Rules Contributing to Suspicious Process Creation Commandline Alert
The following rules are used to identify suspicious activity relating to command-line process creation. Any one or more of these will trigger the Suspicious Process Creation Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title | Description
---|---
SystemNightmare Exploitation Script Execution |
Detects the exploitation of PrintNightmare to get a shell as LOCAL_SYSTEM More details
Rule ID: process_creation_commandline_1
Query: {'selection': {'CommandLine|contains': ['printnightmare.gentilkiwi.com', ' /user:gentilguest ', 'Kiwi Legit Printer']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, c01f7bd6-0c1d-47aa-9c61-187b91273a16
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0004, T1068
References:
Severity: 95
Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Reg Add Open Command |
Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using the DelegateExecute key More details
Rule ID: process_creation_commandline_2
Query: {'selection_1': {'CommandLine|contains|all': ['reg', 'add', 'hkcu\\software\\classes\\ms-settings\\shell\\open\\command', '/ve ', '/d']}, 'selection_2': {'CommandLine|contains|all': ['reg', 'add', 'hkcu\\software\\classes\\ms-settings\\shell\\open\\command', '/v', 'DelegateExecute']}, 'selection_3': {'CommandLine|contains|all': ['reg', 'delete', 'hkcu\\software\\classes\\ms-settings']}, 'condition': '1 of selection_*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, dd3ee8cc-f751-41c9-ba53-5a32ed47e563
Author: frack113
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0006, T1003
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
CL_LoadAssembly.ps1 Proxy Execution |
Detects the use of a Microsoft signed script to execute commands and bypass AppLocker. More details
Rule ID: process_creation_commandline_3
Query: {'selection': {'CommandLine|contains': ['\\CL_LoadAssembly.ps1', 'LoadAssemblyFromPath ']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, c57872c7-614f-4d7f-a40d-b78c8df2d30d
Author: frack113, Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1216
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Characters in CommandLine |
Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion More details
Rule ID: process_creation_commandline_4
Query: {'selection_spacing_modifiers': {'CommandLine|contains': ['ˣ', '˪', 'ˢ']}, 'selection_unicode_slashes': {'CommandLine|contains': ['∕', '⁄']}, 'selection_unicode_hyphens': {'CommandLine|contains': ['―', '—']}, 'condition': '1 of selection*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 2c0d2d7b-30d6-4d14-9751-7b9113042ab9
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures:
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Firewall Disabled via Netsh.EXE |
Detects netsh commands that turn off the Windows firewall More details
Rule ID: process_creation_commandline_5
Query: {'selection_img': [{'Image|endswith': '\\netsh.exe'}, {'OriginalFileName': 'netsh.exe'}], 'selection_cli_1': {'CommandLine|contains|all': ['firewall', 'set', 'opmode', 'disable']}, 'selection_cli_2': {'CommandLine|contains|all': ['advfirewall', 'set', 'state', 'off']}, 'condition': 'selection_img and 1 of selection_cli_*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 57c4bf16-227f-4394-8ec7-1b745ee061c3
Author: Fatih Sirin
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1562.004
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
Ke3chang Registry Key Modifications |
Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020 More details
Rule ID: process_creation_commandline_6
Query: {'selection1': {'CommandLine|contains': ['-Property DWORD -name DisableFirstRunCustomize -value 2 -Force', '-Property String -name Check_Associations -value', '-Property DWORD -name IEHarden -value 0 -Force']}, 'condition': 'selection1'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 7b544661-69fc-419f-9a59-82ccc328f205
Author: Markus Neis, Swisscom
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1562.001
References:
Severity: 95
Suppression Logic Based On
Additional Information
|
||||||||
Potential PowerShell Obfuscation Via WCHAR |
Detects suspicious encoded character syntax often used for defense evasion More details
Rule ID: process_creation_commandline_7
Query: {'selection': {'CommandLine|contains': '(WCHAR)0x'}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, e312efd0-35a1-407f-8439-b8d434b438a6
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures:
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Conti Volume Shadow Listing |
Detects a command used by Conti to find volume shadow backups More details
Rule ID: process_creation_commandline_8
Query: {'selection': {'CommandLine|contains|all': ['vssadmin list shadows', 'log.txt']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 7b30e0a7-c675-4b24-8a46-82fa67e2433d
Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
Tactics, Techniques, and Procedures: TA0042, T1587.001, TA0002, T1059.003
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
InfDefaultInstall.exe .inf Execution |
Executes SCT script using scrobj.dll from a command entered into a specially prepared INF file. More details
Rule ID: process_creation_commandline_9
Query: {'selection': {'CommandLine|contains|all': ['InfDefaultInstall.exe ', '.inf']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, ce7cf472-6fcc-490a-9481-3786840b5d9b
Author: frack113
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1218
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
Root Certificate Installed From Susp Locations |
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. More details
Rule ID: process_creation_commandline_10
Query: {'selection': {'CommandLine|contains|all': ['Import-Certificate', ' -FilePath ', 'Cert:\\LocalMachine\\Root'], 'CommandLine|contains': ['\\AppData\\Local\\Temp\\', ':\\Windows\\TEMP\\', '\\Desktop\\', '\\Downloads\\', '\\Perflogs\\', ':\\Users\\Public\\']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 5f6a601c-2ecb-498b-9c33-660362323afa
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1553.004
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Suspicious PrinterPorts Creation (CVE-2020-1048) |
Detects new commands that add a new printer port which points to a suspicious file More details
Rule ID: process_creation_commandline_11
Query: {'selection1': {'CommandLine|contains': 'Add-PrinterPort -Name'}, 'selection2': {'CommandLine|contains': ['.exe', '.dll', '.bat']}, 'selection3': {'CommandLine|contains': 'Generic / Text Only'}, 'condition': '(selection1 and selection2) or selection3'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, cc08d590-8b90-413a-aff6-31d1a99678d7
Author: EagleEye Team, Florian Roth
Tactics, Techniques, and Procedures:
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
PowerShell Script Run in AppData |
Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder More details
Rule ID: process_creation_commandline_12
Query: {'selection1': {'CommandLine|contains': ['powershell.exe', '\\powershell', '\\pwsh', 'pwsh.exe']}, 'selection2': {'CommandLine|contains|all': ['/c ', '\\AppData\\'], 'CommandLine|contains': ['Local\\', 'Roaming\\']}, 'condition': 'all of selection*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, ac175779-025a-4f12-98b0-acdaeb77ea85
Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
Tactics, Techniques, and Procedures:
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
Potential Remote Desktop Tunneling |
Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination. More details
Rule ID: process_creation_commandline_13
Query: {'selection': {'CommandLine|contains': ':3389'}, 'selection_opt': {'CommandLine|contains': [' -L ', ' -P ', ' -R ', ' -pw ', ' -ssh ']}, 'condition': 'all of selection*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 8a3038e8-9c9d-46f8-b184-66234a160f6f
Author: Tim Rauch, Elastic (idea)
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0008, T1021
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
MSTSC Shadowing |
Detects RDP session hijacking by using MSTSC shadowing More details
Rule ID: process_creation_commandline_14
Query: {'selection': {'CommandLine|contains|all': ['noconsentprompt', 'shadow:']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 6ba5a05f-b095-4f0a-8654-b825f4f16334
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0008, T1563.002
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Scan Loop Network |
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system More details
Rule ID: process_creation_commandline_15
Query: {'selection_loop': {'CommandLine|contains': ['for ', 'foreach ']}, 'selection_tools': {'CommandLine|contains': ['nslookup', 'ping']}, 'condition': 'all of selection_*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, f8ad2e2c-40b6-4117-84d7-20b89896ab23
Author: frack113
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0007, T1018
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
Obfuscated IP Download |
Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in a URL combined with a download command More details
Rule ID: process_creation_commandline_16
Query: {'selection_img': {'CommandLine|contains': ['Invoke-WebRequest', 'iwr ', 'wget ', 'curl ', 'DownloadFile', 'DownloadString']}, 'selection_ip': [{'CommandLine|contains': ['//0x', '.0x', '.00x']}, {'CommandLine|contains|all': ['http://%', '%2e']}], 'condition': 'all of selection*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, cb5a2333-56cf-4562-8fcb-22ba1bca728d
Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)
Tactics, Techniques, and Procedures:
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
MSExchange Transport Agent Installation |
Detects the installation of an Exchange Transport Agent More details
Rule ID: process_creation_commandline_17
Query: {'selection': {'CommandLine|contains': 'Install-TransportAgent'}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 83809e84-4475-4b69-bc3e-4aad8568612f
Author: Tobias Michalski (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0003, T1505.002
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
Pubprn.vbs Proxy Execution |
Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands. More details
Rule ID: process_creation_commandline_18
Query: {'selection': {'CommandLine|contains|all': ['\\pubprn.vbs', 'script:']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 1fb76ab8-fa60-4b01-bddd-71e89bf555da
Author: frack113
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1216.001
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
Tamper Windows Defender Remove-MpPreference |
Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet More details
Rule ID: process_creation_commandline_19
Query: {'selection_remove': {'CommandLine|contains': 'Remove-MpPreference'}, 'selection_tamper': {'CommandLine|contains': ['-ControlledFolderAccessProtectedFolders ', '-AttackSurfaceReductionRules_Ids ', '-AttackSurfaceReductionRules_Actions ', '-CheckForSignaturesBeforeRunningScan ']}, 'condition': 'all of selection_*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 07e3cb2c-0608-410d-be4b-1511cb1a0448
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1562.001
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
AnyDesk Silent Installation |
Detects AnyDesk Remote Desktop silent installation, which can be used by attackers to gain remote access. More details
Rule ID: process_creation_commandline_20
Query: {'selection': {'CommandLine|contains|all': ['--install', '--start-with-win', '--silent']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 114e7f1c-f137-48c8-8f54-3088c24ce4b9
Author: Ján Trenčanský
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0011, T1219
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Execution via CL_Invocation.ps1 |
Detects Execution via SyncInvoke in CL_Invocation.ps1 module More details
Rule ID: process_creation_commandline_21
Query: {'selection': {'CommandLine|contains|all': ['CL_Invocation.ps1', 'SyncInvoke']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, a0459f02-ac51-4c09-b511-b8c9203fc429
Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1216
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Writing Of Malicious Files To The Fonts Folder |
Monitors for the hiding of possibly malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privilege to be written to and executed from. More details
Rule ID: process_creation_commandline_24
Query: {'selection_1': {'CommandLine|contains': ['echo', 'copy', 'type', 'file createnew', 'cacls']}, 'selection_2': {'CommandLine|contains': 'C:\\Windows\\Fonts\\'}, 'selection_3': {'CommandLine|contains': ['.sh', '.exe', '.dll', '.bin', '.bat', '.cmd', '.js', '.msh', '.reg', '.scr', '.ps', '.vb', '.jar', '.pl', '.inf', '.cpl', '.hta', '.msi', '.vbs']}, 'condition': 'all of selection_*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, ae9b0bd7-8888-4606-b444-0ed7410cb728
Author: Sreeman
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1211
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
Suspicious FromBase64String Usage On Gzip Archive - Process Creation |
Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward. More details
Rule ID: process_creation_commandline_25
Query: {'selection': {'CommandLine|contains|all': ['FromBase64String', 'MemoryStream', 'H4sI']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, d75d6b6b-adb9-48f7-824b-ac2e786efe1f
Author: frack113
Tactics, Techniques, and Procedures:
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Usage Of ShellExec_RunDLL |
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the Raspberry Robin attack More details
Rule ID: process_creation_commandline_26
Query: {'selection_openasrundll': {'CommandLine|contains': 'ShellExec_RunDLL'}, 'selection_suspcli': {'CommandLine|contains': ['regsvr32', 'msiexec', '\\Users\\Public\\', 'odbcconf', '\\Desktop\\', '\\Temp\\', 'Invoke-', 'iex', 'comspec']}, 'condition': 'all of selection_*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, d87bd452-6da1-456e-8155-7dc988157b7d
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures:
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Turla Group Lateral Movement |
Detects automated lateral movement by Turla group More details
Rule ID: process_creation_commandline_27
Query: {'selection': {'CommandLine': ['net use \\\\%DomainController%\\C$ "P@ssw0rd" *', 'dir c:\\*.doc* /s', 'dir %TEMP%\\*.exe']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, c601f20d-570a-4cde-a7d6-e17f99cb8e7f
Author: Markus Neis
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0007, T1083, T1135, TA0008, T1021.002
References:
Severity: 95
Suppression Logic Based On
Additional Information
|
||||||||
Netsh RDP Port Opening |
Detects netsh commands that open port 3389 used for RDP, as used in Sarwent malware More details
Rule ID: process_creation_commandline_28
Query: {'selection1': {'CommandLine|contains|all': ['netsh', 'firewall add portopening', 'tcp 3389']}, 'selection2': {'CommandLine|contains|all': ['netsh', 'advfirewall firewall add rule', 'action=allow', 'protocol=TCP', 'localport=3389']}, 'condition': '1 of selection*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 01aeb693-138d-49d2-9403-c4f52d7d3d62
Author: Sander Wiebing
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1562.004
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
PowerShell DownloadFile |
Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line More details
Rule ID: process_creation_commandline_29
Query: {'selection': {'CommandLine|contains|all': ['powershell', '.DownloadFile', 'System.Net.WebClient']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 8f70ac5f-1f6f-4f8e-b454-db19561216c5
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059, TA0011, T1104, T1105
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Powershell Defender Exclusion |
Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets More details
Rule ID: process_creation_commandline_30
Query: {'selection1': {'CommandLine|contains': ['Add-MpPreference ', 'Set-MpPreference ']}, 'selection2': {'CommandLine|contains': [' -ExclusionPath ', ' -ExclusionExtension ', ' -ExclusionProcess ', ' -ExclusionIpAddress ']}, 'condition': 'all of selection*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 17769c90-230e-488b-a463-e05c08e9d48f
