attack.execution

Suspicious PowerShell Download and Execute Pattern
level
status experimental

Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend matches the strings case-insensitively)

Enable Microsoft Dynamic Data Exchange
level
status experimental

Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.

Suspicious Add Scheduled Task Parent
level
status experimental

Detects suspicious scheduled task creations from a parent stored in a temporary folder

Process Start From Suspicious Folder
level
status experimental

Detects process starts from rare or uncommon folders, such as temporary folders or folders that usually don't contain executable files

BPFtrace Unsafe Option Usage
level
status experimental

Detects the usage of the unsafe bpftrace option

RunXCmd Tool Execution As System
level
status experimental

Detects the use of RunXCmd tool for command execution

NSudo Tool Execution As System
level
status experimental

Detects the use of NSudo tool for command execution

NirCmd Tool Execution As LOCAL SYSTEM
level
status experimental

Detects the use of NirCmd tool for command execution as SYSTEM user

NirCmd Tool Execution
level
status experimental

Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity

Code Integrity Blocked Driver Load
level
status experimental

Detects driver load events that got blocked by Windows code integrity checks

NodejsTools PressAnyKey Lolbin
level
status experimental

Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary

DevInit Lolbin Download
level
status experimental

Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system

False Sysinternals Suite Tools
level
status experimental

Detects binaries renamed as legitimate Sysinternals Suite tools to evade detection

Shell32 DLL Execution in Suspicious Directory
level
status experimental

Detects shell32.dll executing a DLL in a suspicious directory

Azure Kubernetes CronJob
level
status experimental

Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Jobs can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob to schedule execution of malicious code that would run as a container in the cluster.

Google Cloud Kubernetes CronJob
level
status experimental

Identifies when a Google Cloud Kubernetes CronJob runs in Google Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Jobs can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob to schedule execution of malicious code that would run as a container in the cluster.

Suspicious Scheduled Task Write to System32 Tasks
level
status experimental

Detects the creation of tasks from processes executed from suspicious locations

Change PowerShell Policies to an Unsecure Level
level
status experimental

Detects use of the executionpolicy option to set an unsecure policy

OMIGOD HTTP No Authentication RCE
level
status stable

Detects the exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) as root with just a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). The client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

OMIGOD SCX RunAsProvider ExecuteScript
level
status experimental

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temp file in the /tmp folder with a scx* prefix. It is then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/; the file in that directory has the same scx* prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

OMIGOD SCX RunAsProvider ExecuteShellCommand
level
status experimental

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

OMIGOD SCX RunAsProvider ExecuteShellCommand
level
status experimental

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Azure New CloudShell Created
level
status experimental

Identifies when a new Cloud Shell is created inside the Azure portal.

Atlassian Confluence CVE-2021-26084
level
status experimental

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084

Created Files by Office Applications
level
status experimental

This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.

New Lolbin Process by Office Applications
level
status experimental

This rule will monitor any Office application that spins up a new LOLBin process. This activity is pretty suspicious and should be investigated.

Lolbins Process Creation with WmiPrvse
level
status experimental

This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed.

EDR WMI Command Execution by Office Applications
level
status experimental

Initial execution of a malicious document calls wmic Win32_Process::Create to execute the file with regsvr32

Possible PrintNightmare Print Driver Install
level
status stable

Detects the remote installation of a print driver, which is a possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally or through group policy.

Malicious ShellIntel PowerShell Commandlets
level
status experimental

Detects Commandlet names from ShellIntel exploitation scripts.

Cabinet File Expansion
level
status experimental

Adversaries can use the built-in expand utility to decompress CAB files, as seen in the recent Iranian MeteorExpress attack

Direct Syscall of NtOpenProcess
level
status experimental

Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.

CobaltStrike Process Patterns
level
status experimental

Detects process patterns found in Cobalt Strike beacon activity (see reference for more details)

SMB Relay Attack Tools
level
status test

Detects different hacktools used for relay attacks on Windows for privilege escalation

Regsvr32 Command Line Without DLL
level
status experimental

Detects a regsvr32.exe execution whose command line doesn't contain a DLL

PowerShell ADRecon Execution
level
status experimental

Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7

Suspicious Script Execution From Temp Folder
level
status experimental

Detects suspicious script executions from a temporary folder

Suspicious Spool Service Child Process
level
status stable

Detects suspicious print spool service (spoolsv.exe) child processes.

Malicious PowerView PowerShell Commandlets
level
status experimental

Detects Commandlet names from PowerView of PowerSploit exploitation framework.

Lazarus Activity
level
status experimental

Detects different process creation events as described in Malwarebytes' threat report on Lazarus group activity

Lazarus Activity
level
status experimental

Detects different process creation events as described in various threat reports on Lazarus group activity

Lazarus Loaders
level
status test

Detects different loaders as described in various threat reports on Lazarus group activity

Trickbot Malware Activity
level
status test

Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe

Psexec Accepteula Condition
level
status test

Detects the user accept agreement (accepteula) flag in the PsExec command line

Windows Defender AMSI Trigger Detected
level
status stable

Detects triggering of AMSI by Windows Defender.

Snatch Ransomware
level
status test

Detects specific process characteristics of Snatch ransomware word document droppers

DNS RCE CVE-2020-1350
level
status test

Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by detecting suspicious sub processes

PSExec and WMI Process Creations Block
level
status experimental

Detects blocking of process creations originating from PSExec and WMI commands

File Was Not Allowed To Run
level
status test

Detects files that were not allowed to run. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.

Space After Filename
level
status test

Detects space after filename

Suspicious XOR Encoded PowerShell Command Line
level
status experimental

Detects a suspicious PowerShell process whose command line includes the bxor operator, an alternative obfuscation method to base64-encoded commands.

Windows Defender Threat Detected
level
status stable

Detects all actions taken by Windows Defender malware detection engines

Cmd.exe CommandLine Path Traversal
level
status test

Detects the usage of path traversal in cmd.exe, indicating possible command/argument confusion/hijacking

Suspicious New Printer Ports in Registry (CVE-2020-1048)
level
status test

Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048

Notepad Making Network Connection
level
status test

Detects suspicious network connection by Notepad

Maze Ransomware
level
status experimental

Detects specific process characteristics of Maze ransomware word document droppers

PowerShell Create Local User
level
status experimental

Detects creation of a local user via PowerShell

WMImplant Hack Tool
level
status experimental

Detects parameters used by WMImplant

PowerShell DownloadFile
level
status test

Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line

Exploited CVE-2020-10189 Zoho ManageEngine
level
status test

Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189

VBA DLL Loaded Via Microsoft Word
level
status test

Detects DLLs loaded via Word containing VBA macros

GAC DLL Loaded Via Office Applications
level
status test

Detects any GAC DLL being loaded by an Office Product

dotNET DLL Loaded Via Office Applications
level
status test

Detects any assembly DLL being loaded by an Office Product

CLR DLL Loaded Via Office Applications
level
status test

Detects CLR DLL being loaded by an Office Product

Active Directory Kerberos DLL Loaded Via Office Applications
level
status test

Detects Kerberos DLL being loaded by an Office Product

Koadic Execution
level
status test

Detects command line parameters used by Koadic hack tool

AWS EC2 Startup Shell Script Change
level
status experimental

Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.

Curl Start Combination
level
status test

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

Audit CVE Event
level
status experimental

Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)

Tasks Folder Evasion
level
status experimental

The Tasks folders in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this to load or influence any script host or ANY .NET application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr

Windows Management Instrumentation DLL Loaded Via Microsoft Word
level
status deprecated

Detects DLLs loaded via Word containing VBA macros executing WMI commands

Operation Wocao Activity
level
status experimental

Detects activity mentioned in Operation Wocao report

Bloodhound and Sharphound Hack Tool
level
status test

Detects command line parameters used by Bloodhound and Sharphound hack tools

Silence.EDA Detection
level
status test

Detects Silence empireDNSagent

Exploiting SetupComplete.cmd CVE-2019-1378
level
status test

Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378

Service Execution
level
status test

Detects manual service execution (start) via system utilities.

Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner
level
status test

Detects the launch of 64-bit shellcode from a debugger script file using cdb.exe.

Application Whitelisting Bypass via Bginfo
level
status test

Detects execution of VBScript code that is referenced within a *.bgi file.

Regsvr32 Network Activity
level
status experimental

Detects network connections and DNS queries initiated by Regsvr32.exe

Dnscat Execution
level
status experimental

Detects execution of the Dnscat exfiltration tool

WMI Modules Loaded
level
status experimental

Detects processes other than wmiprvse loading WMI modules

Remote PowerShell Sessions Network Connections (WinRM)
level
status experimental

Detects basic PowerShell Remoting (WinRM) by monitoring for inbound network connections to ports 5985 or 5986

Remote PowerShell Session
level
status test

Detects remote PowerShell sessions

Remote PowerShell Session
level
status test

Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.

Non Interactive PowerShell
level
status experimental

Detects non-interactive PowerShell activity by looking for powershell.exe whose parent process is not explorer.exe.

Alternate PowerShell Hosts Pipe
level
status test

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Alternate PowerShell Hosts
level
status test

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Suspicious HWP Sub Processes
level
status test

Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation

Windows Suspicious Use Of Web Request in CommandLine
level
status experimental

Detects the use of various web requests via command line tools or Windows PowerShell commands and methods (including aliases)

DLL Load via LSASS
level
status test

Detects a method to load DLL via LSASS process using an undocumented Registry key

Emotet Process Creation
level
status test

Detects all Emotet like process executions that are not covered by the more generic rules

Control Panel Items
level
status test

Detects the malicious use of a control panel item

Hacktool Ruler
level
status experimental

Detects events that are generated when using the hacktool Ruler by SensePost

Mimikatz through Windows Remote Management
level
status stable

Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.

Malicious Nishang PowerShell Commandlets
level
status experimental

Detects Commandlet names and arguments from the Nishang exploitation framework

Empire PowerShell Launch Parameters
level
status test

Detects suspicious powershell command line parameters used in Empire

MSHTA Suspicious Execution 01
level
status test

Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism

Baby Shark Activity
level
status test

Detects activity that could be related to Baby Shark malware

Ursnif
level
status experimental

Detects new registry key created by Ursnif malware.

Suspicious PowerShell Keywords
level
status experimental

Detects keywords that could indicate the use of some PowerShell exploitation framework

iOS Implant URL Pattern
level
status test

Detects URL pattern used by iOS Implant

WSF/JSE/JS/VBA/VBE File Execution
level
status test

Detects suspicious file execution by wscript and cscript

WScript or CScript Dropper
level
status test

Detects wscript/cscript executions of scripts located in user directories

Windows Shell Spawning Suspicious Program
level
status test

Detects a suspicious child process of a Windows shell

Sysprep on AppData Folder
level
status test

Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)

Suspicious WMI Execution
level
status test

Detects WMI executing suspicious commands

Suspicious RASdial Activity
level
status test

Detects suspicious process related to rasdial.exe

Suspicious PowerShell Parameter Substring
level
status test

Detects suspicious PowerShell invocation with a parameter substring

Suspicious PowerShell Invocation Based on Parent Process
level
status test

Detects suspicious powershell invocations from interpreters or unusual programs

Suspicious Encoded PowerShell Command Line
level
status experimental

Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)

Scheduled Task Creation
level
status experimental

Detects the creation of scheduled tasks in user session

Quick Execution of a Series of Suspicious Commands
level
status experimental

Detects multiple suspicious processes in a limited timeframe

PsExec Service Start
level
status test

Detects a PsExec service start

PowerShell Script Run in AppData
level
status experimental

Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder

PowerShell Download from URL
level
status test

Detects a Powershell process that contains download commands in its command line string

Microsoft Workflow Compiler
level
status experimental

Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.

Microsoft Office Product Spawning Windows Shell
level
status test

Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, PowerPoint, Publisher and Visio

Malicious Base64 Encoded PowerShell Keywords in Command Lines
level
status test

Detects base64 encoded strings used in hidden malicious PowerShell command lines

Exploit for CVE-2017-0261
level
status test

Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262

Droppers Exploiting CVE-2017-11882
level
status test

Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe

Command Line Execution with Suspicious URL and AppData Strings
level
status test

Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)

CMSTP UAC Bypass via COM Object Access
level
status stable

Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

Suspicious File Characteristics Due to Missing Fields
level
status experimental

Detects executables in the Downloads folder without the FileVersion, Description, Product or Company fields, likely created with py2exe

NTFS Alternate Data Stream
level
status experimental

Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.

CMSTP Execution Registry Event
level
status stable

Detects various indicators of Microsoft Connection Manager Profile Installer execution

CMSTP Execution Process Creation
level
status stable

Detects various indicators of Microsoft Connection Manager Profile Installer execution

CMSTP Execution Process Access
level
status stable

Detects various indicators of Microsoft Connection Manager Profile Installer execution

PowerShell Rundll32 Remote Thread Creation
level
status experimental

Detects PowerShell remote thread creation in Rundll32.exe

Default PowerSploit and Empire Schtasks Persistence
level
status test

Detects the creation of a schtask via PowerSploit or Empire Default Configuration.

smbexec.py Service Installation
level
status test

Detects the use of smbexec.py tool by detecting a specific service installation

Elise Backdoor
level
status test

Detects Elise backdoor activity as used by APT32

Suspicious Commands Linux
level
status test

Detects relevant commands often related to malware or hacking activity

Exploit for CVE-2017-8759
level
status test

Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759

APT29
level
status test

This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.

ZxShell Malware
level
status test

Detects a ZxShell start by the called and well-known function name

PsExec Tool Execution
level
status experimental

Detects PsExec service installation and execution events (service and Sysmon)

PowerShell Downgrade Attack
level
status experimental

Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0

Suspicious Activity in Shell Commands
level
status test

Detects suspicious shell commands used in various exploit codes (see references)

Download EXE from Suspicious TLD
level
status test

Detects executable downloads from suspicious remote systems

PowerShell Network Connections
level
status experimental

Detects a PowerShell process that opens network connections; check for suspicious target ports and target systems and adjust to your environment (e.g. extend filters with the company's IP range)

Excel Network Connections
level
status experimental

Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.

Suspicious PowerShell Invocations - Generic
level
status deprecated

Detects suspicious PowerShell invocation command parameters

WSL Execution
level
status test

Detects possible usage of the Windows Subsystem for Linux (WSL) binary as a LOLBIN

Wmiprvse Wbemcomn DLL Hijack
level
status experimental

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Wmiprvse Wbemcomn DLL Hijack
level
status experimental

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

WMIExec VBS Script
level
status test

Detects suspicious file execution by wscript and cscript

WMI Reconnaissance List Remote Services
level
status experimental

An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, service information will be displayed on the screen if the service exists. A common feedback message is “No instance(s) Available” if the service queried is not running. A common error message is “Node - (provided IP or default) ERROR Description =The RPC server is unavailable” if the provided remote host is unreachable

WMI Event Consumer Created Named Pipe
level
status experimental

Detects the WMI Event Consumer service scrcons.exe creating a named pipe

Windows Update Client LOLBIN
level
status experimental

Detects code execution via the Windows Update client (wuauclt)

VMToolsd Suspicious Child Process
level
status experimental

Detects suspicious child process creations of VMware Tools process which may indicate persistence setup

Using SettingSyncHost.exe as LOLBin
level
status test

Detects using SettingSyncHost.exe to run a hijacked binary

Using AppVLP To Circumvent ASR File Path Rule
level
status experimental

The Application Virtualization Utility (AppVLP) is included with Microsoft Office. AppVLP can be abused to execute shell commands. Normally this binary is used for Application Virtualization, but it can be used as an abuse binary to circumvent the ASR file path rule folder or to mark a file as a system file.

Unidentified Attacker November 2018
level
status stable

A Sigma rule detecting an unidentified attacker who used phishing emails to target high profile orgs in November 2018. The actor shares some TTPs with the YYTRIUM/APT29 campaign in 2016.

UNC2452 Process Creation Patterns
level
status experimental

Detects specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries

UNC2452 PowerShell Pattern
level
status experimental

Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports

Turla Group Named Pipes
level
status test

Detects a named pipe used by Turla group samples

Turla Group Lateral Movement
level
status experimental

Detects automated lateral movement by Turla group

Turla Group Commands May 2020
level
status test

Detects commands used by Turla group as reported by ESET in May 2020

TropicTrooper Campaign November 2018
level
status stable

Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia

TAIDOOR RAT DLL Load
level
status test

Detects specific process characteristics of Chinese TAIDOOR RAT malware load

TA505 Dropper Load Pattern
level
status test

Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents

T1047 Wmiprvse Wbemcomn DLL Hijack
level
status test

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL Hijack scenario.

Symlink Etc Passwd
level
status test

Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd

Suspicious ZipExec Execution
level
status experimental

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.

Suspicious WMI Reconnaissance
level
status experimental

An adversary might use WMI to list processes running on the compromised host or list installed software hotfixes and patches.

Suspicious Use of CSharp Interactive Console
level
status test

Detects the execution of CSharp interactive console by PowerShell

Suspicious Scheduled Task Creation Involving Temp Folder
level
status experimental

Detects the creation of scheduled tasks that involves a temporary folder and runs only once

Suspicious Runscripthelper.exe
level
status test

Detects execution of powershell scripts via Runscripthelper.exe

Suspicious Reverse Shell Command Line
level
status test

Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell

Suspicious PrinterPorts Creation (CVE-2020-1048)
level
status test

Detects commands that add a new printer port pointing to a suspicious file

Suspicious PowerShell Invocations - Specific
level
status deprecated

Detects suspicious PowerShell invocation command parameters

Suspicious PowerShell Download
level
status deprecated

Detects suspicious PowerShell download command

Suspicious PowerShell Command Line
level
status test

Detects the PowerShell command lines with special characters

Suspicious PowerShell Cmdline
level
status test

Detects the PowerShell command lines with reversed strings

Suspicious Parent of Csc.exe
level
status test

Detects a suspicious parent of csc.exe, which could be a sign of payload delivery

Suspicious Non PowerShell WSMAN COM Provider
level
status experimental

Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

Suspicious LOLBIN AccCheckConsole
level
status experimental

Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL

Suspicious ftp.exe
level
status test

Detects renamed ftp.exe, ftp.exe script execution and child processes run by ftp.exe

Suspicious Execution of Powershell with Base64
level
status experimental

Detects a command line that launches PowerShell with a base64 payload

Suspicious Execution from Outlook
level
status test

Detects EnableUnsafeClientMailRules used for Script Execution from Outlook

Suspicious Esentutl Use
level
status deprecated

Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.

Suspicious Encoded Scripts in a WMI Consumer
level
status experimental

Detects suspicious encoded payloads in WMI Event Consumers

Suspicious CLR Logs Creation
level
status experimental

Detects suspicious .NET assembly executions. Could detect using Cobalt Strike’s command execute-assembly.

Squirrel Lolbin
level
status experimental

Detects possible use of the Squirrel package manager as a LOLBin

SQL Client Tools PowerShell Session Detection
level
status test

This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server Management Studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Silenttrinity Stager Msbuild Activity
level
status test

Detects possible remote connections to a Silenttrinity C2

Script Interpreter Execution From Suspicious Folder
level
status experimental

Detects suspicious script executions in temporary folders or folders accessible by environment variables

Script Event Consumer Spawning Process
level
status experimental

Detects a suspicious child process of Script Event Consumer (scrcons.exe).

Scheduled Task Deletion
level
status experimental

Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious software often creates tasks directly under the root node, e.g. \TASKNAME

Scheduled Cron Task/Job
level
status test

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

Scheduled Cron Task/Job
level
status test

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

Ryuk Ransomware
level
status test

Detects Ryuk Ransomware command lines

Rundll32 Without Parameters
level
status experimental

Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module

Run PowerShell Script from Redirected Input Stream
level
status test

Detects PowerShell script execution via input stream redirect

REvil Kaseya Incident Malware Patterns
level
status test

Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)

Renamed jusched.exe
level
status test

Detects a renamed jusched.exe as used by the Cobalt group

Registry Entries For Azorult Malware
level
status test

Detects the presence of a registry key created during Azorult execution

RedMimicry Winnti Playbook Execute
level
status test

Detects actions caused by the RedMimicry Winnti playbook

QBot Process Creation
level
status experimental

Detects QBot-like process executions

ProcessHacker Privilege Elevation
level
status experimental

Detects the Process Hacker tool elevating its privileges to a very high level

Privilege Escalation Preparation
level
status test

Detects suspicious shell commands indicating the information gathering phase that precedes privilege escalation.

PrinterNightmare Mimikatz Driver Name
level
status experimental

Detects the static "QMS 810" and "mimikatz" printer driver names used by Mimikatz when exploiting CVE-2021-1675 and CVE-2021-34527

Powershell XML Execute Command
level
status experimental

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.

PowerShell Scripts Installed as Services
level
status experimental

Detects a PowerShell script installed as a service

Powershell Reverse Shell Connection
level
status experimental

Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell

PowerShell Remote Session Creation
level
status experimental

Detects the creation of a PowerShell remote session. Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.

PowerShell PSAttack
level
status experimental

Detects the use of PSAttack PowerShell hack tool

Powershell MsXml COM Object
level
status experimental

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.

Powershell Execute Batch Script
level
status experimental

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (e.g. .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

PowerShell Encoded Character Syntax
level
status test

Detects suspicious encoded character syntax often used for defense evasion

PowerShell Credential Prompt
level
status experimental

Detects PowerShell calling a credential prompt

PowerShell Called from an Executable Version Mismatch
level
status experimental

Detects PowerShell called from an executable by the version mismatch method

PowerShell as a Service in Registry
level
status experimental

Detects PowerShell code written to the registry as a service.

Possible CVE-2021-1675 Print Spooler Exploitation
level
status experimental

Detects driver load error events in the print service logs that could be a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675

PCRE.NET Package Temp Files
level
status experimental

Detects processes creating temp files related to PCRE.NET package

PCRE.NET Package Image Load
level
status experimental

Detects processes loading modules related to PCRE.NET package

New Application in AppCompat
level
status test

A general detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.

Mshta Spawning Windows Shell
level
status experimental

Detects a suspicious child process of a mshta.exe process

MS Office Product Spawning Exe in User Dir
level
status experimental

Detects an executable in the users directory started from Microsoft Word, Excel, PowerPoint, Publisher or Visio

Monitoring Wuauclt.exe For Lolbas Execution Of DLL
level
status experimental

Adversaries can abuse wuauclt.exe (the Windows Update client) to execute code by specifying an arbitrary DLL.

Monitoring Winget For LOLbin Execution
level
status experimental

Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 Insider builds. The manifest option lets a user install an application by passing a YAML file directly to the client, so winget can be used to download and install .exe, .msi and .msix files.

MMC20 Lateral Movement
level
status test

Detects MMC20.Application lateral movement; specifically looks for mmc.exe spawned as a child of svchost.exe with a command line containing "-Embedding"

MITRE BZAR Indicators for Execution
level
status test

Detects Windows DCE-RPC functions that indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation fields goes to MITRE

Malicious PowerShell Keywords
level
status experimental

Detects keywords from well-known PowerShell exploitation frameworks

Malicious PowerShell Commandlets
level
status experimental

Detects cmdlet names from well-known PowerShell exploitation frameworks

Malicious PowerShell Commandlet Names
level
status test

Detects the creation of known PowerShell scripts used for exploitation

MacOS Scripting Interpreter AppleScript
level
status test

Detects execution of scripts written in AppleScript, the macOS scripting language.

Login with WMI
level
status stable

Detects logins performed with WMI

LittleCorporal Generated Maldoc Injection
level
status experimental

Detects the process injection of a LittleCorporal generated Maldoc.

Lateral Movement Indicator ConDrv
level
status deprecated

This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. The account name within the event contains the compromised user account name. This event should be correlated with events 4624 and 4688 for further intrusion context.

JexBoss Command Sequence
level
status test

Detects a suspicious command sequence used by JexBoss

Invoke-Obfuscation Via Use Rundll32
level
status test

Detects obfuscated PowerShell that uses rundll32 in scripts

Invoke-Obfuscation Via Use Rundll32
level
status experimental

Detects obfuscated PowerShell that uses rundll32 in scripts

Invoke-Obfuscation Via Use Rundll32
level
status experimental

Detects obfuscated PowerShell that uses rundll32 in scripts

Invoke-Obfuscation Via Use MSHTA
level
status test

Detects obfuscated PowerShell that uses mshta in scripts

Invoke-Obfuscation Via Use MSHTA
level
status experimental

Detects obfuscated PowerShell that uses mshta in scripts

Invoke-Obfuscation Via Use MSHTA
level
status experimental

Detects obfuscated PowerShell that uses mshta in scripts

Invoke-Obfuscation Via Use Clip
level
status test

Detects obfuscated PowerShell that uses clip.exe in scripts

Invoke-Obfuscation Via Use Clip
level
status experimental

Detects obfuscated PowerShell that uses clip.exe in scripts

Invoke-Obfuscation Via Use Clip
level
status experimental

Detects obfuscated PowerShell that uses clip.exe in scripts

Invoke-Obfuscation Via Stdin
level
status test

Detects obfuscated PowerShell passed via stdin in scripts

Invoke-Obfuscation Via Stdin
level
status experimental

Detects obfuscated PowerShell passed via stdin in scripts

Invoke-Obfuscation Via Stdin
level
status experimental

Detects obfuscated PowerShell passed via stdin in scripts

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
level
status test

Detects obfuscated PowerShell via the VAR++ launcher

Invoke-Obfuscation VAR+ Launcher
level
status test

Detects obfuscated use of environment variables to execute PowerShell

Invoke-Obfuscation VAR+ Launcher
level
status experimental

Detects obfuscated use of environment variables to execute PowerShell

Invoke-Obfuscation VAR+ Launcher
level
status experimental

Detects obfuscated use of environment variables to execute PowerShell

Invoke-Obfuscation STDIN+ Launcher
level
status test

Detects obfuscated use of stdin to execute PowerShell

Invoke-Obfuscation STDIN+ Launcher
level
status experimental

Detects obfuscated use of stdin to execute PowerShell

Invoke-Obfuscation STDIN+ Launcher
level
status experimental

Detects obfuscated use of stdin to execute PowerShell

Invoke-Obfuscation RUNDLL LAUNCHER
level
status test

Detects obfuscated PowerShell via the RUNDLL launcher

Invoke-Obfuscation RUNDLL LAUNCHER
level
status experimental

Detects obfuscated PowerShell via the RUNDLL launcher

Invoke-Obfuscation RUNDLL LAUNCHER
level
status experimental

Detects obfuscated PowerShell via the RUNDLL launcher

Invoke-Obfuscation COMPRESS OBFUSCATION
level
status test

Detects obfuscated PowerShell via COMPRESS obfuscation

Invoke-Obfuscation COMPRESS OBFUSCATION
level
status experimental

Detects obfuscated PowerShell via COMPRESS obfuscation

Invoke-Obfuscation COMPRESS OBFUSCATION
level
status experimental

Detects obfuscated PowerShell via COMPRESS obfuscation

Invoke-Obfuscation CLIP+ Launcher
level
status test

Detects obfuscated use of clip.exe to execute PowerShell

Invoke-Obfuscation CLIP+ Launcher
level
status experimental

Detects obfuscated use of clip.exe to execute PowerShell

Invoke-Obfuscation CLIP+ Launcher
level
status experimental

Detects obfuscated use of clip.exe to execute PowerShell

Indirect Command Execution By Program Compatibility Wizard
level
status test

Detects indirect command execution via the Program Compatibility Assistant (pcwrun.exe)

Impacket Lateralization Detection
level
status stable

Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework

HTML Help Shell Spawn
level
status test

Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)
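Several of the rules listed here (Scheduled Cron Task/Job, Rundll32 Without Parameters, Mshta Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, MMC20 Lateral Movement and HTML Help Shell Spawn) are parent/child or command-line pattern matches over process-creation events. The following Python is an added example, not code from the Sigma project: a minimal Sigma-style matcher (AND of field tests, any-of lists, case-insensitive strings) run over constructed process-creation events. The rule conditions are simplified assumptions standing in for the published selections, and the events are invented.

```python
"""
Minimal Sigma-style matcher for process-creation telemetry.

Each rule is an AND of field tests; a list of patterns means any-of;
string comparison is case-insensitive, as in Sigma. Conditions and
events are simplified and constructed for this example; they are not the
published rules' exact selections or real telemetry.
"""

RULES = [
    {"title": "MMC20 Lateral Movement",
     "where": {"ParentImage|endswith": "\\svchost.exe",
               "Image|endswith": "\\mmc.exe",
               "CommandLine|contains": "-Embedding"}},
    {"title": "Mshta Spawning Windows Shell",
     "where": {"ParentImage|endswith": "\\mshta.exe",
               "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe",
                                  "\\wscript.exe", "\\cscript.exe", "\\rundll32.exe"]}},
    {"title": "HTML Help Shell Spawn",
     "where": {"ParentImage|endswith": "\\hh.exe",
               "Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\wscript.exe",
                                  "\\cscript.exe", "\\mshta.exe"]}},
    {"title": "MS Office Product Spawning Exe in User Dir",
     "where": {"ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\POWERPNT.EXE",
                                        "\\MSPUB.EXE", "\\VISIO.EXE"],
               "Image|startswith": "C:\\Users\\"}},
    {"title": "Rundll32 Without Parameters",
     "where": {"Image|endswith": "\\rundll32.exe",
               "CommandLine|endswith": ["rundll32.exe", "rundll32", "rundll32.exe\""]}},
    {"title": "Scheduled Cron Task/Job",
     "where": {"Image|endswith": "/crontab",
               "CommandLine|contains": "/tmp/"}},
]


def field_matches(modifier: str, value: str, pattern: str) -> bool:
    """Apply one Sigma-like modifier; no modifier means exact match."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    return v == p


def rule_matches(rule: dict, event: dict) -> bool:
    """All field tests must pass; within a test, any listed pattern suffices."""
    for key, patterns in rule["where"].items():
        field, _, modifier = key.partition("|")
        value = event.get(field, "")
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(field_matches(modifier, value, p) for p in patterns):
            return False
    return True


def evaluate(events: list, rules: list = RULES) -> dict:
    """Return {event id: [titles of rules that fired]} for events with hits."""
    hits = {}
    for ev in events:
        titles = [r["title"] for r in rules if rule_matches(r, ev)]
        if titles:
            hits[ev["id"]] = titles
    return hits


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"C:\Windows\system32\mmc.exe -Embedding"},
    {"id": 2, "ParentImage": r"C:\Windows\explorer.exe",              # benign console
     "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"C:\Windows\system32\mmc.exe compmgmt.msc"},
    {"id": 3, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c Get-Process"},
    {"id": 4, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\invoice_update.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\invoice_update.exe"},
    {"id": 5, "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start calc.exe"},
    {"id": 6, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe"},
    {"id": 7, "ParentImage": "/bin/bash",
     "Image": "/usr/bin/crontab",
     "CommandLine": "crontab /tmp/.cache/job"},
    {"id": 8, "ParentImage": r"C:\Windows\explorer.exe",              # benign rundll32
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]


if __name__ == "__main__":
    for event_id, titles in evaluate(SAMPLE_EVENTS).items():
        print(event_id, "->", ", ".join(titles))
```

Events 2 and 8 are the controls: the same images as events 1 and 6 with an ordinary parent or with parameters, which is what keeps these parent/child rules from firing on every console or rundll32 launch.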

Hidden Powershell in Link File Pattern
level
status experimental

Detects events that appear when a user clicks on a link (.lnk) file with a PowerShell command in it

Greenbug Campaign Indicators
level
status test

Detects tools and process executions as observed in a Greenbug campaign in May 2020

GatherNetworkInfo.vbs Script Usage
level
status experimental

Adversaries can abuse the C:\Windows\System32\gatherNetworkInfo.vbs script together with cscript.exe to gather information about the target

Fsutil Behavior Set SymlinkEvaluation
level
status experimental

Detects the use of fsutil behavior set SymlinkEvaluation. A symbolic link is a type of file that contains a reference to another file. Changing symlink evaluation is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt

Fireball Archer Install
level
status test

Detects Archer malware invocation via rundll32

Execution via Diskshadow.exe
level
status test

Detects the use of diskshadow.exe to execute arbitrary commands from a script (text) file

Execute Files with Msdeploy.exe
level
status test

Detects file execution using the msdeploy.exe lolbin

Execute Code with Pester.bat
level
status test

Detects code execution via Pester.bat (Pester is a PowerShell module for testing)

Exchange PowerShell Snap-Ins Used by HAFNIUM
level
status experimental

Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM

Equation Group Indicators
level
status test

Detects suspicious shell commands used in various Equation Group scripts and tools

Encoded PowerShell Command Line
level
status test

Detects specific combinations of encoding methods in the PowerShell command lines

Download from Suspicious TLD
level
status test

Detects download of certain file types from hosts in suspicious TLDs

Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
level
status test

Detects dotnet.exe being used to execute an arbitrary DLL, which allows running unsigned code

Dllhost Internet Connection
level
status test

Detects Dllhost that communicates with public IP addresses

Detection of PowerShell Execution via Sqlps.exe
level
status test

This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server. Script blocks are not logged in this case, so this utility can be used to bypass protection mechanisms that rely on the analysis of script block logs.

DarkSide Ransomware Pattern
level
status experimental

Detects DarkSide Ransomware and helpers

CVE-2021-40444 Process Pattern
level
status test

Detects a suspicious process pattern found in CVE-2021-40444 exploitation

CVE-2021-26858 Exchange Exploitation
level
status experimental

Detects possible successful exploitation of the vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server's Unified Messaging service, which could indicate dropping web shells or other malicious content

CVE-2021-26857 Exchange Exploitation
level
status stable

Detects possible successful exploitation of the vulnerability described in CVE-2021-26857 by looking for abnormal subprocesses spawned by Exchange Server's Unified Messaging service

CVE-2021-1675 Print Spooler Exploitation IPC Access
level
status experimental

Detects remote printer driver loads in Detailed File Share events of the Security log that are a sign of successful exploitation attempts against print spooler vulnerabilities CVE-2021-1675 and CVE-2021-34527

CVE-2021-1675 Print Spooler Exploitation Filename Pattern
level
status experimental

Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675

CVE-2021-1675 Print Spooler Exploitation
level
status experimental

Detects driver load events in the print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675

Cscript Visual Basic Script Execution
level
status experimental

Detects cscript.exe executing Visual Basic scripts. Adversaries may abuse Visual Basic (VB) for execution

Credential Dumping Tools Service Execution
level
status experimental

Detects well-known credential dumping tools execution via service execution events

CrackMapExec PowerShell Obfuscation
level
status test

The CrackMapExec pentesting framework implements PowerShell obfuscation that leaves some static strings, which this rule detects.

CrackMapExec Command Execution
level
status stable

Detects various execution methods of the CrackMapExec pentesting framework

Covenant Launcher Indicators
level
status test

Detects suspicious command lines used in Covenant launchers

CobaltStrike Service Installations in Registry
level
status experimental

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement. The same activity can also be caught via System log event 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml). In some SIEMs these events can also be found under HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services; this rule, however, is based on regular Sysmon registry events.

CobaltStrike Service Installations
level
status experimental

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement

CobaltStrike BOF Injection Pattern
level
status experimental

Detects a typical pattern of a Cobalt Strike BOF that injects into other processes

CLR DLL Loaded Via Scripting Applications
level
status test

Detects a CLR DLL being loaded by scripting applications

CACTUSTORCH Remote Thread Creation
level
status experimental

Detects remote thread creation from CACTUSTORCH as described in references.

Base64 Encoded Reflective Assembly Load
level
status test

Detects base64-encoded .NET reflective assembly loading

Base64 Encoded Listing of Shadowcopy
level
status test

Detects base64-encoded listing of Win32_Shadowcopy
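The rules that look for indicators inside base64-encoded PowerShell (Encoded PowerShell Command Line, Base64 Encoded Reflective Assembly Load and Base64 Encoded Listing of Shadowcopy) all have to deal with the same property of base64: a string inside a -EncodedCommand blob encodes differently depending on its byte offset modulo 3, so a single base64 pattern misses two of the three alignments. The following Python is an added example, not the rules' own logic: it derives the three alignment-stable substrings for each indicator and scans constructed command lines for them without decoding first, then decodes the -EncodedCommand argument for analyst review. The indicator strings, the flag handling and the sample command lines are assumptions for illustration, not the published selections.

```python
"""
Alignment-aware matching of base64-encoded PowerShell indicators.

powershell.exe -EncodedCommand takes base64 of UTF-16LE text, so the
base64 form of a keyword depends on the keyword's byte offset modulo 3.
Instead of decoding every command line, precompute the three stable
substrings for each indicator and look for them directly in the blob.
Indicators and sample command lines are assumed/constructed for this
example; they are not the published rules' exact selections.
"""
import base64
import re

# Assumed indicators, keyed by the rule they stand in for.
INDICATORS = {
    "reflective_assembly_load": "[Reflection.Assembly]::Load",
    "shadowcopy_listing": "Win32_Shadowcopy",
}

# "-e", "-ec", "-enc", ... "-encodedcommand" followed by a base64 argument.
FLAG_RE = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Any run of base64 characters long enough to carry a script fragment.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def base64_variants(text: str, encoding: str = "utf-16le") -> list:
    """Return the three base64 substrings that are stable for `text` when it
    sits at byte offset 0, 1 or 2 (mod 3) inside a larger encoded buffer."""
    raw = text.encode(encoding)
    variants = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + raw).decode("ascii")
        start = -(-8 * offset // 6)          # first 6-bit group untouched by the prefix
        end = 8 * (offset + len(raw)) // 6   # last group fully determined by `raw`
        variants.append(enc[start:end])
    return variants


def extract_encoded_blobs(cmdline: str) -> list:
    """Base64 arguments passed via -EncodedCommand or any accepted prefix of it."""
    blobs = []
    for m in FLAG_RE.finditer(cmdline):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            blobs.append(m.group(2))
    return blobs


def decode_encoded_command(blob: str):
    """Decode an -EncodedCommand argument, or None if it is not base64 UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_command_line(cmdline: str, indicators: dict = INDICATORS) -> dict:
    """Flag an -EncodedCommand launch and every indicator present in base64
    form, whatever its alignment inside the encoded script."""
    encoded_blobs = extract_encoded_blobs(cmdline)
    candidates = encoded_blobs + B64_RUN_RE.findall(cmdline)
    hits = set()
    for name, text in indicators.items():
        for variant in base64_variants(text):
            if variant and any(variant in blob for blob in candidates):
                hits.add(name)
    return {
        "encoded_command": bool(encoded_blobs),
        "indicators": sorted(hits),
        "decoded": [decode_encoded_command(b) for b in encoded_blobs],
    }


def encode_command(script: str, pad_chars: int = 0) -> str:
    """Build an -EncodedCommand argument the way powershell.exe expects it;
    pad_chars prepends spaces so callers can shift the byte alignment."""
    return base64.b64encode((" " * pad_chars + script).encode("utf-16le")).decode("ascii")


# Constructed process-creation command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoP -W Hidden -enc "
    + encode_command("Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"),
    "powershell.exe -ec "
    + encode_command("[Reflection.Assembly]::Load([Convert]::FromBase64String($b))", 1),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -e " + encode_command("Get-Date"),
]


def scan_samples() -> list:
    return [scan_command_line(c) for c in SAMPLE_COMMAND_LINES]


if __name__ == "__main__":
    for cmd, result in zip(SAMPLE_COMMAND_LINES, scan_samples()):
        print(cmd[:48], "->", result["indicators"] or "no indicator", result["decoded"])
```

The variant trick is what makes the match independent of what precedes the indicator in the script; the decode step is there for triage, since a rule that only matches substrings cannot tell an analyst what the blob actually runs.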

Arbitrary Shell Command Execution Via Settingcontent-Ms
level
status experimental

Detects arbitrary shell command execution via a .SettingContent-ms file. The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 settings pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

Antivirus Exploitation Framework Detection
level
status test

Detects a highly relevant Antivirus alert that reports an exploitation framework

Accessing WinAPI in PowerShell. Code Injection.
level
status test

Detects code injection into another process from PowerShell

Accessing WinAPI in PowerShell
level
status experimental

Detects the use of WinAPI functions from PowerShell
