LoFP / unlikely

Techniques

Sample rules

HackTool - BabyShark Agent Default URL Pattern

Description

Detects Baby Shark C2 Framework default communication patterns

Detection logic

condition: selection
selection:
  c-uri|contains: momyshark\?key=

HackTool - DiagTrackEoP Default Named Pipe

Description

Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses “SeImpersonate” privilege.

Detection logic

condition: selection
selection:
  PipeName|contains: thisispipe

HackTool - Koh Default Named Pipe

Description

Detects creation of default named pipes used by the Koh tool

Detection logic

condition: selection
selection:
  PipeName|contains:
  - \imposecost
  - \imposingcost

DNS Query Request To OneLaunch Update Service

Description

Detects DNS query requests to “update.onelaunch.com”. This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.

Detection logic

condition: selection
selection:
  Image|endswith: \OneLaunch.exe
  QueryName: update.onelaunch.com

Suspicious Renamed Comsvcs DLL Loaded By Rundll32

Description

Detects rundll32 loading a renamed comsvcs.dll to dump process memory

Detection logic

condition: selection and not filter
filter:
  ImageLoaded|endswith: \comsvcs.dll
selection:
  Hashes|contains:
  - IMPHASH=eed93054cb555f3de70eaa9787f32ebb
  - IMPHASH=5e0dbdec1fce52daae251a110b4f309d
  - IMPHASH=eadbccbb324829acb5f2bbe87e5549a8
  - IMPHASH=407ca0f7b523319d758a40d7c0193699
  - IMPHASH=281d618f4e6271e527e6386ea6f748de
  Image|endswith: \rundll32.exe

Potential DLL Sideloading Via VMware Xfer

Description

Detects loading of a DLL by the VMware Xfer utility from a non-default directory, which may be an attempt to sideload an arbitrary DLL.

Detection logic

condition: selection and not filter
filter:
  ImageLoaded|startswith: C:\Program Files\VMware\
selection:
  ImageLoaded|endswith: \glib-2.0.dll
  Image|endswith: \VMwareXferlogs.exe

Potential EACore.DLL Sideloading

Description

Detects potential DLL sideloading of “EACore.dll”

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_legit_path:
  ImageLoaded|startswith: C:\Program Files\Electronic Arts\EA Desktop\
  Image|contains|all:
  - C:\Program Files\Electronic Arts\EA Desktop\
  - \EACoreServer.exe
selection:
  ImageLoaded|endswith: \EACore.dll

Unsigned Module Loaded by ClickOnce Application

Description

Detects unsigned module load by ClickOnce application.

Detection logic

condition: all of selection_*
selection_path:
  Image|contains: \AppData\Local\Apps\2.0\
selection_sig_status:
- Signed: 'false'
- SignatureStatus: Expired

Fax Service DLL Search Order Hijack

Description

The Fax service attempts to load ualapi.dll, which does not exist by default. An attacker can then (side)load their own malicious DLL using this service.

Detection logic

condition: selection and not filter
filter:
  ImageLoaded|startswith: C:\Windows\WinSxS\
selection:
  ImageLoaded|endswith: ualapi.dll
  Image|endswith: \fxssvc.exe

Potential Mfdetours.DLL Sideloading

Description

Detects potential DLL sideloading of “mfdetours.dll”. The “mftrace.exe” utility can be abused to attach to an arbitrary process and force-load any DLL named “mfdetours.dll” from the current working directory.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_legit_path:
  ImageLoaded|contains: :\Program Files (x86)\Windows Kits\10\bin\
selection:
  ImageLoaded|endswith: \mfdetours.dll

Potential Waveedit.DLL Sideloading

Description

Detects potential DLL sideloading of “waveedit.dll”, which is part of the Nero WaveEditor audio editing software.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_legit_path:
  Image:
  - C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\waveedit.exe
  - C:\Program Files\Nero\Nero Apps\Nero WaveEditor\waveedit.exe
  ImageLoaded|startswith:
  - C:\Program Files (x86)\Nero\Nero Apps\Nero WaveEditor\
  - C:\Program Files\Nero\Nero Apps\Nero WaveEditor\
selection:
  ImageLoaded|endswith: \waveedit.dll

Potential SmadHook.DLL Sideloading

Description

Detects potential DLL sideloading of “SmadHook.dll”, a DLL used by SmadAV antivirus

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_legit_path:
  Image:
  - C:\Program Files (x86)\SMADAV\SmadavProtect32.exe
  - C:\Program Files (x86)\SMADAV\SmadavProtect64.exe
  - C:\Program Files\SMADAV\SmadavProtect32.exe
  - C:\Program Files\SMADAV\SmadavProtect64.exe
  ImageLoaded|startswith:
  - C:\Program Files (x86)\SMADAV\
  - C:\Program Files\SMADAV\
selection:
  ImageLoaded|endswith:
  - \SmadHook32c.dll
  - \SmadHook64c.dll

Potential DLL Sideloading Via comctl32.dll

Description

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

Detection logic

condition: selection
selection:
  ImageLoaded|endswith: \comctl32.dll
  ImageLoaded|startswith:
  - C:\Windows\System32\logonUI.exe.local\
  - C:\Windows\System32\werFault.exe.local\
  - C:\Windows\System32\consent.exe.local\
  - C:\Windows\System32\narrator.exe.local\
  - C:\windows\system32\wermgr.exe.local\

Potential Edputil.DLL Sideloading

Description

Detects potential DLL sideloading of “edputil.dll”

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_generic:
  ImageLoaded|startswith:
  - C:\Windows\System32\
  - C:\Windows\SysWOW64\
  - C:\Windows\WinSxS\
selection:
  ImageLoaded|endswith: \edputil.dll

HackTool - SILENTTRINITY Stager DLL Load

Description

Detects SILENTTRINITY stager dll loading activity

Detection logic

condition: selection
selection:
  Description|contains: st2stager

Potential Mpclient.DLL Sideloading

Description

Detects potential sideloading of “mpclient.dll” by Windows Defender processes (“MpCmdRun” and “NisSrv”) from their non-default directory.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_known_locations:
  Image|startswith:
  - C:\Program Files (x86)\Windows Defender\
  - C:\Program Files\Microsoft Security Client\
  - C:\Program Files\Windows Defender\
  - C:\ProgramData\Microsoft\Windows Defender\Platform\
  - C:\Windows\WinSxS\
selection:
  ImageLoaded|endswith: \mpclient.dll
  Image|endswith:
  - \MpCmdRun.exe
  - \NisSrv.exe

Potential RjvPlatform.DLL Sideloading From Non-Default Location

Description

Detects potential DLL sideloading of “RjvPlatform.dll” by “SystemResetPlatform.exe” located in a non-default location.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_legit_path:
  Image|startswith: C:\Windows\System32\SystemResetPlatform\
selection:
  Image: \SystemResetPlatform.exe
  ImageLoaded|endswith: \RjvPlatform.dll

Unsigned Mfdetours.DLL Sideloading

Description

Detects DLL sideloading of an unsigned “mfdetours.dll”. The “mftrace.exe” utility can be abused to attach to an arbitrary process and force-load any DLL named “mfdetours.dll” from the current working directory.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_legit_path:
  ImageLoaded|contains: :\Program Files (x86)\Windows Kits\10\bin\
  SignatureStatus: Valid
selection:
  ImageLoaded|endswith: \mfdetours.dll

Microsoft Office DLL Sideload

Description

Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location.

Detection logic

condition: selection and not filter
filter:
  ImageLoaded|startswith:
  - C:\Program Files\Microsoft Office\OFFICE
  - C:\Program Files (x86)\Microsoft Office\OFFICE
  - C:\Program Files\Microsoft Office\Root\OFFICE
  - C:\Program Files (x86)\Microsoft Office\Root\OFFICE
selection:
  ImageLoaded|endswith: \outllib.dll

Potential appverifUI.DLL Sideloading

Description

Detects potential DLL sideloading of “appverifUI.dll”

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_legit_path:
  Image:
  - C:\Windows\SysWOW64\appverif.exe
  - C:\Windows\System32\appverif.exe
  ImageLoaded|startswith:
  - C:\Windows\System32\
  - C:\Windows\SysWOW64\
  - C:\Windows\WinSxS\
selection:
  ImageLoaded|endswith: \appverifUI.dll

PDF File Created By RegEdit.EXE

Description

Detects the creation of a file with the “.pdf” extension by the “RegEdit.exe” process. This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.

Detection logic

condition: selection
selection:
  Image|endswith: \regedit.exe
  TargetFilename|endswith: .pdf

Suspicious File Created In PerfLogs

Description

Detects files with suspicious extensions being created in “C:\PerfLogs”. Note that this directory normally contains mostly “.etl” files.

Detection logic

condition: selection
selection:
  TargetFilename|endswith:
  - .7z
  - .bat
  - .bin
  - .chm
  - .dll
  - .exe
  - .hta
  - .lnk
  - .ps1
  - .psm1
  - .py
  - .scr
  - .sys
  - .vbe
  - .vbs
  - .zip
  TargetFilename|startswith: C:\PerfLogs\

HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators

Description

Detects the creation of files with specific names used by the RemoteKrbRelay SMB relay attack module.

Detection logic

condition: selection
selection:
  TargetFilename|endswith:
  - :\windows\temp\sam.tmp
  - :\windows\temp\sec.tmp
  - :\windows\temp\sys.tmp

HackTool - Inveigh Execution Artefacts

Description

Detects the presence and execution of Inveigh via dropped artefacts

Detection logic

condition: selection
selection:
  TargetFilename|endswith:
  - \Inveigh-Log.txt
  - \Inveigh-Cleartext.txt
  - \Inveigh-NTLMv1Users.txt
  - \Inveigh-NTLMv2Users.txt
  - \Inveigh-NTLMv1.txt
  - \Inveigh-NTLMv2.txt
  - \Inveigh-FormInput.txt
  - \Inveigh.dll
  - \Inveigh.exe
  - \Inveigh.ps1
  - \Inveigh-Relay.ps1

Hijack Legit RDP Session to Move Laterally

Description

Detects the usage of the tsclient share to place a backdoor in the RDP source machine’s startup folder.

Detection logic

condition: selection
selection:
  Image|endswith: \mstsc.exe
  TargetFilename|contains: \Microsoft\Windows\Start Menu\Programs\Startup\

Suspicious File Creation In Uncommon AppData Folder

Description

Detects the creation of suspicious files and folders inside the user’s AppData folder but not inside any of the common and well-known subdirectories (Local, Roaming, LocalLow). This could be used to bypass detections that exclude the AppData folder for fear of false positives.

Detection logic

condition: selection and not filter_main
filter_main:
  TargetFilename|contains:
  - \AppData\Local\
  - \AppData\LocalLow\
  - \AppData\Roaming\
  TargetFilename|startswith: C:\Users\
selection:
  TargetFilename|contains: \AppData\
  TargetFilename|endswith:
  - .bat
  - .cmd
  - .cpl
  - .dll
  - .exe
  - .hta
  - .iso
  - .lnk
  - .msi
  - .ps1
  - .psm1
  - .scr
  - .vbe
  - .vbs
  TargetFilename|startswith: C:\Users\

Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream

Description

Detects the creation of a hidden file or folder with the “::$index_allocation” stream, which can be used as a technique to prevent access to folders and files from tooling such as “explorer.exe” and “powershell.exe”.

Detection logic

condition: selection
selection:
  TargetFilename|contains: ::$index_allocation

PSEXEC Remote Execution File Artefact

Description

Detects creation of the PSEXEC key file, which is created any time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system.

Detection logic

condition: selection
selection:
  TargetFilename|endswith: .key
  TargetFilename|startswith: C:\Windows\PSEXEC-

HackTool - Mimikatz Kirbi File Creation

Description

Detects the creation of files generated by Mimikatz, such as “.kirbi” tickets and “mimilsa.log”.

Detection logic

condition: selection
selection:
  TargetFilename|endswith:
  - .kirbi
  - mimilsa.log

DPAPI Backup Keys And Certificate Export Activity IOC

Description

Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.

Detection logic

condition: selection
selection:
  TargetFilename|contains:
  - ntds_capi_
  - ntds_legacy_
  - ntds_unknown_
  TargetFilename|endswith:
  - .cer
  - .key
  - .pfx
  - .pvk

Suspicious Outlook Macro Created

Description

Detects the creation of a macro file for Outlook.

Detection logic

condition: selection and not filter
filter:
  Image|endswith: \outlook.exe
selection:
  TargetFilename|endswith: \Microsoft\Outlook\VbaProject.OTM

Wmiexec Default Output File

Description

Detects the creation of the default output filename used by the wmiexec tool

Detection logic

condition: selection
selection:
- TargetFilename|re: \\Windows\\__1\d{9}\.\d{1,7}$
- TargetFilename|re: C:\\__1\d{9}\.\d{1,7}$
- TargetFilename|re: D:\\__1\d{9}\.\d{1,7}$

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File

Description

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

Detection logic

condition: system_files and not in_system_folder
in_system_folder:
  TargetFilename|startswith:
  - C:\Windows\System32\
  - C:\Windows\SysWOW64\
system_files:
  TargetFilename|endswith:
  - WsmPty.xsl
  - WsmTxt.xsl

Suspicious Double Extension Files

Description

Detects dropped files with double extensions, a method often used by malware to abuse the fact that Windows hides known file extensions by default.

Detection logic

condition: 1 of selection_*
selection_exe:
  TargetFilename|endswith:
  - .rar.exe
  - .zip.exe
selection_gen:
  TargetFilename|contains:
  - .doc.
  - .docx.
  - .jpg.
  - .pdf.
  - .ppt.
  - .pptx.
  - .xls.
  - .xlsx.
  TargetFilename|endswith:
  - .exe
  - .iso
  - .rar
  - .zip

Sysmon Blocked File Shredding

Description

Triggers on any Sysmon “FileBlockShredding” event, which indicates a violation of the configured shredding policy.

Detection logic

condition: selection
selection:
  EventID: 28

Sysmon File Executable Creation Detected

Description

Triggers on any Sysmon “FileExecutableDetected” event, which fires every time a PE file matching the monitored configuration is created.

Detection logic

condition: selection
selection:
  EventID: 29

Sysmon Blocked Executable

Description

Triggers on any Sysmon “FileBlockExecutable” event, which indicates a violation of the configured block policy

Detection logic

condition: selection
selection:
  EventID: 27

HackTool - Generic Process Access

Description

Detects process access requests from hacktool processes based on their default image name

Detection logic

condition: selection
selection:
- SourceImage|endswith:
  - \Akagi.exe
  - \Akagi64.exe
  - \atexec_windows.exe
  - \Certify.exe
  - \Certipy.exe
  - \CoercedPotato.exe
  - \crackmapexec.exe
  - \CreateMiniDump.exe
  - \dcomexec_windows.exe
  - \dpapi_windows.exe
  - \findDelegation_windows.exe
  - \GetADUsers_windows.exe
  - \GetNPUsers_windows.exe
  - \getPac_windows.exe
  - \getST_windows.exe
  - \getTGT_windows.exe
  - \GetUserSPNs_windows.exe
  - \gmer.exe
  - \hashcat.exe
  - \htran.exe
  - \ifmap_windows.exe
  - \impersonate.exe
  - \Inveigh.exe
  - \LocalPotato.exe
  - \mimikatz_windows.exe
  - \mimikatz.exe
  - \netview_windows.exe
  - \nmapAnswerMachine_windows.exe
  - \opdump_windows.exe
  - \PasswordDump.exe
  - \Potato.exe
  - \PowerTool.exe
  - \PowerTool64.exe
  - \psexec_windows.exe
  - \PurpleSharp.exe
  - \pypykatz.exe
  - \QuarksPwDump.exe
  - \rdp_check_windows.exe
  - \Rubeus.exe
  - \SafetyKatz.exe
  - \sambaPipe_windows.exe
  - \SelectMyParent.exe
  - \SharpChisel.exe
  - \SharPersist.exe
  - \SharpEvtMute.exe
  - \SharpImpersonation.exe
  - \SharpLDAPmonitor.exe
  - \SharpLdapWhoami.exe
  - \SharpUp.exe
  - \SharpView.exe
  - \smbclient_windows.exe
  - \smbserver_windows.exe
  - \sniff_windows.exe
  - \sniffer_windows.exe
  - \split_windows.exe
  - \SpoolSample.exe
  - \Stracciatella.exe
  - \SysmonEOP.exe
  - \temp\rot.exe
  - \ticketer_windows.exe
  - \TruffleSnout.exe
  - \winPEASany_ofs.exe
  - \winPEASany.exe
  - \winPEASx64_ofs.exe
  - \winPEASx64.exe
  - \winPEASx86_ofs.exe
  - \winPEASx86.exe
  - \xordump.exe
- SourceImage|contains:
  - \goldenPac
  - \just_dce_
  - \karmaSMB
  - \kintercept
  - \LocalPotato
  - \ntlmrelayx
  - \rpcdump
  - \samrdump
  - \secretsdump
  - \smbexec
  - \smbrelayx
  - \wmiexec
  - \wmipersist
  - HotPotato
  - Juicy Potato
  - JuicyPotato
  - PetitPotam
  - RottenPotato

Remote LSASS Process Access Through Windows Remote Management

Description

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_access:
  GrantedAccess: '0x80000000'
selection:
  SourceImage|endswith: :\Windows\system32\wsmprovhost.exe
  TargetImage|endswith: \lsass.exe

Potential Mpclient.DLL Sideloading Via Defender Binaries

Description

Detects potential sideloading of “mpclient.dll” by Windows Defender processes (“MpCmdRun” and “NisSrv”) from their non-default directory.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_known_locations:
  Image|startswith:
  - C:\Program Files (x86)\Windows Defender\
  - C:\Program Files\Microsoft Security Client\
  - C:\Program Files\Windows Defender\
  - C:\ProgramData\Microsoft\Windows Defender\Platform\
  - C:\Windows\WinSxS\
selection:
  Image|endswith:
  - \MpCmdRun.exe
  - \NisSrv.exe

Security Service Disabled Via Reg.EXE

Description

Detects execution of “reg.exe” to disable security services such as Windows Defender.

Detection logic

condition: all of selection_*
selection_cli_reg_start:
  CommandLine|contains:
  - \AppIDSvc
  - \MsMpSvc
  - \NisSrv
  - \SecurityHealthService
  - \Sense
  - \UsoSvc
  - \WdBoot
  - \WdFilter
  - \WdNisDrv
  - \WdNisSvc
  - \WinDefend
  - \wscsvc
  - \wuauserv
  CommandLine|contains|all:
  - d 4
  - v Start
selection_reg_add:
  CommandLine|contains|all:
  - reg
  - add

HackTool - LocalPotato Execution

Description

Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples

Detection logic

condition: 1 of selection_*
selection_cli:
  CommandLine|contains|all:
  - .exe -i C:\
  - -o Windows\
selection_hash_plain:
  Hashes|contains:
  - IMPHASH=E1742EE971D6549E8D4D81115F88F1FC
  - IMPHASH=DD82066EFBA94D7556EF582F247C8BB5
selection_img:
  Image|endswith: \LocalPotato.exe

HackTool - PCHunter Execution

Description

Detects suspicious use of PCHunter, a tool similar to Process Hacker used to view and manipulate processes, kernel options and other low-level system internals.

Detection logic

condition: 1 of selection_*
selection_hashes:
  Hashes|contains:
  - SHA1=5F1CBC3D99558307BC1250D084FA968521482025
  - MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7
  - SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32
  - IMPHASH=444D210CEA1FF8112F256A4997EED7FF
  - SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB
  - MD5=228DD0C2E6287547E26FFBD973A40F14
  - SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C
  - IMPHASH=0479F44DF47CFA2EF1CCC4416A538663
selection_image:
  Image|endswith:
  - \PCHunter64.exe
  - \PCHunter32.exe
selection_pe:
- OriginalFileName: PCHunter.exe
- Description: Epoolsoft Windows Information View Tools

Potential Arbitrary Code Execution Via Node.EXE

Description

Detects the execution of node.exe, which ships with software such as VMware and Adobe products, in order to execute arbitrary code, for example to establish a reverse shell as seen in Log4j attacks.

Detection logic

condition: selection_main and 1 of selection_action_*
selection_action_reverse_shell:
  CommandLine|contains|all:
  - .exec(
  - net.socket
  - .connect
  - child_process
selection_main:
  CommandLine|contains:
  - ' -e '
  - ' --eval '
  Image|endswith: \node.exe

Service Registry Key Deleted Via Reg.EXE

Description

Detects execution of “reg.exe” commands with the “delete” flag on service registry keys. This is often used by attackers to remove AV software services.

Detection logic

condition: all of selection_*
selection_delete:
  CommandLine|contains: ' delete '
selection_img:
- Image|endswith: reg.exe
- OriginalFileName: reg.exe
selection_key:
  CommandLine|contains: \SYSTEM\CurrentControlSet\services\

Regsvr32 Execution From Highly Suspicious Location

Description

Detects execution of regsvr32 where the DLL is located in a highly suspicious location.

Detection logic

condition: selection_img and (selection_path_1 or (selection_path_2 and not selection_exclude_known_dirs))
  and not 1 of filter_main_*
filter_main_empty:
  CommandLine: ''
filter_main_null:
  CommandLine: null
selection_exclude_known_dirs:
  CommandLine|contains:
  - C:\Program Files (x86)\
  - C:\Program Files\
  - C:\ProgramData\
  - C:\Users\
  - ' C:\Windows\'
  - ' "C:\Windows\'
  - ' ''C:\Windows\'
selection_img:
- Image|endswith: \regsvr32.exe
- OriginalFileName: REGSVR32.EXE
selection_path_1:
  CommandLine|contains:
  - :\PerfLogs\
  - :\Temp\
  - \Windows\Registration\CRMLog
  - \Windows\System32\com\dmp\
  - \Windows\System32\FxsTmp\
  - \Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
  - \Windows\System32\spool\drivers\color\
  - \Windows\System32\spool\PRINTERS\
  - \Windows\System32\spool\SERVERS\
  - \Windows\System32\Tasks_Migrated\
  - \Windows\System32\Tasks\Microsoft\Windows\SyncCenter\
  - \Windows\SysWOW64\com\dmp\
  - \Windows\SysWOW64\FxsTmp\
  - \Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\
  - \Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\
  - \Windows\Tasks\
  - \Windows\Tracing\
selection_path_2:
  CommandLine|contains:
  - ' "C:\'
  - ' C:\'
  - ' ''C:\'
  - D:\

HackTool - PPID Spoofing SelectMyParent Tool Execution

Description

Detects the use of parent process ID spoofing tools such as Didier Stevens’ SelectMyParent.

Detection logic

condition: selection
selection:
- Image|endswith: \SelectMyParent.exe
- CommandLine|contains:
  - PPID-spoof
  - ppid_spoof
  - spoof-ppid
  - spoof_ppid
  - ppidspoof
  - spoofppid
  - spoofedppid
  - ' -spawnto '
- OriginalFileName|contains:
  - PPID-spoof
  - ppid_spoof
  - spoof-ppid
  - spoof_ppid
  - ppidspoof
  - spoofppid
  - spoofedppid
- Description: SelectMyParent
- Hashes|contains:
  - IMPHASH=04D974875BD225F00902B4CAD9AF3FBC
  - IMPHASH=A782AF154C9E743DDF3F3EB2B8F3D16E
  - IMPHASH=89059503D7FBF470E68F7E63313DA3AD
  - IMPHASH=CA28337632625C8281AB8A130B3D6BAD

Boot Configuration Tampering Via Bcdedit.EXE

Description

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.

Detection logic

condition: all of selection_*
selection_cli:
- CommandLine|contains|all:
  - bootstatuspolicy
  - ignoreallfailures
- CommandLine|contains|all:
  - recoveryenabled
  - 'no'
selection_img:
- Image|endswith: \bcdedit.exe
- OriginalFileName: bcdedit.exe
selection_set:
  CommandLine|contains: set

Capture Credentials with Rpcping.exe

Description

Detects the use of Rpcping.exe to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.

Detection logic

condition: use_rpcping and remote_server and ntlm_auth
ntlm_auth:
- CommandLine|contains|all|windash:
  - -u
  - NTLM
- CommandLine|contains|all|windash:
  - -t
  - ncacn_np
remote_server:
  CommandLine|contains|windash: -s
use_rpcping:
  Image|endswith: \rpcping.exe

Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Description

Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.

Detection logic

condition: 1 of selection_* and not 1 of filter_optional_*
filter_optional_chromium_installer:
  CommandLine|endswith: rundll32.exe
  Image|endswith: \rundll32.exe
  ParentCommandLine|contains: '--uninstall '
  ParentImage|contains:
  - \AppData\Local\BraveSoftware\Brave-Browser\Application\
  - \AppData\Local\Google\Chrome\Application\
  ParentImage|endswith: \Installer\setup.exe
filter_optional_edge_update:
  CommandLine|endswith: rundll32.exe
  Image|endswith: \rundll32.exe
  ParentImage|contains: \AppData\Local\Microsoft\EdgeUpdate\Install\{
selection_regasm:
  CommandLine|endswith: regasm.exe
  Image|endswith: \regasm.exe
selection_regsvcs:
  CommandLine|endswith: regsvcs.exe
  Image|endswith: \regsvcs.exe
selection_regsvr32:
  CommandLine|endswith: regsvr32.exe
  Image|endswith: \regsvr32.exe
selection_rundll32:
  CommandLine|endswith: rundll32.exe
  Image|endswith: \rundll32.exe
selection_werfault:
  CommandLine|endswith: WerFault.exe
  Image|endswith: \WerFault.exe

Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI

Description

Detects command line containing reference to the “::$index_allocation” stream, which can be used as a technique to prevent access to folders or files from tooling such as “explorer.exe” or “powershell.exe”

Detection logic

condition: selection
selection:
  CommandLine|contains: ::$index_allocation

Potential Manage-bde.wsf Abuse To Proxy Execution

Description

Detects potential abuse of the “manage-bde.wsf” script as a LOLBIN to proxy execution

Detection logic

condition: all of selection_wscript_* or (selection_parent and not selection_filter_cmd)
selection_filter_cmd:
  Image|endswith: \cmd.exe
selection_parent:
  ParentCommandLine|contains: manage-bde.wsf
  ParentImage|endswith:
  - \cscript.exe
  - \wscript.exe
selection_wscript_cli:
  CommandLine|contains: manage-bde.wsf
selection_wscript_img:
- Image|endswith: \wscript.exe
- OriginalFileName: wscript.exe

DNS Exfiltration and Tunneling Tools Execution

Description

Detects the execution of well-known DNS exfiltration and tunneling tools.

Detection logic

condition: selection
selection:
- Image|endswith: \iodine.exe
- Image|contains: \dnscat2

HackTool - Rubeus Execution

Description

Detects the execution of the hacktool Rubeus via PE information or command line parameters.

Detection logic

condition: selection
selection:
- Image|endswith: \Rubeus.exe
- OriginalFileName: Rubeus.exe
- Description: Rubeus
- CommandLine|contains:
  - 'asreproast '
  - 'dump /service:krbtgt '
  - dump /luid:0x
  - 'kerberoast '
  - 'createnetonly /program:'
  - 'ptt /ticket:'
  - '/impersonateuser:'
  - 'renew /ticket:'
  - 'asktgt /user:'
  - 'harvest /interval:'
  - 's4u /user:'
  - 's4u /ticket:'
  - 'hash /password:'
  - 'golden /aes256:'
  - 'silver /user:'

HackTool - PurpleSharp Execution

Description

Detects the execution of the PurpleSharp adversary simulation tool

Detection logic

condition: 1 of selection_*
selection_cli:
  CommandLine|contains:
  - xyz123456.exe
  - PurpleSharp
selection_img:
- Image|contains: \purplesharp
- OriginalFileName: PurpleSharp.exe

DeviceCredentialDeployment Execution

Description

Detects the execution of DeviceCredentialDeployment to hide a process from view

Detection logic

condition: selection
selection:
  Image|endswith: \DeviceCredentialDeployment.exe

Root Certificate Installed From Susp Locations

Description

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - \AppData\Local\Temp\
  - :\Windows\TEMP\
  - \Desktop\
  - \Downloads\
  - \Perflogs\
  - :\Users\Public\
  CommandLine|contains|all:
  - Import-Certificate
  - ' -FilePath '
  - Cert:\LocalMachine\Root

Add SafeBoot Keys Via Reg Utility

Description

Detects execution of “reg.exe” commands with the “add” or “copy” flags on safe boot registry keys. Often used by attackers so that ransomware can run in Safe Mode, where some security products do not.

Detection logic

condition: all of selection*
selection_flag:
  CommandLine|contains:
  - ' copy '
  - ' add '
selection_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe
selection_safeboot:
  CommandLine|contains: \SYSTEM\CurrentControlSet\Control\SafeBoot

Potential Renamed Rundll32 Execution

Description

Detects when ‘DllRegisterServer’ is present in the command line and the image is not rundll32. This could mean that the ‘rundll32’ utility has been renamed in order to avoid detection.

Detection logic

condition: selection and not filter
filter:
  Image|endswith: \rundll32.exe
selection:
  CommandLine|contains: DllRegisterServer

Conhost.exe CommandLine Path Traversal

Description

Detects the usage of path traversal in conhost.exe command lines, indicating possible command/argument confusion or hijacking.

Detection logic

condition: selection
selection:
  CommandLine|contains: /../../
  ParentCommandLine|contains: conhost

Mshtml.DLL RunHTMLApplication Suspicious Usage

Description

Detects execution of commands that leverage the “mshtml.dll” RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http…)

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - '#135'
  - RunHTMLApplication
  CommandLine|contains|all:
  - \..\
  - mshtml

PUA - Seatbelt Execution

Description

Detects the execution of the PUA/recon tool Seatbelt via PE information or command line parameters.

Detection logic

condition: selection_img or all of selection_group_*
selection_group_list:
  CommandLine|contains:
  - ' -group=misc'
  - ' -group=remote'
  - ' -group=chromium'
  - ' -group=slack'
  - ' -group=system'
  - ' -group=user'
  - ' -group=all'
selection_group_output:
  CommandLine|contains: ' -outputfile='
selection_img:
- Image|endswith: \Seatbelt.exe
- OriginalFileName: Seatbelt.exe
- Description: Seatbelt
- CommandLine|contains:
  - ' DpapiMasterKeys'
  - ' InterestingProcesses'
  - ' InterestingFiles'
  - ' CertificateThumbprints'
  - ' ChromiumBookmarks'
  - ' ChromiumHistory'
  - ' ChromiumPresence'
  - ' CloudCredentials'
  - ' CredEnum'
  - ' CredGuard'
  - ' FirefoxHistory'
  - ' ProcessCreationEvents'

Dllhost.EXE Execution Anomaly

Description

Detects a “dllhost” process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_null:
  CommandLine: null
selection:
  CommandLine:
  - dllhost.exe
  - dllhost
  Image|endswith: \dllhost.exe

HackTool - RemoteKrbRelay Execution

Description

Detects the use of RemoteKrbRelay, a Kerberos relaying tool, via command line flags and PE metadata.

Detection logic

condition: selection_img or selection_cli_required or all of selection_cli_attack_rbcd_*
  or selection_cli_attack_changepass or selection_cli_attack_addgrpname or selection_cli_attack_smb
selection_cli_attack_addgrpname:
  CommandLine|contains|all:
  - '-addgroupmember '
  - '-group '
  - '-groupuser '
selection_cli_attack_changepass:
  CommandLine|contains: '-chp '
  CommandLine|contains|all:
  - '-chpPass '
  - '-chpUser '
selection_cli_attack_rbcd_main:
  CommandLine|contains: '-rbcd '
selection_cli_attack_rbcd_options:
  CommandLine|contains:
  - '-cn '
  - '--computername '
selection_cli_attack_smb:
  CommandLine|contains:
  - interactive
  - secrets
  - service-add
  CommandLine|contains|all:
  - '-smb '
  - '--smbkeyword '
selection_cli_required:
  CommandLine|contains|all:
  - ' -clsid '
  - ' -target '
  - ' -victim '
selection_img:
- Image|endswith: \RemoteKrbRelay.exe
- OriginalFileName: RemoteKrbRelay.exe

Execution of Powershell Script in Public Folder

Description

This rule detects execution of PowerShell scripts located in the “C:\Users\Public” folder

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - -f C:\Users\Public
  - -f "C:\Users\Public
  - -f %Public%
  - -fi C:\Users\Public
  - -fi "C:\Users\Public
  - -fi %Public%
  - -fil C:\Users\Public
  - -fil "C:\Users\Public
  - -fil %Public%
  - -file C:\Users\Public
  - -file "C:\Users\Public
  - -file %Public%
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe

Delete Important Scheduled Task

Description

Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - \Windows\BitLocker
  - \Windows\ExploitGuard
  - \Windows\SystemRestore\SR
  - \Windows\UpdateOrchestrator\
  - \Windows\Windows Defender\
  - \Windows\WindowsBackup\
  - \Windows\WindowsUpdate\
  CommandLine|contains|all:
  - /delete
  - /tn
  Image|endswith: \schtasks.exe

OneNote.EXE Execution of Malicious Embedded Scripts

Description

Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the “.one” file, it exports and executes the malicious embedded script from specific directories.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - \exported\
  - \onenoteofflinecache_files\
  Image|endswith:
  - \cmd.exe
  - \cscript.exe
  - \mshta.exe
  - \powershell.exe
  - \pwsh.exe
  - \wscript.exe
  ParentImage|endswith: \onenote.exe

PUA - DefenderCheck Execution

Description

Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains that Microsoft Defender uses to detect a tool and can thus be used for AV evasion.

Detection logic

condition: selection
selection:
- Image|endswith: \DefenderCheck.exe
- Description: DefenderCheck

DLL Sideloading by VMware Xfer Utility

Description

Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a non-default directory, which may be an attempt to sideload an arbitrary DLL

Detection logic

condition: selection and not filter
filter:
  Image|startswith: C:\Program Files\VMware\
selection:
  Image|endswith: \VMwareXferlogs.exe

PowerShell Execution With Potential Decryption Capabilities

Description

Detects PowerShell commands that decrypt an “.LNK” file to drop the next stage of the malware.

Detection logic

condition: all of selection_*
selection_cli_dir:
  CommandLine|contains:
  - 'Get-ChildItem '
  - 'dir '
  - 'gci '
  - 'ls '
selection_cli_gc:
  CommandLine|contains:
  - 'Get-Content '
  - 'gc '
  - 'cat '
  - 'type '
  - ReadAllBytes
selection_cli_specific:
- CommandLine|contains|all:
  - ' ^| '
  - \*.lnk
  - -Recurse
  - '-Skip '
- CommandLine|contains|all:
  - ' -ExpandProperty '
  - \*.lnk
  - WriteAllBytes
  - ' .length '
selection_img:
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  OriginalFileName:
  - PowerShell.EXE
  - pwsh.dll

Delete All Scheduled Tasks

Description

Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - ' /delete '
  - /tn \*
  - ' /f'
  Image|endswith: \schtasks.exe

Suspicious Process Masquerading As SvcHost.EXE

Description

Detects a suspicious process that is masquerading as the legitimate “svchost.exe” by naming its binary “svchost.exe” and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like “svchost.exe” to evade detection.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_img_location:
  Image:
  - C:\Windows\System32\svchost.exe
  - C:\Windows\SysWOW64\svchost.exe
filter_main_ofn:
  OriginalFileName: svchost.exe
selection:
  Image|endswith: \svchost.exe

HackTool - KrbRelay Execution

Description

Detects the use of KrbRelay, a Kerberos relaying tool

Detection logic

condition: 1 of selection_*
selection_cli_1:
  CommandLine|contains|all:
  - ' -spn '
  - ' -clsid '
  - ' -rbcd '
selection_cli_2:
  CommandLine|contains|all:
  - shadowcred
  - clsid
  - spn
selection_cli_3:
  CommandLine|contains|all:
  - 'spn '
  - 'session '
  - 'clsid '
selection_img:
- Image|endswith: \KrbRelay.exe
- OriginalFileName: KrbRelay.exe

Suspicious Response File Execution Via Odbcconf.EXE

Description

Detects execution of “odbcconf” with the “-f” flag in order to load a response file with a non-“.rsp” extension.

Detection logic

condition: all of selection_* and not 1 of filter_main_*
filter_main_rsp_ext:
  CommandLine|contains: .rsp
filter_main_runonce_odbc:
  CommandLine|contains: .exe /E /F "C:\WINDOWS\system32\odbcconf.tmp"
  Image: C:\Windows\System32\odbcconf.exe
  ParentImage: C:\Windows\System32\runonce.exe
selection_cli:
  CommandLine|contains|windash: ' -f '
selection_img:
- Image|endswith: \odbcconf.exe
- OriginalFileName: odbcconf.exe
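As an added illustration (not part of the page and not Sigma's own matching engine), the following Python hard-codes this rule's condition and runs it over a few constructed process-creation events, showing how the `windash` modifier, the OR-ed `selection_img` list and the two `filter_main_*` exclusions interact. All function names and sample values are hypothetical.

```python
"""Hand-written evaluator for the 'Suspicious Response File Execution Via
Odbcconf.EXE' rule. Hypothetical helper code: it hard-codes the rule's
condition instead of parsing Sigma condition strings."""


def _lc(s: str) -> str:
    # Sigma string matching is case-insensitive by default.
    return s.lower()


def windash_variants(value: str) -> list[str]:
    """Emulate the |windash modifier: the value is matched with either '-' or
    '/' as the switch prefix. This emulation covers only that classic pair."""
    return [value, value.replace("-", "/")]


def contains_any(field: str, values) -> bool:
    f = _lc(field)
    return any(_lc(v) in f for v in values)


def selection_img(ev: dict) -> bool:
    # A list of maps under a selection is OR-ed: either key suffices, so a
    # renamed binary is still caught through OriginalFileName.
    return (_lc(ev.get("Image", "")).endswith(r"\odbcconf.exe")
            or _lc(ev.get("OriginalFileName", "")) == "odbcconf.exe")


def selection_cli(ev: dict) -> bool:
    # CommandLine|contains|windash: ' -f '  ->  matches ' -f ' or ' /f '
    return contains_any(ev.get("CommandLine", ""), windash_variants(" -f "))


def filter_main_rsp_ext(ev: dict) -> bool:
    return contains_any(ev.get("CommandLine", ""), [".rsp"])


def filter_main_runonce_odbc(ev: dict) -> bool:
    # Keys inside one map are AND-ed; keys without a modifier are exact matches.
    tmp_call = r'.exe /E /F "C:\WINDOWS\system32\odbcconf.tmp"'
    return (contains_any(ev.get("CommandLine", ""), [tmp_call])
            and _lc(ev.get("Image", "")) == r"c:\windows\system32\odbcconf.exe"
            and _lc(ev.get("ParentImage", "")) == r"c:\windows\system32\runonce.exe")


def odbcconf_response_file_rule(ev: dict) -> bool:
    """condition: all of selection_* and not 1 of filter_main_*"""
    selections = [selection_img, selection_cli]
    filters = [filter_main_rsp_ext, filter_main_runonce_odbc]
    return all(s(ev) for s in selections) and not any(f(ev) for f in filters)


# Constructed sample events (hypothetical, not taken from the page).
SAMPLE_EVENTS = {
    "dash_txt": {"Image": r"C:\Windows\System32\odbcconf.exe",
                 "CommandLine": r"odbcconf.exe -f C:\Users\Public\config.txt"},
    "slash_txt": {"Image": r"C:\Windows\System32\odbcconf.exe",
                  "CommandLine": r"odbcconf.exe /f C:\Users\Public\config.txt"},
    "rsp_ext": {"Image": r"C:\Windows\System32\odbcconf.exe",
                "CommandLine": r"odbcconf.exe -f C:\Temp\install.rsp"},
    # Legitimate post-install cleanup spawned by runonce.exe: the selection
    # fires (' /F ' matches via windash), the second filter suppresses it.
    "runonce_cleanup": {"Image": r"C:\Windows\System32\odbcconf.exe",
                        "ParentImage": r"C:\Windows\System32\runonce.exe",
                        "CommandLine": r'C:\WINDOWS\system32\odbcconf.exe /E /F "C:\WINDOWS\system32\odbcconf.tmp"'},
    # Renamed copy: Image misses, OriginalFileName from PE metadata still hits.
    "renamed": {"Image": r"C:\Users\Public\update.exe",
                "OriginalFileName": "odbcconf.exe",
                "CommandLine": r"update.exe -f C:\Users\Public\config.txt"},
    # ' -f ' is space-delimited on both sides, so a bare trailing -f misses.
    "no_trailing_space": {"Image": r"C:\Windows\System32\odbcconf.exe",
                          "CommandLine": "odbcconf.exe -f"},
}


def evaluate_samples() -> dict:
    """Return {sample name: rule verdict} for every constructed event."""
    return {name: odbcconf_response_file_rule(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} -> {'ALERT' if hit else 'no match'}")
```

The last two samples are the ones worth studying: a renamed binary is still caught through PE metadata, while the rule's own whitespace padding around `-f` means a variant without a trailing argument is not.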

Persistence Via Sticky Key Backdoor

Description

By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system. When the sticky keys are “activated”, the privileged shell is launched.

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - 'copy '
  - '/y '
  - C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe

Potential PowerShell Obfuscation Via Reversed Commands

Description

Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers

Detection logic

condition: all of selection_* and not 1 of filter_main_*
filter_main_encoded_keyword:
  CommandLine|contains:
  - ' -EncodedCommand '
  - ' -enc '
selection_cli:
  CommandLine|contains:
  - hctac
  - kaerb
  - dnammoc
  - ekovn
  - eliFd
  - rahc
  - etirw
  - golon
  - tninon
  - eddih
  - tpircS
  - ssecorp
  - llehsrewop
  - esnopser
  - daolnwod
  - tneilCbeW
  - tneilc
  - ptth
  - elifotevas
  - 46esab
  - htaPpmeTteG
  - tcejbO
  - maerts
  - hcaerof
  - retupmoc
selection_img:
- Image|endswith:
  - \powershell.exe
  - \pwsh.exe
- OriginalFileName:
  - PowerShell.EXE
  - pwsh.dll

DLL Execution via Rasautou.exe

Description

Detects the use of Rasautou.exe to load an arbitrary DLL specified with the -d option and execute the export specified with -p.

Detection logic

condition: all of selection*
selection_cli:
  CommandLine|contains|all:
  - ' -d '
  - ' -p '
selection_img:
- Image|endswith: \rasautou.exe
- OriginalFileName: rasdlui.exe

Potential Data Exfiltration Activity Via CommandLine Tools

Description

Detects the use of various CLI utilities exfiltrating data via web requests

Detection logic

condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
payloads:
- CommandLine|contains:
  - Get-Content
  - GetBytes
  - hostname
  - ifconfig
  - ipconfig
  - net view
  - netstat
  - nltest
  - qprocess
  - sc query
  - systeminfo
  - tasklist
  - ToBase64String
  - whoami
- CommandLine|contains|all:
  - 'type '
  - ' > '
  - ' C:\'
selection_curl:
  CommandLine|contains: --ur
  Image|endswith: \curl.exe
selection_curl_data:
  CommandLine|contains:
  - ' -d '
  - ' --data '
selection_iwr:
  CommandLine|contains:
  - Invoke-WebRequest
  - 'iwr '
  - 'wget '
  - 'curl '
  CommandLine|contains|all:
  - ' -ur'
  - ' -me'
  - ' -b'
  - ' POST '
  Image|endswith:
  - \powershell.exe
  - \pwsh.exe
  - \cmd.exe
selection_wget:
  CommandLine|contains:
  - --post-data
  - --post-file
  Image|endswith: \wget.exe

Uncommon Child Process Of Setres.EXE

Description

Detects an uncommon child process of Setres.EXE. Setres.EXE is a Windows Server-only process and tool that can be used to set the screen resolution. It can potentially be abused in order to launch an arbitrary file with a name containing the word “choice” from the current execution path.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_legit_location:
  Image|endswith:
  - C:\Windows\System32\choice.exe
  - C:\Windows\SysWOW64\choice.exe
selection:
  Image|contains: \choice
  ParentImage|endswith: \setres.exe

ETW Logging Tamper In .NET Processes Via CommandLine

Description

Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate an adversary stopping ETW providers from recording loaded .NET assemblies.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - COMPlus_ETWEnabled
  - COMPlus_ETWFlags

Sysinternals PsSuspend Suspicious Execution

Description

Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: msmpeng.exe
selection_img:
- OriginalFileName: pssuspend.exe
- Image|endswith:
  - \pssuspend.exe
  - \pssuspend64.exe

HackTool - Wmiexec Default Powershell Command

Description

Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script

Detection logic

condition: selection
selection:
  CommandLine|contains: -NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc

Process Memory Dump Via Comsvcs.DLL

Description

Detects a process memory dump via “comsvcs.dll” using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)

Detection logic

condition: (selection_img and 1 of selection_cli_*) or selection_generic
selection_cli_1:
  CommandLine|contains:
  - '#-'
  - '#+'
  - '#24'
  - '24 '
  - MiniDump
  CommandLine|contains|all:
  - comsvcs
  - full
selection_generic:
  CommandLine|contains:
  - ' #'
  - ',#'
  - ', #'
  CommandLine|contains|all:
  - '24'
  - comsvcs
  - full
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
- CommandLine|contains: rundll32

Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate

Description

Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the AnyDesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of AnyDesk using the compromised certificate. This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.

Detection logic

condition: all of selection_* and not 1 of filter_main_*
filter_main_uninstall:
  CommandLine|contains:
  - ' --remove'
  - ' --uninstall'
selection_img:
- Image|endswith: \AnyDesk.exe
- Description: AnyDesk
- Product: AnyDesk
- Company: AnyDesk Software GmbH
selection_version:
  FileVersion|startswith:
  - 7.0.
  - 7.1.
  - 8.0.1
  - 8.0.2
  - 8.0.3
  - 8.0.4
  - 8.0.5
  - 8.0.6
  - 8.0.7

Sysmon Driver Unloaded Via Fltmc.EXE

Description

Detects possible Sysmon filter driver unloaded via fltmc.exe

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
  - unload
  - sysmon
selection_img:
- Image|endswith: \fltMC.exe
- OriginalFileName: fltMC.exe

Sensitive File Access Via Volume Shadow Copy Backup

Description

Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)

Detection logic

condition: all of selection_*
selection_1:
  CommandLine|contains: \\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy
selection_2:
  CommandLine|contains:
  - \\NTDS.dit
  - \\SYSTEM
  - \\SECURITY

Potential ShellDispatch.DLL Functionality Abuse

Description

Detects potential “ShellDispatch.dll” functionality abuse to execute arbitrary binaries via “ShellExecute”

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: RunDll_ShellExecuteW
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE

Remote Access Tool - ScreenConnect Server Web Shell Execution

Description

Detects potential web shell execution from the ScreenConnect server process.

Detection logic

condition: selection
selection:
  Image|endswith:
  - \cmd.exe
  - \csc.exe
  ParentImage|endswith: \ScreenConnect.Service.exe

LSASS Dump Keyword In CommandLine

Description

Detects the presence of the keywords “lsass” and “.dmp” in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.

Detection logic

condition: selection
selection:
- CommandLine|contains:
  - lsass.dmp
  - lsass.zip
  - lsass.rar
  - Andrew.dmp
  - Coredump.dmp
  - NotLSASS.zip
  - lsass_2
  - lsassdump
  - lsassdmp
- CommandLine|contains|all:
  - lsass
  - .dmp
- CommandLine|contains|all:
  - SQLDmpr
  - .mdmp
- CommandLine|contains|all:
  - nanodump
  - .dmp

HackTool - PowerTool Execution

Description

Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files

Detection logic

condition: selection
selection:
- Image|endswith:
  - \PowerTool.exe
  - \PowerTool64.exe
- OriginalFileName: PowerTool.exe

Suspicious Service Path Modification

Description

Detects service path modification via the “sc” binary to a suspicious command or path

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - powershell
  - 'cmd '
  - mshta
  - wscript
  - cscript
  - rundll32
  - svchost
  - dllhost
  - cmd.exe /c
  - cmd.exe /k
  - cmd.exe /r
  - cmd /c
  - cmd /k
  - cmd /r
  - C:\Users\Public
  - \Downloads\
  - \Desktop\
  - \Microsoft\Windows\Start Menu\Programs\Startup\
  - C:\Windows\TEMP\
  - \AppData\Local\Temp
  CommandLine|contains|all:
  - config
  - binPath
  Image|endswith: \sc.exe

Potentially Suspicious DLL Registered Via Odbcconf.EXE

Description

Detects execution of “odbcconf” with the “REGSVR” action where the DLL in question doesn’t contain a “.dll” extension, which is often used as a method to evade defenses.

Detection logic

condition: all of selection_* and not 1 of filter_main_*
filter_main_dll_ext:
  CommandLine|contains: .dll
selection_cli:
  CommandLine|contains: 'REGSVR '
selection_img:
- Image|endswith: \odbcconf.exe
- OriginalFileName: odbcconf.exe

Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call

Description

Detects suspicious base64 encoded and obfuscated “LOAD” keyword used in .NET “reflection.assembly”

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ
  - oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA
  - 6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA
  - OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ
  - oAOgAoACIATABvACIAKwAiAGEAZAAiACkA
  - 6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA
  - OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ
  - oAOgAoACIATABvAGEAIgArACIAZAAiACkA
  - 6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA
  - OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ
  - oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA
  - 6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA
  - OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ
  - oAOgAoACcATABvACcAKwAnAGEAZAAnACkA
  - 6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA
  - OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ
  - oAOgAoACcATABvAGEAJwArACcAZAAnACkA
  - 6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA

HackTool - winPEAS Execution

Description

WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

Detection logic

condition: 1 of selection_*
selection_cli_dl:
  CommandLine|contains: https://github.com/carlospolop/PEASS-ng/releases/latest/download/
selection_cli_option:
  CommandLine|contains:
  - ' applicationsinfo'
  - ' browserinfo'
  - ' eventsinfo'
  - ' fileanalysis'
  - ' filesinfo'
  - ' processinfo'
  - ' servicesinfo'
  - ' windowscreds'
selection_cli_specific:
- ParentCommandLine|endswith: ' -linpeas'
- CommandLine|endswith: ' -linpeas'
selection_img:
- OriginalFileName: winPEAS.exe
- Image|endswith:
  - \winPEASany_ofs.exe
  - \winPEASany.exe
  - \winPEASx64_ofs.exe
  - \winPEASx64.exe
  - \winPEASx86_ofs.exe
  - \winPEASx86.exe

Mstsc.EXE Execution From Uncommon Parent

Description

Detects potential RDP connection via Mstsc using a local “.rdp” file located in suspicious locations.

Detection logic

condition: all of selection_*
selection_img:
- Image|endswith: \mstsc.exe
- OriginalFileName: mstsc.exe
selection_parent:
  ParentImage|endswith:
  - \brave.exe
  - \CCleanerBrowser.exe
  - \chrome.exe
  - \chromium.exe
  - \firefox.exe
  - \iexplore.exe
  - \microsoftedge.exe
  - \msedge.exe
  - \opera.exe
  - \vivaldi.exe
  - \whale.exe
  - \outlook.exe

Potential AMSI Bypass Via .NET Reflection

Description

Detects Request to “amsiInitFailed” that can be used to disable AMSI Scanning

Detection logic

condition: selection
selection:
- CommandLine|contains|all:
  - System.Management.Automation.AmsiUtils
  - amsiInitFailed
- CommandLine|contains|all:
  - '[Ref].Assembly.GetType'
  - SetValue($null,$true)
  - NonPublic,Static

PUA - Crassus Execution

Description

Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.

Detection logic

condition: selection
selection:
- Image|endswith: \Crassus.exe
- OriginalFileName: Crassus.exe
- Description|contains: Crassus

HackTool - SysmonEOP Execution

Description

Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120

Detection logic

condition: 1 of selection_*
selection_hash:
  Hashes|contains:
  - IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5
  - IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC
selection_img:
  Image|endswith: \SysmonEOP.exe

Suspicious New Service Creation

Description

Detects creation of a new service via “sc” command or the powershell “new-service” cmdlet with suspicious binary paths

Detection logic

condition: 1 of selection* and susp_binpath
selection_posh:
  CommandLine|contains|all:
  - New-Service
  - -BinaryPathName
selection_sc:
  CommandLine|contains|all:
  - create
  - binPath=
  Image|endswith: \sc.exe
susp_binpath:
  CommandLine|contains:
  - powershell
  - mshta
  - wscript
  - cscript
  - svchost
  - dllhost
  - 'cmd '
  - cmd.exe /c
  - cmd.exe /k
  - cmd.exe /r
  - rundll32
  - C:\Users\Public
  - \Downloads\
  - \Desktop\
  - \Microsoft\Windows\Start Menu\Programs\Startup\
  - C:\Windows\TEMP\
  - \AppData\Local\Temp

New User Created Via Net.EXE With Never Expire Option

Description

Detects creation of local users via the net.exe command with the option “never expire”

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|all:
  - user
  - add
  - expires:never
selection_img:
- Image|endswith:
  - \net.exe
  - \net1.exe
- OriginalFileName:
  - net.exe
  - net1.exe

Suspicious Certreq Command to Download

Description

Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files

Detection logic

condition: all of selection*
selection_cli:
  CommandLine|contains|all:
  - ' -Post '
  - ' -config '
  - ' http'
  - ' C:\windows\win.ini '
selection_img:
- Image|endswith: \certreq.exe
- OriginalFileName: CertReq.exe

Suspicious Advpack Call Via Rundll32.EXE

Description

Detects execution of “rundll32” calling “advpack.dll” with potential obfuscated ordinal calls in order to leverage the “RegisterOCX” function

Detection logic

condition: all of selection_*
selection_cli_dll:
  CommandLine|contains: advpack
selection_cli_ordinal:
- CommandLine|contains|all:
  - '#+'
  - '12'
- CommandLine|contains: '#-'
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
- CommandLine|contains: rundll32

HackTool - SharpChisel Execution

Description

Detects usage of the Sharp Chisel via the commandline arguments

Detection logic

condition: selection
selection:
- Image|endswith: \SharpChisel.exe
- Product: SharpChisel

HackTool - EDRSilencer Execution

Description

Detects, based on PE metadata information, the execution of EDRSilencer, a tool that leverages the Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.

Detection logic

condition: selection
selection:
- Image|endswith: \EDRSilencer.exe
- OriginalFileName: EDRSilencer.exe
- Description|contains: EDRSilencer

HackTool - SafetyKatz Execution

Description

Detects the execution of the hacktool SafetyKatz via PE information and default Image name

Detection logic

condition: selection
selection:
- Image|endswith: \SafetyKatz.exe
- OriginalFileName: SafetyKatz.exe
- Description: SafetyKatz

Renamed Msdt.EXE Execution

Description

Detects the execution of a renamed “Msdt.exe” binary

Detection logic

condition: selection and not filter
filter:
  Image|endswith: \msdt.exe
selection:
  OriginalFileName: msdt.exe

LSA PPL Protection Disabled Via Reg.EXE

Description

Detects the usage of the “reg.exe” utility to disable PPL protection on the LSA process

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: SYSTEM\CurrentControlSet\Control\Lsa
  CommandLine|contains|all:
  - ' add '
  - ' /d 0'
  - ' /v RunAsPPL '
selection_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe

Execute Pcwrun.EXE To Leverage Follina

Description

Detects indirect command execution via Program Compatibility Assistant “pcwrun.exe” leveraging the follina (CVE-2022-30190) vulnerability

Detection logic

condition: selection
selection:
  CommandLine|contains: ../
  Image|endswith: \pcwrun.exe

Renamed Mavinject.EXE Execution

Description

Detects the execution of a renamed version of the “Mavinject” process, which can be abused to perform process injection using the “/INJECTRUNNING” flag

Detection logic

condition: selection and not filter
filter:
  Image|endswith:
  - \mavinject32.exe
  - \mavinject64.exe
selection:
  OriginalFileName:
  - mavinject32.exe
  - mavinject64.exe

Hacktool Execution - PE Metadata

Description

Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed

Detection logic

condition: selection
selection:
  Company: Cube0x0

Base64 MZ Header In CommandLine

Description

Detects encoded base64 MZ header in the commandline

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - TVqQAAMAAAAEAAAA
  - TVpQAAIAAAAEAA8A
  - TVqAAAEAAAAEABAA
  - TVoAAAAAAAAAAAAA
  - TVpTAQEAAAAEAAAA

HackTool - Mimikatz Execution

Description

Detects well-known mimikatz command line arguments

Detection logic

condition: 1 of selection_*
selection_function_names:
  CommandLine|contains:
  - ::aadcookie
  - ::detours
  - ::memssp
  - ::mflt
  - ::ncroutemon
  - ::ngcsign
  - ::printnightmare
  - ::skeleton
  - ::preshutdown
  - ::mstsc
  - ::multirdp
selection_module_names:
  CommandLine|contains:
  - 'rpc::'
  - 'token::'
  - 'crypto::'
  - 'dpapi::'
  - 'sekurlsa::'
  - 'kerberos::'
  - 'lsadump::'
  - 'privilege::'
  - 'process::'
  - 'vault::'
selection_tools_name:
  CommandLine|contains:
  - DumpCreds
  - mimikatz

HackTool - KrbRelayUp Execution

Description

Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced

Detection logic

condition: 1 of selection_*
selection_cli_1:
  CommandLine|contains|all:
  - ' relay '
  - ' -Domain '
  - ' -ComputerName '
selection_cli_2:
  CommandLine|contains|all:
  - ' krbscm '
  - ' -sc '
selection_cli_3:
  CommandLine|contains|all:
  - ' spawn '
  - ' -d '
  - ' -cn '
  - ' -cp '
selection_img:
- Image|endswith: \KrbRelayUp.exe
- OriginalFileName: KrbRelayUp.exe

HackTool - Sliver C2 Implant Activity Pattern

Description

Detects process activity patterns as seen being used by Sliver C2 framework implants

Detection logic

condition: selection
selection:
  CommandLine|contains: -NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8

SafeBoot Registry Key Deleted Via Reg.EXE

Description

Detects execution of “reg.exe” commands with the “delete” flag on safe boot registry keys. Often used by attackers to prevent security products from running in safe boot

Detection logic

condition: all of selection_*
selection_delete:
  CommandLine|contains|all:
  - ' delete '
  - \SYSTEM\CurrentControlSet\Control\SafeBoot
selection_img:
- Image|endswith: reg.exe
- OriginalFileName: reg.exe

Suspicious Driver/DLL Installation Via Odbcconf.EXE

Description

Detects execution of “odbcconf” with the “INSTALLDRIVER” action where the driver doesn’t contain a “.dll” extension. This is often used as a defense evasion method.

Detection logic

condition: all of selection_* and not 1 of filter_main_*
filter_main_dll_ext:
  CommandLine|contains: .dll
selection_cli:
  CommandLine|contains: 'INSTALLDRIVER '
selection_img:
- Image|endswith: \odbcconf.exe
- OriginalFileName: odbcconf.exe

HackTool - SecurityXploded Execution

Description

Detects the execution of SecurityXploded Tools

Detection logic

condition: selection
selection:
- Company: SecurityXploded
- Image|endswith: PasswordDump.exe
- OriginalFileName|endswith: PasswordDump.exe

HackTool - ADCSPwn Execution

Description

Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - ' --adcs '
  - ' --port '

Suspicious Process Execution From Fake Recycle.Bin Folder

Description

Detects process execution from a fake recycle bin folder, often used to evade security solutions.

Detection logic

condition: selection
selection:
  Image|contains:
  - RECYCLERS.BIN\
  - RECYCLER.BIN\

HackTool - SILENTTRINITY Stager Execution

Description

Detects SILENTTRINITY stager use via PE metadata

Detection logic

condition: selection
selection:
  Description|contains: st2stager

HackTool - Stracciatella Execution

Description

Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.

Detection logic

condition: selection
selection:
- Image|endswith: \Stracciatella.exe
- OriginalFileName: Stracciatella.exe
- Description: Stracciatella
- Hashes|contains:
  - SHA256=9d25e61ec1527e2a69d7c2a4e3fe2fe15890710c198a66a9f25d99fdf6c7b956
  - SHA256=fd16609bd9830c63b9413671678bb159b89c357d21942ddbb6b93add808d121a

Regsvr32 DLL Execution With Suspicious File Extension

Description

Detects the execution of REGSVR32.exe with DLL files masquerading as other files

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|endswith:
  - .bin
  - .bmp
  - .cr2
  - .dat
  - .eps
  - .gif
  - .ico
  - .jpeg
  - .jpg
  - .nef
  - .orf
  - .png
  - .raw
  - .sr2
  - .temp
  - .tif
  - .tiff
  - .tmp
  - .rtf
  - .txt
selection_img:
- Image|endswith: \regsvr32.exe
- OriginalFileName: REGSVR32.EXE

HackTool - Quarks PwDump Execution

Description

Detects usage of the Quarks PwDump tool via commandline arguments

Detection logic

condition: 1 of selection_*
selection_cli:
  CommandLine:
  - ' -dhl'
  - ' --dump-hash-local'
  - ' -dhdc'
  - ' --dump-hash-domain-cached'
  - ' --dump-bitlocker'
  - ' -dhd '
  - ' --dump-hash-domain '
  - --ntds-file
selection_img:
  Image|endswith: \QuarksPwDump.exe

Webshell Hacking Activity Patterns

Description

Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system

Detection logic

condition: 1 of selection_webserver_* and 1 of selection_child_*
selection_child_1:
  CommandLine|contains|all:
  - rundll32
  - comsvcs
selection_child_2:
  CommandLine|contains|all:
  - ' -hp'
  - ' a '
  - ' -m'
selection_child_3:
  CommandLine|contains|all:
  - net
  - ' user '
  - ' /add'
selection_child_4:
  CommandLine|contains|all:
  - net
  - ' localgroup '
  - ' administrators '
  - /add
selection_child_5:
  Image|endswith:
  - \ntdsutil.exe
  - \ldifde.exe
  - \adfind.exe
  - \procdump.exe
  - \Nanodump.exe
  - \vssadmin.exe
  - \fsutil.exe
selection_child_6:
  CommandLine|contains:
  - ' -decode '
  - ' -NoP '
  - ' -W Hidden '
  - ' /decode '
  - ' /ticket:'
  - ' sekurlsa'
  - .dmp full
  - .downloadfile(
  - .downloadstring(
  - FromBase64String
  - process call create
  - 'reg save '
  - whoami /priv
selection_webserver_characteristics_tomcat1:
  ParentImage|contains:
  - -tomcat-
  - \tomcat
  ParentImage|endswith:
  - \java.exe
  - \javaw.exe
selection_webserver_characteristics_tomcat2:
  CommandLine|contains:
  - catalina.jar
  - CATALINA_HOME
  ParentImage|endswith:
  - \java.exe
  - \javaw.exe
selection_webserver_image:
  ParentImage|endswith:
  - \caddy.exe
  - \httpd.exe
  - \nginx.exe
  - \php-cgi.exe
  - \w3wp.exe
  - \ws_tomcatservice.exe

HackTool - GMER Rootkit Detector and Remover Execution

Description

Detects the execution of the GMER tool based on image and hash fields.

Detection logic

condition: 1 of selection_*
selection_img:
  Image|endswith: \gmer.exe
selection_sysmon_hash:
  Hashes|contains:
  - MD5=E9DC058440D321AA17D0600B3CA0AB04
  - SHA1=539C228B6B332F5AA523E5CE358C16647D8BBE57
  - SHA256=E8A3E804A96C716A3E9B69195DB6FFB0D33E2433AF871E4D4E1EAB3097237173

PowerShell Base64 Encoded Reflective Assembly Load

Description

Detects base64 encoded .NET reflective loading of Assembly

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA
  - sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA
  - bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA
  - AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC
  - BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp
  - AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK
  - WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ
  - sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA
  - bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA
  - WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA
  - sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA
  - bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA

Suspicious Reg Add BitLocker

Description

Detects suspicious addition to BitLocker related registry keys via the reg.exe utility

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - EnableBDEWithNoTPM
  - UseAdvancedStartup
  - UseTPM
  - UseTPMKey
  - UseTPMKeyPIN
  - RecoveryKeyMessageSource
  - UseTPMPIN
  - RecoveryKeyMessage
  CommandLine|contains|all:
  - REG
  - ADD
  - \SOFTWARE\Policies\Microsoft\FVE
  - /v
  - /f

HackTool - DInjector PowerShell Cradle Execution

Description

Detects the use of the Dinject PowerShell cradle based on the specific flags

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - ' /am51'
  - ' /password'

Process Memory Dump via RdrLeakDiag.EXE

Description

Detects the use of the Microsoft Windows Resource Leak Diagnostic tool “rdrleakdiag.exe” to dump process memory

Detection logic

condition: all of selection_*
selection_cli_dump:
  CommandLine|contains|windash:
  - /memdmp
  - fullmemdmp
selection_cli_output_process:
  CommandLine|contains|windash:
  - ' /o '
  - ' /p '
selection_img:
- Image|endswith: \rdrleakdiag.exe
- OriginalFileName: RdrLeakDiag.exe

Regedit as Trusted Installer

Description

Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe

Detection logic

condition: selection
selection:
  Image|endswith: \regedit.exe
  ParentImage|endswith:
  - \TrustedInstaller.exe
  - \ProcessHacker.exe

Rundll32 UNC Path Execution

Description

Detects rundll32 execution where the DLL is located on a remote location (share)

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: ' \\\\'
selection_img:
- Image|endswith: \rundll32.exe
- OriginalFileName: RUNDLL32.EXE
- CommandLine|contains: rundll32

HackTool - Default PowerSploit/Empire Scheduled Task Creation

Description

Detects the creation of a schtask via PowerSploit or Empire Default Configuration.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - /SC ONLOGON
  - /SC DAILY /ST
  - /SC ONIDLE
  - /SC HOURLY
  CommandLine|contains|all:
  - /Create
  - powershell.exe -NonI
  - /TN Updater /TR
  Image|endswith: \schtasks.exe
  ParentImage|endswith:
  - \powershell.exe
  - \pwsh.exe

Sticky Key Like Backdoor Execution

Description

Detects the usage and installation of a backdoor that registers a malicious debugger (via the Image File Execution Options registry key) for built-in accessibility tools that are accessible from the login screen

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - sethc.exe
  - utilman.exe
  - osk.exe
  - Magnify.exe
  - Narrator.exe
  - DisplaySwitch.exe
  Image|endswith:
  - \cmd.exe
  - \cscript.exe
  - \mshta.exe
  - \powershell.exe
  - \pwsh.exe
  - \regsvr32.exe
  - \rundll32.exe
  - \wscript.exe
  - \wt.exe
  ParentImage|endswith: \winlogon.exe

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl

Description

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

Detection logic

condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)
contains_format_pretty_arg:
  CommandLine|contains:
  - format:pretty
  - format:"pretty"
  - format:"text"
  - format:text
contains_winrm:
  CommandLine|contains: winrm
image_from_system_folder:
  Image|startswith:
  - C:\Windows\System32\
  - C:\Windows\SysWOW64\

Scheduled Task Executing Encoded Payload from Registry

Description

Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.

Detection logic

condition: all of selection_*
selection_cli_create:
  CommandLine|contains: /Create
selection_cli_encoding:
  CommandLine|contains:
  - FromBase64String
  - encodedcommand
selection_cli_get:
  CommandLine|contains:
  - Get-ItemProperty
  - ' gp '
selection_cli_hive:
  CommandLine|contains:
  - 'HKCU:'
  - 'HKLM:'
  - 'registry::'
  - HKEY_
selection_img:
- Image|endswith: \schtasks.exe
- OriginalFileName: schtasks.exe
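
The rule above needs all four strings to be visible in the schtasks.exe command line. If the operator puts the registry read inside a PowerShell `-EncodedCommand` blob, only `/Create` and `encodedcommand` remain visible and the `selection_cli_get` and `selection_cli_hive` selections never match. The following added example (not part of the rule) decodes any encoded command argument before matching, so the same four selections also see what PowerShell will actually run. The command lines are constructed for the demonstration; the regular expression covers the `-e`, `-ec`, `-enc` and `-EncodedCommand` spellings PowerShell accepts.

```python
import base64
import re

# Constructed schtasks.exe command lines, not real telemetry. The first shows
# the registry read in clear text, the second hides it in -EncodedCommand,
# the third is an ordinary task.
_PAYLOAD = ('$p=(Get-ItemProperty -Path "HKCU:\\Software\\Demo").Blob;'
            'IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($p)))')
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_CMDLINES = [
    'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "powershell.exe -NoP -c ' + _PAYLOAD + '"',
    'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "powershell.exe -NoP -EncodedCommand ' + _ENC + '"',
    'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\\Tools\\backup.exe"',
]

# The four selections of the rule, each an OR over its values; the condition
# "all of selection_*" requires every selection to hit.
RULE = {
    "selection_cli_create": ["/Create"],
    "selection_cli_encoding": ["FromBase64String", "encodedcommand"],
    "selection_cli_get": ["Get-ItemProperty", " gp "],
    "selection_cli_hive": ["HKCU:", "HKLM:", "registry::", "HKEY_"],
}

_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                     re.IGNORECASE)


def expand_encoded(cmdline: str) -> str:
    """Append the decoded text of every -EncodedCommand argument (base64 of
    UTF-16LE) so that plain substring matching also covers it."""
    decoded = []
    for blob in _ENC_RE.findall(cmdline):
        try:
            decoded.append(base64.b64decode(blob).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            pass  # not a valid PowerShell blob; match on the raw text only
    return cmdline + "\n" + "\n".join(decoded)


def matches(cmdline: str, expand: bool = True) -> bool:
    """Evaluate the rule; Sigma string matching is case-insensitive."""
    text = expand_encoded(cmdline) if expand else cmdline
    low = text.lower()
    return all(any(s.lower() in low for s in values) for values in RULE.values())


if __name__ == "__main__":
    for cl in SAMPLE_CMDLINES:
        print(matches(cl, expand=False), matches(cl), cl[:70])
```

Run stand-alone it prints, for each sample, the verdict without and with decoding: the encoded variant is missed by the raw match and caught once the blob is expanded.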

HackTool - Certipy Execution

Description

Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.

Detection logic

condition: selection_img or all of selection_cli_*
selection_cli_commands:
  CommandLine|contains:
  - ' account '
  - ' auth '
  - ' cert '
  - ' find '
  - ' forge '
  - ' ptt '
  - ' relay '
  - ' req '
  - ' shadow '
  - ' template '
selection_cli_flags:
  CommandLine|contains:
  - ' -bloodhound'
  - ' -ca-pfx '
  - ' -dc-ip '
  - ' -kirbi'
  - ' -old-bloodhound'
  - ' -pfx '
  - ' -target'
  - ' -template'
  - ' -username '
  - ' -vulnerable'
  - auth -pfx
  - shadow auto
  - shadow list
selection_img:
- Image|endswith: \Certipy.exe
- OriginalFileName: Certipy.exe
- Description|contains: Certipy

Odbcconf.EXE Suspicious DLL Location

Description

Detects execution of “odbcconf” where the path of the DLL being registered is located in a potentially suspicious location.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - :\PerfLogs\
  - :\ProgramData\
  - :\Temp\
  - :\Users\Public\
  - :\Windows\Registration\CRMLog
  - :\Windows\System32\com\dmp\
  - :\Windows\System32\FxsTmp\
  - :\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
  - :\Windows\System32\spool\drivers\color\
  - :\Windows\System32\spool\PRINTERS\
  - :\Windows\System32\spool\SERVERS\
  - :\Windows\System32\Tasks_Migrated\
  - :\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\
  - :\Windows\SysWOW64\com\dmp\
  - :\Windows\SysWOW64\FxsTmp\
  - :\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\
  - :\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\
  - :\Windows\Tasks\
  - :\Windows\Temp\
  - :\Windows\Tracing\
  - \AppData\Local\Temp\
  - \AppData\Roaming\
selection_img:
- Image|endswith: \odbcconf.exe
- OriginalFileName: odbcconf.exe

MMC20 Lateral Movement

Description

Detects MMC20.Application lateral movement; specifically looks for mmc.exe spawned with the command line “-Embedding” as a child of svchost.exe, which is how the DCOM object is activated remotely

Detection logic

condition: selection
selection:
  CommandLine|contains: -Embedding
  Image|endswith: \mmc.exe
  ParentImage|endswith: \svchost.exe

Important Windows Event Auditing Disabled

Description

Detects scenarios where system auditing for important events such as “Process Creation” or “Logon” events is disabled.

Detection logic

condition: 1 of selection_*
selection_state_success_and_failure:
  AuditPolicyChanges|contains:
  - '%%8448'
  - '%%8450'
  EventID: 4719
  SubcategoryGuid:
  - '{0CCE9210-69AE-11D9-BED3-505054503030}'
  - '{0CCE9211-69AE-11D9-BED3-505054503030}'
  - '{0CCE9212-69AE-11D9-BED3-505054503030}'
  - '{0CCE9215-69AE-11D9-BED3-505054503030}'
  - '{0CCE921B-69AE-11D9-BED3-505054503030}'
  - '{0CCE922B-69AE-11D9-BED3-505054503030}'
  - '{0CCE922F-69AE-11D9-BED3-505054503030}'
  - '{0CCE9230-69AE-11D9-BED3-505054503030}'
  - '{0CCE9235-69AE-11D9-BED3-505054503030}'
  - '{0CCE9236-69AE-11D9-BED3-505054503030}'
  - '{0CCE9237-69AE-11D9-BED3-505054503030}'
  - '{0CCE923F-69AE-11D9-BED3-505054503030}'
  - '{0CCE9240-69AE-11D9-BED3-505054503030}'
  - '{0CCE9242-69AE-11D9-BED3-505054503030}'
selection_state_success_only:
  AuditPolicyChanges|contains: '%%8448'
  EventID: 4719
  SubcategoryGuid: '{0CCE9217-69AE-11D9-BED3-505054503030}'
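
The rule lists only subcategory GUIDs and the resource-string ids `%%8448` (success auditing removed) and `%%8450` (failure auditing removed); the second branch watches only success removal for Account Lockout. The following added example (not part of the rule) applies both branches to constructed Security 4719 events and reports which subcategory lost auditing and how. The GUID-to-name mapping follows Microsoft's audit policy subcategory table and is supplied here, not by the rule.

```python
# Subcategory names for the GUIDs in the rule (Microsoft audit policy table).
SUBCATEGORIES = {
    "{0CCE9210-69AE-11D9-BED3-505054503030}": "Security State Change",
    "{0CCE9211-69AE-11D9-BED3-505054503030}": "Security System Extension",
    "{0CCE9212-69AE-11D9-BED3-505054503030}": "System Integrity",
    "{0CCE9215-69AE-11D9-BED3-505054503030}": "Logon",
    "{0CCE9217-69AE-11D9-BED3-505054503030}": "Account Lockout",
    "{0CCE921B-69AE-11D9-BED3-505054503030}": "Special Logon",
    "{0CCE922B-69AE-11D9-BED3-505054503030}": "Process Creation",
    "{0CCE922F-69AE-11D9-BED3-505054503030}": "Audit Policy Change",
    "{0CCE9230-69AE-11D9-BED3-505054503030}": "Authentication Policy Change",
    "{0CCE9235-69AE-11D9-BED3-505054503030}": "User Account Management",
    "{0CCE9236-69AE-11D9-BED3-505054503030}": "Computer Account Management",
    "{0CCE9237-69AE-11D9-BED3-505054503030}": "Security Group Management",
    "{0CCE923F-69AE-11D9-BED3-505054503030}": "Credential Validation",
    "{0CCE9240-69AE-11D9-BED3-505054503030}": "Kerberos Service Ticket Operations",
    "{0CCE9242-69AE-11D9-BED3-505054503030}": "Kerberos Authentication Service",
}
ACCOUNT_LOCKOUT = "{0CCE9217-69AE-11D9-BED3-505054503030}"

# AuditPolicyChanges is a comma-separated list of these resource-string ids.
CHANGE_CODES = {
    "%%8448": "success removed",
    "%%8449": "success added",
    "%%8450": "failure removed",
    "%%8451": "failure added",
}


def audit_disabled(event: dict):
    """Return (subcategory name, list of removals) when a 4719 event disables
    auditing the rule cares about, otherwise None."""
    if str(event.get("EventID")) != "4719":
        return None
    guid = str(event.get("SubcategoryGuid", "")).upper()
    if guid not in SUBCATEGORIES:
        return None
    codes = {c.strip() for c in str(event.get("AuditPolicyChanges", "")).split(",")}
    removed = [CHANGE_CODES[c] for c in ("%%8448", "%%8450") if c in codes]
    if guid == ACCOUNT_LOCKOUT:
        # second branch of the rule: only success removal matters here
        removed = [r for r in removed if r == "success removed"]
    if not removed:
        return None
    return SUBCATEGORIES[guid], removed


# Constructed 4719 events, not real telemetry.
SAMPLE_4719 = [
    {"EventID": 4719, "SubcategoryGuid": "{0CCE922B-69AE-11D9-BED3-505054503030}",
     "AuditPolicyChanges": "%%8448, %%8450"},          # process creation fully switched off
    {"EventID": 4719, "SubcategoryGuid": "{0CCE9215-69AE-11D9-BED3-505054503030}",
     "AuditPolicyChanges": "%%8449, %%8451"},          # logon auditing switched ON
    {"EventID": 4719, "SubcategoryGuid": "{0CCE9217-69AE-11D9-BED3-505054503030}",
     "AuditPolicyChanges": "%%8450"},                  # lockout failure removed: ignored
    {"EventID": 4719, "SubcategoryGuid": "{0CCE9217-69AE-11D9-BED3-505054503030}",
     "AuditPolicyChanges": "%%8448"},                  # lockout success removed: alert
    {"EventID": 4907, "SubcategoryGuid": "{0CCE922B-69AE-11D9-BED3-505054503030}",
     "AuditPolicyChanges": "%%8448"},                  # not a 4719
]


def triage(events=SAMPLE_4719) -> list:
    return [audit_disabled(e) for e in events]


if __name__ == "__main__":
    for verdict in triage():
        print(verdict)
```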

Meterpreter or Cobalt Strike Getsystem Service Installation - Security

Description

Detects the use of the Meterpreter/Cobalt Strike getsystem command by detecting the specific service installation it creates

Detection logic

condition: selection_eid and 1 of selection_cli_*
selection_cli_cmd:
  ServiceFileName|contains:
  - cmd
  - '%COMSPEC%'
  ServiceFileName|contains|all:
  - /c
  - echo
  - \pipe\
selection_cli_rundll:
  ServiceFileName|contains|all:
  - rundll32
  - .dll,a
  - '/p:'
selection_cli_share:
  ServiceFileName|startswith: \\\\127.0.0.1\\ADMIN$\
selection_eid:
  EventID: 4697

Scanner PoC for CVE-2019-0708 RDP RCE Vuln

Description

Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

Detection logic

condition: selection
selection:
  EventID: 4625
  TargetUserName: AAAAAAA

DiagTrackEoP Default Login Username

Description

Detects the default “UserName” used by the DiagTrackEoP POC

Detection logic

condition: selection
selection:
  EventID: 4624
  LogonType: 9
  TargetOutboundUserName: thisisnotvaliduser

Windows Filtering Platform Blocked Connection From EDR Agent Binary

Description

Detects a Windows Filtering Platform (WFP) blocked connection event involving the binaries of common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent EDR agents from reporting security events.

Detection logic

condition: selection
selection:
  Application|endswith:
  - \AmSvc.exe
  - \cb.exe
  - \CETASvc.exe
  - \CNTAoSMgr.exe
  - \CrAmTray.exe
  - \CrsSvc.exe
  - \CSFalconContainer.exe
  - \CSFalconService.exe
  - \CybereasonAV.exe
  - \CylanceSvc.exe
  - \cyserver.exe
  - \CyveraService.exe
  - \CyvrFsFlt.exe
  - \EIConnector.exe
  - \elastic-agent.exe
  - \elastic-endpoint.exe
  - \EndpointBasecamp.exe
  - \ExecutionPreventionSvc.exe
  - \filebeat.exe
  - \fortiedr.exe
  - \hmpalert.exe
  - \hurukai.exe
  - \LogProcessorService.exe
  - \mcsagent.exe
  - \mcsclient.exe
  - \MsMpEng.exe
  - \MsSense.exe
  - \Ntrtscan.exe
  - \PccNTMon.exe
  - \QualysAgent.exe
  - \RepMgr.exe
  - \RepUtils.exe
  - \RepUx.exe
  - \RepWAV.exe
  - \RepWSC.exe
  - \sedservice.exe
  - \SenseCncProxy.exe
  - \SenseIR.exe
  - \SenseNdr.exe
  - \SenseSampleUploader.exe
  - \SentinelAgent.exe
  - \SentinelAgentWorker.exe
  - \SentinelBrowserNativeHost.exe
  - \SentinelHelperService.exe
  - \SentinelServiceHost.exe
  - \SentinelStaticEngine.exe
  - \SentinelStaticEngineScanner.exe
  - \sfc.exe
  - \sophos ui.exe
  - \sophosfilescanner.exe
  - \sophosfs.exe
  - \sophoshealth.exe
  - \sophosips.exe
  - \sophosLivequeryservice.exe
  - \sophosnetfilter.exe
  - \sophosntpservice.exe
  - \sophososquery.exe
  - \sspservice.exe
  - \TaniumClient.exe
  - \TaniumCX.exe
  - \TaniumDetectEngine.exe
  - \TMBMSRV.exe
  - \TmCCSF.exe
  - \TmListen.exe
  - \TmWSCSvc.exe
  - \Traps.exe
  - \winlogbeat.exe
  - \WSCommunicator.exe
  - \xagt.exe
  EventID: 5157

NTFS Vulnerability Exploitation

Description

Detects the exploitation of an NTFS vulnerability that was reported, without many details, via Twitter

Detection logic

condition: selection
selection:
  Description|contains|all:
  - contains a corrupted file record
  - The name of the file is "\"
  EventID: 55
  Origin: File System Driver
  Provider_Name: Ntfs

Meterpreter or Cobalt Strike Getsystem Service Installation - System

Description

Detects the use of the Meterpreter/Cobalt Strike getsystem command by detecting the specific service installation it creates

Detection logic

condition: selection_id and 1 of selection_cli_*
selection_cli_cmd:
  ImagePath|contains:
  - cmd
  - '%COMSPEC%'
  ImagePath|contains|all:
  - /c
  - echo
  - \pipe\
selection_cli_rundll:
  ImagePath|contains|all:
  - rundll32
  - .dll,a
  - '/p:'
selection_cli_share:
  ImagePath|startswith: \\\\127.0.0.1\\ADMIN$\
selection_id:
  EventID: 7045
  Provider_Name: Service Control Manager
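
The Security (4697, `ServiceFileName`) and System (7045, `ImagePath`) variants of the getsystem rule above differ only in the log source and the field name; the selections are the same. Two details matter when reimplementing them: Sigma matching is case-insensitive, and `\\` in a rule value is one literal backslash, so the share pattern `\\\\127.0.0.1\\ADMIN$\` means `\\127.0.0.1\ADMIN$\`. The following added example (not part of the rules or of Sigma) is a minimal evaluator for the `field|modifier` syntax the two rules use, built for both log sources and run over constructed service-installation events.

```python
def sigma_unescape(pattern: str) -> str:
    """Sigma writes a literal backslash as a backslash pair."""
    return pattern.replace("\\\\", "\\")


def _match_value(value: str, modifiers: list, pattern) -> bool:
    v = value.lower()
    p = sigma_unescape(str(pattern)).lower()
    if "startswith" in modifiers:
        return v.startswith(p)
    if "endswith" in modifiers:
        return v.endswith(p)
    if "contains" in modifiers:
        return p in v
    return v == p


def match_selection(selection: dict, event: dict) -> bool:
    """Every field entry of a selection must match (implicit AND); a list of
    values is OR unless the 'all' modifier is present."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        value = str(event.get(field, ""))
        if not isinstance(patterns, list):
            patterns = [patterns]
        hits = [_match_value(value, modifiers, p) for p in patterns]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def getsystem_rule(path_field: str, id_selection: dict) -> dict:
    """The shared selections, parameterised by log source."""
    return {
        "selection_id": id_selection,
        "selection_cli_cmd": {
            f"{path_field}|contains": ["cmd", "%COMSPEC%"],
            f"{path_field}|contains|all": ["/c", "echo", "\\pipe\\"],
        },
        "selection_cli_rundll": {
            f"{path_field}|contains|all": ["rundll32", ".dll,a", "/p:"],
        },
        "selection_cli_share": {
            # Sigma source value: \\\\127.0.0.1\\ADMIN$\
            f"{path_field}|startswith": "\\\\\\\\127.0.0.1\\\\ADMIN$\\",
        },
    }


def getsystem_match(event: dict, rule: dict) -> bool:
    """condition: selection_id and 1 of selection_cli_*"""
    return match_selection(rule["selection_id"], event) and any(
        match_selection(sel, event)
        for name, sel in rule.items() if name.startswith("selection_cli_")
    )


SYSTEM_RULE = getsystem_rule(
    "ImagePath", {"EventID": 7045, "Provider_Name": "Service Control Manager"})
SECURITY_RULE = getsystem_rule("ServiceFileName", {"EventID": 4697})

# Constructed System 7045 events, not real telemetry; the random-looking
# names stand in for the ones the tools generate.
SAMPLE_7045 = [
    {"EventID": 7045, "Provider_Name": "Service Control Manager",
     "ImagePath": "%COMSPEC% /c echo jkzlcqf > \\\\.\\pipe\\jkzlcqf"},      # named-pipe impersonation
    {"EventID": 7045, "Provider_Name": "Service Control Manager",
     "ImagePath": "rundll32.exe C:\\Windows\\Temp\\abcdef.dll,a /p:abcdef"},  # dropped-DLL variant
    {"EventID": 7045, "Provider_Name": "Service Control Manager",
     "ImagePath": "\\\\127.0.0.1\\ADMIN$\\abcdef.exe"},                      # binary pushed over ADMIN$
    {"EventID": 7045, "Provider_Name": "Service Control Manager",
     "ImagePath": "C:\\Program Files\\Vendor\\agent.exe"},                    # ordinary install
    {"EventID": 7036, "Provider_Name": "Service Control Manager",
     "ImagePath": "%COMSPEC% /c echo x > \\\\.\\pipe\\x"},                   # right text, wrong event
]


def triage_system(events=SAMPLE_7045) -> list:
    return [getsystem_match(e, SYSTEM_RULE) for e in events]


if __name__ == "__main__":
    for e, hit in zip(SAMPLE_7045, triage_system()):
        print(hit, e["ImagePath"])
```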

ProcessHacker Privilege Elevation

Description

Detects the installation of a ProcessHacker service running as LocalSystem, which the tool uses to elevate its privileges to a very high level

Detection logic

condition: selection
selection:
  AccountName: LocalSystem
  EventID: 7045
  Provider_Name: Service Control Manager
  ServiceName|startswith: ProcessHacker

Query Tor Onion Address - DNS Client

Description

Detects DNS resolution of an .onion address related to Tor routing networks

Detection logic

condition: selection
selection:
  EventID: 3008
  QueryName|contains: .onion

ProxyLogon MSExchange OabVirtualDirectory

Description

Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory

Detection logic

condition: keywords_cmdlet and keywords_params
keywords_cmdlet:
  '|all':
  - OabVirtualDirectory
  - ' -ExternalUrl '
keywords_params:
- eval(request
- http://f/<script
- '"unsafe"};'
- function Page_Load()

Mailbox Export to Exchange Webserver

Description

Detects a successful export of an Exchange mailbox to an untypical directory or with an .aspx name suffix, which can be used to place a webshell, or the role assignment needed to perform such an export

Detection logic

condition: (export_command and export_params) or role_assignment
export_command:
  '|all':
  - New-MailboxExportRequest
  - ' -Mailbox '
export_params:
- -FilePath "\\\\
- .aspx
role_assignment:
  '|all':
  - New-ManagementRoleAssignment
  - ' -Role "Mailbox Import Export"'
  - ' -User '

Certificate Request Export to Exchange Webserver

Description

Detects a write of an Exchange certificate signing request (CSR) to an untypical directory or with an .aspx name suffix, which can be used to place a webshell

Detection logic

condition: keywords_export_command and keywords_export_params
keywords_export_command:
  '|all':
  - New-ExchangeCertificate
  - ' -GenerateRequest'
  - ' -BinaryEncoded'
  - ' -RequestFile'
keywords_export_params:
- \\\\localhost\\C$
- \\\\127.0.0.1\\C$
- C:\\inetpub
- .aspx

CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module

Description

Detects loaded kernel modules that did not meet the WHQL signing requirements.

Detection logic

condition: selection and not 1 of filter_optional_*
filter_optional_vmware:
  FileNameBuffer:
  - system32\drivers\vsock.sys
  - System32\drivers\vmci.sys
selection:
  EventID:
  - 3082
  - 3083

CodeIntegrity - Unsigned Image Loaded

Description

Detects an unsigned image loaded on the system

Detection logic

condition: selection
selection:
  EventID: 3037

CodeIntegrity - Unsigned Kernel Module Loaded

Description

Detects the presence of a loaded unsigned kernel module on the system.

Detection logic

condition: selection
selection:
  EventID: 3001

CodeIntegrity - Revoked Image Loaded

Description

Detects image load events with revoked certificates by code integrity.

Detection logic

condition: selection
selection:
  EventID:
  - 3032
  - 3035

CodeIntegrity - Blocked Image Load With Revoked Certificate

Description

Detects blocked image load events with revoked certificates by code integrity.

Detection logic

condition: selection
selection:
  EventID: 3036

CodeIntegrity - Revoked Kernel Driver Loaded

Description

Detects the load of a revoked kernel driver

Detection logic

condition: selection
selection:
  EventID:
  - 3021
  - 3022

CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked

Description

Detects block events for files that are disallowed by code integrity for protected processes

Detection logic

condition: selection
selection:
  EventID: 3104

Failed DNS Zone Transfer

Description

Detects when a DNS zone transfer failed.

Detection logic

condition: selection
selection:
  EventID: 6004

Windows Defender Exploit Guard Tamper

Description

Detects when applications from suspicious paths are added to the Exploit Guard Controlled Folder Access “AllowedApplications” list, or when folders are removed from the “ProtectedFolders” list

Detection logic

allowed_apps_key:
  EventID: 5007
  NewValue|contains: \Windows Defender\Windows Defender Exploit Guard\Controlled Folder
    Access\AllowedApplications\
allowed_apps_path:
  NewValue|contains:
  - \Users\Public\
  - \AppData\Local\Temp\
  - \Desktop\
  - \PerfLogs\
  - \Windows\Temp\
condition: all of allowed_apps* or protected_folders
protected_folders:
  EventID: 5007
  OldValue|contains: \Windows Defender\Windows Defender Exploit Guard\Controlled Folder
    Access\ProtectedFolders\

Windows Defender Threat Detected

Description

Detects actions taken by Windows Defender malware detection engines

Detection logic

condition: selection
selection:
  EventID:
  - 1006
  - 1015
  - 1116
  - 1117

Windows Defender AMSI Trigger Detected

Description

Detects triggering of AMSI by Windows Defender.

Detection logic

condition: selection
selection:
  EventID: 1116
  SourceName: AMSI

HackTool - Rubeus Execution - ScriptBlock

Description

Detects the execution of the hacktool Rubeus using specific command line flags

Detection logic

condition: selection
selection:
  ScriptBlockText|contains:
  - 'asreproast '
  - 'dump /service:krbtgt '
  - dump /luid:0x
  - 'kerberoast '
  - 'createnetonly /program:'
  - 'ptt /ticket:'
  - '/impersonateuser:'
  - 'renew /ticket:'
  - 'asktgt /user:'
  - 'harvest /interval:'
  - 's4u /user:'
  - 's4u /ticket:'
  - 'hash /password:'
  - 'golden /aes256:'
  - 'silver /user:'

PSAsyncShell - Asynchronous TCP Reverse Shell

Description

Detects the use of PSAsyncShell, an asynchronous TCP reverse shell written in PowerShell

Detection logic

condition: selection
selection:
  ScriptBlockText|contains: PSAsyncShell

Vulnerable HackSys Extreme Vulnerable Driver Load

Description

Detects the load of the HackSys Extreme Vulnerable Driver (HEVD), an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their kernel exploitation skills, which is often abused by threat actors

Detection logic

condition: selection
selection:
- ImageLoaded|endswith: \HEVD.sys
- Hashes|contains:
  - IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5
  - IMPHASH=c46ea2e651fd5f7f716c8867c6d13594

Sticky Key Like Backdoor Usage - Registry

Description

Detects the usage and installation of a backdoor that registers a malicious debugger (via the Image File Execution Options registry key) for built-in accessibility tools that are accessible from the login screen

Detection logic

condition: selection_registry
selection_registry:
  TargetObject|endswith:
  - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger
  - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger
  - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger
  - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger
  - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger
  - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger
  - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger
  - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger

Office Application Startup - Office Test

Description

Detects the addition of the Office test registry key, which allows a user to specify an arbitrary DLL that will be executed every time an Office application is started

Detection logic

condition: selection
selection:
  TargetObject|contains: \Software\Microsoft\Office test\Special\Perf

Potential Credential Dumping Via LSASS SilentProcessExit Technique

Description

Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process

Detection logic

condition: selection
selection:
  TargetObject|contains: Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe

Suspicious Execution Of Renamed Sysinternals Tools - Registry

Description

Detects the creation of the “accepteula” key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)

Detection logic

condition: selection and not filter
filter:
  Image|endswith:
  - \ADExplorer.exe
  - \ADExplorer64.exe
  - \handle.exe
  - \handle64.exe
  - \livekd.exe
  - \livekd64.exe
  - \procdump.exe
  - \procdump64.exe
  - \procexp.exe
  - \procexp64.exe
  - \PsExec.exe
  - \PsExec64.exe
  - \PsLoggedon.exe
  - \PsLoggedon64.exe
  - \psloglist.exe
  - \psloglist64.exe
  - \pspasswd.exe
  - \pspasswd64.exe
  - \PsPing.exe
  - \PsPing64.exe
  - \PsService.exe
  - \PsService64.exe
  - \sdelete.exe
selection:
  EventType: CreateKey
  TargetObject|contains:
  - \Active Directory Explorer
  - \Handle
  - \LiveKd
  - \ProcDump
  - \Process Explorer
  - \PsExec
  - \PsLoggedon
  - \PsLoglist
  - \PsPasswd
  - \PsPing
  - \PsService
  - \SDelete
  TargetObject|endswith: \EulaAccepted

Removal Of AMSI Provider Registry Keys

Description

Detects the deletion of AMSI provider registry key entries in HKLM\Software\Microsoft\AMSI. This technique could be used by an attacker in order to disable AMSI inspection.

Detection logic

condition: selection
selection:
  EventType: DeleteKey
  TargetObject|endswith:
  - '{2781761E-28E0-4109-99FE-B9D127C57AFE}'
  - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}'

Office Macros Warning Disabled

Description

Detects registry changes to Microsoft Office “VBAWarning” to a value of “1” which enables the execution of all macros, whether signed or unsigned.

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000001)
  TargetObject|endswith: \Security\VBAWarnings

Suspicious Application Allowed Through Exploit Guard

Description

Detects applications being added to the “allowed applications” list of exploit guard in order to bypass controlled folder settings

Detection logic

condition: all of selection_*
selection_key:
  TargetObject|contains: SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit
    Guard\Controlled Folder Access\AllowedApplications
selection_paths:
  TargetObject|contains:
  - \Users\Public\
  - \AppData\Local\Temp\
  - \Desktop\
  - \PerfLogs\
  - \Windows\Temp\

Potential Persistence Via AutodialDLL

Description

Detects changes to the “AutodialDLL” key, which could be used as a persistence method to load a custom DLL via the “ws2_32” library

Detection logic

condition: selection
selection:
  TargetObject|contains: \Services\WinSock2\Parameters\AutodialDLL

COM Object Hijacking Via Modification Of Default System CLSID Default Value

Description

Detects potential COM object hijacking via modification of default system CLSID.

Detection logic

condition: all of selection_target_* and 1 of selection_susp_location_*
selection_susp_location_1:
  Details|contains:
  - :\Perflogs\
  - \AppData\Local\
  - \Desktop\
  - \Downloads\
  - \Microsoft\Windows\Start Menu\Programs\Startup\
  - \System32\spool\drivers\color\
  - \Temporary Internet
  - \Users\Public\
  - \Windows\Temp\
  - '%appdata%'
  - '%temp%'
  - '%tmp%'
selection_susp_location_2:
- Details|contains|all:
  - :\Users\
  - \Favorites\
- Details|contains|all:
  - :\Users\
  - \Favourites\
- Details|contains|all:
  - :\Users\
  - \Contacts\
- Details|contains|all:
  - :\Users\
  - \Pictures\
selection_target_builtin_clsid:
  TargetObject|contains:
  - \{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\
  - \{2155fee3-2419-4373-b102-6843707eb41f}\
  - \{4590f811-1d3a-11d0-891f-00aa004b2e24}\
  - \{4de225bf-cf59-4cfc-85f7-68b90f185355}\
  - \{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\
  - \{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\
  - \{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\
  - \{7849596a-48ea-486e-8937-a2a3009f31a9}\
  - \{0b91a74b-ad7c-4a9d-b563-29eef9167172}\
  - \{603D3801-BD81-11d0-A3A5-00C04FD706EC}\
selection_target_root:
  TargetObject|contains: \CLSID\
  TargetObject|endswith:
  - \InprocServer32\(Default)
  - \LocalServer32\(Default)

Potential Attachment Manager Settings Associations Tamper

Description

Detects tampering with attachment manager settings policies associations to lower the default file type risks (See reference for more information)

Detection logic

condition: selection_main and 1 of selection_value_*
selection_main:
  TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\
selection_value_default_file_type_risk:
  Details: DWORD (0x00006152)
  TargetObject|endswith: \DefaultFileTypeRisk
selection_value_low_risk_filetypes:
  Details|contains:
  - .zip;
  - .rar;
  - .exe;
  - .bat;
  - .com;
  - .cmd;
  - .reg;
  - .msi;
  - .htm;
  - .html;
  TargetObject|endswith: \LowRiskFileTypes

Microsoft Office Protected View Disabled

Description

Detects changes to Microsoft Office protected view registry keys with which the attacker disables this feature.

Detection logic

condition: selection_path and 1 of selection_values_*
selection_path:
  TargetObject|contains|all:
  - \SOFTWARE\Microsoft\Office\
  - \Security\ProtectedView\
selection_values_0:
  Details: DWORD (0x00000000)
  TargetObject|endswith:
  - \enabledatabasefileprotectedview
  - \enableforeigntextfileprotectedview
selection_values_1:
  Details: DWORD (0x00000001)
  TargetObject|endswith:
  - \DisableAttachementsInPV
  - \DisableInternetFilesInPV
  - \DisableIntranetCheck
  - \DisableUnsafeLocationsInPV

Macro Enabled In A Potentially Suspicious Document

Description

Detects registry changes to Office trust records where the path is located in a potentially suspicious location

Detection logic

condition: all of selection_*
selection_paths:
  TargetObject|contains:
  - /AppData/Local/Microsoft/Windows/INetCache/
  - /AppData/Local/Temp/
  - /PerfLogs/
  - C:/Users/Public/
  - file:///D:/
  - file:///E:/
selection_value:
  TargetObject|contains: \Security\Trusted Documents\TrustRecords

Persistence Via Hhctrl.ocx

Description

Detects when an attacker modifies the registry value of the “hhctrl” to point to a custom binary

Detection logic

condition: selection and not filter
filter:
  Details: C:\Windows\System32\hhctrl.ocx
selection:
  TargetObject|contains: \CLSID\{52A2AAAE-085D-4187-97EA-8C30DB990436}\InprocServer32\(Default)

DNS-over-HTTPS Enabled by Registry

Description

Detects when a user enables DNS-over-HTTPS in a browser via the registry. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, the organization loses visibility into data such as query type, response and originating IP that are used to identify bad actors.

Detection logic

condition: 1 of selection_*
selection_chrome:
  Details: secure
  TargetObject|endswith: \SOFTWARE\Google\Chrome\DnsOverHttpsMode
selection_edge:
  Details: DWORD (0x00000001)
  TargetObject|endswith: \SOFTWARE\Policies\Microsoft\Edge\BuiltInDnsClientEnabled
selection_firefox:
  Details: DWORD (0x00000001)
  TargetObject|endswith: \SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled

Outlook Macro Execution Without Warning Setting Enabled

Description

Detects the modification of Outlook security setting to allow unprompted execution of macros.

Detection logic

condition: selection
selection:
  Details|contains: '0x00000001'
  TargetObject|endswith: \Outlook\Security\Level

Hide Schedule Task Via Index Value Tamper

Description

Detects when the “Index” value of a scheduled task is modified in the registry, which effectively hides the task from tooling such as “schtasks /query” (read the referenced link for more information about the effects of this technique)

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000000)
  TargetObject|contains|all:
  - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\
  - Index

Usage of Renamed Sysinternals Tools - RegistrySet

Description

Detects non-sysinternals tools setting the “accepteula” key which normally is set on sysinternals tool execution

Detection logic

condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_image_names:
  Image|endswith:
  - \PsExec.exe
  - \PsExec64.exe
  - \procdump.exe
  - \procdump64.exe
  - \handle.exe
  - \handle64.exe
  - \livekd.exe
  - \livekd64.exe
  - \procexp.exe
  - \procexp64.exe
  - \psloglist.exe
  - \psloglist64.exe
  - \pspasswd.exe
  - \pspasswd64.exe
  - \ADExplorer.exe
  - \ADExplorer64.exe
filter_optional_null:
  Image: null
selection:
  TargetObject|contains:
  - \PsExec
  - \ProcDump
  - \Handle
  - \LiveKd
  - \Process Explorer
  - \PsLoglist
  - \PsPasswd
  - \Active Directory Explorer
  TargetObject|endswith: \EulaAccepted

Potential Attachment Manager Settings Attachments Tamper

Description

Detects tampering with attachment manager settings policies attachments (See reference for more information)

Detection logic

condition: selection_main and 1 of selection_value_*
selection_main:
  TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\
selection_value_hide_zone_info:
  Details: DWORD (0x00000001)
  TargetObject|endswith: \HideZoneInfoOnProperties
selection_value_save_zone_info:
  Details: DWORD (0x00000002)
  TargetObject|endswith: \SaveZoneInformation
selection_value_scan_with_av:
  Details: DWORD (0x00000001)
  TargetObject|endswith: \ScanWithAntiVirus

Potentially Suspicious ODBC Driver Registered

Description

Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location

Detection logic

condition: selection
selection:
  Details|contains:
  - :\PerfLogs\
  - :\ProgramData\
  - :\Temp\
  - :\Users\Public\
  - :\Windows\Registration\CRMLog
  - :\Windows\System32\com\dmp\
  - :\Windows\System32\FxsTmp\
  - :\Windows\System32\Microsoft\Crypto\RSA\MachineKeys\
  - :\Windows\System32\spool\drivers\color\
  - :\Windows\System32\spool\PRINTERS\
  - :\Windows\System32\spool\SERVERS\
  - :\Windows\System32\Tasks_Migrated\
  - :\Windows\System32\Tasks\Microsoft\Windows\SyncCenter\
  - :\Windows\SysWOW64\com\dmp\
  - :\Windows\SysWOW64\FxsTmp\
  - :\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\
  - :\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter\
  - :\Windows\Tasks\
  - :\Windows\Temp\
  - :\Windows\Tracing\
  - \AppData\Local\Temp\
  - \AppData\Roaming\
  TargetObject|contains: \SOFTWARE\ODBC\ODBCINST.INI\
  TargetObject|endswith:
  - \Driver
  - \Setup

Potential Persistence Via TypedPaths

Description

Detects modification of or addition to the ‘TypedPaths’ key in the user or admin registry from a non-standard application, which might indicate a persistence attempt

Detection logic

condition: selection and not filter
filter:
  Image:
  - C:\Windows\explorer.exe
  - C:\Windows\SysWOW64\explorer.exe
selection:
  TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\

Potential CobaltStrike Service Installations - Registry

Description

Detects known malicious service installs that appear when a Cobalt Strike beacon elevates privileges or performs lateral movement.

Detection logic

condition: all of selection_*
selection_details:
- Details|contains|all:
  - ADMIN$
  - .exe
- Details|contains|all:
  - '%COMSPEC%'
  - start
  - powershell
selection_key:
- TargetObject|contains: \System\CurrentControlSet\Services
- TargetObject|contains|all:
  - \System\ControlSet
  - \Services

Potential Persistence Via LSA Extensions

Description

Detects when an attacker modifies the “REG_MULTI_SZ” value named “Extensions” to include a custom DLL to achieve persistence via lsass. The “Extensions” list contains filenames of DLLs being automatically loaded by lsass.exe. Each DLL has its InitializeLsaExtension() method called after loading.

Detection logic

condition: selection
selection:
  TargetObject|contains: \SYSTEM\CurrentControlSet\Control\LsaExtensionConfig\LsaSrv\Extensions

Trust Access Disable For VBApplications

Description

Detects registry changes to Microsoft Office “AccessVBOM” to a value of “1”, which enables the “Trust access to the VBA project object model” setting on the victim machine and lets attackers programmatically inject and execute malicious macros without any Microsoft Office warnings.

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000001)
  TargetObject|endswith: \Security\AccessVBOM

Antivirus Filter Driver Disallowed On Dev Drive - Registry

Description

Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a “Dev Drive”.

Detection logic

condition: selection
selection:
  Details: DWORD (0x00000000)
  TargetObject|endswith: \FilterManager\FltmgrDevDriveAllowAntivirusFilter

Network Communication With Crypto Mining Pool

Description

Detects initiated network connections to crypto mining pools

Detection logic

condition: selection
selection:
  DestinationHostname:
  - alimabi.cn
  - ap.luckpool.net
  - bcn.pool.minergate.com
  - bcn.vip.pool.minergate.com
  - bohemianpool.com
  - ca-aipg.miningocean.org
  - ca-dynex.miningocean.org
  - ca-neurai.miningocean.org
  - ca-qrl.miningocean.org
  - ca-upx.miningocean.org
  - ca-zephyr.miningocean.org
  - ca.minexmr.com
  - ca.monero.herominers.com
  - cbd.monerpool.org
  - cbdv2.monerpool.org
  - cryptmonero.com
  - crypto-pool.fr
  - crypto-pool.info
  - cryptonight-hub.miningpoolhub.com
  - d1pool.ddns.net
  - d5pool.us
  - daili01.monerpool.org
  - de-aipg.miningocean.org
  - de-dynex.miningocean.org
  - de-zephyr.miningocean.org
  - de.minexmr.com
  - dl.nbminer.com
  - donate.graef.in
  - donate.ssl.xmrig.com
  - donate.v2.xmrig.com
  - donate.xmrig.com
  - donate2.graef.in
  - drill.moneroworld.com
  - dwarfpool.com
  - emercoin.com
  - emercoin.net
  - emergate.net
  - ethereumpool.co
  - eu.luckpool.net
  - eu.minerpool.pw
  - fcn-xmr.pool.minergate.com
  - fee.xmrig.com
  - fr-aipg.miningocean.org
  - fr-dynex.miningocean.org
  - fr-neurai.miningocean.org
  - fr-qrl.miningocean.org
  - fr-upx.miningocean.org
  - fr-zephyr.miningocean.org
  - fr.minexmr.com
  - hellominer.com
  - herominers.com
  - hk-aipg.miningocean.org
  - hk-dynex.miningocean.org
  - hk-neurai.miningocean.org
  - hk-qrl.miningocean.org
  - hk-upx.miningocean.org
  - hk-zephyr.miningocean.org
  - huadong1-aeon.ppxxmr.com
  - iwanttoearn.money
  - jw-js1.ppxxmr.com
  - koto-pool.work
  - lhr.nbminer.com
  - lhr3.nbminer.com
  - linux.monerpool.org
  - lokiturtle.herominers.com
  - luckpool.net
  - masari.miner.rocks
  - mine.c3pool.com
  - mine.moneropool.com
  - mine.ppxxmr.com
  - mine.zpool.ca
  - mine1.ppxxmr.com
  - minemonero.gq
  - miner.ppxxmr.com
  - miner.rocks
  - minercircle.com
  - minergate.com
  - minerpool.pw
  - minerrocks.com
  - miners.pro
  - minerxmr.ru
  - minexmr.cn
  - minexmr.com
  - mining-help.ru
  - miningpoolhub.com
  - mixpools.org
  - moner.monerpool.org
  - moner1min.monerpool.org
  - monero-master.crypto-pool.fr
  - monero.crypto-pool.fr
  - monero.hashvault.pro
  - monero.herominers.com
  - monero.lindon-pool.win
  - monero.miners.pro
  - monero.riefly.id
  - monero.us.to
  - monerocean.stream
  - monerogb.com
  - monerohash.com
  - moneroocean.stream
  - moneropool.com
  - moneropool.nl
  - monerorx.com
  - monerpool.org
  - moriaxmr.com
  - mro.pool.minergate.com
  - multipool.us
  - myxmr.pw
  - na.luckpool.net
  - nanopool.org
  - nbminer.com
  - node3.luckpool.net
  - noobxmr.com
  - pangolinminer.comgandalph3000.com
  - pool.4i7i.com
  - pool.armornetwork.org
  - pool.cortins.tk
  - pool.gntl.co.uk
  - pool.hashvault.pro
  - pool.minergate.com
  - pool.minexmr.com
  - pool.monero.hashvault.pro
  - pool.ppxxmr.com
  - pool.somec.cc
  - pool.support
  - pool.supportxmr.com
  - pool.usa-138.com
  - pool.xmr.pt
  - pool.xmrfast.com
  - pool2.armornetwork.org
  - poolchange.ppxxmr.com
  - pooldd.com
  - poolmining.org
  - poolto.be
  - ppxvip1.ppxxmr.com
  - ppxxmr.com
  - prohash.net
  - r.twotouchauthentication.online
  - randomx.xmrig.com
  - ratchetmining.com
  - seed.emercoin.com
  - seed.emercoin.net
  - seed.emergate.net
  - seed1.joulecoin.org
  - seed2.joulecoin.org
  - seed3.joulecoin.org
  - seed4.joulecoin.org
  - seed5.joulecoin.org
  - seed6.joulecoin.org
  - seed7.joulecoin.org
  - seed8.joulecoin.org
  - sg-aipg.miningocean.org
  - sg-dynex.miningocean.org
  - sg-neurai.miningocean.org
  - sg-qrl.miningocean.org
  - sg-upx.miningocean.org
  - sg-zephyr.miningocean.org
  - sg.minexmr.com
  - sheepman.mine.bz
  - siamining.com
  - sumokoin.minerrocks.com
  - supportxmr.com
  - suprnova.cc
  - teracycle.net
  - trtl.cnpool.cc
  - trtl.pool.mine2gether.com
  - turtle.miner.rocks
  - us-aipg.miningocean.org
  - us-dynex.miningocean.org
  - us-neurai.miningocean.org
  - us-west.minexmr.com
  - us-zephyr.miningocean.org
  - usxmrpool.com
  - viaxmr.com
  - webservicepag.webhop.net
  - xiazai.monerpool.org
  - xiazai1.monerpool.org
  - xmc.pool.minergate.com
  - xmo.pool.minergate.com
  - xmr-asia1.nanopool.org
  - xmr-au1.nanopool.org
  - xmr-eu1.nanopool.org
  - xmr-eu2.nanopool.org
  - xmr-jp1.nanopool.org
  - xmr-us-east1.nanopool.org
  - xmr-us-west1.nanopool.org
  - xmr-us.suprnova.cc
  - xmr-usa.dwarfpool.com
  - xmr.2miners.com
  - xmr.5b6b7b.ru
  - xmr.alimabi.cn
  - xmr.bohemianpool.com
  - xmr.crypto-pool.fr
  - xmr.crypto-pool.info
  - xmr.f2pool.com
  - xmr.hashcity.org
  - xmr.hex7e4.ru
  - xmr.ip28.net
  - xmr.monerpool.org
  - xmr.mypool.online
  - xmr.nanopool.org
  - xmr.pool.gntl.co.uk
  - xmr.pool.minergate.com
  - xmr.poolto.be
  - xmr.ppxxmr.com
  - xmr.prohash.net
  - xmr.simka.pw
  - xmr.somec.cc
  - xmr.suprnova.cc
  - xmr.usa-138.com
  - xmr.vip.pool.minergate.com
  - xmr1min.monerpool.org
  - xmrf.520fjh.org
  - xmrf.fjhan.club
  - xmrfast.com
  - xmrigcc.graef.in
  - xmrminer.cc
  - xmrpool.de
  - xmrpool.eu
  - xmrpool.me
  - xmrpool.net
  - xmrpool.xyz
  - xx11m.monerpool.org
  - xx11mv2.monerpool.org
  - xxx.hex7e4.ru
  - zarabotaibitok.ru
  - zer0day.ru

Network Connection Initiated By Eqnedt32.EXE

Description

Detects network connections from the Equation Editor process “eqnedt32.exe”.

Detection logic

condition: selection
selection:
  Image|endswith: \eqnedt32.exe

Antivirus Exploitation Framework Detection

Description

Detects a highly relevant antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.

Detection logic

condition: selection
selection:
  Signature|contains:
  - Backdoor.Cobalt
  - Brutel
  - BruteR
  - CobaltStr
  - CobaltStrike
  - COBEACON
  - Cometer
  - Exploit.Script.CVE
  - IISExchgSpawnCMD
  - Metasploit
  - Meterpreter
  - MeteTool
  - Mpreter
  - MsfShell
  - PowerSploit
  - Razy
  - Rozena
  - Sbelt
  - Seatbelt
  - Sliver
  - Swrort

Antivirus Hacktool Detection

Description

Detects a highly relevant antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.

Detection logic

condition: selection
selection:
- Signature|startswith:
  - ATK/
  - Exploit.Script.CVE
  - HKTL
  - HTOOL
  - PWS.
  - PWSX
  - SecurityTool
- Signature|contains:
  - Adfind
  - Brutel
  - BruteR
  - Cobalt
  - COBEACON
  - Cometer
  - DumpCreds
  - FastReverseProxy
  - Hacktool
  - Havoc
  - Impacket
  - Keylogger
  - Koadic
  - Mimikatz
  - Nighthawk
  - PentestPowerShell
  - Potato
  - PowerSploit
  - PowerSSH
  - PshlSpy
  - PSWTool
  - PWCrack
  - PWDump
  - Rozena
  - Rusthound
  - Sbelt
  - Seatbelt
  - SecurityTool
  - SharpDump
  - SharpHound
  - Shellcode
  - Sliver
  - Snaffler
  - SOAPHound
  - Splinter
  - Swrort
  - TurtleLoader

Antivirus Ransomware Detection

Description

Detects a highly relevant antivirus alert that reports ransomware. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.

Detection logic

condition: selection
selection:
  Signature|contains:
  - BlackWorm
  - Chaos
  - Cobra
  - ContiCrypt
  - Crypter
  - CRYPTES
  - Cryptor
  - CylanCrypt
  - DelShad
  - Destructor
  - Filecoder
  - GandCrab
  - GrandCrab
  - Haperlock
  - Hiddentear
  - HydraCrypt
  - Krypt
  - Lockbit
  - Locker
  - Mallox
  - Phobos
  - Ransom
  - Ryuk
  - Ryzerlo
  - Stopcrypt
  - Tescrypt
  - TeslaCrypt
  - WannaCry
  - Xorist

Antivirus Relevant File Paths Alerts

Description

Detects an antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.

Detection logic

condition: 1 of selection_*
selection_ext:
  Filename|endswith:
  - .asax
  - .ashx
  - .asmx
  - .asp
  - .aspx
  - .bat
  - .cfm
  - .cgi
  - .chm
  - .cmd
  - .dat
  - .ear
  - .gif
  - .hta
  - .jpeg
  - .jpg
  - .jsp
  - .jspx
  - .lnk
  - .msc
  - .php
  - .pl
  - .png
  - .ps1
  - .psm1
  - .py
  - .pyc
  - .rb
  - .scf
  - .sct
  - .sh
  - .svg
  - .txt
  - .vbe
  - .vbs
  - .war
  - .wll
  - .wsf
  - .wsh
  - .xll
  - .xml
selection_path:
  Filename|contains:
  - :\PerfLogs\
  - :\Temp\
  - :\Users\Default\
  - :\Users\Public\
  - :\Windows\
  - /www/
  - \inetpub\
  - \tsclient\
  - apache
  - nginx
  - tomcat
  - weblogic

Antivirus Web Shell Detection

Description

Detects a highly relevant antivirus alert that reports a web shell. It is highly recommended to tune this rule to the specific strings used by your antivirus solution, for example by downloading a large web shell repository from GitHub and checking which signatures it triggers. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.

Detection logic

condition: selection
selection:
- Signature|startswith:
  - ASP.
  - IIS/BackDoor
  - JAVA/Backdoor
  - JSP.
  - Perl.
  - PHP.
  - Troj/ASP
  - Troj/JSP
  - Troj/PHP
  - VBS/Uxor
- Signature|contains:
  - ASP_
  - 'ASP:'
  - ASP.Agent
  - ASP/
  - Aspdoor
  - ASPXSpy
  - Backdoor.ASP
  - Backdoor.Java
  - Backdoor.JSP
  - Backdoor.PHP
  - Backdoor.VBS
  - Backdoor/ASP
  - Backdoor/Java
  - Backdoor/JSP
  - Backdoor/PHP
  - Backdoor/VBS
  - C99shell
  - Chopper
  - filebrowser
  - JSP_
  - 'JSP:'
  - JSP.Agent
  - JSP/
  - 'Perl:'
  - Perl/
  - PHP_
  - 'PHP:'
  - PHP.Agent
  - PHP/
  - PHPShell
  - PShlSpy
  - SinoChoper
  - Trojan.ASP
  - Trojan.JSP
  - Trojan.PHP
  - Trojan.VBS
  - VBS.Agent
  - VBS/Agent
  - Webshell

Antivirus Password Dumper Detection

Description

Detects a highly relevant antivirus alert that reports a password dumper. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.

Detection logic

condition: selection
selection:
- Signature|startswith: PWS
- Signature|contains:
  - Certify
  - DCSync
  - DumpCreds
  - DumpLsass
  - DumpPert
  - HTool/WCE
  - Kekeo
  - Lazagne
  - LsassDump
  - Mimikatz
  - MultiDump
  - Nanodump
  - NativeDump
  - Outflank
  - PShlSpy
  - PSWTool
  - PWCrack
  - PWDump
  - PWS.
  - PWSX
  - pypykatz
  - Rubeus
  - SafetyKatz
  - SecurityTool
  - SharpChrome
  - SharpDPAPI
  - SharpDump
  - SharpKatz
  - SharpS.
  - ShpKatz
  - TrickDump

OpenCanary - TFTP Request

Description

Detects instances where a TFTP service on an OpenCanary node has had a request.

Detection logic

condition: selection
selection:
  logtype: 10001

OpenCanary - MSSQL Login Attempt Via SQLAuth

Description

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.

Detection logic

condition: selection
selection:
  logtype: 9001

OpenCanary - REDIS Action Command Attempt

Description

Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.

Detection logic

condition: selection
selection:
  logtype: 17001

OpenCanary - HTTP POST Login Attempt

Description

Detects instances where an HTTP service on an OpenCanary node has had a login attempt via form POST.

Detection logic

condition: selection
selection:
  logtype: 3001

OpenCanary - FTP Login Attempt

Description

Detects instances where an FTP service on an OpenCanary node has had a login attempt.

Detection logic

condition: selection
selection:
  logtype: 2000

OpenCanary - VNC Connection Attempt

Description

Detects instances where a VNC service on an OpenCanary node has had a connection attempt.

Detection logic

condition: selection
selection:
  logtype: 12001

OpenCanary - SMB File Open Request

Description

Detects instances where an SMB service on an OpenCanary node has had a file open request.

Detection logic

condition: selection
selection:
  logtype: 5000

OpenCanary - GIT Clone Request

Description

Detects instances where a Git service on an OpenCanary node has had a Git clone request.

Detection logic

condition: selection
selection:
  logtype: 16001

OpenCanary - SSH New Connection Attempt

Description

Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

Detection logic

condition: selection
selection:
  logtype: 4000

OpenCanary - SSH Login Attempt

Description

Detects instances where an SSH service on an OpenCanary node has had a login attempt.

Detection logic

condition: selection
selection:
  logtype: 4002

OpenCanary - MSSQL Login Attempt Via Windows Authentication

Description

Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.

Detection logic

condition: selection
selection:
  logtype: 9002

OpenCanary - NTP Monlist Request

Description

Detects instances where an NTP service on an OpenCanary node has had an NTP monlist request.

Detection logic

condition: selection
selection:
  logtype: 11001

OpenCanary - SIP Request

Description

Detects instances where a SIP service on an OpenCanary node has had a SIP request.

Detection logic

condition: selection
selection:
  logtype: 15001

OpenCanary - MySQL Login Attempt

Description

Detects instances where a MySQL service on an OpenCanary node has had a login attempt.

Detection logic

condition: selection
selection:
  logtype: 8001

OpenCanary - HTTPPROXY Login Attempt

Description

Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.

Detection logic

condition: selection
selection:
  logtype: 7001

OpenCanary - HTTP GET Request

Description

Detects instances where an HTTP service on an OpenCanary node has received a GET request.

Detection logic

condition: selection
selection:
  logtype: 3000

OpenCanary - Telnet Login Attempt

Description

Detects instances where a Telnet service on an OpenCanary node has had a login attempt.

Detection logic

condition: selection
selection:
  logtype: 6001

OpenCanary - SNMP OID Request

Description

Detects instances where an SNMP service on an OpenCanary node has had an OID request.

Detection logic

condition: selection
selection:
  logtype: 13001

Okta FastPass Phishing Detection

Description

Detects when Okta FastPass prevents a known phishing site.

Detection logic

condition: selection
selection:
  eventtype: user.authentication.auth_via_mfa
  outcome.reason: FastPass declined phishing attempt
  outcome.result: FAILURE

Potential Okta Password in AlternateID Field

Description

Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.

Detection logic

condition: selection and not filter_main
filter_main:
  actor.alternateid|re: (^0oa.*|[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,10})
selection:
  legacyeventtype: core.user_auth.login_failed

Disabling Multi Factor Authentication

Description

Detects disabling of Multi Factor Authentication.

Detection logic

condition: selection
selection:
  Operation|contains: Disable Strong Authentication.

Increased Failed Authentications Of Any Type

Description

Detects when sign-ins increased by 10% or more.

Detection logic

condition: selection
selection:
  Count: <10%
  Status: failure

Bitbucket Unauthorized Full Data Export Triggered

Description

Detects when a full data export is attempted by an unauthorized user.

Detection logic

condition: selection
selection:
  auditType.action: Unauthorized full data export triggered
  auditType.category: Data pipeline

Clipboard Data Collection Via OSAScript

Description

Detects possible collection of data from the clipboard via execution of the osascript binary

Detection logic

condition: selection
selection:
  CommandLine|contains|all:
  - osascript
  - ' -e '
  - clipboard

Potential Netcat Reverse Shell Execution

Description

Detects execution of netcat with the “-e” flag followed by common shells. This could be a sign of a potential reverse shell setup.

Detection logic

condition: all of selection_*
selection_flags:
  CommandLine|contains:
  - ' -c '
  - ' -e '
selection_nc:
  Image|endswith:
  - /nc
  - /ncat
selection_shell:
  CommandLine|contains:
  - ' ash'
  - ' bash'
  - ' bsh'
  - ' csh'
  - ' ksh'
  - ' pdksh'
  - ' sh'
  - ' tcsh'
  - /bin/ash
  - /bin/bash
  - /bin/bsh
  - /bin/csh
  - /bin/ksh
  - /bin/pdksh
  - /bin/sh
  - /bin/tcsh
  - /bin/zsh
  - $IFSash
  - $IFSbash
  - $IFSbsh
  - $IFScsh
  - $IFSksh
  - $IFSpdksh
  - $IFSsh
  - $IFStcsh
  - $IFSzsh

Apache Spark Shell Command Injection - ProcessCreation

Description

Detects attempts to exploit an Apache Spark server via CVE-2014-6287 from a command-line perspective.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - id -Gn `
  - id -Gn '
  ParentImage|endswith: \bash

Linux Doas Tool Execution

Description

Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.

Detection logic

condition: selection
selection:
  Image|endswith: /doas

Sudo Privilege Escalation CVE-2019-14287

Description

Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287

Detection logic

condition: selection
selection:
  CommandLine|contains: ' -u#'

Potential Perl Reverse Shell Execution

Description

Detects execution of the perl binary with the “-e” flag and common strings related to potential reverse shell activity

Detection logic

condition: all of selection_*
selection_content:
- CommandLine|contains|all:
  - fdopen(
  - ::Socket::INET
- CommandLine|contains|all:
  - Socket
  - connect
  - open
  - exec
selection_img:
  CommandLine|contains: ' -e '
  Image|endswith: /perl

Triple Cross eBPF Rootkit Install Commands

Description

Detects default install commands of the Triple Cross eBPF rootkit based on the “deployer.sh” script

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - ' qdisc '
  - ' filter '
  CommandLine|contains|all:
  - ' tc '
  - ' enp0s3 '
  Image|endswith: /sudo

Linux HackTool Execution

Description

Detects known hacktool execution based on image name.

Detection logic

condition: 1 of selection_*
selection_c2_framework_cobaltstrike:
  Image|contains:
  - /cobaltstrike
  - /teamserver
selection_c2_frameworks:
  Image|endswith:
  - /crackmapexec
  - /havoc
  - /merlin-agent
  - /merlinServer-Linux-x64
  - /msfconsole
  - /msfvenom
  - /ps-empire server
  - /ps-empire
  - /sliver-client
  - /sliver-server
  - /Villain.py
selection_exploit_tools:
  Image|endswith:
  - /aircrack-ng
  - /bloodhound-python
  - /bpfdos
  - /ebpfki
  - /evil-winrm
  - /hashcat
  - /hoaxshell.py
  - /hydra
  - /john
  - /ncrack
  - /nxc-ubuntu-latest
  - /pidhide
  - /pspy32
  - /pspy32s
  - /pspy64
  - /pspy64s
  - /setoolkit
  - /sqlmap
  - /writeblocker
selection_linpeas:
  Image|contains: /linpeas
selection_scanners:
  Image|endswith:
  - /autorecon
  - /httpx
  - /legion
  - /naabu
  - /netdiscover
  - /nuclei
  - /recon-ng
selection_scanners_sniper:
  Image|contains: /sniper
selection_web_enum:
  Image|endswith:
  - /dirb
  - /dirbuster
  - /eyewitness
  - /feroxbuster
  - /ffuf
  - /gobuster
  - /wfuzz
  - /whatweb
selection_web_vuln:
  Image|endswith:
  - /joomscan
  - /nikto
  - /wpscan

Triple Cross eBPF Rootkit Execve Hijack

Description

Detects execution of the file “execve_hijack”, which is used by the Triple Cross rootkit as a way to elevate privileges.

Detection logic

condition: selection
selection:
  CommandLine|contains: execve_hijack
  Image|endswith: /sudo

Sudo Privilege Escalation CVE-2019-14287 - Builtin

Description

Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287

Detection logic

condition: selection_user
selection_user:
  USER:
  - '#-*'
  - '#*4294967295'

Triple Cross eBPF Rootkit Default Persistence

Description

Detects the creation of “ebpfbackdoor” files in both the “cron.d” and “sudoers.d” directories, both of which are related to the TripleCross persistence method.

Detection logic

condition: selection
selection:
  TargetFilename|endswith: ebpfbackdoor

Triple Cross eBPF Rootkit Default LockFile

Description

Detects the creation of the file “rootlog” which is used by the TripleCross rootkit as a way to check if the backdoor is already running.

Detection logic

condition: selection
selection:
  TargetFilename: /tmp/rootlog

Linux Doas Conf File Creation

Description

Detects the creation of the doas.conf file on a Linux host.

Detection logic

condition: selection
selection:
  TargetFilename|endswith: /etc/doas.conf

BPFDoor Abnormal Process ID or Lock File Accessed

Description

Detects access to BPFDoor .lock and .pid files in the temporary file storage facility.

Detection logic

condition: selection
selection:
  name:
  - /var/run/haldrund.pid
  - /var/run/xinetd.lock
  - /var/run/kdevrund.pid
  type: PATH