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1562.001
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
Lazarus Loaders |
Detects different loaders as described in various threat reports on Lazarus group activity More details
Rule ID: process_creation_commandline_31
Query: {'selection_cmd1': {'CommandLine|contains|all': ['cmd.exe /c ', ' -p 0x']}, 'selection_cmd2': {'CommandLine|contains': ['C:\\ProgramData\\', 'C:\\RECYCLER\\']}, 'selection_rundll1': {'CommandLine|contains|all': ['rundll32.exe ', 'C:\\ProgramData\\']}, 'selection_rundll2': {'CommandLine|contains': ['.bin,', '.tmp,', '.dat,', '.io,', '.ini,', '.db,']}, 'condition': '( selection_cmd1 and selection_cmd2 ) or ( selection_rundll1 and selection_rundll2 )'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 7b49c990-4a9a-4e65-ba95-47c9cc448f6e
Author: Florian Roth (Nextron Systems), wagga
Tactics, Techniques, and Procedures:
References:
Severity: 95
Suppression Logic Based On
Additional Information
|
||||||||
Suspicious GrpConv Execution |
Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors More details
Rule ID: process_creation_commandline_32
Query: {'selection': {'CommandLine|contains': ['grpconv.exe -o', 'grpconv -o']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, f14e169e-9978-4c69-acb3-1cff8200bc36
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0003, T1547
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Disabled RestrictedAdminMode For RDS - ProcCreation |
Detects activation of DisableRestrictedAdmin to disable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised More details
Rule ID: process_creation_commandline_33
Query: {'selection': {'CommandLine|contains|all': ['\\System\\CurrentControlSet\\Control\\Lsa\\', 'DisableRestrictedAdmin', ' 1']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 28ac00d6-22d9-4a3c-927f-bbd770104573
Author: frack113
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1112
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Malicious Base64 Encoded Powershell Invoke Cmdlets |
Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets More details
Rule ID: process_creation_commandline_34
Query: {'selection': {'CommandLine|contains': ['SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA', 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA', 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA', 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA', 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A', 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg', 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA', 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw', 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, fd6e2919-3936-40c9-99db-0aa922c356f7
Author: pH-T (Nextron Systems)
Tactics, Techniques, and Procedures:
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Uninstall Crowdstrike Falcon |
Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon More details
Rule ID: process_creation_commandline_35
Query: {'selection': {'CommandLine|contains|all': ['\\WindowsSensor.exe', ' /uninstall', ' /quiet']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, f0f7be61-9cf5-43be-9836-99d6ef448a18
Author: frack113
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1562.001
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Powershell No File or Command |
Detects suspicious powershell execution that ends with a common flag instead of a command or a filename to execute (could be a sign of implicit execution that uses files in WindowsApps directory) More details
Rule ID: process_creation_commandline_36
Query: {'selection': {'CommandLine|endswith': [' -windowstyle hidden"', ' -windowstyle hidden', " -windowstyle hidden'", ' -w hidden"', ' -w hidden', " -w hidden'", ' -ep bypass"', ' -ep bypass', " -ep bypass'", ' -noni"', ' -noni', " -noni'"]}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, b66474aa-bd92-4333-a16c-298155b120df
Author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059, TA0003, T1053.005
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
New Network Provider - CommandLine |
Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it More details
Rule ID: process_creation_commandline_37
Query: {'selection': {'CommandLine|contains|all': ['\\System\\CurrentControlSet\\Services\\', '\\NetworkProvider']}, 'filter': {'CommandLine|contains': ['\\System\\CurrentControlSet\\Services\\WebClient\\NetworkProvider', '\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider', '\\System\\CurrentControlSet\\Services\\RDPNP\\NetworkProvider']}, 'condition': 'selection and not filter'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0006, T1003
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Turla Group Commands May 2020 |
Detects commands used by Turla group as reported by ESET in May 2020 More details
Rule ID: process_creation_commandline_38
Query: {'selection1': {'CommandLine|contains': ['tracert -h 10 yahoo.com', '.WSqmCons))|iex;', 'Fr`omBa`se6`4Str`ing']}, 'selection2': {'CommandLine|contains|all': ['net use https://docs.live.net', '@aol.co.uk']}, 'condition': '1 of selection*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 9e2e51c5-c699-4794-ba5a-29f5da40ac0c
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059, TA0003, T1053.005, TA0005, T1027
References:
Severity: 95
Suppression Logic Based On
Additional Information
|
||||||||
Potential Data Stealing Via Chromium Headless Debugging |
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control More details
Rule ID: process_creation_commandline_39
Query: {'selection': {'CommandLine|contains|all': ['--remote-debugging-', '--user-data-dir', '--headless']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
Author: Nasreddine Bencherchali (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0009, T1185
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation Via Use MSHTA |
Detects obfuscated PowerShell via use of MSHTA in scripts More details
Rule ID: process_creation_commandline_40
Query: {'selection': {'CommandLine|contains|all': ['set', '&&', 'mshta', 'vbscript:createobject', '.run', '(window.close)']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, ac20ae82-8758-4f38-958e-b44a3140ca88
Author: Nikita Nazarov, oscd.community
Tactics, Techniques, and Procedures:
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Rundll32 Script in CommandLine |
Detects suspicious process related to rundll32 based on arguments More details
Rule ID: process_creation_commandline_41
Query: {'selection': {'CommandLine|contains|all': ['rundll32', 'mshtml,RunHTMLApplication'], 'CommandLine|contains': ['javascript:', 'vbscript:']}, 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
Author: frack113, Zaw Min Htun (ZETA)
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1218.011
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Base64 Encoded Powershell Invoke |
Detects base64 encoded powershell 'Invoke-' call More details
Rule ID: process_creation_commandline_42
Query: {'selection': {'CommandLine|contains': ['SQBuAHYAbwBrAGUALQ', 'kAbgB2AG8AawBlAC0A', 'JAG4AdgBvAGsAZQAtA']}, 'filter_other_rule': {'CommandLine|contains': ['SQBuAHYAbwBrAGUALQBCAGwAbwBvAGQASABvAHUAbgBkA', 'kAbgB2AG8AawBlAC0AQgBsAG8AbwBkAEgAbwB1AG4AZA', 'JAG4AdgBvAGsAZQAtAEIAbABvAG8AZABIAG8AdQBuAGQA', 'SQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoA', 'kAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6A', 'JAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAeg', 'SQBuAHYAbwBrAGUALQBXAE0ASQBFAHgAZQBjA', 'kAbgB2AG8AawBlAC0AVwBNAEkARQB4AGUAYw', 'JAG4AdgBvAGsAZQAtAFcATQBJAEUAeABlAGMA']}, 'condition': 'selection and not 1 of filter*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 6385697e-9f1b-40bd-8817-f4a91f40508e
Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t
Tactics, Techniques, and Procedures:
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
HackTool - Bloodhound/Sharphound Execution |
Detects command line parameters used by Bloodhound and Sharphound hack tools More details
Rule ID: process_creation_commandline_44
Query: {'selection_cli_1': {'CommandLine|contains': [' -CollectionMethod All ', ' --CollectionMethods Session ', ' --Loop --Loopduration ', ' --PortScanTimeout ', '.exe -c All -d ', 'Invoke-Bloodhound', 'Get-BloodHoundData']}, 'selection_cli_2': {'CommandLine|contains|all': [' -JsonFolder ', ' -ZipFileName ']}, 'selection_cli_3': {'CommandLine|contains|all': [' DCOnly ', ' --NoSaveCache ']}, 'condition': '1 of selection_*'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, f376c8a7-a2d0-4ddc-aa0c-16c17236d962
Author: Florian Roth (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059.001, TA0007, T1087, T1482, T1069
References:
Severity: 74
Suppression Logic Based On
Additional Information
|
||||||||
Explorer Process Tree Break |
Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost" More details
Rule ID: process_creation_commandline_45
Query: {'selection': [{'CommandLine|contains': '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}'}, {'CommandLine|contains|all': ['explorer.exe', ' /root,']}], 'condition': 'selection'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 949f1ffb-6e85-4f00-ae1e-c3c5b190d605
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @gott_cyber
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1036
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Del in CommandLine |
Detects suspicious command line to remove an 'exe' or 'dll' More details
Rule ID: process_creation_commandline_46
Query: {'susp_del_exe': {'CommandLine|contains|all': ['del ', '*.exe', '/f ', '/q ']}, 'susp_del_dll': {'CommandLine|contains|all': ['del ', '*.dll', 'C:\\ProgramData\\']}, 'condition': 'susp_del_exe or susp_del_dll'}
Log Source: Stellar Cyber Windows Server Sensor configured for:
Rule Source: SigmaHQ, 204b17ae-4007-471b-917b-b917b315c5db
Author: frack113, X__Junior (Nextron Systems)
Tactics, Techniques, and Procedures: TA0002, T1059.003, TA0005, T1070.004
References:
Severity: 49
Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation COMPRESS OBFUSCATION |
Detects Obfuscated Powershell via COMPRESS OBFUSCATION More details
Rule IDprocess_creation_commandline_47 Query{'selection': {'CommandLine|contains|all': ['new-object', 'text.encoding]::ascii'], 'CommandLine|contains': ['system.io.compression.deflatestream', 'system.io.streamreader', 'readtoend(']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7eedcc9d-9fdb-4d94-9c54-474e8affc0c7 Author: Timur Zinniatullin, oscd.community Tactics, Techniques, and ProceduresReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Operation Wocao Activity |
Detects activity mentioned in Operation Wocao report More details
Rule IDprocess_creation_commandline_48 Query{'selection': {'CommandLine|contains': ['checkadmin.exe 127.0.0.1 -all', 'netsh advfirewall firewall add rule name=powershell dir=in', 'cmd /c powershell.exe -ep bypass -file c:\\s.ps1', '/tn win32times /f', 'create win32times binPath=', '\\c$\\windows\\system32\\devmgr.dll', ' -exec bypass -enc JgAg', 'type *keepass\\KeePass.config.xml', 'iie.exe iie.txt', 'reg query HKEY_CURRENT_USER\\Software\\*\\PuTTY\\Sessions\\']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1cfac73c-be78-4f9a-9b08-5bde0c3953ab Author: Florian Roth (Nextron Systems), frack113 Tactics, Techniques, and ProceduresTA0002, T1059, TA0003, T1053.005, TA0005, T1036.004, T1027, TA0007, T1012 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Fireball Archer Install |
Detects Archer malware invocation via rundll32 More details
Rule IDprocess_creation_commandline_49 Query{'selection': {'CommandLine|contains|all': ['rundll32.exe', 'InstallArcherSvc']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,3d4aebe0-6d29-45b2-a8a4-3dfde586a26d Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218.011 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Zip A Folder With PowerShell For Staging In Temp |
Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration More details
Rule IDprocess_creation_commandline_50 Query{'selection': {'CommandLine|contains|all': ['Compress-Archive ', ' -Path ', ' -DestinationPath ', '$env:TEMP\\']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 Author: Nasreddine Bencherchali (Nextron Systems), frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0009, T1074.001 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Registry Dump of SAM Creds and Secrets |
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored More details
Rule IDprocess_creation_commandline_51 Query{'selection_reg': {'CommandLine|contains': ' save '}, 'selection_key': {'CommandLine|contains': ['HKLM\\sam', 'HKLM\\system', 'HKLM\\security']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0006, T1003.002 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Procdump Evasion |
Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved or copied to a different name More details
Rule IDprocess_creation_commandline_52 Query{'selection1': {'CommandLine|contains': ['copy procdump', 'move procdump']}, 'selection2': {'CommandLine|contains|all': ['copy ', '.dmp '], 'CommandLine|contains': ['2.dmp', 'lsass', 'out.dmp']}, 'selection3': {'CommandLine|contains': ['copy lsass.exe_', 'move lsass.exe_']}, 'condition': '1 of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,79b06761-465f-4f88-9ef2-150e24d3d737 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1036, TA0006, T1003.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Powershell Token Obfuscation - Process Creation |
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation More details
Rule IDprocess_creation_commandline_53 Query{'selection': [{'CommandLine|re': '\\w+`(\\w+|-|.)`[\\w+|\\s]'}, {'CommandLine|re': '"(\\{\\d\\})+"\\s*-f'}, {'CommandLine|re': '\\$\\{((e|n|v)*`(e|n|v)*)+:path\\}|\\$\\{((e|n|v)*`(e|n|v)*)+:((p|a|t|h)*`(p|a|t|h)*)+\\}|\\$\\{env:((p|a|t|h)*`(p|a|t|h)*)+\\}'}], 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,deb9b646-a508-44ee-b7c9-d8965921c6b6 Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1027 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Minimized MSEdge Start |
Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet More details
Rule IDprocess_creation_commandline_54 Query{'selection': {'CommandLine|contains': 'start /min msedge'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,94771a71-ba41-4b6e-a757-b531372eaab6 Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0011, T1105 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious PowerShell Download and Execute Pattern |
Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitively) More details
Rule IDprocess_creation_commandline_55 Query{'selection': {'CommandLine|contains': ['IEX ((New-Object Net.WebClient).DownloadString', 'IEX (New-Object Net.WebClient).DownloadString', 'IEX((New-Object Net.WebClient).DownloadString', 'IEX(New-Object Net.WebClient).DownloadString', ' -command (New-Object System.Net.WebClient).DownloadFile(', ' -c (New-Object System.Net.WebClient).DownloadFile(']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e6c54d94-498c-4562-a37c-b469d8e9a275 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Add User to Local Administrators |
Detects suspicious command line that adds an account to the local administrators/administrateurs group More details
Rule IDprocess_creation_commandline_56 Query{'selection_main': [{'CommandLine|contains|all': ['localgroup ', ' /add']}, {'CommandLine|contains|all': ['Add-LocalGroupMember ', ' -Group ']}], 'selection_group': {'CommandLine|contains': [' administrators ', ' administrateur']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ad720b90-25ad-43ff-9b5e-5c841facc8e5 Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1098 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Taskkill Symantec Endpoint Protection |
Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the command taskkill /im ccSvcHst.exe /f several times, thereby killing the process belonging to the service, and thus shutting down the service. More details
