NewValue LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableRemovableDriveScanning %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningMappedNetworkDrivesForFullScan %' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SpyNetReporting %' ESCAPE '\\' OR NewValue LIKE '%\\\\Real-Time Protection\\\\SubmitSamplesConsent %' ESCAPE '\\'))" ], "filename": "win_defender_suspicious_features_tampering.yml" }, { "title": "Windows Defender Real-Time Protection Failure/Restart", "id": "dd80db93-6ec2-4f4c-a017-ad40da6ffe81", "status": "stable", "description": "Detects issues with Windows Defender Real-Time Protection features", "author": "Nasreddine Bencherchali (Nextron Systems), Christopher Peacock '@securepeacock' (Update)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('3002', '3007'))" ], "filename": "win_defender_real_time_protection_errors.yml" }, { "title": "Windows Defender Threat Detection Disabled", "id": "fe34868f-6e0e-4882-81f6-c43aa8f15b62", "status": "stable", "description": "Detects disabling Windows Defender threat protection", "author": "Ján Trenčanský, frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Administrator actions (should be investigated)", "Seen being triggered occasionally during Windows 8 Defender Updates" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID IN ('5001', '5010', '5012', '5101'))" ], "filename": "win_defender_disabled.yml" }, { "title": "Win Defender Restored Quarantine File", "id": "bc92ca75-cd42-4d61-9a37-9d5aa259c88b", "status": "experimental", "description": "Detects the restoration of files from the defender quarantine", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate administrator activity restoring a file" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1009')" ], "filename": "win_defender_restored_quarantine_file.yml" }, { "title": "Microsoft Defender Tamper Protection Trigger", "id": "49e5bc24-8b86-49f1-b743-535f332c2856", "status": "stable", "description": "Detects blocked attempts to change any of Defender's settings such as \"Real Time Monitoring\" and \"Behavior Monitoring\"", "author": "Bhabesh Raj, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Administrator might try to disable defender features during testing (must be investigated)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '5013' AND (Value LIKE '%\\\\Windows Defender\\\\DisableAntiSpyware' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\DisableAntiVirus' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableArchiveScanning' ESCAPE '\\' OR Value LIKE '%\\\\Windows Defender\\\\Scan\\\\DisableScanningNetworkFiles' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR Value LIKE '%\\\\Real-Time Protection\\\\DisableScriptScanning' ESCAPE '\\'))" ], "filename": "win_defender_tamper_protection_trigger.yml" }, { "title": "Windows Defender Malware Detection History Deletion", "id": "2afe6582-e149-11ea-87d0-0242ac130003", "status": "test", "description": "Windows Defender logs when the history of detected infections is deleted. Log file will contain the message \"Windows Defender Antivirus has removed history of malware and other potentially unwanted software\".", "author": "Cian Heasley", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Deletion of Defender malware detections history for legitimate reasons" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND EventID = '1013')" ], "filename": "win_defender_history_delete.yml" }, { "title": "Windows Defender Exploit Guard Tamper", "id": "a3ab73f1-bd46-4319-8f06-4b20d0617886", "status": "experimental", "description": "Detects when someone is adding or removing applications or folder from exploit guard \"ProtectedFolders\" and \"AllowedApplications\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Windows Defender/Operational' AND ((EventID = '5007' AND NewValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\')) OR (EventID = '5007' AND OldValue LIKE '%\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders\\\\%' ESCAPE '\\')))" ], "filename": "win_defender_exploit_guard_tamper.yml" }, { "title": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD", "id": "6d44fb93-e7d2-475c-9d3d-54c9c1e33427", "status": "experimental", "description": "Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1197" ], "falsepositives": [ "This rule doesn't exclude other known TLDs such as \".org\" or \".net\". It's recommended to apply additional filters for software and scripts that leverage the BITS service" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND NOT (((RemoteName LIKE '%.azureedge.net/%' ESCAPE '\\' OR RemoteName LIKE '%.com/%' ESCAPE '\\' OR RemoteName LIKE '%.sfx.ms/%' ESCAPE '\\' OR RemoteName LIKE '%download.mozilla.org/%' ESCAPE '\\'))))" ], "filename": "win_bits_client_new_transfer_via_uncommon_tld.yml" }, { "title": "BITS Transfer Job Download To Potential Suspicious Folder", "id": "f8a56cb7-a363-44ed-a82f-5926bb44cd05", "status": "experimental", "description": "Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1197" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (LocalName LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR LocalName LIKE '%C:\\\\PerfLogs\\\\%' ESCAPE '\\'))" ], "filename": "win_bits_client_new_trasnfer_susp_local_folder.yml" }, { "title": "BITS Transfer Job Downloading File Potential Suspicious Extension", "id": "b85e5894-9b19-4d86-8c87-a2f3b81f0521", "status": "experimental", "description": "Detects new BITS transfer job saving local files with potential suspicious extensions", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1197" ], "falsepositives": [ "While the file extensions in question can be suspicious at times. It's best to add filters according to your environment to avoid large amount false positives" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (LocalName LIKE '%.bat' ESCAPE '\\' OR LocalName LIKE '%.dll' ESCAPE '\\' OR LocalName LIKE '%.exe' ESCAPE '\\' OR LocalName LIKE '%.hta' ESCAPE '\\' OR LocalName LIKE '%.ps1' ESCAPE '\\' OR LocalName LIKE '%.psd1' ESCAPE '\\' OR LocalName LIKE '%.sh' ESCAPE '\\' OR LocalName LIKE '%.vbe' ESCAPE '\\' OR LocalName LIKE '%.vbs' ESCAPE '\\')) AND NOT ((LocalName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND RemoteName LIKE '%.com%' ESCAPE '\\')))" ], "filename": "win_bits_client_new_transfer_saving_susp_extensions.yml" }, { "title": "New BITS Job Created Via Bitsadmin", "id": "1ff315dc-2a3a-4b71-8dde-873818d25d39", "status": "test", "description": "Detects the creation of a new bits job by Bitsadmin", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1197" ], "falsepositives": [ "Many legitimate applications or scripts could leverage \"bitsadmin\". This event is best correlated with EID 16403 via the JobID field" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '3' AND processPath LIKE '%\\\\bitsadmin.exe' ESCAPE '\\')" ], "filename": "win_bits_client_new_job_via_bitsadmin.yml" }, { "title": "BITS Transfer Job Download From File Sharing Domains", "id": "d635249d-86b5-4dad-a8c7-d7272b788586", "status": "experimental", "description": "Detects BITS transfer job downloading files from a file sharing domain.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1197" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '16403' AND (RemoteName LIKE '%.ghostbin.co/%' ESCAPE '\\' OR RemoteName LIKE '%.hastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%.paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%anonfiles.com%' ESCAPE '\\' OR RemoteName LIKE '%cdn.discordapp.com/attachments/%' ESCAPE '\\' OR RemoteName LIKE '%ddns.net%' ESCAPE '\\' OR RemoteName LIKE '%gist.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%mediafire.com%' ESCAPE '\\' OR RemoteName LIKE '%mega.nz%' ESCAPE '\\' OR RemoteName LIKE '%paste.ee%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.com%' ESCAPE '\\' OR RemoteName LIKE '%pastebin.pl%' ESCAPE '\\' OR RemoteName LIKE '%pastetext.net%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.com%' ESCAPE '\\' OR RemoteName LIKE '%privatlab.net%' ESCAPE '\\' OR RemoteName LIKE '%raw.githubusercontent.com%' ESCAPE '\\' OR RemoteName LIKE '%send.exploit.in%' ESCAPE '\\' OR RemoteName LIKE '%sendspace.com%' ESCAPE '\\' OR RemoteName LIKE '%storage.googleapis.com%' ESCAPE '\\' OR RemoteName LIKE '%transfer.sh%' ESCAPE '\\' OR RemoteName LIKE '%ufile.io%' ESCAPE '\\'))" ], "filename": "win_bits_client_new_transfer_via_file_sharing_domains.yml" }, { "title": "BITS Transfer Job Download From Direct IP", "id": "90f138c1-f578-4ac3-8c49-eecfd847c8b7", "status": "experimental", "description": "Detects a BITS transfer job downloading file(s) from a direct IP address.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1197" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND (EventID = '16403' AND (RemoteName LIKE '%http://1%' ESCAPE '\\' OR RemoteName LIKE '%http://2%' ESCAPE '\\' OR RemoteName LIKE '%http://3%' ESCAPE '\\' OR RemoteName LIKE '%http://4%' ESCAPE '\\' OR RemoteName LIKE '%http://5%' ESCAPE '\\' OR RemoteName LIKE '%http://6%' ESCAPE '\\' OR RemoteName LIKE '%http://7%' ESCAPE '\\' OR RemoteName LIKE '%http://8%' ESCAPE '\\' OR RemoteName LIKE '%http://9%' ESCAPE '\\' OR RemoteName LIKE '%https://1%' ESCAPE '\\' OR RemoteName LIKE '%https://2%' ESCAPE '\\' OR RemoteName LIKE '%https://3%' ESCAPE '\\' OR RemoteName LIKE '%https://4%' ESCAPE '\\' OR RemoteName LIKE '%https://5%' ESCAPE '\\' OR RemoteName LIKE '%https://6%' ESCAPE '\\' OR RemoteName LIKE '%https://7%' ESCAPE '\\' OR RemoteName LIKE '%https://8%' ESCAPE '\\' OR RemoteName LIKE '%https://9%' ESCAPE '\\')) AND NOT (((RemoteName LIKE '%://10.%' ESCAPE '\\' OR RemoteName LIKE '%://192.168.%' ESCAPE '\\' OR RemoteName LIKE '%://172.16.%' ESCAPE '\\' OR RemoteName LIKE '%://172.17.%' ESCAPE '\\' OR RemoteName LIKE '%://172.18.%' ESCAPE '\\' OR RemoteName LIKE '%://172.19.%' ESCAPE '\\' OR RemoteName LIKE '%://172.20.%' ESCAPE '\\' OR RemoteName LIKE '%://172.21.%' ESCAPE '\\' OR RemoteName LIKE '%://172.22.%' ESCAPE '\\' OR RemoteName LIKE '%://172.23.%' ESCAPE '\\' OR RemoteName LIKE '%://172.24.%' ESCAPE '\\' OR RemoteName LIKE '%://172.25.%' ESCAPE '\\' OR RemoteName LIKE '%://172.26.%' ESCAPE '\\' OR RemoteName LIKE '%://172.27.%' ESCAPE '\\' OR RemoteName LIKE '%://172.28.%' ESCAPE '\\' OR RemoteName LIKE '%://172.29.%' ESCAPE '\\' OR RemoteName LIKE '%://172.30.%' ESCAPE '\\' OR RemoteName LIKE '%://172.31.%' ESCAPE '\\' OR RemoteName LIKE '%://127.%' ESCAPE '\\' OR RemoteName LIKE '%://169.254.%' ESCAPE '\\')) OR ((RemoteName LIKE '%https://7-%' ESCAPE '\\' OR RemoteName LIKE '%http://7-%' ESCAPE '\\'))))" ], "filename": "win_bits_client_new_transfer_via_ip_address.yml" }, { "title": "New BITS Job Created Via PowerShell", "id": "fe3a2d49-f255-4d10-935c-bda7391108eb", "status": "experimental", "description": "Detects the creation of a new bits job by PowerShell", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1197" ], "falsepositives": [ "Administrator PowerShell scripts" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-Bits-Client/Operational' AND EventID = '3' AND (processPath LIKE '%\\\\powershell.exe' ESCAPE '\\' OR processPath LIKE '%\\\\pwsh.exe' ESCAPE '\\'))" ], "filename": "win_bits_client_new_job_via_powershell.yml" }, { "title": "WMI Persistence", "id": "0b7889b4-5577-4521-a60a-3376ee7f9f7b", "status": "test", "description": "Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.", "author": "Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1546.003" ], "falsepositives": [ "Unknown (data set is too small; further testing needed)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Microsoft-Windows-WMI-Activity/Operational' AND ((EventID = '5861' AND (Events MATCH ('\"ActiveScriptEventConsumer\" OR \"CommandLineEventConsumer\" OR \"CommandLineTemplate\"'))) OR EventID = '5859') AND NOT (Provider = 'SCM Event Provider' AND Query LIKE 'select % from MSFT\\_SCMEventLogEvent' ESCAPE '\\' AND User = 'S-1-5-32-544' AND PossibleCause = 'Permanent'))" ], "filename": "win_wmi_persistence.yml" }, { "title": "Removal Of SD Value to Hide Schedule Task - Registry", "id": "acd74772-5f88-45c7-956b-6a7b36c294d2", "status": "experimental", "description": "Remove SD (Security Descriptor) value in \\Schedule\\TaskCache\\Tree registry hive to hide schedule task. This technique is used by Tarrask malware", "author": "Sittikorn S", "tags": [ "attack.defense_evasion", "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '12' AND EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%SD%' ESCAPE '\\')" ], "filename": "registry_delete_schtasks_hide_task_via_sd_value_removal.yml" }, { "title": "Terminal Server Client Connection History Cleared - Registry", "id": "07bdd2f5-9c58-4f38-aec8-e101bb79ef8d", "status": "test", "description": "Detects the deletion of registry keys containing the MSTSC connection history", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1070", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '12' AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Default\\\\MRU%' ESCAPE '\\') OR (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\Microsoft\\\\Terminal Server Client\\\\Servers\\\\%' ESCAPE '\\')))" ], "filename": "registry_delete_mstsc_history_cleared.yml" }, { "title": "Folder Removed From Exploit Guard ProtectedFolders List - Registry", "id": "272e55a4-9e6b-4211-acb6-78f51f0b1b40", "status": "experimental", "description": "Detects the removal of folders from the \"ProtectedFolders\" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate administrators removing applications (should always be investigated)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '12' AND EventType = 'DeleteValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\ProtectedFolders%' ESCAPE '\\')" ], "filename": "registry_delete_exploit_guard_protected_folders.yml" }, { "title": "Removal Of Index Value to Hide Schedule Task - Registry", "id": "526cc8bc-1cdc-48ad-8b26-f19bff969cec", "status": "experimental", "description": "Detects when the \"index\" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as \"schtasks /query\"", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '12' AND EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\')" ], "filename": "registry_delete_schtasks_hide_task_via_index_value_removal.yml" }, { "title": "Removal of Potential COM Hijacking Registry Keys", "id": "96f697b0-b499-4e5d-9908-a67bec11cdb6", "status": "test", "description": "Detects any deletion of entries in \".*\\shell\\open\\command\" registry keys.\nThese registry keys might have been used for COM hijacking activities by a threat actor or an attacker and the deletion could indicate steps to remove its tracks.\n", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '12' AND (EventType = 'DeleteKey' AND TargetObject LIKE '%\\\\shell\\\\open\\\\command' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Dropbox.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Dropbox.%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\Wireshark\\_uninstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\wireshark-capture-file\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Opera\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Opera\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\installer.exe' ESCAPE '\\') OR (NewProcessName LIKE '%peazip%' ESCAPE '\\' AND TargetObject LIKE '%\\\\PeaZip.%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Everything.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Everything.%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Java\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\installer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Classes\\\\WOW6432Node\\\\CLSID\\\\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}%' ESCAPE '\\')))" ], "filename": "registry_delete_removal_com_hijacking_registry_key.yml" }, { "title": "Removal Of AMSI Provider Registry Keys", "id": "41d1058a-aea7-4952-9293-29eaaf516465", "status": "test", "description": "Detects the deletion of AMSI provider registry key entries in HKLM\\Software\\Microsoft\\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '12' AND EventType = 'DeleteKey' AND (TargetObject LIKE '%{2781761E-28E0-4109-99FE-B9D127C57AFE}' ESCAPE '\\' OR TargetObject LIKE '%{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' ESCAPE '\\'))" ], "filename": "registry_delete_removal_amsi_registry_key.yml" }, { "title": "Potential Persistence Via Disk Cleanup Handler - Registry", "id": "d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a", "status": "experimental", "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.\nThe disk cleanup manager is part of the operating system. It displays the dialog box […]\nThe user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Legitimate new entry added by windows" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\Active Setup Temp Folders' ESCAPE '\\' OR TargetObject LIKE '%\\\\BranchCache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Content Indexer Cleaner' ESCAPE '\\' OR TargetObject LIKE '%\\\\D3D Shader Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Delivery Optimization Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Device Driver Packages' ESCAPE '\\' OR TargetObject LIKE '%\\\\Diagnostic Data Viewer database files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Downloaded Program Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\DownloadsFolder' ESCAPE '\\' OR TargetObject LIKE '%\\\\Feedback Hub Archive log files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Internet Cache Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Language Pack' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft Office Temp Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Offline Pages Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Old ChkDsk Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Previous Installations' ESCAPE '\\' OR TargetObject LIKE '%\\\\Recycle Bin' ESCAPE '\\' OR TargetObject LIKE '%\\\\RetailDemo Offline Content' ESCAPE '\\' OR TargetObject LIKE '%\\\\Setup Log Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error memory dump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\System error minidump files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Setup Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Temporary Sync Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Thumbnail Cache' ESCAPE '\\' OR TargetObject LIKE '%\\\\Update Cleanup' ESCAPE '\\' OR TargetObject LIKE '%\\\\Upgrade Discarded Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\User file versions' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Defender' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Error Reporting Files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows ESD installation files' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows Upgrade Log Files' ESCAPE '\\')))" ], "filename": "registry_add_persistence_disk_cleanup_handler_entry.yml" }, { "title": "Potential Ursnif Malware Activity - Registry", "id": "21f17060-b282-4249-ade0-589ea3591558", "status": "test", "description": "Detects registry keys related to Ursnif malware.", "author": "megan201296", "tags": [ "attack.execution", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\%' ESCAPE '\\') AND NOT ((TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\RepService\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\IME\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\AppDataLow\\\\Software\\\\Microsoft\\\\Edge\\\\%' ESCAPE '\\')))" ], "filename": "registry_add_malware_ursnif.yml" }, { "title": "PUA - Sysinternals Tools Execution - Registry", "id": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", "status": "experimental", "description": "Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the \"accepteula\" registry key.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.resource_development", "attack.t1588.002" ], "falsepositives": [ "Legitimate use of SysInternals tools. Filter the legitimate paths used in your environnement" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sysinternals%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\')" ], "filename": "registry_add_pua_sysinternals_susp_execution_via_eula.yml" }, { "title": "Potential Persistence Via Logon Scripts - Registry", "id": "9ace0707-b560-49b8-b6ca-5148b42f39fb", "status": "test", "description": "Detects creation of UserInitMprLogonScript persistence method", "author": "Tom Ueltschi (@c_APT_ure)", "tags": [ "attack.t1037.001", "attack.persistence", "attack.lateral_movement" ], "falsepositives": [ "Exclude legitimate logon scripts" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%UserInitMprLogonScript%' ESCAPE '\\')" ], "filename": "registry_add_persistence_logon_scripts_userinitmprlogonscript.yml" }, { "title": "Potential Persistence Via New AMSI Providers - Registry", "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f705", "status": "experimental", "description": "Detects when an attacker registers a new AMSI provider in order to achieve persistence", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Legitimate security products adding their own AMSI providers. Filter these according to your environment" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\AMSI\\\\Providers\\\\%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')))" ], "filename": "registry_add_persistence_amsi_providers.yml" }, { "title": "Potential NetWire RAT Activity - Registry", "id": "1d218616-71b0-4c40-855b-9dbe75510f7f", "status": "experimental", "description": "Detects registry keys related to NetWire RAT", "author": "Christopher Peacock", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\software\\\\NetWire%' ESCAPE '\\')" ], "filename": "registry_add_malware_netwire.yml" }, { "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry", "id": "f50f3c09-557d-492d-81db-9064a8d4e211", "status": "experimental", "description": "Detects the creation of the \"accepteula\" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.resource_development", "attack.t1588.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND (TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoggedon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPing%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsService%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SDelete%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsLoggedon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsPing64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsService64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\sdelete.exe' ESCAPE '\\')))" ], "filename": "registry_add_pua_sysinternals_renamed_execution_via_eula.yml" }, { "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry", "id": "9b0f8a61-91b2-464f-aceb-0527e0a45020", "status": "experimental", "description": "Detects COM object hijacking via TreatAs subkey", "author": "Kutepov Anton, oscd.community", "tags": [ "attack.persistence", "attack.t1546.015" ], "falsepositives": [ "Maybe some system utilities in rare cases use linking keys for backward compatibility" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'CreateKey' AND TargetObject LIKE '%HKU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Classes\\\\CLSID\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\TreatAs%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')))" ], "filename": "registry_add_persistence_com_key_linking.yml" }, { "title": "PUA - Sysinternal Tool Execution - Registry", "id": "25ffa65d-76d8-4da5-a832-3f2b0136e133", "status": "experimental", "description": "Detects the execution of a Sysinternals Tool via the creation of the \"accepteula\" registry key", "author": "Markus Neis", "tags": [ "attack.resource_development", "attack.t1588.002" ], "falsepositives": [ "Legitimate use of SysInternals tools", "Programs that use the same Registry Key" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'New registry value created' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'CreateKey' AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\')" ], "filename": "registry_add_pua_sysinternals_execution_via_eula.yml" }, { "title": "Enable Local Manifest Installation With Winget", "id": "fa277e82-9b78-42dd-b05c-05555c7b6015", "status": "experimental", "description": "Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence" ], "falsepositives": [ "Administrators or developers might enable this for testing purposes or to install custom private packages" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\AppInstaller\\\\EnableLocalManifestFiles' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], "filename": "registry_set_winget_enable_local_manifest.yml" }, { "title": "PowerShell as a Service in Registry", "id": "4a5f5a5e-ac01-474b-9b4e-d61298c9df1d", "status": "test", "description": "Detects that a powershell code is written to the registry as a service.", "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.execution", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh%' ESCAPE '\\'))" ], "filename": "registry_set_powershell_as_service.yml" }, { "title": "New RUN Key Pointing to Suspicious Folder", "id": "02ee49e2-e294-4d0f-9278-f5b3212fc588", "status": "experimental", "description": "Detects suspicious new RUN key element pointing to an executable in a suspicious folder", "author": "Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Software using weird folders for updates" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\%' ESCAPE '\\')) AND ((NewValue LIKE '%C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Default\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%\\\\%' ESCAPE '\\') OR (NewValue LIKE '\\%Public\\%\\\\%' ESCAPE '\\' OR NewValue LIKE 'wscript%' ESCAPE '\\' OR NewValue LIKE 'cscript%' ESCAPE '\\')))" ], "filename": "registry_set_susp_run_key_img_folder.yml" }, { "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger", "id": "9827ae57-3802-418f-994b-d5ecf5cd974b", "status": "experimental", "description": "Detects the addition of the \"Debugger\" value to the \"DbgManagedDebugger\" key in order to achieve persistence. Which will get invoked when an application crashes", "author": "frack113", "tags": [ "attack.persistence", "attack.t1574" ], "falsepositives": [ "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\.NETFramework\\\\DbgManagedDebugger' ESCAPE '\\') AND NOT (NewValue LIKE '\"C:\\\\Windows\\\\system32\\\\vsjitdebugger.exe\" PID \\%d APPDOM \\%d EXTEXT \"\\%s\" EVTHDL \\%d' ESCAPE '\\'))" ], "filename": "registry_set_dbgmanageddebugger_persistence.yml" }, { "title": "Potential PowerShell Execution Policy Tampering", "id": "fad91067-08c5-4d1a-8d8c-d96a21b37814", "status": "experimental", "description": "Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\ShellIds\\\\Microsoft.PowerShell\\\\ExecutionPolicy' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ExecutionPolicy' ESCAPE '\\') AND (NewValue LIKE '%Bypass%' ESCAPE '\\' OR NewValue LIKE '%RemoteSigned%' ESCAPE '\\' OR NewValue LIKE '%Unrestricted%' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\'))))" ], "filename": "registry_set_powershell_execution_policy.yml" }, { "title": "Potential Persistence Via AutodialDLL", "id": "e6fe26ee-d063-4f5b-b007-39e90aaf50e3", "status": "experimental", "description": "Detects change the the \"AutodialDLL\" key which could be used as a persistence method to load custom DLL via the \"ws2_32\" library", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Services\\\\WinSock2\\\\Parameters\\\\AutodialDLL%' ESCAPE '\\')" ], "filename": "registry_set_persistence_autodial_dll.yml" }, { "title": "Register New IFiltre For Persistence", "id": "b23818c7-e575-4d13-8012-332075ec0a2b", "status": "experimental", "description": "Detects when an attacker register a new IFilter for an exntesion. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index. You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Legitimate registration of IFilters by the OS or software" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\.%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentHandler%' ESCAPE '\\') OR (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_LOCAL\\_MACHINE\\\\SOFTWARE\\\\Classes\\\\CLSID%' ESCAPE '\\') AND TargetObject LIKE '%\\\\PersistentAddinsRegistered\\\\{89BCB740-6119-101A-BCB7-00DD010655AF}%' ESCAPE '\\')) AND NOT (((TargetObject LIKE '%\\\\CLSID\\\\{4F46F75F-199F-4C63-8B7D-86D48FE7970C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{4887767F-7ADC-4983-B576-88FB643D6F79}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D3B41FA1-01E3-49AF-AA25-1D0D824275AE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{72773E1A-B711-4d8d-81FA-B9A43B0650DD}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{098f2470-bae0-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{1AA9BF05-9A97-48c1-BA28-D9DCE795E93C}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{2e2294a9-50d7-4fe7-a09f-e6492e185884}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3B224B11-9363-407e-850F-C9E1FFACD8FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{3DDEB7A4-8ABF-4D82-B9EE-E1F4552E95BE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C1-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5645C8C4-E277-11CF-8FDA-00AA00A14F93}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{58A9EBF6-5755-4554-A67E-A2467AD1447B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{5e941d80-bf96-11cd-b579-08002b30bfeb}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{698A4FFC-63A3-4E70-8F00-376AD29363FB}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7E9D8D44-6926-426F-AA2B-217A819A5CCE}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{8CD34779-9F10-4f9b-ADFB-B3FAEABDAB5A}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{9694E38A-E081-46ac-99A0-8743C909ACB6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{98de59a0-d175-11cd-a7bd-00006b827d94}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{B4132098-7A03-423D-9463-163CB07C151F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{d044309b-5da6-4633-b085-4ed02522e5a5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{D169C14A-5148-4322-92C8-754FC9D018D8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{DD75716E-B42E-4978-BB60-1497B92E30C4}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E2F83EED-62DE-4A9F-9CD0-A1D40DCD13B6}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{E772CEB3-E203-4828-ADF1-765713D981B8}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{eec97550-47a9-11cf-b952-00aa0051fe20}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{FB10BD80-A331-4e9e-9EB7-00279903AD99}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\'))))" ], "filename": "registry_set_persistence_ifilter.yml" }, { "title": "UAC Bypass Using Windows Media Player - Registry", "id": "5f9db380-ea57-4d1e-beab-8a2d33397e93", "status": "test", "description": "Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\C:\\\\Program Files\\\\Windows Media Player\\\\osk.exe' ESCAPE '\\' AND NewValue = 'Binary Data')" ], "filename": "registry_set_uac_bypass_wmp.yml" }, { "title": "Bypass UAC Using SilentCleanup Task", "id": "724ea201-6514-4f38-9739-e5973c34f49a", "status": "test", "description": "There is an auto-elevated task called SilentCleanup located in %windir%\\system32\\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC", "author": "frack113", "tags": [ "attack.privilege_escalation", "attack.defense_evasion", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Environment\\\\windir' ESCAPE '\\' AND NewValue LIKE '%&REM%' ESCAPE '\\' AND EventType = 'SetValue')" ], "filename": "registry_set_bypass_uac_using_silentcleanup_task.yml" }, { "title": "Disable Privacy Settings Experience in Registry", "id": "0372e1f9-0fd2-40f7-be1b-a7b2b848fa7b", "status": "experimental", "description": "Detects registry modifications that disable Privacy Settings Experience", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate admin script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\OOBE\\\\DisablePrivacyExperience' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_privacy_settings_experience.yml" }, { "title": "Add Debugger Entry To AeDebug For Persistence", "id": "092af964-4233-4373-b4ba-d86ea2890288", "status": "experimental", "description": "Detects when an attacker adds a new \"Debugger\" value to the \"AeDebug\" key in order to achieve persistence which will get invoked when an application crashes", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Legitimate use of the key to setup a debugger. Which is often the case on developers machines" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AeDebug\\\\Debugger%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\') AND NOT (NewValue LIKE '\"C:\\\\WINDOWS\\\\system32\\\\vsjitdebugger.exe\" -p \\%ld -e \\%ld -j 0x\\%p' ESCAPE '\\'))" ], "filename": "registry_set_aedebug_persistence.yml" }, { "title": "Adwind RAT / JRAT - Registry", "id": "42f0e038-767e-4b85-9d96-2c6335bad0b5", "status": "experimental", "description": "Detects javaw.exe in AppData folder as used by Adwind / JRAT", "author": "Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.execution", "attack.t1059.005", "attack.t1059.007" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND NewValue LIKE '\\%AppData\\%\\\\Roaming\\\\Oracle\\\\bin\\\\%' ESCAPE '\\')" ], "filename": "registry_set_mal_adwind.yml" }, { "title": "Suspicious Powershell In Registry Run Keys", "id": "8d85cf08-bf97-4260-ba49-986a2a65129c", "status": "experimental", "description": "Detects potential PowerShell commands or code within registry run keys", "author": "frack113, Florian Roth", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate admin or third party scripts. Baseline according to your environment" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\' AND (NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%pwsh %' ESCAPE '\\' OR NewValue LIKE '%FromBase64String%' ESCAPE '\\' OR NewValue LIKE '%.DownloadFile(%' ESCAPE '\\' OR NewValue LIKE '%.DownloadString(%' ESCAPE '\\' OR NewValue LIKE '% -w hidden %' ESCAPE '\\' OR NewValue LIKE '% -w 1 %' ESCAPE '\\' OR NewValue LIKE '%-windowstyle hidden%' ESCAPE '\\' OR NewValue LIKE '%-window hidden%' ESCAPE '\\' OR NewValue LIKE '% -nop %' ESCAPE '\\' OR NewValue LIKE '% -encodedcommand %' ESCAPE '\\' OR NewValue LIKE '%-ExecutionPolicy Bypass%' ESCAPE '\\' OR NewValue LIKE '%Invoke-Expression%' ESCAPE '\\' OR NewValue LIKE '%IEX (%' ESCAPE '\\' OR NewValue LIKE '%Invoke-Command%' ESCAPE '\\' OR NewValue LIKE '%ICM -%' ESCAPE '\\' OR NewValue LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR NewValue LIKE '%IWR %' ESCAPE '\\' OR NewValue LIKE '% -noni %' ESCAPE '\\' OR NewValue LIKE '% -noninteractive %' ESCAPE '\\'))" ], "filename": "registry_set_powershell_in_run_keys.yml" }, { "title": "Execution DLL of Choice Using WAB.EXE", "id": "fc014922-5def-4da9-a0fc-28c973f41bfb", "status": "test", "description": "This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.", "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\WAB\\\\DLLPath' ESCAPE '\\') AND NOT (NewValue LIKE '\\%CommonProgramFiles\\%\\\\System\\\\wab32.dll' ESCAPE '\\'))" ], "filename": "registry_set_wab_dllpath_reg_change.yml" }, { "title": "Persistence Via New SIP Provider", "id": "5a2b21ee-6aaa-4234-ac9d-59a59edf90a1", "status": "experimental", "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.t1553.003" ], "falsepositives": [ "Legitimate SIP being registered by the OS or different software." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Dll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\$DLL%' ESCAPE '\\')) AND NOT ((NewValue IN ('WINTRUST.DLL', 'mso.dll')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CryptSIPDll%' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\System32\\\\PsfSip.dll' ESCAPE '\\')))" ], "filename": "registry_set_sip_persistence.yml" }, { "title": "ETW Logging Disabled For rpcrt4.dll", "id": "90f342e1-1aaa-4e43-b092-39fda57ed11e", "status": "experimental", "description": "Detects changes to the \"ExtErrorInformation\" key in order to disable ETW logging for rpcrt4.dll", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1112", "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\Rpc\\\\ExtErrorInformation' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000002)'))" ], "filename": "registry_set_rpcrt4_etw_tamper.yml" }, { "title": "Potential Signing Bypass Via Windows Developer Features - Registry", "id": "b110ebaf-697f-4da1-afd5-b536fa27a2c1", "status": "experimental", "description": "Detects when the enablement of developer features such as \"Developer Mode\" or \"Application Sideloading\". Which allows the user to install untrusted packages.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\AppModelUnlock%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\Appx\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\AllowAllTrustedApps' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllowDevelopmentWithoutDevLicense' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], "filename": "registry_set_turn_on_dev_features.yml" }, { "title": "Potential Persistence Via TypedPaths", "id": "086ae989-9ca6-4fe7-895a-759c5544f247", "status": "experimental", "description": "Detects modification addition to the 'TypedPaths' key in the user or admin registry from a non standard application. Which might indicate persistence attempt", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\TypedPaths\\\\%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\explorer.exe' ESCAPE '\\')))" ], "filename": "registry_set_persistence_typed_paths.yml" }, { "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)", "id": "2d9403d5-7927-46b7-8216-37ab7c9ec5e3", "status": "test", "description": "Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.", "author": "Sittikorn S", "tags": [ "attack.defense_evasion", "attack.t1221" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKCR\\\\ms-msdt\\\\%' ESCAPE '\\')" ], "filename": "registry_set_cve_2022_30190_msdt_follina.yml" }, { "title": "Activate Suppression of Windows Security Center Notifications", "id": "0c93308a-3f1b-40a9-b649-57ea1a1c1d63", "status": "experimental", "description": "Detect set Notification_Suppress to 1 to disable the windows security center notification", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\UX Configuration\\\\Notification\\_Suppress' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], "filename": "registry_set_suppress_defender_notifications.yml" }, { "title": "Suspicious Keyboard Layout Load", "id": "34aa0252-6039-40ff-951f-939fd6ce47d8", "status": "test", "description": "Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.resource_development", "attack.t1588.002" ], "falsepositives": [ "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Keyboard Layout\\\\Preload\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Keyboard Layout\\\\Substitutes\\\\%' ESCAPE '\\') AND (NewValue LIKE '%00000429%' ESCAPE '\\' OR NewValue LIKE '%00050429%' ESCAPE '\\' OR NewValue LIKE '%0000042a%' ESCAPE '\\'))" ], "filename": "registry_set_susp_keyboard_layout_load.yml" }, { "title": "Disabled Windows Defender Eventlog", "id": "fcddca7c-b9c0-4ddf-98da-e1e2d18b0157", "status": "experimental", "description": "Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Other Antivirus software installations could cause Windows to disable that eventlog (unknown)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Windows Defender/Operational\\\\Enabled%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disabled_microsoft_defender_eventlog.yml" }, { "title": "New Application in AppCompat", "id": "60936b49-fca0-4f32-993d-7415edcf9a5d", "status": "test", "description": "A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", "attack.t1204.002" ], "falsepositives": [ "This rule is to explore new applications on an endpoint. False positives depends on the organization.", "Newly setup system.", "Legitimate installation of new application." ], "level": "informational", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\AppCompatFlags\\\\Compatibility Assistant\\\\Store\\\\%' ESCAPE '\\')" ], "filename": "registry_set_new_application_appcompat.yml" }, { "title": "Change the Fax Dll", "id": "9e3357ba-09d4-4fbd-a7c5-ad6386314513", "status": "experimental", "description": "Detect possible persistence using Fax DLL load when service restart", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Fax\\\\Device Providers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImageName%' ESCAPE '\\') AND NOT (NewValue LIKE '\\%systemroot\\%\\\\system32\\\\fxst30.dll' ESCAPE '\\'))" ], "filename": "registry_set_fax_dll_persistance.yml" }, { "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG", "id": "0442defa-b4a2-41c9-ae2c-ea7042fc4701", "status": "experimental", "description": "Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003" ], "falsepositives": [ "Other legitimate network providers used and not filtred in this rule" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WebClient\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanWorkstation\\\\NetworkProvider%' ESCAPE '\\' OR TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\RDPNP\\\\NetworkProvider%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" ], "filename": "registry_set_new_network_provider.yml" }, { "title": "Winlogon Notify Key Logon Persistence", "id": "bbf59793-6efb-4fa1-95ca-a7d288e52c88", "status": "test", "description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", "author": "frack113", "tags": [ "attack.persistence", "attack.t1547.004" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue')" ], "filename": "registry_set_winlogon_notify_key.yml" }, { "title": "Disable Microsoft Defender Firewall via Registry", "id": "974515da-6cc5-4c95-ae65-f97f9150ec7f", "status": "test", "description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\EnableFirewall' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_defender_firewall.yml" }, { "title": "Disable Microsoft Office Security Features", "id": "7c637634-c95d-4bbf-b26c-a82510874b34", "status": "test", "description": "Disable Microsoft Office Security Features by registry", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%VBAWarnings' ESCAPE '\\' OR TargetObject LIKE '%DisableInternetFilesInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableUnsafeLocationsInPV' ESCAPE '\\' OR TargetObject LIKE '%DisableAttachementsInPV' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], "filename": "registry_set_disable_microsoft_office_security_features.yml" }, { "title": "UAC Bypass Abusing Winsat Path Parsing - Registry", "id": "6597be7b-ac61-4ac8-bef4-d3ec88174853", "status": "test", "description": "Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Root\\\\InventoryApplicationFile\\\\winsat.exe|%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LowerCaseLongPath' ESCAPE '\\' AND NewValue LIKE 'c:\\\\users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\appdata\\\\local\\\\temp\\\\system32\\\\winsat.exe' ESCAPE '\\')" ], "filename": "registry_set_uac_bypass_winsat.yml" }, { "title": "Winget Admin Settings Modification", "id": "6db5eaf9-88f7-4ed9-af7d-9ef2ad12f236", "status": "experimental", "description": "Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence" ], "falsepositives": [ "The event doesn't contain information about the type of change. False positives are expected with legitimate changes" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND NewProcessName LIKE '%\\\\winget.exe' ESCAPE '\\' AND TargetObject LIKE '\\\\REGISTRY\\\\A\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\LocalState\\\\admin\\_settings' ESCAPE '\\')" ], "filename": "registry_set_winget_admin_settings_tampering.yml" }, { "title": "Wow6432Node Classes Autorun Keys Modification", "id": "18f2065c-d36c-464a-a748-bcf909acb2e3", "status": "test", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" ], "filename": "registry_set_asep_reg_keys_modification_wow6432node_classes.yml" }, { "title": "COM Hijack via Sdclt", "id": "07743f65-7ec9-404a-a519-913db7118a8d", "status": "test", "description": "Detects changes to 'HKCU\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute'", "author": "Omkar Gudhate", "tags": [ "attack.privilege_escalation", "attack.t1546", "attack.t1548" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\')" ], "filename": "registry_set_comhijack_sdclt.yml" }, { "title": "Common Autorun Keys Modification", "id": "f59c3faf-50f3-464b-9f4c-1b67ab512d99", "status": "experimental", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows CE Services\\\\AutoStart%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\Setup\\\\CmdLine%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Ctf\\\\LangBarAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Command Processor\\\\Autorun%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Handler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Protocols\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Classes\\\\Htmlfile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Environment\\\\UserInitMprLogonScript%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\UrlSearchHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Desktop\\\\Components%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Classes\\\\Clsid\\\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\\\Inprocserver32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\Scrnsave.exe%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRunStore\\\\HKMU\\\\SOFTWARE\\\\Classes\\\\PROTOCOLS\\\\Handler\\\\%' ESCAPE '\\') OR NewValue IN ('{314111c7-a502-11d2-bbca-00c04f8ec294}', '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}', '{42089D2D-912D-4018-9087-2B87803E93FB}', '{5504BE45-A83B-4808-900A-3A5C36E7F77A}', '{807583E5-5146-11D5-A672-00B0D022E945}')) OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{8A69D345-D564-463c-AFF1-A69D9E530F96}%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{9459C573-B17A-45AE-9F64-1857B5D58CEE}%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\{89820200-ECBD-11cf-8B85-00AA005B4383}%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" ], "filename": "registry_set_asep_reg_keys_modification_common.yml" }, { "title": "CrashControl CrashDump Disabled", "id": "2ff692c2-4594-41ec-8fcb-46587de769e0", "status": "experimental", "description": "Detects disabling the CrashDump per registry (as used by HermeticWiper)", "author": "Tobias Michalski (Nextron Systems)", "tags": [ "attack.t1564", "attack.t1112" ], "falsepositives": [ "Legitimate disabling of crashdumps" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SYSTEM\\\\CurrentControlSet\\\\Control\\\\CrashControl%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_crashdump_disabled.yml" }, { "title": "Potential Persistence Via Event Viewer Events.asp", "id": "a1e11042-a74a-46e6-b07c-c4ce8ecc239b", "status": "test", "description": "Detects potential registry persistence technique using the Event Viewer \"Events.asp\" technique", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionURL%' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgram' ESCAPE '\\' AND NewValue LIKE '\\%\\%SystemRoot\\%\\%\\\\PCHealth\\\\HelpCtr\\\\Binaries\\\\HelpCtr.