attack.persistence

Suspicious MSExchangeMailboxReplication ASPX Write
level
status experimental

Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation

Registry Modification to Hidden File Extension
level
status experimental

Hides the file extension through modification of the registry

IE Change Domain Zone
level
status experimental

Hides the file extension through modification of the registry

Suspicious Get-WmiObject
level
status experimental

The infrastructure for management data and operations that enables local and remote management of Windows personal computers and servers

Winlogon Notify Key Logon Persistence
level
status experimental

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.

Service Registry Permissions Weakness Check
level
status experimental

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in registry permissions to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

Service ImagePath Change with Reg.exe
level
status experimental

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in registry permissions to redirect from the originally specified executable to one that they control, in order to launch their own code at service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

Registry-Free Process Scope COR_PROFILER
level
status experimental

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (external to .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)

Registry Key Creation or Modification for Shim Database
level
status experimental

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time

Creation Exe for Service with Unquoted Path
level
status experimental

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary’s executable to launch.

Add Port Monitor Persistence in Registry
level
status experimental

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.

Suspicious Screensaver Binary File Creation
level
status experimental

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension

Running Chrome VPN Extensions via the Registry 2 VPN Extension
level
status experimental

Detects the installation of two Chrome VPN extensions via the registry

Powershell LocalAccount Manipulation
level
status experimental

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups

Powershell Create Scheduled Task
level
status experimental

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code

New Shim Database Created in the Default Directory
level
status experimental

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.

Manipulation of User Computer or Group Security Principals Across AD
level
status experimental

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services, where access and permissions are configured across systems and services that are part of that domain.

Code Executed Via Office Add-in XLL File
level
status experimental

Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs

Abuse of Service Permissions to Hide Services in Tools
level
status experimental

Detects the sc.exe utility adding a new service with special permissions which hide that service.

Suspicious Shells Spawn by Java Utility Keytool
level
status experimental

Detects suspicious shell spawn from the Java utility keytool process (e.g. ADSelfService Plus exploitation)

Suspicious Shells Spawn by Java
level
status experimental

Detects suspicious shell spawn from a Java host process (e.g. log4j exploitation)

Shells Spawn by Java
level
status experimental

Detects shell spawn from a Java host process, which could be a maintenance task or some kind of exploitation (e.g. log4j exploitation)

Azure Kubernetes Admission Controller
level
status experimental

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Google Cloud Kubernetes Admission Controller
level
status experimental

Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Azure Kubernetes CronJob
level
status experimental

Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Jobs can be used to run containers that perform finite tasks for batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use Kubernetes CronJobs for scheduling execution of malicious code that would run as a container in the cluster.

Google Cloud Kubernetes CronJob
level
status experimental

Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Suspicious Scheduled Task Write to System32 Tasks
level
status experimental

Detects the creation of tasks from processes executed from suspicious locations

Cron Files
level
status experimental

Detects creation of cron files or files in Cron directories. Potential persistence.

Linux Webshell Indicators
level
status experimental

Detects suspicious sub processes of web server processes

Suspicious Driver Install by pnputil.exe
level
status experimental

Detects when a possibly suspicious driver is being installed via the pnputil.exe LOLBin

Chafer Activity
level
status experimental

Detects Chafer activity attributed to OilRig as reported in the Nyotron report of March 2018

Okta MFA Reset or Deactivated
level
status experimental

Detects an attempt at deactivating or resetting MFA.

Okta API Token Created
level
status experimental

Detects when an API token is created

CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
level
status experimental

Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).

Google Workspace User Granted Admin Privileges
level
status experimental

Detects when a Google Workspace user is granted admin privileges.

Google Workspace Granted Domain API Access
level
status experimental

Detects when an API access service account is granted domain authority.

Certificate Request Export to Exchange Webserver
level
status experimental

Detects a write of an Exchange CSR to an untypical directory or with an .aspx name suffix, which can be used to place a webshell

Powerup Write Hijack DLL
level
status experimental

PowerUp tool’s Write Hijack DLL exploits DLL hijacking for privilege escalation. In its default mode, it builds a self-deleting .bat file which executes a malicious command. The detection rule relies on the creation of the malicious bat file (debug.bat by default).

