diff --git a/.github/workflows/goodlog-tests.yml b/.github/workflows/goodlog-tests.yml
index 3f6a4274b..20ed3cb43 100644
--- a/.github/workflows/goodlog-tests.yml
+++ b/.github/workflows/goodlog-tests.yml
@@ -39,7 +39,7 @@ on: workflow_dispatch: env: - EVTX_BASELINE_VERSION: v0.8.1 + EVTX_BASELINE_VERSION: v0.8.2 jobs: check-baseline-win7:
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 688b858e6..2a38f98d9 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -3,11 +3,10 @@ RuleId;RuleName;MatchString
 ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94;Suspicious WSMAN Provider Image Loads;.*
 db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;python-3
 db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe
-96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient
-96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen
+96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;.*
 1277f594-a7d1-4f28-a2d3-73af5cbeab43;Windows Shell File Write to Suspicious Folder;Computer: Agamemnon
 e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
-8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml
+8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;(sysmon-intense\.xml|sysmonconfig-trace\.xml)
 8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: (evtx-PC|Agamemnon)
 4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_
 36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR
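Review bot: `96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;.*` turns two specific allow entries into a catch-all, so any future match of that rule against the baseline EVTX sets is accepted without review; the `@@ -48,8` hunk does the same with `a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: .*`, which is equivalent to `.*`. This hunk already shows the narrower form with the Sysmon entry, so the replaced strings could stay explicit instead: `96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;(sharepointclient|odopen|target\.exe)`. If a catch-all is deliberate because the rule is expected to fire on the test data, stating which rules are intentionally wildcarded in the PR description would help whoever reviews the next baseline bump, since the CSV has no comment syntax to record it.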
@@ -17,8 +16,8 @@ e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell
 162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer(_Service)?\.exe
 cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20\.49\.150\.241
 bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\.101\.64\.223
+bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;146\.75\.117\.55
 9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\.exe
-96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;target\.exe
 9494479d-d994-40bf-a8b1-eea890237021;Scheduled Task Creation From Potential Suspicious Parent Location;.*
 81325ce1-be01-4250-944f-b4789644556f;Suspicius Schtasks From Env Var Folder;TVInstallRestore
 6ea3bf32-9680-422d-9f50-e90716b12a66;UAC Bypass Via Wsreset;EventType: DeleteKey
@@ -37,6 +36,7 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe
 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe
 7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe
 949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: Agamemnon
+949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: WinDev2310Eval
 fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*
 100ef69e-3327-481c-8e5c-6d80d9507556;System Eventlog Cleared;.*
 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon
@@ -48,8 +48,8 @@ b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;msedge\.exe
 b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;firefox\.exe
 b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;7z\.exe
 65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;powershell\.exe
-a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: DESKTOP-A8CALR3
-a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: WIN-06FB45IHQ35
+65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: WIN-FPV0DSIC9O6.sigma.fr
+a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: .*
 4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.exe
 4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.tmp
 48bfd177-7cf2-412b-ad77-baf923489e82;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd.exe
@@ -59,3 +59,14 @@ e9d4ab66-a532-4ef7-a502-66a9e4a34f5d;NTLMv1 Logon Between Client and Server;.*
 ccb5742c-c248-4982-8c5c-5571b9275ad3;Potential Suspicious Findstr.EXE Execution;httpd\.exe
 9ae01559-cf7e-4f8e-8e14-4c290a1b4784;CredUI.DLL Load By Uncommon Process;Spotify\.exe
 52182dfb-afb7-41db-b4bc-5336cb29b464;Suspicious File Download From File Sharing Websites;objects\.githubusercontent\.com
+ce72ef99-22f1-43d4-8695-419dcb5d9330;Suspicious Windows Service Tampering;TeamViewer
+dae8171c-5ec6-4396-b210-8466585b53e9;SCM Database Privileged Operation;0x277c6
+3ce8e9a4-bc61-4c9b-8e69-d7e2492a8781;OpenSSH Server Listening On Socket;.*
+b69888d4-380c-45ce-9cf9-d9ce46e67821;Hidden Executable In NTFS Alternate Data Stream;.*
+4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76;Potentially Suspicious AccessMask Requested From LSASS;\\setup\.exe
+d99b79d2-0a6f-4f46-ad8b-260b6e17f982;Security Eventlog Cleared;Computer: WinDevEval
+b28e58e4-2a72-4fae-bdee-0fbe904db642;Windows Defender Real-time Protection Disabled;Computer: WinDev2310Eval
+ef9dcfed-690c-4c5d-a9d1-482cd422225c;Browser Execution In Headless Mode;.*
+65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: (DESKTOP-6D0DBMB|WinDev2310Eval)
+de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys Using Reg.EXE;\\Discord\\
+24357373-078f-44ed-9ac4-6d334a668a11;Direct Autorun Keys Modification;Discord\.exe
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
new file mode 100644
index 000000000..b60ab8c0c
--- /dev/null
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml
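Review bot: `b69888d4-380c-45ce-9cf9-d9ce46e67821;Hidden Executable In NTFS Alternate Data Stream;.*` reuses the RuleId that the `@@ -48,8` hunk still carries three times as `Executable in ADS` (msedge, firefox, 7z); if the rule was renamed, the `.*` entry subsumes those three and they should be dropped here, as the `@@ -17,8` hunk drops the superseded `target\.exe` entry for the COM-hijacking rule. If the checker matches on RuleName as well as RuleId, the old-name entries can no longer match at all and are dead either way. `65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: (DESKTOP-6D0DBMB|WinDev2310Eval)` and the `@@ -48,8` hunk's `Computer: WIN-FPV0DSIC9O6.sigma.fr` are two entries for one rule that could be a single alternation, and the latter leaves its dots unescaped unlike most other dotted match strings in the file.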
@@ -0,0 +1,68 @@ +title: Use Short Name Path in Command Line +id: 349d891d-fef0-4fe4-bc53-eee623a15969 +related: + - id: a96970af-f126-420d-90e1-d37bf25e50e1 + type: similar +status: test +description: | + Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations. + Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs. + When investigating, examine: + - Commands using short paths to access sensitive directories or files + - Web servers on Windows (especially Apache) where short filenames could bypass security controls + - Correlation with other suspicious behaviors + - baseline of short name usage in your environment and look for deviations +references: + - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ + - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10) + - https://twitter.com/frack113/status/1555830623633375232 +author: frack113, Nasreddine Bencherchali +date: 2022-08-07 +modified: 2025-10-07 +tags: + - attack.defense-evasion + - attack.t1564.004 + - detection.threat-hunting +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - '~1\' + - '~2\' + filter_main_system_process: + ParentImage: + - 'C:\Windows\System32\Dism.exe' + - 'C:\Windows\System32\cleanmgr.exe' + filter_main_winget: + - ParentImage|endswith: '\winget.exe' + - ParentImage|contains: '\AppData\Local\Temp\WinGet\' + filter_main_installers: + - Image|contains|all: + - '\AppData\' + - '\Temp\' + - CommandLine|contains: '\AppData\Local\Temp\' # sometimes installers spawn other installers from temp folder + filter_optional_dopus: + ParentImage: 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe' + filter_optional_aurora: + ParentImage|endswith: + - '\aurora-agent-64.exe' + - '\aurora-agent.exe' + 
filter_optional_thor: + ParentImage|endswith: '\thor\thor64.exe' + filter_optional_git: + CommandLine|contains: + - 'C:\Program Files\Git\post-install.bat' + - 'C:\Program Files\Git\cmd\scalar.exe' + filter_optional_webex: + - ParentImage|endswith: '\WebEx\webexhost.exe' + - CommandLine|contains: '\appdata\local\webex\webex64\meetings\wbxreport.exe' + filter_optional_veeam: + ParentImage|endswith: '\veeam.backup.shell.exe' + filter_optional_everything: + ParentImage|endswith: '\Everything\Everything.exe' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* +falsepositives: + - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process. +level: medium diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml index ad38d53a1..f66cca979 100644 --- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml @@ -9,7 +9,7 @@ references: - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-01-11 -modified: 2025-03-07 +modified: 2025-10-07 tags: - attack.defense-evasion logsource: @@ -28,6 +28,7 @@ detection: - 'C:\Windows\ImmersiveControlPanel\' - 'x-windowsupdate://' - 'file:///C:/Program%20Files' # Also covers 'file:///C:/Program%20Files%20(x86)/' + - 'AppData/Local/Temp/WinGet/Microsoft.Winget.Source' filter_main_specific: Path|contains: - 'https://statics.teams.cdn.live.net/' 
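Review bot: `filter_main_installers` in the new rule drops every event whose image path contains both `\AppData\` and `\Temp\`, and every command line containing `\AppData\Local\Temp\`, yet user temp directories are the paths where an 8.3 short name in a command line is most worth a hunter's attention, and the `filter_main_` tier marks a filter that always applies rather than one meant to be tuned. Consider `filter_optional_installers` with a comment stating the trade-off, e.g. `# installers commonly unpack and run from %TEMP%; drop this filter to hunt Temp-staged binaries`. `filter_optional_git` and the second branch of `filter_optional_webex` match only on the `CommandLine` string rather than on an image path, which makes them weaker than the `ParentImage`-based filters around them; a short comment saying so would help later tuning. The `description` bullet `baseline of short name usage` is lowercase while the bullets above it are capitalised.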
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml index 14bfbcd8a..dd4fcd41c 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule.yml @@ -6,7 +6,7 @@ references: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 date: 2022-02-19 -modified: 2024-08-29 +modified: 2025-10-08 tags: - attack.defense-evasion - attack.t1562.004 @@ -28,9 +28,6 @@ detection: - 'C:\Windows\System32\' - 'C:\Windows\SysWOW64\' - 'C:\Windows\WinSxS\' - filter_optional_msmpeng: - ModifyingApplication|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\' - ModifyingApplication|endswith: '\MsMpEng.exe' filter_main_covered_paths: # This filter is added to avoid duplicate alerting from 9e2575e7-2cb9-4da1-adc8-ed94221dca5e ApplicationPath|contains: 
@@ -41,13 +38,28 @@ detection: - 'C:\Windows\Tasks\' - 'C:\Windows\Temp\' - '\AppData\Local\Temp\' + filter_main_system_dllhost: + ApplicationPath: 'System' + ModifyingApplication: 'C:\Windows\System32\dllhost.exe' + filter_main_tiworker: + ModifyingApplication|startswith: 'C:\Windows\WinSxS\' + ModifyingApplication|endswith: '\TiWorker.exe' + filter_main_null: + ApplicationPath: null filter_optional_no_path: # This filter filters a lot of FPs related to Windows Services ModifyingApplication: - 'C:\Windows\System32\svchost.exe' - 'C:\Windows\System32\dllhost.exe' ApplicationPath: '' - filter_main_null: - ApplicationPath: null + filter_optional_msmpeng: + - ModifyingApplication|startswith: + - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' + - 'C:\Program Files\Windows Defender\' + ModifyingApplication|endswith: '\MsMpEng.exe' + - ApplicationPath|startswith: + - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' + - 'C:\Program Files\Windows Defender\' + ApplicationPath|endswith: '\MsMpEng.exe' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* level: medium diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml index b136b45de..2b74ad5c5 100644 --- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml +++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml @@ -12,7 +12,7 @@ references: - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673 author: xknow (@xknow_infosec), xorxes (@xor_xes) date: 2019-04-08 -modified: 2023-01-20 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.t1562.001 @@ -24,7 +24,7 @@ detection: EventID: 4673 PrivilegeList: 'SeLoadDriverPrivilege' Service: '-' - filter_exact: + filter_main_exact: ProcessName: - 'C:\Windows\System32\Dism.exe' - 'C:\Windows\System32\rundll32.exe' 
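Review bot: The second branch of the rewritten `filter_optional_msmpeng` (`ApplicationPath|startswith` the two Defender directories plus `ApplicationPath|endswith: '\MsMpEng.exe'`) keys on the target application alone, so a firewall rule for the Defender engine is excluded no matter which `ModifyingApplication` created it, whereas the first branch and the removed original required the modifier itself to be MsMpEng. If the intent is to cover Defender's own installer or updater creating rules for the engine, adding `ModifyingApplication|startswith` with the same two directories to that branch keeps the exclusion narrow; the rule's selection fields are outside this hunk, so I cannot tell whether the rule's action or direction could be used to narrow it instead. `filter_main_system_dllhost` and `filter_main_tiworker` are new unconditional exclusions with no comment; a one-line note on each naming the legitimate activity observed, as `filter_optional_no_path` has, would document why they belong to the `main` tier.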
@@ -36,7 +36,7 @@ detection: - 'C:\Windows\System32\RuntimeBroker.exe' - 'C:\Windows\System32\SystemSettingsBroker.exe' - 'C:\Windows\explorer.exe' - filter_endswith: + filter_optional_others: ProcessName|endswith: - '\procexp64.exe' - '\procexp.exe' @@ -44,9 +44,14 @@ detection: - '\procmon.exe' - '\Google\Chrome\Application\chrome.exe' - '\AppData\Local\Microsoft\Teams\current\Teams.exe' - filter_startswith: + filter_main_startswith: ProcessName|startswith: 'C:\Program Files\WindowsApps\Microsoft' - condition: selection_1 and not 1 of filter_* + filter_optional_dropbox: + ProcessName|startswith: + - 'C:\Program Files (x86)\Dropbox\' + - 'C:\Program Files\Dropbox\' + ProcessName|endswith: '\Dropbox.exe' + condition: selection_1 and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers. level: medium diff --git a/rules/windows/file/file_event/file_event_win_creation_system_file.yml b/rules/windows/file/file_event/file_event_win_creation_system_file.yml index 78ac9aa95..de270f6ed 100644 --- a/rules/windows/file/file_event/file_event_win_creation_system_file.yml +++ b/rules/windows/file/file_event/file_event_win_creation_system_file.yml @@ -8,7 +8,7 @@ references: - Internal Research author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2020-05-26 -modified: 2024-06-24 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.t1036.005 
@@ -102,19 +102,29 @@ detection: - 'C:\Windows\WinSxS\' - 'C:\Windows\uus\' filter_main_svchost: - Image|endswith: 'C:\Windows\system32\svchost.exe' - TargetFilename|contains: 'C:\Program Files\WindowsApps\' + Image|endswith: + - 'C:\Windows\system32\svchost.exe' + - 'C:\Windows\SysWOW64\svchost.exe' + TargetFilename|contains: + - 'C:\Program Files\WindowsApps\' + - 'C:\Program Files (x86)\WindowsApps\' + - '\AppData\Local\Microsoft\WindowsApps\' filter_main_wuauclt: - Image|endswith: 'C:\Windows\System32\wuauclt.exe' + Image|endswith: + - 'C:\Windows\System32\wuauclt.exe' + - 'C:\Windows\SysWOW64\wuauclt.exe' filter_main_explorer: TargetFilename|endswith: 'C:\Windows\explorer.exe' filter_main_msiexec: # This filter handles system processes who are updated/installed using misexec. - Image|endswith: 'C:\WINDOWS\system32\msiexec.exe' + Image|endswith: + - 'C:\WINDOWS\system32\msiexec.exe' + - 'C:\WINDOWS\SysWOW64\msiexec.exe' # Add more processes if you find them or simply filter msiexec on its own. If the list grows big - TargetFilename|endswith: + TargetFilename|startswith: - 'C:\Program Files\PowerShell\7\pwsh.exe' - 'C:\Program Files\PowerShell\7-preview\pwsh.exe' + - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\' filter_main_healtray: TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\' TargetFilename|endswith: '\SecurityHealthSystray.exe' diff --git a/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml b/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml index 6ffb31e5b..eedfee91b 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_module_uncommon_creation.yml 
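Review bot: `filter_main_svchost`, `filter_main_wuauclt` and `filter_main_msiexec` keep `Image|endswith` although every value is now a full absolute path (`'C:\Windows\system32\svchost.exe'`, `'C:\Windows\SysWOW64\wuauclt.exe'`, …), while the other rules in this commit (`file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml`, `image_load_dll_system_management_automation_susp_load.yml`) converted such lists to an exact `Image:` match; `Image:` would be the consistent form here and avoids matching a longer path that merely ends in one of these strings. The casing also varies within one filter (`'C:\WINDOWS\system32\msiexec.exe'` next to `'C:\WINDOWS\SysWOW64\msiexec.exe'` versus `'C:\Windows\System32\wuauclt.exe'`); Sigma string matching is case-insensitive so this is cosmetic, but one spelling reads better in a list that is now exact-match.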
@@ -7,7 +7,7 @@ references: - https://learn.microsoft.com/en-us/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.3 author: Nasreddine Bencherchali (Nextron Systems) date: 2023-05-09 -modified: 2023-10-18 +modified: 2025-10-07 tags: - attack.persistence logsource: @@ -28,6 +28,10 @@ detection: - ':\Windows\SysWOW64\poqexec.exe' # https://github.com/SigmaHQ/sigma/issues/4448 - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe' - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' + filter_main_msiexec: + Image: + - 'C:\Windows\System32\msiexec.exe' + - 'C:\Windows\SysWOW64\msiexec.exe' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml index d410b68ad..ca184a5ee 100644 --- a/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml +++ b/rules/windows/file/file_event/file_event_win_ps_script_policy_test_creation_by_uncommon_process.yml @@ -6,7 +6,7 @@ references: - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-06-01 -modified: 2023-12-11 +modified: 2025-10-07 tags: - attack.defense-evasion logsource: 
@@ -15,19 +15,26 @@ logsource: detection: selection: TargetFilename|contains: '__PSScriptPolicyTest_' + filter_main_powershell: + Image: + - 'C:\Program Files\PowerShell\7-preview\pwsh.exe' + - 'C:\Program Files\PowerShell\7\pwsh.exe' + - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe' + - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' + - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe' + - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' + filter_main_pwsh_preview: + Image|contains: + - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview' + - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' + Image|endswith: '\pwsh.exe' filter_main_generic: - Image|endswith: - - ':\Program Files\PowerShell\7-preview\pwsh.exe' - - ':\Program Files\PowerShell\7\pwsh.exe' - - ':\Windows\System32\dsac.exe' - - ':\Windows\System32\sdiagnhost.exe' - - ':\Windows\System32\ServerManager.exe' - - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe' - - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' - - ':\Windows\System32\wsmprovhost.exe' - - ':\Windows\SysWOW64\sdiagnhost.exe' - - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe' - - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' + Image: + - 'C:\Windows\System32\dsac.exe' + - 'C:\Windows\System32\sdiagnhost.exe' + - 'C:\Windows\System32\ServerManager.exe' + - 'C:\Windows\System32\wsmprovhost.exe' + - 'C:\Windows\SysWOW64\sdiagnhost.exe' condition: selection and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml index 0c68b7242..3942ab79b 100644 --- a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml +++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml 
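Review bot: `filter_main_pwsh_preview` accepts a `pwsh.exe` anywhere under `\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview`, a per-user profile directory, while every other path in the new `filter_main_powershell` sits under `Program Files` or `System32`; the identical entry appears in `filter_main_pwsh_preview` of the `@@ -28,50` hunk in `image_load_dll_system_management_automation_susp_load.yml`. An always-applied exclusion rooted in a user-profile path deserves a comment explaining it, e.g. `# per-user app execution alias of the packaged PowerShell Preview; not covered by Program Files ACLs`, or the `filter_optional_` tier so environments without the packaged preview can drop it. `Image|contains` with no trailing separator also accepts any package directory whose name merely starts with `Microsoft.PowerShellPreview`, which is presumably intended to absorb the version suffix but is worth stating in the same comment.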
@@ -9,7 +9,7 @@ references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2022-08-12 -modified: 2025-08-05 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.t1036 @@ -69,6 +69,14 @@ detection: TargetFilename|contains|all: - 'C:\Program Files\WindowsApps\Clipchamp' - '.ps1' + filter_main_powershell_preview: + Image: + - 'C:\Windows\system32\svchost.exe' + - 'C:\Windows\SysWOW64\svchost.exe' + TargetFilename|startswith: + - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview' + - 'C:\Program Files (x86)\WindowsApps\Microsoft.PowerShellPreview' + TargetFilename|endswith: '.ps1' condition: 1 of selection_* and not 1 of filter_main_* falsepositives: - Unknown diff --git a/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml b/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml index c86897f5b..c411030ce 100644 --- a/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml +++ b/rules/windows/image_load/image_load_dll_amsi_suspicious_process.yml @@ -7,7 +7,7 @@ references: - https://www.paloaltonetworks.com/blog/security-operations/stopping-powershell-without-powershell/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-06-01 -modified: 2023-09-20 +modified: 2025-10-07 tags: - attack.defense-evasion logsource: @@ -20,7 +20,7 @@ detection: # TODO: Add more interesting processes - '\ExtExport.exe' - '\odbcconf.exe' - - '\regsvr32.exe' + # - '\regsvr32.exe' # legitimately calls amsi.dll - '\rundll32.exe' condition: selection falsepositives: diff --git a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml index 90572733f..e88299c40 100644 --- a/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml 
@@ -14,7 +14,7 @@ references: - https://github.com/p3nt4/PowerShdll author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2019-11-14 -modified: 2025-02-24 +modified: 2025-10-07 tags: - attack.t1059.001 - attack.execution 
@@ -28,50 +28,58 @@ detection: - ImageLoaded|endswith: - '\System.Management.Automation.dll' - '\System.Management.Automation.ni.dll' - filter_main_generic: - Image|endswith: - - ':\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7 - - ':\Windows\System32\dsac.exe' - - ':\WINDOWS\System32\RemoteFXvGPUDisablement.exe' - - ':\Windows\System32\runscripthelper.exe' - - ':\WINDOWS\System32\sdiagnhost.exe' - - ':\Windows\System32\ServerManager.exe' - - ':\Windows\System32\SyncAppvPublishingServer.exe' - - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe' - - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' - - ':\Windows\System32\winrshost.exe' - - ':\Windows\System32\wsmprovhost.exe' - - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe' - - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' - - ':\Windows\SysWOW64\winrshost.exe' - - ':\Windows\SysWOW64\wsmprovhost.exe' - filter_main_dotnet: + filter_main_powershell: + Image: + - 'C:\Program Files\PowerShell\7-preview\pwsh.exe' # PowerShell 7 preview + - 'C:\Program Files\PowerShell\7\pwsh.exe' # PowerShell 7 + - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe' + - 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' + - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe' + - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' + filter_main_pwsh_preview: Image|contains: - - ':\Windows\Microsoft.NET\Framework\' - - ':\Windows\Microsoft.NET\FrameworkArm\' - - ':\Windows\Microsoft.NET\FrameworkArm64\' - - ':\Windows\Microsoft.NET\Framework64\' + - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview' + - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' + Image|endswith: '\pwsh.exe' + filter_main_generic: + Image: + - 'C:\Windows\System32\dsac.exe' + - 'C:\WINDOWS\System32\RemoteFXvGPUDisablement.exe' + - 'C:\Windows\System32\runscripthelper.exe' + - 'C:\WINDOWS\System32\sdiagnhost.exe' + - 
'C:\Windows\System32\ServerManager.exe' + - 'C:\Windows\System32\SyncAppvPublishingServer.exe' + - 'C:\Windows\System32\winrshost.exe' + - 'C:\Windows\System32\wsmprovhost.exe' + - 'C:\Windows\SysWOW64\winrshost.exe' + - 'C:\Windows\SysWOW64\wsmprovhost.exe' + filter_main_dotnet: + Image|startswith: + - 'C:\Windows\Microsoft.NET\Framework\' + - 'C:\Windows\Microsoft.NET\FrameworkArm\' + - 'C:\Windows\Microsoft.NET\FrameworkArm64\' + - 'C:\Windows\Microsoft.NET\Framework64\' Image|endswith: '\mscorsvw.exe' filter_optional_sql_server_mgmt: - Image|contains: - - ':\Program Files (x86)\Microsoft SQL Server Management Studio' - - ':\Program Files\Microsoft SQL Server Management Studio' + Image|startswith: + - 'C:\Program Files (x86)\Microsoft SQL Server Management Studio' + - 'C:\Program Files\Microsoft SQL Server Management Studio' Image|endswith: '\IDE\Ssms.exe' filter_optional_sql_server_tools: - Image|contains: - - ':\Program Files (x86)\Microsoft SQL Server\' - - ':\Program Files\Microsoft SQL Server\' + Image|startswith: + - 'C:\Program Files (x86)\Microsoft SQL Server\' + - 'C:\Program Files\Microsoft SQL Server\' Image|endswith: '\Tools\Binn\SQLPS.exe' filter_optional_citrix: Image|endswith: '\Citrix\ConfigSync\ConfigSyncRun.exe' filter_optional_vs: - Image|contains: - - ':\Program Files (x86)\Microsoft Visual Studio\' - - ':\Program Files\Microsoft Visual Studio\' + Image|startswith: + - 'C:\Program Files (x86)\Microsoft Visual Studio\' + - 'C:\Program Files\Microsoft Visual Studio\' filter_optional_chocolatey: - Image|contains: ':\ProgramData\chocolatey\choco.exe' + Image|startswith: 'C:\ProgramData\chocolatey\choco.exe' filter_optional_nextron: - Image|contains: ':\Windows\Temp\asgard2-agent\' + Image|startswith: 'C:\Windows\Temp\asgard2-agent\' Image|endswith: - '\thor64.exe' - '\thor.exe' diff --git a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml index 6e51dafd6..5276352bc 100644 
--- a/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_vssapi_susp_load.yml @@ -11,7 +11,7 @@ references: - https://github.com/ORCx41/DeleteShadowCopies author: frack113 date: 2022-10-31 -modified: 2023-05-03 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.impact @@ -22,7 +22,7 @@ logsource: detection: selection: ImageLoaded|endswith: '\vssapi.dll' - filter_windows: + filter_main_windows: - Image: - 'C:\Windows\explorer.exe' - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' @@ -31,12 +31,12 @@ detection: - 'C:\Windows\SysWOW64\' - 'C:\Windows\Temp\{' # Installers - 'C:\Windows\WinSxS\' - filter_program_files: + filter_main_program_files: # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions Image|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' - filter_programdata_packagecache: + filter_optional_programdata_packagecache: # The following filter is required because of many FPs cause by: # C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe # C:\ProgramData\Package Cache\{b9cfa33e-ace4-49f4-8bb4-82ded940990a}\windowsdesktop-runtime-6.0.11-win-x86.exe @@ -44,7 +44,11 @@ detection: # C:\ProgramData\Package Cache\{2dcef8c3-1563-4149-a6ec-5b6c98500d7d}\dotnet-sdk-6.0.306-win-x64.exe # etc. Image|startswith: 'C:\ProgramData\Package Cache\' - condition: selection and not 1 of filter_* + filter_optional_avira: + Image|contains|all: + - '\temp\is-' + - '\avira_system_speedup.tmp' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown level: high diff --git a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml index 52f758683..1cf10eb90 100644 
--- a/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml +++ b/rules/windows/image_load/image_load_dll_vsstrace_susp_load.yml @@ -11,7 +11,7 @@ references: - https://github.com/ORCx41/DeleteShadowCopies author: frack113 date: 2023-02-17 -modified: 2025-01-19 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.impact @@ -32,12 +32,16 @@ detection: - 'C:\Windows\Temp\{' # Installers - 'C:\Windows\WinSxS\' - 'C:\ProgramData\Package Cache\{' # Microsoft Visual Redistributable installer VC_redist/vcredist EXE - filter_optional_program_files: + filter_main_program_files: # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions Image|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' - condition: selection and not 1 of filter_* + filter_optional_avira: + Image|contains|all: + - '\temp\is-' + - '\avira_system_speedup.tmp' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown level: medium diff --git a/rules/windows/image_load/image_load_side_load_antivirus.yml b/rules/windows/image_load/image_load_side_load_antivirus.yml index d4b00453b..debca85c1 100644 --- a/rules/windows/image_load/image_load_side_load_antivirus.yml +++ b/rules/windows/image_load/image_load_side_load_antivirus.yml @@ -6,7 +6,7 @@ references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) date: 2022-08-17 -modified: 2023-03-13 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.persistence 
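Review bot: Renaming `filter_optional_program_files` to `filter_main_program_files` moves an exclusion of everything under `'C:\Program Files\'` and `'C:\Program Files (x86)\'` into the always-applied tier, while the comment directly beneath the key still tells deployers to replace the folder with the exact applications they know use this; that instruction describes a tunable filter, and the `@@ -31,12` hunk of `image_load_dll_vssapi_susp_load.yml` makes the same promotion. Either keep the `filter_optional_` prefix so the `1 of filter_optional_*` clause can be dropped once backup software is enumerated, or reword the comment to say the filter is expected to remain and should be narrowed in place. The new `filter_optional_avira` is keyed on a `\temp\is-` fragment and a `.tmp` file name produced during an installer's temporary extraction; a comment citing the observed full path, as the package-cache filter above does, would make it easier to re-validate later.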
@@ -30,6 +30,14 @@ detection: - 'C:\Program Files\Dell\SARemediation\audit\log.dll' filter_log_dll_canon: ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\' + filter_log_dll_avast: + ImageLoaded: + - 'C:\Program Files\AVAST Software\Avast\log.dll' + - 'C:\Program Files (x86)\AVAST Software\Avast\log.dll' + filter_log_dll_avg: + ImageLoaded: + - 'C:\Program Files\AVG\Antivirus\log.dll' + - 'C:\Program Files (x86)\AVG\Antivirus\log.dll' # F-Secure selection_fsecure: ImageLoaded|endswith: '\qrt.dll' @@ -57,10 +65,14 @@ detection: # Avast selection_avast: ImageLoaded|endswith: '\wsc.dll' - filter_avast: + filter_wsc_dll_avast: ImageLoaded|startswith: - 'C:\program Files\AVAST Software\Avast\' - 'C:\program Files (x86)\AVAST Software\Avast\' + filter_wsc_dll_avg: + ImageLoaded|startswith: + - 'C:\Program Files\AVG\Antivirus\' + - 'C:\Program Files (x86)\AVG\Antivirus\' # ESET selection_eset_deslock: ImageLoaded|endswith: '\DLPPREM32.dll' @@ -79,7 +91,7 @@ detection: or (selection_fsecure and not filter_fsecure) or (selection_mcafee and not filter_mcafee) or (selection_cyberark and not filter_cyberark) - or (selection_avast and not filter_avast) + or (selection_avast and not 1 of filter_wsc_dll_*) or (selection_titanium and not filter_titanium) or (selection_eset_deslock and not filter_eset_deslock) falsepositives: diff --git a/rules/windows/image_load/image_load_side_load_dbgcore.yml b/rules/windows/image_load/image_load_side_load_dbgcore.yml index 449f8c724..d601be7de 100644 --- a/rules/windows/image_load/image_load_side_load_dbgcore.yml +++ b/rules/windows/image_load/image_load_side_load_dbgcore.yml @@ -6,7 +6,7 @@ references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) date: 2022-10-25 -modified: 2023-05-05 +modified: 2025-10-06 tags: - attack.defense-evasion - attack.persistence 
@@ -29,6 +29,10 @@ detection: - 'C:\Windows\WinSxS\' filter_optional_steam: ImageLoaded|endswith: '\Steam\bin\cef\cef.win7x64\dbgcore.dll' + filter_optional_opera: + # C:\\Users\\User\\AppData\\Local\\Temp\\.opera\\Opera Installer Temp\\opera_package_202311051506321\\assistant\\dbgcore.dll + ImageLoaded|contains: 'opera\Opera Installer Temp\opera_package' + ImageLoaded|endswith: '\assistant\dbgcore.dll' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Legitimate applications loading their own versions of the DLL mentioned in this rule diff --git a/rules/windows/image_load/image_load_side_load_dbghelp.yml b/rules/windows/image_load/image_load_side_load_dbghelp.yml index 245d41675..b7d87720a 100644 --- a/rules/windows/image_load/image_load_side_load_dbghelp.yml +++ b/rules/windows/image_load/image_load_side_load_dbghelp.yml @@ -6,7 +6,7 @@ references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research) date: 2022-10-25 -modified: 2023-05-05 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.persistence @@ -35,6 +35,9 @@ detection: ImageLoaded|endswith: - '\Epic Games\Launcher\Engine\Binaries\ThirdParty\DbgHelp\dbghelp.dll' - '\Epic Games\MagicLegends\x86\dbghelp.dll' + filter_optional_opera: + ImageLoaded|contains: 'opera\Opera Installer Temp\opera_package' + ImageLoaded|endswith: '\assistant\dbghelp.dll' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Legitimate applications loading their own versions of the DLL mentioned in this rule diff --git a/rules/windows/image_load/image_load_side_load_goopdate.yml b/rules/windows/image_load/image_load_side_load_goopdate.yml index c3dbeb944..4b1e455e5 100644 --- a/rules/windows/image_load/image_load_side_load_goopdate.yml 
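Review bot: `filter_optional_opera` in `image_load_side_load_dbgcore.yml` constrains only `ImageLoaded`, so the exclusion applies regardless of which process loaded the DLL; the same shape is added to `image_load_side_load_dbghelp.yml` in the following hunk. The path in the comment sits under a user profile's `Temp`, so adding the loading process as well, e.g. `Image|contains: 'opera\Opera Installer Temp\opera_package'` next to the existing `ImageLoaded` keys, would tie the exclusion to the installer itself. The comment also carries the doubled backslashes of the raw event; writing it as `# e.g. ...\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_<id>\assistant\dbgcore.dll` matches how paths are written elsewhere in the rule.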
+++ b/rules/windows/image_load/image_load_side_load_goopdate.yml @@ -6,7 +6,7 @@ references: - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf author: X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2023-05-15 -modified: 2023-05-20 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.privilege-escalation @@ -28,7 +28,15 @@ detection: - '.tmp\Dropbox' ImageLoaded|contains|all: - '\AppData\Local\Temp\GUM' - - '.tmp\\goopdate.dll' + - '.tmp\goopdate.dll' + filter_optional_googleupdate_temp: + Image|contains: + - '\AppData\Local\Temp\GUM' + - ':\Windows\SystemTemp\GUM' + Image|endswith: '.tmp\GoogleUpdate.exe' + ImageLoaded|contains: + - '\AppData\Local\Temp\GUM' + - ':\Windows\SystemTemp\GUM' condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - False positives are expected from Google Chrome installations running from user locations (AppData) and other custom locations. Apply additional filters accordingly. diff --git a/rules/windows/image_load/image_load_side_load_jli.yml b/rules/windows/image_load/image_load_side_load_jli.yml index 56f100c98..021b3cfdb 100644 --- a/rules/windows/image_load/image_load_side_load_jli.yml +++ b/rules/windows/image_load/image_load_side_load_jli.yml @@ -12,6 +12,7 @@ references: - https://www.proofpoint.com/us/blog/threat-insight/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting author: Swachchhanda Shrawan Poudel (Nextron Systems) date: 2025-07-25 +modified: 2025-10-06 tags: - attack.defense-evasion - attack.persistence 
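Review bot: `filter_optional_googleupdate_temp` excludes a `GoogleUpdate.exe` running from a `GUM*.tmp` directory under `\AppData\Local\Temp\` that loads its DLL from the same user-writable tree, which is the loading pattern the rule targets — the `falsepositives` text already acknowledges this trade-off, so the filter should stay optional and say so. The `:\Windows\SystemTemp\GUM` branch is the narrower one; for the AppData branch consider requiring the loaded image's signature, e.g. `Signed: 'true'` as the jli rule's `filter_main_` does in this same commit, if the log source provides it. A one-line comment on the filter pointing to the `falsepositives` note would make the risk visible to whoever enables it.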
@@ -32,7 +33,9 @@ detection: OriginalFileName: 'jli.dll' Product|startswith: 'OpenJDK Platform' Signed: 'true' - condition: selection and not 1 of filter_main_* + filter_optional_eclipse: + ImageLoaded|startswith: 'C:\eclipse\plugins\' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown level: high diff --git a/rules/windows/image_load/image_load_susp_unsigned_dll.yml b/rules/windows/image_load/image_load_susp_unsigned_dll.yml index 0033059ac..5987d09c4 100644 --- a/rules/windows/image_load/image_load_susp_unsigned_dll.yml +++ b/rules/windows/image_load/image_load_susp_unsigned_dll.yml @@ -10,7 +10,7 @@ references: - https://unit42.paloaltonetworks.com/unsigned-dlls/?web_view=true author: Swachchhanda Shrawan Poudel date: 2024-02-28 -modified: 2025-07-15 +modified: 2025-10-07 tags: - attack.t1218.011 - attack.t1218.010 @@ -48,7 +48,30 @@ detection: SignatureStatus: - '' - '-' - condition: selection and not 1 of filter_main_* + filter_main_windows_installer: + Image: + - 'C:\Windows\SysWOW64\rundll32.exe' + - 'C:\Windows\System32\rundll32.exe' + ImageLoaded|startswith: 'C:\Windows\Installer\' + ImageLoaded|endswith: + - '.tmp-\Microsoft.Deployment.WindowsInstaller.dll' + - '.tmp-\Avira.OE.Setup.CustomActions.dll' + filter_main_assembly: + Image|startswith: + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\System32\' + - 'C:\Windows\Microsoft.NET\Framework64' + Image|endswith: '\RegAsm.exe' + ImageLoaded|endswith: '.dll' + ImageLoaded|startswith: 'C:\Windows\assembly\NativeImages' + filter_optional_klite_codec: + Image: + - 'C:\Windows\SysWOW64\regsvr32.exe' + - 'C:\Windows\System32\regsvr32.exe' + ImageLoaded|startswith: + - 'C:\Program Files (x86)\K-Lite Codec Pack\' + - 'C:\Program Files\K-Lite Codec Pack\' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown level: medium 
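Review bot: `filter_optional_eclipse` excludes any `jli.dll` under `C:\eclipse\plugins\` by path prefix alone, while the `filter_main_` block directly above it requires `OriginalFileName: 'jli.dll'`, `Product|startswith: 'OpenJDK Platform'` and `Signed: 'true'`. A directory at the drive root created by unzipping Eclipse is usually not ACL-protected the way `Program Files` is, so a prefix-only exclusion is weaker than the rest of the rule; adding `Signed: 'true'` to the Eclipse filter would keep the same bar. The `detection:` block and the selection start outside this hunk.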
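Review bot: `filter_main_windows_installer` lists the vendor-specific `.tmp-\Avira.OE.Setup.CustomActions.dll` next to the generic `Microsoft.Deployment.WindowsInstaller.dll`, but every other vendor exclusion in this commit (K-Lite here, Avast/Avira/Opera elsewhere) is a `filter_optional_`; moving the Avira entry to its own `filter_optional_avira_installer` keeps the default rule from excluding that custom-action DLL in environments that never deploy Avira. In `filter_main_assembly`, `'C:\Windows\Microsoft.NET\Framework64'` lacks the trailing backslash its two sibling prefixes have and covers only the 64-bit framework directory; `'C:\Windows\Microsoft.NET\Framework64\'` plus, if 32-bit `RegAsm.exe` runs are seen, `'C:\Windows\Microsoft.NET\Framework\'` would be consistent. `ImageLoaded|endswith: '.dll'` in that filter is redundant if the selection (outside the hunk) already restricts to DLLs — worth a check.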
diff --git a/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml b/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml index 5104cbdf9..48b2f5e1f 100644 --- a/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml +++ b/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml @@ -10,7 +10,7 @@ references: - https://learn.microsoft.com/de-de/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) date: 2021-11-10 -modified: 2024-07-02 +modified: 2025-10-06 tags: - attack.execution - attack.t1203 @@ -56,10 +56,15 @@ detection: # "outlook.office365.com" # ] DestinationIp|cidr: + - '13.107.4.0/22' - '13.107.6.152/31' - '13.107.18.10/31' + - '13.107.42.0/23' - '13.107.128.0/22' + - '23.35.224.0/20' + - '23.53.40.0/22' - '23.103.160.0/20' + - '23.216.76.0/22' - '40.96.0.0/13' - '40.104.0.0/15' - '52.96.0.0/14' diff --git a/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml b/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml index c865e6f1e..da89efd89 100644 --- a/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml @@ -10,7 +10,7 @@ references: - https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton date: 2019-09-12 -modified: 2024-10-07 +modified: 2025-10-07 tags: - attack.execution - attack.t1059.001 
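Review bot: Three of the added ranges — `23.35.224.0/20`, `23.53.40.0/22` and `23.216.76.0/22` — do not sit in the Microsoft-owned blocks the surrounding list (13.107.x, 40.96.x, 52.96.x) is drawn from and appear to be CDN address space shared with other customers, so excluding them from an outbound-from-Office rule widens the blind spot beyond Microsoft 365 endpoints. If they come from the referenced Microsoft endpoint list, a trailing comment naming the entry keeps that traceable, e.g. `- '23.35.224.0/20' # <service/endpoint id from the MS list>`; otherwise they belong in a `filter_optional_` block rather than the main list. The block that owns `DestinationIp|cidr` starts outside this hunk.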
@@ -22,19 +22,25 @@ detection: selection: PipeName|startswith: '\PSHost' filter_main_generic: - Image|contains: - - ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7 - - ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7 - - ':\Windows\system32\dsac.exe' - - ':\Windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers - - ':\Windows\System32\sdiagnhost.exe' - - ':\Windows\system32\ServerManager.exe' - - ':\Windows\system32\wbem\wmiprvse.exe' - - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe' - - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' - - ':\Windows\System32\wsmprovhost.exe' - - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe' - - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' + - Image|contains: + - ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7 + - ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7 + - ':\Windows\system32\dsac.exe' + - ':\Windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers + - ':\Windows\System32\sdiagnhost.exe' + - ':\Windows\system32\ServerManager.exe' + - ':\Windows\system32\wbem\wmiprvse.exe' + - ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe' + - ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' + - ':\Windows\System32\wsmprovhost.exe' + - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe' + - ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe' + - Image|contains|all: + - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview' + - '\pwsh.exe' + - Image|contains|all: + - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' + - '\pwsh.exe' filter_optional_sqlserver: # Microsoft SQL Server\130\Tools\ Image|startswith: - 'C:\Program Files (x86)\' 
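Review bot: The two new `Image|contains|all` entries in `filter_main_generic` match `\pwsh.exe` as a substring rather than as the file name at the end of the path, and the second pairs it with `\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview`, a location under the user profile; because this is a `filter_main_` the exclusion is unconditional. `Image|endswith: '\pwsh.exe'` combined with `Image|contains` for the package prefix expresses the intent more tightly, and the AppData variant would sit better as a `filter_optional_pwsh_preview_user` so environments that do not allow per-user store installs keep the alert. The `C:\Program Files\WindowsApps\Microsoft.PowerShellPreview` prefix could also gain a trailing `_` to match the package folder naming.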
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml index 8bf8d45ec..0916328f8 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml @@ -7,6 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task author: frack113 date: 2021-12-28 +modified: 2025-10-07 tags: - attack.persistence - attack.t1053.005 @@ -30,7 +31,12 @@ detection: - 'PS_ScheduledTask' - '-NameSpace' - 'Root\Microsoft\Windows\TaskScheduler' - condition: 1 of selection_* + filter_main_legitimate_scripts: + ScriptBlockText|contains|all: + - 'Microsoft.PowerShell.Core\Export-ModuleMember' + - 'Microsoft.Management.Infrastructure.CimInstance' + - '__cmdletization_methodParameter' + condition: 1 of selection_* and not 1 of filter_main_* falsepositives: - Unknown level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml index 81aeead07..dffcf679a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml @@ -14,7 +14,7 @@ references: - https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) date: 2022-09-12 -modified: 2025-03-12 +modified: 2025-10-06 tags: - attack.defense-evasion - attack.t1070.001 
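Review bot: `filter_main_legitimate_scripts` excludes any script block that carries three strings of CDXML module boilerplate (`Export-ModuleMember`, `CimInstance`, `__cmdletization_methodParameter`), and `posh_ps_susp_mounted_share_deletion.yml` later in this diff adds a `filter_main_module_load` built the same way. A substring-only exclusion on `ScriptBlockText` is satisfied by any block that contains those strings in addition to the cmdlet the rule looks for, so it is a weaker guarantee than the rule's other selections; keeping both as `filter_optional_` or noting the limitation in a comment (`# Excludes the generated cdxml module body; text match only`) would be prudent. The `selection_*` blocks this condition refers to start outside the hunk.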
@@ -32,7 +32,7 @@ detection: - ScriptBlockText|contains|all: - 'Eventing.Reader.EventLogSession' # [System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($_.LogName) - 'ClearLog' - - ScriptBlockText|contains: + - ScriptBlockText|contains|all: - 'Diagnostics.EventLog' - 'Clear' condition: selection diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml index 31925e6b9..8abed2e27 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md author: 'oscd.community, @redcanary, Zach Stanford @svch0st' date: 2020-10-08 -modified: 2022-12-25 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.t1070.005 @@ -19,7 +19,14 @@ detection: ScriptBlockText|contains: - 'Remove-SmbShare' - 'Remove-FileShare' - condition: selection + filter_main_module_load: + ScriptBlockText|contains|all: + - 'FileShare.cdxml' + - 'Microsoft.PowerShell.Core\Export-ModuleMember' + - 'ROOT/Microsoft/Windows/Storage/MSFT_FileShare' + - 'ObjectModelWrapper' + - 'Cmdletization.MethodParameter' + condition: selection and not 1 of filter_main_* falsepositives: - Administrators or Power users may remove their shares via cmd line level: medium diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml index aa12a1eba..b16c2ee37 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_exec.yml 
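Review bot: Switching `ScriptBlockText|contains` to `contains|all` fixes the previous OR, but `'Clear'` as the second term still matches any script that references `Diagnostics.EventLog` and also uses `Clear-Host`, `Clear-Variable` or similar. If the referenced `System.Diagnostics.EventLog.Clear` usage appears in practice as a method call, `- '.Clear('` would anchor the term to the invocation; otherwise a short comment on why the bare word was kept would help the next reviewer. The rest of `selection` begins outside this hunk.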
@@ -29,4 +29,4 @@ detection: condition: selection falsepositives: - Unknown -level: medium +level: low diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml index 2d3b7a755..b09b9b5e4 100644 --- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml +++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download.yml @@ -10,7 +10,7 @@ references: - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html author: Sreeman, Florian Roth (Nextron Systems) date: 2022-01-04 -modified: 2023-05-12 +modified: 2025-10-07 tags: - attack.command-and-control - attack.t1105 
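Review bot: `proc_creation_win_browsers_chromium_headless_exec.yml` drops `level` from `medium` to `low` with no other hunk in the file's diff, so `modified:` is not bumped and `falsepositives` still reads `Unknown`, while every other rule edited in this commit updates `modified` for its content change. Add `modified: 2025-10-07` in the header to match the rest of the commit and, since a lower level implies known noise, replace `- Unknown` with the class of legitimate headless use that motivated the downgrade.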
@@ -30,7 +30,29 @@ detection: - '--headless' - 'dump-dom' - 'http' - condition: selection + filter_optional_edge_1: + Image|startswith: + - 'C:\Program Files (x86)\Microsoft\Edge\Application\' + - 'C:\Program Files (x86)\Microsoft\EdgeCore\' + - 'C:\Program Files (x86)\Microsoft\EdgeWebView\' + - 'C:\Program Files\Microsoft\Edge\Application\' + - 'C:\Program Files\Microsoft\EdgeCore\' + - 'C:\Program Files\Microsoft\EdgeWebView\' + - 'C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge' + Image|endswith: + - '\msedge.exe' + - '\msedgewebview2.exe' + - '\MicrosoftEdge.exe' + CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom' + filter_optional_edge_2: + Image|contains: + - '\AppData\Local\Microsoft\WindowsApps\' + - '\Windows\SystemApps\Microsoft.MicrosoftEdge' + Image|endswith: + - '\msedge.exe' + - '\MicrosoftEdge.exe' + CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom' + condition: selection and not 1 of filter_optional_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml index d655a8c85..2f05817d3 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml 
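Review bot: `filter_optional_edge_1` and `filter_optional_edge_2` differ only in their `Image` constraints and repeat the same long `CommandLine|contains` string verbatim; a single filter with two `Image` alternatives and one `CommandLine` entry would avoid a duplicate that will drift on the next edit. Separately, `falsepositives` still says `- Unknown` although the commit adds two Edge-specific exclusions; `- Microsoft Edge and WebView2 invoking headless dump-dom with the fixed option set above` documents what was observed. `filter_optional_edge_2` keys on `\AppData\Local\Microsoft\WindowsApps\`, a per-user location, so keeping it optional is the right call.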
@@ -2,7 +2,7 @@ title: File And SubFolder Enumeration Via Dir Command id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006 status: test description: | - Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories. + Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md author: frack113 diff --git a/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml b/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml index aeb4ed7cd..176369d4e 100644 --- a/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dotnet_arbitrary_dll_csproj_execution.yml @@ -8,7 +8,7 @@ references: - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/ author: Beyu Denis, oscd.community date: 2020-10-18 -modified: 2024-04-24 +modified: 2025-10-08 tags: - attack.defense-evasion - attack.t1218 @@ -27,7 +27,15 @@ detection: - '.dll"' - ".csproj'" - ".dll'" - condition: all of selection_* + filter_optional_notepad++: + ParentImage: + - 'C:\Program Files (x86)\Notepad++\notepad++.exe' + - 'C:\Program Files\Notepad++\notepad++.exe' + CommandLine|contains|all: + - 'C:\ProgramData\CSScriptNpp\' + - '-cscs_path:' + - '\cs-script\cscs.dll' + condition: all of selection_* and not 1 of filter_optional_* falsepositives: - Legitimate administrator usage level: medium diff --git a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml index f5b46ee6e..b7a32c0aa 100644 
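Review bot: The new identifier `filter_optional_notepad++` contains `+` characters; the condition reaches it only through the `filter_optional_*` wildcard, and if the rule validator restricts identifier characters to letters, digits, `_` and `-`, the plain name will be rejected — `filter_optional_notepadpp` avoids the question. The exclusion keys on `C:\ProgramData\CSScriptNpp\`, a location standard users can typically write to, which is a good reason it stays under `filter_optional_` as done. `selection_*` starts outside this hunk.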
--- a/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml @@ -13,7 +13,7 @@ references: - https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html author: Nasreddine Bencherchali (Nextron Systems), frack113 date: 2023-07-06 -modified: 2024-06-27 +modified: 2025-10-08 tags: - attack.discovery - attack.t1057 @@ -32,7 +32,13 @@ detection: - 'systeminfo*|*find' - 'tasklist*|*find' - 'whoami*|*find' - condition: selection + filter_optional_xampp: + CommandLine|contains|all: + - 'cmd.exe /c TASKLIST /V |' + - 'FIND /I' + - '\xampp\' + - '\catalina_start.bat' + condition: selection and not 1 of filter_optional_* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml b/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml index f5acdd956..8bc189a75 100644 --- a/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml +++ b/rules/windows/process_creation/proc_creation_win_fltmc_unload_driver.yml @@ -10,7 +10,7 @@ references: - https://www.cybereason.com/blog/threat-analysis-report-lockbit-2.0-all-paths-lead-to-ransom author: Nasreddine Bencherchali (Nextron Systems) date: 2023-02-13 -modified: 2024-06-24 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.t1070 
@@ -26,10 +26,13 @@ detection: selection_cli: CommandLine|contains: 'unload' filter_optional_avira: - ParentImage|startswith: 'C:\Users\' - ParentImage|contains: '\AppData\Local\Temp\' + ParentImage|contains: + - '\AppData\Local\Temp\' + - ':\Windows\Temp\' ParentImage|endswith: '\endpoint-protection-installer-x64.tmp' - CommandLine|endswith: 'unload rtp_filesystem_filter' + CommandLine|endswith: + - 'unload rtp_filesystem_filter' + - 'unload rtp_filter' filter_optional_manageengine: ParentImage: 'C:\Program Files (x86)\ManageEngine\uems_agent\bin\dcfaservice64.exe' CommandLine|endswith: 'unload DFMFilter' diff --git a/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml b/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml index 77375ac2b..ccca3bc8b 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_lazagne.yml @@ -12,14 +12,14 @@ references: - https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/800c0e06571993a54e39571cf27fd474dcc5c0bc/2017/2017.11.14.Muddying_the_Water/muddying-the-water-targeted-attacks.pdf author: Nasreddine Bencherchali, Swachchhanda Shrawan Poudel (Nextron Systems) date: 2024-06-24 -modified: 2025-08-18 +modified: 2025-10-07 tags: - attack.credential-access logsource: product: windows category: process_creation detection: - selection_metadata: + selection_img_metadata: Image|endswith: '\lazagne.exe' selection_img_cli: # Note: This selection can be prone to FP. An initial baseline is required 
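Review bot: Dropping `ParentImage|startswith: 'C:\Users\'` in favour of `ParentImage|contains` with `\AppData\Local\Temp\` and `:\Windows\Temp\` means the Avira exclusion now applies to an `endpoint-protection-installer-x64.tmp` parent under any path containing those fragments, and the added `unload rtp_filter` variant widens the command side too; for a rule whose purpose is filter-driver unloads, that is a wider exclusion than the previous one anchored at the profile root. Keeping the two roots explicit, `ParentImage|startswith: ['C:\Users\', 'C:\Windows\Temp\']` together with the existing `contains`/`endswith` keys, preserves the new coverage without opening the whole path space. The filter remains `filter_optional_`, which is appropriate.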
@@ -67,20 +67,20 @@ detection: - '.exe windows' selection_cli_modules: CommandLine|contains: - - 'all ' - - 'browsers ' - - 'chats ' - - 'databases ' - - 'games ' - - 'mails ' - - 'maven ' - - 'memory ' - - 'multimedia ' - - 'php ' - - 'svn ' - - 'sysadmin ' - - 'unused ' - - 'wifi ' + - ' all ' + - ' browsers ' + - ' chats ' + - ' databases ' + - ' games ' + - ' mails ' + - ' maven ' + - ' memory ' + - ' multimedia ' + - ' php ' + - ' svn ' + - ' sysadmin ' + - ' unused ' + - ' wifi ' selection_cli_options: CommandLine|contains: - '-1Password' @@ -133,7 +133,7 @@ detection: - '-vaultfiles' - '-vnc' - '-winscp' - condition: selection_metadata or selection_img_cli or all of selection_cli_* + condition: 1 of selection_img_* or all of selection_cli_* falsepositives: - Some false positive is expected from tools with similar command line flags. # Note: Increase the level to "high" after an initial baseline diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml b/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml index 2d07f2368..f8332505a 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_install_remote.yml @@ -9,7 +9,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-10-28 -modified: 2024-03-13 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.t1218.007 @@ -34,7 +34,11 @@ detection: CommandLine|contains: - 'http' - '\\\\' - condition: all of selection_* + filter_optional_openoffice: + CommandLine|contains|all: + - '\AppData\Local\Temp\OpenOffice' + - 'Installation Files\openoffice' + condition: all of selection_* and not 1 of filter_optional_* falsepositives: - Unknown level: medium 
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml index bb57f9796..50986eb4b 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_delete_rule.yml @@ -6,7 +6,7 @@ references: - https://app.any.run/tasks/8bbd5b4c-b82d-4e6d-a3ea-d454594a37cc/ author: frack113 date: 2022-08-14 -modified: 2023-02-10 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.t1562.004 @@ -24,6 +24,9 @@ detection: filter_optional_dropbox: ParentImage|endswith: '\Dropbox.exe' CommandLine|contains: 'name=Dropbox' + filter_optional_avast: + ParentImage|endswith: '\instup.exe' + CommandLine|contains: 'advfirewall firewall delete rule name="Avast Antivirus Admin Client"' condition: all of selection_* and not 1 of filter_optional_* falsepositives: - Legitimate administration activity diff --git a/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml b/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml index df8d01e65..de43d8a5f 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml @@ -16,7 +16,7 @@ references: - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/ author: frack113 date: 2021-11-01 -modified: 2023-12-13 +modified: 2025-10-07 tags: - attack.execution - attack.t1059.001 @@ -26,9 +26,11 @@ logsource: detection: selection_img: - OriginalFileName: + - 'powershell_ise.exe' - 'PowerShell.EXE' - 'pwsh.dll' - Image|endswith: + - '\powershell_ise.exe' - '\powershell.exe' - '\pwsh.exe' selection_option: 
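Review bot: `filter_optional_avast` identifies the parent only by `ParentImage|endswith: '\instup.exe'`, so the exclusion holds for an `instup.exe` in any directory, while the PowerShell execution-policy rule later in this diff anchors the same Avast installer to `C:\Program Files\Avast Software\Avast\` / `C:\Program Files (x86)\Avast Software\Avast\`. Adding `ParentImage|startswith` with those two prefixes here keeps the two Avast filters consistent and ties the exclusion to the install directory (the pre-existing `filter_optional_dropbox` uses the same name-only shape, so this is a convention worth settling for the file). The quoted rule name in `CommandLine|contains` is specific enough that the filter is otherwise well bounded.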
@@ -40,7 +42,22 @@ detection: CommandLine|contains: - 'Bypass' - 'Unrestricted' - condition: all of selection_* + filter_main_powershell_core: + ParentImage: + - 'C:\Windows\SysWOW64\msiexec.exe' + - 'C:\Windows\System32\msiexec.exe' + CommandLine|contains: + - '-NoProfile -ExecutionPolicy Bypass -File "C:\Program Files\PowerShell\7\' + - '-NoProfile -ExecutionPolicy Bypass -File "C:\Program Files (x86)\PowerShell\7\' + filter_optional_avast: + ParentImage|contains: + - 'C:\Program Files\Avast Software\Avast\' + - 'C:\Program Files (x86)\Avast Software\Avast\' + - '\instup.exe' + CommandLine|contains: + - '-ExecutionPolicy ByPass -File "C:\Program Files\Avast Software\Avast' + - '-ExecutionPolicy ByPass -File "C:\Program Files (x86)\Avast Software\Avast\' + condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Administrator scripts level: medium diff --git a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml index 9b7116b30..481ba3acf 100644 --- a/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml @@ -8,7 +8,7 @@ references: - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet author: Nasreddine Bencherchali (Nextron Systems) date: 2023-01-02 -modified: 2025-01-20 +modified: 2025-10-07 tags: - attack.execution - attack.t1059 
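Review bot: In `filter_optional_avast`, `ParentImage|contains` is a single OR list in which the third entry `'\instup.exe'` makes the two `Avast Software\Avast\` prefixes irrelevant — any parent named `instup.exe` anywhere satisfies the key. The intent reads as prefix AND file name: make the two directories `ParentImage|startswith:` and move the executable to its own `ParentImage|endswith: '\instup.exe'` key so both must hold. The first `CommandLine|contains` entry ends at `...\Avast Software\Avast` while the second ends at `...\Avast Software\Avast\`; adding the trailing backslash to the first keeps them symmetric. `filter_main_powershell_core` is keyed to `msiexec.exe` parents running scripts from `C:\Program Files\PowerShell\7\`, which is reasonably narrow for a main filter.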
@@ -24,12 +24,26 @@ detection: - 'python2.exe' selection_cli: CommandLine|contains: ' -c' - filter_main_python: # Based on baseline - ParentImage|startswith: 'C:\Program Files\Python' + filter_main_python_1: # Based on baseline + ParentImage|startswith: + - 'C:\Program Files\Python' + - 'C:\Program Files (x86)\Python' ParentImage|endswith: '\python.exe' ParentCommandLine|contains: '-E -s -m ensurepip -U --default-pip' + filter_main_python_trace: # Based on baseline + ParentImage|startswith: + - 'C:\Program Files\Python' + - 'C:\Program Files (x86)\Python' + CommandLine|contains|all: + # CommandLine: \"C:\\Program Files\\Python312\\python.exe\" -W ignore::DeprecationWarning -c \"\nimport runpy\nimport sys\nsys.path = ['C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj\\\\pip-23.2.1-py3-none-any.whl'] + sys.path\nsys.argv[1:] = ['install', '--no-cache-dir', '--no-index', '--find-links', 'C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj', '--upgrade', 'pip']\nrunpy.run_module(\\\"pip\\\", run_name=\\\"__main__\\\", alter_sys=True)\n\ + - '-W ignore::DeprecationWarning' + - "['install', '--no-cache-dir', '--no-index', '--find-links'," + - "'--upgrade', 'pip'" filter_optional_vscode: - ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe' + - ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe' + - ParentImage: + - 'C:\Program Files\Microsoft VS Code\Code.exe' + - 'C:\Program Files (x86)\Microsoft VS Code\Code.exe' filter_optional_pip: CommandLine|contains|all: - '' diff --git a/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml b/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml index bd87a445a..f74975989 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml 
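Review bot: `filter_main_python_trace` has no `ParentImage|endswith` and its three `CommandLine|contains|all` terms all live inside the `-c` payload this rule exists to inspect, whereas the sibling `filter_main_python_1` is anchored on `ParentImage|endswith: '\python.exe'` and `ParentCommandLine`; as a `filter_main_` that makes the exclusion depend only on strings an inline script can contain. Adding `ParentImage|endswith: '\python.exe'` to the trace filter (and the `ParentCommandLine` fragment from the baseline, if available) would bring it to the same bar, or it could be demoted to `filter_optional_`. The pasted raw event in the comment above the terms is very long; shortening it to the `-W ignore::DeprecationWarning -c "import runpy ... runpy.run_module(\"pip\" ...)"` shape would keep the line readable.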
+++ b/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml @@ -15,10 +15,12 @@ logsource: category: process_creation product: windows detection: - selection_1: - Image|endswith: '\reg.exe' + selection_img: + - Image|endswith: '\reg.exe' + - OriginalFileName: 'reg.exe' + selection_cli_add: CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules - selection_2: + selection_cli_keys: CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys - '\software\Microsoft\Windows\CurrentVersion\Run' # Also covers the strings "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce" - '\software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run' diff --git a/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml b/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml index 8715341d6..ea1bc16a2 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml @@ -6,7 +6,7 @@ references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022-07-14 -modified: 2022-08-08 +modified: 2025-10-07 tags: - attack.persistence - attack.privilege-escalation 
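Review bot: This hunk splits `selection_1`/`selection_2` into `selection_img`, `selection_cli_add` and `selection_cli_keys`, but the `condition` line is outside the hunk and this file's diff has no other hunk, so I could not confirm it was changed from the old names to `all of selection_*`; with the old names still in place the rule would not resolve. The single-hunk diff also means the header's `modified:` was not bumped, unlike every other rule edited in this commit — `modified: 2025-10-07` would match. `CommandLine|contains: 'add'` in `selection_cli_add` is a bare substring (pre-existing), so the stricter new `selection_img` does not tighten the command side.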
@@ -24,7 +24,17 @@ detection: - 'binPath' - 'type' - 'kernel' - condition: selection + filter_optional_avira_driver: + - CommandLine|contains|all: + - 'create netprotection_network_filter' + - 'type= kernel start= ' + - 'binPath= System32\drivers\netprotection_network_filter' + - 'DisplayName= netprotection_network_filter' + - 'group= PNP_TDI tag= yes' + - CommandLine|contains|all: + - 'create avelam binpath=C:\Windows\system32\drivers\avelam.sys' + - 'type=kernel start=boot error=critical group=Early-Launch' + condition: selection and not 1 of filter_optional_* falsepositives: - Rare legitimate installation of kernel drivers via sc.exe level: medium diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml index ca8cfb758..6529c5d0f 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml @@ -11,7 +11,7 @@ references: - https://blog.talosintelligence.com/gophish-powerrat-dcrat/ author: Florian Roth (Nextron Systems) date: 2022-02-21 -modified: 2024-10-28 +modified: 2025-10-07 tags: - attack.execution - attack.t1053.005 @@ -21,7 +21,7 @@ logsource: detection: selection_1_create: Image|endswith: '\schtasks.exe' - CommandLine|contains: ' /create ' + CommandLine|contains|windash: ' /create ' selection_1_all_folders: CommandLine|contains: - ':\Perflogs' 
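Review bot: Both branches of `filter_optional_avira_driver` are keyed on command-line text alone with no `ParentImage` constraint, whereas the fltmc rule's `filter_optional_avira` in this same commit ties its exclusion to the installer binary. If the baseline shows the parent that issues these `sc create` calls, add it as `ParentImage|endswith` on each branch; a `create ... type= kernel` command is exactly the event this rule exists for, so an exclusion should be bound to the installing process and not only to the driver name. The `selection` block starts outside this hunk.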
@@ -49,15 +49,15 @@ detection: filter_optional_avira_install: # Comment out this filter if you dont use AVIRA CommandLine|contains|all: - - '/Create /Xml "C:\Users\' - - '\AppData\Local\Temp\.CR.' - - 'Avira_Security_Installation.xml' + - '/Create /Xml ' + - '\Temp\.CR.' + - '\Avira_Security_Installation.xml' filter_optional_avira_other: # Comment out this filter if you dont use AVIRA CommandLine|contains|all: - '/Create /F /TN' - '/Xml ' - - '\AppData\Local\Temp\is-' + - '\Temp\' - 'Avira_' CommandLine|contains: - '.tmp\UpdateFallbackTask.xml' @@ -66,7 +66,7 @@ detection: - '.tmp\MaintenanceTask.xml' filter_optional_klite_codec: CommandLine|contains|all: - - '\AppData\Local\Temp\' + - '\Temp\' - '/Create /TN "klcp_update" /XML ' - '\klcp_update_task.xml' condition: ( all of selection_1_* or all of selection_2_* ) and not 1 of filter_optional_* diff --git a/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml b/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml index 1845ad596..6114f16f6 100644 --- a/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml @@ -14,7 +14,7 @@ references: - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2022-06-09 -modified: 2023-11-09 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.execution @@ -36,8 +36,10 @@ detection: CommandLine|contains|all: - ':\Users\' - '\AppData\Local\Discord\Update.exe' - - ' --processStart' - 'Discord.exe' + CommandLine|contains: + - '--createShortcut' + - '--processStart' filter_optional_github_desktop: CommandLine|contains|all: - ':\Users\' 
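Review bot: `filter_optional_avira_other` and `filter_optional_klite_codec` now match the bare `'\Temp\'` instead of `'\AppData\Local\Temp\is-'` and `'\AppData\Local\Temp\'`, which also covers `C:\Windows\Temp\` and any other directory named Temp, and nothing in the hunk records why. The remaining tokens (`Avira_`, the task XML names, `klcp_update`) keep the exclusions narrow, but a comment above the changed lines would stop a later cleanup from re-tightening them, e.g. `# '\Temp\' rather than '\AppData\Local\Temp\' so installs running from other Temp directories are covered too` — presumably that is the intent, but confirm against the sample that motivated the change.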
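Review bot: The Discord filter drops the leading space when `' --processStart'` moves from the `|all` list into the new `CommandLine|contains` list as `'--processStart'`, and `'--createShortcut'` follows the same form; keeping the space, `- ' --createShortcut'` and `- ' --processStart'`, pins them to whole arguments the way the removed line did. Minor, since the `\AppData\Local\Discord\Update.exe` and `Discord.exe` tokens in the `|all` list still have to be present for the filter to apply.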
diff --git a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml index 4b574bd37..b83f2059f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml @@ -7,7 +7,7 @@ references: - https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023-01-12 -modified: 2023-08-31 +modified: 2025-10-07 tags: - attack.defense-evasion logsource: @@ -24,6 +24,7 @@ detection: - '\cscript.exe' - '\mshta.exe' - '\powershell.exe' + - '\powershell_ise.exe' - '\pwsh.exe' - '\regsvr32.exe' - '\rundll32.exe' @@ -42,6 +43,9 @@ detection: - '\powershell.exe' - '\cmd.exe' - '\pwsh.exe' + filter_optional_sysinternals: + ParentImage|startswith: 'C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite' + Image|endswith: '\cmd.exe' condition: selection_parent and 1 of selection_susp_* and not 1 of filter_optional_* falsepositives: - Legitimate packages that make use of external binaries such as Windows Terminal diff --git a/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml b/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml index 9ab667f3b..83b561326 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml @@ -8,6 +8,7 @@ references: - https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document author: Joseph Kamau date: 2024-05-27 +modified: 2025-10-07 tags: - attack.execution - attack.t1204.002 
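Review bot: `filter_optional_sysinternals` uses `ParentImage|startswith: 'C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite'` without the `_` that separates a package name from its version in `WindowsApps` folder names, so the prefix also matches any other package whose name merely begins with that string. Appending the separator, `ParentImage|startswith: 'C:\Program Files\WindowsApps\Microsoft.SysinternalsSuite_'`, pins it to that package family; `filter_main_wsl_windowsapps` elsewhere in this commit follows the same no-separator style, so apply it consistently if adopted. The filter also excludes every `cmd.exe` spawned by any tool in the suite, which looks like the intended FP handling but deserves a comment on the filter line.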
@@ -29,9 +30,14 @@ detection: - '\maxthon.exe' - '\seamonkey.exe' - '\vivaldi.exe' - - '' CommandLine|contains: 'http' - condition: selection + filter_main_microsoft_help: + CommandLine|contains: 'https://go.microsoft.com/fwlink/' + filter_optional_foxit: + CommandLine|contains: + - 'http://ad.foxitsoftware.com/adlog.php?' + - 'https://globe-map.foxitservice.com/go.php?do=redirect' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed. level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml index 8fd8668f5..ba059a736 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml @@ -13,7 +13,7 @@ references: - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/ author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) date: 2020-07-03 -modified: 2023-08-29 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.t1036.003 @@ -21,11 +21,12 @@ logsource: category: process_creation product: windows detection: - selection_cmd: + selection_img_cmd: Image|endswith: '\cmd.exe' CommandLine|contains: 'copy ' - selection_pwsh: + selection_img_pwsh: Image|endswith: + - '\powershell_ise.exe' - '\powershell.exe' - '\pwsh.exe' CommandLine|contains: 
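Review bot: `filter_main_microsoft_help` excludes a browser launch whenever `CommandLine|contains: 'https://go.microsoft.com/fwlink/'` matches anywhere in the command line, so a command line carrying that URL alongside any other argument is dropped as well; for an always-on `filter_main_` in a rule whose signal is the URL handed to the browser, that is a broad exclusion. Either anchor the match so the fwlink URL must be the only argument (a `CommandLine|re` pattern on the known launcher form), or demote it to `filter_optional_microsoft_help` so deployments opt in. A comment on the two Foxit URLs saying which product feature emits them would also help reviewers of the `filter_optional_foxit` block.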
@@ -33,19 +34,28 @@ detection: - ' copy ' - 'cpi ' - ' cp ' - selection_other: + selection_img_other: - Image|endswith: - '\robocopy.exe' - '\xcopy.exe' - OriginalFileName: - 'robocopy.exe' - 'XCOPY.EXE' - target: + selection_target: CommandLine|contains: - '\System32' - '\SysWOW64' - '\WinSxS' - condition: 1 of selection_* and target + filter_optional_avira: + Image|endswith: '\cmd.exe' + CommandLine|contains|all: + - '/c copy' + - '\Temp\' + - '\avira_system_speedup.exe' + CommandLine|contains: + - 'C:\Program Files\Avira\' + - 'C:\Program Files (x86)\Avira\' + condition: 1 of selection_img_* and selection_target and not 1 of filter_optional_* falsepositives: - Depend on scripts and administrative tools used in the monitored environment (For example an admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/) - When cmd.exe and xcopy.exe are called directly # C:\Windows\System32\cmd.exe /c copy file1 file2 diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml deleted file mode 100644 index 04ba58df9..000000000 --- a/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -title: Use Short Name Path in Command Line -id: 349d891d-fef0-4fe4-bc53-eee623a15969 -related: - - id: a96970af-f126-420d-90e1-d37bf25e50e1 - type: similar -status: test -description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection -references: - - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10) - - https://twitter.com/frack113/status/1555830623633375232 -author: frack113, Nasreddine Bencherchali -date: 2022-08-07 -modified: 2025-07-04 -tags: - - attack.defense-evasion - - attack.t1564.004 -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine|contains: - - '~1\' - - '~2\' - filter: - - ParentImage: - - 'C:\Windows\System32\Dism.exe' - - 'C:\Windows\System32\cleanmgr.exe' - - 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe' - - ParentImage|endswith: - - '\WebEx\WebexHost.exe' - - '\thor\thor64.exe' - - '\veam.backup.shell.exe' - - '\winget.exe' - - '\Everything\Everything.exe' - - '\aurora-agent-64.exe' - - '\aurora-agent.exe' - - ParentImage|contains: '\AppData\Local\Temp\WinGet\' - - CommandLine|contains: - - '\appdata\local\webex\webex64\meetings\wbxreport.exe' - - 'C:\Program Files\Git\post-install.bat' - - 'C:\Program Files\Git\cmd\scalar.exe' - condition: selection and not filter -falsepositives: - - Applications could use this notation occasionally which might generate some false positives. In that case investigate the parent and child process. -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml b/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml index f52a096b7..c506a9456 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_sysnative.yml @@ -6,7 +6,7 @@ references: - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ author: Max Altgelt (Nextron Systems) date: 2022-08-23 -modified: 2023-12-14 +modified: 2025-10-08 tags: - attack.defense-evasion - attack.privilege-escalation @@ -15,10 +15,23 @@ logsource: category: process_creation product: windows detection: - sysnative: + selection: - CommandLine|contains: ':\Windows\Sysnative\' - Image|contains: ':\Windows\Sysnative\' - condition: sysnative + filter_main_ngen: + Image|contains: + - 'C:\Windows\Microsoft.NET\Framework64\v' + - 'C:\Windows\Microsoft.NET\Framework\v' + - 'C:\Windows\Microsoft.NET\FrameworkArm\v' + - 'C:\Windows\Microsoft.NET\FrameworkArm64\v' + Image|endswith: '\ngen.exe' + CommandLine|contains: 'install' + filter_optional_xampp: + CommandLine|contains|all: + - '"C:\Windows\sysnative\cmd.exe"' + - '\xampp\' + - '\catalina_start.bat' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml index 6760d9975..6e4393fa9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml @@ -12,7 +12,7 @@ references: - https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2017-11-27 -modified: 2025-07-11 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.t1036 
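Review bot: `filter_main_ngen` matches drive-rooted paths with `Image|contains` (`'C:\Windows\Microsoft.NET\Framework64\v'` and its three siblings), which lets the prefix appear anywhere in the path; since every value starts with the drive letter, `Image|startswith:` states the intent, while `filter_optional_xampp` rightly keeps `contains` for genuinely partial strings. The same pattern appears in `filter_main_powershell` of proc_creation_win_susp_system_exe_anomaly.yml for the two `C:\Program Files\PowerShell\` entries. `CommandLine|contains: 'install'` is broad on its own but is constrained by the `\ngen.exe` image, so it is fine as written.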
@@ -85,9 +85,12 @@ detection: filter_optional_system32: Image|contains: '\SystemRoot\System32\' filter_main_powershell: - Image: - - 'C:\Program Files\PowerShell\7\pwsh.exe' - - 'C:\Program Files\PowerShell\7-preview\pwsh.exe' + Image|contains: + - 'C:\Program Files\PowerShell\7\' + - 'C:\Program Files\PowerShell\7-preview\' + - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview' + - '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview' # pwsh installed from Microsoft Store + Image|endswith: '\pwsh.exe' filter_main_wsl_windowsapps: Image|startswith: 'C:\Program Files\WindowsApps\MicrosoftCorporationII.WindowsSubsystemForLinux' Image|endswith: '\wsl.exe' diff --git a/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml b/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml index f3d09f001..0a9de8246 100644 --- a/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml +++ b/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml @@ -8,7 +8,7 @@ references: - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ author: Victor Sergeev, oscd.community date: 2020-10-09 -modified: 2022-07-11 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.t1218 @@ -23,7 +23,12 @@ detection: CommandLine|contains|all: - '/S' - '/C' - condition: all of selection_* + filter_main_runtimebroker: + ParentImage|endswith: 'C:\Windows\System32\RuntimeBroker.exe' + CommandLine|contains|all: + - 'verclsid.exe" /S /C {' + - '} /I {' + condition: all of selection_* and not 1 of filter_main_* fields: - CommandLine falsepositives: diff --git a/rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml b/rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml index 20febeb39..d0951c9f7 100644 --- a/rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml 
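Review bot: `filter_main_powershell` now permanently excludes `'\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'`, a location under the user profile, from a rule whose purpose is flagging system binaries that run from unexpected paths; the other three prefixes are machine-wide install directories, this one is not, and as a `filter_main_` it cannot be switched off per deployment. Consider carrying the Store case as its own `filter_optional_powershell_store` with `Image|contains: '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'` and `Image|endswith: '\pwsh.exe'`, leaving the Program Files prefixes in `filter_main_powershell`. The inline `# pwsh installed from Microsoft Store` names the source; adding that the alias folder lives in the user profile would make the trade-off visible to whoever tunes this next.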
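Review bot: `filter_main_runtimebroker` uses `ParentImage|endswith` with a full drive-rooted path, `'C:\Windows\System32\RuntimeBroker.exe'`; `endswith` on an absolute path is effectively an exact match and reads as if a suffix were intended. Use the exact form this commit uses for the same binary in registry_set_asep_reg_keys_modification_currentversion_nt.yml, `ParentImage: 'C:\Windows\System32\RuntimeBroker.exe'`, or drop the drive letter if a suffix match is wanted. The same construct appears in registry_delete_removal_com_hijacking_registry_key.yml in `filter_main_explorer` (`Image|endswith: 'C:\Windows\explorer.exe'`) and `filter_optional_eclipse` (`Image|endswith: 'C:\eclipse\eclipse.exe'`).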
+++ b/rules/windows/registry/registry_delete/registry_delete_defender_context_menu.yml @@ -12,6 +12,7 @@ references: - https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/ author: 'Matt Anderson (Huntress)' date: 2025-07-11 +modified: 2025-10-07 tags: - attack.defense-evasion logsource: @@ -20,7 +21,13 @@ logsource: detection: selection: TargetObject|contains: 'shellex\ContextMenuHandlers\EPP' - condition: selection + filter_main_defender: + Image|startswith: + - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' + - 'C:\Program Files\Windows Defender\' + - 'C:\Program Files (x86)\Windows Defender\' + Image|endswith: '\MsMpEng.exe' + condition: selection and not 1 of filter_main_* falsepositives: - Unlikely as this weakens defenses and normally would not be done even if using another AV. level: medium diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml index 0d00f1589..3324fac1b 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml +++ b/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml @@ -7,7 +7,7 @@ references: - https://seclists.org/fulldisclosure/2020/Mar/45 author: frack113 date: 2021-06-07 -modified: 2023-02-08 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.t1562.001 
@@ -16,11 +16,16 @@ logsource: category: registry_delete detection: selection: - EventType: DeleteKey TargetObject|endswith: - '{2781761E-28E0-4109-99FE-B9D127C57AFE}' # IOfficeAntiVirus - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}' # ProtectionManagement.dll - condition: selection + filter_main_defender: + Image|startswith: + - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' + - 'C:\Program Files\Windows Defender\' + - 'C:\Program Files (x86)\Windows Defender\' + Image|endswith: '\MsMpEng.exe' + condition: selection and not 1 of filter_main_* falsepositives: - Unlikely level: high diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml index e62321bb0..fd3c00d15 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml +++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml @@ -12,7 +12,7 @@ references: - https://learn.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020-05-02 -modified: 2025-07-11 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.t1112 
@@ -21,50 +21,76 @@ logsource: category: registry_delete detection: selection: - EventType: 'DeleteKey' TargetObject|endswith: '\shell\open\command' - filter_svchost: + filter_main_explorer: + Image|endswith: 'C:\Windows\explorer.exe' + filter_main_svchost: Image: 'C:\Windows\system32\svchost.exe' - filter_office: - Image|startswith: - - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' - - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' - Image|endswith: '\OfficeClickToRun.exe' - filter_integrator: + filter_main_msiexec: Image: - - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe' - - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' - filter_dropbox: + - 'C:\Windows\System32\msiexec.exe' + - 'C:\Windows\SysWOW64\msiexec.exe' + filter_main_generic_prorams: + Image|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + filter_main_openwith: + Image: 'C:\Windows\System32\OpenWith.exe' + filter_optional_dropbox: Image|endswith: '\Dropbox.exe' # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT) TargetObject|contains: '\Dropbox.' - filter_wireshark: + filter_optional_wireshark: Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe' # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT) TargetObject|contains: '\wireshark-capture-file\' - filter_opera: - Image|startswith: - - 'C:\Program Files\Opera\' - - 'C:\Program Files (x86)\Opera\' - Image|endswith: '\installer.exe' - filter_peazip: + filter_optional_peazip: Image|contains: 'peazip' # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT) TargetObject|contains: '\PeaZip.' - filter_everything: + filter_optional_everything: Image|endswith: '\Everything.exe' # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT) TargetObject|contains: '\Everything.' 
- filter_uninstallers: + filter_optional_uninstallers: # This image path is linked with different uninstallers when running as admin unfortunately Image|startswith: 'C:\Windows\Installer\MSI' - filter_java: + filter_optional_java: Image|startswith: 'C:\Program Files (x86)\Java\' Image|endswith: '\installer.exe' TargetObject|contains: '\Classes\WOW6432Node\CLSID\{4299124F-F2C3-41b4-9C73-9236B2AD0E8F}' - filter_edgeupdate: + filter_optional_edgeupdate: Image|contains: '\Microsoft\EdgeUpdate\Install' - condition: selection and not 1 of filter_* + filter_optional_avira: + Image: + - 'C:\Program Files (x86)\Avira\Antivirus\' + - 'C:\Program Files\Avira\Antivirus\' + TargetObject|endswith: + - '\CLSID\{305CA226-D286-468e-B848-2B2E8E697B74}\Shell\Open\Command' + - '\AntiVir.Keyfile\shell\open\command' + filter_optional_installer_temp: + - Image|contains|all: + - 'AppData\Local\Temp' + - '\setup.exe' + - Image|contains|all: + - '\Temp\is-' + - '\target.tmp' + filter_optional_ninite: + Image|endswith: '\ninite.exe' + filter_optional_discord: + Image|endswith: '\reg.exe' + TargetObject|endswith: '\Discord\shell\open\command' + filter_optional_spotify: + Image|endswith: '\Spotify.exe' + TargetObject|endswith: '\Spotify\shell\open\command' + filter_optional_eclipse: + Image|endswith: 'C:\eclipse\eclipse.exe' + TargetObject|contains: '_Classes\eclipse+' + filter_optional_teamviewer: + Image|contains|all: + - '\Temp' + - '\TeamViewer' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - - Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered + - Legitimate software (un)installations are known to cause false positives. Please add them as a filter when encountered level: medium 
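Review bot: `filter_optional_avira` compares `Image:` exactly against two directory prefixes ending in a backslash (`'C:\Program Files (x86)\Avira\Antivirus\'`, `'C:\Program Files\Avira\Antivirus\'`); an exact match against a directory never equals an executable path, so this filter can never fire and the Avira deletions it was added for will keep alerting — it should be `Image|startswith:` with the same two values. `filter_main_generic_prorams` is misspelled (`filter_main_generic_programs`). That filter is also a `filter_main_` that drops every event from any binary under `C:\Program Files\` or `C:\Program Files (x86)\`, a large always-on exclusion for a defense-evasion rule; if that breadth is intended, a comment on the filter line saying so would help, otherwise `filter_optional_` fits better.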
diff --git a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml index 4905def49..1ca62428c 100644 --- a/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml +++ b/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network author: frack113 date: 2022-04-04 -modified: 2024-03-25 +modified: 2025-10-07 tags: - attack.defense-evasion - attack.t1564.001 @@ -26,6 +26,10 @@ detection: TargetObject|endswith: - '\Control\SafeBoot\Minimal\SAVService\(Default)' - '\Control\SafeBoot\Network\SAVService\(Default)' + filter_optional_mbamservice: + Image|endswith: '\MBAMInstallerService.exe' + TargetObject|endswith: '\MBAMService\(Default)' + Details: 'Service' condition: selection and not 1 of filter_optional_* falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml index 74d2d0610..dda434e68 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml @@ -12,7 +12,7 @@ references: - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019-10-25 -modified: 2025-06-16 +modified: 2025-10-07 tags: - attack.persistence - attack.t1547.001 
@@ -20,9 +20,9 @@ logsource: category: registry_set product: windows detection: - current_version_base: + selection_current_version_base: TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion' - current_version_keys: + selection_current_version_keys: TargetObject|contains: - '\ShellServiceObjectDelayLoad' - '\Run\' @@ -44,7 +44,7 @@ detection: - '\Authentication\PLAP Providers' - '\Authentication\Credential Providers' - '\Authentication\Credential Provider Filters' - filter_all: + filter_main_all: - Details: '(Empty)' - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount' - Image|endswith: 
@@ -61,85 +61,111 @@ detection: - 'C:\Program Files\Everything\Everything.exe' - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe' - filter_logonui: + filter_main_logonui: Image: 'C:\Windows\system32\LogonUI.exe' TargetObject|contains: - '\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\' # PIN - '\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\' # fingerprint - '\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\' # facial recognizion - '\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\' # Trusted Signal (Phone proximity, Network location) - filter_edge: + filter_main_edge: Image|startswith: - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\' - 'C:\Program Files (x86)\Microsoft\EdgeWebView\' - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' - filter_dropbox: + filter_main_officeclicktorun: + Image|startswith: + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' + Image|endswith: '\OfficeClickToRun.exe' + filter_main_defender: + Image: 'C:\Program Files\Windows Defender\MsMpEng.exe' + filter_main_teams: + Image|endswith: '\Microsoft\Teams\current\Teams.exe' + Details|contains: '\Microsoft\Teams\Update.exe --processStart ' + filter_main_ctfmon: + Image: 'C:\Windows\system32\userinit.exe' + Details: 'ctfmon.exe /n' + filter_optional_dropbox: Image: 'C:\Windows\system32\regsvr32.exe' TargetObject|contains: 'DropboxExt' Details|endswith: 'A251-47B7-93E1-CDD82E34AF8B}' - filter_opera: + filter_optional_opera_1: TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant' Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe' - filter_itunes: + filter_optional_opera_2: + TargetObject|endswith: 
'\Software\Microsoft\Windows\CurrentVersion\Run\Opera Stable' + Details: + - 'C:\Program Files\Opera\launcher.exe' + - 'C:\Program Files (x86)\Opera\launcher.exe' + filter_optional_itunes: TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper' Details: '"C:\Program Files\iTunes\iTunesHelper.exe"' - filter_zoom: + filter_optional_zoom: TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair' Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair' - filter_greenshot: + filter_optional_greenshot: TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot' Details: 'C:\Program Files\Greenshot\Greenshot.exe' - filter_googledrive1: + filter_optional_googledrive1: TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS' Details|startswith: 'C:\Program Files\Google\Drive File Stream\' Details|contains: '\GoogleDriveFS.exe' - filter_googledrive2: + filter_optional_googledrive2: TargetObject|contains: 'GoogleDrive' Details: - '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}' - '{A8E52322-8734-481D-A7E2-27B309EF8D56}' - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}' - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}' - filter_onedrive: + filter_optional_onedrive: Details|startswith: - 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\' - 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\' Details|contains: '\AppData\Local\Microsoft\OneDrive\' - filter_python: + filter_optional_python: TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{' Details|contains|all: - '\AppData\Local\Package Cache\{' - '}\python-' Details|endswith: '.exe" /burn.runonce' - filter_officeclicktorun: - Image|startswith: - - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' - - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' - Image|endswith: '\OfficeClickToRun.exe' - filter_defender: - Image: 'C:\Program Files\Windows Defender\MsMpEng.exe' - filter_teams: 
- Image|endswith: '\Microsoft\Teams\current\Teams.exe' - Details|contains: '\Microsoft\Teams\Update.exe --processStart ' - filter_ctfmon: - Image: 'C:\Windows\system32\userinit.exe' - Details: 'ctfmon.exe /n' - filter_AVG: - Image|startswith: 'C:\Program Files\AVG\Antivirus\Setup\' + filter_optional_AVG_setup: + Image|contains: + - 'C:\Program Files\AVG\Antivirus\Setup\' + - 'C:\Program Files (x86)\AVG\Antivirus\Setup\' + - '\instup.exe' Details: - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui' - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui' - '{472083B0-C522-11CF-8763-00608CC02F24}' - filter_aurora_dashboard: + - '{472083B1-C522-11CF-8763-00608CC02F24}' + filter_optional_Avast: + Image|contains: + - 'C:\Program Files\Avast Software\Avast\Setup\' + - 'C:\Program Files (x86)\Avast Software\Avast\Setup\' + - '\instup.exe' + Details: + - '"C:\Program Files\Avast Software\Avast\AvLaunch.exe" /gui' + - '"C:\Program Files (x86)\Avast Software\Avast\AvLaunch.exe" /gui' + filter_optional_AVG_avgtoolsvc: + Image: + - 'C:\Program Files\AVG\Antivirus\avgToolsSvc.exe' + - 'C:\Program Files (x86)\AVG\Antivirus\avgToolsSvc.exe' + TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\' + Details: 'Binary Data' + filter_optional_aurora_dashboard: Image|endswith: - '\aurora-agent-64.exe' - '\aurora-agent.exe' TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard' Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe' - filter_everything: + filter_optional_everything: TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything' Details|endswith: '\Everything\Everything.exe" -startup' # We remove the starting part as it could be installed in different locations - condition: all of current_version_* and not 1 of filter_* + filter_optional_discord: + TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Discord' + Details|endswith: '\Discord\Update.exe 
--processStart Discord.exe' + condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml index 01874b6eb..d26238dae 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml @@ -11,7 +11,7 @@ references: - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019-10-25 -modified: 2025-07-04 +modified: 2025-10-07 tags: - attack.persistence - attack.t1547.001 @@ -55,6 +55,17 @@ detection: filter_main_runtimebroker: Image: 'C:\Windows\System32\RuntimeBroker.exe' TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost' + filter_optional_avguard: + Image|startswith: + - 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe' + - 'C:\Program Files\Avira\Antivirus\avguard.exe' + TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\' + TargetObject|endswith: + - '\userinit\UseAsDefault' + - '\shell\UseAsDefault' + Details: + - 'explorer.exe' + - 'C:\Windows\system32\userinit.exe,' filter_optional_edge: Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\' Image|endswith: '\MicrosoftEdgeUpdate.exe' 
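Review bot: In `filter_optional_AVG_setup` and `filter_optional_Avast` the `Image|contains` list mixes two directory prefixes with `'\instup.exe'`, and a list under one modifier is an OR, so any image path containing `\instup.exe` satisfies the image part on its own and the two `Setup\` directories add nothing. If the intent is directory AND file name, split it into `Image|startswith:` holding the two `Setup\` paths and `Image|endswith: '\instup.exe'`; if `instup.exe` from any location is meant, the directory entries can be dropped. The `Details` constraints still limit what is excluded, so the practical effect is small, but the list as written expresses neither reading.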
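Review bot: `filter_optional_avguard` uses `Image|startswith` with two complete executable paths (`'C:\Program Files\Avira\Antivirus\avguard.exe'` and the x86 variant); a prefix match on a full file path reads as an exact match with a loose edge. Use `Image:` with the same two values, which is the form the sibling `filter_main_runtimebroker` in this file uses. The combined `TargetObject|contains` on the `Overwrite_Keys\...\Winlogon\` path with `TargetObject|endswith` is tight, so the filter is otherwise well scoped.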
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml index cfbaa067c..98d279b37 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml @@ -11,7 +11,7 @@ references: - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019-10-25 -modified: 2023-08-17 +modified: 2025-10-07 tags: - attack.persistence - attack.t1547.001 @@ -19,11 +19,11 @@ logsource: category: registry_set product: windows detection: - office: + selection_office_root: TargetObject|contains: - '\Software\Wow6432Node\Microsoft\Office' - '\Software\Microsoft\Office' - office_details: + selection_office_details: TargetObject|contains: - '\Word\Addins' - '\PowerPoint\Addins' @@ -32,9 +32,9 @@ detection: - '\Excel\Addins' - '\Access\Addins' - 'test\Special\Perf' - filter_empty: + filter_main_empty: Details: '(Empty)' - filter_known_addins: + filter_main_known_addins: Image|startswith: - 'C:\Program Files\Microsoft Office\' - 'C:\Program Files (x86)\Microsoft Office\' 
@@ -62,15 +62,22 @@ detection: - '\Outlook\Addins\UCAddin.LyncAddin.1' - '\Outlook\Addins\UCAddin.UCAddin.1' - '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\' - filter_officeclicktorun: + filter_main_officeclicktorun: Image|startswith: - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' Image|endswith: '\OfficeClickToRun.exe' - filter_avg: - Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe' + filter_optional_avg: + Image: + - 'C:\Program Files\AVG\Antivirus\RegSvr.exe' + - 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe' TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\' - condition: office and office_details and not 1 of filter_* + filter_optional_avast: + Image: + - 'C:\Program Files\Avast Software\Avast\RegSvr.exe' + - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe' + TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\' + condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_* fields: - SecurityID - ObjectName diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml index d1f91723b..9363958fd 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml @@ -12,7 +12,7 @@ references: - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019-10-25 -modified: 2023-08-17 +modified: 2025-10-07 tags: - attack.persistence - attack.t1547.001 
@@ -35,47 +35,14 @@ detection:
             - '\Explorer\ShellExecuteHooks'
             - '\Explorer\SharedTaskScheduler'
             - '\Explorer\Browser Helper Objects'
-    filter_empty:
+    filter_main_empty:
         Details: '(Empty)'
-    filter_edge:
-        Image|contains|all:
-            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
-            - '\setup.exe'
-    filter_msoffice1:
-        Image: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe'
-        TargetObject|contains: '\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\'
-    filter_msoffice2:
-        Image:
-            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
-            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
-        TargetObject|contains: '\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\'
-    filter_dropbox:
-        - Details|endswith: '-A251-47B7-93E1-CDD82E34AF8B}'
-        - Details: 'grpconv -o'
-        - Details|contains|all:
-            - 'C:\Program Files'
-            - '\Dropbox\Client\Dropbox.exe'
-            - ' /systemstartup'
-    filter_evernote:
-        TargetObject|endswith: '\Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer'
-    filter_dotnet:
-        Image|contains: '\windowsdesktop-runtime-'
-        TargetObject|endswith:
-            - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}'
-            - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}'
-        Details|startswith: '"C:\ProgramData\Package Cache\'
-        Details|endswith: '.exe" /burn.runonce'
-    filter_office:
-        Image|startswith:
-            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
-            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
-        Image|endswith: '\OfficeClickToRun.exe'
-    filter_ms_win_desktop_runtime:
+    filter_main_ms_win_desktop_runtime:
         Details|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-'
-    filter_vcredist:
+    filter_main_vcredist:
         Image|endswith: '\VC_redist.x64.exe'
         Details|endswith: '}\VC_redist.x64.exe" /burn.runonce'
-    filter_upgrades:
+    filter_main_upgrades:
         Image|startswith:
             - 'C:\ProgramData\Package Cache'
             - 'C:\Windows\Temp\'
@@ -84,19 +51,65 @@ detection:
             - '\windowsdesktop-runtime-' # C:\WINDOWS\Temp\{751E2E78-46DC-4376-9205-99219CDC34AE}\.be\windowsdesktop-runtime-6.0.12-win-x86.exe
             - '\AspNetCoreSharedFrameworkBundle-' # "C:\ProgramData\Package Cache\{b52191c1-a9c0-4b34-9a4e-930c2dd8a540}\AspNetCoreSharedFrameworkBundle-x86.exe" /burn.runonce
         Details|endswith: ' /burn.runonce'
-    filter_uninstallers:
+    filter_main_uninstallers:
         # This image path is linked with different uninstallers when running as admin unfortunately
         Image|startswith: 'C:\Windows\Installer\MSI'
         TargetObject|contains: '\Explorer\Browser Helper Objects'
-    filter_msiexec:
+    filter_main_msiexec:
         Image: 'C:\WINDOWS\system32\msiexec.exe'
         TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\'
-    condition: all of selection_wow_current_version_* and not 1 of filter_*
-fields:
-    - SecurityID
-    - ObjectName
-    - OldValueType
-    - NewValueType
+    filter_main_edge:
+        Image|contains|all:
+            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
+            - '\setup.exe'
+    filter_optional_msoffice1:
+        Image: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe'
+        TargetObject|contains: '\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\'
+    filter_optional_msoffice2:
+        Image:
+            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
+            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
+        TargetObject|contains: '\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\'
+    filter_optional_dropbox:
+        - Details|endswith: '-A251-47B7-93E1-CDD82E34AF8B}'
+        - Details: 'grpconv -o'
+        - Details|contains|all:
+            - 'C:\Program Files'
+            - '\Dropbox\Client\Dropbox.exe'
+            - ' /systemstartup'
+    filter_optional_evernote:
+        TargetObject|endswith: '\Explorer\Browser Helper Objects\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\NoExplorer'
+    filter_optional_dotnet:
+        Image|contains: '\windowsdesktop-runtime-'
+        TargetObject|endswith:
+            - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}'
+            - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}'
+        Details|startswith: '"C:\ProgramData\Package Cache\'
+        Details|endswith: '.exe" /burn.runonce'
+    filter_optional_office:
+        Image|startswith:
+            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
+        Image|endswith: '\OfficeClickToRun.exe'
+    filter_optional_discord:
+        TargetObject|endswith: '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Discord'
+        Details|endswith: 'Discord.exe --checkInstall'
+    filter_optional_avira:
+        Details|endswith: '\Avira.OE.Setup.Bundle.exe" /burn.runonce'
+        Image|endswith: '\Avira.OE.Setup.Bundle.exe'
+    filter_optional_avg_1:
+        Image|endswith: '\instup.exe'
+        TargetObject|endswith: '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair'
+        Details|endswith: 'instup.exe" /instop:repair /wait'
+    filter_optional_avg_2:
+        Image|endswith: '\instup.exe'
+        TargetObject|endswith:
+            - '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg\(Default)'
+            - '\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00asw\(Default)'
+        Details:
+            - '{472083B1-C522-11CF-8763-00608CC02F24}'
+            - '{472083B0-C522-11CF-8763-00608CC02F24}'
+    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
     - Legitimate administrator sets up autorun keys for legitimate reason
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
index 4049e8a83..dcba95424 100644
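Review bot: Several of the new `filter_optional_*` entries are keyed only on names that the writer of the key chooses: `filter_optional_discord` has no `Image` field at all and matches on `TargetObject|endswith '...\Run\Discord'` plus `Details|endswith 'Discord.exe --checkInstall'`, and `filter_optional_avira`, `filter_optional_avg_1` and `filter_optional_avg_2` constrain the image only with `Image|endswith` (`\Avira.OE.Setup.Bundle.exe`, `\instup.exe`), so a Run/RunOnce value written from any directory by a binary of that name is excluded. `filter_main_msiexec` and `filter_main_edge` in the same hunk anchor on a full or prefixed path; the optional filters should do the same with an `Image|startswith:` on the observed install directory where it is known, or at least carry a comment such as `# Note: name-only exclusion, process path not anchored` so the weaker tier is explicit. The condition now reads `all of selection_*` instead of `all of selection_wow_current_version_*`, which is equivalent only if every selection in the rule carries that prefix; the selections are outside this hunk, so that cannot be checked here. The detection block starts before this hunk.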
--- a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml
@@ -9,7 +9,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
 author: Florian Roth (Nextron Systems), frack113
 date: 2022-05-02
-modified: 2023-08-17
+modified: 2025-10-07
 tags:
     - attack.defense-evasion
     - attack.t1112
@@ -17,7 +17,7 @@ logsource:
     category: registry_set
     product: windows
 detection:
-    selection_1:
+    selection_service_start:
         TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
         TargetObject|endswith: '\Start'
         Image|contains:
@@ -30,7 +30,7 @@ detection:
             - 'DWORD (0x00000001)' # System
             - 'DWORD (0x00000002)' # Automatic
             # 3 - Manual , 4 - Disabled
-    selection_2:
+    selection_service_imagepath:
         TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
         TargetObject|endswith: '\ImagePath'
         Details|contains:
@@ -38,11 +38,15 @@ detection:
             - '\Perflogs\'
             - '\ADMIN$\'
             - '\Temp\'
-    filter_1:
+    filter_optional_avast:
         Image|contains|all: # Filter FP with Avast software
             - '\Common Files\'
             - '\Temp\'
-    condition: 1 of selection_* and not 1 of filter_*
+    filter_optional_mbamservice:
+        TargetObject|endswith: '\CurrentControlSet\Services\MBAMInstallerService\ImagePath'
+        Details|endswith: '\AppData\Local\Temp\MBAMInstallerService.exe"'
+        Image: 'C:\Windows\system32\services.exe'
+    condition: 1 of selection_* and not 1 of filter_optional_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
index 5f7f98775..2f7665b2d 100644
--- a/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
+++ b/rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
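Review bot: `filter_optional_mbamservice` is anchored on `Image: 'C:\Windows\system32\services.exe'`, but services.exe is, as a rule, the process that writes the `Services\<name>\ImagePath` value for any service registered through the SCM, so that field does not single out the Malwarebytes installer; the exclusion effectively rests on the service name `MBAMInstallerService` and a binary name under `\AppData\Local\Temp\`, both chosen by whoever registers the service — which is exactly what `selection_service_imagepath` is meant to catch. That is tolerable for a `filter_optional_` entry but should be stated next to it, e.g. `# Note: name-based exclusion; services.exe is the writer for any SCM-registered service`. If the observed events show the installer itself rather than services.exe as Image, that path would be the stronger anchor.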
@@ -16,6 +16,7 @@ references:
     - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
 author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
 date: 2023-12-21
+modified: 2025-10-08
 tags:
     - attack.defense-evasion
     - attack.impact
@@ -41,6 +42,12 @@ detection:
     filter_main_svchost:
         # Note: Excluding GPO changes
         Image|endswith: '\svchost.exe'
+    filter_main_empty:
+        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
+        Details: '(Empty)'
+    filter_main_explorer:
+        # Normally Explorer.exe is the process that changes the desktop background
+        Image|endswith: 'C:\Windows\Explorer.EXE'
     condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_*
 falsepositives:
     - Administrative scripts that change the desktop background to a company logo or other image.
diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
index 460b38b7c..fb0b11414 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml
@@ -8,7 +8,7 @@ references:
     - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-01
-modified: 2023-08-17
+modified: 2025-10-07
 tags:
     - attack.defense-evasion
 logsource:
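Review bot: `filter_main_explorer` pairs `Image|endswith` with the absolute value `'C:\Windows\Explorer.EXE'`; the match still works (Sigma string matching is case-insensitive by default, so the `.EXE` casing is irrelevant as well), but a full path belongs under a plain `Image:` key, `Image: 'C:\Windows\explorer.exe'`, which is how the sibling rules in this commit write full-path exclusions, and `endswith` on an absolute path reads as if a suffix match were intended. `filter_main_empty` correctly pins both the `\Control Panel\Desktop\Wallpaper` value and the `(Empty)` data. The selection blocks these filters apply to start before this hunk.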
@@ -25,9 +25,18 @@ detection:
             - '\Enable'
             - '\Start'
         Details: DWORD (0x00000000)
-    filter_wevtutil:
+    filter_main_wevtutil:
         Image: 'C:\Windows\system32\wevtutil.exe'
-    condition: all of selection_* and not 1 of filter_*
+    filter_main_defender:
+        Image|startswith:
+            - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+            - 'C:\Program Files\Windows Defender\'
+            - 'C:\Program Files (x86)\Windows Defender\'
+        Image|endswith: '\MsMpEng.exe'
+        TargetObject|contains:
+            - '\DefenderApiLogger\'
+            - '\DefenderAuditLogger\'
+    condition: all of selection_* and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: high
diff --git a/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml b/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
index 8f0d08d4e..c861cf28a 100644
--- a/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
+++ b/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml
@@ -9,7 +9,7 @@ references:
     - https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-16
-modified: 2023-08-17
+modified: 2025-10-07
 tags:
     - attack.defense-evasion
 logsource:
@@ -25,7 +25,17 @@ detection:
         Image:
             - 'C:\Windows\explorer.exe'
             - 'C:\Windows\System32\ie4uinit.exe'
-    condition: selection and not 1 of filter_main_*
+    filter_optional_avira:
+        Image|contains|all:
+            - '\Temp\'
+            - '\.cr\avira_'
+        Details|contains: 'DWORD (0x00000001)'
+    filter_optional_foxit:
+        Image:
+            - 'C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
+            - 'C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe'
+        Details|contains: 'DWORD (0x00000001)'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - As this is controlled by group policy as well as user settings. Some false positives may occur.
 level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
index e5713848a..903ba29c2 100644
--- a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
@@ -13,6 +13,7 @@ references:
     - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
 author: Anish Bogati
 date: 2023-11-28
+modified: 2025-10-08
 tags:
     - attack.persistence
     - attack.t1546.007
@@ -23,7 +24,13 @@ detection:
     selection:
         TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
         Details|contains: '.dll'
-    condition: selection
+    filter_main_poqexec:
+        Image: 'C:\Windows\System32\poqexec.exe'
+        Details:
+            - 'ipmontr.dll'
+            - 'iasmontr.dll'
+            - 'ippromon.dll'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Legitimate helper added by different programs and the OS
 level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
index fd2950617..c7f94c19c 100644
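Review bot: `filter_optional_avira` identifies the Avira installer only through `Image|contains|all` on `\Temp\` and `\.cr\avira_`, i.e. any process running from a temporary directory whose path contains that substring, and both new filters use `Details|contains: 'DWORD (0x00000001)'` where `Details: 'DWORD (0x00000001)'` states the intent exactly and matches how the `Details` values are written elsewhere in this commit. A temp-directory anchor is weak for an exclusion; if the extracted installer's file name is stable, an `Image|endswith:` with that name would narrow it, otherwise a comment such as `# Note: matches the Avira installer running from a temp path containing \.cr\avira_; path anchor is weak` should record the trade-off. `filter_optional_foxit` is correctly pinned to the two full install paths. The `filter_main_*` entries and the selection start before this hunk.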
--- a/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_office_vsto.yml
@@ -7,7 +7,7 @@ references:
     - https://vanmieghem.io/stealth-outlook-persistence/
 author: Bhabesh Raj
 date: 2021-01-10
-modified: 2023-08-28
+modified: 2025-10-07
 tags:
     - attack.t1137.006
     - attack.persistence
@@ -22,24 +22,46 @@ detection:
             - '\Software\Microsoft\Office\Excel\Addins\'
             - '\Software\Microsoft\Office\Powerpoint\Addins\'
             - '\Software\Microsoft\VSTO\Security\Inclusion\'
-    filter_image:
-        Image|endswith:
-            - '\msiexec.exe'
-            - '\regsvr32.exe' # e.g. default Evernote installation
-    # triggered by a default Office 2019 installation
-    filter_office:
+    filter_main_system:
+        Image:
+            - 'C:\Windows\System32\msiexec.exe'
+            - 'C:\Windows\SysWOW64\msiexec.exe'
+            - 'C:\Windows\System32\regsvr32.exe'
+            - 'C:\Windows\SysWOW64\regsvr32.exe' # e.g. default Evernote installation
+    filter_main_office_click_to_run:
+        Image|startswith:
+            - 'C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\'
+            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+        Image|endswith: '\OfficeClickToRun.exe'
+    filter_main_integrator:
+        Image:
+            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
+            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
+    filter_main_office_apps:
+        Image|startswith:
+            - 'C:\Program Files\Microsoft Office\OFFICE'
+            - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
+            - 'C:\Program Files\Microsoft Office\Root\OFFICE'
+            - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
         Image|endswith:
             - '\excel.exe'
-            - '\integrator.exe'
-            - '\OfficeClickToRun.exe'
-            - '\winword.exe'
+            - '\Integrator.exe'
+            - '\outlook.exe'
+            - '\powerpnt.exe'
+            - '\Teams.exe'
             - '\visio.exe'
-    filter_teams:
-        Image|endswith: '\Teams.exe'
-    filter_avg:
-        Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+            - '\winword.exe'
+    filter_optional_avg:
+        Image:
+            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+            - 'C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe'
         TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
-    condition: selection and not 1 of filter_*
+    filter_optional_avast:
+        Image:
+            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
+            - 'C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe'
+        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
+    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Legitimate Addin Installation
 level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
index 58872729d..4112d87e0 100644
--- a/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml
@@ -11,7 +11,7 @@ references:
     - https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html
 author: frack113
 date: 2023-01-27
-modified: 2024-07-03
+modified: 2025-10-07
 tags:
     - attack.defense-evasion
     - attack.t1036.003
@@ -22,9 +22,8 @@ detection:
     selection_main:
         TargetObject|contains: '\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
     selection_susp_paths:
-        Image|contains:
-            - '\AppData\Local\Temp\'
-            - '\Users\Public\'
+        Image|contains: '\Users\Public\'
+        # - '\AppData\Local\Temp\' # Commented out as it's used by legitimate installers
     selection_susp_images:
         Image|endswith:
             - '\reg.exe'
diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
index a6f9821c2..6fdf9bcb6 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml
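Review bot: `filter_main_office_click_to_run` lists `'C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\'`, which looks like a transposition of `'C:\Program Files (x86)\Common Files\Microsoft Shared\ClickToRun\'`; the office rule earlier in this commit uses only the `C:\Program Files\Common Files\...` form, so the 32-bit layout actually observed should be confirmed before either spelling is kept. In `filter_main_office_apps`, the `'\Integrator.exe'` entry can never match: every `Image|startswith` prefix ends in `\OFFICE`, while integrator.exe lives under `\root\integration\` and is already covered by `filter_main_integrator`, so the entry is dead and should be dropped. `'\Teams.exe'` is in the same position unless Teams.exe ships inside an `OFFICE*` directory, which is worth checking because the removed `filter_teams` matched it from any path and the new placement may have silently re-enabled alerts on it. The selection block these filters apply to starts before this hunk.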
@@ -7,7 +7,7 @@ references:
     - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
 author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing, Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2018-08-25
-modified: 2025-02-17
+modified: 2025-10-06
 tags:
     - attack.persistence
     - attack.t1547.001
@@ -55,7 +55,14 @@ detection:
         Details|contains:
             - '\AppData\Local\Temp\'
             - 'C:\Windows\Temp\'
-    condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_* )) and not 1 of filter_main_*
+    filter_optional_spotify:
+        Image|endswith:
+            - 'C:\Program Files\Spotify\Spotify.exe'
+            - 'C:\Program Files (x86)\Spotify\Spotify.exe'
+            - '\AppData\Roaming\Spotify\Spotify.exe'
+        TargetObject|endswith: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify'
+        Details|endswith: 'Spotify.exe --autostart --minimized'
+    condition: selection_target and (selection_suspicious_paths_1 or (all of selection_suspicious_paths_user_* )) and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
     - Software using weird folders for updates
 level: high
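Review bot: `filter_optional_spotify` excludes `\AppData\Roaming\Spotify\Spotify.exe` together with the `...\Run\Spotify` value and `Spotify.exe --autostart --minimized` data — all names the key writer chooses, since the per-user install directory is user-writable — whereas the first two `Image|endswith` entries are full `Program Files` paths. Keeping it in the `filter_optional_` tier is appropriate, but a comment should record why the third entry is weaker than the other two, e.g. `# Note: per-user install under AppData; exclusion relies on process, value and data names only`. The rule's selections and `filter_main_*` entries start before this hunk.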