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Event Viewer\\\\MicrosoftRedirectionProgramCommandLineParameters' ESCAPE '\\' AND NewValue LIKE '-url hcp://services/centers/support_topic=\\%\\%s' ESCAPE '\\') OR (NewValue = 'http://go.microsoft.com/fwlink/events.asp') OR (NewValue = '(Empty)')))" ], "filename": "registry_set_persistence_event_viewer_events_asp.yml" }, { "title": "Lsass Full Dump Request Via DumpType Registry Settings", "id": "33efc23c-6ea2-4503-8cfe-bdf82ce8f719", "status": "experimental", "description": "Detects the setting of the \"DumpType\" registry value to \"2\" which stands for a \"Full Dump\". Technique such as LSASS Shtinkering requires this value to be \"2\" in order to dump LSASS.", "author": "@pbssubhash", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Legitimate application that needs to do a full dump of their process" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\lsass.exe\\\\DumpType%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000002)')" ], "filename": "registry_set_lsass_usermode_dumping.yml" }, { "title": "Hide Schedule Task Via Index Value Tamper", "id": "5b16df71-8615-4f7f-ac9b-6c43c0509e61", "status": "experimental", "description": "Detects when the \"index\" value of a scheduled task is modified from the registry\nWhich effectively hides it from any tooling such as \"schtasks /query\" (Read the referenced link for more information about the effects of this technique)\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\%' ESCAPE '\\' AND TargetObject LIKE '%Index%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_hide_scheduled_task_via_index_tamper.yml" }, { "title": "CurrentControlSet Autorun Keys Modification", "id": "f674e36a-4b91-431e-8aef-f8a96c2aca35", "status": "experimental", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SecurityProviders\\\\SecurityProviders%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SafeBoot\\\\AlternateShell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Print\\\\Monitors%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NetworkProvider\\\\Order%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Notification Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Lsa\\\\Authentication Packages%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootVerificationProgram\\\\ImagePath%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor%' ESCAPE '\\' AND (NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' OR NewValue LIKE 'CutePDF Writer' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%Print\\\\Monitors\\\\Appmon\\\\Ports\\\\Microsoft.Office.OneNote\\_%' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\NetworkProvider\\\\Order\\\\ProviderOrder' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver' ESCAPE '\\' AND NewValue = 'VNCpm.dll')))" ], "filename": "registry_set_asep_reg_keys_modification_currentcontrolset.yml" }, { "title": "Potential Persistence Via Visual Studio Tools for Office", "id": "9d15044a-7cfe-4d23-8085-6ebc11df7685", "status": "experimental", "description": "Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.", "author": "Bhabesh Raj", "tags": [ "attack.t1137.006", "attack.persistence" ], "falsepositives": [ "Legitimate Addin Installation" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Word\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Excel\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\Powerpoint\\\\Addins\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\VSTO\\\\Security\\\\Inclusion\\\\%' ESCAPE '\\')) AND NOT (((NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regsvr32.exe' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\winword.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\integrator.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_persistence_office_vsto.yml" }, { "title": "Scheduled TaskCache Change by Uncommon Program", "id": "4720b7df-40c3-48fd-bbdf-fd4b3c464f0d", "status": "experimental", "description": "Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious", "author": "Syed Hasan (@syedhasan009)", "tags": [ "attack.persistence", "attack.t1053", "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\%' ESCAPE '\\') AND NOT (((TargetObject LIKE '%Microsoft\\\\Windows\\\\UpdateOrchestrator%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\SoftwareProtectionPlatform\\\\SvcRestartTask\\\\Index%' ESCAPE '\\' OR TargetObject LIKE '%Microsoft\\\\Windows\\\\Flighting\\\\OneSettings\\\\RefreshCache\\\\Index%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\{B66B135D-DA06-4FC4-95F8-7458E1D10129}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\Integration\\\\Integrator.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Dropbox\\\\Update\\\\DropboxUpdate.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tree\\\\Microsoft\\\\Windows\\\\PLA\\\\Server Manager Performance Monitor\\\\%' ESCAPE '\\') OR (NewProcessName = 'System')))" ], "filename": "registry_set_taskcache_entry.yml" }, { "title": "Wow6432Node CurrentVersion Autorun Keys Modification", "id": "b29aed60-ebd1-442b-9cb5-16a1d0324adb", "status": "experimental", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewProcessName LIKE '%C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\{%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\setup.exe%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\OfficeClickToRun.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Office\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Wow6432Node\\\\%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\\\\%' ESCAPE '\\') OR (NewValue LIKE '%-A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\' OR NewValue = 'grpconv -o' OR NewValue LIKE '%C:\\\\Program Files%' ESCAPE '\\' AND NewValue LIKE '%\\\\Dropbox\\\\Client\\\\Dropbox.exe%' ESCAPE '\\' AND NewValue LIKE '% /systemstartup%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects\\\\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\\\\NoExplorer' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}' ESCAPE '\\' OR TargetObject LIKE '%\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{7037b699-7382-448c-89a7-4765961d2537}' ESCAPE '\\') AND NewValue LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\%' ESCAPE '\\' AND NewValue LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewValue LIKE '\"C:\\\\ProgramData\\\\Package Cache\\\\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\\\\windowsdesktop-runtime-%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\VC\\_redist.x64.exe' ESCAPE '\\' AND NewValue LIKE '%}\\\\VC\\_redist.x64.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Package Cache%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\') AND (NewProcessName LIKE '%\\\\winsdksetup.exe%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\windowsdesktop-runtime-%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AspNetCoreSharedFrameworkBundle-%' ESCAPE '\\') AND NewValue LIKE '% /burn.runonce' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_asep_reg_keys_modification_wow6432node.yml" }, { "title": "Potential Attachment Manager Settings Attachments Tamper", "id": "ee77a5db-b0f3-4be2-bfd4-b58be1c6b15a", "status": "experimental", "description": "Detects tampering with attachment manager settings policies attachments (See reference for more information)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Attachments\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\HideZoneInfoOnProperties' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (TargetObject LIKE '%\\\\SaveZoneInformation' ESCAPE '\\' AND NewValue = 'DWORD (0x00000002)') OR (TargetObject LIKE '%\\\\ScanWithAntiVirus' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')))" ], "filename": "registry_set_policies_attachments_tamper.yml" }, { "title": "Tamper With Sophos AV Registry Keys", "id": "9f4662ac-17ca-43aa-8f12-5d7b989d0101", "status": "experimental", "description": "Detects tamper attempts to sophos av functionality via registry key modification", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Some FP may occur when the feature is disabled by the AV itself, you should always investigate if the action was legitimate" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SAVEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos Endpoint Defense\\\\TamperProtection\\\\Config\\\\SEDEnabled%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Sophos\\\\SAVService\\\\TamperProtection\\\\Enabled%' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_sophos_av_tamper.yml" }, { "title": "Change Winevt Event Access Permission Via Registry", "id": "7d9263bd-dc47-4a58-bc92-5474abab390c", "status": "experimental", "description": "Detects tampering with the \"ChannelAccess\" registry key in order to change access to windows event channel", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ChannelAccess' ESCAPE '\\' AND (NewValue LIKE '%(A;;0x1;;;SY)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x5;;;BA)%' ESCAPE '\\' OR NewValue LIKE '%(A;;0x1;;;LA)%' ESCAPE '\\')) AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\')))" ], "filename": "registry_set_change_winevt_channelaccess.yml" }, { "title": "Internet Explorer Autorun Keys Modification", "id": "a80f662f-022f-4429-9b8c-b1a41aaa6688", "status": "test", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Internet Explorer%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Toolbar%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer Bars%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((TargetObject LIKE '%\\\\Extensions\\\\{2670000A-7350-4f3c-8081-5663EE0C6C49}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Extensions\\\\{A95fe080-8f5d-11d2-a20b-00aa003c157a}%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Toolbar\\\\ShellBrowser\\\\ITBar7Layout' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\ShowDiscussionButton' ESCAPE '\\' OR TargetObject LIKE '%\\\\Toolbar\\\\Locked' ESCAPE '\\'))))" ], "filename": "registry_set_asep_reg_keys_modification_internet_explorer.yml" }, { "title": "Potential PendingFileRenameOperations Tamper", "id": "4eec988f-7bf0-49f1-8675-1e6a510b3a2a", "status": "experimental", "description": "Detect changes to the \"PendingFileRenameOperations\" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1036.003" ], "falsepositives": [ "Installers and updaters may set currently in use files for rename after a reboot." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\PendingFileRenameOperations%' ESCAPE '\\') AND ((NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\reg.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\regedit.exe' ESCAPE '\\')))" ], "filename": "registry_set_susp_pendingfilerenameoperations.yml" }, { "title": "Potential AutoLogger Sessions Tampering", "id": "f37b4bce-49d0-4087-9f5b-58bffda77316", "status": "experimental", "description": "Detects tampering with autologger trace sessions which is a technique used by attackers to disable logging", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\WMI\\\\Autologger\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\EventLog-%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Defender%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Enable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Start' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\')))" ], "filename": "registry_set_disable_autologger_sessions.yml" }, { "title": "Add DisallowRun Execution to Registry", "id": "275641a5-a492-45e2-a817-7c81e9d9d3e9", "status": "experimental", "description": "Detect set DisallowRun to 1 to prevent user running specific computer program", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\DisallowRun' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], "filename": "registry_set_disallowrun_execution.yml" }, { "title": "CurrentVersion Autorun Keys Modification", "id": "20f0ee37-5942-4e45-b7d5-c5b5db9df5cd", "status": "experimental", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ShellServiceObjectDelayLoad%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Run\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunOnceEx\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServices\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\RunServicesOnce\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\System\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Policies\\\\Explorer\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Group Policy\\\\Scripts\\\\Logoff%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellServiceObjects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellIconOverlayIdentifiers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\ShellExecuteHooks%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\SharedTaskScheduler%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Explorer\\\\Browser Helper Objects%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\PLAP Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Provider Filters%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)' OR TargetObject LIKE '%\\\\NgcFirst\\\\ConsecutiveSwitchCount' ESCAPE '\\' OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Spotify\\\\Spotify.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\devicecensus.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\winsat.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\Update\\\\OneDriveSetup.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\KeePass Password Safe 2\\\\ShInstUtil.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Everything\\\\Everything.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\LogonUI.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{D6886603-9D2F-4EB2-B667-1971041FA96B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{BEC09223-B018-416D-A0AC-523971B639F5}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Authentication\\\\Credential Providers\\\\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\Install\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\regsvr32.exe' ESCAPE '\\' AND TargetObject LIKE '%DropboxExt%' ESCAPE '\\' AND NewValue LIKE '%A251-47B7-93E1-CDD82E34AF8B}' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Opera Browser Assistant' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Opera\\\\assistant\\\\browser\\_assistant.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\iTunesHelper' ESCAPE '\\' AND NewValue LIKE '\"C:\\\\Program Files\\\\iTunes\\\\iTunesHelper.exe\"' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\zoommsirepair' ESCAPE '\\' AND NewValue LIKE '\"C:\\\\Program Files\\\\Zoom\\\\bin\\\\installer.exe\" /repair' ESCAPE '\\') OR (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Greenshot' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Greenshot\\\\Greenshot.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\GoogleDriveFS' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\GoogleDriveFS.exe%' ESCAPE '\\') OR (TargetObject LIKE '%GoogleDrive%' ESCAPE '\\' AND NewValue IN ('{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}', '{A8E52322-8734-481D-A7E2-27B309EF8D56}', '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}', '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}')) OR ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c rmdir /s /q \"C:\\\\Users\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\{%' ESCAPE '\\' AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Package Cache\\\\{%' ESCAPE '\\' AND NewValue LIKE '%}\\\\python-%' ESCAPE '\\' AND NewValue LIKE '%.exe\" /burn.runonce' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND NewValue LIKE '%\\\\Microsoft\\\\Teams\\\\Update.exe --processStart %' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\userinit.exe' ESCAPE '\\' AND NewValue = 'ctfmon.exe /n') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\Setup\\\\%' ESCAPE '\\' AND (NewValue LIKE '\"C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files (x86)\\\\AVG\\\\Antivirus\\\\AvLaunch.exe\" /gui' ESCAPE '\\' OR NewValue LIKE '{472083B0-C522-11CF-8763-00608CC02F24}' ESCAPE '\\')) OR ((NewProcessName LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\aurora-dashboard' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Program Files\\\\Aurora-Agent\\\\tools\\\\aurora-dashboard.exe' ESCAPE '\\') OR (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Everything' ESCAPE '\\' AND NewValue LIKE '%\\\\Everything\\\\Everything.exe\" -startup' ESCAPE '\\')))" ], "filename": "registry_set_asep_reg_keys_modification_currentversion.yml" }, { "title": "VBScript Payload Stored in Registry", "id": "46490193-1b22-4c29-bdd6-5bf63907216f", "status": "experimental", "description": "Detects VBScript content stored into registry keys as seen being used by UNC2452 group", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion%' ESCAPE '\\' AND (NewValue LIKE '%vbscript:%' ESCAPE '\\' OR NewValue LIKE '%jscript:%' ESCAPE '\\' OR NewValue LIKE '%mshtml,%' ESCAPE '\\' OR NewValue LIKE '%RunHTMLApplication%' ESCAPE '\\' OR NewValue LIKE '%Execute(%' ESCAPE '\\' OR NewValue LIKE '%CreateObject%' ESCAPE '\\' OR NewValue LIKE '%window.close%' ESCAPE '\\')) AND NOT ((TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\msiexec.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Installer\\\\UserData\\\\%' ESCAPE '\\' AND (NewValue LIKE '%\\\\Microsoft.NET\\\\Primary Interop Assemblies\\\\Microsoft.mshtml.dll%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,fileVersion=%' ESCAPE '\\' OR NewValue LIKE '%\\_mshtml\\_dll\\_%' ESCAPE '\\' OR NewValue LIKE '%<\\\\Microsoft.mshtml,culture=%' ESCAPE '\\'))))" ], "filename": "registry_set_vbs_payload_stored.yml" }, { "title": "Registry Disable System Restore", "id": "5de03871-5d46-4539-a82d-3aa992a69a83", "status": "experimental", "description": "Detects the modification of the registry to disable a system restore on the computer", "author": "frack113", "tags": [ "attack.impact", "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows NT\\\\SystemRestore%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SystemRestore%' ESCAPE '\\') AND (TargetObject LIKE '%DisableConfig' ESCAPE '\\' OR TargetObject LIKE '%DisableSR' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], "filename": "registry_set_disable_system_restore.yml" }, { "title": "Modification of IE Registry Settings", "id": "d88d0ab2-e696-4d40-a2ed-9790064e66b3", "status": "experimental", "description": "Detects modification of the registry settings used for Internet Explorer and other Windows components that use these settings. An attacker can abuse this registry key to add a domain to the trusted sites Zone or insert javascript for persistence", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings%' ESCAPE '\\') AND NOT ((NewValue LIKE 'DWORD%' ESCAPE '\\') OR (NewValue IN ('Cookie:', 'Visited:', '(Empty)')) OR ((TargetObject LIKE '%\\\\Cache%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ZoneMap%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WpadDecision%' ESCAPE '\\')) OR (NewValue = 'Binary Data') OR (TargetObject LIKE '%\\\\Accepted Documents\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_persistence_ie.yml" }, { "title": "CurrentVersion NT Autorun Keys Modification", "id": "cbf93e5d-ca6c-4722-8bea-e9119007c248", "status": "experimental", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\VmApplet%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Userinit%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Taskman%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\Shell%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GpExtensions%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AppSetup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\AlternateShells\\\\AvailableShells%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\IconServiceLib%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Font Drivers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Run%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Load%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\DisableExceptionChainValidation' ESCAPE '\\' OR TargetObject LIKE '%\\\\MitigationOptions' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\ClickToRunStore\\\\HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ClickToRun\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\PreviousPolicyAreas%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Winlogon\\\\GPExtensions\\\\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\\\\MaxNoGPOListChangesInterval%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000009)', 'DWORD (0x000003c0)')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\ngen.exe' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\StandaloneUpdater\\\\OneDriveSetup.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\Delete Cached Update Binary' ESCAPE '\\' AND NewValue LIKE 'C:\\\\Windows\\\\system32\\\\cmd.exe /q /c del /q \"C:\\\\Users\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\Update\\\\OneDriveSetup.exe\"' ESCAPE '\\')))" ], "filename": "registry_set_asep_reg_keys_modification_currentversion_nt.yml" }, { "title": "Persistence Via Hhctrl.ocx", "id": "f10ed525-97fe-4fed-be7c-2feecca941b1", "status": "experimental", "description": "Detects when an attacker modifies the registry value of the \"hhctrl\" to point to a custom binary", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{52A2AAAE-085D-4187-97EA-8C30DB990436}\\\\InprocServer32\\\\(Default)%' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\System32\\\\hhctrl.ocx' ESCAPE '\\'))" ], "filename": "registry_set_hhctrl_persistence.yml" }, { "title": "Potential Registry Persistence Attempt Via Windows Telemetry", "id": "73a883d0-0348-4be4-a8d8-51031c2564f8", "status": "test", "description": "Detects potential persistence behaviour using the windows telemetry registry key.\nWindows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.\nThis binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.\nThe problem is, it will run any arbitrary command without restriction of location or type.\n", "author": "Lednyov Alexey, oscd.community, Sreeman", "tags": [ "attack.persistence", "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\TelemetryController\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Command' ESCAPE '\\' AND (NewValue LIKE '%.sh%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.bin%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.cmd%' ESCAPE '\\' OR NewValue LIKE '%.js%' ESCAPE '\\' OR NewValue LIKE '%.ps%' ESCAPE '\\' OR NewValue LIKE '%.vb%' ESCAPE '\\' OR NewValue LIKE '%.jar%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.msi%' ESCAPE '\\' OR NewValue LIKE '%.vbs%' ESCAPE '\\')) AND NOT ((NewValue LIKE '%\\\\system32\\\\CompatTelRunner.exe%' ESCAPE '\\' OR NewValue LIKE '%\\\\system32\\\\DeviceCensus.exe%' ESCAPE '\\')))" ], "filename": "registry_set_telemetry_persistence.yml" }, { "title": "Potential Persistence Via Scrobj.dll COM Hijacking", "id": "fe20dda1-6f37-4379-bbe0-a98d400cae90", "status": "experimental", "description": "Detect use of scrobj.dll as this DLL looks for the ScriptletURL key to get the location of the script to execute", "author": "frack113", "tags": [ "attack.persistence", "attack.t1546.015" ], "falsepositives": [ "Legitimate use of the dll." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%InprocServer32\\\\(Default)' ESCAPE '\\' AND NewValue LIKE 'C:\\\\WINDOWS\\\\system32\\\\scrobj.dll' ESCAPE '\\')" ], "filename": "registry_set_persistence_scrobj_dll.yml" }, { "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification", "id": "480421f9-417f-4d3b-9552-fd2728443ec8", "status": "experimental", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Windows\\\\Appinit\\_Dlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Image File Execution Options%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Drivers32%' ESCAPE '\\')) AND NOT ((NewValue LIKE '(Empty)' ESCAPE '\\' OR NewValue LIKE '\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options' ESCAPE '\\')))" ], "filename": "registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml" }, { "title": "ScreenSaver Registry Key Set", "id": "40b6e656-4e11-4c0c-8772-c1cc6dae34ce", "status": "experimental", "description": "Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl", "author": "Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)", "tags": [ "attack.defense_evasion", "attack.t1218.011" ], "falsepositives": [ "Legitimate use of screen saver" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE%' ESCAPE '\\' AND NewValue LIKE '%.scr' ESCAPE '\\') AND NOT ((NewValue LIKE '%C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_scr_file_executed_by_rundll32.yml" }, { "title": "New DNS ServerLevelPluginDll Installed", "id": "e61e8a88-59a9-451c-874e-70fcc9740d67", "status": "experimental", "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1574.002", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\services\\\\DNS\\\\Parameters\\\\ServerLevelPluginDll' ESCAPE '\\')" ], "filename": "registry_set_dns_server_level_plugin_dll.yml" }, { "title": "Disable Sysmon Event Logging Via Registry", "id": "4916a35e-bfc4-47d0-8e25-a003d7067061", "status": "experimental", "description": "Detects changes in Sysmon driver altitude. If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.", "author": "B.Talebi", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate driver altitude change to hide sysmon" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Instances\\\\Sysmon Instance\\\\Altitude' ESCAPE '\\')" ], "filename": "registry_set_change_sysmon_driver_altitude.yml" }, { "title": "Outlook Macro Execution Without Warning Setting Enabled", "id": "e3b50fa5-3c3f-444e-937b-0a99d33731cd", "status": "test", "description": "Detects the modification of Outlook security setting to allow unprompted execution of macros.", "author": "@ScoubiMtl", "tags": [ "attack.persistence", "attack.command_and_control", "attack.t1137", "attack.t1008", "attack.t1546" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\Level' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" ], "filename": "registry_set_office_outlook_enable_macro_execution.yml" }, { "title": "Windows Defender Service Disabled", "id": "e1aa95de-610a-427d-b9e7-9b46cfafbe6a", "status": "experimental", "description": "Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry", "author": "Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Administrator actions" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\WinDefend\\\\Start' ESCAPE '\\' AND NewValue = 'DWORD (0x00000004)')" ], "filename": "registry_set_disable_windows_defender_service.yml" }, { "title": "Modify User Shell Folders Startup Value", "id": "9c226817-8dc9-46c2-a58d-66655aafd7dc", "status": "experimental", "description": "Detect modification of the startup key to a path where a payload could be stored to be launched during startup", "author": "frack113", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1547.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders%' ESCAPE '\\' AND TargetObject LIKE '%Startup' ESCAPE '\\')" ], "filename": "registry_set_susp_user_shell_folders.yml" }, { "title": "Winlogon AllowMultipleTSSessions Enable", "id": "f7997770-92c3-4ec9-b112-774c4ef96f96", "status": "experimental", "description": "Detects when the 'AllowMultipleTSSessions' value is enabled.\nWhich allows for multiple Remote Desktop connection sessions to be opened at once.\nThis is often used by attacker as a way to connect to an RDP session without disconnecting the other users\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Legitimate use of the multi session functionality" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AllowMultipleTSSessions' ESCAPE '\\' AND NewValue LIKE '%DWORD (0x00000001)' ESCAPE '\\')" ], "filename": "registry_set_winlogon_allow_multiple_tssessions.yml" }, { "title": "Add Debugger Entry To Hangs Key For Persistence", "id": "833ef470-fa01-4631-a79b-6f291c9ac498", "status": "experimental", "description": "Detects when an attacker adds a new \"Debugger\" value to the \"Hangs\" key in order to achieve persistence which will get invoked when an application crashes", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "This value is not set by default but could be rarly used by administrators" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\Debugger%' ESCAPE '\\')" ], "filename": "registry_set_hangs_debugger_persistence.yml" }, { "title": "Disable Exploit Guard Network Protection on Windows Defender", "id": "bf9e1387-b040-4393-9851-1598f8ecfae9", "status": "experimental", "description": "Detects disabling Windows Defender Exploit Guard Network Protection", "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride%' ESCAPE '\\' AND NewValue = 'DWORD (00000001)')" ], "filename": "registry_set_disabled_exploit_guard_net_protection_on_ms_defender.yml" }, { "title": "CobaltStrike Service Installations in Registry", "id": "61a7697c-cb79-42a8-a2ff-5f0cdfae0130", "status": "test", "description": "Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.\nWe can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml)\nIn some SIEM you can catch those events also in HKLM\\System\\ControlSet001\\Services or HKLM\\System\\ControlSet002\\Services, however, this rule is based on a regular sysmon's events.\n", "author": "Wojciech Lesicki", "tags": [ "attack.execution", "attack.privilege_escalation", "attack.lateral_movement", "attack.t1021.002", "attack.t1543.003", "attack.t1569.002" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%HKLM\\\\System\\\\CurrentControlSet\\\\Services%' ESCAPE '\\') AND ((NewValue LIKE '%ADMIN$%' ESCAPE '\\' AND NewValue LIKE '%.exe%' ESCAPE '\\') OR (NewValue LIKE '%\\%COMSPEC\\%%' ESCAPE '\\' AND NewValue LIKE '%start%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\')))" ], "filename": "registry_set_cobaltstrike_service_installs.yml" }, { "title": "Suspicious Printer Driver Empty Manufacturer", "id": "e0813366-0407-449a-9869-a2db1119dc41", "status": "test", "description": "Detects a suspicious printer driver installation with an empty Manufacturer value", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.privilege_escalation", "attack.t1574", "cve.2021.1675" ], "falsepositives": [ "Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Manufacturer%' ESCAPE '\\' AND NewValue = '(Empty)') AND NOT ((TargetObject LIKE '%\\\\CutePDF Writer v4.0\\\\%' ESCAPE '\\') OR ((TargetObject LIKE '%\\\\VNC Printer (PS)\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\VNC Printer (UD)\\\\%' ESCAPE '\\')) OR (TargetObject LIKE '%\\\\Version-3\\\\PDF24\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_susp_printer_driver.yml" }, { "title": "Change User Account Associated with the FAX Service", "id": "e3fdf743-f05b-4051-990a-b66919be1743", "status": "experimental", "description": "Detect change of the user account associated with the FAX service to avoid the escalation problem.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\Fax\\\\ObjectName' ESCAPE '\\' AND NOT (NewValue LIKE '%NetworkService%' ESCAPE '\\'))" ], "filename": "registry_set_fax_change_service_user.yml" }, { "title": "New Root or CA or AuthRoot Certificate to Store", "id": "d223b46b-5621-4037-88fe-fda32eead684", "status": "experimental", "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", "author": "frack113", "tags": [ "attack.impact", "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\Root\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\CA\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\EnterpriseCertificates\\\\AuthRoot\\\\Certificates\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Blob' ESCAPE '\\' AND NewValue = 'Binary Data')" ], "filename": "registry_set_install_root_or_ca_certificat.yml" }, { "title": "COM Hijacking via TreatAs", "id": "dc5c24af-6995-49b2-86eb-a9ff62199e82", "status": "experimental", "description": "Detect modification of TreatAs key to enable \"rundll32.exe -sta\" command", "author": "frack113", "tags": [ "attack.persistence", "attack.t1546.015" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%TreatAs\\\\(Default)' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\integration\\\\integrator.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\svchost.exe' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\'))))" ], "filename": "registry_set_treatas_persistence.yml" }, { "title": "Potential Persistence Via Mpnotify", "id": "92772523-d9c1-4c93-9547-b0ca500baba3", "status": "experimental", "description": "Detects when an attacker register a new SIP provider for persistence and defense evasion", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Might trigger if a legitimate new SIP provider is registered. But this is not a common occurrence in an environment and should be investigated either way" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\mpnotify%' ESCAPE '\\')" ], "filename": "registry_set_persistence_mpnotify.yml" }, { "title": "Disable Windows Event Logging Via Registry", "id": "2f78da12-f7c7-430b-8b19-a28f269b77a3", "status": "experimental", "description": "Detects tampering with the \"Enabled\" registry key in order to disable windows logging of a windows event channel", "author": "frack113, Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ "Rare falsepositives may occur from legitimate administrators disabling specific event log for troubleshooting" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE '%\\\\Windows\\\\system32\\\\wevtutil.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\winsxs\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\TiWorker.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-FileInfoMinifilter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-ASN1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Kernel-AppCompat\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Runtime\\\\Error\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-CAPI2/Operational\\\\%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\WINEVT\\\\Channels\\\\Microsoft-Windows-Compat-Appraiser%' ESCAPE '\\'))) AND NOT ((NewProcessName = '') OR (NewProcessName = '')))" ], "filename": "registry_set_disable_winevt_logging.yml" }, { "title": "Potential Persistence Via DLLPathOverride", "id": "a1b1fd53-9c4a-444c-bae0-34a330fc7aa8", "status": "experimental", "description": "Detects when an attacker adds a new \"DLLPathOverride\" value to the \"Natural Language\" key in order to achieve persistence which will get invoked by \"SearchIndexer.exe\" process", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\ContentIndex\\\\Language\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\StemmerDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBDLLPathOverride%' ESCAPE '\\' OR TargetObject LIKE '%\\\\StemmerClass%' ESCAPE '\\' OR TargetObject LIKE '%\\\\WBreakerClass%' ESCAPE '\\'))" ], "filename": "registry_set_persistence_natural_language.yml" }, { "title": "Disable PUA Protection on Windows Defender", "id": "8ffc5407-52e3-478f-9596-0a7371eafe13", "status": "experimental", "description": "Detects disabling Windows Defender PUA protection", "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disabled_pua_protection_on_microsoft_defender.yml" }, { "title": "Potential Persistence Via Outlook Today Pages", "id": "487bb375-12ef-41f6-baae-c6a1572b4dd1", "status": "experimental", "description": "Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key \"UserDefinedUrl\".", "author": "Tobias Michalski (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Today\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%Stamp' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR TargetObject LIKE '%UserDefinedUrl' ESCAPE '\\')) AND NOT (((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\')))" ], "filename": "registry_set_persistence_outlook_todaypage.yml" }, { "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry", "id": "6763c6c8-bd01-4687-bc8d-4fa52cf8ba08", "status": "experimental", "description": "Detects an attacker trying to enable the outlook security setting \"EnableUnsafeClientMailRules\" which allows outlook to run applications or execute macros", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\EnableUnsafeClientMailRules' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], "filename": "registry_set_office_outlook_enable_unsafe_client_mail_rules.yml" }, { "title": "Potential Persistence Via COM Search Order Hijacking", "id": "a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12", "status": "experimental", "description": "Detects potential COM object hijacking leveraging the COM Search Order", "author": "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien", "tags": [ "attack.persistence", "attack.t1546.015" ], "falsepositives": [ "Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\') AND NOT (((NewValue LIKE '%\\%\\%systemroot\\%\\%\\\\system32\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%\\%systemroot\\%\\%\\\\SysWow64\\\\%' ESCAPE '\\')) OR ((NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\FileCoAuthLib64.dll%' ESCAPE '\\' OR NewValue LIKE '%\\\\FileSyncShell64.dll%' ESCAPE '\\' OR NewValue LIKE '%\\\\FileSyncApi64.dll%' ESCAPE '\\')) OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\TeamsMeetingAddin\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Microsoft.Teams.AddinLoader.dll%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Dropbox\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\DropboxExt64.%.dll%' ESCAPE '\\') OR (NewValue LIKE '%TmopIEPlg.dll' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\wuauclt.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewValue LIKE '%\\\\FileRepository\\\\nvmdi.inf%' ESCAPE '\\') OR (NewProcessName LIKE '%\\\\MicrosoftEdgeUpdateComRegisterShell64.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\WINDOWS\\\\SYSTEM32\\\\dxdiag.exe' ESCAPE '\\') OR ((NewValue LIKE 'C:\\\\Windows\\\\pyshellext.amd64.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\pyshellext.dll' ESCAPE '\\')) OR ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\dnssdX.dll' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Windows\\\\SysWOW64\\\\dnssdX.dll' ESCAPE '\\')) OR (NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR ((NewValue LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\')) OR (NewValue LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\%' ESCAPE '\\') OR (NewValue LIKE '%C:\\\\WINDOWS\\\\system32\\\\GamingServicesProxy.dll%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\System32\\\\Autopilot.dll%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\SecurityHealthService.exe' ESCAPE '\\' AND NewValue LIKE '%C:\\\\Windows\\\\System32\\\\SecurityHealth%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe' ESCAPE '\\') AND TargetObject LIKE '%\\\\InProcServer32\\\\(Default)' ESCAPE '\\')))" ], "filename": "registry_set_persistence_search_order.yml" }, { "title": "Blue Mockingbird - Registry", "id": "92b0b372-a939-44ed-a11b-5136cf680e27", "status": "experimental", "description": "Attempts to detect system changes made by Blue Mockingbird", "author": "Trent Liffick (@tliffick)", "tags": [ "attack.execution", "attack.t1112", "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\wercplsupport\\\\Parameters\\\\ServiceDll' ESCAPE '\\')" ], "filename": "registry_set_mal_blue_mockingbird.yml" }, { "title": "Classes Autorun Keys Modification", "id": "9df5f547-c86a-433e-b533-f2794357e242", "status": "experimental", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Classes%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\ExtShellFolderViews%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Folder\\\\Shellex\\\\ColumnHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Filter%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Exefile\\\\Shell\\\\Open\\\\Command\\\\(Default)%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Directory\\\\Shellex\\\\CopyHookHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{AC757296-3522-4E11-9862-C17BE5A1767E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{7ED96837-96F0-4812-B211-F13C24117ED3}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CLSID\\\\{083863F1-70DE-11d0-BD40-00A0C911CE86}\\\\Instance%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Classes\\\\AllFileSystemObjects\\\\ShellEx\\\\DragDropHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.exe%' ESCAPE '\\' OR TargetObject LIKE '%\\\\.cmd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\PropertySheetHandlers%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ShellEx\\\\ContextMenuHandlers%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR (NewValue = '{807583E5-5146-11D5-A672-00B0D022E945}') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\drvinst.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\lnkfile\\\\shellex\\\\ContextMenuHandlers\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_asep_reg_keys_modification_classes.yml" }, { "title": "Disable Macro Runtime Scan Scope", "id": "ab871450-37dc-4a3a-997f-6662aa8ae0f1", "description": "Detects tampering with the MacroRuntimeScanScope registry key to disable runtime scanning of enabled macros", "status": "experimental", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Common\\\\Security%' ESCAPE '\\' AND TargetObject LIKE '%\\\\MacroRuntimeScanScope' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_macroruntimescanscope.yml" }, { "title": "Disable Windows Firewall by Registry", "id": "e78c408a-e2ea-43cd-b5ea-51975cf358c0", "status": "experimental", "description": "Detect set EnableFirewall to 0 to disable the windows firewall", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\StandardProfile\\\\EnableFirewall' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall\\\\DomainProfile\\\\EnableFirewall' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_windows_firewall.yml" }, { "title": "PowerShell Logging Disabled Via Registry Key Tampering", "id": "fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7", "status": "experimental", "description": "Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\PowerShell\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Microsoft\\\\PowerShellCore\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\ModuleLogging\\\\EnableModuleLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\ScriptBlockLogging\\\\EnableScriptBlockInvocationLogging' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableTranscripting' ESCAPE '\\' OR TargetObject LIKE '%\\\\Transcription\\\\EnableInvocationHeader' ESCAPE '\\' OR TargetObject LIKE '%\\\\EnableScripts' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_powershell_logging_disabled.yml" }, { "title": "Disabled RestrictedAdminMode For RDS", "id": "d6ce7ebd-260b-4323-9768-a9631c8d4db2", "status": "experimental", "description": "Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode.\nRestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.