Suspicious Bitstransfer via PowerShell
level
status experimental

Detects file transfers from a system using the BitsTransfer PowerShell cmdlets

Mailbox Export to Exchange Webserver
level
status experimental

Detects a successful export of an Exchange mailbox to an untypical directory or with an .aspx name suffix, which can be used to place a webshell, or the role assignment needed for it

AWS ElastiCache Security Group Created
level
status experimental

Detects when an ElastiCache security group has been created.

AWS Route 53 Domain Transfer Lock Disabled
level
status experimental

Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.

AWS Route 53 Domain Transferred to Another Account
level
status experimental

Detects when a request has been made to transfer a Route 53 domain to another AWS account.

SOURGUM Actor Behaviours
level
status experimental

Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM

Serv-U Exploitation CVE-2021-35211 by DEV-0322
level
status experimental

Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322

Outlook C2 Registry Key
level
status experimental

Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.

Stealthy VSTO Persistence
level
status experimental

Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.

Solarwinds SUPERNOVA Webshell Access
level
status experimental

Detects access to SUPERNOVA webshell as described in Guidepoint report

Suspicious Shells Spawn by SQL Server
level
status experimental

Detects suspicious shell spawn from the MSSQL process, which might be a sign of RCE or SQL injection

AWS User Login Profile Was Modified
level
status experimental

An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to log in to the AWS console for any user that already has a login profile set up. This alert detects anyone changing the password on behalf of other users.

WINEKEY Registry Modification
level
status test

Detects potential malicious modification of run keys by winekey or team9 backdoor

Office Application Startup - Office Test
level
status experimental

Detects the addition of the Office test registry key that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started

Setuid and Setgid
level
status test

Detects suspicious change of file privileges with chown and chmod commands

Suspicious New Printer Ports in Registry (CVE-2020-1048)
level
status test

Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048

Windows Registry Persistence COM Search Order Hijacking
level
status experimental

Detects potential COM object hijacking leveraging the COM Search Order

PowerShell Create Local User
level
status experimental

Detects creation of a local user via PowerShell

Suspicious desktop.ini Action
level
status test

Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder’s content (i.e. renaming files) without changing them on disk.

AWS IAM Backdoor Users Keys
level
status experimental

Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.

Tasks Folder Evasion
level
status experimental

The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr

Ryuk Ransomware
level
status test

Detects Ryuk ransomware activity

Cisco Modify Configuration
level
status test

Modifications to a config that will serve an adversary’s impacts or persistence

Cisco Local Accounts
level
status test

Find local accounts being created or modified as well as remote authentication configurations

Direct Autorun Keys Modification
level
status test

Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.

Suspicious Windows ANONYMOUS LOGON Local Account Created
level
status experimental

Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for the exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.

Change Default File Association
level
status test

When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

Svchost DLL Search Order Hijack
level
status test

The IKEEXT and SessionEnv services call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services (“svchost.exe -k netsvcs”) to gain code execution on a remote machine.

Suspicious Bitsadmin Job via PowerShell
level
status test

Detect download by BITS jobs via PowerShell

Net.exe User Account Creation
level
status test

Identifies creation of local users via the net.exe command.

Possible Privilege Escalation via Weak Service Permissions
level
status test

Detects the sc.exe utility being spawned by a user with Medium integrity level to change a service ImagePath or FailureCommand

Narrator's Feedback-Hub Persistence
level
status test

Detects abuse of the Windows 10 Narrator’s Feedback-Hub

Suspicious Service Path Modification
level
status test

Detects service path modification to PowerShell or cmd.

Powershell Profile.ps1 Modification
level
status test

Detects a change in profile.ps1 of the Powershell profile

Winlogon Helper DLL
level
status experimental

Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.

Systemd Service Reload or Start
level
status test

Detects a reload or a start of a service.