Rule IDprocess_creation_commandline_57 Query{'selection': {'CommandLine|contains|all': ['taskkill', ' /F ', ' /IM ', 'ccSvcHst.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,4a6713f6-3331-11ed-a261-0242ac120002 Author: Ilya Krestinichev, Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1562.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
MsiExec Web Install |
Detects suspicious msiexec process starts with web addresses as parameter More details
Rule IDprocess_creation_commandline_58 Query{'selection': {'CommandLine|contains|all': [' msiexec', '://']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f7b5f842-a6af-4da5-9e95-e32478f3cd2f Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218.007, TA0011, T1105 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
PsExec Service Start |
Detects a PsExec service start More details
Rule IDprocess_creation_commandline_59 Query{'selection': {'CommandLine': 'C:\\Windows\\PSEXESVC.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,3ede524d-21cc-472d-a3ce-d21b568d8db7 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Severity24 Suppression Logic Based On
Additional Information
|
||||||||
Scheduled Task WScript VBScript |
Detects specific process parameters as used by ACTINIUM scheduled task persistence creation. More details
Rule IDprocess_creation_commandline_60 Query{'selection': {'CommandLine|contains|all': ['schtasks', 'create', 'wscript', 'e:vbscript']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e1118a8f-82f5-44b3-bb6b-8a284e5df602 Author: Andreas Hunkeler (@Karneades) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1053.005 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Dropping Of Password Filter DLL |
Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS More details
Rule IDprocess_creation_commandline_61 Query{'selection_cmdline': {'CommandLine|contains|all': ['HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa', 'scecli\\0*', 'reg add']}, 'condition': 'selection_cmdline'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b7966f4a-b333-455b-8370-8ca53c229762 Author: Sreeman Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1556.002 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious UltraVNC Execution |
Detects a suspicious UltraVNC command line flag combination that indicates an auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group) More details
Rule IDprocess_creation_commandline_62 Query{'selection': {'CommandLine|contains|all': ['-autoreconnect ', '-connect ', '-id:']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,871b9555-69ca-4993-99d3-35a59f9f3599 Author: Bhabesh Raj Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0008, T1021.005 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Potential AMSI Bypass Using NULL Bits - ProcessCreation |
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities More details
Rule IDprocess_creation_commandline_63 Query{'selection': {'CommandLine|contains': ["if(0){{{0}}}' -f $(0 -as [char]) +", '#<NULL>']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,92a974db-ab84-457f-9ec0-55db83d7a825 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1562.001 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation CLIP+ Launcher |
Detects Obfuscated use of Clip.exe to execute PowerShell More details
Rule IDprocess_creation_commandline_65 Query{'selection': {'CommandLine|contains|all': ['cmd', '&&', 'clipboard]::', '-f'], 'CommandLine|contains': ['/c', '/r']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b222df08-0e07-11eb-adc1-0242ac120002 Author: Jonathan Cheong, oscd.community Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code |
Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs More details
Rule IDprocess_creation_commandline_67 Query{'selection': {'CommandLine|contains|all': ['\\SyncAppvPublishingServer.vbs', ';']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,36475a7d-0f6d-4dce-9b01-6aeb473bbaf1 Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218, T1216 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Add User to Remote Desktop Users Group |
Detects suspicious command line in which a user gets added to the local Remote Desktop Users group More details
Rule IDprocess_creation_commandline_68 Query{'selection_main': [{'CommandLine|contains|all': ['localgroup ', ' /add']}, {'CommandLine|contains|all': ['Add-LocalGroupMember ', ' -Group ']}], 'selection_group': {'CommandLine|contains': ['Remote Desktop Users', 'Utilisateurs du Bureau à distance', 'Usuarios de escritorio remoto']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ffa28e60-bdb1-46e0-9f82-05f7a61cc06e Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1133, T1136.001, TA0008, T1021.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
GatherNetworkInfo.vbs Script Usage |
Adversaries can abuse the C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target More details
Rule IDprocess_creation_commandline_69 Query{'selection': {'CommandLine|contains|all': ['cscript.exe', 'gatherNetworkInfo.vbs']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,575dce0c-8139-4e30-9295-1ee75969f7fe Author: blueteamer8699 Tactics, Techniques, and ProceduresReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
APT29 |
This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks. More details
Rule IDprocess_creation_commandline_70 Query{'selection': {'CommandLine|contains|all': ['-noni', '-ep', 'bypass', '$']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,033fe7d6-66d1-4240-ac6b-28908009c71f Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious WMIC ActiveScriptEventConsumer Creation |
Detects WMIC executions in which an event consumer gets created in order to establish persistence More details
Rule IDprocess_creation_commandline_71 Query{'selection': {'CommandLine|contains|all': ['ActiveScriptEventConsumer', ' CREATE ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ebef4391-1a81-4761-a40a-1db446c0e625 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1546.003 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
TAIDOOR RAT DLL Load |
Detects specific process characteristics of Chinese TAIDOOR RAT malware load More details
Rule IDprocess_creation_commandline_72 Query{'selection1': {'CommandLine|contains': ['dll,MyStart', 'dll MyStart']}, 'selection2a': {'CommandLine|endswith': ' MyStart'}, 'selection2b': {'CommandLine|contains': 'rundll32.exe'}, 'condition': 'selection1 or ( selection2a and selection2b )'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,d1aa3382-abab-446f-96ea-4de52908210b Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1055.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Empire PowerShell UAC Bypass |
Detects some Empire PowerShell UAC bypass methods More details
Rule IDprocess_creation_commandline_73 Query{'selection': {'CommandLine|contains': [' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)', ' -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,3268b746-88d8-4cd3-bffc-30077d02c787 Author: Ecco Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1548.002 ReferencesSeverity95 Suppression Logic Based On
Additional Information
|
||||||||
Emotet Process Creation |
Detects all Emotet like process executions that are not covered by the more generic rules More details
Rule IDprocess_creation_commandline_74 Query{'selection': {'CommandLine|contains': [' -e* PAA', 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ', 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA', 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA', 'IgAoACcAKgAnACkAOwAkA', 'IAKAAnACoAJwApADsAJA', 'iACgAJwAqACcAKQA7ACQA', 'JABGAGwAeAByAGgAYwBmAGQ', 'PQAkAGUAbgB2ADoAdABlAG0AcAArACgA', '0AJABlAG4AdgA6AHQAZQBtAHAAKwAoA', '9ACQAZQBuAHYAOgB0AGUAbQBwACsAKA']}, 'filter': {'CommandLine|contains': ['fAAgAEMAbwBuAHYAZQByAHQAVABvAC0ASgBzAG8AbgAgAC0ARQByAHIAbwByAEEAYwB0AGkAbwBuACAAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQ', 'wAIABDAG8AbgB2AGUAcgB0AFQAbwAtAEoAcwBvAG4AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUA', '8ACAAQwBvAG4AdgBlAHIAdABUAG8ALQBKAHMAbwBuACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlA']}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,d02e8cf5-6099-48cf-9bfc-1eec2d0c7b18 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Esentutl Gather Credentials |
Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utility to get MSEdge info via its module pwgrab. More details
Rule IDprocess_creation_commandline_75 Query{'selection': {'CommandLine|contains|all': ['esentutl', ' /p']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7df1713a-1a5b-4a4b-a071-dc83b144a101 Author: sam0x90 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0006, T1003.003 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
EvilNum Golden Chickens Deployment via OCX Files |
Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020 More details
Rule IDprocess_creation_commandline_76 Query{'selection': {'CommandLine|contains|all': ['regsvr32', '/s', '/i', '\\AppData\\Roaming\\', '.ocx']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,8acf3cfa-1e8c-4099-83de-a0c4038e18f0 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218.011 ReferencesSeverity95 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Dosfuscation Character in Commandline |
Detects possible payload obfuscation via the commandline More details
Rule IDprocess_creation_commandline_77 Query{'selection': {'CommandLine|contains': ['^^', ',;,', '%COMSPEC:~', ' s^et ', ' s^e^t ', ' se^t ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,a77c1610-fc73-4019-8e29-0f51efc04a51 Author: frack113, Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
WhoAmI as Parameter |
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato) More details
Rule IDprocess_creation_commandline_78 Query{'selection': {'CommandLine|contains': '.exe whoami'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e9142d84-fbe0-401d-ac50-3e519fb00c89 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0007, T1033 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Powershell Inline Execution From A File |
Detects inline execution of PowerShell code from a file More details
Rule IDprocess_creation_commandline_79 Query{'selection_exec': {'CommandLine|contains': ['iex ', 'Invoke-Expression ', 'Invoke-Command ', 'icm ']}, 'selection_read': {'CommandLine|contains': ['cat ', 'get-content ', 'type ']}, 'selection_raw': {'CommandLine|contains': ' -raw'}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ee218c12-627a-4d27-9e30-d6fb2fe22ed2 Author: frack113 Tactics, Techniques, and ProceduresReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Base64 Encoded PowerShell Command Detected |
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string More details
Rule IDprocess_creation_commandline_80 Query{'selection': {'CommandLine|contains': '::FromBase64String('}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e32d4572-9826-4738-b651-95fa63747e8a Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059, TA0005, T1027, T1140 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
CL_Mutexverifiers.ps1 Proxy Execution |
Detects the use of a Microsoft signed script to execute commands More details
Rule IDprocess_creation_commandline_81 Query{'selection': {'CommandLine|contains|all': ['\\CL_Mutexverifiers.ps1', 'runAfterCancelProcess ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1e0e1a81-e79b-44bc-935b-ddb9c8006b3d Author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1216 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious X509Enrollment - Process Creation |
Detect use of X509Enrollment More details
Rule IDprocess_creation_commandline_82 Query{'selection': {'CommandLine|contains': ['X509Enrollment.CBinaryConverter', '884e2002-217d-11da-b2a4-000e7bbb2b09']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,114de787-4eb2-48cc-abdb-c0b449f93ea4 Author: frack113 Tactics, Techniques, and ProceduresReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Regsvr32 HTTP IP Pattern |
Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and an IP address and not FQDN More details
Rule IDprocess_creation_commandline_83 Query{'selection_flags': {'CommandLine|contains|all': [' /s', ' /u']}, 'selection_ip': {'CommandLine|contains': [' /i:http://1', ' /i:http://2', ' /i:http://3', ' /i:http://4', ' /i:http://5', ' /i:http://6', ' /i:http://7', ' /i:http://8', ' /i:http://9', ' /i:https://1', ' /i:https://2', ' /i:https://3', ' /i:https://4', ' /i:https://5', ' /i:https://6', ' /i:https://7', ' /i:https://8', ' /i:https://9']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,2dd2c217-bf68-437a-b57c-fe9fd01d5de8 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218.010 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Rundll32 Without Parameters |
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module More details
Rule IDprocess_creation_commandline_84 Query{'selection': {'CommandLine': 'rundll32.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,5bb68627-3198-40ca-b458-49f973db8752 Author: Bartlomiej Czyz, Relativity Tactics, Techniques, and ProceduresTA0002, T1569.002, T1059.003, TA0008, T1021.002, T1570 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Ntdll Pipe Redirection |
Detects commands that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection More details
Rule IDprocess_creation_commandline_85 Query{'selection': {'CommandLine|contains': ['type %windir%\\system32\\ntdll.dll', 'type %systemroot%\\system32\\ntdll.dll', 'type c:\\windows\\system32\\ntdll.dll', '\\ntdll.dll > \\\\.\\pipe\\']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,bbc865e4-7fcd-45a6-8ff1-95ced28ec5b2 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferences
N/A
Severity74 Suppression Logic Based On
Additional Information
|
||||||||
Raccine Uninstall |
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. More details
Rule IDprocess_creation_commandline_86 Query{'selection1': {'CommandLine|contains|all': ['taskkill ', 'RaccineSettings.exe']}, 'selection2': {'CommandLine|contains|all': ['reg.exe', 'delete', 'Raccine Tray']}, 'selection3': {'CommandLine|contains|all': ['schtasks', '/DELETE', 'Raccine Rules Updater']}, 'condition': '1 of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1562.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
REGISTER_APP.VBS Proxy Execution |
Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application. More details
Rule IDprocess_creation_commandline_88 Query{'selection': {'CommandLine|contains|all': ['\\register_app.vbs', '-register']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1c8774a0-44d4-4db0-91f8-e792359c70bd Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
PowerShell Get-Process LSASS |
Detects a "Get-Process" cmdlet and its aliases on lsass process, which is in almost all cases a sign of malicious activity More details
Rule IDprocess_creation_commandline_89 Query{'selection': {'CommandLine|contains': ['Get-Process lsas', 'ps lsas', 'gps lsas']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b2815d0d-7481-4bf0-9b6c-a4c48a94b349 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0006, T1552.004 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Raspberry Robin Dot Ending File |
Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin More details
Rule IDprocess_creation_commandline_90 Query{'selection': {'CommandLine|re': '\\\\([a-zA-Z0-9]{1,32})\\.([a-zA-Z0-9]{1,6})\\.(\\s*(["\'])|(\\s+[^a-zA-Z0-9\\s.]))'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
LockerGoga Ransomware |
Detects LockerGoga Ransomware command line. More details
Rule IDprocess_creation_commandline_91 Query{'selection': {'CommandLine|contains': '-i SM-tgytutrc -s'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,74db3488-fd28-480a-95aa-b7af626de068 Author: Vasiliy Burov, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0040, T1486 ReferencesSeverity95 Suppression Logic Based On
Additional Information
|
||||||||
Write Protect For Storage Disabled |
Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group. More details