\nThis prevents your credentials from being harvested during the initial connection process if the remote server has been compromise\n", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\DisableRestrictedAdmin' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], "filename": "registry_set_lsa_disablerestrictedadmin.yml" }, { "title": "Registry Hide Function from User", "id": "5a93eb65-dffa-4543-b761-94aa60098fb6", "status": "test", "description": "Detects registry modifications that hide internal tools or functions from the user (malware like Agent Tesla, Hermetic Wiper uses this technique)", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Legitimate admin script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideClock' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAHealth' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCANetwork' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAPower' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\HideSCAVolume' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowInfoTip' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowCompColor' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" ], "filename": "registry_set_hide_function_user.yml" }, { "title": "Registry Explorer Policy Modification", "id": "1c3121ed-041b-4d97-a075-07f54f20fb4a", "status": "test", "description": "Detects registry modifications that disable internal tools or functions in explorer (malware like Agent Tesla uses this technique)", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Legitimate admin script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoLogOff' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoDesktop' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoRun' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFind' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoControlPanel' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoFileMenu' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoClose' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoSetTaskbar' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoPropertiesMyDocuments' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\NoTrayContextMenu' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], "filename": "registry_set_set_nopolicies_user.yml" }, { "title": "Potential Persistence Using DebugPath", "id": "df4dc653-1029-47ba-8231-3c44238cc0ae", "status": "experimental", "description": "Detects potential persistence using Appx DebugPath", "author": "frack113", "tags": [ "attack.persistence", "attack.t1546.015" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ActivatableClasses\\\\Package\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\DebugPath' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PackagedAppXDebug\\\\Microsoft.%' ESCAPE '\\' AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\')))" ], "filename": "registry_set_persistence_appx_debugger.yml" }, { "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension", "id": "b64a026b-8deb-4c1d-92fd-98893209dff1", "status": "test", "description": "Running Chrome VPN Extensions via the Registry install 2 vpn extension", "author": "frack113", "tags": [ "attack.persistence", "attack.t1133" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Software\\\\Wow6432Node\\\\Google\\\\Chrome\\\\Extensions%' ESCAPE '\\' AND TargetObject LIKE '%update\\_url' ESCAPE '\\' AND EventType = 'SetValue' AND (TargetObject LIKE '%fdcgdnkidjaadafnichfpabhfomcebme%' ESCAPE '\\' OR TargetObject LIKE '%fcfhplploccackoneaefokcmbjfbkenj%' ESCAPE '\\' OR TargetObject LIKE '%bihmplhobchoageeokmgbdihknkjbknd%' ESCAPE '\\' OR TargetObject LIKE '%gkojfkhlekighikafcpjkiklfbnlmeio%' ESCAPE '\\' OR TargetObject LIKE '%jajilbjjinjmgcibalaakngmkilboobh%' ESCAPE '\\' OR TargetObject LIKE '%gjknjjomckknofjidppipffbpoekiipm%' ESCAPE '\\' OR TargetObject LIKE '%nabbmpekekjknlbkgpodfndbodhijjem%' ESCAPE '\\' OR TargetObject LIKE '%kpiecbcckbofpmkkkdibbllpinceiihk%' ESCAPE '\\' OR TargetObject LIKE '%nlbejmccbhkncgokjcmghpfloaajcffj%' ESCAPE '\\' OR TargetObject LIKE '%omghfjlpggmjjaagoclmmobgdodcjboh%' ESCAPE '\\' OR TargetObject LIKE '%bibjcjfmgapbfoljiojpipaooddpkpai%' ESCAPE '\\' OR TargetObject LIKE '%mpcaainmfjjigeicjnlkdfajbioopjko%' ESCAPE '\\' OR TargetObject LIKE '%jljopmgdobloagejpohpldgkiellmfnc%' ESCAPE '\\' OR TargetObject LIKE '%lochiccbgeohimldjooaakjllnafhaid%' ESCAPE '\\' OR TargetObject LIKE '%nhnfcgpcbfclhfafjlooihdfghaeinfc%' ESCAPE '\\' OR TargetObject LIKE '%ookhnhpkphagefgdiemllfajmkdkcaim%' ESCAPE '\\' OR TargetObject LIKE '%namfblliamklmeodpcelkokjbffgmeoo%' ESCAPE '\\' OR TargetObject LIKE '%nbcojefnccbanplpoffopkoepjmhgdgh%' ESCAPE '\\' OR TargetObject LIKE '%majdfhpaihoncoakbjgbdhglocklcgno%' ESCAPE '\\' OR TargetObject LIKE '%lnfdmdhmfbimhhpaeocncdlhiodoblbd%' ESCAPE '\\' OR TargetObject LIKE '%eppiocemhmnlbhjplcgkofciiegomcon%' ESCAPE '\\' OR TargetObject LIKE '%cocfojppfigjeefejbpfmedgjbpchcng%' ESCAPE '\\' OR TargetObject LIKE '%foiopecknacmiihiocgdjgbjokkpkohc%' ESCAPE '\\' OR TargetObject LIKE '%hhdobjgopfphlmjbmnpglhfcgppchgje%' ESCAPE '\\' OR TargetObject LIKE '%jgbaghohigdbgbolncodkdlpenhcmcge%' ESCAPE '\\' OR TargetObject LIKE '%inligpkjkhbpifecbdjhmdpcfhnlelja%' ESCAPE '\\' OR TargetObject LIKE '%higioemojdadgdbhbbbkfbebbdlfjbip%' ESCAPE '\\' OR TargetObject LIKE '%hipncndjamdcmphkgngojegjblibadbe%' ESCAPE '\\' OR TargetObject LIKE '%iolonopooapdagdemdoaihahlfkncfgg%' ESCAPE '\\' OR TargetObject LIKE '%nhfjkakglbnnpkpldhjmpmmfefifedcj%' ESCAPE '\\' OR TargetObject LIKE '%jpgljfpmoofbmlieejglhonfofmahini%' ESCAPE '\\' OR TargetObject LIKE '%fgddmllnllkalaagkghckoinaemmogpe%' ESCAPE '\\' OR TargetObject LIKE '%ejkaocphofnobjdedneohbbiilggdlbi%' ESCAPE '\\' OR TargetObject LIKE '%keodbianoliadkoelloecbhllnpiocoi%' ESCAPE '\\' OR TargetObject LIKE '%hoapmlpnmpaehilehggglehfdlnoegck%' ESCAPE '\\' OR TargetObject LIKE '%poeojclicodamonabcabmapamjkkmnnk%' ESCAPE '\\' OR TargetObject LIKE '%dfkdflfgjdajbhocmfjolpjbebdkcjog%' ESCAPE '\\' OR TargetObject LIKE '%kcdahmgmaagjhocpipbodaokikjkampi%' ESCAPE '\\' OR TargetObject LIKE '%klnkiajpmpkkkgpgbogmcgfjhdoljacg%' ESCAPE '\\' OR TargetObject LIKE '%lneaocagcijjdpkcabeanfpdbmapcjjg%' ESCAPE '\\' OR TargetObject LIKE '%pgfpignfckbloagkfnamnolkeaecfgfh%' ESCAPE '\\' OR TargetObject LIKE '%jplnlifepflhkbkgonidnobkakhmpnmh%' ESCAPE '\\' OR TargetObject LIKE '%jliodmnojccaloajphkingdnpljdhdok%' ESCAPE '\\' OR TargetObject LIKE '%hnmpcagpplmpfojmgmnngilcnanddlhb%' ESCAPE '\\' OR TargetObject LIKE '%ffbkglfijbcbgblgflchnbphjdllaogb%' ESCAPE '\\' OR TargetObject LIKE '%kcndmbbelllkmioekdagahekgimemejo%' ESCAPE '\\' OR TargetObject LIKE '%jdgilggpfmjpbodmhndmhojklgfdlhob%' ESCAPE '\\' OR TargetObject LIKE '%bihhflimonbpcfagfadcnbbdngpopnjb%' ESCAPE '\\' OR TargetObject LIKE '%ppajinakbfocjfnijggfndbdmjggcmde%' ESCAPE '\\' OR TargetObject LIKE '%oofgbpoabipfcfjapgnbbjjaenockbdp%' ESCAPE '\\' OR TargetObject LIKE '%bhnhkdgoefpmekcgnccpnhjfdgicfebm%' ESCAPE '\\' OR TargetObject LIKE '%knmmpciebaoojcpjjoeonlcjacjopcpf%' ESCAPE '\\' OR TargetObject LIKE '%dhadilbmmjiooceioladdphemaliiobo%' ESCAPE '\\' OR TargetObject LIKE '%jedieiamjmoflcknjdjhpieklepfglin%' ESCAPE '\\' OR TargetObject LIKE '%mhngpdlhojliikfknhfaglpnddniijfh%' ESCAPE '\\' OR TargetObject LIKE '%omdakjcmkglenbhjadbccaookpfjihpa%' ESCAPE '\\' OR TargetObject LIKE '%npgimkapccfidfkfoklhpkgmhgfejhbj%' ESCAPE '\\' OR TargetObject LIKE '%akeehkgglkmpapdnanoochpfmeghfdln%' ESCAPE '\\' OR TargetObject LIKE '%gbmdmipapolaohpinhblmcnpmmlgfgje%' ESCAPE '\\' OR TargetObject LIKE '%aigmfoeogfnljhnofglledbhhfegannp%' ESCAPE '\\' OR TargetObject LIKE '%cgojmfochfikphincbhokimmmjenhhgk%' ESCAPE '\\' OR TargetObject LIKE '%ficajfeojakddincjafebjmfiefcmanc%' ESCAPE '\\' OR TargetObject LIKE '%ifnaibldjfdmaipaddffmgcmekjhiloa%' ESCAPE '\\' OR TargetObject LIKE '%jbnmpdkcfkochpanomnkhnafobppmccn%' ESCAPE '\\' OR TargetObject LIKE '%apcfdffemoinopelidncddjbhkiblecc%' ESCAPE '\\' OR TargetObject LIKE '%mjolnodfokkkaichkcjipfgblbfgojpa%' ESCAPE '\\' OR TargetObject LIKE '%oifjbnnafapeiknapihcmpeodaeblbkn%' ESCAPE '\\' OR TargetObject LIKE '%plpmggfglncceinmilojdkiijhmajkjh%' ESCAPE '\\' OR TargetObject LIKE '%mjnbclmflcpookeapghfhapeffmpodij%' ESCAPE '\\' OR TargetObject LIKE '%bblcccknbdbplgmdjnnikffefhdlobhp%' ESCAPE '\\' OR TargetObject LIKE '%aojlhgbkmkahabcmcpifbolnoichfeep%' ESCAPE '\\' OR TargetObject LIKE '%lcmammnjlbmlbcaniggmlejfjpjagiia%' ESCAPE '\\' OR TargetObject LIKE '%knajdeaocbpmfghhmijicidfcmdgbdpm%' ESCAPE '\\' OR TargetObject LIKE '%bdlcnpceagnkjnjlbbbcepohejbheilk%' ESCAPE '\\' OR TargetObject LIKE '%edknjdjielmpdlnllkdmaghlbpnmjmgb%' ESCAPE '\\' OR TargetObject LIKE '%eidnihaadmmancegllknfbliaijfmkgo%' ESCAPE '\\' OR TargetObject LIKE '%ckiahbcmlmkpfiijecbpflfahoimklke%' ESCAPE '\\' OR TargetObject LIKE '%macdlemfnignjhclfcfichcdhiomgjjb%' ESCAPE '\\' OR TargetObject LIKE '%chioafkonnhbpajpengbalkececleldf%' ESCAPE '\\' OR TargetObject LIKE '%amnoibeflfphhplmckdbiajkjaoomgnj%' ESCAPE '\\' OR TargetObject LIKE '%llbhddikeonkpbhpncnhialfbpnilcnc%' ESCAPE '\\' OR TargetObject LIKE '%pcienlhnoficegnepejpfiklggkioccm%' ESCAPE '\\' OR TargetObject LIKE '%iocnglnmfkgfedpcemdflhkchokkfeii%' ESCAPE '\\' OR TargetObject LIKE '%igahhbkcppaollcjeaaoapkijbnphfhb%' ESCAPE '\\' OR TargetObject LIKE '%njpmifchgidinihmijhcfpbdmglecdlb%' ESCAPE '\\' OR TargetObject LIKE '%ggackgngljinccllcmbgnpgpllcjepgc%' ESCAPE '\\' OR TargetObject LIKE '%kchocjcihdgkoplngjemhpplmmloanja%' ESCAPE '\\' OR TargetObject LIKE '%bnijmipndnicefcdbhgcjoognndbgkep%' ESCAPE '\\' OR TargetObject LIKE '%lklekjodgannjcccdlbicoamibgbdnmi%' ESCAPE '\\' OR TargetObject LIKE '%dbdbnchagbkhknegmhgikkleoogjcfge%' ESCAPE '\\' OR TargetObject LIKE '%egblhcjfjmbjajhjhpmnlekffgaemgfh%' ESCAPE '\\' OR TargetObject LIKE '%ehbhfpfdkmhcpaehaooegfdflljcnfec%' ESCAPE '\\' OR TargetObject LIKE '%bkkgdjpomdnfemhhkalfkogckjdkcjkg%' ESCAPE '\\' OR TargetObject LIKE '%almalgbpmcfpdaopimbdchdliminoign%' ESCAPE '\\' OR TargetObject LIKE '%akkbkhnikoeojlhiiomohpdnkhbkhieh%' ESCAPE '\\' OR TargetObject LIKE '%gbfgfbopcfokdpkdigfmoeaajfmpkbnh%' ESCAPE '\\' OR TargetObject LIKE '%bniikohfmajhdcffljgfeiklcbgffppl%' ESCAPE '\\' OR TargetObject LIKE '%lejgfmmlngaigdmmikblappdafcmkndb%' ESCAPE '\\' OR TargetObject LIKE '%ffhhkmlgedgcliajaedapkdfigdobcif%' ESCAPE '\\' OR TargetObject LIKE '%gcknhkkoolaabfmlnjonogaaifnjlfnp%' ESCAPE '\\' OR TargetObject LIKE '%pooljnboifbodgifngpppfklhifechoe%' ESCAPE '\\' OR TargetObject LIKE '%fjoaledfpmneenckfbpdfhkmimnjocfa%' ESCAPE '\\' OR TargetObject LIKE '%aakchaleigkohafkfjfjbblobjifikek%' ESCAPE '\\' OR TargetObject LIKE '%dpplabbmogkhghncfbfdeeokoefdjegm%' ESCAPE '\\' OR TargetObject LIKE '%padekgcemlokbadohgkifijomclgjgif%' ESCAPE '\\' OR TargetObject LIKE '%bfidboloedlamgdmenmlbipfnccokknp%' ESCAPE '\\'))" ], "filename": "registry_set_chrome_extension.yml" }, { "title": "UAC Bypass via Sdclt", "id": "5b872a46-3b90-45c1-8419-f675db8053aa", "status": "experimental", "description": "Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)", "author": "Omer Yampel, Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002", "car.2019-04-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\exefile\\\\shell\\\\runas\\\\command\\\\isolatedCommand' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Classes\\\\Folder\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue REGEXP '-1[0-9]{3}\\\\Software\\\\Classes\\\\')))" ], "filename": "registry_set_uac_bypass_sdclt.yml" }, { "title": "Set TimeProviders DllName", "id": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "status": "experimental", "description": "Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProvider.\nAdversaries may abuse time providers to execute DLLs when the system boots.\nThe Windows Time service (W32Time) enables time synchronization across and within domains.\n", "author": "frack113", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1547.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\W32Time\\\\TimeProviders%' ESCAPE '\\' AND TargetObject LIKE '%DllName' ESCAPE '\\') AND NOT (NewValue LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL' ESCAPE '\\'))" ], "filename": "registry_set_timeproviders_dllname.yml" }, { "title": "Potential Persistence Via COM Hijacking From Suspicious Locations", "id": "3d968d17-ffa4-4bc0-bfdc-f139de76ce77", "status": "experimental", "description": "Detects potential COM object hijacking where the \"Server\" (In/Out) is pointing to a supsicious or unsuale location", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1546.015" ], "falsepositives": [ "Probable legitimate applications. If you find these please add them to an exclusion list" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKCR\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CLASSES\\_ROOT\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKCU\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKEY\\_CURRENT\\_USER\\\\Software\\\\Classes\\\\CLSID\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\InprocServer32\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%\\\\LocalServer32\\\\(Default)' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\System32\\\\spool\\\\drivers\\\\color\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%appdata\\%%' ESCAPE '\\'))" ], "filename": "registry_set_persistence_com_hijacking_susp_locations.yml" }, { "title": "Changing RDP Port to Non Standard Number", "id": "509e84b9-a71a-40e0-834f-05470369bd1e", "status": "test", "description": "Remote desktop is a common feature in operating systems.\nIt allows a user to log into an interactive session with a system desktop graphical user interface on a remote system.\nMicrosoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).\n", "author": "frack113", "tags": [ "attack.persistence", "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\PortNumber' ESCAPE '\\') AND NOT (NewValue = 'DWORD (0x00000d3d)'))" ], "filename": "registry_set_change_rdp_port.yml" }, { "title": "Blackbyte Ransomware Registry", "id": "83314318-052a-4c90-a1ad-660ece38d276", "status": "test", "description": "BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LocalAccountTokenFilterPolicy' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLinkedConnections' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem\\\\LongPathsEnabled' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')" ], "filename": "registry_set_blackbyte_ransomware.yml" }, { "title": "ETW Logging Disabled For SCM", "id": "4f281b83-0200-4b34-bf35-d24687ea57c2", "status": "experimental", "description": "Detects changes to the \"TracingDisabled\" key in order to disable ETW logging for services.exe (SCM)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1112", "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Tracing\\\\SCM\\\\Regular\\\\TracingDisabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], "filename": "registry_set_services_etw_tamper.yml" }, { "title": "Enabling COR Profiler Environment Variables", "id": "ad89044a-8f49-4673-9a55-cbd88a1b374f", "status": "test", "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.defense_evasion", "attack.t1574.012" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\COR\\_ENABLE\\_PROFILING' ESCAPE '\\' OR TargetObject LIKE '%\\\\COR\\_PROFILER' ESCAPE '\\'))" ], "filename": "registry_set_enabling_cor_profiler_env_variables.yml" }, { "title": "Potential Persistence Via GlobalFlags", "id": "36803969-5421-41ec-b92f-8500f79c23b0", "status": "test", "description": "Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys", "author": "Karneades, Jonhnathan Ribeiro, Florian Roth", "tags": [ "attack.privilege_escalation", "attack.persistence", "attack.defense_evasion", "attack.t1546.012", "car.2013-01-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Image File Execution Options\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\GlobalFlag%' ESCAPE '\\' AND TargetObject LIKE '%\\\\SilentProcessExit\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\ReportingMode%' ESCAPE '\\' OR TargetObject LIKE '%\\\\MonitorProcess%' ESCAPE '\\'))" ], "filename": "registry_set_persistence_globalflags.yml" }, { "title": "Potential Persistence Via MyComputer Registry Keys", "id": "8fbe98a8-8f9d-44f8-aa71-8c572e29ef06", "status": "experimental", "description": "Detects modification to the \"Default\" value of the \"MyComputer\" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Unlikely but if you experience FPs add specific processes and locations you would like to monitor for" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\MyComputer%' ESCAPE '\\' AND TargetObject LIKE '%(Default)' ESCAPE '\\')" ], "filename": "registry_set_persistence_mycomputer.yml" }, { "title": "System Scripts Autorun Keys Modification", "id": "e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1", "status": "test", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Startup%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Shutdown%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logon%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Logoff%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" ], "filename": "registry_set_asep_reg_keys_modification_system_scripts.yml" }, { "title": "Usage of Renamed Sysinternals Tools - RegistrySet", "id": "8023f872-3f1d-4301-a384-801889917ab4", "status": "experimental", "description": "Detects non-sysinternals tools setting the \"accepteula\" key which normally is set on sysinternals tool execution", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.resource_development", "attack.t1588.002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\PsExec%' ESCAPE '\\' OR TargetObject LIKE '%\\\\ProcDump%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Handle%' ESCAPE '\\' OR TargetObject LIKE '%\\\\LiveKd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Process Explorer%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsLoglist%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PsPasswd%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Active Directory Explorer%' ESCAPE '\\') AND TargetObject LIKE '%\\\\EulaAccepted' ESCAPE '\\') AND NOT ((NewProcessName LIKE '%\\\\PsExec.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\PsExec64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procdump64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\livekd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\psloglist64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\pspasswd64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADExplorer64.exe' ESCAPE '\\')))" ], "filename": "registry_set_renamed_sysinternals_eula_accepted.yml" }, { "title": "Service Binary in Uncommon Folder", "id": "277dc340-0540-42e7-8efb-5ff460045e07", "status": "experimental", "description": "Detect the creation of a service with a service binary located in a uncommon directory", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Roaming\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\') OR (NewValue LIKE '%\\\\AppData\\\\Roaming\\\\Zoom%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Zoom%' ESCAPE '\\')))" ], "filename": "registry_set_creation_service_uncommon_folder.yml" }, { "title": "Potential Attachment Manager Settings Associations Tamper", "id": "a9b6c011-ab69-4ddb-bc0a-c4f21c80ec47", "status": "experimental", "description": "Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Associations\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\DefaultFileTypeRisk' ESCAPE '\\' AND NewValue = 'DWORD (0x00006152)') OR (TargetObject LIKE '%\\\\LowRiskFileTypes' ESCAPE '\\' AND (NewValue LIKE '%.zip;%' ESCAPE '\\' OR NewValue LIKE '%.rar;%' ESCAPE '\\' OR NewValue LIKE '%.exe;%' ESCAPE '\\' OR NewValue LIKE '%.bat;%' ESCAPE '\\' OR NewValue LIKE '%.com;%' ESCAPE '\\' OR NewValue LIKE '%.cmd;%' ESCAPE '\\' OR NewValue LIKE '%.reg;%' ESCAPE '\\' OR NewValue LIKE '%.msi;%' ESCAPE '\\' OR NewValue LIKE '%.htm;%' ESCAPE '\\' OR NewValue LIKE '%.html;%' ESCAPE '\\'))))" ], "filename": "registry_set_policies_associations_tamper.yml" }, { "title": "Wdigest Enable UseLogonCredential", "id": "d6a9b252-c666-4de6-8806-5561bbbd3bdc", "status": "test", "description": "Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to enable clear-text credentials", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%WDigest\\\\UseLogonCredential' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], "filename": "registry_set_wdigest_enable_uselogoncredential.yml" }, { "title": "Potential EventLog File Location Tampering", "id": "0cb8d736-995d-4ce7-a31e-1e8d452a1459", "status": "experimental", "description": "Detects tampering with EventLog service \"file\" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting", "author": "D3F7A5105", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\EventLog\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\File' ESCAPE '\\') AND NOT (NewValue LIKE '%\\\\System32\\\\Winevt\\\\Logs\\\\%' ESCAPE '\\'))" ], "filename": "registry_set_evtx_file_key_tamper.yml" }, { "title": "Suspicious Environment Variable Has Been Registered", "id": "966315ef-c5e1-4767-ba25-fce9c8de3660", "status": "test", "description": "Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Environment\\\\%' ESCAPE '\\') AND (NewValue IN ('powershell', 'pwsh') OR (NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%TVqQAAMAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpQAAIAAAAEAA8A%' ESCAPE '\\' OR NewValue LIKE '%TVqAAAEAAAAEABAA%' ESCAPE '\\' OR NewValue LIKE '%TVoAAAAAAAAAAAAA%' ESCAPE '\\' OR NewValue LIKE '%TVpTAQEAAAAEAAAA%' ESCAPE '\\' OR NewValue LIKE '%SW52b2tlL%' ESCAPE '\\' OR NewValue LIKE '%ludm9rZS%' ESCAPE '\\' OR NewValue LIKE '%JbnZva2Ut%' ESCAPE '\\' OR NewValue LIKE '%SQBuAHYAbwBrAGUALQ%' ESCAPE '\\' OR NewValue LIKE '%kAbgB2AG8AawBlAC0A%' ESCAPE '\\' OR NewValue LIKE '%JAG4AdgBvAGsAZQAtA%' ESCAPE '\\') OR (NewValue LIKE 'SUVY%' ESCAPE '\\' OR NewValue LIKE 'SQBFAF%' ESCAPE '\\' OR NewValue LIKE 'SQBuAH%' ESCAPE '\\' OR NewValue LIKE 'cwBhA%' ESCAPE '\\' OR NewValue LIKE 'aWV4%' ESCAPE '\\' OR NewValue LIKE 'aQBlA%' ESCAPE '\\' OR NewValue LIKE 'R2V0%' ESCAPE '\\' OR NewValue LIKE 'dmFy%' ESCAPE '\\' OR NewValue LIKE 'dgBhA%' ESCAPE '\\' OR NewValue LIKE 'dXNpbm%' ESCAPE '\\' OR NewValue LIKE 'H4sIA%' ESCAPE '\\' OR NewValue LIKE 'Y21k%' ESCAPE '\\' OR NewValue LIKE 'cABhAH%' ESCAPE '\\' OR NewValue LIKE 'Qzpc%' ESCAPE '\\' OR NewValue LIKE 'Yzpc%' ESCAPE '\\')))" ], "filename": "registry_set_suspicious_env_variables.yml" }, { "title": "Potential Persistence Via Excel Add-in - Registry", "id": "961e33d1-4f86-4fcf-80ab-930a708b2f82", "status": "experimental", "description": "Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.", "author": "frack113", "tags": [ "attack.persistence", "attack.t1137.006" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Excel\\\\Options' ESCAPE '\\' AND NewValue LIKE '/R %' ESCAPE '\\' AND NewValue LIKE '%.xll' ESCAPE '\\')" ], "filename": "registry_set_persistence_xll.yml" }, { "title": "UAC Bypass via Event Viewer - Registry Set", "id": "7c81fec3-1c1d-43b0-996a-46753041b1b6", "status": "experimental", "description": "Detects UAC bypass method using Windows event viewer", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002", "car.2019-04-001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\mscfile\\\\shell\\\\open\\\\command' ESCAPE '\\')" ], "filename": "registry_set_uac_bypass_eventvwr.yml" }, { "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry", "id": "bf4fc428-dcc3-4bbd-99fe-2422aeee2544", "status": "test", "description": "Potential adversaries stopping ETW providers recording loaded .NET assemblies.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", "attack.t1112", "attack.t1562" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\ETWEnabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\COMPlus\\_ETWEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\COMPlus\\_ETWFlags' ESCAPE '\\') AND NewValue IN ('0', 'DWORD (0x00000000)'))))" ], "filename": "registry_set_dot_net_etw_tamper.yml" }, { "title": "ServiceDll Hijack", "id": "612e47e9-8a59-43a6-b404-f48683f45bd6", "status": "experimental", "description": "Detects changes to the \"ServiceDLL\" value related to a service in the registry. This is often used as a method of persistence.", "author": "frack113", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1543.003" ], "falsepositives": [ "Administrative scripts", "Installation of a service" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Parameters\\\\ServiceDll' ESCAPE '\\') AND NOT ((NewValue LIKE 'C:\\\\Windows\\\\system32\\\\spool\\\\drivers\\\\x64\\\\3\\\\PrintConfig.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\ServiceDll' ESCAPE '\\' AND NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\poqexec.exe' ESCAPE '\\')))" ], "filename": "registry_set_servicedll_hijack.yml" }, { "title": "Potential Persistence Via CHM Helper DLL", "id": "976dd1f2-a484-45ec-aa1d-0e87e882262b", "status": "experimental", "description": "Detects when an attacker modifies the registry key \"HtmlHelp Author\" to achieve persistence", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\HtmlHelp Author\\\\Location%' ESCAPE '\\'))" ], "filename": "registry_set_persistence_chm.yml" }, { "title": "Enable Microsoft Dynamic Data Exchange", "id": "63647769-326d-4dde-a419-b925cc0caf42", "status": "test", "description": "Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.", "author": "frack113", "tags": [ "attack.execution", "attack.t1559.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\Word\\\\Security\\\\AllowDDE' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLaunch' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Security\\\\DisableDDEServerLookup' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" ], "filename": "registry_set_office_enable_dde.yml" }, { "title": "Potential Persistence Via LSA Extensions", "id": "41f6531d-af6e-4c6e-918f-b946f2b85a36", "status": "experimental", "description": "Detects when an attacker modifies the \"REG_MULTI_SZ\" value named \"Extensions\" to include a custom DLL to achieve persistence via lsass.\nThe \"Extensions\" list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\LsaExtensionConfig\\\\LsaSrv\\\\Extensions%' ESCAPE '\\')" ], "filename": "registry_set_persistence_lsa_extension.yml" }, { "title": "Registry Persitence via Service in Safe Mode", "id": "1547e27c-3974-43e2-a7d7-7f484fb928ec", "status": "experimental", "description": "Detects the modification of the registry to allow a driver or service to persist in Safe Mode.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\(Default)' ESCAPE '\\' AND NewValue = 'Service') AND NOT ((NewProcessName LIKE 'C:\\\\WINDOWS\\\\system32\\\\msiexec.exe' ESCAPE '\\' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Minimal\\\\SAVService\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\Network\\\\SAVService\\\\(Default)' ESCAPE '\\'))))" ], "filename": "registry_set_add_load_service_in_safe_mode.yml" }, { "title": "IE Change Domain Zone", "id": "45e112d0-7759-4c2a-aa36-9f8fb79d3393", "status": "experimental", "description": "Hides the file extension through modification of the registry", "author": "frack113", "tags": [ "attack.persistence", "attack.t1137" ], "falsepositives": [ "Administrative scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\\\\Domains\\\\%' ESCAPE '\\') AND NOT (NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', '(Empty)')))" ], "filename": "registry_set_change_security_zones.yml" }, { "title": "Service Binary in Suspicious Folder", "id": "a07f0359-4c90-4dc4-a681-8ffea40b4f47", "status": "experimental", "description": "Detect the creation of a service with a service binary located in a suspicious directory", "author": "Florian Roth (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Start' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\') AND NewValue IN ('DWORD (0x00000000)', 'DWORD (0x00000001)', 'DWORD (0x00000002)')) OR (EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\ImagePath' ESCAPE '\\' AND (NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Perflogs\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\ADMIN$\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Temp\\\\%' ESCAPE '\\'))) AND NOT ((NewProcessName LIKE '%\\\\Common Files\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Temp\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_creation_service_susp_folder.yml" }, { "title": "Office Security Settings Changed", "id": "a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd", "status": "experimental", "description": "Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)", "author": "Trent Liffick (@tliffick)", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Valid Macros and/or internal documents" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Security\\\\Trusted Documents\\\\TrustRecords' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\AccessVBOM' ESCAPE '\\' OR TargetObject LIKE '%\\\\Security\\\\VBAWarnings' ESCAPE '\\'))" ], "filename": "registry_set_office_security.yml" }, { "title": "Disable UAC Using Registry", "id": "48437c39-9e5f-47fb-af95-3d663c3f2919", "status": "experimental", "description": "Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0", "author": "frack113", "tags": [ "attack.privilege_escalation", "attack.defense_evasion", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_uac_registry.yml" }, { "title": "RDP Sensitive Settings Changed to Zero", "id": "a2863fbc-d5cb-48d5-83fb-d976d4b1743b", "status": "test", "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.\n", "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1112" ], "falsepositives": [ "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND (TargetObject LIKE '%\\\\fDenyTSConnections' ESCAPE '\\' OR TargetObject LIKE '%\\\\fSingleSessionPerUser' ESCAPE '\\' OR TargetObject LIKE '%\\\\UserAuthentication' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_terminal_server_suspicious.yml" }, { "title": "Add Port Monitor Persistence in Registry", "id": "944e8941-f6f6-4ee8-ac05-1c224e923c0e", "status": "experimental", "description": "Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.\nA port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.\n", "author": "frack113", "tags": [ "attack.persistence", "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\%' ESCAPE '\\' AND NewValue LIKE '%.dll' ESCAPE '\\' AND EventType = 'SetValue') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\spoolsv.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Monitors\\\\CutePDF Writer Monitor v4.0\\\\Driver%' ESCAPE '\\' AND NewValue LIKE 'cpwmon64\\_v40.dll' ESCAPE '\\' AND (User LIKE '%AUTHORI%' ESCAPE '\\' OR User LIKE '%AUTORI%' ESCAPE '\\')) OR (TargetObject LIKE '%Control\\\\Print\\\\Monitors\\\\MONVNC\\\\Driver%' ESCAPE '\\') OR (TargetObject LIKE '%Control\\\\Print\\\\Environments\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Drivers\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\VNC Printer%' ESCAPE '\\')))" ], "filename": "registry_set_add_port_monitor.yml" }, { "title": "Potential Persistence Via Custom Protocol Handler", "id": "fdbf0b9d-0182-4c43-893b-a1eaab92d085", "status": "experimental", "description": "Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Legitimate applications registering a new custom protocol handler" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (TargetObject LIKE 'HKCR\\\\%' ESCAPE '\\' AND NewValue LIKE 'URL:%' ESCAPE '\\') AND NOT ((NewValue LIKE 'URL:ms-%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\%' ESCAPE '\\'))))" ], "filename": "registry_set_persistence_custom_protocol_handler.yml" }, { "title": "Allow RDP Remote Assistance Feature", "id": "37b437cf-3fc5-4c8e-9c94-1d7c9aff842b", "status": "experimental", "description": "Detect enable rdp feature to allow specific user to rdp connect on the targeted machine", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Legitimate use of the feature (alerts should be investigated either way)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\fAllowToGetHelp' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], "filename": "registry_set_allow_rdp_remote_assistance_feature.yml" }, { "title": "Suspicious Application Allowed Through Exploit Guard", "id": "42205c73-75c8-4a63-9db1-e3782e06fda0", "status": "experimental", "description": "Detects applications being added to the \"allowed applications\" list of exploit guard in order to bypass controlled folder settings", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\AllowedApplications%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\'))" ], "filename": "registry_set_exploit_guard_susp_allowed_apps.yml" }, { "title": "Potential AMSI COM Server Hijacking", "id": "160d2780-31f7-4922-8b3a-efce30e63e96", "status": "experimental", "description": "Detects changes to the AMSI come server registry key in order disable AMSI scanning functionalities. When AMSI attempts to starts its COM component, it will query its registered CLSID and return a non-existent COM server. This causes a load failure and prevents any scanning methods from being accessed, ultimately rendering AMSI useless", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\\\\InProcServer32\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%windir\\%\\\\system32\\\\amsi.dll' ESCAPE '\\'))" ], "filename": "registry_set_amsi_com_hijack.yml" }, { "title": "Disable Windows Security Center Notifications", "id": "3ae1a046-f7db-439d-b7ce-b8b366b81fa6", "status": "experimental", "description": "Detect set UseActionCenterExperience to 0 to disable the windows security center notification", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%Windows\\\\CurrentVersion\\\\ImmersiveShell\\\\UseActionCenterExperience' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_security_center_notifications.yml" }, { "title": "Session Manager Autorun Keys Modification", "id": "046218bd-e0d8-4113-a3c3-895a12b2b298", "status": "test", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", "attack.t1547.001", "attack.t1546.009" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Control\\\\Session Manager%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\SetupExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\S0InitialCommand%' ESCAPE '\\' OR TargetObject LIKE '%\\\\KnownDlls%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Execute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\BootExecute%' ESCAPE '\\' OR TargetObject LIKE '%\\\\AppCertDlls%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" ], "filename": "registry_set_asep_reg_keys_modification_session_manager.yml" }, { "title": "Bypass UAC Using DelegateExecute", "id": "46dd5308-4572-4d12-aa43-8938f0184d4f", "status": "test", "description": "Bypasses User Account Control using a fileless method", "author": "frack113", "tags": [ "attack.privilege_escalation", "attack.defense_evasion", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\' AND NewValue = '(Empty)')" ], "filename": "registry_set_bypass_uac_using_delegateexecute.yml" }, { "title": "Windows Defender Exclusions Added - Registry", "id": "a982fc9c-6333-4ffb-a51d-addb04e8b529", "status": "test", "description": "Detects the Setting of Windows Defender Exclusions", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Administrator actions" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Exclusions%' ESCAPE '\\')" ], "filename": "registry_set_defender_exclusions.yml" }, { "title": "Registry Modification to Hidden File Extension", "id": "5df86130-4e95-4a54-90f7-26541b40aec2", "status": "test", "description": "Hides the file extension through modification of the registry", "author": "frack113", "tags": [ "attack.persistence", "attack.t1137" ], "falsepositives": [ "Administrative scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\HideFileExt' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\' AND NewValue = 'DWORD (0x00000002)')))" ], "filename": "registry_set_hidden_extention.yml" }, { "title": "Outlook Security Settings Updated - Registry", "id": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", "status": "test", "description": "Detects changes to the registry values related to outlook security settings", "author": "frack113", "tags": [ "attack.persistence", "attack.t1137" ], "falsepositives": [ "Administrative activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Outlook\\\\Security\\\\%' ESCAPE '\\' AND EventType = 'SetValue')" ], "filename": "registry_set_office_outlook_security_settings.yml" }, { "title": "Disable Windows Defender Functionalities Via Registry Keys", "id": "0eb46774-f1ab-4a74-8238-1155855f2263", "status": "experimental", "description": "Detects when attackers or tools disable Windows Defender functionalities via the windows registry", "author": "AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Administrator actions" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\') AND (((TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableBehaviorMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableIOAVProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableOnAccessProtection' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableRealtimeMonitoring' ESCAPE '\\' OR TargetObject LIKE '%\\\\Real-Time Protection\\\\DisableScanOnRealtimeEnable' ESCAPE '\\' OR TargetObject LIKE '%\\\\Reporting\\\\DisableEnhancedNotifications' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\DisableBlockAtFirstSeen' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiSpyware' ESCAPE '\\' OR TargetObject LIKE '%\\\\DisableAntiVirus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\SpyNet\\\\SpynetReporting' ESCAPE '\\' OR TargetObject LIKE '%\\\\SpyNet\\\\SubmitSamplesConsent' ESCAPE '\\' OR TargetObject LIKE '%\\\\MpEngine\\\\MpEnablePus' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" ], "filename": "registry_set_windows_defender_tamper.yml" }, { "title": "DNS-over-HTTPS Enabled by Registry", "id": "04b45a8a-d11d-49e4-9acc-4a1b524407a5", "status": "test", "description": "Detects when a user enables DNS-over-HTTPS.\nThis can be used to hide internet activity or be used to hide the process of exfiltrating data.\nWith this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.\n", "author": "Austin Songer", "tags": [ "attack.defense_evasion", "attack.t1140", "attack.t1112" ], "falsepositives": [ "Unlikely" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode' ESCAPE '\\' AND NewValue = 'secure') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\\\\Enabled' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')))" ], "filename": "registry_set_dns_over_https_enabled.yml" }, { "title": "Registry Persistence via Explorer Run Key", "id": "b7916c2a-fa2f-4795-9477-32b731f70f11", "status": "test", "description": "Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder", "author": "Florian Roth (Nextron Systems), oscd.community", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run' ESCAPE '\\') AND ((NewValue LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\ProgramData\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\$Recycle.bin\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE 'C:\\\\Users\\\\Default\\\\%' ESCAPE '\\') OR NewValue LIKE '%\\\\AppData\\\\%' ESCAPE '\\'))" ], "filename": "registry_set_susp_reg_persist_explorer_run.yml" }, { "title": "Disable Administrative Share Creation at Startup", "id": "c7dcacd0-cc59-4004-b0a4-1d6cdebe6f3e", "status": "test", "description": "Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1070.005" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%AutoShareWks' ESCAPE '\\' OR TargetObject LIKE '%AutoShareServer' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_disable_administrative_share.yml" }, { "title": "Office Autorun Keys Modification", "id": "baecf8fb-edbf-429f-9ade-31fc3f22b970", "status": "experimental", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Office%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Word\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PowerPoint\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Onenote\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Access\\\\Addins%' ESCAPE '\\' OR TargetObject LIKE '%test\\\\Special\\\\Perf%' ESCAPE '\\')) AND NOT ((NewValue = '(Empty)') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Microsoft Office\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Office\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\regsvr32.exe%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\Excel\\\\Addins\\\\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\ExcelPlugInShell.PowerMapConnect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\NativeShim.InquireConnector.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Excel\\\\Addins\\\\PowerPivotExcelClientAddIn.NativeEntry.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\AccessAddin.DC\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\ColleagueImport.ColleagueImportAddin\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteCC.EvernoteContactConnector\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\AddIns\\\\EvernoteOLRD.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\Microsoft.VbaAddinForOutlook.1\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OcOffice.OcForms\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OneNote.OutlookAddin%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OscAddin.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\OutlookChangeNotifier.Connect\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.LyncAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UCAddin.UCAddin.1%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\Addins\\\\UmOutlookAddin.FormRegionAddin\\\\%' ESCAPE '\\')) OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\ClickToRun\\\\Updates\\\\%' ESCAPE '\\') AND NewProcessName LIKE '%\\\\OfficeClickToRun.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\AVG\\\\Antivirus\\\\RegSvr.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Office\\\\Outlook\\\\Addins\\\\Antivirus.AsOutExt\\\\%' ESCAPE '\\')))" ], "filename": "registry_set_asep_reg_keys_modification_office.yml" }, { "title": "Modification of Explorer Hidden Keys", "id": "5a5152f1-463f-436b-b2f5-8eceb3964b42", "status": "experimental", "description": "Detects modifications to the hidden files keys in registry. This technique is abused by several malware families to hide their files from normal users.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1564.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\ShowSuperHidden' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Advanced\\\\Hidden' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_hide_file.yml" }, { "title": "New File Association Using Exefile", "id": "44a22d59-b175-4f13-8c16-cbaef5b581ff", "status": "test", "description": "Detects the abuse of the exefile handler in new file association. Used for bypass of security products.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%Classes\\\\.%' ESCAPE '\\' AND NewValue = 'exefile' AND EventType = 'SetValue')" ], "filename": "registry_set_file_association_exefile.yml" }, { "title": "Potential Persistence Via Outlook Home Page", "id": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", "status": "experimental", "description": "Detects potential persistence activity via outlook home pages.", "author": "Tobias Michalski (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Office\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Outlook\\\\WebView\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\URL' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Calendar\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Inbox\\\\%' ESCAPE '\\'))" ], "filename": "registry_set_persistence_outlook_homepage.yml" }, { "title": "Disable Tamper Protection on Windows Defender", "id": "93d298a1-d28f-47f1-a468-d971e7796679", "status": "experimental", "description": "Detects disabling Windows Defender Tamper Protection", "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)') AND NOT ((NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\')))" ], "filename": "registry_set_disabled_tamper_protection_on_microsoft_defender.yml" }, { "title": "Custom File Open Handler Executes PowerShell", "id": "7530b96f-ad8e-431d-a04d-ac85cc461fdc", "status": "experimental", "description": "Detects the abuse of custom file open handler, executing powershell", "author": "CD_R0M_", "tags": [ "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND TargetObject LIKE '%shell\\\\open\\\\command\\\\%' ESCAPE '\\' AND NewValue LIKE '%powershell%' ESCAPE '\\' AND NewValue LIKE '%-command%' ESCAPE '\\' AND EventType = 'SetValue')" ], "filename": "registry_set_custom_file_open_handler_powershell_execution.yml" }, { "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download", "id": "3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d", "status": "experimental", "description": "Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any\nanomalous executables with suspicious arguments. The downloaded file will be in C:\\Users\\redacted\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdaterreSignInSettingsConfig.json\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\OneDrive\\\\UpdateOfficeConfig\\\\UpdateRingSettingURLFromOC%' ESCAPE '\\')" ], "filename": "registry_set_lolbin_onedrivestandaloneupdater.yml" }, { "title": "Persistence Via Disk Cleanup Handler - Autorun", "id": "d4e2745c-f0c6-4bde-a3ab-b553b3f693cc", "status": "experimental", "description": "Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.\nThe disk cleanup manager is part of the operating system.\nIt displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.\nAlthough Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.\nInstead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.