Webshell Remote Command Execution
level
status experimental

Detects possible command execution by web application/web shell

DLL Load via LSASS
level
status test

Detects a method to load DLL via LSASS process using an undocumented Registry key

WMI Backdoor Exchange Transport Agent
level
status test

Detects a WMI backdoor in Exchange Transport Agents via WMI event filters

Control Panel Items
level
status test

Detects the malicious use of a control panel item

Edit of .bash_profile and .bashrc
level
status test

Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.

Local User Creation
level
status test

Detects local user creation on Windows servers, which shouldn’t happen in an Active Directory environment. Apply this Sigma use case on your Windows server logs and not on your DC logs.

Shells Spawned by Web Servers
level
status test

Web servers that spawn shell processes could be the result of a successfully placed web shell or another attack

Scheduled Task Creation
level
status experimental

Detects the creation of scheduled tasks in user session

Possible Shim Database Persistence via sdbinst.exe
level
status experimental

Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.

IIS Native-Code Module Command Line Installation
level
status test

Detects suspicious IIS native-code module installations via command line

Execution in Webserver Root Folder
level
status test

Detects a suspicious program execution in a web service root folder (filter out false positives)

WMI Event Subscription
level
status test

Detects creation of WMI event subscription persistence method

Logon Scripts (UserInitMprLogonScript)
level
status test

Detects creation or execution of UserInitMprLogonScript persistence method

Turla PNG Dropper Service
level
status test

This method detects malicious services mentioned in the Turla PNG dropper report by NCC Group in November 2018

Oracle WebLogic Exploit
level
status experimental

Detects access to a webshell dropped into a keystore folder on the WebLogic server

Default PowerSploit and Empire Schtasks Persistence
level
status test

Detects the creation of a schtask via PowerSploit or Empire Default Configuration.

Sticky Key Like Backdoor Usage
level
status experimental

Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen

Defrag Deactivation
level
status experimental

Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group

WMI Persistence
level
status experimental

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

Turla Service Install
level
status test

This method detects a service install of malicious services mentioned in the Carbon Paper - Turla report by ESET

Shellshock Expression
level
status experimental

Detects shellshock expressions in log files

User Added to Local Administrators
level
status stable

This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity

Password Change on Directory Service Restore Mode (DSRM) Account
level
status stable

The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.

Addition of SID History to Active Directory Object
level
status stable

An attacker can use the SID history attribute to gain additional privileges.

Suspicious Driver Load from Temp
level
status test

Detects a driver load from a temporary directory

Webshell Detection by Keyword
level
status test

Detects webshells that use GET requests by keyword searches in URL strings

Failed Logins with Different Accounts from Single Source System
level
status experimental

Detects suspicious failed logins with different user accounts from a single source system

Account Tampering - Suspicious Failed Logon Reasons
level
status experimental

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Writing Of Malicious Files To The Fonts Folder
level
status experimental

Monitors for possibly malicious files being hidden in the C:\Windows\Fonts\ location. This folder doesn’t require admin privileges to be written to and executed from.

WMI Script Host Process Image Loaded
level
status test

Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process.

WMI Persistence - Script Event Consumer File Write
level
status test

Detects file writes of WMI script event consumer

Windows Spooler Service Suspicious File Deletion
level
status experimental

Detect DLL deletions from Spooler Service driver folder

Windows Spooler Service Suspicious Binary Load
level
status experimental

Detect DLL Load from Spooler Service backup folder

Windows Network Access Suspicious desktop.ini Action
level
status test

Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder’s content (i.e. renaming files) without changing them on disk.

Webshell ReGeorg Detection Via Web Logs
level
status experimental

Certain strings in the uri_query field when combined with null referer and null user agent can indicate activity associated with the webshell ReGeorg.

VMToolsd Suspicious Child Process
level
status experimental

Detects suspicious child process creations of VMware Tools process which may indicate persistence setup

VBScript Payload Stored in Registry
level
status experimental

Detects VBScript content stored into registry keys as seen being used by UNC2452 group

UAC Bypass With Fake DLL
level
status experimental

Attempts to load dismcore.dll after dropping it

Systemd Service Creation
level
status experimental

Detects a creation of systemd services which could be used by adversaries to execute malicious code.