Rule IDprocess_creation_commandline_92 Query{'selection': {'CommandLine|contains|all': ['reg add', '\\system\\currentcontrolset\\control', 'write protection', '0'], 'CommandLine|contains': ['storage', 'storagedevicepolicies']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13 Author: Sreeman Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1562 References
N/A
Severity49 Suppression Logic Based On
Additional Information
|
||||||||
Audio Capture via PowerShell |
Detects audio capture via PowerShell Cmdlet. More details
Rule IDprocess_creation_commandline_93 Query{'selection': {'CommandLine|contains': 'WindowsAudioDevice-Powershell-Cmdlet'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,932fb0d8-692b-4b0f-a26e-5643a50fe7d6 Author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0009, T1123 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Potential Suspicious Windows Feature Enabled - ProcCreation |
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images More details
Rule IDprocess_creation_commandline_94 Query{'selection_cmd': {'CommandLine|contains|all': ['Enable-WindowsOptionalFeature', '-Online', '-FeatureName']}, 'selection_feature': {'CommandLine|contains': ['TelnetServer', 'Internet-Explorer-Optional-amd64', 'TFTP', 'SMB1Protocol', 'Client-ProjFS', 'Microsoft-Windows-Subsystem-Linux']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c740d4cf-a1e9-41de-bb16-8a46a4f57918 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Reg Disable Security Service |
Detects a suspicious reg.exe invocation that looks as if it would disable an important security service More details
Rule IDprocess_creation_commandline_96 Query{'selection_reg_add': {'CommandLine|contains|all': ['reg', 'add']}, 'selection_cli_reg_start': {'CommandLine|contains|all': [' /d 4', ' /v Start'], 'CommandLine|contains': ['\\Sense', '\\WinDefend', '\\MsMpSvc', '\\NisSrv', '\\WdBoot', '\\WdNisDrv', '\\WdNisSvc', '\\wscsvc', '\\SecurityHealthService', '\\wuauserv', '\\UsoSvc', '\\WdFilter', '\\AppIDSvc']}, 'selection_cli_reg_disable_defender': {'CommandLine|contains|all': [' /d 1', 'Windows Defender'], 'CommandLine|contains': ['DisableIOAVProtection', 'DisableOnAccessProtection', 'DisableRoutinelyTakingAction', 'DisableScanOnRealtimeEnable', 'DisableBlockAtFirstSeen', 'DisableBehaviorMonitoring', 'DisableEnhancedNotifications', 'DisableAntiSpyware', 'DisableAntiSpywareRealtimeProtection', 'DisableConfig', 'DisablePrivacyMode', 'SignatureDisableUpdateOnStartupWithoutEngine', 'DisableArchiveScanning', 'DisableIntrusionPreventionSystem', 'DisableScriptScanning']}, 'condition': 'selection_reg_add and 1 of selection_cli_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,5e95028c-5229-4214-afae-d653d573d0ec Author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1562.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Serv-U Exploitation CVE-2021-35211 by DEV-0322 |
Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322 More details
Rule IDprocess_creation_commandline_97 Query{'selection_whoami': {'CommandLine|contains': 'whoami'}, 'selection_cmd_1': {'CommandLine|contains': ['./Client/Common/', '.\\Client\\Common\\']}, 'selection_cmd_2': {'CommandLine|contains': 'C:\\Windows\\Temp\\Serv-U.bat'}, 'condition': 'selection_whoami and 1 of selection_cmd*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,75578840-9526-4b2a-9462-af469a45e767 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1136.001 ReferencesSeverity95 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Debugger Registration Cmdline |
Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor). More details
Rule IDprocess_creation_commandline_98 Query{'selection1': {'CommandLine|contains': '\\CurrentVersion\\Image File Execution Options\\'}, 'selection2': {'CommandLine|contains': ['sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe', 'narrator.exe', 'displayswitch.exe', 'atbroker.exe', 'HelpPane.exe']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ae215552-081e-44c7-805f-be16f975c8a2 Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1546.008 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
CrackMapExec Command Execution |
Detects various execution methods of the CrackMapExec pentesting framework More details
Rule IDprocess_creation_commandline_99 Query{'selection': {'CommandLine|endswith': ['cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1', 'cmd.exe /C * > \\\\*\\*\\* 2>&1', 'cmd.exe /C * > *\\Temp\\* 2>&1'], 'CommandLine|contains': ['powershell.exe -exec bypass -noni -nop -w 1 -C "', 'powershell.exe -noni -nop -w 1 -enc ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,058f4380-962d-40a5-afce-50207d36d7e2 Author: Thomas Patzke Tactics, Techniques, and ProceduresTA0002, T1047, T1059, TA0003, T1053 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
DevInit Lolbin Download |
Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system More details
Rule IDprocess_creation_commandline_100 Query{'selection': {'CommandLine|contains|all': [' -t msi-install ', ' -i http']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,90d50722-0483-4065-8e35-57efaadd354d Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Sticky-Key Backdoor Copy Cmd.exe |
By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system. When the sticky keys are "activated", the privileged shell is launched. More details
Rule IDprocess_creation_commandline_101 Query{'selection': {'CommandLine': 'copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1070db9a-3e5d-412e-8e7b-7183b616e1b3 Author: Sreeman Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1546.008 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Use of Procdump on LSASS |
Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. More details
Rule IDprocess_creation_commandline_102 Query{'selection1': {'CommandLine|contains': [' -ma ', ' /ma ']}, 'selection2': {'CommandLine|contains': ' ls'}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,5afee48e-67dd-4e03-a783-f74259dcf998 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1036, TA0006, T1003.001 References
N/A
Severity74 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Rundll32 Activity Invoking Sys File |
Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452 More details
Rule IDprocess_creation_commandline_103 Query{'selection1': {'CommandLine|contains': 'rundll32.exe'}, 'selection2': {'CommandLine|contains': ['.sys,', '.sys ']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,731231b9-0b5d-4219-94dd-abb6959aa7ea Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218.011 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
ETW Logging Tamper In .NET Processes |
Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. More details
Rule IDprocess_creation_commandline_104 Query{'selection': {'CommandLine|contains': ['COMPlus_ETWEnabled', 'COMPlus_ETWFlags']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,41421f44-58f9-455d-838a-c398859841d4 Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1562 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious WMIC Execution - ProcessCallCreate |
Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc. More details
Rule IDprocess_creation_commandline_105 Query{'selection': {'CommandLine|contains|all': ['process ', 'call ', 'create '], 'CommandLine|contains': ['rundll32', 'bitsadmin', 'regsvr32', 'cmd.exe /c ', 'cmd.exe /k ', 'cmd.exe /r ', 'cmd /c ', 'cmd /k ', 'cmd /r ', 'powershell', 'pwsh', 'certutil', 'cscript', 'wscript', 'mshta', '\\Users\\Public\\', '\\Windows\\Temp\\', '\\AppData\\Local\\', '%temp%', '%tmp%', '%ProgramData%', '%appdata%', '%comspec%', '%localappdata%']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,3c89a1e8-0fba-449e-8f1b-8409d6267ec8 Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32 |
Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local More details
Rule IDprocess_creation_commandline_106 Query{'selection': {'CommandLine|contains|all': ['regsvr32', '\\AppData\\Local\\', '.dll', ',DllEntry']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,bd70d3f8-e60e-4d25-89f0-0b5a9cff20e0 Author: Florian Roth (Nextron Systems), Tim Shelton, Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218.010 ReferencesSeverity50 Suppression Logic Based On
Additional Information
|
||||||||
Mshtml DLL RunHTMLApplication Abuse |
Detects suspicious command lines using the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...) More details
Rule IDprocess_creation_commandline_107 Query{'selection': {'CommandLine|contains|all': ['\\..\\', 'mshtml', 'RunHTMLApplication']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,4782eb5a-a513-4523-a0ac-f3082b26ac5c Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Persistence Via TypedPaths - CommandLine |
Detects modification or addition to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt More details
Rule IDprocess_creation_commandline_109 Query{'selection': {'CommandLine|contains': '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ec88289a-7e1a-4cc3-8d18-bd1f60e4b9ba Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
UtilityFunctions.ps1 Proxy Dll |
Detects the use of a Microsoft signed script executing a managed DLL with PowerShell. More details
Rule IDprocess_creation_commandline_110 Query{'selection': {'CommandLine|contains': ['UtilityFunctions.ps1', 'RegSnapin ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,0403d67d-6227-4ea8-8145-4e72db7da120 Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1216 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Unidentified Attacker November 2018 |
A Sigma rule detecting an unidentified attacker who used phishing emails to target high-profile orgs in November 2018. The actor shares some TTPs with the YTTRIUM/APT29 campaign in 2016. More details
Rule IDprocess_creation_commandline_111 Query{'selection': {'CommandLine|contains': 'cyzfc.dat,', 'CommandLine|endswith': 'PointFunctionCall'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7453575c-a747-40b9-839b-125a0aae324b Author: Florian Roth (Nextron Systems), @41thexplorer Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218.011 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Powershell AMSI Bypass via .NET Reflection |
Detects requests to "amsiInitFailed" that can be used to disable AMSI scanning More details
Rule IDprocess_creation_commandline_112 Query{'selection': {'CommandLine|contains': ['System.Management.Automation.AmsiUtils', 'amsiInitFailed']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,30edb182-aa75-42c0-b0a9-e998bb29067c Author: Markus Neis, @Kostastsale Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1562.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
PowerShell SAM Copy |
Detects suspicious PowerShell scripts accessing SAM hives More details
Rule IDprocess_creation_commandline_113 Query{'selection_1': {'CommandLine|contains|all': ['\\HarddiskVolumeShadowCopy', 'System32\\config\\sam']}, 'selection_2': {'CommandLine|contains': ['Copy-Item', 'cp $_.', 'cpi $_.', 'copy $_.', '.File]::Copy(']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1af57a4b-460a-4738-9034-db68b880c665 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0006, T1003.002 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
UAC Bypass Using Event Viewer RecentViews |
Detects the pattern of UAC Bypass using Event Viewer RecentViews More details
Rule IDprocess_creation_commandline_114 Query{'selection_path': {'CommandLine|contains': ['\\Event Viewer\\RecentViews', '\\EventV~1\\RecentViews']}, 'selection_redirect': {'CommandLine|contains': '>'}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,30fc8de7-d833-40c4-96b6-28319fbc4f6c Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Office Token Search Via CLI |
Detects a possible search for Office tokens via the CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by Office and similar apps. More details
Rule IDprocess_creation_commandline_115 Query{'selection': {'CommandLine|contains': ['eyJ0eXAiOi', ' eyJ0eX', ' "eyJ0eX"', " 'eyJ0eX'"]}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,6d3a3952-6530-44a3-8554-cf17c116c615 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0006, T1528 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Change Default File Association To Executable |
Detects when a program changes the default file association of any extension to an executable More details
Rule IDprocess_creation_commandline_116 Query{'selection': {'CommandLine|contains|all': ['cmd', 'assoc ', 'exefile'], 'CommandLine|contains': [' /c ', ' /r ', ' /k ']}, 'filter': {'CommandLine|contains': '.exe=exefile'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ae6f14e6-14de-45b0-9f44-c0986f50dc89 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1546.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Conti Backup Database |
Detects a command used by Conti to dump a database More details
Rule IDprocess_creation_commandline_118 Query{'selection_tools': {'CommandLine|contains': ['sqlcmd ', 'sqlcmd.exe']}, 'selection_svr': {'CommandLine|contains': ' -S localhost '}, 'selection_query': {'CommandLine|contains': ['sys.sysprocesses', 'master.dbo.sysdatabases', 'BACKUP DATABASE']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,2f47f1fd-0901-466e-a770-3b7092834a1b Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0009, T1005 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Winnti Pipemon Characteristics |
Detects specific process characteristics of Winnti Pipemon malware reported by ESET More details
Rule IDprocess_creation_commandline_119 Query{'selection1': {'CommandLine|contains': 'setup0.exe -p'}, 'selection2a': {'CommandLine|contains': 'setup.exe'}, 'selection2b': {'CommandLine|endswith': ['-x:0', '-x:1', '-x:2']}, 'condition': 'selection1 or all of selection2*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,73d70463-75c9-4258-92c6-17500fe972f2 Author: Florian Roth (Nextron Systems), oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1574.002 ReferencesSeverity95 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious ZipExec Execution |
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. More details
Rule IDprocess_creation_commandline_120 Query{'run': {'CommandLine|contains|all': ['/generic:Microsoft_Windows_Shell_ZipFolder:filename=', '.zip', '/pass:', '/user:']}, 'delete': {'CommandLine|contains|all': ['/delete', 'Microsoft_Windows_Shell_ZipFolder:filename=', '.zip']}, 'condition': 'run or delete'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,90dcf730-1b71-4ae7-9ffc-6fcf62bd0132 Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218, T1202 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
NirCmd Tool Execution As LOCAL SYSTEM |
Detects the use of NirCmd tool for command execution as SYSTEM user More details
Rule IDprocess_creation_commandline_121 Query{'selection': {'CommandLine|contains': ' runassystem '}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,d9047477-0359-48c9-b8c7-792cedcdc9c4 Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation Via Use Clip |
Detects obfuscated PowerShell using Clip.exe in scripts More details
Rule IDprocess_creation_commandline_122 Query{'selection': {'CommandLine|contains|all': ['echo', 'clip', '&&'], 'CommandLine|contains': ['clipboard', 'invoke', 'i`', 'n`', 'v`', 'o`', 'k`', 'e`']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e1561947-b4e3-4a74-9bdd-83baed21bdb5 Author: Nikita Nazarov, oscd.community Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
PowerShell Base64 Encoded Shellcode |
Detects Base64 encoded Shellcode More details
Rule IDprocess_creation_commandline_123 Query{'selection': {'CommandLine|contains': ['OiCAAAAYInlM', 'OiJAAAAYInlM']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,2d117e49-e626-4c7c-bd1f-c3c0147774c8 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1027 ReferencesSeverity95 Suppression Logic Based On
Additional Information
|
||||||||
Ryuk Ransomware |
Detects Ryuk ransomware activity More details
Rule IDprocess_creation_commandline_124 Query{'selection': {'CommandLine|contains|all': ['Microsoft\\Windows\\CurrentVersion\\Run', 'C:\\users\\Public\\']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c37510b8-2107-4b78-aa32-72f251e7a844 Author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1547.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Arbitrary Shell Command Execution Via Settingcontent-Ms |