\nAny developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\VolumeCaches\\\\%' ESCAPE '\\') AND ((TargetObject LIKE '%\\\\Autorun%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)') OR ((TargetObject LIKE '%\\\\CleanupString%' ESCAPE '\\' OR TargetObject LIKE '%\\\\PreCleanupString%' ESCAPE '\\') AND (NewValue LIKE '%cmd%' ESCAPE '\\' OR NewValue LIKE '%powershell%' ESCAPE '\\' OR NewValue LIKE '%rundll32%' ESCAPE '\\' OR NewValue LIKE '%mshta%' ESCAPE '\\' OR NewValue LIKE '%cscript%' ESCAPE '\\' OR NewValue LIKE '%wscript%' ESCAPE '\\' OR NewValue LIKE '%wsl%' ESCAPE '\\' OR NewValue LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\TEMP\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%' ESCAPE '\\'))))" ], "filename": "registry_set_disk_cleanup_handler_autorun_persistence.yml" }, { "title": "Disable Internal Tools or Feature in Registry", "id": "e2482f8d-3443-4237-b906-cc145d87a076", "status": "experimental", "description": "Detects registry modifications that change features of internal Windows tools (malware like Agent Tesla uses this technique)", "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Legitimate admin script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableRegistryTools' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\DisableCMD' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableTaskmgr' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\Explorer\\\\DisableNotificationCenter' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableChangePassword' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\DisableLockWorkstation' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\StartMenuLogOff' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)') OR (EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\shutdownwithoutlogon' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\PushNotifications\\\\ToastEnabled' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Storage\\\\Write Protection' ESCAPE '\\' OR TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\StorageDevicePolicies\\\\WriteProtect' ESCAPE '\\') AND NewValue = 'DWORD (0x00000000)')))" ], "filename": "registry_set_disable_function_user.yml" }, { "title": "Scripted Diagnostics Turn Off Check Enabled - Registry", "id": "7d995e63-ec83-4aa3-89d5-8a17b5c87c86", "status": "experimental", "description": "Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability", "author": "Christopher Peacock @securepeacock, SCYTHE @scythe_io", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Administrator actions" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Policies\\\\Microsoft\\\\Windows\\\\ScriptedDiagnostics\\\\TurnOffCheck' ESCAPE '\\' AND NewValue = 'DWORD (0x00000001)')" ], "filename": "registry_set_enabling_turnoffcheck.yml" }, { "title": "RDP Sensitive Settings Changed", "id": "3f6b7b62-61aa-45db-96bd-9c31b36b653c", "status": "test", "description": "Detects tampering of RDP Terminal Service/Server sensitive settings.\nSuch as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc\n", "author": "Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali", "tags": [ "attack.defense_evasion", "attack.persistence", "attack.t1112" ], "falsepositives": [ "Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (((EventType = 'SetValue' AND (TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\Shadow' ESCAPE '\\' AND NewValue IN ('DWORD (0x00000001)', 'DWORD (0x00000002)', 'DWORD (0x00000003)', 'DWORD (0x00000004)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%\\\\fAllowUnsolicited' ESCAPE '\\' OR TargetObject LIKE '%\\\\fAllowUnsolicitedFullControl' ESCAPE '\\') AND NewValue = 'DWORD (0x00000001)')) OR (EventType = 'SetValue' AND (TargetObject LIKE '%\\\\services\\\\TermService\\\\Parameters\\\\ServiceDll%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Terminal Server\\\\InitialProgram%' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\InitialProgram%' ESCAPE '\\'))))" ], "filename": "registry_set_terminal_server_tampering.yml" }, { "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting", "id": "396ae3eb-4174-4b9b-880e-dc0364d78a19", "status": "experimental", "description": "Detects the modification of Outlook setting \"LoadMacroProviderOnBoot\" which if enabled allows the automatic loading of any configured VBA project/module", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.command_and_control", "attack.t1137", "attack.t1008", "attack.t1546" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\Outlook\\\\LoadMacroProviderOnBoot' ESCAPE '\\' AND NewValue LIKE '%0x00000001%' ESCAPE '\\')" ], "filename": "registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" }, { "title": "Potential Persistence Via App Paths Default Property", "id": "707e097c-e20f-4f67-8807-1f72ff4500d6", "status": "experimental", "description": "Detects changes to the \"Default\" property for keys located in the \\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\ registry. Which might be used as a method of persistence\nThe entries found under App Paths are used primarily for the following purposes.\nFirst, to map an application's executable file name to that file's fully qualified path.\nSecond, to pre-pend information to the PATH environment variable on a per-application, per-process basis.\n", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1546.012" ], "falsepositives": [ "Legitimate applications registering their binary from on of the suspicious locations mentioned above (tune it)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\App Paths%' ESCAPE '\\' AND (TargetObject LIKE '%(Default)' ESCAPE '\\' OR TargetObject LIKE '%Path' ESCAPE '\\') AND (NewValue LIKE '%\\\\Users\\\\Public%' ESCAPE '\\' OR NewValue LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Desktop\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewValue LIKE '%\\%temp\\%%' ESCAPE '\\' OR NewValue LIKE '%\\%tmp\\%%' ESCAPE '\\' OR NewValue LIKE '%iex%' ESCAPE '\\' OR NewValue LIKE '%Invoke-%' ESCAPE '\\' OR NewValue LIKE '%rundll32%' ESCAPE '\\' OR NewValue LIKE '%regsvr32%' ESCAPE '\\' OR NewValue LIKE '%mshta%' ESCAPE '\\' OR NewValue LIKE '%cscript%' ESCAPE '\\' OR NewValue LIKE '%wscript%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.hta%' ESCAPE '\\' OR NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.ps1%' ESCAPE '\\'))" ], "filename": "registry_set_persistence_app_paths.yml" }, { "title": "Suspicious Service Installed", "id": "f2485272-a156-4773-82d7-1d178bc4905b", "status": "test", "description": "Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders.\nBoth services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)\n", "author": "xknow (@xknow_infosec), xorxes (@xor_xes)", "tags": [ "attack.t1562.001", "attack.defense_evasion" ], "falsepositives": [ "Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\NalDrv\\\\ImagePath' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PROCEXP152\\\\ImagePath' ESCAPE '\\')) AND NOT ((NewProcessName LIKE '%\\\\procexp64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procexp.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon64.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\procmon.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\handle64.exe' ESCAPE '\\') AND NewValue LIKE '%\\\\WINDOWS\\\\system32\\\\Drivers\\\\PROCEXP152.SYS%' ESCAPE '\\'))" ], "filename": "registry_set_susp_service_installed.yml" }, { "title": "NET NGenAssemblyUsageLog Registry Key Tamper", "id": "28036918-04d3-423d-91c0-55ecf99fb892", "status": "experimental", "description": "Detects changes to the NGenAssemblyUsageLog registry key.\n.NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).\nBy simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.\n", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\NGenAssemblyUsageLog' ESCAPE '\\')" ], "filename": "registry_set_net_cli_ngenassemblyusagelog.yml" }, { "title": "Hiding User Account Via SpecialAccounts Registry Key", "id": "f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd", "status": "test", "description": "Detects modifications to the registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist\" where the value is set to \"0\" in order to hide user account from being listed on the logon screen.", "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.defense_evasion", "attack.t1564.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\SpecialAccounts\\\\UserList%' ESCAPE '\\' AND NewValue = 'DWORD (0x00000000)')" ], "filename": "registry_set_special_accounts.yml" }, { "title": "WinSock2 Autorun Keys Modification", "id": "d6c2ce7e-afb5-4337-9ca4-4b5254ed0565", "status": "test", "description": "Detects modification of autostart extensibility point (ASEP) in registry.", "author": "Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason", "Legitimate administrator sets up autorun keys for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\\\System\\\\CurrentControlSet\\\\Services\\\\WinSock2\\\\Parameters%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\Protocol\\_Catalog9\\\\Catalog\\_Entries%' ESCAPE '\\' OR TargetObject LIKE '%\\\\NameSpace\\_Catalog5\\\\Catalog\\_Entries%' ESCAPE '\\')) AND NOT (NewValue = '(Empty)' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\MsiExec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\'))" ], "filename": "registry_set_asep_reg_keys_modification_winsock2.yml" }, { "title": "Potential Persistence Via Shim Database Modification", "id": "dfb5b4e8-91d0-4291-b40a-e3b0d3942c45", "status": "experimental", "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", "author": "frack113", "tags": [ "attack.persistence", "attack.t1546.011" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND ((TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\%' ESCAPE '\\') AND EventType = 'SetValue') AND NOT (NewValue = ''))" ], "filename": "registry_set_persistence_shim_databases.yml" }, { "title": "DHCP Callout DLL Installation", "id": "9d3436ef-9476-4c43-acca-90ce06bdf33a", "status": "test", "description": "Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)", "author": "Dimitrios Slamaris", "tags": [ "attack.defense_evasion", "attack.t1574.002", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'Setvalue' AND (TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutDlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\Services\\\\DHCPServer\\\\Parameters\\\\CalloutEnabled' ESCAPE '\\'))" ], "filename": "registry_set_dhcp_calloutdll.yml" }, { "title": "Bypass UAC Using Event Viewer", "id": "674202d0-b22a-4af4-ae5f-2eda1f3da1af", "status": "experimental", "description": "Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification", "author": "frack113", "tags": [ "attack.persistence", "attack.t1547.010" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security') AND (EventType = 'SetValue' AND TargetObject LIKE '%\\_Classes\\\\mscfile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\') AND NOT (NewValue LIKE '\\%SystemRoot\\%\\\\system32\\\\mmc.exe \"\\%1\" \\%%' ESCAPE '\\'))" ], "filename": "registry_set_bypass_uac_using_eventviewer.yml" }, { "title": "Suspicious New Printer Ports in Registry (CVE-2020-1048)", "id": "7ec912f2-5175-4868-b811-ec13ad0f8567", "status": "test", "description": "Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048", "author": "EagleEye Team, Florian Roth (Nextron Systems), NVISO", "tags": [ "attack.persistence", "attack.execution", "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "New printer port install on host" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Ports%' ESCAPE '\\' AND (NewValue LIKE '%.dll%' ESCAPE '\\' OR NewValue LIKE '%.exe%' ESCAPE '\\' OR NewValue LIKE '%.bat%' ESCAPE '\\' OR NewValue LIKE '%.com%' ESCAPE '\\' OR NewValue LIKE '%C:%' ESCAPE '\\'))" ], "filename": "registry_set_cve_2020_1048_new_printer_port.yml" }, { "title": "Narrator's Feedback-Hub Persistence", "id": "f663a6d9-9d1b-49b8-b2b1-0637914d199a", "status": "test", "description": "Detects abusing Windows 10 Narrator's Feedback-Hub", "author": "Dmitriy Lifanov, oscd.community", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'DeleteValue' AND TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR TargetObject LIKE '%\\\\AppXypsaf9f1qserqevf0sws76dx4k9a5206\\\\Shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\'))" ], "filename": "registry_event_narrator_feedback_persistance.yml" }, { "title": "Windows Credential Editor Registry", "id": "a6b33c02-8305-488f-8585-03cb2a7763f2", "status": "test", "description": "Detects the use of Windows Credential Editor (WCE)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001", "attack.s0005" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Services\\\\WCESERVICE\\\\Start%' ESCAPE '\\')" ], "filename": "registry_event_hack_wce_reg.yml" }, { "title": "PrinterNightmare Mimimkatz Driver Name", "id": "ba6b9e43-1d45-4d3c-a504-1043a64c8469", "status": "test", "description": "Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527", "author": "Markus Neis, @markus_neis, Florian Roth", "tags": [ "attack.execution", "attack.t1204", "cve.2021.1675", "cve.2021.34527" ], "falsepositives": [ "Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\QMS 810\\\\%' ESCAPE '\\' OR TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows x64\\\\Drivers\\\\Version-3\\\\mimikatz%' ESCAPE '\\') OR (TargetObject LIKE '%legitprinter%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments\\\\Windows%' ESCAPE '\\')) OR ((TargetObject LIKE '%\\\\Control\\\\Print\\\\Environments%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentVersion\\\\Print\\\\Printers%' ESCAPE '\\') AND (TargetObject LIKE '%Gentil Kiwi%' ESCAPE '\\' OR TargetObject LIKE '%mimikatz printer%' ESCAPE '\\' OR TargetObject LIKE '%Kiwi Legit Printer%' ESCAPE '\\'))))" ], "filename": "registry_event_mimikatz_printernightmare.yml" }, { "title": "NetNTLM Downgrade Attack - Registry", "id": "d67572a0-e2ec-45d6-b8db-c100d14b8ef2", "status": "test", "description": "Detects NetNTLM downgrade attack", "author": "Florian Roth (Nextron Systems), wagga", "tags": [ "attack.defense_evasion", "attack.t1562.001", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%ControlSet%' ESCAPE '\\' AND TargetObject LIKE '%\\\\Control\\\\Lsa%' ESCAPE '\\' AND (TargetObject LIKE '%\\\\lmcompatibilitylevel' ESCAPE '\\' OR TargetObject LIKE '%\\\\NtlmMinClientSec' ESCAPE '\\' OR TargetObject LIKE '%\\\\RestrictSendingNTLMTraffic' ESCAPE '\\'))" ], "filename": "registry_event_net_ntlm_downgrade.yml" }, { "title": "New DLL Added to AppCertDlls Registry Key", "id": "6aa1d992-5925-4e9f-a49b-845e51d1de01", "status": "test", "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation\nby causing a malicious DLL to be loaded and run in the context of separate processes on the computer.\n", "author": "Ilyas Ochkov, oscd.community", "tags": [ "attack.persistence", "attack.t1546.009" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\' OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurentControlSet\\\\Control\\\\Session Manager\\\\AppCertDlls' ESCAPE '\\'))" ], "filename": "registry_event_new_dll_added_to_appcertdlls_registry_key.yml" }, { "title": "Sticky Key Like Backdoor Usage - Registry", "id": "baca5663-583c-45f9-b5dc-ea96a22ce542", "status": "experimental", "description": "Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen", "author": "Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community", "tags": [ "attack.privilege_escalation", "attack.persistence", "attack.t1546.008", "car.2014-11-003", "car.2014-11-008" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\sethc.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\utilman.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\osk.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Magnify.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\Narrator.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\DisplaySwitch.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\atbroker.exe\\\\Debugger' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\HelpPane.exe\\\\Debugger' ESCAPE '\\'))" ], "filename": "registry_event_stickykey_like_backdoor.yml" }, { "title": "Pandemic Registry Key", "id": "47e0852a-cf81-4494-a8e6-31864f8c86ed", "status": "test", "description": "Detects Pandemic Windows Implant", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.lateral_movement", "attack.t1105" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SYSTEM\\\\CurrentControlSet\\\\services\\\\null\\\\Instance%' ESCAPE '\\')" ], "filename": "registry_event_apt_pandemic.yml" }, { "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique", "id": "55e29995-75e7-451a-bef0-6225e2f13597", "status": "experimental", "description": "Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\lsass.exe%' ESCAPE '\\')" ], "filename": "registry_event_silentprocessexit_lsass.yml" }, { "title": "Registry Persistence Mechanisms in Recycle Bin", "id": "277efb8f-60be-4f10-b4d3-037802f37167", "status": "experimental", "description": "Detects persistence registry keys for Recycle Bin", "author": "frack113", "tags": [ "attack.persistence", "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((EventType = 'RenameKey' AND NewName LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open%' ESCAPE '\\') OR (EventType = 'SetValue' AND TargetObject LIKE '%\\\\CLSID\\\\{645FF040-5081-101B-9F08-00AA002F954E}\\\\shell\\\\open\\\\command\\\\(Default)%' ESCAPE '\\')))" ], "filename": "registry_event_persistence_recycle_bin.yml" }, { "title": "HybridConnectionManager Service Installation - Registry", "id": "ac8866c7-ce44-46fd-8c17-b24acff96ca8", "status": "experimental", "description": "Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.resource_development", "attack.t1608" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\Services\\\\HybridConnectionManager%' ESCAPE '\\' OR (EventType = 'SetValue' AND NewValue LIKE '%Microsoft.HybridConnectionManager.Listener.exe%' ESCAPE '\\')))" ], "filename": "registry_event_hybridconnectionmgr_svc_installation.yml" }, { "title": "Esentutl Volume Shadow Copy Service Keys", "id": "5aad0995-46ab-41bd-a9ff-724f41114971", "status": "test", "description": "Detects the volume shadow copy service initialization and processing via esentutl. Registry keys such as HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Diag\\\\VolSnap\\\\Volume are captured.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.credential_access", "attack.t1003.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS%' ESCAPE '\\' AND NewProcessName LIKE '%esentutl.exe' ESCAPE '\\') AND NOT (TargetObject LIKE '%System\\\\CurrentControlSet\\\\Services\\\\VSS\\\\Start%' ESCAPE '\\'))" ], "filename": "registry_event_esentutl_volume_shadow_copy_service_keys.yml" }, { "title": "WINEKEY Registry Modification", "id": "b98968aa-dbc0-4a9c-ac35-108363cbf8d5", "status": "test", "description": "Detects potential malicious modification of run keys by winekey or team9 backdoor", "author": "omkar72", "tags": [ "attack.persistence", "attack.t1547" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Backup Mgr' ESCAPE '\\')" ], "filename": "registry_event_runkey_winekey.yml" }, { "title": "OceanLotus Registry Activity", "id": "4ac5fc44-a601-4c06-955b-309df8c4e9d4", "status": "test", "description": "Detects registry keys created in OceanLotus (also known as APT32) attacks", "author": "megan201296, Jonhnathan Ribeiro", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model' ESCAPE '\\' OR ((TargetObject LIKE 'HKCU\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\App\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%AppXbf13d4ea2945444d8b13e2121cb6b663\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX70162486c7554f7f80f481985d67586d\\\\%' ESCAPE '\\' OR TargetObject LIKE '%AppX37cc7fdccd644b4f85f4b22d5a3f105a\\\\%' ESCAPE '\\') AND (TargetObject LIKE '%Application' ESCAPE '\\' OR TargetObject LIKE '%DefaultIcon' ESCAPE '\\')) OR (TargetObject LIKE 'HKCU\\\\%' ESCAPE '\\' AND (TargetObject LIKE '%Classes\\\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\AppX3bbba44c6cae4d9695755183472171e2\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\\\%' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\CLSID\\\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\\\Model%' ESCAPE '\\'))))" ], "filename": "registry_event_apt_oceanlotus_registry.yml" }, { "title": "Disable Security Events Logging Adding Reg Key MiniNt", "id": "919f2ef0-be2d-4a7a-b635-eb2b41fde044", "status": "test", "description": "Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.", "author": "Ilyas Ochkov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1562.001", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\' AND EventType = 'CreateKey') OR NewName LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\MiniNt' ESCAPE '\\'))" ], "filename": "registry_event_disable_security_events_logging_adding_reg_key_minint.yml" }, { "title": "Potential Qakbot Registry Activity", "id": "1c8e96cd-2bed-487d-9de0-b46c90cade56", "status": "experimental", "description": "Detects a registry key used by IceID in a campaign that distributes malicious OneNote files", "author": "Hieu Tran", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\firm\\\\soft\\\\Name' ESCAPE '\\')" ], "filename": "registry_event_malware_qakbot_registry.yml" }, { "title": "Path To Screensaver Binary Modified", "id": "67a6c006-3fbe-46a7-9074-2ba3b82c3000", "status": "test", "description": "Detects value modification of registry key containing path to binary used as screensaver.", "author": "Bartlomiej Czyz @bczyz1, oscd.community", "tags": [ "attack.persistence", "attack.privilege_escalation", "attack.t1546.002" ], "falsepositives": [ "Legitimate modification of screensaver" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND TargetObject LIKE '%\\\\Control Panel\\\\Desktop\\\\SCRNSAVE.EXE' ESCAPE '\\' AND NOT ((NewProcessName LIKE '%\\\\rundll32.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\explorer.exe' ESCAPE '\\')))" ], "filename": "registry_event_modify_screensaver_binary_path.yml" }, { "title": "Run Once Task Configuration in Registry", "id": "c74d7efc-8826-45d9-b8bb-f04fac9e4eff", "status": "test", "description": "Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup", "author": "Avneet Singh @v3t0_, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Legitimate modification of the registry key by legitimate program" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components%' ESCAPE '\\' AND TargetObject LIKE '%\\\\StubPath' ESCAPE '\\') AND NOT ((NewValue LIKE '\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\%' ESCAPE '\\' AND NewValue LIKE '%\\\\Installer\\\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level%' ESCAPE '\\') OR ((NewValue LIKE '\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' OR NewValue LIKE '\"C:\\\\Program Files\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\') AND NewValue LIKE '%\\\\Installer\\\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable' ESCAPE '\\')))" ], "filename": "registry_event_runonce_persistence.yml" }, { "title": "FlowCloud Malware", "id": "5118765f-6657-4ddb-a487-d7bd673abbf1", "status": "test", "description": "Detects FlowCloud malware from threat group TA410.", "author": "NVISO", "tags": [ "attack.persistence", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\HARDWARE\\\\{2DB80286-1784-48b5-A751-B6ED1F490303}' ESCAPE '\\') OR TargetObject LIKE 'HKLM\\\\SYSTEM\\\\Setup\\\\PrintResponsor\\\\%' ESCAPE '\\'))" ], "filename": "registry_event_mal_flowcloud.yml" }, { "title": "Leviathan Registry Key Activity", "id": "70d43542-cd2d-483c-8f30-f16b436fd7db", "status": "test", "description": "Detects registry key used by Leviathan APT in Malaysian focused campaign", "author": "Aidan Bracher", "tags": [ "attack.persistence", "attack.t1547.001" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\ntkd' ESCAPE '\\')" ], "filename": "registry_event_apt_leviathan.yml" }, { "title": "Shell Open Registry Keys Manipulation", "id": "152f3630-77c1-4284-bcc0-4cc68ab2f6e7", "status": "test", "description": "Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002", "attack.t1546.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (((EventType = 'SetValue' AND TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\SymbolicLinkValue' ESCAPE '\\' AND NewValue LIKE '%\\\\Software\\\\Classes\\\\{%' ESCAPE '\\') OR TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\DelegateExecute' ESCAPE '\\') OR ((EventType = 'SetValue' AND (TargetObject LIKE '%Classes\\\\ms-settings\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\' OR TargetObject LIKE '%Classes\\\\exefile\\\\shell\\\\open\\\\command\\\\(Default)' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))))" ], "filename": "registry_event_shell_open_keys_manipulation.yml" }, { "title": "PortProxy Registry Key", "id": "a54f842a-3713-4b45-8c84-5f136fdebd3c", "status": "test", "description": "Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.", "author": "Andreas Hunkeler (@Karneades)", "tags": [ "attack.lateral_movement", "attack.defense_evasion", "attack.command_and_control", "attack.t1090" ], "falsepositives": [ "WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)", "Synergy Software KVM (https://symless.com/synergy)" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE 'HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\PortProxy\\\\v4tov4\\\\tcp' ESCAPE '\\')" ], "filename": "registry_event_portproxy_registry_key.yml" }, { "title": "Wdigest CredGuard Registry Modification", "id": "1a2d6c47-75b0-45bd-b133-2c0be75349fd", "status": "test", "description": "Detects potential malicious modification of the property value of IsCredGuardEnabled from\nHKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest to disable Cred Guard on a system.\nThis is usually used with UseLogonCredential to manipulate the caching credentials.\n", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\IsCredGuardEnabled' ESCAPE '\\')" ], "filename": "registry_event_disable_wdigest_credential_guard.yml" }, { "title": "OilRig APT Registry Persistence", "id": "7bdf2a7c-3acc-4091-9581-0a77dad1c5b5", "status": "test", "description": "Detects OilRig registry persistence as reported by Nyotron in their March 2018 report", "author": "Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.persistence", "attack.g0049", "attack.t1053.005", "attack.s0111", "attack.t1543.003", "attack.defense_evasion", "attack.t1112", "attack.command_and_control", "attack.t1071.004" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UMe' ESCAPE '\\' OR TargetObject LIKE '%SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\UT' ESCAPE '\\'))" ], "filename": "registry_event_apt_oilrig_mar18.yml" }, { "title": "Potential Ransomware Activity Using LegalNotice Message", "id": "8b9606c9-28be-4a38-b146-0e313cc232c1", "status": "experimental", "description": "Detect changes to the \"LegalNoticeCaption\" or \"LegalNoticeText\" registry values where the message set contains keywords often used in ransomware ransom messages", "author": "frack113", "tags": [ "attack.impact", "attack.t1491.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4657' AND (OperationType LIKE 'Existing registry value modified' ESCAPE '\\') AND Channel = 'Security' AND EventType = 'SetValue' AND (TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeCaption%' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\LegalNoticeText%' ESCAPE '\\') AND (NewValue LIKE '%encrypted%' ESCAPE '\\' OR NewValue LIKE '%Unlock-Password%' ESCAPE '\\' OR NewValue LIKE '%paying%' ESCAPE '\\'))" ], "filename": "registry_set_legalnotice_susp_message.yml" }, { "title": "Windows Registry Trust Record Modification", "id": "295a59c1-7b79-4b47-a930-df12c15fc9c2", "status": "test", "description": "Alerts on trust record modification within the registry, indicating usage of macros", "author": "Antonlovesdnb", "tags": [ "attack.initial_access", "attack.t1566.001" ], "falsepositives": [ "Alerts on legitimate macro usage as well, will need to filter as appropriate" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%TrustRecords%' ESCAPE '\\')" ], "filename": "registry_event_trust_record_modification.yml" }, { "title": "RedMimicry Winnti Playbook Registry Manipulation", "id": "5b175490-b652-4b02-b1de-5b5b4083c5f8", "status": "test", "description": "Detects actions caused by the RedMimicry Winnti playbook", "author": "Alexander Rausch", "tags": [ "attack.defense_evasion", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%HKLM\\\\SOFTWARE\\\\Microsoft\\\\HTMLHelp\\\\data%' ESCAPE '\\')" ], "filename": "registry_event_redmimicry_winnti_reg.yml" }, { "title": "UAC Bypass Via Wsreset", "id": "6ea3bf32-9680-422d-9f50-e90716b12a66", "status": "test", "description": "Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.", "author": "oscd.community, Dmitry Uchakin", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\\\Shell\\\\open\\\\command' ESCAPE '\\')" ], "filename": "registry_event_bypass_via_wsreset.yml" }, { "title": "CMSTP Execution Registry Event", "id": "b6d235fc-1d38-4b12-adbe-325f06728f37", "status": "stable", "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "author": "Nik Seetharaman", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1218.003", "attack.g0069", "car.2019-04-001" ], "falsepositives": [ "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\cmmgr32.exe%' ESCAPE '\\')" ], "filename": "registry_event_cmstp_execution_by_registry.yml" }, { "title": "Office Application Startup - Office Test", "id": "3d27f6dd-1c74-4687-b4fa-ca849d128d1c", "status": "test", "description": "Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started", "author": "omkar72", "tags": [ "attack.persistence", "attack.t1137.002" ], "falsepositives": [ "Unlikely" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (TargetObject LIKE 'HKCU\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\Software\\\\Microsoft\\\\Office test\\\\Special\\\\Perf' ESCAPE '\\'))" ], "filename": "registry_event_office_test_regadd.yml" }, { "title": "Suspicious Camera and Microphone Access", "id": "62120148-6b7a-42be-8b91-271c04e281a3", "status": "test", "description": "Detects Processes accessing the camera and microphone from suspicious folder", "author": "Den Iuzvyk", "tags": [ "attack.collection", "attack.t1125", "attack.t1123" ], "falsepositives": [ "Unlikely, there could be conferencing software running from a Temp folder accessing the devices" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\CapabilityAccessManager\\\\ConsentStore\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\NonPackaged%' ESCAPE '\\' AND (TargetObject LIKE '%microphone%' ESCAPE '\\' OR TargetObject LIKE '%webcam%' ESCAPE '\\') AND (TargetObject LIKE '%:#Windows#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#$Recycle.bin#%' ESCAPE '\\' OR TargetObject LIKE '%:#Temp#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Public#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Default#%' ESCAPE '\\' OR TargetObject LIKE '%:#Users#Desktop#%' ESCAPE '\\'))" ], "filename": "registry_event_susp_mic_cam_access.yml" }, { "title": "Suspicious Run Key from Download", "id": "9c5037d1-c568-49b3-88c7-9846a5bdc2be", "status": "test", "description": "Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1547.001" ], "falsepositives": [ "Software installers downloaded and used by users" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND (NewProcessName LIKE '%\\\\Downloads\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Temporary Internet Files\\\\Content.Outlook\\\\%' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Local Settings\\\\Temporary Internet Files\\\\%' ESCAPE '\\') AND TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\%' ESCAPE '\\')" ], "filename": "registry_event_susp_download_run_key.yml" }, { "title": "Atbroker Registry Change", "id": "9577edbb-851f-4243-8c91-1d5b50c1a39b", "status": "experimental", "description": "Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'", "author": "Mateusz Wydra, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1218", "attack.persistence", "attack.t1547" ], "falsepositives": [ "Creation of non-default, legitimate at usage" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\' OR TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\atbroker.exe' ESCAPE '\\' AND TargetObject LIKE '%\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\Configuration%' ESCAPE '\\' AND NewValue = '(Empty)') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Installer\\\\MSI%' ESCAPE '\\' AND TargetObject LIKE '%Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Accessibility\\\\ATs%' ESCAPE '\\')))" ], "filename": "registry_event_susp_atbroker_change.yml" }, { "title": "Security Support Provider (SSP) Added to LSA Configuration", "id": "eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc", "status": "test", "description": "Detects the addition of a SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.", "author": "iwillkeepwatch", "tags": [ "attack.persistence", "attack.t1547.005" ], "falsepositives": [ "Unlikely" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\Security Packages' ESCAPE '\\' OR TargetObject LIKE 'HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\msiexec.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\')))" ], "filename": "registry_event_ssp_added_lsa_config.yml" }, { "title": "Creation of a Local Hidden User Account by Registry", "id": "460479f3-80b7-42da-9c43-2cc1d54dbccd", "status": "experimental", "description": "Sysmon registry detection of a local hidden user account.", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.persistence", "attack.t1136.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND TargetObject LIKE '%\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\%' ESCAPE '\\' AND TargetObject LIKE '%$' ESCAPE '\\' AND NewProcessName LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], "filename": "registry_event_add_local_hidden_user.yml" }, { "title": "DLL Load via LSASS", "id": "b3503044-60ce-4bf4-bbcb-e3db98788823", "status": "test", "description": "Detects a method to load DLL via LSASS process using an undocumented Registry key", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.persistence", "attack.t1547.008" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND (TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\DirectoryServiceExtPt%' ESCAPE '\\' OR TargetObject LIKE '%\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\LsaDbExtPt%' ESCAPE '\\') AND NOT ((NewProcessName LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND (NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\ntdsa.dll' ESCAPE '\\' OR NewValue LIKE '\\%\\%systemroot\\%\\%\\\\system32\\\\lsadb.dll' ESCAPE '\\'))))" ], "filename": "registry_event_susp_lsass_dll_load.yml" }, { "title": "Registry Entries For Azorult Malware", "id": "f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7", "status": "test", "description": "Detects the presence of a registry key created during Azorult execution", "author": "Trent Liffick", "tags": [ "attack.execution", "attack.t1112" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational' AND EventID IN ('12', '13') AND TargetObject LIKE '%SYSTEM\\\\%' ESCAPE '\\' AND TargetObject LIKE '%\\\\services\\\\localNETService' ESCAPE '\\')" ], "filename": "registry_event_mal_azorult.yml" }, { "title": "New DLL Added to AppInit_DLLs Registry Key", "id": "4f84b697-c9ed-4420-8ab5-e09af5b2345d", "status": "test", "description": "DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows are loaded by user32.dll into every process that loads user32.dll", "author": "Ilyas Ochkov, oscd.community, Tim Shelton", "tags": [ "attack.persistence", "attack.t1546.010" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID IN ('12', '13', '14') AND Channel = 'Microsoft-Windows-Sysmon/Operational') AND ((TargetObject LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR TargetObject LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\') OR (NewName LIKE '%\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\' OR NewName LIKE '%\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit\\_Dlls' ESCAPE '\\')) AND NOT (NewValue = '(Empty)'))" ], "filename": "registry_event_new_dll_added_to_appinit_dlls_registry_key.yml" }, { "title": "Netcat The Powershell Version", "id": "c5b20776-639a-49bf-94c7-84f912b91c15", "status": "test", "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1095" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (HostApplication LIKE '%powercat %' ESCAPE '\\' OR HostApplication LIKE '%powercat.ps1%' ESCAPE '\\'))" ], "filename": "posh_pc_powercat.yml" }, { "title": "Renamed Powershell Under Powershell Channel", "id": "30a8cb77-8eb3-4cfb-8e79-ad457c5a4592", "status": "test", "description": "Detects renamed powershell", "author": "Harish Segar, frack113", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND HostName = 'ConsoleHost' AND NOT ((HostApplication LIKE 'powershell.exe%' ESCAPE '\\' OR HostApplication LIKE 'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe%' ESCAPE '\\')))" ], "filename": "posh_pc_renamed_powershell.yml" }, { "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell", "id": "f65e22f9-819e-4f96-9c7b-498364ae7a25", "status": "test", "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (HostApplication LIKE '%-ModuleName %' ESCAPE '\\' OR HostApplication LIKE '%-ModulePath %' ESCAPE '\\' OR HostApplication LIKE '%-ScriptBlock %' ESCAPE '\\' OR HostApplication LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], "filename": "posh_pc_susp_athremotefxvgpudisablementcommand.yml" }, { "title": "Use Get-NetTCPConnection", "id": "b366adb4-d63d-422d-8a2c-186463b5ded0", "status": "test", "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "author": "frack113", "tags": [ "attack.discovery", "attack.t1049" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-NetTCPConnection%' ESCAPE '\\')" ], "filename": "posh_pc_susp_get_nettcpconnection.yml" }, { "title": "Nslookup PowerShell Download Cradle", "id": "999bff6d-dc15-44c9-9f5c-e1051bfc86e1", "status": "experimental", "description": "Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records", "author": "Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%powershell%' ESCAPE '\\' AND HostApplication LIKE '%nslookup%' ESCAPE '\\' AND (HostApplication LIKE '%-q=txt%' ESCAPE '\\' OR HostApplication LIKE '%-querytype=txt%' ESCAPE '\\'))" ], "filename": "posh_pc_abuse_nslookup_with_dns_records.yml" }, { "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell", "id": "71ff406e-b633-4989-96ec-bc49d825a412", "status": "test", "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", "author": "frack113", "tags": [ "attack.collection", "attack.t1074.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Windows PowerShell' AND HostApplication LIKE '%Compress-Archive %' ESCAPE '\\' AND HostApplication LIKE '% -Path %' ESCAPE '\\' AND HostApplication LIKE '% -DestinationPath %' ESCAPE '\\' AND HostApplication LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], "filename": "posh_pc_susp_zip_compress.yml" }, { "title": "PowerShell Downgrade Attack - PowerShell", "id": "6331d09b-4785-4c13-980f-f96661356249", "status": "experimental", "description": "Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0", "author": "Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND EngineVersion LIKE '2.%' ESCAPE '\\' AND NOT (HostVersion LIKE '2.%' ESCAPE '\\'))" ], "filename": "posh_pc_downgrade_attack.yml" }, { "title": "Alternate PowerShell Hosts", "id": "d7326048-328b-4d5e-98af-86e84b17c765", "status": "test", "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Programs using PowerShell directly without invocation of a dedicated interpreter", "MSP Detection Searcher", "Citrix ConfigSync.ps1" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '400' AND Channel = 'Windows PowerShell') AND HostApplication LIKE '%' ESCAPE '\\' AND NOT ((HostApplication LIKE 'powershell%' ESCAPE '\\' OR HostApplication LIKE 'C:\\\\WINDOWS\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe%' ESCAPE '\\') OR ContextInfo LIKE '%Citrix\\\\ConfigSync\\\\ConfigSync.ps1%' ESCAPE '\\'))" ], "filename": "posh_pc_alternate_powershell_hosts.yml" }, { "title": "Remote PowerShell Session (PS Classic)", "id": "60167e5c-84b2-4c95-a7ac-86281f27c445", "status": "test", "description": "Detects remote PowerShell sessions", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", "attack.t1059.001", "attack.lateral_movement", "attack.t1021.006" ], "falsepositives": [ "Legitimate use remote PowerShell sessions" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ServerRemoteHost' AND HostApplication LIKE '%wsmprovhost.exe%' ESCAPE '\\')" ], "filename": "posh_pc_remote_powershell_session.yml" }, { "title": "Suspicious Non PowerShell WSMAN COM Provider", "id": "df9a0e0e-fedb-4d6c-8668-d765dfc92aa7", "status": "test", "description": "Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.execution", "attack.t1059.001", "attack.lateral_movement", "attack.t1021.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (Channel = 'Windows PowerShell' AND ProviderName = 'WSMan' AND NOT (HostApplication LIKE '%powershell%' ESCAPE '\\'))" ], "filename": "posh_pc_wsman_com_provider_no_powershell.yml" }, { "title": "PowerShell Called from an Executable Version Mismatch", "id": "c70e019b-1479-4b65-b0cc-cd0c6093a599", "status": "test", "description": "Detects PowerShell called from an executable by the version mismatch method", "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND (EngineVersion LIKE '2.%' ESCAPE '\\' OR EngineVersion LIKE '4.%' ESCAPE '\\' OR EngineVersion LIKE '5.%' ESCAPE '\\') AND HostVersion LIKE '3.%' ESCAPE '\\')" ], "filename": "posh_pc_exe_calling_ps.yml" }, { "title": "Suspicious PowerShell Download", "id": "3236fcd0-b7e3-4433-b4f8-86ad61a9af2d", "status": "experimental", "description": "Detects suspicious PowerShell download command", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "PowerShell scripts that download content from the Internet" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Net.WebClient%' ESCAPE '\\' AND (HostApplication LIKE '%.DownloadFile(%' ESCAPE '\\' OR HostApplication LIKE '%.DownloadString(%' ESCAPE '\\'))" ], "filename": "posh_pc_susp_download.yml" }, { "title": "Suspicious XOR Encoded PowerShell Command Line - PowerShell", "id": "812837bb-b17f-45e9-8bd0-0ec35d2e3bd6", "status": "experimental", "description": "Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.", "author": "Teymur Kheirkhabarov, Harish Segar (rule)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostName = 'ConsoleHost' AND (HostApplication LIKE '%bxor%' ESCAPE '\\' OR HostApplication LIKE '%join%' ESCAPE '\\' OR HostApplication LIKE '%char%' ESCAPE '\\'))" ], "filename": "posh_pc_xor_commandline.yml" }, { "title": "Delete Volume Shadow Copies Via WMI With PowerShell", "id": "87df9ee1-5416-453a-8a08-e8d4a51e9ce1", "status": "stable", "description": "Shadow Copies deletion using operating systems utilities via PowerShell", "author": "frack113", "tags": [ "attack.impact", "attack.t1490" ], "falsepositives": [ "Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '400' AND Channel = 'Windows PowerShell' AND HostApplication LIKE '%Get-WmiObject%' ESCAPE '\\' AND HostApplication LIKE '% Win32\\_Shadowcopy%' ESCAPE '\\' AND (HostApplication LIKE '%Delete()%' ESCAPE '\\' OR HostApplication LIKE '%Remove-WmiObject%' ESCAPE '\\'))" ], "filename": "posh_pc_delete_volume_shadow_copies.yml" }, { "title": "Tamper Windows Defender - PSClassic", "id": "ec19ebab-72dc-40e1-9728-4c0b805d722c", "status": "experimental", "description": "Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '600' AND Channel = 'Windows PowerShell') AND ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND (HostApplication LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR HostApplication LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR HostApplication LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((HostApplication LIKE '%Set-MpPreference%' ESCAPE '\\' AND HostApplication LIKE '%Allow%' ESCAPE '\\' AND (HostApplication LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR HostApplication LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (HostApplication LIKE '%ltdefac %' ESCAPE '\\' OR HostApplication LIKE '%mtdefac %' ESCAPE '\\' OR HostApplication LIKE '%htdefac %' ESCAPE '\\' OR HostApplication LIKE '%stdefac %' ESCAPE '\\'))))" ], "filename": "posh_pc_tamper_with_windows_defender.yml" }, { "title": "Create Volume Shadow Copy with Powershell", "id": "afd12fed-b0ec-45c9-a13d-aa86625dac81", "status": "test", "description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1003.003" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%).Create(%' ESCAPE '\\' AND ScriptBlockText LIKE '%ClientAccessible%' ESCAPE '\\')" ], "filename": "posh_ps_create_volume_shadow_copy.yml" }, { "title": "Windows Screen Capture with CopyFromScreen", "id": "d4a11f63-2390-411c-9adf-d791fd152830", "status": "experimental", "description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", "author": "frack113", "tags": [ "attack.collection", "attack.t1113" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%.CopyFromScreen%' ESCAPE '\\')" ], "filename": "posh_ps_capture_screenshots.yml" }, { "title": "Suspicious GPO Discovery With Get-GPO", "id": "eb2fd349-ec67-4caa-9143-d79c7fb34441", "status": "experimental", "description": "Detect use of Get-GPO to get one GPO or all the GPOs in a domain.", "author": "frack113", "tags": [ "attack.discovery", "attack.t1615" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-GPO%' ESCAPE '\\')" ], "filename": "posh_ps_susp_get_gpo.yml" }, { "title": "Powershell Suspicious Win32_PnPEntity", "id": "b26647de-4feb-4283-af6b-6117661283c5", "status": "test", "description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.", "author": "frack113", "tags": [ "attack.discovery", "attack.t1120" ], "falsepositives": [ "Admin script" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Win32\\_PnPEntity%' ESCAPE '\\')" ], "filename": "posh_ps_susp_win32_pnpentity.yml" }, { "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script", "id": "c1337eb8-921a-4b59-855b-4ba188ddcc42", "status": "experimental", "description": "Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", "author": "Tim Rauch", "tags": [ "attack.impact", "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%gcim%' ESCAPE '\\') AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%rwmi%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-CimInstance%' ESCAPE '\\' OR ScriptBlockText LIKE '%rcim%' ESCAPE '\\'))" ], "filename": "posh_ps_susp_win32_shadowcopy_deletion.yml" }, { "title": "Suspicious PowerShell Invocations - Specific", "id": "ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71", "status": "experimental", "description": "Detects suspicious PowerShell invocation command parameters", "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noni%' ESCAPE '\\' AND ScriptBlockText LIKE '%-nop%' ESCAPE '\\' AND ScriptBlockText LIKE '% -c %' ESCAPE '\\' AND ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\') OR (ScriptBlockText LIKE '% -w %' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ep%' ESCAPE '\\' AND ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Enc%' ESCAPE '\\') OR (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%reg%' ESCAPE '\\' AND ScriptBlockText LIKE '%add%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ScriptBlockText LIKE '%bypass%' ESCAPE '\\' AND ScriptBlockText LIKE '%-noprofile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-windowstyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%hidden%' ESCAPE '\\' AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%system.net.webclient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.download%' ESCAPE '\\') OR (ScriptBlockText LIKE '%iex%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], "filename": "posh_ps_susp_invocation_specific.yml" }, { "title": "Potential PowerShell Obfuscation Using Character Join", "id": "e8314f79-564d-4f79-bc13-fbc0bf2660d8", "status": "experimental", "description": "Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1027", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%-Alias%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Value (-join(%' ESCAPE '\\')" ], "filename": "posh_ps_susp_alias_obfscuation.yml" }, { "title": "NTFS Alternate Data Stream", "id": "8c521530-5169-495d-a199-0a3a881ad24e", "status": "test", "description": "Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.", "author": "Sami Ruohonen", "tags": [ "attack.defense_evasion", "attack.t1564.004", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%set-content%' ESCAPE '\\' OR ScriptBlockText LIKE '%add-content%' ESCAPE '\\') AND ScriptBlockText LIKE '%-stream%' ESCAPE '\\')" ], "filename": "posh_ps_ntfs_ads_access.yml" }, { "title": "WMImplant Hack Tool", "id": "8028c2c3-e25a-46e3-827f-bbb5abf181d7", "status": "test", "description": "Detects parameters used by WMImplant", "author": "NVISO", "tags": [ "attack.execution", "attack.t1047", "attack.t1059.001" ], "falsepositives": [ "Administrative scripts that use the same keywords." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%WMImplant%' ESCAPE '\\' OR ScriptBlockText LIKE '% change\\_user %' ESCAPE '\\' OR ScriptBlockText LIKE '% gen\\_cli %' ESCAPE '\\' OR ScriptBlockText LIKE '% command\\_exec %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% disable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_wdigest %' ESCAPE '\\' OR ScriptBlockText LIKE '% enable\\_winrm %' ESCAPE '\\' OR ScriptBlockText LIKE '% registry\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% remote\\_posh %' ESCAPE '\\' OR ScriptBlockText LIKE '% sched\\_job %' ESCAPE '\\' OR ScriptBlockText LIKE '% service\\_mod %' ESCAPE '\\' OR ScriptBlockText LIKE '% process\\_kill %' ESCAPE '\\' OR ScriptBlockText LIKE '% active\\_users %' ESCAPE '\\' OR ScriptBlockText LIKE '% basic\\_info %' ESCAPE '\\' OR ScriptBlockText LIKE '% power\\_off %' ESCAPE '\\' OR ScriptBlockText LIKE '% vacant\\_system %' ESCAPE '\\' OR ScriptBlockText LIKE '% logon\\_events %' ESCAPE '\\'))" ], "filename": "posh_ps_wmimplant.yml" }, { "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell", "id": "e54f5149-6ba3-49cf-b153-070d24679126", "status": "experimental", "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], "filename": "posh_ps_invoke_obfuscation_via_var.yml" }, { "title": "PowerShell ADRecon Execution", "id": "bf72941a-cba0-41ea-b18c-9aca3925690d", "status": "experimental", "description": "Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7", "author": "Bhabesh Raj", "tags": [ "attack.discovery", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Function Get-ADRExcelComOb%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADRDomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%ADRecon-Report.xlsx%' ESCAPE '\\'))" ], "filename": "posh_ps_adrecon_execution.yml" }, { "title": "Suspicious IO.FileStream", "id": "70ad982f-67c8-40e0-a955-b920c2fa05cb", "status": "test", "description": "Open a handle on the drive volume via the \\\\.\\ DOS device path specifier and perform direct access read of the first few bytes of the volume.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1070.003" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%IO.FileStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\.\\\\\\*' ESCAPE '\\')" ], "filename": "posh_ps_susp_iofilestream.yml" }, { "title": "Dnscat Execution", "id": "a6d67db4-6220-436d-8afc-f3842fe05d43", "status": "test", "description": "Dnscat exfiltration tool execution", "author": "Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.exfiltration", "attack.t1048", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Legitimate usage of PowerShell Dnscat2 — DNS Exfiltration tool (unlikely)" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Dnscat2%' ESCAPE '\\')" ], "filename": "posh_ps_dnscat_execution.yml" }, { "title": "PowerShell Create Local User", "id": "243de76f-4725-4f2e-8225-a8a69b15ad61", "status": "test", "description": "Detects creation of a local user via PowerShell", "author": "@ROxPinTeddy", "tags": [ "attack.execution", "attack.t1059.001", "attack.persistence", "attack.t1136.001" ], "falsepositives": [ "Legitimate user creation" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\')" ], "filename": "posh_ps_create_local_user.yml" }, { "title": "Powershell Store File In Alternate Data Stream", "id": "a699b30e-d010-46c8-bbd1-ee2e26765fe9", "status": "test", "description": "Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1564.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath \"$env:comspec\" %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ArgumentList %' ESCAPE '\\' AND ScriptBlockText LIKE '%>%' ESCAPE '\\')" ], "filename": "posh_ps_store_file_in_alternate_data_stream.yml" }, { "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock", "id": "1139d2e2-84b1-4226-b445-354492eba8ba", "status": "experimental", "description": "Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs", "author": "James Pemberton / @4A616D6573", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\' OR ScriptBlockText LIKE '%wget %' ESCAPE '\\' OR ScriptBlockText LIKE '%curl %' ESCAPE '\\' OR ScriptBlockText LIKE '%Net.WebClient%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resume-BitsTransfer%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Net.WebRequest]::create%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RestMethod%' ESCAPE '\\' OR ScriptBlockText LIKE '%WinHttp.WinHttpRequest%' ESCAPE '\\') AND NOT (Path LIKE 'C:\\\\Packages\\\\Plugins\\\\Microsoft.GuestConfiguration.ConfigurationforWindows\\\\%' ESCAPE '\\'))" ], "filename": "posh_ps_web_request_cmd_and_cmdlets.yml" }, { "title": "WMIC Unquoted Services Path Lookup - PowerShell", "id": "09658312-bc27-4a3b-91c5-e49ab9046d1b", "status": "experimental", "description": "Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1047" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject %' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi %' ESCAPE '\\') AND ScriptBlockText LIKE '% Win32\\_Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%Name%' ESCAPE '\\' AND ScriptBlockText LIKE '%DisplayName%' ESCAPE '\\' AND ScriptBlockText LIKE '%PathName%' ESCAPE '\\' AND ScriptBlockText LIKE '%StartMode%' ESCAPE '\\')" ], "filename": "posh_ps_wmi_unquoted_service_search.yml" }, { "title": "Replace Desktop Wallpaper by Powershell", "id": "c5ac6a1e-9407-45f5-a0ce-ca9a0806a287", "status": "test", "description": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.\nThis may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper\n", "author": "frack113", "tags": [ "attack.impact", "attack.t1491.001" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Get-ItemProperty%' ESCAPE '\\' AND ScriptBlockText LIKE '%Registry::%' ESCAPE '\\' AND ScriptBlockText LIKE '%HKEY\\_CURRENT\\_USER\\\\Control Panel\\\\Desktop\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%WallPaper%' ESCAPE '\\') OR ScriptBlockText LIKE '%SystemParametersInfo(20,0,%,3)%' ESCAPE '\\'))" ], "filename": "posh_ps_susp_wallpaper.yml" }, { "title": "Suspicious X509Enrollment - Ps Script", "id": "504d63cb-0dba-4d02-8531-e72981aace2c", "status": "experimental", "description": "Detect use of X509Enrollment", "author": "frack113", "falsepositives": [ "Legitimate administrative script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%X509Enrollment.CBinaryConverter%' ESCAPE '\\' OR ScriptBlockText LIKE '%884e2002-217d-11da-b2a4-000e7bbb2b09%' ESCAPE '\\'))" ], "filename": "posh_ps_x509enrollment.yml" }, { "title": "PowerShell PSAttack", "id": "b7ec41a4-042c-4f31-a5db-d0fcde9fa5c5", "status": "test", "description": "Detects the use of PSAttack PowerShell hack tool", "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PS ATTACK!!!%' ESCAPE '\\')" ], "filename": "posh_ps_psattack.yml" }, { "title": "Windows Defender Exclusions Added - PowerShell", "id": "c1344fa2-323b-4d2e-9176-84b4d4821c88", "status": "experimental", "description": "Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions", "author": "Tim Rauch", "tags": [ "attack.defense_evasion", "attack.t1562", "attack.execution", "attack.t1059" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -ExclusionPath %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionExtension %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionProcess %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ExclusionIpAddress %' ESCAPE '\\') AND (ScriptBlockText LIKE '%Add-MpPreference %' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MpPreference %' ESCAPE '\\'))" ], "filename": "posh_ps_win_defender_exclusions_added.yml" }, { "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script", "id": "e17121b4-ef2a-4418-8a59-12fb1631fa9e", "status": "test", "description": "Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil", "author": "frack113", "tags": [ "attack.impact", "attack.t1490" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Shadowcopy%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Delete()%' ESCAPE '\\')" ], "filename": "posh_ps_susp_win32_shadowcopy.yml" }, { "title": "Invoke-Obfuscation Via Use Clip - Powershell", "id": "db92dd33-a3ad-49cf-8c2c-608c3e30ace0", "status": "experimental", "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], "filename": "posh_ps_invoke_obfuscation_via_use_clip.yml" }, { "title": "Suspicious Connection to Remote Account", "id": "1883444f-084b-419b-ac62-e0d0c5b3693f", "status": "test", "description": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.\nWithout knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism\n", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1110.001" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.DirectoryServices.Protocols.LdapDirectoryIdentifier%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.Net.NetworkCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.DirectoryServices.Protocols.LdapConnection%' ESCAPE '\\'))" ], "filename": "posh_ps_susp_networkcredential.yml" }, { "title": "AMSI Bypass Pattern Assembly GetType", "id": "e0d6c087-2d1c-47fd-8799-3904103c5a98", "status": "experimental", "description": "Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001", "attack.execution" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Ref].Assembly.GetType%' ESCAPE '\\' AND ScriptBlockText LIKE '%SetValue($null,$true)%' ESCAPE '\\' AND ScriptBlockText LIKE '%NonPublic,Static%' ESCAPE '\\')" ], "filename": "posh_ps_amsi_bypass_pattern_nov22.yml" }, { "title": "Suspicious PowerShell Mailbox Export to Share - PS", "id": "4a241dea-235b-4a7e-8d76-50d817b146c4", "status": "experimental", "description": "Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.exfiltration" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-MailboxExportRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -FilePath \\\\\\\\\\*' ESCAPE '\\')" ], "filename": "posh_ps_mailboxexport_share.yml" }, { "title": "Invoke-Obfuscation Via Stdin - Powershell", "id": "86b896ba-ffa1-4fea-83e3-ee28a4c915c7", "status": "experimental", "description": "Detects Obfuscated Powershell via Stdin in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$\\{?input).*&&.*\"')" ], "filename": "posh_ps_invoke_obfuscation_via_stdin.yml" }, { "title": "PowerShell Hotfix Enumeration", "id": "f5d1def8-1de0-4a0e-9794-1f6f27dd605c", "status": "experimental", "description": "Detects call to \"Win32_QuickFixEngineering\" in order to enumerate installed hotfixes often used in \"enum\" scripts by attackers", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery" ], "falsepositives": [ "Legitimate administration scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Win32\\_QuickFixEngineering%' ESCAPE '\\' AND ScriptBlockText LIKE '%HotFixID%' ESCAPE '\\')" ], "filename": "posh_ps_hotfix_enum.yml" }, { "title": "Dump Credentials from Windows Credential Manager With PowerShell", "id": "99c49d9c-34ea-45f7-84a7-4751ae6b2cbc", "status": "test", "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1555" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Get-PasswordVaultCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CredManCreds%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Windows.Security.Credentials.PasswordVault%' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.CSharp.CSharpCodeProvider%' ESCAPE '\\' AND ScriptBlockText LIKE '%[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())%' ESCAPE '\\' AND ScriptBlockText LIKE '%Collections.ArrayList%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.CodeDom.Compiler.CompilerParameters%' ESCAPE '\\')))" ], "filename": "posh_ps_dump_password_windows_credential_manager.yml" }, { "title": "Suspicious SSL Connection", "id": "195626f3-5f1b-4403-93b7-e6cfd4d6a078", "status": "test", "description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1573" ], "falsepositives": [ "Legitimate administrative script" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Net.Security.SslStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%Net.Security.RemoteCertificateValidationCallback%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AuthenticateAsClient%' ESCAPE '\\')" ], "filename": "posh_ps_susp_ssl_keyword.yml" }, { "title": "Malicious PowerShell Commandlets - ScriptBlock", "id": "89819aa4-bbd6-46bc-88ec-c7f7fe30efa6", "status": "test", "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "author": "Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer", "tags": [ "attack.execution", "attack.discovery", "attack.t1482", "attack.t1087", "attack.t1087.001", "attack.t1087.002", "attack.t1069.001", "attack.t1069.002", "attack.t1069", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Add-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Check-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR ScriptBlockText LIKE '%Decrypt-Hash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Exploit-Jboss%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADR%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRExcel%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRHTML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRJSON%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-ADRXML%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-Fruit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ADIDNS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChromeDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-FoxDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-GPPPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IndexedItem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LSASecret%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RickAstley%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Screenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServicePermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-System%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Unconstrained%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VaultCredential%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Login%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-SSP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Certify%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DAFT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DCSync%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Farmer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Gopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Grouper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Lockless%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MITM6%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PortScan%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSInject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RunAs%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SCShell%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Sharp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StandIn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tater%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Whisker%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WireTap%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR ScriptBlockText LIKE '%MailRaider%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-HoneyHash%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-InMemoryModule%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Minidump%' ESCAPE '\\' OR ScriptBlockText LIKE '%Port-Scan%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerBreach%' ESCAPE '\\' OR ScriptBlockText LIKE '%powercat %' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerUp%' ESCAPE '\\' OR ScriptBlockText LIKE '%PowerView%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MacAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Wallpaper%' ESCAPE '\\' OR ScriptBlockText LIKE '%Show-TargetScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-CaptureServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR ScriptBlockText LIKE '%VolumeShadowCopyTools%' ESCAPE '\\') AND NOT (((ScriptBlockText LIKE '%Get-SystemDriveInfo%' ESCAPE '\\' OR ScriptBlockText LIKE '%C:\\\\ProgramData\\\\Amazon\\\\EC2-Windows\\\\Launch\\\\Module\\\\%' ESCAPE '\\'))))" ], "filename": "posh_ps_malicious_commandlets.yml" }, { "title": "Recon Information for Export with PowerShell", "id": "a9723fcc-881c-424c-8709-fd61442ab3c3", "status": "test", "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data", "author": "frack113", "tags": [ "attack.collection", "attack.t1119" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Service %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ChildItem %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Process %' ESCAPE '\\') AND ScriptBlockText LIKE '%> $env:TEMP\\\\%' ESCAPE '\\')" ], "filename": "posh_ps_susp_recon_export.yml" }, { "title": "Suspicious Mount-DiskImage", "id": "29e1c216-6408-489d-8a06-ee9d151ef819", "status": "test", "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1553.005" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Mount-DiskImage %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ImagePath %' ESCAPE '\\')" ], "filename": "posh_ps_susp_mount_diskimage.yml" }, { "title": "Potential Suspicious Windows Feature Enabled", "id": "55c925c1-7195-426b-a136-a9396800e29b", "status": "experimental", "description": "Detects usage of the built-in PowerShell cmdlet \"Enable-WindowsOptionalFeature\" used as a Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", "author": "frack113", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Legitimate usage of the features listed in the rule." ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%TelnetServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Internet-Explorer-Optional-amd64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TFTP%' ESCAPE '\\' OR ScriptBlockText LIKE '%SMB1Protocol%' ESCAPE '\\' OR ScriptBlockText LIKE '%Client-ProjFS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft-Windows-Subsystem-Linux%' ESCAPE '\\'))" ], "filename": "posh_ps_enable_susp_windows_optional_feature.yml" }, { "title": "Suspicious PowerShell Download - Powershell Script", "id": "403c2cc0-7f6b-4925-9423-bfa573bed7eb", "status": "experimental", "description": "Detects suspicious PowerShell download command", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "PowerShell scripts that download content from the Internet" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.DownloadFile(%' ESCAPE '\\' OR ScriptBlockText LIKE '%.DownloadString(%' ESCAPE '\\'))" ], "filename": "posh_ps_susp_download.yml" }, { "title": "Suspicious New-PSDrive to Admin Share", "id": "1c563233-030e-4a07-af8c-ee0490a66d3a", "status": "experimental", "description": "Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.", "author": "frack113", "tags": [ "attack.lateral_movement", "attack.t1021.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-PSDrive%' ESCAPE '\\' AND ScriptBlockText LIKE '%-psprovider %' ESCAPE '\\' AND ScriptBlockText LIKE '%filesystem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-root %' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\\\\\\\*' ESCAPE '\\' AND ScriptBlockText LIKE '%$%' ESCAPE '\\')" ], "filename": "posh_ps_susp_new_psdrive.yml" }, { "title": "Clear PowerShell History - PowerShell", "id": "26b692dc-1722-49b2-b496-a8258aa6371d", "status": "experimental", "description": "Detects keywords that could indicate clearing PowerShell history", "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1070.003" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND ScriptBlockText LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%SaveNothing%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%del%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" ], "filename": "posh_ps_clear_powershell_history.yml" }, { "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell", "id": "a5a30a6e-75ca-4233-8b8c-42e0f2037d3b", "status": "experimental", "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%rundll32%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (ScriptBlockText LIKE '%value%' ESCAPE '\\' OR ScriptBlockText LIKE '%invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%comspec%' ESCAPE '\\' OR ScriptBlockText LIKE '%iex%' ESCAPE '\\'))" ], "filename": "posh_ps_invoke_obfuscation_via_use_rundll32.yml" }, { "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript", "id": "975b2262-9a49-439d-92a6-0709cccdf0b2", "status": "experimental", "description": "Detects usage of the \"Add-AppxPackage\" or it's alias \"Add-AppPackage\" to install unsigned AppX packages", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.defense_evasion" ], "falsepositives": [ "Installation of unsigned packages for testing purposes" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AppPackage %' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-AppxPackage %' ESCAPE '\\') AND ScriptBlockText LIKE '% -AllowUnsigned%' ESCAPE '\\')" ], "filename": "posh_ps_install_unsigned_appx_packages.yml" }, { "title": "Silence.EDA Detection", "id": "3ceb2083-a27f-449a-be33-14ec1b7cc973", "status": "test", "description": "Detects Silence EmpireDNSAgent as described in the Group-IP report", "author": "Alina Stepchenkova, Group-IB, oscd.community", "tags": [ "attack.execution", "attack.t1059.001", "attack.command_and_control", "attack.t1071.004", "attack.t1572", "attack.impact", "attack.t1529", "attack.g0091", "attack.s0363" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.Diagnostics.Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%Stop-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Restart-Computer%' ESCAPE '\\' AND ScriptBlockText LIKE '%Exception in execution%' ESCAPE '\\' AND ScriptBlockText LIKE '%$cmdargs%' ESCAPE '\\' AND ScriptBlockText LIKE '%Close-Dnscat2Tunnel%' ESCAPE '\\' AND ScriptBlockText LIKE '%set type=$LookupType`nserver%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Command | nslookup 2>&1 | Out-String%' ESCAPE '\\' AND ScriptBlockText LIKE '%New-RandomDNSField%' ESCAPE '\\' AND ScriptBlockText LIKE '%[Convert]::ToString($SYNOptions, 16)%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session.Dead = $True%' ESCAPE '\\' AND ScriptBlockText LIKE '%$Session[\"Driver\"] -eq%' ESCAPE '\\')" ], "filename": "posh_ps_apt_silence_eda.yml" }, { "title": "Suspicious Export-PfxCertificate", "id": "aa7a3fce-bef5-4311-9cc1-5f04bb8c308c", "status": "test", "description": "Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal private keys from compromised machines", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1552.004" ], "falsepositives": [ "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Export-PfxCertificate%' ESCAPE '\\' AND NOT ((ScriptBlockText LIKE '%CmdletsToExport = @(%' ESCAPE '\\')))" ], "filename": "posh_ps_susp_export_pfxcertificate.yml" }, { "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell", "id": "e6cb92b4-b470-4eb8-8a9d-d63e8583aae0", "status": "experimental", "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%rundll32.exe%' ESCAPE '\\' AND ScriptBlockText LIKE '%shell32.dll%' ESCAPE '\\' AND ScriptBlockText LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND ScriptBlockText LIKE '%powershell%' ESCAPE '\\')" ], "filename": "posh_ps_invoke_obfuscation_via_rundll.yml" }, { "title": "Code Executed Via Office Add-in XLL File", "id": "36fbec91-fa1b-4d5d-8df1-8d8edcb632ad", "status": "test", "description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", "author": "frack113", "tags": [ "attack.persistence", "attack.t1137.006" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject %' ESCAPE '\\' AND ScriptBlockText LIKE '%.application%' ESCAPE '\\' AND ScriptBlockText LIKE '%.RegisterXLL%' ESCAPE '\\')" ], "filename": "posh_ps_office_comobject_registerxll.yml" }, { "title": "Potential Active Directory Enumeration Using AD Module - PsScript", "id": "9e620995-f2d8-4630-8430-4afd89f77604", "status": "experimental", "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.reconnaissance", "attack.discovery", "attack.impact" ], "falsepositives": [ "Legitimate use of the library for administrative activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Import-Module %' ESCAPE '\\' AND ScriptBlockText LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\') OR ScriptBlockText LIKE '%ipmo Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\'))" ], "filename": "posh_ps_active_directory_module_dll_import.yml" }, { "title": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy", "id": "bbb9495b-58fc-4016-b9df-9a3a1b67ca82", "status": "test", "description": "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.", "author": "frack113", "tags": [ "attack.discovery", "attack.t1201" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-AdDefaultDomainPasswordPolicy%' ESCAPE '\\')" ], "filename": "posh_ps_susp_get_addefaultdomainpasswordpolicy.yml" }, { "title": "Add New Windows Capability - ScriptBlock", "id": "155c7fd5-47b4-49b2-bbeb-eb4fab335429", "status": "experimental", "description": "Detects usage of the \"Add-WindowsCapability\" cmdlet to add new windows capabilities. Notable capabilities could be \"OpenSSH\" and others.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution" ], "falsepositives": [ "Legitimate usage of the capabilities by administartors or users. Filter accordingly" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-WindowsCapability %' ESCAPE '\\' AND ScriptBlockText LIKE '%OpenSSH.%' ESCAPE '\\')" ], "filename": "posh_ps_add_windows_capability.yml" }, { "title": "Potential AMSI Bypass Using NULL Bits - ScriptBlockLogging", "id": "fa2559c8-1197-471d-9cdd-05a0273d4522", "status": "experimental", "description": "Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%if(0){{{0}}}'' -f $(0 -as [char]) +%' ESCAPE '\\' OR ScriptBlockText LIKE '%#%' ESCAPE '\\'))" ], "filename": "posh_ps_amsi_null_bits_bypass.yml" }, { "title": "PowerShell Deleted Mounted Share", "id": "66a4d409-451b-4151-94f4-a55d559c49b0", "status": "test", "description": "Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation", "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", "attack.t1070.005" ], "falsepositives": [ "Administrators or Power users may remove their shares via cmd line" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Remove-SmbShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-FileShare%' ESCAPE '\\'))" ], "filename": "posh_ps_susp_mounted_share_deletion.yml" }, { "title": "PowerShell WMI Win32_Product Install MSI", "id": "91109523-17f0-4248-a800-f81d9e7c081d", "status": "experimental", "description": "Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218.007" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-CimMethod %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName %' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Product %' ESCAPE '\\' AND ScriptBlockText LIKE '%-MethodName %' ESCAPE '\\' AND ScriptBlockText LIKE '%.msi%' ESCAPE '\\')" ], "filename": "posh_ps_win32_product_install_msi.yml" }, { "title": "Powershell Sensitive File Discovery", "id": "7d416556-6502-45b2-9bad-9d2f05f38997", "status": "experimental", "description": "Detect adversaries enumerate sensitive files", "author": "frack113", "tags": [ "attack.discovery", "attack.t1083" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%ls%' ESCAPE '\\' OR ScriptBlockText LIKE '%get-childitem%' ESCAPE '\\' OR ScriptBlockText LIKE '%gci%' ESCAPE '\\') AND ScriptBlockText LIKE '%-recurse%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.pass%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdbx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.kdb%' ESCAPE '\\'))" ], "filename": "posh_ps_sensitive_file_discovery.yml" }, { "title": "Tamper Windows Defender - ScriptBlockLogging", "id": "14c71865-6cd3-44ae-adaa-1db923fae5f2", "status": "experimental", "description": "Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.", "author": "frack113, elhoim, Tim Shelton (fps, alias support)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%DisableRealtimeMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles 1%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRealtimeMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBehaviorMonitoring $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScriptScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableArchiveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableBlockAtFirstSeen $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIOAVProtection $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableIntrusionPreventionSystem $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableRemovableDriveScanning $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningMappedNetworkDrivesForFullScan $true%' ESCAPE '\\' OR ScriptBlockText LIKE '%DisableScanningNetworkFiles $true%' ESCAPE '\\')) OR ((ScriptBlockText LIKE '%Set-MpPreference%' ESCAPE '\\' AND ScriptBlockText LIKE '%Allow%' ESCAPE '\\' AND (ScriptBlockText LIKE '%LowThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%ModerateThreatDefaultAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%HighThreatDefaultAction%' ESCAPE '\\')) OR (ScriptBlockText LIKE '%ltdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%mtdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%htdefac %' ESCAPE '\\' OR ScriptBlockText LIKE '%stdefac %' ESCAPE '\\'))))" ], "filename": "posh_ps_tamper_defender.yml" }, { "title": "Active Directory Group Enumeration With Get-AdGroup", "id": "8c3a6607-b7dc-4f0d-a646-ef38c00b76ee", "status": "experimental", "description": "Detects usage of the \"Get-AdGroup\" cmdlet to enumerate Groups within Active Directory", "author": "frack113", "tags": [ "attack.discovery", "attack.t1069.002" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-AdGroup %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\')" ], "filename": "posh_ps_get_adgroup.yml" }, { "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging", "id": "ae2bdd58-0681-48ac-be7f-58ab4e593458", "status": "experimental", "description": "Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-MpPreference%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-ControlledFolderAccessProtectedFolders %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Ids %' ESCAPE '\\' OR ScriptBlockText LIKE '%-AttackSurfaceReductionRules\\_Actions %' ESCAPE '\\' OR ScriptBlockText LIKE '%-CheckForSignaturesBeforeRunningScan %' ESCAPE '\\'))" ], "filename": "posh_ps_tamper_defender_remove_mppreference.yml" }, { "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell", "id": "20e5497e-331c-4cd5-8d36-935f6e2a9a07", "status": "experimental", "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%new-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (ScriptBlockText LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR ScriptBlockText LIKE '%system.io.streamreader%' ESCAPE '\\') AND ScriptBlockText LIKE '%readtoend' ESCAPE '\\')" ], "filename": "posh_ps_invoke_obfuscation_via_compress.yml" }, { "title": "Suspicious Unblock-File", "id": "5947497f-1aa4-41dd-9693-c9848d58727d", "status": "test", "description": "Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1553.005" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Unblock-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\')" ], "filename": "posh_ps_susp_unblock_file.yml" }, { "title": "Powershell Local Email Collection", "id": "2837e152-93c8-43d2-85ba-c3cd3c2ae614", "status": "test", "description": "Adversaries may target user email on local systems to collect sensitive information.\nFiles containing email data can be acquired from a users local system, such as Outlook storage or cache files.\n", "author": "frack113", "tags": [ "attack.collection", "attack.t1114.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-Inbox.ps1%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Office.Interop.Outlook.olDefaultFolders%' ESCAPE '\\' OR ScriptBlockText LIKE '%-comobject outlook.application%' ESCAPE '\\'))" ], "filename": "posh_ps_susp_mail_acces.yml" }, { "title": "Execution via CL_Invocation.ps1 - Powershell", "id": "4cd29327-685a-460e-9dac-c3ab96e549dc", "status": "experimental", "description": "Detects Execution via SyncInvoke in CL_Invocation.ps1 module", "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.defense_evasion", "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Invocation.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%SyncInvoke%' ESCAPE '\\')" ], "filename": "posh_ps_cl_invocation_lolscript.yml" }, { "title": "Potential Data Exfiltration Via Audio File", "id": "e4f93c99-396f-47c8-bb0f-201b1fa69034", "status": "experimental", "description": "Detects potential exfiltration attempt via audio file using PowerShell", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.exfiltration" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Math]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%[IO.FileMode]::%' ESCAPE '\\' AND ScriptBlockText LIKE '%BinaryWriter%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x52%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x49%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x46%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x57%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x41%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x56%' ESCAPE '\\' AND ScriptBlockText LIKE '%0x45%' ESCAPE '\\' AND ScriptBlockText LIKE '%0xAC%' ESCAPE '\\')" ], "filename": "posh_ps_audio_exfiltration.yml" }, { "title": "Malicious Nishang PowerShell Commandlets", "id": "f772cee9-b7c2-4cb2-8f07-49870adc02e0", "status": "experimental", "description": "Detects Commandlet names and arguments from the Nishang exploitation framework", "author": "Alec Costello", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-ConstrainedDelegationBackdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Copy-VSS%' ESCAPE '\\' OR ScriptBlockText LIKE '%Create-MultipleSessions%' ESCAPE '\\' OR ScriptBlockText LIKE '%DataToEncode%' ESCAPE '\\' OR ScriptBlockText LIKE '%DNS\\_TXT\\_Pwnage%' ESCAPE '\\' OR ScriptBlockText LIKE '%Do-Exfiltration-Dns%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download\\_Execute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Download-Execute-PS%' ESCAPE '\\' OR ScriptBlockText LIKE '%DownloadAndExtractFromRemoteRegistry%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' OR ScriptBlockText LIKE '%DumpHashes%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-DuplicateToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-Duplication%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-Command-MSSQL%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-DNSTXT-Code%' ESCAPE '\\' OR ScriptBlockText LIKE '%Execute-OnTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExetoText%' ESCAPE '\\' OR ScriptBlockText LIKE '%exfill%' ESCAPE '\\' OR ScriptBlockText LIKE '%ExfilOption%' ESCAPE '\\' OR ScriptBlockText LIKE '%FakeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireBuster%' ESCAPE '\\' OR ScriptBlockText LIKE '%FireListener%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Information %' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PassHints%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Web-Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WebCredentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WLAN-Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%HTTP-Backdoor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AmsiBypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-BruteForce%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CredentialsPhish%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Decode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Encode%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Interceptor%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRegsvr%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-JSRatRundll%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MimikatzWDigestDowngrade%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-NetworkRelay%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellIcmp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PowerShellUdp%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Prasadhak%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PSGcat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-PsGcatAgent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SessionGopher%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-SSIDExfil%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoggedKeys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Nishang%' ESCAPE '\\' OR ScriptBlockText LIKE '%NotAllNameSpaces%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-CHM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OUT-DNSTXT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-HTA%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-RundllCommand%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCF%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-SCT%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Shortcut%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-WebQuery%' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-Word%' ESCAPE '\\' OR ScriptBlockText LIKE '%Parse\\_Keys%' ESCAPE '\\' OR ScriptBlockText LIKE '%Password-List%' ESCAPE '\\' OR ScriptBlockText LIKE '%Powerpreter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Persistence%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-PoshRat%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-Update%' ESCAPE '\\' OR ScriptBlockText LIKE '%Run-EXEonRemote%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DCShadowPermissions%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemotePSRemoting%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-RemoteWMI%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode32%' ESCAPE '\\' OR ScriptBlockText LIKE '%Shellcode64%' ESCAPE '\\' OR ScriptBlockText LIKE '%StringtoBase64%' ESCAPE '\\' OR ScriptBlockText LIKE '%TexttoExe%' ESCAPE '\\'))" ], "filename": "posh_ps_nishang_malicious_commandlets.yml" }, { "title": "Execution via CL_Mutexverifiers.ps1", "id": "39776c99-1c7b-4ba0-b5aa-641525eee1a4", "status": "test", "description": "Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module", "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.defense_evasion", "attack.t1216" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CL\\_Mutexverifiers.ps1%' ESCAPE '\\' AND ScriptBlockText LIKE '%runAfterCancelProcess%' ESCAPE '\\')" ], "filename": "posh_ps_cl_mutexverifiers_lolscript.yml" }, { "title": "PowerShell Write-EventLog Usage", "id": "35f41cd7-c98e-469f-8a02-ec4ba0cc7a7e", "status": "experimental", "description": "Detects usage of the \"Write-EventLog\" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion" ], "falsepositives": [ "Legitimate applications writing events via this cmdlet. Investigate alerts to determine if the action is benign" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Write-EventLog%' ESCAPE '\\' AND ScriptBlockText LIKE '%-RawData %' ESCAPE '\\')" ], "filename": "posh_ps_susp_write_eventlog.yml" }, { "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction", "id": "dddfebae-c46f-439c-af7a-fdb6bde90218", "status": "test", "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", "author": "Ensar Şamil, @sblmsrsn, OSCD Community", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "App-V clients" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" ], "filename": "posh_ps_syncappvpublishingserver_exe.yml" }, { "title": "Windows PowerShell Upload Web Request", "id": "d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb", "status": "experimental", "description": "Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command", "author": "frack113", "tags": [ "attack.exfiltration", "attack.t1020" ], "falsepositives": [ "Legitimate script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' OR ScriptBlockText LIKE '%iwr %' ESCAPE '\\') AND ScriptBlockText LIKE '%-Method %' ESCAPE '\\' AND (ScriptBlockText LIKE '% Put %' ESCAPE '\\' OR ScriptBlockText LIKE '% Post %' ESCAPE '\\'))" ], "filename": "posh_ps_upload.yml" }, { "title": "Access to Browser Login Data", "id": "fc028194-969d-4122-8abe-0470d5b8f12f", "status": "test", "description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1555.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Opera Software\\\\Opera Stable\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Mozilla\\\\Firefox\\\\Profiles%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Microsoft\\\\Edge\\\\User Data\\\\Default%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\Login Data For Account%' ESCAPE '\\'))" ], "filename": "posh_ps_access_to_browser_login_data.yml" }, { "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell", "id": "e55a5195-4724-480e-a77e-3ebe64bd3759", "status": "experimental", "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%set%' ESCAPE '\\' AND ScriptBlockText LIKE '%&&%' ESCAPE '\\' AND ScriptBlockText LIKE '%mshta%' ESCAPE '\\' AND ScriptBlockText LIKE '%vbscript:createobject%' ESCAPE '\\' AND ScriptBlockText LIKE '%.run%' ESCAPE '\\' AND ScriptBlockText LIKE '%(window.close)%' ESCAPE '\\')" ], "filename": "posh_ps_invoke_obfuscation_via_use_mhsta.yml" }, { "title": "Live Memory Dump Using Powershell", "id": "cd185561-4760-45d6-a63e-a51325112cae", "status": "test", "description": "Detects usage of a PowerShell command to dump the live memory of a Windows machine", "author": "Max Altgelt (Nextron Systems)", "tags": [ "attack.t1003" ], "falsepositives": [ "Diagnostics" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-StorageDiagnosticInfo%' ESCAPE '\\' AND ScriptBlockText LIKE '%-IncludeLiveDump%' ESCAPE '\\')" ], "filename": "posh_ps_memorydump_getstoragediagnosticinfo.yml" }, { "title": "Suspicious Eventlog Clear", "id": "0f017df3-8f5a-414f-ad6b-24aff1128278", "status": "experimental", "description": "Detects usage of known powershell cmdlets such as \"Clear-EventLog\" to clear the windows event logs", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1070.001" ], "falsepositives": [ "Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Clear-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Limit-EventLog %' ESCAPE '\\' OR ScriptBlockText LIKE '%Clear-WinEvent %' ESCAPE '\\'))" ], "filename": "posh_ps_susp_clear_eventlog.yml" }, { "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell", "id": "c2993223-6da8-4b1a-88ee-668b8bf315e9", "status": "experimental", "description": "Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1033" ], "falsepositives": [ "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% > %' ESCAPE '\\' OR ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" ], "filename": "posh_ps_user_discovery_get_aduser.yml" }, { "title": "Automated Collection Command PowerShell", "id": "c1dda054-d638-4c16-afc8-53e007f3fbc5", "status": "test", "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data.", "author": "frack113", "tags": [ "attack.collection", "attack.t1119" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.doc%' ESCAPE '\\' OR ScriptBlockText LIKE '%.docx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xls%' ESCAPE '\\' OR ScriptBlockText LIKE '%.xlsx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.ppt%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pptx%' ESCAPE '\\' OR ScriptBlockText LIKE '%.rtf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.pdf%' ESCAPE '\\' OR ScriptBlockText LIKE '%.txt%' ESCAPE '\\') AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Recurse %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Include %' ESCAPE '\\')" ], "filename": "posh_ps_automated_collection.yml" }, { "title": "Powershell DNSExfiltration", "id": "d59d7842-9a21-4bc6-ba98-64bfe0091355", "status": "test", "description": "DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel", "author": "frack113", "tags": [ "attack.exfiltration", "attack.t1048" ], "falsepositives": [ "Legitimate script" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Invoke-DNSExfiltrator%' ESCAPE '\\' OR (ScriptBlockText LIKE '% -i %' ESCAPE '\\' AND ScriptBlockText LIKE '% -d %' ESCAPE '\\' AND ScriptBlockText LIKE '% -p %' ESCAPE '\\' AND ScriptBlockText LIKE '% -doh %' ESCAPE '\\' AND ScriptBlockText LIKE '% -t %' ESCAPE '\\')))" ], "filename": "posh_ps_invoke_dnsexfiltration.yml" }, { "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell", "id": "779c8c12-0eb1-11eb-adc1-0242ac120002", "status": "experimental", "description": "Detects Obfuscated use of stdin to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$?