Suspicious WMIC ActiveScriptEventConsumer Creation
level
status experimental

Detects WMIC executions in which an event consumer gets created in order to establish persistence

Suspicious VBScript UNC2452 Pattern
level
status experimental

Detects suspicious inline VBScript keywords as used by UNC2452

Suspicious Task Added by Powershell
level
status experimental

Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model

Suspicious Task Added by Bitsadmin
level
status experimental

Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model

Suspicious Shells Spawn by WinRM
level
status experimental

Detects suspicious shell spawn from WinRM host process

Suspicious Service DACL Modification
level
status test

Detects suspicious DACL modifications that can be used to hide services or make them unstoppable

Suspicious Scheduled Task Creation Involving Temp Folder
level
status experimental

Detects the creation of scheduled tasks that involves a temporary folder and runs only once

Suspicious Run Key from Download
level
status test

Detects suspicious RUN keys created by software located in the Downloads or temporary Outlook/Internet Explorer directories

Suspicious PrinterPorts Creation (CVE-2020-1048)
level
status test

Detects commands that add a new printer port pointing to a suspicious file

Suspicious PowerShell Mailbox Export to Share
level
status experimental

Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations

Suspicious Encoded Scripts in a WMI Consumer
level
status experimental

Detects suspicious encoded payloads in WMI Event Consumers

Suspicious Download File Extension with Bits
level
status experimental

Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model

Suspicious Debugger Registration Cmdline
level
status test

Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).

Suspicious Add User to Remote Desktop Users Group
level
status experimental

Detects suspicious command line in which a user gets added to the local Remote Desktop Users group

StoneDrill Service Install
level
status test

This method detects a service install of the malicious Microsoft Network Realtime Inspection Service described in the StoneDrill report by Kaspersky

Startup Items
level
status test

Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.

Startup Folder File Write
level
status test

A general detection for files being created in the Windows startup directory. This could be an indicator of persistence.

SilentProcessExit Monitor Registration
level
status experimental

Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process

ServiceDll Modification
level
status experimental

Detects the modification of a ServiceDLL value in the service settings

Scheduled Cron Task/Job
level
status test

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection focuses on crontab jobs uploaded from the tmp folder.

Scheduled Cron Task/Job
level
status test

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection focuses on crontab jobs uploaded from the tmp folder.

Remote WMI ActiveScriptEventConsumers
level
status test

Detects potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network

Remote Task Creation via ATSVC Named Pipe - Zeek
level
status test

Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe

Remote Task Creation via ATSVC Named Pipe
level
status test

Detects remote task creation via at.exe or an API interacting with the ATSVC named pipe

Remote Service Activity via SVCCTL Named Pipe
level
status test

Detects remote service activity via remote access to the svcctl named pipe

Registry Persistence Mechanism via Windows Telemetry
level
status test

Detects a persistence method using Windows telemetry

Reg Add RUN Key
level
status experimental

Detects a suspicious command line in which the reg.exe tool adds a key to the RUN key in the Registry

Powerview Add-DomainObjectAcl DCSync AD Extend Right
level
status experimental

Detects backdooring of a domain object to grant the rights associated with DCSync to a regular user or machine account using the PowerView Add-DomainObjectAcl cmdlet (DCSync extended right), which allows re-obtaining the password hashes of any user/computer

Possible Ransomware or Unauthorized MBR Modifications
level
status experimental

Detects possibly malicious, unauthorized usage of bcdedit.exe

Pingback Backdoor
level
status experimental

Detects the use of the Pingback backdoor that creates an ICMP tunnel for C2 as described in the Trustwave report

Pingback Backdoor
level
status experimental

Detects the use of the Pingback backdoor that creates an ICMP tunnel for C2 as described in the Trustwave report

Pingback Backdoor
level
status experimental

Detects the use of the Pingback backdoor that creates an ICMP tunnel for C2 as described in the Trustwave report

Persistent Outlook Landing Pages
level
status experimental

Detects the manipulation of persistent URLs which can be malicious

Persistent Outlook Landing Pages
level
status experimental

Detects the manipulation of persistent URLs which could execute malicious code

Persistence and Execution at Scale via GPO Scheduled Task
level
status test

Detects lateral movement using a GPO scheduled task, usually used to deploy ransomware at scale

Path To Screensaver Binary Modified
level
status test

Detects value modification of the registry key containing the path to the binary used as screensaver.