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries. More details
Rule IDprocess_creation_commandline_125 Query{'selection': {'CommandLine|contains': '.SettingContent-ms'}, 'filter': {'CommandLine|contains': 'immersivecontrolpanel'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,24de4f3b-804c-4165-b442-5a06a2302c7e Author: Sreeman Tactics, Techniques, and ProceduresTA0001, T1566.001, TA0002, T1204, T1059.003 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Base64 Encoded Reflective Assembly Load |
Detects base64 encoded .NET reflective loading of Assembly More details
Rule IDprocess_creation_commandline_127 Query{'selection': {'CommandLine|contains': ['WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA', 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA', 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA', 'AFsAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiAC', 'BbAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgAp', 'AWwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAK', 'WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6ACgAIgBMAG8AYQBkACIAKQ', 'sAUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgAoACIATABvAGEAZAAiACkA', 'bAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoAKAAiAEwAbwBhAGQAIgApA', 'WwByAGUAZgBsAGUAYwB0AGkAbwBuAC4AYQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKA', 'sAcgBlAGYAbABlAGMAdABpAG8AbgAuAGEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgA', 'bAHIAZQBmAGwAZQBjAHQAaQBvAG4ALgBhAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoA']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,62b7ccc9-23b4-471e-aa15-6da3663c4d59 Author: Christian Burkard (Nextron Systems), pH-T (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious NT Resource Kit Auditpol Usage |
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. More details
Rule IDprocess_creation_commandline_128 Query{'selection': {'CommandLine|contains': ['/logon:none', '/system:none', '/sam:none', '/privilege:none', '/object:none', '/process:none', '/policy:none']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c6c56ada-612b-42d1-9a29-adad3c5c2c1e Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1562.002 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Weak or Abused Passwords In CLI |
Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline More details
Rule IDprocess_creation_commandline_129 Query{'selection': {'CommandLine|contains': ['Asd123.aaaa', 'password123', '123456789', 'P@ssw0rd!']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,91edcfb1-2529-4ac2-9ecc-7617f895c7e4 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Encoded Obfuscated LOAD String |
Detects suspicious base64 encoded and obfuscated LOAD string often used for reflection.assembly load More details
Rule IDprocess_creation_commandline_130 Query{'selection': {'CommandLine|contains': ['OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ', 'oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA', '6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA', 'OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ', 'oAOgAoACIATABvACIAKwAiAGEAZAAiACkA', '6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA', 'OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ', 'oAOgAoACIATABvAGEAIgArACIAZAAiACkA', '6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA', 'OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ', 'oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA', '6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA', 'OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ', 'oAOgAoACcATABvACcAKwAnAGEAZAAnACkA', '6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA', 'OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ', 'oAOgAoACcATABvAGEAJwArACcAZAAnACkA', '6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,9c0295ce-d60d-40bd-bd74-84673b7592b1 Author: pH-T (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
RunXCmd Tool Execution As System |
Detects the use of RunXCmd tool for command execution More details
Rule IDprocess_creation_commandline_131 Query{'selection': {'CommandLine|contains|all': [' /account=system ', '/exec=']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,93199800-b52a-4dec-b762-75212c196542 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Base64 Encoded Listing of Shadowcopy |
Detects base64 encoded listing of Win32_Shadowcopy More details
Rule IDprocess_creation_commandline_132 Query{'selection': {'CommandLine|contains': ['VwBpAG4AMwAyAF8AUwBoAGEAZABvAHcAYwBvAHAAeQAgAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQA', 'cAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0A', 'XAGkAbgAzADIAXwBTAGgAYQBkAG8AdwBjAG8AcAB5ACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdA']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,47688f1b-9f51-4656-b013-3cc49a166a36 Author: Christian Burkard (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
MERCURY Command Line Patterns |
Detects suspicious command line patterns as seen being used by MERCURY threat actor More details
Rule IDprocess_creation_commandline_133 Query{'selection_base': {'CommandLine|contains|all': ['-exec bypass -w 1 -enc', 'UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAaw']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,a62298a3-1fe0-422f-9a68-ffbcbc5a123d Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
DTRACK Process Creation |
Detects specific process parameters as seen in DTRACK infections More details
Rule IDprocess_creation_commandline_134 Query{'selection': {'CommandLine|contains': ' echo EEEE > '}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f1531fa4-5b84-4342-8f68-9cf3fdbd83d4 Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0040, T1490 ReferencesSeverity95 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Netsh Discovery Command |
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems More details
Rule IDprocess_creation_commandline_135 Query{'selection': {'CommandLine|contains|all': ['netsh ', 'show ', 'firewall '], 'CommandLine|contains': ['config ', 'state ', 'rule ', 'name=all']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,0e4164da-94bc-450d-a7be-a4b176179f1f Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0007, T1016 ReferencesSeverity24 Suppression Logic Based On
Additional Information
|
||||||||
F-Secure C3 Load by Rundll32 |
F-Secure C3 produces DLLs with a default exported StartNodeRelay function. More details
Rule IDprocess_creation_commandline_136 Query{'selection': {'CommandLine|contains|all': ['rundll32.exe', '.dll', 'StartNodeRelay']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b18c9d4c-fac9-4708-bd06-dd5bfacf200f Author: Alfie Champion (ajpc500) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218.011 ReferencesSeverity95 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious RunAs-Like Flag Combination |
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools More details
Rule IDprocess_creation_commandline_137 Query{'selection_user': {'CommandLine|contains': [' -u system ', ' --user system ', ' -u NT', ' -u "NT', " -u 'NT", ' --system ', ' -u administrator ']}, 'selection_command': {'CommandLine|contains': [' -c cmd', ' -c "cmd', ' -c powershell', ' -c "powershell', ' --command cmd', ' --command powershell', ' -c whoami', ' -c wscript', ' -c cscript']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,50d66fb0-03f8-4da0-8add-84e77d12a020 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Stop Or Remove Antivirus Service |
Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services. Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service More details
Rule IDprocess_creation_commandline_138 Query{'selection_action': {'CommandLine|contains': ['Stop-Service ', 'Remove-Service ']}, 'selection_product': {'CommandLine|contains': [' McAfeeDLPAgentService', ' Trend Micro Deep Security Manager', ' TMBMServer', 'Sophos', 'Symantec']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,6783aa9e-0dc3-49d4-a94a-8b39c5fd700b Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1562.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Adwind RAT / JRAT |
Detects javaw.exe in AppData folder as used by Adwind / JRAT More details
Rule IDprocess_creation_commandline_139 Query{'selection': [{'CommandLine|contains|all': ['\\AppData\\Roaming\\Oracle', '\\java', '.exe ']}, {'CommandLine|contains|all': ['cscript.exe', 'Retrive', '.vbs ']}], 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1fac1481-2dbc-48b2-9096-753c49b4ec71 Author: Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious AdvancedRun Runas Priv User |
Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts More details
Rule IDprocess_creation_commandline_140 Query{'selection': {'CommandLine|contains': ['/EXEFilename', '/CommandLine']}, 'selection_runas': [{'CommandLine|contains': [' /RunAs 8 ', ' /RunAs 4 ', ' /RunAs 10 ', ' /RunAs 11 ']}, {'CommandLine|endswith': ['/RunAs 8', '/RunAs 4', '/RunAs 10', '/RunAs 11']}], 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,fa00b701-44c6-4679-994d-5a18afa8a707 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
ShimCache Flush |
Detects actions that clear the local ShimCache and remove forensic evidence More details
Rule IDprocess_creation_commandline_141 Query{'selection1a': {'CommandLine|contains|all': ['rundll32', 'apphelp.dll']}, 'selection1b': {'CommandLine|contains': ['ShimFlushCache', '#250']}, 'selection2a': {'CommandLine|contains|all': ['rundll32', 'kernel32.dll']}, 'selection2b': {'CommandLine|contains': ['BaseFlushAppcompatCache', '#46']}, 'condition': '( selection1a and selection1b ) or ( selection2a and selection2b )'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b0524451-19af-4efa-a46f-562a977f792e Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1112 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Sliver C2 Implant Activity Pattern |
Detects process activity patterns as seen being used by Sliver C2 framework implants More details
Rule IDprocess_creation_commandline_142 Query{'selection_cmdline': {'CommandLine|contains': '-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8'}, 'condition': '1 of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,42333b2c-b425-441c-b70e-99404a17170f Author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity95 Suppression Logic Based On
Additional Information
|
||||||||
Disabled IE Security Features |
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features More details
Rule IDprocess_creation_commandline_143 Query{'selection1': {'CommandLine|contains|all': [' -name IEHarden ', ' -value 0 ']}, 'selection2': {'CommandLine|contains|all': [' -name DEPOff ', ' -value 1 ']}, 'selection3': {'CommandLine|contains|all': [' -name DisableFirstRunCustomize ', ' -value 2 ']}, 'condition': '1 of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,fb50eb7a-5ab1-43ae-bcc9-091818cb8424 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1562.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation RUNDLL LAUNCHER |
Detects obfuscated PowerShell via RUNDLL LAUNCHER More details
Rule IDprocess_creation_commandline_144 Query{'selection': {'CommandLine|contains|all': ['rundll32.exe', 'shell32.dll', 'shellexec_rundll', 'powershell']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,056a7ee1-4853-4e67-86a0-3fd9ceed7555 Author: Timur Zinniatullin, oscd.community Tactics, Techniques, and ProceduresReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Tasks Folder Evasion |
The Tasks folders in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this to load or influence any script host or any .NET application in Tasks so that a custom assembly is loaded and executed in cscript, wscript, regsvr32, mshta, eventvwr More details
Rule IDprocess_creation_commandline_145 Query{'selection1': {'CommandLine|contains': ['echo ', 'copy ', 'type ', 'file createnew']}, 'selection2': {'CommandLine|contains': [' C:\\Windows\\System32\\Tasks\\', ' C:\\Windows\\SysWow64\\Tasks\\']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,cc4e02ba-9c06-48e2-b09e-2500cace9ae0 Author: Sreeman Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1574.002 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Sofacy Trojan Loader Activity |
Detects Trojan loader activity as used by APT28 More details
Rule IDprocess_creation_commandline_146 Query{'selection1': {'CommandLine|contains|all': ['rundll32.exe', '%APPDATA%\\']}, 'selection2': [{'CommandLine|contains': '.dat",'}, {'CommandLine|endswith': ['.dll",#1', '.dll #1', '.dll" #1']}], 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,ba778144-5e3d-40cf-8af9-e28fb1df1e20 Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218.011 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Commandline Escape |
Detects suspicious processes that use escape characters More details
Rule IDprocess_creation_commandline_147 Query{'selection': {'CommandLine|contains': ['h^t^t^p', 'h"t"t"p']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f0cdd048-82dc-4f7a-8a7a-b87a52b6d0fd Author: juju4 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1140 ReferencesSeverity24 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Rundll32 Invoking Inline VBScript |
Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452 More details
Rule IDprocess_creation_commandline_148 Query{'selection': {'CommandLine|contains|all': ['rundll32.exe', 'Execute', 'RegRead', 'window.close']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1055 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Disabled Volume Snapshots |
Detects commands that temporarily turn off Volume Snapshots More details
Rule IDprocess_creation_commandline_149 Query{'selection': {'CommandLine|contains|all': ['reg', ' add ', '\\Services\\VSS\\Diag', '/d Disabled']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1562.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
PowerShell Get-Clipboard Cmdlet Via CLI |
Detects usage of the 'Get-Clipboard' cmdlet via CLI More details
Rule IDprocess_creation_commandline_150 Query{'selection': {'CommandLine|contains': 'Get-Clipboard'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b9aeac14-2ffd-4ad3-b967-1354a4e628c3 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0009, T1115 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Reg Add BitLocker |
Detects suspicious addition to BitLocker related registry keys via the reg.exe utility More details
Rule IDprocess_creation_commandline_151 Query{'selection': {'CommandLine|contains|all': ['REG', 'ADD', '\\SOFTWARE\\Policies\\Microsoft\\FVE', '/v', '/f'], 'CommandLine|contains': ['EnableBDEWithNoTPM', 'UseAdvancedStartup', 'UseTPM', 'UseTPMKey', 'UseTPMKeyPIN', 'RecoveryKeyMessageSource', 'UseTPMPIN', 'RecoveryKeyMessage']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,0e0255bf-2548-47b8-9582-c0955c9283f5 Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0040, T1486 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet |
Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet More details
Rule IDprocess_creation_commandline_152 Query{'selection_cmdlet': {'CommandLine|contains': 'Get-LocalGroupMember '}, 'selection_group': {'CommandLine|contains': ['domain admins', ' administrator', ' administrateur', 'enterprise admins', 'Exchange Trusted Subsystem', 'Remote Desktop Users', 'Utilisateurs du Bureau à distance', 'Usuarios de escritorio remoto']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c8a180d6-47a3-4345-a609-53f9c3d834fc Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0007, T1087.001 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Conti Ransomware Execution |
Conti ransomware command-line IOC More details
Rule IDprocess_creation_commandline_153 Query{'selection': {'CommandLine|contains|all': ['-m ', '-net ', '-size ', '-nomutex ', '-p \\\\', '$']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,689308fc-cfba-4f72-9897-796c1dc61487 Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0040, T1486 ReferencesSeverity95 Suppression Logic Based On
Additional Information
|
||||||||
Snatch Ransomware |