\\{?input\\}?|noexit).+\"')" ], "filename": "posh_ps_invoke_obfuscation_stdin.yml" }, { "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script", "id": "df69cb1d-b891-4cd9-90c7-d617d90100ce", "status": "experimental", "description": "Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.", "author": "frack113", "falsepositives": [ "Legitimate administrative script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%FromBase64String%' ESCAPE '\\' AND ScriptBlockText LIKE '%MemoryStream%' ESCAPE '\\' AND ScriptBlockText LIKE '%H4sI%' ESCAPE '\\')" ], "filename": "posh_ps_frombase64string_archive.yml" }, { "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS", "id": "22d80745-6f2c-46da-826b-77adaededd74", "status": "experimental", "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", "attack.t1574.011" ], "falsepositives": [ "Rare intended use of hidden services", "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%D;;%' ESCAPE '\\' AND (ScriptBlockText LIKE '%;;;IU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SU%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;BA%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;SY%' ESCAPE '\\' OR ScriptBlockText LIKE '%;;;WD%' ESCAPE '\\'))" ], "filename": "posh_ps_susp_service_dacl_modification_set_service.yml" }, { "title": "PowerShell Get-Process LSASS in ScriptBlock", "id": "84c174ab-d3ef-481f-9c86-a50d0b8e3edb", "status": "test", "description": "Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process lsass%' ESCAPE '\\')" ], "filename": "posh_ps_susp_getprocess_lsass.yml" }, { "title": "Suspicious Get-WmiObject", "id": "0332a266-b584-47b4-933d-a00b103e1b37", "status": "experimental", "description": "The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers", "author": "frack113", "tags": [ "attack.persistence", "attack.t1546" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\') AND NOT ((Path LIKE '%\\\\CL\\_Utility.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%function Get-FreeSpace%' ESCAPE '\\' AND ScriptBlockText LIKE '%SELECT % FROM Win32\\_LogicalDisk WHERE MediaType=12%' ESCAPE '\\')))" ], "filename": "posh_ps_susp_gwmi.yml" }, { "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script", "id": "b7a3c9a3-09ea-4934-8864-6a32cacd98d9", "status": "experimental", "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", "author": "frack113", "tags": [ "attack.collection", "attack.t1074.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Compress-Archive %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Path %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DestinationPath %' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], "filename": "posh_ps_susp_zip_compress.yml" }, { "title": "Get-ADUser Enumeration Using UserAccountControl Flags", "id": "96c982fe-3d08-4df4-bed2-eb14e02f21c8", "status": "test", "description": "Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.", "author": "frack113", "tags": [ "attack.discovery", "attack.t1033" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADUser%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\' AND ScriptBlockText LIKE '%useraccountcontrol%' ESCAPE '\\' AND ScriptBlockText LIKE '%-band%' ESCAPE '\\' AND ScriptBlockText LIKE '%4194304%' ESCAPE '\\')" ], "filename": "posh_ps_as_rep_roasting.yml" }, { "title": "Troubleshooting Pack Cmdlet Execution", "id": "03409c93-a7c7-49ba-9a4c-a00badf2a153", "status": "experimental", "description": "Detects execution of \"TroubleshootingPack\" cmdlets to leverage CVE-2022-30190 or action similar to \"msdt\" lolbin (as described in LOLBAS)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1202" ], "falsepositives": [ "Legitimate usage of \"TroubleshootingPack\" cmdlet for troubleshooting purposes" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-TroubleshootingPack%' ESCAPE '\\' AND ScriptBlockText LIKE '%C:\\\\Windows\\\\Diagnostics\\\\System\\\\PCW%' ESCAPE '\\' AND ScriptBlockText LIKE '%-AnswerFile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Unattended%' ESCAPE '\\')" ], "filename": "posh_ps_susp_follina_execution.yml" }, { "title": "Powershell Execute Batch Script", "id": "b5522a23-82da-44e5-9c8b-e10ed8955f88", "status": "test", "description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system\n", "author": "frack113", "tags": [ "attack.execution", "attack.t1059.003" ], "falsepositives": [ "Legitimate administration script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND (ScriptBlockText LIKE '%.cmd%' ESCAPE '\\' OR ScriptBlockText LIKE '%.bat%' ESCAPE '\\'))" ], "filename": "posh_ps_susp_execute_batch_script.yml" }, { "title": "PowerShell ShellCode", "id": "16b37b70-6fcf-4814-a092-c36bd3aafcbd", "status": "test", "description": "Detects Base64 encoded Shellcode", "author": "David Ledbetter (shellcode), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1055", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%AAAAYInlM%' ESCAPE '\\' AND (ScriptBlockText LIKE '%OiCAAAAYInlM%' ESCAPE '\\' OR ScriptBlockText LIKE '%OiJAAAAYInlM%' ESCAPE '\\'))" ], "filename": "posh_ps_shellcode_b64.yml" }, { "title": "Suspicious Invoke-Item From Mount-DiskImage", "id": "902cedee-0398-4e3a-8183-6f3a89773a96", "status": "test", "description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1553.005" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Mount-DiskImage %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ImagePath %' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-Volume%' ESCAPE '\\' AND ScriptBlockText LIKE '%.DriveLetter%' ESCAPE '\\' AND ScriptBlockText LIKE '%invoke-item %' ESCAPE '\\' AND ScriptBlockText LIKE '%):\\\\%' ESCAPE '\\')" ], "filename": "posh_ps_run_from_mount_diskimage.yml" }, { "title": "Execute Invoke-command on Remote Host", "id": "7b836d7f-179c-4ba4-90a7-a7e60afb48e6", "status": "test", "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", "author": "frack113", "tags": [ "attack.lateral_movement", "attack.t1021.006" ], "falsepositives": [ "Legitimate script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%invoke-command %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ComputerName %' ESCAPE '\\')" ], "filename": "posh_ps_invoke_command_remote.yml" }, { "title": "Change PowerShell Policies to an Insecure Level - PowerShell", "id": "61d0475c-173f-4844-86f7-f3eebae1c66b", "status": "experimental", "description": "Detects use of Set-ExecutionPolicy to set insecure policies", "author": "frack113", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Administrator script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Set-ExecutionPolicy%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Unrestricted%' ESCAPE '\\' OR ScriptBlockText LIKE '%bypass%' ESCAPE '\\' OR ScriptBlockText LIKE '%RemoteSigned%' ESCAPE '\\')) AND NOT ((ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://chocolatey.org/install.ps1'')%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\AppData\\\\Roaming\\\\Code\\\\%' ESCAPE '\\')))" ], "filename": "posh_ps_set_policies_to_unsecure_level.yml" }, { "title": "Clearing Windows Console History", "id": "bde47d4b-9987-405c-94c7-b080410e8ea7", "status": "test", "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", "attack.t1070", "attack.t1070.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Clear-History%' ESCAPE '\\' OR ((ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' OR ScriptBlockText LIKE '%rm%' ESCAPE '\\') AND (ScriptBlockText LIKE '%ConsoleHost\\_history.txt%' ESCAPE '\\' OR ScriptBlockText LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\'))))" ], "filename": "posh_ps_clearing_windows_console_history.yml" }, { "title": "PSAsyncShell - Asynchronous TCP Reverse Shell", "id": "afd3df04-948d-46f6-ae44-25966c44b97f", "status": "experimental", "description": "Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PSAsyncShell%' ESCAPE '\\')" ], "filename": "posh_ps_psasyncshell.yml" }, { "title": "Powershell Add Name Resolution Policy Table Rule", "id": "4368354e-1797-463c-bc39-a309effbe8d7", "status": "test", "description": "Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace.\nThis will bypass the default DNS server and uses a specified server for answering the query.\n", "author": "Borna Talebi", "tags": [ "attack.impact", "attack.t1565" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-DnsClientNrptRule%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namesp%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSe%' ESCAPE '\\')" ], "filename": "posh_ps_add_dnsclient_rule.yml" }, { "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell", "id": "73e67340-0d25-11eb-adc1-0242ac120002", "status": "experimental", "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], "filename": "posh_ps_invoke_obfuscation_clip.yml" }, { "title": "Windows Firewall Profile Disabled", "id": "488b44e7-3781-4a71-888d-c95abfacf44d", "status": "experimental", "description": "Detects when a user disables the Windows Firewall via a Profile to help evade defense.", "author": "Austin Songer @austinsonger", "tags": [ "attack.defense_evasion", "attack.t1562.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-NetFirewallProfile %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Enabled %' ESCAPE '\\' AND ScriptBlockText LIKE '% False%' ESCAPE '\\' AND (ScriptBlockText LIKE '% -All %' ESCAPE '\\' OR ScriptBlockText LIKE '%Public%' ESCAPE '\\' OR ScriptBlockText LIKE '%Domain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Private%' ESCAPE '\\'))" ], "filename": "posh_ps_windows_firewall_profile_disabled.yml" }, { "title": "Potential WinAPI Calls Via PowerShell Scripts", "id": "03d83090-8cba-44a0-b02f-0b756a050306", "status": "experimental", "description": "Detects use of WinAPI Functions in PowerShell scripts", "author": "Nikita Nazarov, oscd.community, Tim Shelton", "tags": [ "attack.execution", "attack.t1059.001", "attack.t1106" ], "falsepositives": [ "Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%AddSecurityPackage%' ESCAPE '\\' OR ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%Advapi32%' ESCAPE '\\' OR ScriptBlockText LIKE '%CloseHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateProcessWithToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateRemoteThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%CreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%DangerousGetHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%DuplicateTokenEx%' ESCAPE '\\' OR ScriptBlockText LIKE '%EnumerateSecurityPackages%' ESCAPE '\\' OR ScriptBlockText LIKE '%FreeLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetDelegateForFunctionPointer%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetLogonSessionData%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetModuleHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetProcessHandle%' ESCAPE '\\' OR ScriptBlockText LIKE '%GetTokenInformation%' ESCAPE '\\' OR ScriptBlockText LIKE '%ImpersonateLoggedOnUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%kernel32%' ESCAPE '\\' OR ScriptBlockText LIKE '%LoadLibrary%' ESCAPE '\\' OR ScriptBlockText LIKE '%memcpy%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%msvcrt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ntdll%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenDesktop%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenProcessToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%OpenWindowStation%' ESCAPE '\\' OR ScriptBlockText LIKE '%QueueUserApc%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%RtlCreateUserThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%secur32%' ESCAPE '\\' OR ScriptBlockText LIKE '%SetThreadToken%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualAlloc%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualFree%' ESCAPE '\\' OR ScriptBlockText LIKE '%VirtualProtect%' ESCAPE '\\' OR ScriptBlockText LIKE '%WaitForSingleObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteInt32%' ESCAPE '\\' OR ScriptBlockText LIKE '%WriteProcessMemory%' ESCAPE '\\' OR ScriptBlockText LIKE '%ZeroFreeGlobalAllocUnicode%' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '# Copyright 2016 Amazon.com, Inc. or its affiliates.%' ESCAPE '\\' AND ScriptBlockText LIKE '%function Import-SerialPortUtil %' ESCAPE '\\')))" ], "filename": "posh_ps_accessing_win_api.yml" }, { "title": "Enumerate Credentials from Windows Credential Manager With PowerShell", "id": "603c6630-5225-49c1-8047-26c964553e0e", "status": "test", "description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1555" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%vaultcmd%' ESCAPE '\\' AND ScriptBlockText LIKE '%/listcreds:%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows Credentials%' ESCAPE '\\' OR ScriptBlockText LIKE '%Web Credentials%' ESCAPE '\\'))" ], "filename": "posh_ps_enumerate_password_windows_credential_manager.yml" }, { "title": "Potential Keylogger Activity", "id": "965e2db9-eddb-4cf6-a986-7a967df651e4", "status": "experimental", "description": "Detects PowerShell scripts that contains reference to keystroke capturing functions", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.collection", "attack.credential_access", "attack.t1056.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Windows.Input.Keyboard]::IsKeyDown([System.Windows.Input.Key]::%' ESCAPE '\\')" ], "filename": "posh_ps_susp_keylogger_activity.yml" }, { "title": "Potential PowerShell Obfuscation Using Alias Cmdlets", "id": "96cd126d-f970-49c4-848a-da3a09f55c55", "status": "experimental", "description": "Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.execution", "attack.t1027", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Set-Alias %' ESCAPE '\\' OR ScriptBlockText LIKE '%New-Alias %' ESCAPE '\\'))" ], "filename": "posh_ps_susp_set_alias.yml" }, { "title": "Potential Invoke-Mimikatz PowerShell Script", "id": "189e3b02-82b2-4b90-9662-411eb64486d4", "status": "experimental", "description": "Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.", "author": "Tim Rauch", "tags": [ "attack.credential_access", "attack.t1003" ], "falsepositives": [ "Mimikatz can be useful for testing the security of networks" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%DumpCreds%' ESCAPE '\\' AND ScriptBlockText LIKE '%DumpCerts%' ESCAPE '\\') OR ScriptBlockText LIKE '%sekurlsa::logonpasswords%' ESCAPE '\\' OR (ScriptBlockText LIKE '%crypto::certificates%' ESCAPE '\\' AND ScriptBlockText LIKE '%CERT\\_SYSTEM\\_STORE\\_LOCAL\\_MACHINE%' ESCAPE '\\')))" ], "filename": "posh_ps_potential_invoke_mimikatz.yml" }, { "title": "Testing Usage of Uncommonly Used Port", "id": "adf876b3-f1f8-4aa9-a4e4-a64106feec06", "status": "test", "description": "Adversaries may communicate using a protocol and port paring that are typically not associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1571" ], "falsepositives": [ "Legitimate administrative script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Test-NetConnection%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComputerName %' ESCAPE '\\' AND ScriptBlockText LIKE '%-port %' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '% 443 %' ESCAPE '\\' OR ScriptBlockText LIKE '% 80 %' ESCAPE '\\')))" ], "filename": "posh_ps_test_netconnection.yml" }, { "title": "Automated Collection Bookmarks Using Get-ChildItem PowerShell", "id": "e0565f5d-d420-4e02-8a68-ac00d864f9cf", "status": "test", "description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", "author": "frack113", "tags": [ "attack.discovery", "attack.t1217" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Recurse %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Path %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter Bookmarks%' ESCAPE '\\' AND ScriptBlockText LIKE '% -ErrorAction SilentlyContinue%' ESCAPE '\\' AND ScriptBlockText LIKE '% -Force%' ESCAPE '\\')" ], "filename": "posh_ps_get_childitem_bookmarks.yml" }, { "title": "Manipulation of User Computer or Group Security Principals Across AD", "id": "b29a93fb-087c-4b5b-a84d-ee3309e69d08", "status": "test", "description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..\n", "author": "frack113", "tags": [ "attack.persistence", "attack.t1136.002" ], "falsepositives": [ "Legitimate administrative script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.DirectoryServices.AccountManagement%' ESCAPE '\\')" ], "filename": "posh_ps_directoryservices_accountmanagement.yml" }, { "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell", "id": "0adfbc14-0ed1-11eb-adc1-0242ac120002", "status": "experimental", "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], "filename": "posh_ps_invoke_obfuscation_var.yml" }, { "title": "Powershell Timestomp", "id": "c6438007-e081-42ce-9483-b067fbef33c3", "status": "test", "description": "Adversaries may modify file time attributes to hide new or changes to existing files.\nTimestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.\n", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1070.006" ], "falsepositives": [ "Legitimate admin script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%.CreationTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastWriteTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%.LastAccessTime =%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetCreationTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastAccessTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%[IO.File]::SetLastWriteTime%' ESCAPE '\\'))" ], "filename": "posh_ps_timestomp.yml" }, { "title": "Request A Single Ticket via PowerShell", "id": "a861d835-af37-4930-bcd6-5b178bfb54df", "status": "test", "description": "utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.\nThis behavior is typically used during a kerberos or silver ticket attack.\nA successful execution will output the SPNs for the endpoint in question.\n", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1558.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%System.IdentityModel.Tokens.KerberosRequestorSecurityToken%' ESCAPE '\\')" ], "filename": "posh_ps_request_kerberos_ticket.yml" }, { "title": "HackTool - Rubeus Execution - ScriptBlock", "id": "3245cd30-e015-40ff-a31d-5cadd5f377ec", "status": "experimental", "description": "Detects the execution of the hacktool Rubeus using specific command line flags", "author": "Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003", "attack.t1558.003", "attack.lateral_movement", "attack.t1550.003" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%asreproast %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /service:krbtgt %' ESCAPE '\\' OR ScriptBlockText LIKE '%dump /luid:0x%' ESCAPE '\\' OR ScriptBlockText LIKE '%kerberoast %' ESCAPE '\\' OR ScriptBlockText LIKE '%createnetonly /program:%' ESCAPE '\\' OR ScriptBlockText LIKE '%ptt /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%/impersonateuser:%' ESCAPE '\\' OR ScriptBlockText LIKE '%renew /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%asktgt /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%harvest /interval:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /user:%' ESCAPE '\\' OR ScriptBlockText LIKE '%s4u /ticket:%' ESCAPE '\\' OR ScriptBlockText LIKE '%hash /password:%' ESCAPE '\\' OR ScriptBlockText LIKE '%golden /aes256:%' ESCAPE '\\' OR ScriptBlockText LIKE '%silver /user:%' ESCAPE '\\'))" ], "filename": "posh_ps_hktl_rubeus.yml" }, { "title": "Disable of ETW Trace - Powershell", "id": "115fdba9-f017-42e6-84cf-d5573bf2ddf8", "status": "experimental", "description": "Detects usage of powershell cmdlets to disable or remove ETW trace sessions", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1070", "attack.t1562.006", "car.2016-04-002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-EtwTraceProvider %' ESCAPE '\\' OR (ScriptBlockText LIKE '%Set-EtwTraceProvider %' ESCAPE '\\' AND ScriptBlockText LIKE '%0x11%' ESCAPE '\\')))" ], "filename": "posh_ps_etw_trace_evasion.yml" }, { "title": "Malicious PowerShell Keywords", "id": "f62176f3-8128-4faa-bf6c-83261322e5eb", "status": "test", "description": "Detects keywords from well-known PowerShell exploitation frameworks", "author": "Sean Metcalf (source), Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%AdjustTokenPrivileges%' ESCAPE '\\' OR ScriptBlockText LIKE '%IMAGE\\_NT\\_OPTIONAL\\_HDR64\\_MAGIC%' ESCAPE '\\' OR ScriptBlockText LIKE '%Microsoft.Win32.UnsafeNativeMethods%' ESCAPE '\\' OR ScriptBlockText LIKE '%ReadProcessMemory.Invoke%' ESCAPE '\\' OR ScriptBlockText LIKE '%SE\\_PRIVILEGE\\_ENABLED%' ESCAPE '\\' OR ScriptBlockText LIKE '%LSA\\_UNICODE\\_STRING%' ESCAPE '\\' OR ScriptBlockText LIKE '%MiniDumpWriteDump%' ESCAPE '\\' OR ScriptBlockText LIKE '%PAGE\\_EXECUTE\\_READ%' ESCAPE '\\' OR ScriptBlockText LIKE '%SECURITY\\_DELEGATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ADJUST\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ALL\\_ACCESS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ASSIGN\\_PRIMARY%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_DUPLICATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_ELEVATION%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_IMPERSONATE%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_INFORMATION\\_CLASS%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_PRIVILEGES%' ESCAPE '\\' OR ScriptBlockText LIKE '%TOKEN\\_QUERY%' ESCAPE '\\' OR ScriptBlockText LIKE '%Metasploit%' ESCAPE '\\' OR ScriptBlockText LIKE '%Mimikatz%' ESCAPE '\\'))" ], "filename": "posh_ps_malicious_keywords.yml" }, { "title": "Import PowerShell Modules From Suspicious Directories", "id": "21f9162c-5f5d-4b01-89a8-b705bd7d10ab", "status": "experimental", "description": "Detects powershell scripts that import modules from suspicious directories", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Import-Module \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%Import-Module C:\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Temp\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo \"$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo ''$Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo $Env:Appdata\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%ipmo C:\\\\Users\\\\Public\\\\%' ESCAPE '\\'))" ], "filename": "posh_ps_import_module_susp_dirs.yml" }, { "title": "PowerShell Credential Prompt", "id": "ca8b77a9-d499-4095-b793-5d5f330d450e", "status": "test", "description": "Detects PowerShell calling a credential prompt", "author": "John Lambert (idea), Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%PromptForCredential%' ESCAPE '\\')" ], "filename": "posh_ps_prompt_credentials.yml" }, { "title": "Winlogon Helper DLL", "id": "851c506b-6b7c-4ce2-8802-c703009d03c0", "status": "experimental", "description": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\nRegistry entries in HKLM\\Software[Wow6432Node]Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ and HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ are\nused to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to\nload and execute malicious DLLs and/or executables.\n", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.persistence", "attack.t1547.004" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%CurrentVersion\\\\Winlogon%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Set-ItemProperty%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-Item%' ESCAPE '\\'))" ], "filename": "posh_ps_winlogon_helper_dll.yml" }, { "title": "Powershell Directory Enumeration", "id": "162e69a7-7981-4344-84a9-0f1c9a217a52", "status": "test", "description": "Detects technique used by MAZE ransomware to enumerate directories using Powershell", "author": "frack113", "tags": [ "attack.discovery", "attack.t1083" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%foreach%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ChildItem%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ErrorAction %' ESCAPE '\\' AND ScriptBlockText LIKE '%SilentlyContinue%' ESCAPE '\\' AND ScriptBlockText LIKE '%Out-File %' ESCAPE '\\' AND ScriptBlockText LIKE '%-append%' ESCAPE '\\')" ], "filename": "posh_ps_susp_directory_enum.yml" }, { "title": "Powershell File and Directory Discovery", "id": "d23f2ba5-9da0-4463-8908-8ee47f614bb9", "status": "test", "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.\nAdversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,\nincluding whether or not the adversary fully infects the target and/or attempts specific actions.\n", "author": "frack113", "tags": [ "attack.discovery", "attack.t1083" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%ls%' ESCAPE '\\' OR ScriptBlockText LIKE '%get-childitem%' ESCAPE '\\' OR ScriptBlockText LIKE '%gci%' ESCAPE '\\') AND ScriptBlockText LIKE '%-recurse%' ESCAPE '\\')" ], "filename": "posh_ps_file_and_directory_discovery.yml" }, { "title": "Active Directory Computers Enumeration with Get-AdComputer", "id": "36bed6b2-e9a0-4fff-beeb-413a92b86138", "status": "experimental", "description": "Detects usage of the \"Get-AdComputer\" to enumerate Computers within Active Directory.", "author": "frack113", "tags": [ "attack.discovery", "attack.t1018" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-AdComputer %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Filter%' ESCAPE '\\')" ], "filename": "posh_ps_get_adcomputer.yml" }, { "title": "Suspicious PowerShell WindowStyle Option", "id": "313fbb0a-a341-4682-848d-6d6f8c4fab7c", "status": "test", "description": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.\nIn some cases, windows that would typically be displayed when an application carries out an operation can be hidden\n", "author": "frack113, Tim Shelton (fp AWS)", "tags": [ "attack.defense_evasion", "attack.t1564.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%powershell%' ESCAPE '\\' AND ScriptBlockText LIKE '%WindowStyle%' ESCAPE '\\' AND ScriptBlockText LIKE '%Hidden%' ESCAPE '\\') AND NOT (ScriptBlockText LIKE '%:\\\\Program Files\\\\Amazon\\\\WorkSpacesConfig\\\\Scripts\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%$PSScriptRoot\\\\Module\\\\WorkspaceScriptModule\\\\WorkspaceScriptModule%' ESCAPE '\\'))" ], "filename": "posh_ps_susp_windowstyle.yml" }, { "title": "Malicious PowerView PowerShell Commandlets", "id": "dcd74b95-3f36-4ed9-9598-0490951643aa", "status": "test", "description": "Detects Commandlet names from PowerView of PowerSploit exploitation framework.", "author": "Bhabesh Raj", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Should not be any as administrators do not use this tool" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-ADName%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertFrom-UACValue%' ESCAPE '\\' OR ScriptBlockText LIKE '%Convert-NameToSid%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-SID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-PowerViewCSV%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainLocalGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainObjectPropertyOutlier%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-DomainUserLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ForeignUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOComputerAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-GPOLocation%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-InterestingFile%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-LocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Find-ManagedSecurityGroups%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-CachedRDPConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DFSshare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainController%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDFSShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSRecord%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainDNSZone%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainGroupMember%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainManagedSecurityGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainPolicy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSID%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-DomainUserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Forest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LastLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LoggedOnLocal%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetComputer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetDomain%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetFileServer%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetForest%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGPO%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLocalGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetLoggedon%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetOU%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetRDPSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSession%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetShare%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSite%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetSubnet%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-NetUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-ObjectAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-PathAcl%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-Proxy%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegistryMountedDrive%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-RegLoggedOn%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-SiteName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-UserEvent%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIProcess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-WMIReg%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-CheckLocalAdminAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EnumerateLocalAdmin%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-EventHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-FileFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Kerberoast%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-MapDomainTrust%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ProcessHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-RevertToSelf%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-ShareFinder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-UserImpersonation%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainGroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-DomainUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-RemoteConnection%' ESCAPE '\\' OR ScriptBlockText LIKE '%Request-SPNTicket%' ESCAPE '\\' OR ScriptBlockText LIKE '%Resolve-IPAddress%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-ADObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-DomainUserPassword%' ESCAPE '\\' OR ScriptBlockText LIKE '%Test-AdminAccess%' ESCAPE '\\'))" ], "filename": "posh_ps_powerview_malicious_commandlets.yml" }, { "title": "Powershell Create Scheduled Task", "id": "363eccc0-279a-4ccf-a3ab-24c2e63b11fb", "status": "test", "description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", "author": "frack113", "tags": [ "attack.persistence", "attack.t1053.005" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-ScheduledTaskAction%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskTrigger%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskPrincipal%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTaskSettingsSet%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-ScheduledTask%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-ScheduledTask%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Invoke-CimMethod%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName%' ESCAPE '\\' AND ScriptBlockText LIKE '%PS\\_ScheduledTask%' ESCAPE '\\' AND ScriptBlockText LIKE '%-NameSpace%' ESCAPE '\\' AND ScriptBlockText LIKE '%Root\\\\Microsoft\\\\Windows\\\\TaskScheduler%' ESCAPE '\\')))" ], "filename": "posh_ps_cmdlet_scheduled_task.yml" }, { "title": "Suspicious Get-ADReplAccount", "id": "060c3ef1-fd0a-4091-bf46-e7d625f60b73", "status": "test", "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1003.006" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADReplAccount%' ESCAPE '\\' AND ScriptBlockText LIKE '%-All %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Server %' ESCAPE '\\')" ], "filename": "posh_ps_get_adreplaccount.yml" }, { "title": "Powershell LocalAccount Manipulation", "id": "4fdc44df-bfe9-4fcc-b041-68f5a2d3031c", "status": "test", "description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", "author": "frack113", "tags": [ "attack.persistence", "attack.t1098" ], "falsepositives": [ "Legitimate administrative script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Disable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Rename-LocalUser%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-LocalUser%' ESCAPE '\\'))" ], "filename": "posh_ps_localuser.yml" }, { "title": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock", "id": "88f0884b-331d-403d-a3a1-b668cf035603", "status": "test", "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", "author": "frack113", "tags": [ "attack.discovery", "attack.t1069.001" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR (ScriptBlockText LIKE '%get-aduser%' ESCAPE '\\' AND ScriptBlockText LIKE '%-f %' ESCAPE '\\' AND ScriptBlockText LIKE '%-pr %' ESCAPE '\\' AND ScriptBlockText LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\')))" ], "filename": "posh_ps_susp_ad_group_reco.yml" }, { "title": "DirectorySearcher Powershell Exploitation", "id": "1f6399cf-2c80-4924-ace1-6fcff3393480", "status": "test", "description": "Enumerates Active Directory to determine computers that are joined to the domain", "author": "frack113", "tags": [ "attack.discovery", "attack.t1018" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object %' ESCAPE '\\' AND ScriptBlockText LIKE '%System.DirectoryServices.DirectorySearcher%' ESCAPE '\\' AND ScriptBlockText LIKE '%.PropertiesToLoad.Add%' ESCAPE '\\' AND ScriptBlockText LIKE '%.findall()%' ESCAPE '\\' AND ScriptBlockText LIKE '%Properties.name%' ESCAPE '\\')" ], "filename": "posh_ps_directorysearcher.yml" }, { "title": "Service Registry Permissions Weakness Check", "id": "95afc12e-3cbb-40c3-9340-84a032e596a3", "status": "test", "description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", "author": "frack113", "tags": [ "attack.persistence", "attack.t1574.011" ], "falsepositives": [ "Legitimate administrative script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-acl%' ESCAPE '\\' AND ScriptBlockText LIKE '%REGISTRY::HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\%' ESCAPE '\\')" ], "filename": "posh_ps_get_acl_service.yml" }, { "title": "Use Remove-Item to Delete File", "id": "b8af5f36-1361-4ebe-9e76-e36128d947bf", "status": "test", "description": "Powershell Remove-Item with -Path to delete a file or a folder with \"-Recurse\"", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1070.004" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Remove-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Path %' ESCAPE '\\') AND NOT ((ScriptBlockText LIKE '%HKCU:\\\\%' ESCAPE '\\' OR ScriptBlockText LIKE '%HKLM:\\\\%' ESCAPE '\\')))" ], "filename": "posh_ps_remove_item_path.yml" }, { "title": "Suspicious GetTypeFromCLSID ShellExecute", "id": "8bc063d5-3a3a-4f01-a140-bc15e55e8437", "status": "experimental", "description": "Detects suspicious Powershell code that execute COM Objects", "author": "frack113", "tags": [ "attack.privilege_escalation", "attack.persistence", "attack.t1546.015" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%::GetTypeFromCLSID(%' ESCAPE '\\' AND ScriptBlockText LIKE '%.ShellExecute(%' ESCAPE '\\')" ], "filename": "posh_ps_susp_gettypefromclsid.yml" }, { "title": "Root Certificate Installed - PowerShell", "id": "42821614-9264-4761-acfc-5772c3286f76", "status": "experimental", "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", "author": "oscd.community, @redcanary, Zach Stanford @svch0st", "tags": [ "attack.defense_evasion", "attack.t1553.004" ], "falsepositives": [ "Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%Move-Item%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Import-Certificate%' ESCAPE '\\' AND ScriptBlockText LIKE '%Cert:\\\\LocalMachine\\\\Root%' ESCAPE '\\')))" ], "filename": "posh_ps_root_certificate_installed.yml" }, { "title": "Modify Group Policy Settings - ScriptBlockLogging", "id": "b7216a7d-687e-4c8d-82b1-3080b2ad961f", "status": "experimental", "description": "Detect malicious GPO modifications can be used to implement many other malicious behaviors.", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1484.001" ], "falsepositives": [ "Legitimate use" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System%' ESCAPE '\\' AND (ScriptBlockText LIKE '%GroupPolicyRefreshTimeDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffsetDC%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTime%' ESCAPE '\\' OR ScriptBlockText LIKE '%GroupPolicyRefreshTimeOffset%' ESCAPE '\\' OR ScriptBlockText LIKE '%EnableSmartScreen%' ESCAPE '\\' OR ScriptBlockText LIKE '%ShellSmartScreenLevel%' ESCAPE '\\'))" ], "filename": "posh_ps_modify_group_policy_settings.yml" }, { "title": "Enable Windows Remote Management", "id": "991a9744-f2f0-44f2-bd33-9092eba17dc3", "status": "test", "description": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.", "author": "frack113", "tags": [ "attack.lateral_movement", "attack.t1021.006" ], "falsepositives": [ "Legitimate script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Enable-PSRemoting %' ESCAPE '\\')" ], "filename": "posh_ps_enable_psremoting.yml" }, { "title": "PowerShell ICMP Exfiltration", "id": "4c4af3cd-2115-479c-8193-6b8bfce9001c", "status": "test", "description": "Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.", "author": "Bartlomiej Czyz @bczyz1, oscd.community", "tags": [ "attack.exfiltration", "attack.t1048.003" ], "falsepositives": [ "Legitimate usage of System.Net.NetworkInformation.Ping class" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.NetworkInformation.Ping%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Send(%' ESCAPE '\\')" ], "filename": "posh_ps_icmp_exfiltration.yml" }, { "title": "AADInternals PowerShell Cmdlets Execution - PsScript", "id": "91e69562-2426-42ce-a647-711b8152ced6", "status": "experimental", "description": "Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.", "author": "Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.reconnaissance", "attack.discovery", "attack.credential_access", "attack.impact" ], "falsepositives": [ "Legitimate use of the library for administrative activity" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Add-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%ConvertTo-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Disable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Enable-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Export-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Grant-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Install-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Join-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%New-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Open-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Read-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Register-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Remove-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Restore-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Search-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Send-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-AADInt%' ESCAPE '\\' OR ScriptBlockText LIKE '%Update-AADInt%' ESCAPE '\\'))" ], "filename": "posh_ps_aadinternals_cmdlets_execution.yml" }, { "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell", "id": "1b9dc62e-6e9e-42a3-8990-94d7a10007f7", "status": "experimental", "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \\u2014", "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR ScriptBlockText REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR ScriptBlockText REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR ScriptBlockText REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR ScriptBlockText REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR ScriptBlockText REGEXP '\\$VerbosePreference\\.ToString\\('))" ], "filename": "posh_ps_invoke_obfuscation_obfuscated_iex.yml" }, { "title": "Powershell MsXml COM Object", "id": "78aa1347-1517-4454-9982-b338d6df8343", "status": "experimental", "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", "author": "frack113, MatilJ", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Legitimate administrative script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%MsXml2.%' ESCAPE '\\' AND ScriptBlockText LIKE '%XmlHttp%' ESCAPE '\\')" ], "filename": "posh_ps_msxml_com.yml" }, { "title": "Powershell WMI Persistence", "id": "9e07f6e7-83aa-45c6-998e-0af26efd0a85", "status": "test", "description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", "author": "frack113", "tags": [ "attack.privilege_escalation", "attack.t1546.003" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName \\_\\_EventFilter %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\') OR (ScriptBlockText LIKE '%New-CimInstance %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Namespace root/subscription %' ESCAPE '\\' AND ScriptBlockText LIKE '%-ClassName CommandLineEventConsumer %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Property %' ESCAPE '\\')))" ], "filename": "posh_ps_wmi_persistence.yml" }, { "title": "Disable-WindowsOptionalFeature Command PowerShell", "id": "99c4658d-2c5e-4d87-828d-7c066ca537c3", "status": "experimental", "description": "Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool.\nSimilar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images\n", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Disable-WindowsOptionalFeature%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Online%' ESCAPE '\\' AND ScriptBlockText LIKE '%-FeatureName%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Windows-Defender-Gui%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-Features%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender%' ESCAPE '\\' OR ScriptBlockText LIKE '%Windows-Defender-ApplicationGuard%' ESCAPE '\\'))" ], "filename": "posh_ps_disable_windows_optional_feature.yml" }, { "title": "PowerShell Remote Session Creation", "id": "a0edd39f-a0c6-4c17-8141-261f958e8d8f", "status": "experimental", "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\n", "author": "frack113", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Legitimate administrative script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-PSSession%' ESCAPE '\\' AND ScriptBlockText LIKE '%-ComputerName %' ESCAPE '\\')" ], "filename": "posh_ps_remote_session_creation.yml" }, { "title": "Powershell Token Obfuscation - Powershell", "id": "f3a98ce4-6164-4dd4-867c-4d83de7eca51", "status": "experimental", "description": "Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1027.009" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText REGEXP '\\w+`(\\w+|-|.)`[\\w+|\\s]' OR ScriptBlockText REGEXP '\"(\\{\\d\\}){2,}\"\\s*-f' OR ScriptBlockText REGEXP '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}') AND NOT (((ScriptBlockText LIKE '%it will return true or false instead%' ESCAPE '\\' OR ScriptBlockText LIKE '%The function also prevents `Get-ItemProperty` from failing%' ESCAPE '\\')) OR (Path LIKE 'C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\%' ESCAPE '\\' AND Path LIKE '%\\\\bin\\\\servicecontrol.ps1' ESCAPE '\\' AND ScriptBlockText LIKE '%`r`n%' ESCAPE '\\')))" ], "filename": "posh_ps_token_obfuscation.yml" }, { "title": "Change User Agents with WebRequest", "id": "d4488827-73af-4f8d-9244-7b7662ef046e", "status": "experimental", "description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n", "author": "frack113", "tags": [ "attack.command_and_control", "attack.t1071.