Outlook Form Installation
level
status experimental

Detects the creation of a new Outlook form which can contain malicious code

Outlook C2 Macro Creation
level
status experimental

Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events (Registry & File Creation) happen at the same time.

New TaskCache Entry
level
status experimental

Monitors the creation of a new key under ‘TaskCache’ when a new scheduled task is registered

New Federated Domain Added
level
status experimental

Alert for the addition of a new federated domain.

MSExchange Transport Agent Installation
level
status experimental

Detects the installation of an Exchange Transport Agent

Moriya Rootkit
level
status experimental

Detects the use of the Moriya rootkit as described in Securelist’s Operation TunnelSnake report

Modification Of Existing Services For Persistence
level
status experimental

Detects modification of an existing service on a compromised host in order to execute an arbitrary payload when the service is started or killed as a method of persistence.

MITRE BZAR Indicators for Persistence
level
status test

Windows DCE-RPC functions which indicate persistence techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE.

Microsoft Office Add-In Loading
level
status test

Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).

MacOS Emond Launch Daemon
level
status test

Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.

Logon Scripts (UserInitMprLogonScript) Registry
level
status test

Detects creation or execution of UserInitMprLogonScript persistence method

Loading of Kernel Module via Insmod
level
status experimental

Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.

Leviathan Registry Key Activity
level
status experimental

Detects registry key used by Leviathan APT in Malaysian focused campaign

HybridConnectionManager Service Running
level
status experimental

Rule to detect the Hybrid Connection Manager service running on an endpoint.

HybridConnectionManager Service Installation
level
status experimental

Rule to detect the Hybrid Connection Manager service installation.

Hidden Local User Creation
level
status experimental

Detects the creation of a local hidden user account which should not happen for event ID 4720.

Fax Service DLL Search Order Hijack
level
status test

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

Failed MSExchange Transport Agent Installation
level
status experimental

Detects a failed installation of an Exchange Transport Agent

Exchange Set OabVirtualDirectory ExternalUrl Property
level
status experimental

Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log

Exchange Exploitation Activity
level
status experimental

Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers

Enabling COR Profiler Environment Variables
level
status test

This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.

Enabled User Right in AD to Control User Objects
level
status test

Detects the scenario where a user is assigned the SeEnableDelegationPrivilege right in Active Directory, which would allow control of other AD user objects.

DNS HybridConnectionManager Service Bus
level
status experimental

Detects Azure Hybrid Connection Manager services querying the Azure service bus service

Disabled MFA to Bypass Authentication Mechanisms
level
status experimental

Detection for when multi-factor authentication has been disabled, which might indicate malicious activity to bypass authentication mechanisms.

DEWMODE Webshell Access
level
status experimental

Detects access to DEWMODE webshell as described in FIREEYE report

Creation Of An User Account
level
status test

Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

Creation Of A Local User Account
level
status test

Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

Creation of a Local Hidden User Account by Registry
level
status experimental

Sysmon registry detection of a local hidden user account.

Code Injection by ld.so Preload
level
status experimental

Detects the ld.so preload persistence file. See man ld.so for more information.

Changing RDP Port to Non Standard Number
level
status experimental

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).

Bypass UAC Using Event Viewer
level
status experimental

Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification

Bitsadmin Download
level
status experimental

Detects usage of bitsadmin downloading a file

Atbroker Registry Change
level
status experimental

Detects creation/modification of Assistive Technology applications and persistence through the usage of ATs

Addition of Domain Trusts
level
status stable

Addition of domains is rare and should be verified for legitimacy.

Abusing Windows Telemetry For Persistence
level
status experimental

Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