Detects specific process characteristics of Snatch ransomware word document droppers More details
Rule IDprocess_creation_commandline_154 Query{'selection': {'CommandLine|contains': ['shutdown /r /f /t 00', 'net stop SuperBackupMan']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,5325945e-f1f0-406e-97b8-65104d393fff Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Copy from Volume Shadow Copy |
Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives that are in use) More details
Rule IDprocess_creation_commandline_155 Query{'selection': {'CommandLine|contains': 'copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c73124a7-3e89-44a3-bdc1-25fe4df754b1 Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0040, T1490 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious VBScript UN2452 Pattern |
Detects suspicious inline VBScript keywords as used by UNC2452 More details
Rule IDprocess_creation_commandline_156 Query{'selection': {'CommandLine|contains|all': ['Execute', 'CreateObject', 'RegRead', 'window.close', '\\Microsoft\\Windows\\CurrentVersion']}, 'filter': {'CommandLine|contains': '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'}, 'condition': 'selection and not filter'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,20c3f09d-c53d-4e85-8b74-6aa50e2f1b61 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1547.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Sensitive Registry Access via Volume Shadow Copy |
Detects a command that accesses password storing registry hives via volume shadow backups More details
Rule IDprocess_creation_commandline_157 Query{'selection_1': {'CommandLine|contains': '\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'}, 'selection_2': {'CommandLine|contains': ['\\NTDS.dit', '\\SYSTEM', '\\SECURITY', 'C:\\tmp\\log']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f57f8d16-1f39-4dcb-a604-6c73d9b54b3d Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0040, T1490 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Abusable Invoke-ATHRemoteFXvGPUDisablementCommand |
RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). More details
Rule IDprocess_creation_commandline_158 Query{'selection_cmd': {'CommandLine|contains': 'Invoke-ATHRemoteFXvGPUDisablementCommand '}, 'selection_opt': {'CommandLine|contains': ['-ModuleName ', '-ModulePath ', '-ScriptBlock ', '-RemoteFXvGPUDisablementFilePath']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,a6fc3c46-23b8-4996-9ea2-573f4c4d88c5 Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Execute From Alternate Data Streams |
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection More details
Rule IDprocess_creation_commandline_159 Query{'selection_stream': {'CommandLine|contains': 'txt:'}, 'selection_tools_type': {'CommandLine|contains|all': ['type ', ' > ']}, 'selection_tools_makecab': {'CommandLine|contains|all': ['makecab ', '.cab']}, 'selection_tools_reg': {'CommandLine|contains|all': ['reg ', ' export ']}, 'selection_tools_regedit': {'CommandLine|contains|all': ['regedit ', ' /E ']}, 'selection_tools_esentutl': {'CommandLine|contains|all': ['esentutl ', ' /y ', ' /d ', ' /o ']}, 'condition': 'selection_stream and (1 of selection_tools_*)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7f43c430-5001-4f8b-aaa9-c3b88f18fa5c Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1564.004 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Potential Tampering With Security Products Via WMIC |
Detects uninstallation or termination of security products using the WMIC utility More details
Rule IDprocess_creation_commandline_160 Query{'selection_cli_1': {'CommandLine|contains|all': ['wmic', 'product where ', 'call uninstall', '/nointeractive']}, 'selection_cli_2': {'CommandLine|contains|all': ['wmic', 'caption like '], 'CommandLine|contains': ['call delete', 'call terminate']}, 'selection_cli_3': {'CommandLine|contains|all': ['process ', 'where ', 'delete']}, 'selection_product': {'CommandLine|contains': ['%carbon%', '%cylance%', '%endpoint%', '%eset%', '%malware%', '%Sophos%', '%symantec%', 'Antivirus', 'AVG ', 'Carbon Black', 'CarbonBlack', 'Cb Defense Sensor 64-bit', 'Crowdstrike Sensor', 'Cylance ', 'Dell Threat Defense', 'DLP Endpoint', 'Endpoint Detection', 'Endpoint Protection', 'Endpoint Security', 'Endpoint Sensor', 'ESET File Security', 'LogRhythm System Monitor Service', 'Malwarebytes', 'McAfee Agent', 'Microsoft Security Client', 'Sophos Anti-Virus', 'Sophos AutoUpdate', 'Sophos Credential Store', 'Sophos Management Console', 'Sophos Management Database', 'Sophos Management Server', 'Sophos Remote Management System', 'Sophos Update Manager', 'Threat Protection', 'VirusScan', 'Webroot SecureAnywhere', 'Windows Defender']}, 'condition': '1 of selection_cli_* and selection_product'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,847d5ff3-8a31-4737-a970-aeae8fe21765 Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1562.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Potential Download/Upload Activity Using Type Command |
Detects usage of the "type" command to download/upload data from WebDAV server More details
Rule IDprocess_creation_commandline_161 Query{'selection_upload': {'CommandLine|contains|all': ['type ', ' > \\\\']}, 'selection_download': {'CommandLine|contains|all': ['type \\\\', ' > ']}, 'condition': '1 of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0011, T1105 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation Via Stdin |
Detects obfuscated PowerShell via Stdin in scripts More details
Rule IDprocess_creation_commandline_162 Query{'selection': {'CommandLine|contains|all': ['set', '&&'], 'CommandLine|contains': ['environment', 'invoke', 'input']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,9c14c9fa-1a63-4a64-8e57-d19280559490 Author: Nikita Nazarov, oscd.community Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Wscript Shell Run In CommandLine |
Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity More details
Rule IDprocess_creation_commandline_163 Query{'selection': {'CommandLine|contains|all': ['Wscript.', '.Shell', '.Run']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,2c28c248-7f50-417a-9186-a85b223010ee Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Reg Add RUN Key |
Detects suspicious use of the reg.exe command-line tool to add a key to the RUN key in the registry More details
Rule IDprocess_creation_commandline_164 Query{'selection': {'CommandLine|contains|all': ['reg', ' ADD ', 'Software\\Microsoft\\Windows\\CurrentVersion\\Run']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,de587dce-915e-4218-aac4-835ca6af6f70 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1547.001 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Disable or Delete Windows Eventlog |
Detects commands used to disable or delete the Windows event log via the logman Windows utility More details
Rule IDprocess_creation_commandline_165 Query{'selection_tools': {'CommandLine|contains': 'logman '}, 'selection_action': {'CommandLine|contains': ['stop ', 'delete ']}, 'selection_service': {'CommandLine|contains': 'EventLog-System'}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,cd1f961e-0b96-436b-b7c6-38da4583ec00 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1562.001, T1070.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Java Running with Remote Debugging |
Detects a Java process running with remote debugging that allows more than just localhost to connect More details
Rule IDprocess_creation_commandline_166 Query{'selection_jdwp_transport': {'CommandLine|contains': 'transport=dt_socket,address='}, 'selection_old_jvm_version': {'CommandLine|contains': ['jre1.', 'jdk1.']}, 'exclusion': [{'CommandLine|contains': 'address=127.0.0.1'}, {'CommandLine|contains': 'address=localhost'}], 'condition': 'all of selection* and not exclusion'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,8f88e3f6-2a49-48f5-a5c4-2f7eedf78710 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Monitoring For Persistence Via BITS |
BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded More details
Rule IDprocess_creation_commandline_167 Query{'selection_1': {'CommandLine|contains|all': ['bitsadmin', '/SetNotifyCmdLine'], 'CommandLine|contains': ['%COMSPEC%', 'cmd.exe', 'regsvr32.exe']}, 'selection_2': {'CommandLine|contains|all': ['bitsadmin', '/Addfile'], 'CommandLine|contains': ['http:', 'https:', 'ftp:', 'ftps:']}, 'condition': '1 of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b9cbbc17-d00d-4e3d-a827-b06d03d2380d Author: Sreeman Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1197 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Obfuscated Command Line Using Special Unicode Characters |
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. More details
Rule IDprocess_creation_commandline_168 Query{'selection': {'CommandLine|contains': ['â', '€', '£', '¯', '®', 'µ', '¶']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e0552b19-5a83-4222-b141-b36184bb8d79 Author: frack113, Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1027 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Compress Data and Lock With Password for Exfiltration With 7-ZIP |
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities More details
Rule IDprocess_creation_commandline_169 Query{'selection_7z': {'CommandLine|contains': ['7z.exe', '7za.exe']}, 'selection_password': {'CommandLine|contains': ' -p'}, 'selection_action': {'CommandLine|contains': [' a ', ' u ']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,9fbf5927-5261-4284-a71d-f681029ea574 Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0009, T1560.001 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious DIR Execution |
Detects usage of the "dir" command, part of Windows batch/cmd, to collect information about directories More details
Rule IDprocess_creation_commandline_170 Query{'selection': {'CommandLine|contains|all': ['dir ', ' /s', ' /b']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,7c9340a9-e2ee-4e43-94c5-c54ebbea1006 Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0007, T1217 ReferencesSeverity24 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Diantz Download and Compress Into a CAB File |
Download and compress a remote file and store it in a CAB file on the local machine. More details
Rule IDprocess_creation_commandline_172 Query{'selection': {'CommandLine|contains|all': ['diantz.exe', ' \\\\', '.cab']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,185d7418-f250-42d0-b72e-0c8b70661e93 Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0011, T1105 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION |
Detects obfuscated PowerShell via VAR++ LAUNCHER More details
Rule IDprocess_creation_commandline_173 Query{'selection': {'CommandLine|contains|all': ['&&set', 'cmd', '/c', '-f'], 'CommandLine|contains': ['{0}', '{1}', '{2}', '{3}', '{4}', '{5}']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e9f55347-2928-4c06-88e5-1a7f8169942e Author: Timur Zinniatullin, oscd.community Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Ps.exe Renamed SysInternals Tool |
Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report More details
Rule IDprocess_creation_commandline_174 Query{'selection': {'CommandLine': 'ps.exe -accepteula'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,18da1007-3f26-470f-875d-f77faf1cab31 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1036.003 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
TropicTrooper Campaign November 2018 |
Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia More details
Rule IDprocess_creation_commandline_175 Query{'selection': {'CommandLine|contains': 'abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,8c7090c3-e0a0-4944-bd08-08c3a0cecf79 Author: @41thexplorer, Microsoft Defender ATP Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Shadow Copies Access via Symlink |
Shadow Copies storage symbolic link creation using operating system utilities More details
Rule IDprocess_creation_commandline_176 Query{'selection': {'CommandLine|contains|all': ['mklink', 'HarddiskVolumeShadowCopy']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,40b19fa6-d835-400c-b301-41f3a2baacaf Author: Teymur Kheirkhabarov, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0006, T1003 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Desktopimgdownldr Command |
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet More details
Rule IDprocess_creation_commandline_177 Query{'selection1': {'CommandLine|contains': ' /lockscreenurl:'}, 'selection1_filter': {'CommandLine|contains': ['.jpg', '.jpeg', '.png']}, 'selection_reg': {'CommandLine|contains|all': ['reg delete', '\\PersonalizationCSP']}, 'condition': '( selection1 and not selection1_filter ) or selection_reg'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,bb58aa4a-b80b-415a-a2c0-2f65a4c81009 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0011, T1105 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Rundll32 JS RunHTMLApplication Pattern |
Detects suspicious command line patterns used when rundll32 is used to run JavaScript code More details
Rule IDprocess_creation_commandline_178 Query{'selection1': {'CommandLine|contains|all': ['rundll32', 'javascript', '..\\..\\mshtml,RunHTMLApplication']}, 'selection2': {'CommandLine|contains': ';document.write();GetObject("script'}, 'condition': '1 of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,9f06447a-a33a-4cbe-a94f-a3f43184a7a3 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
ADCSPwn Hack Tool |
Detects command-line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying it to the certificate service More details
Rule IDprocess_creation_commandline_179 Query{'selection': {'CommandLine|contains|all': [' --adcs ', ' --port ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,cd8c163e-a19b-402e-bdd5-419ff5859f12 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0006, T1557.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Potential PowerShell Execution Policy Tampering - ProcCreation |
Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine More details
Rule IDprocess_creation_commandline_180 Query{'selection_path': {'CommandLine|contains': ['\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy', '\\Policies\\Microsoft\\Windows\\PowerShell\\ExecutionPolicy']}, 'selection_values': {'CommandLine|contains': ['Bypass', 'RemoteSigned', 'Unrestricted']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,cf2e938e-9a3e-4fe8-a347-411642b28a9f Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
CrackMapExec PowerShell Obfuscation |
The CrackMapExec pentesting framework implements PowerShell obfuscation that leaves some static strings, which this rule detects. More details
Rule IDprocess_creation_commandline_181 Query{'powershell_execution': {'CommandLine|contains': ['powershell.exe', 'pwsh.exe']}, 'snippets': {'CommandLine|contains': ['join*split', "( $ShellId[1]+$ShellId[13]+'x')", '( $PSHome[*]+$PSHOME[*]+', "( $env:Public[13]+$env:Public[5]+'x')", "( $env:ComSpec[4,*,25]-Join'')", "[1,3]+'x'-Join'')"]}, 'condition': 'powershell_execution and snippets'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,6f8b3439-a203-45dc-a88b-abf57ea15ccf Author: Thomas Patzke Tactics, Techniques, and ProceduresTA0002, T1059, TA0005, T1027.005 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Copy DMP Files From Share |
Detects usage of the copy command to copy files with the .dmp extensions from a remote share More details
Rule IDprocess_creation_commandline_182 Query{'selection': {'CommandLine|contains|all': ['.dmp', 'copy ', ' \\\\'], 'CommandLine|contains': [' /c ', ' /r ', ' /k ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,044ba588-dff4-4918-9808-3f95e8160606 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Deletion of Volume Shadow Copies via WMI with PowerShell |
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil More details