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Invoke-WebRequest%' ESCAPE '\\' AND ScriptBlockText LIKE '%-UserAgent %' ESCAPE '\\')" ], "filename": "posh_ps_susp_invoke_webrequest_useragent.yml" }, { "title": "Disable Powershell Command History", "id": "602f5669-6927-4688-84db-0d4b7afb2150", "status": "experimental", "description": "Detects scripts or commands that disabled the Powershell command history by removing psreadline module", "author": "Ali Alwashali", "tags": [ "attack.defense_evasion", "attack.t1070.003" ], "falsepositives": [ "Legitimate script that disables the command history" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-Module%' ESCAPE '\\' AND ScriptBlockText LIKE '%psreadline%' ESCAPE '\\')" ], "filename": "posh_ps_disable_psreadline_command_history.yml" }, { "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS", "id": "953945c5-22fe-4a92-9f8a-a9edc1e522da", "status": "experimental", "description": "Detects usage of the \"Set-Service\" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as \"sc.exe\", \"Get-Service\"...etc. (Works only in powershell 7)", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation", "attack.t1574.011" ], "falsepositives": [ "Rare intended use of hidden services", "Rare FP could occur due to the non linearity of the ScriptBlockText log" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Service %' ESCAPE '\\' AND ScriptBlockText LIKE '%DCLCWPDTSD%' ESCAPE '\\' AND (ScriptBlockText LIKE '%-SecurityDescriptorSddl %' ESCAPE '\\' OR ScriptBlockText LIKE '%-sd %' ESCAPE '\\'))" ], "filename": "posh_ps_using_set_service_to_hide_services.yml" }, { "title": "Suspicious PowerShell Invocations - Generic", "id": "ed965133-513f-41d9-a441-e38076a0798f", "status": "test", "description": "Detects suspicious PowerShell invocation command parameters", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Very special / sneaky PowerShell scripts" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '% -enc %' ESCAPE '\\' OR ScriptBlockText LIKE '% -EncodedCommand %' ESCAPE '\\' OR ScriptBlockText LIKE '% -ec %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -w hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -window hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ScriptBlockText LIKE '% -w 1 %' ESCAPE '\\') AND (ScriptBlockText LIKE '% -noni %' ESCAPE '\\' OR ScriptBlockText LIKE '% -noninteractive %' ESCAPE '\\'))" ], "filename": "posh_ps_susp_invocation_generic.yml" }, { "title": "Suspicious Start-Process PassThru", "id": "0718cd72-f316-4aa2-988f-838ea8533277", "status": "test", "description": "Powershell use PassThru option to start in background", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1036.003" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' AND ScriptBlockText LIKE '%-PassThru %' ESCAPE '\\' AND ScriptBlockText LIKE '%-FilePath %' ESCAPE '\\')" ], "filename": "posh_ps_susp_start_process.yml" }, { "title": "Data Compressed - PowerShell", "id": "6dc5d284-69ea-42cf-9311-fb1c3932a69a", "status": "test", "description": "An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.exfiltration", "attack.t1560" ], "falsepositives": [ "Highly likely if archive operations are done via PowerShell." ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%-Recurse%' ESCAPE '\\' AND ScriptBlockText LIKE '%|%' ESCAPE '\\' AND ScriptBlockText LIKE '%Compress-Archive%' ESCAPE '\\')" ], "filename": "posh_ps_data_compressed.yml" }, { "title": "Security Software Discovery by Powershell", "id": "904e8e61-8edf-4350-b59c-b905fc8e810c", "status": "test", "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.\nThis may include things such as firewall rules and anti-viru\n", "author": "frack113", "tags": [ "attack.discovery", "attack.t1518.001" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-process%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Description%' ESCAPE '\\' AND ScriptBlockText LIKE '%-like%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\"%virus%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%carbonblack%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%defender%\"%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"%cylance%\"%' ESCAPE '\\'))" ], "filename": "posh_ps_security_software_discovery.yml" }, { "title": "Suspicious Process Discovery With Get-Process", "id": "af4c87ce-bdda-4215-b998-15220772e993", "status": "test", "description": "Get the processes that are running on the local computer.", "author": "frack113", "tags": [ "attack.discovery", "attack.t1057" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-Process%' ESCAPE '\\')" ], "filename": "posh_ps_susp_get_process.yml" }, { "title": "Powershell Trigger Profiles by Add_Content", "id": "05b3e303-faf0-4f4a-9b30-46cc13e69152", "status": "test", "description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", "author": "frack113", "tags": [ "attack.privilege_escalation", "attack.t1546.013" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\' AND ScriptBlockText LIKE '%$profile%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Value%' ESCAPE '\\' AND (ScriptBlockText LIKE '%Start-Process%' ESCAPE '\\' OR ScriptBlockText LIKE '%\"\"%' ESCAPE '\\'))" ], "filename": "posh_ps_trigger_profiles.yml" }, { "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell", "id": "db885529-903f-4c5d-9864-28fe199e6370", "status": "experimental", "description": "Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.discovery", "attack.t1033" ], "falsepositives": [ "Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Get-ADComputer %' ESCAPE '\\' AND ScriptBlockText LIKE '% -Filter \\*' ESCAPE '\\' AND (ScriptBlockText LIKE '% | Select %' ESCAPE '\\' OR ScriptBlockText LIKE '%Out-File%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-Content%' ESCAPE '\\' OR ScriptBlockText LIKE '%Add-Content%' ESCAPE '\\'))" ], "filename": "posh_ps_computer_discovery_get_adcomputer.yml" }, { "title": "Potential COM Objects Download Cradles Usage - PS Script", "id": "3c7d1587-3b13-439f-9941-7d14313dbdfe", "status": "experimental", "description": "Detects usage of COM objects that can be abused to download files in PowerShell by CLSID", "author": "frack113", "falsepositives": [ "Legitimate use of the library" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Type]::GetTypeFromCLSID(%' ESCAPE '\\' AND (ScriptBlockText LIKE '%0002DF01-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%F6D90F16-9C73-11D3-B32E-00C04F990BB4%' ESCAPE '\\' OR ScriptBlockText LIKE '%F5078F35-C551-11D3-89B9-0000F81FE221%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0a-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFBA6B42-5692-48EA-8141-DC517DCF0EF1%' ESCAPE '\\' OR ScriptBlockText LIKE '%AFB40FFD-B609-40A3-9828-F88BBE11E4E3%' ESCAPE '\\' OR ScriptBlockText LIKE '%88d96a0b-f192-11d4-a65f-0040963251e5%' ESCAPE '\\' OR ScriptBlockText LIKE '%2087c2f4-2cef-4953-a8ab-66779b670495%' ESCAPE '\\' OR ScriptBlockText LIKE '%000209FF-0000-0000-C000-000000000046%' ESCAPE '\\' OR ScriptBlockText LIKE '%00024500-0000-0000-C000-000000000046%' ESCAPE '\\'))" ], "filename": "posh_ps_download_com_cradles.yml" }, { "title": "Powershell Exfiltration Over SMTP", "id": "9a7afa56-4762-43eb-807d-c3dc9ffe211b", "status": "experimental", "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", "author": "frack113", "tags": [ "attack.exfiltration", "attack.t1048.003" ], "falsepositives": [ "Legitimate script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ScriptBlockText LIKE '%Send-MailMessage%' ESCAPE '\\' AND NOT (ScriptBlockText LIKE '%CmdletsToExport%' ESCAPE '\\'))" ], "filename": "posh_ps_send_mailmessage.yml" }, { "title": "Powershell XML Execute Command", "id": "6c6c6282-7671-4fe9-a0ce-a2dcebdc342b", "status": "experimental", "description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", "author": "frack113", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Legitimate administrative script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%New-Object%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Xml.XmlDocument%' ESCAPE '\\' AND ScriptBlockText LIKE '%.Load%' ESCAPE '\\' AND (ScriptBlockText LIKE '%IEX %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Expression %' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Command %' ESCAPE '\\' OR ScriptBlockText LIKE '%ICM -%' ESCAPE '\\'))" ], "filename": "posh_ps_xml_iex.yml" }, { "title": "Extracting Information with PowerShell", "id": "bd5971a7-626d-46ab-8176-ed643f694f68", "status": "test", "description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", "author": "frack113", "tags": [ "attack.credential_access", "attack.t1552.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%ls%' ESCAPE '\\' AND ScriptBlockText LIKE '% -R%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-string %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Pattern %' ESCAPE '\\')" ], "filename": "posh_ps_susp_extracting.yml" }, { "title": "Suspicious PowerShell Get Current User", "id": "4096a49c-7de4-4da0-a230-c66ccd56ea5a", "status": "experimental", "description": "Detects the use of PowerShell to identify the current logged user.", "author": "frack113", "tags": [ "attack.discovery", "attack.t1033" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%[System.Environment]::UserName%' ESCAPE '\\' OR ScriptBlockText LIKE '%$env:UserName%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Security.Principal.WindowsIdentity]::GetCurrent()%' ESCAPE '\\'))" ], "filename": "posh_ps_susp_get_current_user.yml" }, { "title": "Potential Persistence Via Security Descriptors - ScriptBlock", "id": "2f77047c-e6e9-4c11-b088-a3de399524cd", "status": "experimental", "description": "Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.persistence", "attack.defense_evasion", "attack.privilege_escalation" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%win32\\_Trustee%' ESCAPE '\\' AND ScriptBlockText LIKE '%win32\\_Ace%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AccessMask%' ESCAPE '\\' AND ScriptBlockText LIKE '%.AceType%' ESCAPE '\\' AND ScriptBlockText LIKE '%.SetSecurityDescriptor%' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Lsa\\\\JD%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Skew1%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\Data%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Lsa\\\\GBG%' ESCAPE '\\'))" ], "filename": "posh_ps_susp_ace_tampering.yml" }, { "title": "Suspicious Get Local Groups Information - PowerShell", "id": "fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb", "status": "experimental", "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", "author": "frack113", "tags": [ "attack.discovery", "attack.t1069.001" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ScriptBlockText LIKE '%get-localgroup%' ESCAPE '\\' OR ScriptBlockText LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (ScriptBlockText LIKE '%Get-WMIObject%' ESCAPE '\\' AND ScriptBlockText LIKE '%Win32\\_Group%' ESCAPE '\\')))" ], "filename": "posh_ps_susp_local_group_reco.yml" }, { "title": "Potential In-Memory Execution Using Reflection.Assembly", "id": "ddcd88cb-7f62-4ce5-86f9-1704190feb0a", "status": "experimental", "description": "Detects usage of \"Reflection.Assembly\" load functions to dynamically load assemblies in memory", "author": "frack113", "falsepositives": [ "Legitimate use of the library" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[Reflection.Assembly]::load%' ESCAPE '\\')" ], "filename": "posh_ps_dotnet_assembly_from_file.yml" }, { "title": "Suspicious Get Information for SMB Share", "id": "95f0643a-ed40-467c-806b-aac9542ec5ab", "status": "test", "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as\na precursor for Collection and to identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", "author": "frack113", "tags": [ "attack.discovery", "attack.t1069.001" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-smbshare%' ESCAPE '\\')" ], "filename": "posh_ps_susp_smb_share_reco.yml" }, { "title": "Remove Account From Domain Admin Group", "id": "48a45d45-8112-416b-8a67-46e03a4b2107", "status": "test", "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n", "author": "frack113", "tags": [ "attack.impact", "attack.t1531" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Remove-ADGroupMember%' ESCAPE '\\' AND ScriptBlockText LIKE '%-Identity %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Members %' ESCAPE '\\')" ], "filename": "posh_ps_susp_remove_adgroupmember.yml" }, { "title": "Powershell Keylogging", "id": "34f90d3c-c297-49e9-b26d-911b05a4866c", "status": "experimental", "description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", "author": "frack113", "tags": [ "attack.collection", "attack.t1056.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ScriptBlockText LIKE '%Get-Keystrokes%' ESCAPE '\\' OR (ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetAsyncKeyState%' ESCAPE '\\' AND ScriptBlockText LIKE '%Get-ProcAddress user32.dll GetForegroundWindow%' ESCAPE '\\')))" ], "filename": "posh_ps_keylogging.yml" }, { "title": "Suspicious Hyper-V Cmdlets", "id": "42d36aa1-3240-4db0-8257-e0118dcdd9cd", "status": "experimental", "description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1564.006" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%New-VM%' ESCAPE '\\' OR ScriptBlockText LIKE '%Set-VMFirmware%' ESCAPE '\\' OR ScriptBlockText LIKE '%Start-VM%' ESCAPE '\\'))" ], "filename": "posh_ps_susp_hyper_v_condlet.yml" }, { "title": "Powershell Install a DLL in System Directory", "id": "63bf8794-9917-45bc-88dd-e1b5abc0ecfd", "status": "experimental", "description": "Uses PowerShell to install/copy a a file into a system directory such as \"System32\" or \"SysWOW64\"", "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.credential_access", "attack.t1556.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Copy-Item %' ESCAPE '\\' AND ScriptBlockText LIKE '%-Destination %' ESCAPE '\\' AND (ScriptBlockText LIKE '%\\\\Windows\\\\System32%' ESCAPE '\\' OR ScriptBlockText LIKE '%\\\\Windows\\\\SysWOW64%' ESCAPE '\\'))" ], "filename": "posh_ps_copy_item_system_directory.yml" }, { "title": "Powershell Detect Virtualization Environment", "id": "d93129cd-1ee0-479f-bc03-ca6f129882e3", "status": "test", "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.\nThis may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox\n", "author": "frack113, Duc.Le-GTSC", "tags": [ "attack.defense_evasion", "attack.t1497.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Get-WmiObject%' ESCAPE '\\' OR ScriptBlockText LIKE '%gwmi%' ESCAPE '\\') AND (ScriptBlockText LIKE '%MSAcpi\\_ThermalZoneTemperature%' ESCAPE '\\' OR ScriptBlockText LIKE '%Win32\\_ComputerSystem%' ESCAPE '\\'))" ], "filename": "posh_ps_detect_vm_env.yml" }, { "title": "Suspicious TCP Tunnel Via PowerShell Script", "id": "bd33d2aa-497e-4651-9893-5c5364646595", "status": "experimental", "description": "Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.command_and_control", "attack.t1090" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%[System.Net.HttpWebRequest]%' ESCAPE '\\' AND ScriptBlockText LIKE '%System.Net.Sockets.TcpListener%' ESCAPE '\\' AND ScriptBlockText LIKE '%AcceptTcpClient%' ESCAPE '\\')" ], "filename": "posh_ps_susp_proxy_scripts.yml" }, { "title": "Malicious ShellIntel PowerShell Commandlets", "id": "402e1e1d-ad59-47b6-bf80-1ee44985b3a7", "status": "test", "description": "Detects Commandlet names from ShellIntel exploitation scripts.", "author": "Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%Invoke-SMBAutoBrute%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-GPOLinks%' ESCAPE '\\' OR ScriptBlockText LIKE '%Invoke-Potato%' ESCAPE '\\'))" ], "filename": "posh_ps_shellintel_malicious_commandlets.yml" }, { "title": "Suspicious PowerShell Mailbox SMTP Forward Rule", "id": "15b7abbb-8b40-4d01-9ee2-b51994b1d474", "status": "experimental", "description": "Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.exfiltration" ], "falsepositives": [ "Legitimate usage of the cmdlet to forward emails" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%Set-Mailbox %' ESCAPE '\\' AND ScriptBlockText LIKE '% -DeliverToMailboxAndForward %' ESCAPE '\\' AND ScriptBlockText LIKE '% -ForwardingSmtpAddress %' ESCAPE '\\')" ], "filename": "posh_ps_exchange_mailbox_smpt_forwarding_rule.yml" }, { "title": "Registry-Free Process Scope COR_PROFILER", "id": "23590215-4702-4a70-8805-8dc9e58314a2", "status": "test", "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013)\n", "author": "frack113", "tags": [ "attack.persistence", "attack.t1574.012" ], "falsepositives": [ "Legitimate administrative script" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%$env:COR\\_ENABLE\\_PROFILING%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER%' ESCAPE '\\' AND ScriptBlockText LIKE '%$env:COR\\_PROFILER\\_PATH%' ESCAPE '\\')" ], "filename": "posh_ps_cor_profiler.yml" }, { "title": "Potential Suspicious PowerShell Keywords", "id": "1f49f2ab-26bc-48b3-96cc-dcffbc93eadf", "status": "test", "description": "Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework", "author": "Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ScriptBlockText LIKE '%System.Reflection.Assembly.Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[System.Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%[Reflection.Assembly]::Load($%' ESCAPE '\\' OR ScriptBlockText LIKE '%System.Reflection.AssemblyName%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.AssemblyBuilderAccess%' ESCAPE '\\' OR ScriptBlockText LIKE '%Reflection.Emit.CustomAttributeBuilder%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.UnmanagedType%' ESCAPE '\\' OR ScriptBlockText LIKE '%Runtime.InteropServices.DllImportAttribute%' ESCAPE '\\' OR ScriptBlockText LIKE '%SuspendThread%' ESCAPE '\\' OR ScriptBlockText LIKE '%rundll32%' ESCAPE '\\'))" ], "filename": "posh_ps_susp_keywords.yml" }, { "title": "Detected Windows Software Discovery - PowerShell", "id": "2650dd1a-eb2a-412d-ac36-83f06c4f2282", "status": "experimental", "description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.discovery", "attack.t1518" ], "falsepositives": [ "Legitimate administration activities" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4104' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ScriptBlockText LIKE '%get-itemProperty%' ESCAPE '\\' AND ScriptBlockText LIKE '%\\\\software\\\\%' ESCAPE '\\' AND ScriptBlockText LIKE '%select-object%' ESCAPE '\\' AND ScriptBlockText LIKE '%format-table%' ESCAPE '\\')" ], "filename": "posh_ps_software_discovery.yml" }, { "title": "Suspicious PowerShell Download - PoshModule", "id": "de41232e-12e8-49fa-86bc-c05c7e722df9", "status": "experimental", "description": "Detects suspicious PowerShell download command", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "PowerShell scripts that download content from the Internet" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%System.Net.WebClient%' ESCAPE '\\' AND (ContextInfo LIKE '%.DownloadFile(%' ESCAPE '\\' OR ContextInfo LIKE '%.DownloadString(%' ESCAPE '\\'))" ], "filename": "posh_pm_susp_download.yml" }, { "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module", "id": "88a22f69-62f9-4b8a-aa00-6b0212f2f05a", "status": "experimental", "description": "Detects Obfuscated Powershell via use Rundll32 in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%rundll32%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND (Payload LIKE '%value%' ESCAPE '\\' OR Payload LIKE '%invoke%' ESCAPE '\\' OR Payload LIKE '%comspec%' ESCAPE '\\' OR Payload LIKE '%iex%' ESCAPE '\\'))" ], "filename": "posh_pm_invoke_obfuscation_via_use_rundll32.yml" }, { "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module", "id": "8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090", "status": "experimental", "description": "Detects suspicious PowerShell invocation command parameters", "author": "Florian Roth (Nextron Systems), Jonhnathan Ribeiro", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%[Convert]::FromBase64String%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-noni%' ESCAPE '\\' AND ContextInfo LIKE '%-nop%' ESCAPE '\\' AND ContextInfo LIKE '% -c %' ESCAPE '\\' AND ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\') OR (ContextInfo LIKE '% -w %' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%-ep%' ESCAPE '\\' AND ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-Enc%' ESCAPE '\\') OR (ContextInfo LIKE '%powershell%' ESCAPE '\\' AND ContextInfo LIKE '%reg%' ESCAPE '\\' AND ContextInfo LIKE '%add%' ESCAPE '\\' AND ContextInfo LIKE '%HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run%' ESCAPE '\\') OR (ContextInfo LIKE '%bypass%' ESCAPE '\\' AND ContextInfo LIKE '%-noprofile%' ESCAPE '\\' AND ContextInfo LIKE '%-windowstyle%' ESCAPE '\\' AND ContextInfo LIKE '%hidden%' ESCAPE '\\' AND ContextInfo LIKE '%new-object%' ESCAPE '\\' AND ContextInfo LIKE '%system.net.webclient%' ESCAPE '\\' AND ContextInfo LIKE '%.download%' ESCAPE '\\') OR (ContextInfo LIKE '%iex%' ESCAPE '\\' AND ContextInfo LIKE '%New-Object%' ESCAPE '\\' AND ContextInfo LIKE '%Net.WebClient%' ESCAPE '\\' AND ContextInfo LIKE '%.Download%' ESCAPE '\\')) AND NOT (((ContextInfo LIKE '%(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Write-ChocolateyWarning%' ESCAPE '\\'))))" ], "filename": "posh_pm_susp_invocation_specific.yml" }, { "title": "Alternate PowerShell Hosts - PowerShell Module", "id": "64e8e417-c19a-475a-8d19-98ea705394cc", "status": "test", "description": "Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe", "author": "Roberto Rodriguez @Cyb3rWard0g", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Programs using PowerShell directly without invocation of a dedicated interpreter", "MSP Detection Searcher", "Citrix ConfigSync.ps1" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ContextInfo LIKE '%' ESCAPE '\\' AND NOT (((ContextInfo LIKE '%= powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/System32/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\' OR ContextInfo LIKE '%= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell%' ESCAPE '\\')) OR (ContextInfo LIKE '%= C:\\\\WINDOWS\\\\System32\\\\sdiagnhost.exe -Embedding%' ESCAPE '\\') OR (ContextInfo LIKE '%ConfigSyncRun.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\dsac.exe%' ESCAPE '\\') OR (ContextInfo LIKE '%C:\\\\Windows\\\\system32\\\\wsmprovhost.exe -Embedding%' ESCAPE '\\') OR ((Payload LIKE '%Update-Help%' ESCAPE '\\' OR Payload LIKE '%Failed to update Help for the module%' ESCAPE '\\'))))" ], "filename": "posh_pm_alternate_powershell_hosts.yml" }, { "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module", "id": "fe5ce7eb-dad8-467c-84a9-31ec23bd644a", "status": "experimental", "description": "Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.", "author": "Ensar Şamil, @sblmsrsn, OSCD Community", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "App-V clients" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%SyncAppvPublishingServer.exe%' ESCAPE '\\')" ], "filename": "posh_pm_syncappvpublishingserver_exe.yml" }, { "title": "Remote PowerShell Session (PS Module)", "id": "96b9f619-aa91-478f-bacb-c3e50f8df575", "status": "test", "description": "Detects remote PowerShell sessions", "author": "Roberto Rodriguez @Cyb3rWard0g, Tim Shelton", "tags": [ "attack.execution", "attack.t1059.001", "attack.lateral_movement", "attack.t1021.006" ], "falsepositives": [ "Legitimate use remote PowerShell sessions" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (ContextInfo LIKE '% = ServerRemoteHost %' ESCAPE '\\' AND ContextInfo LIKE '%wsmprovhost.exe%' ESCAPE '\\') AND NOT ((ContextInfo LIKE '%\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Archive\\\\Microsoft.PowerShell.Archive.psm1%' ESCAPE '\\')))" ], "filename": "posh_pm_remote_powershell_session.yml" }, { "title": "PowerShell Decompress Commands", "id": "1ddc1472-8e52-4f7d-9f11-eab14fc171f5", "status": "test", "description": "A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.defense_evasion", "attack.t1140" ], "falsepositives": [ "Unknown" ], "level": "informational", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Expand-Archive%' ESCAPE '\\')" ], "filename": "posh_pm_decompress_commands.yml" }, { "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module", "id": "a23791fe-8846-485a-b16b-ca691e1b03d4", "status": "experimental", "description": "Detects Obfuscated Powershell via RUNDLL LAUNCHER", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%rundll32.exe%' ESCAPE '\\' AND Payload LIKE '%shell32.dll%' ESCAPE '\\' AND Payload LIKE '%shellexec\\_rundll%' ESCAPE '\\' AND Payload LIKE '%powershell%' ESCAPE '\\')" ], "filename": "posh_pm_invoke_obfuscation_via_rundll.yml" }, { "title": "Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module", "id": "38a7625e-b2cb-485d-b83d-aff137d859f4", "status": "experimental", "description": "RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1218" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Invoke-ATHRemoteFXvGPUDisablementCommand %' ESCAPE '\\' AND (ContextInfo LIKE '%-ModuleName %' ESCAPE '\\' OR ContextInfo LIKE '%-ModulePath %' ESCAPE '\\' OR ContextInfo LIKE '%-ScriptBlock %' ESCAPE '\\' OR ContextInfo LIKE '%-RemoteFXvGPUDisablementFilePath%' ESCAPE '\\'))" ], "filename": "posh_pm_susp_athremotefxvgpudisablementcommand.yml" }, { "title": "Use Get-NetTCPConnection - PowerShell Module", "id": "aff815cc-e400-4bf0-a47a-5d8a2407d4e1", "status": "experimental", "description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "author": "frack113", "tags": [ "attack.discovery", "attack.t1049" ], "falsepositives": [ "Unknown" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Get-NetTCPConnection%' ESCAPE '\\')" ], "filename": "posh_pm_susp_get_nettcpconnection.yml" }, { "title": "Suspicious Get Information for SMB Share - PowerShell Module", "id": "6942bd25-5970-40ab-af49-944247103358", "status": "experimental", "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network.\n", "author": "frack113", "tags": [ "attack.discovery", "attack.t1069.001" ], "falsepositives": [ "Administrator script" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload LIKE '%get-smbshare%' ESCAPE '\\' OR ContextInfo LIKE '%get-smbshare%' ESCAPE '\\'))" ], "filename": "posh_pm_susp_smb_share_reco.yml" }, { "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module", "id": "07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb", "status": "experimental", "description": "Detects Obfuscated Powershell via use MSHTA in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%set%' ESCAPE '\\' AND Payload LIKE '%&&%' ESCAPE '\\' AND Payload LIKE '%mshta%' ESCAPE '\\' AND Payload LIKE '%vbscript:createobject%' ESCAPE '\\' AND Payload LIKE '%.run%' ESCAPE '\\' AND Payload LIKE '%(window.close)%' ESCAPE '\\')" ], "filename": "posh_pm_invoke_obfuscation_via_use_mhsta.yml" }, { "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module", "id": "ebdf49d8-b89c-46c9-8fdf-2c308406f6bd", "status": "experimental", "description": "Detects Obfuscated Powershell via use Clip.exe in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*')" ], "filename": "posh_pm_invoke_obfuscation_via_use_clip.yml" }, { "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module", "id": "bbb80e91-5746-4fbe-8898-122e2cafdbf4", "status": "experimental", "description": "Detects suspicious PowerShell invocation command parameters", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Very special / sneaky PowerShell scripts" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (ContextInfo LIKE '% -enc %' ESCAPE '\\' OR ContextInfo LIKE '% -EncodedCommand %' ESCAPE '\\' OR ContextInfo LIKE '% -ec %' ESCAPE '\\') AND (ContextInfo LIKE '% -w hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -window hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -windowstyle hidden %' ESCAPE '\\' OR ContextInfo LIKE '% -w 1 %' ESCAPE '\\') AND (ContextInfo LIKE '% -noni %' ESCAPE '\\' OR ContextInfo LIKE '% -noninteractive %' ESCAPE '\\'))" ], "filename": "posh_pm_susp_invocation_generic.yml" }, { "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module", "id": "9ac8b09b-45de-4a07-9da1-0de8c09304a3", "status": "experimental", "description": "Detects Obfuscated use of stdin to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\\$\\{?input\\}?|noexit).+\"')" ], "filename": "posh_pm_invoke_obfuscation_stdin.yml" }, { "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module", "id": "2f211361-7dce-442d-b78a-c04039677378", "status": "experimental", "description": "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below", "author": "Daniel Bohannon (@Mandiant/@FireEye), oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload REGEXP '\\$PSHome\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$PSHome\\[' OR Payload REGEXP '\\$ShellId\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$ShellId\\[' OR Payload REGEXP '\\$env:Public\\[\\s*\\d{1,3}\\s*\\]\\s*\\+\\s*\\$env:Public\\[' OR Payload REGEXP '\\$env:ComSpec\\[(\\s*\\d{1,3}\\s*,){2}' OR Payload REGEXP '\\*mdr\\*\\W\\s*\\)\\.Name' OR Payload REGEXP '\\$VerbosePreference\\.ToString\\(' OR Payload REGEXP '\\[String\\]\\s*\\$VerbosePreference'))" ], "filename": "posh_pm_invoke_obfuscation_obfuscated_iex.yml" }, { "title": "Invoke-Obfuscation Via Stdin - PowerShell Module", "id": "c72aca44-8d52-45ad-8f81-f96c4d3c755e", "status": "experimental", "description": "Detects Obfuscated Powershell via Stdin in Scripts", "author": "Nikita Nazarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*(set).*&&\\s?set.*(environment|invoke|\\$?\\{?input).*&&.*\"')" ], "filename": "posh_pm_invoke_obfuscation_via_stdin.yml" }, { "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module", "id": "7034cbbb-cc55-4dc2-8dad-36c0b942e8f1", "status": "experimental", "description": "Detects Obfuscated Powershell via COMPRESS OBFUSCATION", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%new-object%' ESCAPE '\\' AND Payload LIKE '%text.encoding]::ascii%' ESCAPE '\\' AND (Payload LIKE '%system.io.compression.deflatestream%' ESCAPE '\\' OR Payload LIKE '%system.io.streamreader%' ESCAPE '\\') AND Payload LIKE '%readtoend' ESCAPE '\\')" ], "filename": "posh_pm_invoke_obfuscation_via_compress.yml" }, { "title": "Suspicious Get-ADDBAccount Usage", "id": "b140afd9-474b-4072-958e-2ebb435abd68", "status": "test", "description": "Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-ADDBAccount%' ESCAPE '\\' AND Payload LIKE '%BootKey %' ESCAPE '\\' AND Payload LIKE '%DatabasePath %' ESCAPE '\\')" ], "filename": "posh_pm_get_addbaccount.yml" }, { "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module", "id": "6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e", "status": "experimental", "description": "Detects Obfuscated use of Environment Variables to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r)(?:\\s|)\"set\\s[a-zA-Z]{3,6}.*(?:\\{\\d\\}){1,}\\\\\"\\s+?-f(?:.*\\)){1,}.*\"')" ], "filename": "posh_pm_invoke_obfuscation_var.yml" }, { "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module", "id": "daf7eb81-35fd-410d-9d7a-657837e602bb", "status": "experimental", "description": "Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration", "author": "frack113", "tags": [ "attack.collection", "attack.t1074.001" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Compress-Archive %' ESCAPE '\\' AND ContextInfo LIKE '% -Path %' ESCAPE '\\' AND ContextInfo LIKE '% -DestinationPath %' ESCAPE '\\' AND ContextInfo LIKE '%$env:TEMP\\\\%' ESCAPE '\\')" ], "filename": "posh_pm_susp_zip_compress.yml" }, { "title": "Suspicious Computer Machine Password by PowerShell", "id": "e3818659-5016-4811-a73c-dde4679169d2", "status": "test", "description": "The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain.\nYou can use it to reset the password of the local computer.\n", "author": "frack113", "tags": [ "attack.initial_access", "attack.t1078" ], "falsepositives": [ "Administrator PowerShell scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND ContextInfo LIKE '%Reset-ComputerMachinePassword%' ESCAPE '\\')" ], "filename": "posh_pm_susp_reset_computermachinepassword.yml" }, { "title": "Potential Active Directory Enumeration Using AD Module - PsModule", "id": "74176142-4684-4d8a-8b0a-713257e7df8e", "status": "experimental", "description": "Detects usage of the \"Import-Module\" cmdlet to load the \"Microsoft.ActiveDirectory.Management.dl\" DLL. Which is often used by attackers to perform AD enumeration.", "author": "Nasreddine Bencherchali (Nextron Systems), frack113", "tags": [ "attack.reconnaissance", "attack.discovery", "attack.impact" ], "falsepositives": [ "Legitimate use of the library for administrative activity" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Import-Module %' ESCAPE '\\' OR Payload LIKE '%ipmo %' ESCAPE '\\') AND Payload LIKE '%Microsoft.ActiveDirectory.Management.dll%' ESCAPE '\\')" ], "filename": "posh_pm_active_directory_module_dll_import.yml" }, { "title": "AD Groups Or Users Enumeration Using PowerShell - PoshModule", "id": "815bfc17-7fc6-4908-a55e-2f37b98cedb4", "status": "test", "description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n", "author": "frack113", "tags": [ "attack.discovery", "attack.t1069.001" ], "falsepositives": [ "Administrator script" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (Payload LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR ContextInfo LIKE '%get-ADPrincipalGroupMembership%' ESCAPE '\\' OR (Payload LIKE '%get-aduser%' ESCAPE '\\' AND Payload LIKE '%-f %' ESCAPE '\\' AND Payload LIKE '%-pr %' ESCAPE '\\' AND Payload LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\') OR (ContextInfo LIKE '%get-aduser%' ESCAPE '\\' AND ContextInfo LIKE '%-f %' ESCAPE '\\' AND ContextInfo LIKE '%-pr %' ESCAPE '\\' AND ContextInfo LIKE '%DoesNotRequirePreAuth%' ESCAPE '\\')))" ], "filename": "posh_pm_susp_ad_group_reco.yml" }, { "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module", "id": "f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6", "status": "experimental", "description": "Detects Obfuscated Powershell via VAR++ LAUNCHER", "author": "Timur Zinniatullin, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '(?i).*&&set.*(\\{\\d\\}){2,}\\\\\"\\s+?-f.*&&.*cmd.*/c')" ], "filename": "posh_pm_invoke_obfuscation_via_var.yml" }, { "title": "PowerShell Get Clipboard", "id": "4cbd4f12-2e22-43e3-882f-bff3247ffb78", "status": "experimental", "description": "A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.collection", "attack.t1115" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload LIKE '%Get-Clipboard%' ESCAPE '\\')" ], "filename": "posh_pm_get_clipboard.yml" }, { "title": "Malicious PowerShell Commandlets - PoshModule", "id": "7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c", "status": "test", "description": "Detects Commandlet names from well-known PowerShell exploitation frameworks", "author": "Nasreddine Bencherchali (Nextron Systems)", "tags": [ "attack.execution", "attack.discovery", "attack.t1482", "attack.t1087", "attack.t1087.001", "attack.t1087.002", "attack.t1069.001", "attack.t1069.002", "attack.t1069", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%Add-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Add-Persistence%' ESCAPE '\\' OR Payload LIKE '%Add-RegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-RemoteRegBackdoor%' ESCAPE '\\' OR Payload LIKE '%Add-ScrnSaveBackdoor%' ESCAPE '\\' OR Payload LIKE '%Check-VM%' ESCAPE '\\' OR Payload LIKE '%ConvertTo-Rc4ByteStream%' ESCAPE '\\' OR Payload LIKE '%Decrypt-Hash%' ESCAPE '\\' OR Payload LIKE '%Disable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Disable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Do-Exfiltration%' ESCAPE '\\' OR Payload LIKE '%Enable-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Enable-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Enabled-DuplicateToken%' ESCAPE '\\' OR Payload LIKE '%Exploit-Jboss%' ESCAPE '\\' OR Payload LIKE '%Export-ADR%' ESCAPE '\\' OR Payload LIKE '%Export-ADRCSV%' ESCAPE '\\' OR Payload LIKE '%Export-ADRExcel%' ESCAPE '\\' OR Payload LIKE '%Export-ADRHTML%' ESCAPE '\\' OR Payload LIKE '%Export-ADRJSON%' ESCAPE '\\' OR Payload LIKE '%Export-ADRXML%' ESCAPE '\\' OR Payload LIKE '%Find-Fruit%' ESCAPE '\\' OR Payload LIKE '%Find-GPOLocation%' ESCAPE '\\' OR Payload LIKE '%Find-TrustedDocuments%' ESCAPE '\\' OR Payload LIKE '%Get-ADIDNS%' ESCAPE '\\' OR Payload LIKE '%Get-ApplicationHost%' ESCAPE '\\' OR Payload LIKE '%Get-ChromeDump%' ESCAPE '\\' OR Payload LIKE '%Get-ClipboardContents%' ESCAPE '\\' OR Payload LIKE '%Get-FoxDump%' ESCAPE '\\' OR Payload LIKE '%Get-GPPPassword%' ESCAPE '\\' OR Payload LIKE '%Get-IndexedItem%' ESCAPE '\\' OR Payload LIKE '%Get-KerberosAESKey%' ESCAPE '\\' OR Payload LIKE '%Get-Keystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-LSASecret%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Get-MachineAccountCreator%' ESCAPE '\\' OR Payload LIKE '%Get-PassHashes%' ESCAPE '\\' OR Payload LIKE '%Get-RegAlwaysInstallElevated%' ESCAPE '\\' OR Payload LIKE '%Get-RegAutoLogon%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteBootKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteCachedCredential%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLocalAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteLSAKey%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteMachineAccountHash%' ESCAPE '\\' OR Payload LIKE '%Get-RemoteNLKMKey%' ESCAPE '\\' OR Payload LIKE '%Get-RickAstley%' ESCAPE '\\' OR Payload LIKE '%Get-Screenshot%' ESCAPE '\\' OR Payload LIKE '%Get-SecurityPackages%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceFilePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServicePermission%' ESCAPE '\\' OR Payload LIKE '%Get-ServiceUnquoted%' ESCAPE '\\' OR Payload LIKE '%Get-SiteListPassword%' ESCAPE '\\' OR Payload LIKE '%Get-System%' ESCAPE '\\' OR Payload LIKE '%Get-TimedScreenshot%' ESCAPE '\\' OR Payload LIKE '%Get-UnattendedInstallFile%' ESCAPE '\\' OR Payload LIKE '%Get-Unconstrained%' ESCAPE '\\' OR Payload LIKE '%Get-USBKeystrokes%' ESCAPE '\\' OR Payload LIKE '%Get-VaultCredential%' ESCAPE '\\' OR Payload LIKE '%Get-VulnAutoRun%' ESCAPE '\\' OR Payload LIKE '%Get-VulnSchTask%' ESCAPE '\\' OR Payload LIKE '%Grant-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Gupt-Backdoor%' ESCAPE '\\' OR Payload LIKE '%HTTP-Login%' ESCAPE '\\' OR Payload LIKE '%Install-ServiceBinary%' ESCAPE '\\' OR Payload LIKE '%Install-SSP%' ESCAPE '\\' OR Payload LIKE '%Invoke-ACLScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADRecon%' ESCAPE '\\' OR Payload LIKE '%Invoke-ADSBackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-AgentSmith%' ESCAPE '\\' OR Payload LIKE '%Invoke-AllChecks%' ESCAPE '\\' OR Payload LIKE '%Invoke-ARPScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-AzureHound%' ESCAPE '\\' OR Payload LIKE '%Invoke-BackdoorLNK%' ESCAPE '\\' OR Payload LIKE '%Invoke-BadPotato%' ESCAPE '\\' OR Payload LIKE '%Invoke-BetterSafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-BypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Carbuncle%' ESCAPE '\\' OR Payload LIKE '%Invoke-Certify%' ESCAPE '\\' OR Payload LIKE '%Invoke-ConPtyShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-CredentialInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DAFT%' ESCAPE '\\' OR Payload LIKE '%Invoke-DCSync%' ESCAPE '\\' OR Payload LIKE '%Invoke-DinvokeKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-DllInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-DNSUpdate%' ESCAPE '\\' OR Payload LIKE '%Invoke-DomainPasswordSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-DowngradeAccount%' ESCAPE '\\' OR Payload LIKE '%Invoke-EgressCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Eyewitness%' ESCAPE '\\' OR Payload LIKE '%Invoke-FakeLogonScreen%' ESCAPE '\\' OR Payload LIKE '%Invoke-Farmer%' ESCAPE '\\' OR Payload LIKE '%Invoke-Get-RBCD-Threaded%' ESCAPE '\\' OR Payload LIKE '%Invoke-Gopher%' ESCAPE '\\' OR Payload LIKE '%Invoke-Grouper%' ESCAPE '\\' OR Payload LIKE '%Invoke-HandleKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonatedProcess%' ESCAPE '\\' OR Payload LIKE '%Invoke-ImpersonateSystem%' ESCAPE '\\' OR Payload LIKE '%Invoke-InteractiveSystemPowerShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Internalmonologue%' ESCAPE '\\' OR Payload LIKE '%Invoke-Inveigh%' ESCAPE '\\' OR Payload LIKE '%Invoke-InveighRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-KrbRelay%' ESCAPE '\\' OR Payload LIKE '%Invoke-LdapSignCheck%' ESCAPE '\\' OR Payload LIKE '%Invoke-Lockless%' ESCAPE '\\' OR Payload LIKE '%Invoke-MalSCCM%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-Mimikittenz%' ESCAPE '\\' OR Payload LIKE '%Invoke-MITM6%' ESCAPE '\\' OR Payload LIKE '%Invoke-NanoDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-NetRipper%' ESCAPE '\\' OR Payload LIKE '%Invoke-Nightmare%' ESCAPE '\\' OR Payload LIKE '%Invoke-NinjaCopy%' ESCAPE '\\' OR Payload LIKE '%Invoke-OfficeScrape%' ESCAPE '\\' OR Payload LIKE '%Invoke-OxidResolver%' ESCAPE '\\' OR Payload LIKE '%Invoke-P0wnedshell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Paranoia%' ESCAPE '\\' OR Payload LIKE '%Invoke-PortScan%' ESCAPE '\\' OR Payload LIKE '%Invoke-PoshRatHttp%' ESCAPE '\\' OR Payload LIKE '%Invoke-PostExfil%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellTCP%' ESCAPE '\\' OR Payload LIKE '%Invoke-PowerShellWMI%' ESCAPE '\\' OR Payload LIKE '%Invoke-PPLDump%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-PSInject%' ESCAPE '\\' OR Payload LIKE '%Invoke-PsUaCme%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReflectivePEInjection%' ESCAPE '\\' OR Payload LIKE '%Invoke-ReverseDNSLookup%' ESCAPE '\\' OR Payload LIKE '%Invoke-Rubeus%' ESCAPE '\\' OR Payload LIKE '%Invoke-RunAs%' ESCAPE '\\' OR Payload LIKE '%Invoke-SafetyKatz%' ESCAPE '\\' OR Payload LIKE '%Invoke-SauronEye%' ESCAPE '\\' OR Payload LIKE '%Invoke-SCShell%' ESCAPE '\\' OR Payload LIKE '%Invoke-Seatbelt%' ESCAPE '\\' OR Payload LIKE '%Invoke-ServiceAbuse%' ESCAPE '\\' OR Payload LIKE '%Invoke-ShadowSpray%' ESCAPE '\\' OR Payload LIKE '%Invoke-Sharp%' ESCAPE '\\' OR Payload LIKE '%Invoke-Shellcode%' ESCAPE '\\' OR Payload LIKE '%Invoke-SMBScanner%' ESCAPE '\\' OR Payload LIKE '%Invoke-Snaffler%' ESCAPE '\\' OR Payload LIKE '%Invoke-Spoolsample%' ESCAPE '\\' OR Payload LIKE '%Invoke-SpraySinglePassword%' ESCAPE '\\' OR Payload LIKE '%Invoke-SSHCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-StandIn%' ESCAPE '\\' OR Payload LIKE '%Invoke-StickyNotesExtract%' ESCAPE '\\' OR Payload LIKE '%Invoke-SystemCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tasksbackdoor%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tater%' ESCAPE '\\' OR Payload LIKE '%Invoke-Thunderfox%' ESCAPE '\\' OR Payload LIKE '%Invoke-ThunderStruck%' ESCAPE '\\' OR Payload LIKE '%Invoke-TokenManipulation%' ESCAPE '\\' OR Payload LIKE '%Invoke-Tokenvator%' ESCAPE '\\' OR Payload LIKE '%Invoke-TotalExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-UrbanBishop%' ESCAPE '\\' OR Payload LIKE '%Invoke-UserHunter%' ESCAPE '\\' OR Payload LIKE '%Invoke-VoiceTroll%' ESCAPE '\\' OR Payload LIKE '%Invoke-Whisker%' ESCAPE '\\' OR Payload LIKE '%Invoke-WinEnum%' ESCAPE '\\' OR Payload LIKE '%Invoke-winPEAS%' ESCAPE '\\' OR Payload LIKE '%Invoke-WireTap%' ESCAPE '\\' OR Payload LIKE '%Invoke-WmiCommand%' ESCAPE '\\' OR Payload LIKE '%Invoke-WMIExec%' ESCAPE '\\' OR Payload LIKE '%Invoke-WScriptBypassUAC%' ESCAPE '\\' OR Payload LIKE '%Invoke-Zerologon%' ESCAPE '\\' OR Payload LIKE '%MailRaider%' ESCAPE '\\' OR Payload LIKE '%New-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%New-DNSRecordArray%' ESCAPE '\\' OR Payload LIKE '%New-HoneyHash%' ESCAPE '\\' OR Payload LIKE '%New-InMemoryModule%' ESCAPE '\\' OR Payload LIKE '%New-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%New-SOASerialNumberArray%' ESCAPE '\\' OR Payload LIKE '%Out-Minidump%' ESCAPE '\\' OR Payload LIKE '%Port-Scan%' ESCAPE '\\' OR Payload LIKE '%PowerBreach%' ESCAPE '\\' OR Payload LIKE '%powercat %' ESCAPE '\\' OR Payload LIKE '%PowerUp%' ESCAPE '\\' OR Payload LIKE '%PowerView%' ESCAPE '\\' OR Payload LIKE '%Remove-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Remove-MachineAccount%' ESCAPE '\\' OR Payload LIKE '%Remove-Update%' ESCAPE '\\' OR Payload LIKE '%Rename-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Revoke-ADIDNSPermission%' ESCAPE '\\' OR Payload LIKE '%Set-ADIDNSNode%' ESCAPE '\\' OR Payload LIKE '%Set-MacAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-MachineAccountAttribute%' ESCAPE '\\' OR Payload LIKE '%Set-Wallpaper%' ESCAPE '\\' OR Payload LIKE '%Show-TargetScreen%' ESCAPE '\\' OR Payload LIKE '%Start-CaptureServer%' ESCAPE '\\' OR Payload LIKE '%Start-WebcamRecorder%' ESCAPE '\\' OR Payload LIKE '%VolumeShadowCopyTools%' ESCAPE '\\'))" ], "filename": "posh_pm_malicious_commandlets.yml" }, { "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module", "id": "a136cde0-61ad-4a61-9b82-8dc490e60dd2", "status": "experimental", "description": "Detects Obfuscated use of Clip.exe to execute PowerShell", "author": "Jonathan Cheong, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1027", "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND Payload REGEXP '.