Rule IDprocess_creation_commandline_183 Query{'selection_get': {'CommandLine|contains': ['Get-WmiObject', 'gwmi', 'Get-CimInstance', 'gcim']}, 'selection_shadowcopy': {'CommandLine|contains': 'Win32_Shadowcopy'}, 'selection_delete': {'CommandLine|contains': ['.Delete()', 'Remove-WmiObject', 'rwmi', 'Remove-CimInstance', 'rcim']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,21ff4ca9-f13a-41ad-b828-0077b2af2e40 Author: Tim Rauch, Elastic (idea) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0040, T1490 ReferencesSeverity80 Suppression Logic Based On
Additional Information
|
||||||||
ScreenConnect Remote Access |
Detects ScreenConnect program starts that establish remote access to that system (not meeting, not remote support) More details
Rule IDprocess_creation_commandline_184 Query{'selection': {'CommandLine|contains|all': ['e=Access&', 'y=Guest&', '&p=', '&c=', '&k=']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,75bfe6e6-cd8e-429e-91d3-03921e1d7962 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1133 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Curl Start Combination |
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later. More details
Rule IDprocess_creation_commandline_185 Query{'selection': {'CommandLine|contains|all': [' /c ', 'curl ', 'http', '-o', '&']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,21dd6d38-2b18-4453-9404-a0fe4a0cc288 Author: Sreeman, Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1218, TA0011, T1105 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Usage of the Manage-bde.wsf Script |
Detects usage of the manage-bde.wsf script that may indicate an attempt at proxy execution from a script More details
Rule IDprocess_creation_commandline_186 Query{'selection': {'CommandLine|contains|all': ['cscript', 'manage-bde.wsf']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c363385c-f75d-4753-a108-c1a8e28bdbda Author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1216 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Potential COM Objects Download Cradles Usage - Process Creation |
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID More details
Rule IDprocess_creation_commandline_187 Query{'selection_1': {'CommandLine|contains': '[Type]::GetTypeFromCLSID('}, 'selection_2': {'CommandLine|contains': ['0002DF01-0000-0000-C000-000000000046', 'F6D90F16-9C73-11D3-B32E-00C04F990BB4', 'F5078F35-C551-11D3-89B9-0000F81FE221', '88d96a0a-f192-11d4-a65f-0040963251e5', 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1', 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3', '88d96a0b-f192-11d4-a65f-0040963251e5', '2087c2f4-2cef-4953-a8ab-66779b670495', '000209FF-0000-0000-C000-000000000046', '00024500-0000-0000-C000-000000000046']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf Author: frack113 Tactics, Techniques, and ProceduresReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Base64 MZ Header In CommandLine |
Detects encoded base64 MZ header in the commandline More details
Rule IDprocess_creation_commandline_188 Query{'selection': {'CommandLine|contains': ['TVqQAAMAAAAEAAAA', 'TVpQAAIAAAAEAA8A', 'TVqAAAEAAAAEABAA', 'TVoAAAAAAAAAAAAA', 'TVpTAQEAAAAEAAAA']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,22e58743-4ac8-4a9f-bf19-00a0428d8c5f Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Capture a Network Trace with netsh.exe |
Detects the capture of a network trace via the netsh.exe trace functionality More details
Rule IDprocess_creation_commandline_189 Query{'selection': {'CommandLine|contains|all': ['netsh', 'trace', 'start']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,d3c3861d-c504-4c77-ba55-224ba82d0118 Author: Kutepov Anton, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0007, T1040 References
N/A
Severity49 Suppression Logic Based On
Additional Information
|
||||||||
Baby Shark Activity |
Detects activity that could be related to Baby Shark malware More details
Rule IDprocess_creation_commandline_190 Query{'selection': {'CommandLine|contains': ['reg query "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default"', 'powershell.exe mshta.exe http', 'cmd.exe /c taskkill /im cmd.exe']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,2b30fa36-3a18-402f-a22d-bf4ce2189f35 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059, TA0005, T1218.005, TA0007, T1012 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious Ping/Del Command Combination |
Detects a method often used by ransomware, which combines "ping" to wait a couple of seconds and then "del" to delete the file in question. It is used, for example, to hide the file responsible for the initial infection. More details
Rule IDprocess_creation_commandline_191 Query{'selection_count': {'CommandLine|contains': [' -n ', ' /n ']}, 'selection_nul': {'CommandLine|contains': 'Nul'}, 'selection_del_param': {'CommandLine|contains': [' /f ', ' -f ', ' /q ', ' -q ']}, 'selection_all': {'CommandLine|contains|all': ['ping', 'del ']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,54786ddc-5b8a-11ed-9b6a-0242ac120002 Author: Ilya Krestinichev Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1070.004 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Change Default File Association |
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. More details
Rule IDprocess_creation_commandline_192 Query{'selection': {'CommandLine|contains|all': ['cmd', 'assoc'], 'CommandLine|contains': [' /c ', ' /k ', ' /r ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,3d3aa6cd-6272-44d6-8afc-7e88dfef7061 Author: Timur Zinniatullin, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0003, T1546.001 ReferencesSeverity24 Suppression Logic Based On
Additional Information
|
||||||||
PowerShell Web Download and Execution |
Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression More details
Rule IDprocess_creation_commandline_193 Query{'selection_download': {'CommandLine|contains': ['.DownloadString(', '.DownloadFile(', 'Invoke-WebRequest ', 'iwr ']}, 'selection_iex': {'CommandLine|contains': ['IEX(', 'IEX (', 'I`EX', 'IE`X', 'I`E`X', '| IEX', '|IEX ', 'Invoke-Expression', ';iex $']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,85b0b087-eddf-4a2b-b033-d771fa2b9775 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Empire PowerShell Launch Parameters |
Detects suspicious powershell command line parameters used in Empire More details
Rule IDprocess_creation_commandline_194 Query{'selection': {'CommandLine|contains': [' -NoP -sta -NonI -W Hidden -Enc ', ' -noP -sta -w 1 -enc ', ' -NoP -NonI -W Hidden -enc ', ' -noP -sta -w 1 -enc', ' -enc SQB', ' -nop -exec bypass -EncodedCommand ']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,79f4ede3-402e-41c8-bc3e-ebbf5f162581 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation STDIN+ Launcher |
Detects obfuscated use of stdin to execute PowerShell More details
Rule IDprocess_creation_commandline_195 Query{'selection_main': {'CommandLine|contains|all': ['cmd', 'powershell'], 'CommandLine|contains': ['/c', '/r']}, 'selection_other': [{'CommandLine|contains': 'noexit'}, {'CommandLine|contains|all': ['input', '$']}], 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,6c96fc76-0eb1-11eb-adc1-0242ac120002 Author: Jonathan Cheong, oscd.community Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Conti NTDS Exfiltration Command |
Detects a command used by Conti to exfiltrate NTDS More details
Rule IDprocess_creation_commandline_196 Query{'selection': {'CommandLine|contains|all': ['7za.exe', '\\C$\\temp\\log.zip']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,aa92fd02-09f2-48b0-8a93-864813fb8f41 Author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0009, T1560 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Covenant Launcher Indicators |
Detects suspicious command lines used in Covenant launchers More details
Rule IDprocess_creation_commandline_198 Query{'selection': {'CommandLine|contains|all': ['-Sta', '-Nop', '-Window', 'Hidden'], 'CommandLine|contains': ['-Command', '-EncodedCommand']}, 'selection2': {'CommandLine|contains': ['sv o (New-Object IO.MemorySteam);sv d ', 'mshta file.hta', 'GruntHTTP', '-EncodedCommand cwB2ACAAbwAgA']}, 'condition': 'selection or selection2'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,c260b6db-48ba-4b4a-a76f-2f67644e99d2 Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059, TA0005, T1564.003 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
UNC2452 PowerShell Pattern |
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports More details
Rule IDprocess_creation_commandline_199 Query{'selection1': {'CommandLine|contains|all': ['Invoke-WMIMethod win32_process -name create -argumentlist', 'rundll32 c:\\windows']}, 'selection2': {'CommandLine|contains|all': ['wmic /node:', 'process call create "rundll32 c:\\windows']}, 'condition': '1 of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b7155193-8a81-4d8f-805d-88de864ca50c Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity95 Suppression Logic Based On
Additional Information
|
||||||||
Launch-VsDevShell.PS1 Proxy Execution |
Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands. More details
Rule IDprocess_creation_commandline_200 Query{'selection_script': {'CommandLine|contains': 'Launch-VsDevShell.ps1'}, 'selection_flags': {'CommandLine|contains': ['VsWherePath ', 'VsInstallationPath ']}, 'condition': 'all of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,45d3a03d-f441-458c-8883-df101a3bb146 Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1216.001 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Detect Virtualbox Driver Installation OR Starting Of VMs |
Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM. More details
Rule IDprocess_creation_commandline_201 Query{'selection_1': {'CommandLine|contains': ['VBoxRT.dll,RTR3Init', 'VBoxC.dll', 'VBoxDrv.sys']}, 'selection_2': {'CommandLine|contains': ['startvm', 'controlvm']}, 'condition': '1 of selection_*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,bab049ca-7471-4828-9024-38279a4c04da Author: Janantha Marasinghe Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0005, T1564.006 ReferencesSeverity24 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious RDP Redirect Using TSCON |
Detects a suspicious RDP session redirect using tscon.exe More details
Rule IDprocess_creation_commandline_202 Query{'selection': {'CommandLine|contains': ' /dest:rdp-tcp:'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f72aa3e8-49f9-4c7d-bd74-f8ab84ff9bbb Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0008, T1563.002, T1021.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Rar Usage with Password and Compression Level |
Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions. More details
Rule IDprocess_creation_commandline_203 Query{'selection_password': {'CommandLine|contains': ' -hp'}, 'selection_other': {'CommandLine|contains': [' -m', ' a ']}, 'condition': 'selection_password and selection_other'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,faa48cae-6b25-4f00-a094-08947fef582f Author: @ROxPinTeddy Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0009, T1560.001 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Invoke-Obfuscation VAR+ Launcher |
Detects obfuscated use of environment variables to execute PowerShell More details
Rule IDprocess_creation_commandline_204 Query{'selection': {'CommandLine|contains|all': ['cmd', '"set', '-f'], 'CommandLine|contains': ['/c', '/r']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,27aec9c9-dbb0-4939-8422-1742242471d0 Author: Jonathan Cheong, oscd.community Tactics, Techniques, and ProceduresReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious SYSVOL Domain Group Policy Access |
Detects access to Domain Group Policies stored in SYSVOL More details
Rule IDprocess_creation_commandline_205 Query{'selection': {'CommandLine|contains|all': ['\\SYSVOL\\', '\\policies\\']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,05f3c945-dcc8-4393-9f3d-af65077a8f86 Author: Markus Neis, Jonhnathan Ribeiro, oscd.community Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0006, T1552.006 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
AnyDesk Piped Password Via CLI |
Detects piping the password to an anydesk instance via CMD and the '--set-password' flag. More details
Rule IDprocess_creation_commandline_206 Query{'selection': {'CommandLine|contains|all': ['/c ', 'echo ', '.exe --set-password']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,b1377339-fda6-477a-b455-ac0923f9ec2c Author: Nasreddine Bencherchali (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0011, T1219 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious PowerShell Mailbox Export to Share |
Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitation More details
Rule IDprocess_creation_commandline_207 Query{'selection': {'CommandLine|contains|all': ['New-MailboxExportRequest', ' -Mailbox ', ' -FilePath \\\\']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,889719ef-dd62-43df-86c3-768fb08dc7c0 Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresReferencesSeverity95 Suppression Logic Based On
Additional Information
|
||||||||
Compress Data and Lock With Password for Exfiltration With WINZIP |
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities More details
Rule IDprocess_creation_commandline_208 Query{'selection_winzip': {'CommandLine|contains': ['winzip.exe', 'winzip64.exe']}, 'selection_password': {'CommandLine|contains': '-s"'}, 'selection_other': {'CommandLine|contains': [' -min ', ' -a ']}, 'condition': 'all of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d Author: frack113 Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0009, T1560.001 ReferencesSeverity49 Suppression Logic Based On
Additional Information
|
||||||||
Network Reconnaissance Activity |
Detects a set of suspicious network related commands often used in recon stages More details
Rule IDprocess_creation_commandline_209 Query{'selection_nslookup': {'CommandLine|contains|all': ['nslookup', '_ldap._tcp.dc._msdcs.']}, 'condition': '1 of selection*'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,e6313acd-208c-44fc-a0ff-db85d572e90e Author: Florian Roth (Nextron Systems) Tactics, Techniques, and ProceduresTA0002, T1059.003, TA0007, T1087, T1082 ReferencesSeverity74 Suppression Logic Based On
Additional Information
|
||||||||
File overwritten by cipher tool |
The Windows tool cipher can be used to remove data from available unused disk space on the entire volume. Ransomware could use this technique to prevent the victim from using file recovery tools to recover their files. More details
Rule IDprocess_creation_commandline_301 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\cipher.exe'}, 'selection5': {'CommandLine|re': '\\/w\\:[A-Z]{1}'}, 'condition': 'selection2 and selection3 and selection5'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
PowerShell reverse shell one-liner |
A PowerShell process with arguments that may indicate a reverse shell execution has been detected. More details
Rule IDprocess_creation_commandline_302 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': 'powershell.exe'}, 'selection5': {'CommandLine|contains': 'Sockets.TCPClient'}, 'selection6': {'CommandLine|contains': 'GetStream()'}, 'selection7': {'CommandLine|contains': 'IEX'}, 'selection8': {'CommandLine|contains': 'DownloadString'}, 'selection9': {'CommandLine|contains': 'mini-reverse.ps1'}, 'condition': 'selection2 and selection3 and ((selection5 and selection6) or (selection7 and selection8 and selection9))'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Shellcode execution via InstallUtil.exe |
Suspicious file/code has been executed via InstallUtil.exe. This is a common technique used by malware to install additional malicious components and/or execute Shellcode. More details
Rule IDprocess_creation_commandline_303 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': 'InstallUtil.exe'}, 'selection4': {'CommandLine|contains': '/LogToConsole=false'}, 'selection5': {'CommandLine|contains': '/logfile= '}, 'condition': 'selection2 and selection3 and selection4 and selection5'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
ALPC Task Scheduler Exploit LPE |
Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface, which can allow an attacker to perform a local privilege escalation. More details
Rule IDprocess_creation_commandline_304 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\schtasks.exe'}, 'selection5': {'CommandLine|contains': '/change /TN'}, 'selection6': {'CommandLine|contains': '/RU'}, 'selection7': {'CommandLine|contains': '/RP'}, 'condition': 'selection2 and selection3 and selection5 and selection6 and selection7'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Behavior DNS cache cleared |
The DNS cache has been cleared in the system. More details
Rule IDprocess_creation_commandline_305 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\ipconfig.exe'}, 'selection4': {'CommandLine|contains': '/flushdns'}, 'condition': 'selection2 and selection3 and selection4'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
WMIC sending output to clipboard |
WMIC command is using /output:clipboard as a way to hide the normal output of process creation that is printed when creating a process with WMIC. More details
Rule IDprocess_creation_commandline_307 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\wmic.exe'}, 'selection5': {'CommandLine|contains': '/output:clipboard'}, 'selection6': {'CommandLine|contains': 'process call create'}, 'condition': 'selection2 and selection3 and selection5 and selection6'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
CnC Channel through Nslookup |
A Windows process was detected using Nslookup with abnormal flag(s) usually used by malware to communicate with the Command and Control. More details
Rule IDprocess_creation_commandline_308 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\slookup.exe'}, 'selection4': {'CommandLine|contains': ' aaaa'}, 'selection5': {'CommandLine|contains': '=aaaa'}, 'selection6': {'CommandLine|re': '[a-z0-9]{15,45}\\. [a-z0-9]{1,15}\\.[a-z0-9]{1,4}'}, 'condition': 'selection2 and selection3 and (selection4 or selection5) and selection6'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
WMIC Retrieving Security Configuration |
The wmic.exe command was executed to get information from the security configurations. This could be an indication of malicious activity. More details
Rule IDprocess_creation_commandline_309 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\wmic.exe'}, 'selection4': {'CommandLine|contains': 'SecurityCenter2'}, 'selection5': {'CommandLine|contains': ['AntiVirusProduct', 'FirewallProduct']}, 'condition': 'selection2 and selection3 and selection4 and selection5'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Taskkill killing Antivirus process |
An attempt to kill an Antivirus process has been detected. This can be the result of a manual command used by an attacker or an automated process as part of malware being deployed in the system. More details
Rule IDprocess_creation_commandline_310 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': 'Taskkill'}, 'selection4': {'CommandLine|re': '(?:fsav32|MsMpEng|FPAVServer|TMBMSRV|Mcshield|avgnsx|AvastSvc|dwengine|secenter|avguard|ccSvcHst|avp|360sd|360tray|AvastUi)\\.exe'}, 'condition': 'selection2 and selection3 and selection4'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
WSH Injection via PubPrn |
An attempt to inject malicious code into a Microsoft signed WSH script has been detected. This can be an attempt to bypass whitelisting restrictions. More details
Rule IDprocess_creation_commandline_312 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': 'wscript.exe'}, 'selection4': {'CommandLine|contains': 'pubprn.vbs'}, 'selection5': {'CommandLine|contains': 'script:'}, 'condition': 'selection2 and selection3 and selection4 and selection5'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
AppLocker Bypass |
A successful attempt to bypass AppLocker has been detected. This can indicate an attacker is trying to bypass whitelisting technologies and escalate privileges and/or move laterally in your network. More details
Rule IDprocess_creation_commandline_314 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\regsvr32.exe'}, 'selection4': {'CommandLine|contains': '/s'}, 'selection5': {'CommandLine|contains': '/i:http'}, 'selection6': {'CommandLine|contains': 'scrobj.dll'}, 'condition': 'selection2 and selection3 and selection4 and selection5 and selection6'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
File Deletion Backup files deleted recursively |
An attempt to delete files and folders that might contain backup data has been detected. This could be an indication of a ransomware infection or an attacker trying to cause damage. More details
Rule IDprocess_creation_commandline_315 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\cmd.exe'}, 'selection4': {'CommandLine|contains': ' del '}, 'selection5': {'CommandLine|re': '(?:backup|bkup|\\.bak|\\.bac|\\.dsk|\\.win|\\.bkf|\\.wbcat)'}, 'condition': 'selection2 and selection3 and selection4 and selection5'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Attempt to stop or delete Windows Defender service |
Windows Defender Real-time Protection scanning for malware and other potentially unwanted software has been stopped. More details
Rule IDprocess_creation_commandline_316 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\et.exe'}, 'selection5': {'Image|contains': '\\sc.exe'}, 'selection7': {'CommandLine|contains': 'stop'}, 'selection8': {'CommandLine|contains': 'delete'}, 'selection9': {'CommandLine|contains': 'WinDefend'}, 'condition': 'selection2 and (selection3 or selection5) and (selection7 or selection8) and selection9'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Windows Process Argument contains Base64 Encoded PE Header |
A process has been launched with a Base64 encoded argument. Once decoded, the argument corresponds to the PE Header. This can indicate an attacker is trying to bypass any present execution policy. More details
Rule IDprocess_creation_commandline_317 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'CommandLine|contains': 'TVqQAAMAAAAEAAA'}, 'condition': 'selection2 and selection3'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Cobalt Gang Windows script execution |
A known Cobalt Gang script has been executed in the system. This could mean that your computer has been compromised and malicious code is running in your endpoint. More details
Rule IDprocess_creation_commandline_319 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\wscript.exe'}, 'selection5': {'CommandLine|contains': 'error_log.vbe'}, 'condition': 'selection2 and (selection3) and selection5'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Windows execution using odbcconf tool |
The odbcconf tool allows users to configure Open Database Connectivity (ODBC) drivers. The utility can be misused to execute malicious code and evade detection techniques. More details
Rule IDprocess_creation_commandline_320 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\odbcconf.exe'}, 'selection5': {'CommandLine|contains': 'REGSVR'}, 'condition': 'selection2 and selection3 and selection5'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Windows INF file launch |
The Advanced INF Package Installer (advpack.dll) can use the LaunchINFSection function to invoke a section from .inf files. This could be used by attackers to remotely launch staged SCT files with malicious code. More details
Rule IDprocess_creation_commandline_321 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\rundll32.exe'}, 'selection5': {'CommandLine|re': 'advpack\\.dll, (?:LaunchINFSection|#46)\\s+'}, 'condition': 'selection2 and selection3 and selection5'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Windows MavInject DLL Injection |
MavInject is a Windows utility that can be used to execute code. Mavinject can be used to inject a DLL into a running process. More details
Rule IDprocess_creation_commandline_322 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|re': '\\\\Mavinject(?:32|64)?.exe'}, 'selection5': {'CommandLine|contains': '/INJECTRUNNING'}, 'condition': 'selection2 and selection3 and selection5'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious ACL Change |
A suspicious change was detected to an access control list (ACL). In this case, 'Full Access' was granted to 'Everyone' on a file or folder. More details
Rule IDprocess_creation_commandline_324 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\icacls.exe'}, 'selection4': {'CommandLine|re': '\\/grant(?::r)?\\s+Everyone:F'}, 'condition': 'selection2 and selection3 and selection4'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Credential Access Tool Detected - LaZagne |
LaZagne is a multiplatform tool capable of retrieving user credentials from several system services and applications, such as web browsers. More details
Rule IDprocess_creation_commandline_325 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\lazagne'}, 'selection4': {'CommandLine|contains': '-quiet'}, 'condition': 'selection2 and selection3 and selection4'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Indirect command execution using pcalua.exe |
A user tried to use the Windows pcalua.exe utility to execute commands in an alternative way (without using cmd.exe or powershell.exe). Attackers may use this technique to avoid invoking cmd while still executing commands. More details
Rule IDprocess_creation_commandline_327 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\pcalua.exe'}, 'selection5': {'CommandLine|contains': ' - a '}, 'selection6': {'CommandLine|re': '\\.(?:hta|vbs|vbe|js|jse|wsf|wsh)'}, 'condition': 'selection2 and selection3 and selection5 and selection6'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Windows UAC Bypass |
A User Account Control Bypass activity was detected. This can be due to either regular operation or because an attacker is trying to escalate privileges. More details
Rule IDprocess_creation_commandline_328 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'CommandLine|contains': 'TpmInitUACBypass.exe'}, 'condition': 'selection2 and selection3'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
SAM, SECURITY or SYSTEM Registry Hive Export |
These hives can be used with a password cracker or creddump to dump the LANMAN/NTLM hashes, view cached credentials, and decrypt LSA secrets. This could be an indication of a ransomware infection or an attacker trying to cause damage. More details
Rule IDprocess_creation_commandline_329 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\reg.exe'}, 'selection4': {'CommandLine|re': 'save.+ (?:hklm|hkey_local_machine)\\\\(?:system|security|sam)'}, 'condition': 'selection2 and selection3 and selection4'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Suspicious PowerShell Argument |
PowerShell was executed with a suspicious command-line argument. The script is likely attempting to download files from a remote server. This could be an indication of malicious activity. More details
Rule IDprocess_creation_commandline_330 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\powershell.exe'}, 'selection4': {'CommandLine|contains': 'Net.WebClient'}, 'selection5': {'CommandLine|contains': 'Download'}, 'condition': 'selection2 and selection3 and selection4 and selection5'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Windows UAC bypass - UACME tool |
User Account Control Bypass activity was detected. This can be due to either a regular operation or because an attacker is trying to escalate privileges. More details
Rule IDprocess_creation_commandline_331 Query{'selection2': {'EventID': [1, 4688]}, 'selection9': {'CommandLine|re': '\\.exe\\".*cleanmgr\\.exe \\/autoclean'}, 'condition': 'selection2 and selection9'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Ransomware Decryption Instructions File Detected |
After ransomware infects a host machine, it creates a file with instructions for recovering the encrypted files. A file with these characteristics was opened on the system, which is an indicator of ransomware infection. More details
Rule IDprocess_creation_commandline_332 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'CommandLine|re': '_Locky_recover_instructions.txt|Coin.Locker.txt DECRYPT_ReadMe.TXT|Contact_Here_To_Recover_Your_Files.txt|DECRYPT_INSTRUCTION.TXT|DECRYPT_INSTRUCTIONS.TXT|DecryptAllFiles.txt|encryptor_raas_readme_liesmich.txt|FILESAREGONE.TXT|help_decrypt_your_files.html|HELP_RECOVER_FILES.txt|HELP_TO_DECRYPT_YOUR_FILES.txt|HELPDECRYPT.TXT|HELPDECYPRT_YOUR_FILES.HTML|How_To_Recover_Files.txt|Howto_Restore_FILES.TXT|HOW TO DECRYPT YOUR DATA.txt|IHAVEYOURSECRET.KEY|INSTRUCCIONES_DESCIFRADO.TXT|ReadDecryptFilesHere.txt|Readme to restore your files.txt|!SBLOCK_INFO!.rtf|КАК ВОССТАНОВИТЬ ЗАШИФРОВАННЫЕ ФАЙЛЫ.TXT|README_LOCKED.txt'}, 'condition': 'selection2 and selection3'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Windows Autorun Registry Entry Added via reg.exe |
An executable was added to the Windows Autorun registry. While this may have occurred due to normal software installation, this is a common technique used by malware to ensure it is started after reboots. More details
Rule IDprocess_creation_commandline_333 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': 'reg.exe'}, 'selection4': {'CommandLine|contains': 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'}, 'selection5': {'CommandLine|contains': ' add '}, 'condition': 'selection2 and selection3 and selection4 and selection5'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
File Deletion Backup Catalog Deletion |
If the backup catalog is deleted for a computer, you will not be able to access the backups created for that computer using the Windows Server Backup snap-in. This could be an indication of a ransomware infection or an attacker trying to cause damage. More details
Rule IDprocess_creation_commandline_334 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'Image|contains': '\\wbadmin.exe'}, 'selection4': {'CommandLine|contains': 'delete catalog'}, 'condition': 'selection2 and selection3 and selection4'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Wireless Network Password Retrieval |
The password of a wireless network was accessed. This could be an indication of malicious activity. More details
Rule IDprocess_creation_commandline_335 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\etsh.exe'}, 'selection5': {'CommandLine|contains': 'wlan'}, 'selection6': {'CommandLine|contains': 'key=clear'}, 'condition': 'selection2 and selection3 and selection5 and selection6'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Metasploit MSSQL Command Execution |
An attacker gained access to the MSSQL Server database and is executing the Metasploit module mssql_exec. More details
Rule IDprocess_creation_commandline_337 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': 'sqlservr.exe'}, 'selection4': {'CommandLine|contains': 'echo OWNED'}, 'condition': 'selection2 and selection3 and selection4'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
Internet Explorer executing suspicious wmic command |
An attacker can execute code after a successful exploit attack. Internet Explorer is commonly targeted in exploit kit campaigns. More details
Rule IDprocess_creation_commandline_338 Query{'selection2': {'EventID': [1, 4688]}, 'selection3': {'ParentImage|contains': '\\iexplore.exe'}, 'selection4': {'Image|contains': '\\WMIC.exe'}, 'selection6': {'CommandLine|contains': 'process call create'}, 'selection7': {'CommandLine|contains': '\\Temp\\'}, 'condition': 'selection2 and selection3 and (selection4 and selection6 and selection7)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|
||||||||
File Deletion Windows Shadow Copies Deletion via Powershell |
An attempt to delete all shadow copies using the Windows Volume Shadow Copy Service (VSS) via PowerShell has been detected. This could be an indication of a ransomware infection or an attacker trying to cause damage. More details
Rule IDprocess_creation_commandline_339 Query{'selection2': {'EventID': [1, 4688]}, 'selection7': {'Image|contains': '\\powershell.exe'}, 'selection8': {'CommandLine|contains': 'RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='}, 'condition': 'selection2 and (selection7 and selection8)'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity50 Suppression Logic Based On
Additional Information
|