*cmd.{0,5}(?:/c|/r).+clip(?:\\.exe)?.{0,4}&&.+clipboard]::\\(\\s\\\\\"\\{\\d\\}.+-f.+\"')" ], "filename": "posh_pm_invoke_obfuscation_clip.yml" }, { "title": "Bad Opsec Powershell Code Artifacts", "id": "8d31a8ce-46b5-4dd6-bdc3-680931f1db86", "status": "test", "description": "focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including\nCobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads \nthat often undergo minimal changes by attackers due to bad opsec.\n", "author": "ok @securonix invrep_de, oscd.community", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments." ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational') AND (Payload LIKE '%$DoIt%' ESCAPE '\\' OR Payload LIKE '%harmj0y%' ESCAPE '\\' OR Payload LIKE '%mattifestation%' ESCAPE '\\' OR Payload LIKE '%\\_RastaMouse%' ESCAPE '\\' OR Payload LIKE '%tifkin\\_%' ESCAPE '\\' OR Payload LIKE '%0xdeadbeef%' ESCAPE '\\'))" ], "filename": "posh_pm_bad_opsec_artifacts.yml" }, { "title": "Clear PowerShell History - PowerShell Module", "id": "f99276ad-d122-4989-a09a-d00904a5f9d2", "status": "experimental", "description": "Detects keywords that could indicate clearing PowerShell history", "author": "Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1070.003" ], "falsepositives": [ "Legitimate PowerShell scripts" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND (((Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%–HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\') OR (Payload LIKE '%Set-PSReadlineOption%' ESCAPE '\\' AND Payload LIKE '%-HistorySaveStyle%' ESCAPE '\\' AND Payload LIKE '%SaveNothing%' ESCAPE '\\')) OR ((Payload LIKE '%del%' ESCAPE '\\' OR Payload LIKE '%Remove-Item%' ESCAPE '\\' OR Payload LIKE '%rm%' ESCAPE '\\') AND Payload LIKE '%(Get-PSReadlineOption).HistorySavePath%' ESCAPE '\\')))" ], "filename": "posh_pm_clear_powershell_history.yml" }, { "title": "Malicious PowerShell Scripts - PoshModule", "id": "41025fd7-0466-4650-a813-574aaacbe7f4", "status": "experimental", "description": "Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance", "author": "frack113, Nasreddine Bencherchali", "tags": [ "attack.execution", "attack.t1059.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((ContextInfo LIKE '%Add-ConstrainedDelegationBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-RemoteRegBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Add-ScrnSaveBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Check-VM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ConvertTo-ROT13.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Copy-VSS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Create-MultipleSessions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DNS\\_TXT\\_Pwnage.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Do-Exfiltration.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%DomainPasswordSpray.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download\\_Execute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Download-Execute-PS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enabled-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Enable-DuplicateToken.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-Command-MSSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-DNSTXT-Code.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Execute-OnTime.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%ExetoText.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Exploit-Jboss.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-AVSignature.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-Fruit.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-GPOLocation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Find-TrustedDocuments.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireBuster.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%FireListener.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ApplicationHost.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ChromeDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ClipboardContents.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ComputerDetail.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-FoxDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPAutologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-GPPPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-IndexedItem.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Keystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LSASecret.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-MicrophoneAudio.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHashes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-PassHints.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAlwaysInstallElevated.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RegAutoLogon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-RickAstley.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Screenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SecurityPackages.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceFilePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServicePermission.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-ServiceUnquoted.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-SiteListPassword.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-System.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-TimedScreenshot.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-UnattendedInstallFile.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-Unconstrained.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-USBKeystrokes.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VaultCredential.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnAutoRun.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-VulnSchTask.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebConfig.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WebCredentials.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Get-WLAN-Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Gupt-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%HTTP-Login.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-ServiceBinary.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Install-SSP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ACLScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ADSBackdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-AmsiBypass.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ARPScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BackdoorLNK.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BadPotato.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BetterSafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BruteForce.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-BypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Carbuncle.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Certify.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ConPtyShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-CredentialsPhish.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DAFT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DCSync.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Decode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DinvokeKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DllInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-DowngradeAccount.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EgressCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Encode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-EventViewer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Eyewitness.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-FakeLogonScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Farmer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Get-RBCD-Threaded.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Gopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper2.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Grouper3.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-HandleKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Interceptor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Internalmonologue.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Inveigh.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-InveighRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRegsvr.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-JSRatRundll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-KrbRelayUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-LdapSignCheck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Lockless.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MalSCCM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MimikatzWDigestDowngrade.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Mimikittenz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-MITM6.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NanoDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetRipper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NetworkRelay.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-NinjaCopy.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-OxidResolver.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-P0wnedshellx86.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Paranoia.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PortScan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PoshRatHttps.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PostExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellIcmp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTCP.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellTcpOneLineBind.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellUdpOneLine.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerShellWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PowerThIEf.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PPLDump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Prasadhak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsGcatAgent.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PSInject.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-PsUaCme.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReflectivePEInjection.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ReverseDNSLookup.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Rubeus.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-RunAs.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SafetyKatz.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SauronEye.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SCShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Seatbelt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ServiceAbuse.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SessionGopher.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ShellCode.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SMBScanner.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Snaffler.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Spoolsample.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSHCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-SSIDExfil.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StandIn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-StickyNotesExtract.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tater.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Thunderfox.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-ThunderStruck.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TokenManipulation.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Tokenvator.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-TotalExec.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UrbanBishop.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-UserHunter.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-VoiceTroll.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Whisker.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WinEnum.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-winPEAS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WireTap.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WmiCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-WScriptBypassUAC.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Invoke-Zerologon.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Keylogger.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%MailRaider.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%New-HoneyHash.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%OfficeMemScraper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Offline\\_Winpwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-CHM.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-DnsTxt.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Excel.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-HTA.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Java.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-JS.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Minidump.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-RundllCommand.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCF.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-SCT.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Shortcut.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-WebQuery.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Out-Word.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Parse\\_Keys.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Port-Scan.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerBreach.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%powercat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerRunAsSystem.psm1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerSharpPack.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUp.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerUpSQL.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PowerView.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%PSAsyncShell.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%RemoteHashRetrieval.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Persistence.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-PoshRat.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Remove-Update.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Run-EXEonRemote.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Schtasks-Backdoor.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-DCShadowPermissions.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-MacAttribute.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemotePSRemoting.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-RemoteWMI.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Set-Wallpaper.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Show-TargetScreen.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Speak.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-CaptureServer.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%Start-WebcamRecorder.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%StringToBase64.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%TexttoExe.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%VolumeShadowCopyTools.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WinPwn.ps1%' ESCAPE '\\' OR ContextInfo LIKE '%WSUSpendu.ps1%' ESCAPE '\\') OR (ContextInfo LIKE '%Invoke-Sharp%' ESCAPE '\\' AND ContextInfo LIKE '%.ps1%' ESCAPE '\\')))" ], "filename": "posh_pm_exploit_scripts.yml" }, { "title": "Suspicious Get Local Groups Information", "id": "cef24b90-dddc-4ae1-a09a-8764872f69fc", "status": "test", "description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", "author": "frack113", "tags": [ "attack.discovery", "attack.t1069.001" ], "falsepositives": [ "Administrator script" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE ((EventID = '4103' AND Channel IN ('Microsoft-Windows-PowerShell/Operational', 'PowerShellCore/Operational')) AND ((Payload LIKE '%get-localgroup%' ESCAPE '\\' OR Payload LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (ContextInfo LIKE '%get-localgroup%' ESCAPE '\\' OR ContextInfo LIKE '%Get-LocalGroupMember%' ESCAPE '\\') OR (Payload LIKE '%Get-WMIObject%' ESCAPE '\\' AND Payload LIKE '%Win32\\_Group%' ESCAPE '\\') OR (ContextInfo LIKE '%Get-WMIObject%' ESCAPE '\\' AND ContextInfo LIKE '%Win32\\_Group%' ESCAPE '\\')))" ], "filename": "posh_pm_susp_local_group_reco.yml" }, { "title": "Credential Dumping by Pypykatz", "id": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", "status": "test", "description": "Detects LSASS process access by pypykatz for credential dumping.", "author": "Bhabesh Raj", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%libffi-7.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python3%.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml" }, { "title": "Mimikatz through Windows Remote Management", "id": "aa35a627-33fb-4d04-a165-d33b4afca3e8", "status": "stable", "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", "author": "Patryk Prauze - ING Tech", "tags": [ "attack.credential_access", "attack.execution", "attack.t1003.001", "attack.t1059.001", "attack.lateral_movement", "attack.t1021.006", "attack.s0002" ], "falsepositives": [ "Unlikely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wsmprovhost.exe' ESCAPE '\\') AND NOT (GrantedAccess = '0x80000000'))" ], "filename": "proc_access_win_mimikatz_trough_winrm.yml" }, { "title": "Credential Dumping Tools Accessing LSASS Memory", "id": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", "status": "experimental", "description": "Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools", "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", "tags": [ "attack.credential_access", "attack.t1003.001", "attack.s0002", "car.2019-04-004" ], "falsepositives": [ "Likely" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '0x40%' ESCAPE '\\' OR GrantedAccess LIKE '0x100000%' ESCAPE '\\' OR GrantedAccess LIKE '0x1410%' ESCAPE '\\' OR GrantedAccess LIKE '0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '0x143a%' ESCAPE '\\' OR GrantedAccess LIKE '0x1418%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f0fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f1fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f2fff%' ESCAPE '\\' OR GrantedAccess LIKE '0x1f3fff%' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\perfmon.exe' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe%' ESCAPE '\\') AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\svchost.exe' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR ((CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\mprtp.dll%' ESCAPE '\\' OR CallTrace LIKE '%|c:\\\\program files\\\\windows defender\\\\MpClient.dll%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x410')) OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\' OR SourceImage LIKE '%C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x40')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\syswow64\\\\MsiExec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1410', '0x410', '0x1f1fff', '0x1f3fff')) OR ((SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\wininit.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\') AND GrantedAccess = '0x1000000') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess IN ('0x100000', '0x1410')) OR ((SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\') AND GrantedAccess IN ('0x40', '0x1010')) OR (SourceImage LIKE '%\\\\explorer.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess IN ('0x1410', '0x1418')) OR (GrantedAccess = '0x40' AND (SourceImage LIKE '%\\\\handle.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\handle64.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Installer\\\\setup.exe' ESCAPE '\\') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' AND GrantedAccess = '0x401') OR (SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE '%:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\') AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\')))" ], "filename": "proc_access_win_cred_dump_lsass_access.yml" }, { "title": "Direct Syscall of NtOpenProcess", "id": "3f3f3506-1895-401b-9cc3-e86b16e630d0", "status": "experimental", "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", "author": "Christian Burkard (Nextron Systems), Tim Shelton", "tags": [ "attack.execution", "attack.t1106" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND CallTrace LIKE 'UNKNOWN%' ESCAPE '\\' AND NOT ((TargetImage LIKE 'C:\\\\Program Files\\\\Cylance\\\\Desktop\\\\CylanceUI.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MicrosoftEdgeUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\' AND SourceImage LIKE '%vcredist\\_x64.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\systeminfo.exe' ESCAPE '\\' AND SourceImage LIKE '%setup64.exe' ESCAPE '\\') OR (TargetImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\' AND SourceImage LIKE '%AmazonSSMAgentSetup.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe' ESCAPE '\\') OR (TargetImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\' AND SourceImage LIKE '%C:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe' ESCAPE '\\') OR (TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\backgroundTaskHost.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Discord\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Discord.exe' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\AUDIODG.EXE' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND SourceImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\yammerdesktop\\\\app-%' ESCAPE '\\' AND TargetImage LIKE '%\\\\Yammer.exe' ESCAPE '\\' AND GrantedAccess = '0x1000') OR (Provider_Name = 'Microsoft-Windows-Kernel-Audit-API-Calls') OR (TargetImage LIKE '%\\\\Evernote\\\\Evernote.exe' ESCAPE '\\')))" ], "filename": "proc_access_win_direct_syscall_ntopenprocess.yml" }, { "title": "WerFault Accassing LSASS", "id": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", "status": "test", "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001", "attack.s0002" ], "falsepositives": [ "Actual failures in lsass.exe that trigger a crash dump (unlikely)", "Unknown cases in which WerFault accesses lsass.exe" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND SourceImage LIKE '%\\\\WerFault.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], "filename": "proc_access_win_lsass_werfault.yml" }, { "title": "SVCHOST Credential Dump", "id": "174afcfa-6e40-4ae9-af64-496546389294", "status": "test", "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", "author": "Florent Labouyrie", "tags": [ "attack.t1548" ], "falsepositives": [ "Non identified legit exectubale" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND (TargetImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x143a') AND NOT ((SourceImage LIKE '%\\\\services.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\msiexec.exe' ESCAPE '\\')))" ], "filename": "proc_access_win_svchost_cred_dump.yml" }, { "title": "LSASS Memory Access by Tool Named Dump", "id": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", "status": "test", "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001", "attack.s0002" ], "falsepositives": [ "Rare programs that contain the word dump in their name and access lsass" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%dump%' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], "filename": "proc_access_win_lsass_memdump_indicators.yml" }, { "title": "Potential NT API Stub Patching", "id": "b916cba1-b38a-42da-9223-17114d846fd6", "status": "experimental", "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI", "author": "frack113", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND (GrantedAccess = '0x1FFFFF' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\') OR (TargetImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\GitHubDesktop.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\resources\\\\app\\\\git\\\\usr\\\\bin\\\\sh.exe' ESCAPE '\\') AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND SourceImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\' AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\')) OR ((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\system32\\\\taskhost.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v%' ESCAPE '\\') AND TargetImage LIKE '%\\\\NGenTask.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\WINDOWS\\\\SysWOW64\\\\regsvr32.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\stage\\\\Teams.exe' ESCAPE '\\')))" ], "filename": "proc_access_win_invoke_patchingapi.yml" }, { "title": "LSASS Memory Dump", "id": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", "status": "experimental", "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", "author": "Samir Bousseaden, Michael Haag", "tags": [ "attack.credential_access", "attack.t1003.001", "attack.s0002" ], "falsepositives": [ "False positives are present when looking for 0x1410. Exclusions may be required." ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%0x1038%' ESCAPE '\\' OR GrantedAccess LIKE '%0x1438%' ESCAPE '\\' OR GrantedAccess LIKE '%0x143a%' ESCAPE '\\') AND (CallTrace LIKE '%dbghelp.dll%' ESCAPE '\\' OR CallTrace LIKE '%dbgcore.dll%' ESCAPE '\\' OR CallTrace LIKE '%ntdll.dll%' ESCAPE '\\')) AND NOT ((CallTrace LIKE '%|C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND CallTrace LIKE '%\\\\thor\\\\thor64.exe+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND GrantedAccess = '0x103800') OR (SourceImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\')))" ], "filename": "proc_access_win_lsass_memdump.yml" }, { "title": "HandleKatz Duplicating LSASS Handle", "id": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", "status": "experimental", "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", "author": "Bhabesh Raj (rule), @thefLinkk", "tags": [ "attack.execution", "attack.t1106", "attack.defense_evasion", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess = '0x1440' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%)' ESCAPE '\\')" ], "filename": "proc_access_win_handlekatz_lsass_access.yml" }, { "title": "UAC Bypass Using WOW64 Logger DLL Hijack", "id": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", "status": "test", "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND SourceImage LIKE '%:\\\\Windows\\\\SysWOW64\\\\%' ESCAPE '\\' AND GrantedAccess = '0x1fffff' AND CallTrace LIKE 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|%' ESCAPE '\\')" ], "filename": "proc_access_win_uac_bypass_wow64_logger.yml" }, { "title": "Rare GrantedAccess Flags on LSASS Access", "id": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", "status": "experimental", "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001", "attack.s0002" ], "falsepositives": [ "Legitimate software accessing LSASS process for legitimate reason" ], "level": "medium", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND GrantedAccess LIKE '%10' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\sysWOW64\\\\wbem\\\\wmiprvse.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\WindowsApps\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\GamingServices.exe' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\PROCEXP64.EXE' ESCAPE '\\' OR SourceImage LIKE '%\\\\PROCEXP.EXE' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR ((SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\%' ESCAPE '\\')) OR (SourceCommandLine LIKE 'C:\\\\WINDOWS\\\\system32\\\\wermgr.exe -upload' ESCAPE '\\') OR (SourceImage LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\')) OR (SourceImage LIKE '%\\\\xampp-control.exe' ESCAPE '\\' AND GrantedAccess = '0x410') OR (SourceImage LIKE '%\\\\SteamLibrary\\\\steamapps\\\\%' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x10'))))" ], "filename": "proc_access_win_rare_proc_access_lsass.yml" }, { "title": "Potential Shellcode Injection", "id": "250ae82f-736e-4844-a68b-0b5e8cc887da", "status": "experimental", "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", "author": "Bhabesh Raj", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND (GrantedAccess IN ('0x147a', '0x1f3fff') AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT (((SourceImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\%' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\%' ESCAPE '\\') AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\Explorer.EXE' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\PerfWatson2.exe' ESCAPE '\\') AND (TargetImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\2022\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\' OR TargetImage LIKE 'C:\\\\Program Files (x86)\\\\Microsoft Visual Studio\\\\2019\\\\Community\\\\Common7\\\\IDE\\\\devenv.exe' ESCAPE '\\') AND CallTrace LIKE 'C:\\\\Windows\\\\System32\\\\ntdll.dll%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Program Files\\\\Dell\\\\DellDataVault\\\\DDVDataCollector.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\Wbem\\\\Wmiprvse.exe' ESCAPE '\\' AND TargetImage LIKE 'C:\\\\Windows\\\\system32\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE 'C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll%' ESCAPE '\\' AND CallTrace LIKE '%\\\\System.ni.dll+%' ESCAPE '\\')))" ], "filename": "proc_access_win_shellcode_inject_msf_empire.yml" }, { "title": "SysmonEnte Usage", "id": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", "status": "experimental", "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND (((TargetImage LIKE 'C:\\\\Windows\\\\Sysmon64.exe' ESCAPE '\\' AND GrantedAccess = '0x1400') AND NOT (((SourceImage LIKE 'C:\\\\Program Files%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\'))) OR CallTrace = 'Ente'))" ], "filename": "proc_access_win_hack_sysmonente.yml" }, { "title": "Credential Dumping by LaZagne", "id": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", "status": "stable", "description": "Detects LSASS process access by LaZagne for credential dumping.", "author": "Bhabesh Raj, Jonhnathan Ribeiro", "tags": [ "attack.credential_access", "attack.t1003.001", "attack.s0349" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND CallTrace LIKE '%C:\\\\Windows\\\\SYSTEM32\\\\ntdll.dll+%' ESCAPE '\\' AND CallTrace LIKE '%|C:\\\\Windows\\\\System32\\\\KERNELBASE.dll+%' ESCAPE '\\' AND CallTrace LIKE '%\\_ctypes.pyd+%' ESCAPE '\\' AND CallTrace LIKE '%python27.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF')" ], "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml" }, { "title": "LSASS Access from Program in Suspicious Folder", "id": "fa34b441-961a-42fa-a100-ecc28c886725", "status": "experimental", "description": "Detects process access to LSASS memory with suspicious access flags and from a suspicious folder", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001", "attack.s0002" ], "falsepositives": [ "Updaters and installers are typical false positives. Apply custom filters depending on your environment" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\') AND (SourceImage LIKE '%\\\\Temp\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Users\\\\Public\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\PerfLogs\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\AppData\\\\%' ESCAPE '\\' OR SourceImage LIKE '%\\\\Temporary%' ESCAPE '\\')) AND NOT ((SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\software\\_reporter\\_tool.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\DropboxUpdate.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\MBAMInstallerService.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebexMTA.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\WebEx\\\\WebexHost.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\JetBrains\\\\Toolbox\\\\bin\\\\jetbrains-toolbox.exe' ESCAPE '\\') AND GrantedAccess = '0x410') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\DropboxUpdate.exe' ESCAPE '\\' AND GrantedAccess = '0x1410') OR ((SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent-sc\\\\%' ESCAPE '\\') AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent-64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\aurora-agent.exe' ESCAPE '\\') AND GrantedAccess IN ('0x1fffff', '0x1010', '0x101010')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vs\\_bootstrapper\\_%' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Google\\\\Temp\\\\%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\GoogleUpdate.exe' ESCAPE '\\' AND GrantedAccess IN ('0x410', '0x1410')) OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Local\\\\Keybase\\\\keybase.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR (SourceImage LIKE '%\\\\AppData\\\\Local\\\\Temp\\\\is-%' ESCAPE '\\' AND SourceImage LIKE '%.tmp\\\\avira\\_system\\_speedup.tmp' ESCAPE '\\' AND GrantedAccess = '0x1410') OR (SourceImage LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\AppData\\\\Roaming\\\\ViberPC\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\updater.exe' ESCAPE '\\' AND TargetImage LIKE '%\\\\winlogon.exe' ESCAPE '\\' AND GrantedAccess = '0x1fffff') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Common Files\\\\Adobe\\\\ARM\\\\%' ESCAPE '\\') AND SourceImage LIKE '%\\\\AdobeARMHelper.exe' ESCAPE '\\' AND GrantedAccess = '0x1410')))" ], "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml" }, { "title": "Malware Shellcode in Verclsid Target Process", "id": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", "status": "test", "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", "author": "John Lambert (tech), Florian Roth (Nextron Systems)", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1055" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND (TargetImage LIKE '%\\\\verclsid.exe' ESCAPE '\\' AND GrantedAccess = '0x1FFFFF') AND ((CallTrace LIKE '%|UNKNOWN(%' ESCAPE '\\' AND CallTrace LIKE '%VBE7.DLL%' ESCAPE '\\') OR (SourceImage LIKE '%\\\\Microsoft Office\\\\%' ESCAPE '\\' AND CallTrace LIKE '%|UNKNOWN%' ESCAPE '\\')))" ], "filename": "proc_access_win_malware_verclsid_shellcode.yml" }, { "title": "Suspicious GrantedAccess Flags on LSASS Access", "id": "a18dd26b-6450-46de-8c91-9659150cf088", "status": "experimental", "description": "Detects process access to LSASS memory with suspicious access flags", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001", "attack.s0002" ], "falsepositives": [ "Legitimate software such as AV and EDR" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND (TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\')) AND NOT (((SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskmgr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\PROGRAMDATA\\\\MALWAREBYTES\\\\MBAMSERVICE\\\\ctlrupdate\\\\mbupdatr.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\taskhostw.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Windows Defender\\\\MsMpEng.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\msiexec.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\lsass.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\WINDOWS\\\\System32\\\\perfmon.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\MRT.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\Cisco\\\\Cisco AnyConnect Secure Mobility Client\\\\vpnagent.exe' ESCAPE '\\')) OR (SourceImage LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (CallTrace LIKE '%|C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\{%' ESCAPE '\\' AND CallTrace LIKE '%}\\\\mpengine.dll+%' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\ProgramData\\\\VMware\\\\VMware Tools\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\vmtoolsd.exe' ESCAPE '\\') OR ((SourceImage LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR SourceImage LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\') AND SourceImage LIKE '%Antivirus%' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\WINDOWS\\\\system32\\\\MRT.exe' ESCAPE '\\' AND GrantedAccess = '0x1418') OR (SourceImage LIKE 'C:\\\\Program Files\\\\Common Files\\\\McAfee\\\\MMSSHost\\\\MMSSHOST.exe' ESCAPE '\\') OR (SourceImage LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND (SourceImage LIKE '%\\\\thor64.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\thor.exe' ESCAPE '\\') AND GrantedAccess = '0x1fffff')))" ], "filename": "proc_access_win_susp_proc_access_lsass.yml" }, { "title": "CobaltStrike BOF Injection Pattern", "id": "09706624-b7f6-455d-9d02-adee024cee1d", "status": "test", "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.execution", "attack.t1106", "attack.defense_evasion", "attack.t1562.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND CallTrace REGEXP '^C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-z0-9]{4,6}\\|C:\\\\Windows\\\\System32\\\\KERNELBASE\\.dll\\+[a-z0-9]{4,6}\\|UNKNOWN\\([A-Z0-9]{16}\\)$' AND GrantedAccess IN ('0x1028', '0x1fffff'))" ], "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml" }, { "title": "CMSTP Execution Process Access", "id": "3b4b232a-af90-427c-a22f-30b0c0837b95", "status": "stable", "description": "Detects various indicators of Microsoft Connection Manager Profile Installer execution", "author": "Nik Seetharaman", "tags": [ "attack.defense_evasion", "attack.t1218.003", "attack.execution", "attack.t1559.001", "attack.g0069", "attack.g0080", "car.2019-04-001" ], "falsepositives": [ "Legitimate CMSTP use (unlikely in modern enterprise environments)" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND CallTrace LIKE '%cmlua.dll%' ESCAPE '\\')" ], "filename": "proc_access_win_cmstp_execution_by_access.yml" }, { "title": "LSASS Access from White-Listed Processes", "id": "4be8b654-0c01-4c9d-a10c-6b28467fc651", "status": "test", "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", "author": "Florian Roth (Nextron Systems)", "tags": [ "attack.credential_access", "attack.t1003.001", "attack.s0002" ], "falsepositives": [ "Unlikely, since these tools shouldn't access lsass.exe at all" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND (SourceImage LIKE '%\\\\TrolleyExpress.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\ProcessDump.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\dump64.exe' ESCAPE '\\') AND (GrantedAccess LIKE '%10' ESCAPE '\\' OR GrantedAccess LIKE '%30' ESCAPE '\\' OR GrantedAccess LIKE '%50' ESCAPE '\\' OR GrantedAccess LIKE '%70' ESCAPE '\\' OR GrantedAccess LIKE '%90' ESCAPE '\\' OR GrantedAccess LIKE '%B0' ESCAPE '\\' OR GrantedAccess LIKE '%D0' ESCAPE '\\' OR GrantedAccess LIKE '%F0' ESCAPE '\\' OR GrantedAccess LIKE '%18' ESCAPE '\\' OR GrantedAccess LIKE '%38' ESCAPE '\\' OR GrantedAccess LIKE '%58' ESCAPE '\\' OR GrantedAccess LIKE '%78' ESCAPE '\\' OR GrantedAccess LIKE '%98' ESCAPE '\\' OR GrantedAccess LIKE '%B8' ESCAPE '\\' OR GrantedAccess LIKE '%D8' ESCAPE '\\' OR GrantedAccess LIKE '%F8' ESCAPE '\\' OR GrantedAccess LIKE '%1A' ESCAPE '\\' OR GrantedAccess LIKE '%3A' ESCAPE '\\' OR GrantedAccess LIKE '%5A' ESCAPE '\\' OR GrantedAccess LIKE '%7A' ESCAPE '\\' OR GrantedAccess LIKE '%9A' ESCAPE '\\' OR GrantedAccess LIKE '%BA' ESCAPE '\\' OR GrantedAccess LIKE '%DA' ESCAPE '\\' OR GrantedAccess LIKE '%FA' ESCAPE '\\' OR GrantedAccess LIKE '%0x14C2' ESCAPE '\\' OR GrantedAccess LIKE '%FF' ESCAPE '\\'))" ], "filename": "proc_access_win_lsass_memdump_evasion.yml" }, { "title": "Potential Svchost Memory Access", "id": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", "status": "experimental", "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.", "author": "Tim Burrell", "tags": [ "attack.defense_evasion", "attack.t1562.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND (TargetImage LIKE '%\\\\WINDOWS\\\\System32\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x1F3FFF' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\') AND NOT ((SourceImage LIKE 'C:\\\\Program Files\\\\Microsoft Visual Studio\\\\%' ESCAPE '\\' AND SourceImage LIKE '%\\\\MSBuild\\\\Current\\\\Bin\\\\MSBuild.exe' ESCAPE '\\' AND (CallTrace LIKE '%Microsoft.Build.ni.dll%' ESCAPE '\\' OR CallTrace LIKE '%System.ni.dll%' ESCAPE '\\'))))" ], "filename": "proc_access_win_invoke_phantom.yml" }, { "title": "LittleCorporal Generated Maldoc Injection", "id": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", "status": "experimental", "description": "Detects the process injection of a LittleCorporal generated Maldoc.", "author": "Christian Burkard (Nextron Systems)", "tags": [ "attack.execution", "attack.t1204.002", "attack.t1055.003" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND SourceImage LIKE '%\\\\winword.exe' ESCAPE '\\' AND CallTrace LIKE '%:\\\\Windows\\\\Microsoft.NET\\\\Framework64\\\\v2.%' ESCAPE '\\' AND CallTrace LIKE '%UNKNOWN%' ESCAPE '\\')" ], "filename": "proc_access_win_littlecorporal_generated_maldoc.yml" }, { "title": "Lsass Memory Dump via Comsvcs DLL", "id": "a49fa4d5-11db-418c-8473-1e014a8dd462", "status": "test", "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", "author": "Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "critical", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE 'C:\\\\Windows\\\\System32\\\\rundll32.exe' ESCAPE '\\' AND CallTrace LIKE '%comsvcs.dll%' ESCAPE '\\')" ], "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml" }, { "title": "Suspicious LSASS Access Via MalSecLogon", "id": "472159c5-31b9-4f56-b794-b766faa8b0a7", "status": "experimental", "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\' AND SourceImage LIKE '%\\\\svchost.exe' ESCAPE '\\' AND GrantedAccess = '0x14c0' AND CallTrace LIKE '%seclogon.dll%' ESCAPE '\\')" ], "filename": "proc_access_win_susp_seclogon.yml" }, { "title": "Load Undocumented Autoelevated COM Interface", "id": "fb3722e4-1a06-46b6-b772-253e2e7db933", "status": "test", "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", "author": "oscd.community, Dmitry Uchakin", "tags": [ "attack.defense_evasion", "attack.privilege_escalation", "attack.t1548.002" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND CallTrace LIKE '%editionupgrademanagerobj.dll%' ESCAPE '\\')" ], "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml" }, { "title": "Potential Credential Dumping Attempt Via PowerShell", "id": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", "status": "experimental", "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", "author": "oscd.community, Natalia Shornikova", "tags": [ "attack.credential_access", "attack.t1003.001" ], "falsepositives": [ "Unknown" ], "level": "high", "rule": [ "SELECT * FROM Events WHERE (EventID = '10' AND (SourceImage LIKE '%\\\\powershell.exe' ESCAPE '\\' OR SourceImage LIKE '%\\\\pwsh.exe' ESCAPE '\\') AND TargetImage LIKE '%\\\\lsass.exe' ESCAPE '\\')" ], "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml" }, { "title": "Potential Defense Evasion Via Raw Disk Access By Uncommon Tools", "id": "db809f10-56ce-4420-8c86-d6a7d793c79c", "status": "test", "description": "Detects raw disk access using uncommon tools, which could indicate possible defense evasion attempts", "author": "Teymur Kheirkhabarov, oscd.community", "tags": [ "attack.defense_evasion", "attack.t1006" ], "falsepositives": [ "Legitimate Administrator using tool for raw access or ongoing forensic investigation" ], "level": "low", "rule": [ "SELECT * FROM Events WHERE (EventID = '9' AND NOT ((Device LIKE '%floppy%' ESCAPE '\\') OR ((NewProcessName LIKE 'C:\\\\Program Files\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Program Files (x86)\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\System32\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\SystemApps\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\WinSxS\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\servicing\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\CCM\\\\%' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\uus\\\\%' ESCAPE '\\')) OR (ProcessId = '4') OR ((NewProcessName LIKE 'C:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe' ESCAPE '\\' OR NewProcessName LIKE 'C:\\\\Windows\\\\explorer.exe' ESCAPE '\\')) OR (NewProcessName IN ('System', 'Registry')) OR (NewProcessName LIKE '%\\\\Keybase\\\\upd.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\MsMpEng.exe' ESCAPE '\\') OR (NewProcessName LIKE '%C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\Microsoft\\\\%' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\asgard2-agent\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\thor.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SystemApps\\\\Microsoft.Windows.StartMenuExperienceHost%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\StartMenuExperienceHost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupHost.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\SoftwareDistribution\\\\Download%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\WindowsUpdateBox.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Users\\\\%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-%' ESCAPE '\\' AND NewProcessName LIKE '%\\\\resources\\\\app\\\\git\\\\mingw64\\\\bin\\\\git.exe' ESCAPE '\\') OR (NewProcessName LIKE 'C:\\\\Windows\\\\Temp\\\\%' ESCAPE '\\' AND (NewProcessName LIKE '%\\\\HostMetadata\\\\NVMEHostmetadata.exe' ESCAPE '\\' OR NewProcessName LIKE '%\\\\Executables\\\\SSDUpdate.exe' ESCAPE '\\'))))" ], "filename": "raw_access_thread_disk_access_using_illegitimate_tools.yml" } ]